They say a picture is worth a 1000 words, in this case it’s worth every one. Recently in the forums @ http://forums.iis.net, a few posts came up people trying to setup FTP over SSL with an external firewall. They were running into issues where they could connect, but couldn’t get a directory list. After answering a few threads stating the configuration to support FTP over SSL with PASV ports. I thought I would blog what few steps to complete the config. This blog isn’t meant to be the ‘end all be all’, but will be a targeted post to help people visually.
I’m assuming you’ve installed FTP 7. If not, here is an article to install FTP 7. This is a great starter article and one I’d recommend for people looking for a secure FTP over SSL solution. (Assuming you have Windows Server 2008 / FTP 7.x of course)
http://learn.iis.net/page.aspx/263/installing-and-troubleshooting-ftp75/
Also, I’m assuming you configured your server to use an SSL certificate. If not, here is an article that can assist setting this up.
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/
First thing: Define a range of PASV TCP ports on your router or firewall. From my days of running WS-FTP server, they used ports 4900 – 4910 by default. I got hooked and use these ones. The ports can be anything. If you are not sure, check with your network admin.
Secondly – Open IIS Manager, select the computer name, open FTP Firewall Support
Next, type in the Data Channel Port Range and external IP address. The External IP address can be left blank and filled in at a site level. The port range will be inherited by each site. Assuming you have static IP address on each site, there won’t be an issue sharing this range across multiple FTP sites.
TEST, TEST, TEST
You can use FileZilla, CoreFTP to test your connections.
Between the two articles on http://learn.iis.net, and this added tidbit, you should have a secure FTP solution over port 21. I’ve not tried using port 990 for FTP recently, I’ve done it in the past but it’s been too long, so I stick with port 21, require SSL and open a few PASV ports.
Hope this helps,
Steve Schofield
Microsoft MVP – IIS
Resources.
http://support.ipswitch.com/kb/FS-20051115-DM01.htm
Check out Robert’s blog (IIS Team FTP guru)
Steve,
Also remember those values are ignored unless you apply an additiounal hotfix Microsoft released after FTP 7 RTM’d – google for it.
I had such a headache because I had my Windows 2008 (IIS 7) virtual machine running on a Windows Server 2003 host running Virtual Server. So I needed to configure the software firewall/router in 2003 to open the correct ports on the firewall and then forward 10 ports (which I used for this) to the Windows 2008 virtual machine; then I needed to do what you have described in your blog post. But it still wasn’t working.
Then I found Microsoft hotfix and everything worked correctly after applying the hotfix, causing IIS 7 to start honoring the specified port range!
Regards,
Dave
I used this to open up the ports on Windows Firewall. Thought it might be useful to somebody else.
C:>for /L %i in (4900,1,4910) do netsh firewall add portopening TCP %i “FTP Passive Port %i)”
I am confused about the data port and External firewall IP in IIS 7.5
My GPRS clients are not able to do the FTP, they are not external clients, but outside the firewall
Now tell me which External firewall IP I should configure here,
One more question that is default CMD utility which is with Windows 7 does support passive FTP.