Setup FTPS on IIS 7.5 Using Host Headers Tutorial

This is a tutorial guide on how to set up FTPS (FTP over SSL) on IIS 7.5 using host headers. Host headers allow you to run more than one FTP site on the same server, all sharing port 21. It should also help you avoid the pitfalls I ended up in. If you follow the guide, you'll probably save yourself at least an hour of googling.


First things first. To use FTPS you're going to need an SSL certificate, which you can purchase from a CA such as GoDaddy or Verisign, or use a self-signed certificate if you're on a budget or just testing. I'm a budget kind of person, so this article will demonstrate a self-signed certificate. If you have already purchased a certificate, just substitute it wherever my directions refer to the self-signed one.

Create a self signed certificate

In IIS Manager navigate to the top-level server object then open Server Certificates under IIS.


Click Create Self-Signed Certificate Request and enter a friendly name. That was easy, wasn't it?

Open Passive FTP Ports

Most FTP servers operate in Passive mode as opposed to Active mode, because it is more reliable from the end user's firewall point of view. Read more about the differences between passive and active modes. Navigate to the server-level object in IIS Manager and open the FTP Firewall Support object. Specify your passive port range and the public IP address you will be using. I'm using data channel port range 65400-65535 for this demonstration. You will also need to open these ports to your FTP server on your hardware firewall, and on your software firewall if you're using one. I'm always pro software firewall even if you have a H/W firewall in place; it just adds an extra layer of security, whatever the server's function is. Advfirewall on Windows, iptables on Linux.

Configure your FTPS Site

Navigate back up to the server-level object and open the FTP SSL Settings object.

Select the certificate you've just created from the dropdown menu.


Select Custom, click Advanced... and select 'Require only for credentials' for the Control Channel and 'Require' for the Data Channel. This ensures that the login credentials, as well as the data you transfer to and from the server, are protected with industry-standard SSL encryption.

Create a new FTP site, go to FTP SSL Settings and make sure to use the same certificate as specified on the server-level object. If you don't, you will see the error:

Error: Primary connection and data connection certificates don't match.

Right-click your FTPS site and go to 'Edit Bindings'. Edit or add an entry specifying the public DNS name of your FTPS server as the host name.


Configure User Groups and Accounts

Create your domain groups or user accounts. Your access hierarchy will depend on your scenario. For the sake of simplicity I'm creating one local user account and giving it access to the site. In your FTP site, open the FTP Authorization object and add your new local account in an 'Allow Authorization Rule' with read/write permissions. Don't forget to set NTFS ACL permissions for this account on the root FTP directory.

Connect with an FTP Client

I recommend FileZilla Client; I have not tested with any others. I don't believe the built-in ftp.exe utility shipped with Windows is capable of FTPS. Comment below if I'm wrong.

 Protocol: FTP - File Transfer Protocol
 Encryption: Require explicit FTP over TLS
 Logon Type: Normal
 Password: ***********


Did you catch that? In the user field the syntax is FtpSiteHostHeader|UserName. There is a vertical bar (|) between the host header name and the username. If you leave it out, you won't be able to connect and you will be greeted with "530 Valid hostname is expected".

Status:      Resolving address of
Status:      Connecting to
Status:      Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status:      Initializing TLS...
Status:      Verifying certificate...
Command: USER test
Status:      TLS/SSL connection established.
Response: 530 Valid hostname is expected.
Error:       Could not connect to server

Accept the unknown certificate message.


If you've connected properly you should see:

Status: Resolving address of
Status: Connecting to
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER|test
Status: TLS/SSL connection established.
Response: 331 Password required for|test.
Command: PASS *********
Response: 230 User logged in.
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (10,10,10,151,255,134).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Response: 226 Transfer complete.
Status: Directory listing successful
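The two FileZilla logs above contain everything needed to check a connection offline: whether AUTH TLS succeeded, whether USER carried the host header prefix, whether PROT P was accepted before any data transfer, and whether the passive port the server hands out in the 227 reply actually falls inside the range opened on the firewall. The script below is an added example, not part of the tutorial or FileZilla: it parses constructed log lines modelled on the output above (the host header ftp.example.com, the user test and the IP 10.10.10.151 are placeholders), and it includes a small ftplib client that performs the same AUTH TLS / USER host|user / PBSZ 0 / PROT P sequence, verifying the server certificate against an exported copy of the self-signed cert (placeholder path) instead of accepting it blindly.

```python
import re
import ssl
from ftplib import FTP_TLS

# Passive data-channel range from the FTP Firewall Support step of the tutorial.
PASV_LOW, PASV_HIGH = 65400, 65535


def login_name(site_host_header: str, user: str) -> str:
    """Build the user string an IIS host-header FTP site expects: '<hostheader>|<user>'."""
    if not site_host_header or not user or "|" in site_host_header or "|" in user:
        raise ValueError("host header and user must be non-empty and must not contain '|'")
    return f"{site_host_header}|{user}"


def analyze_transcript(lines):
    """Classify a FileZilla-style control-channel log given as 'Prefix: text' lines."""
    findings = {
        "tls_started": False,             # AUTH TLS answered with 234
        "user_has_host_header": None,     # USER argument contained 'hostheader|'
        "missing_host_header": False,     # 530 Valid hostname is expected
        "logged_in": False,               # 230
        "data_channel_protected": False,  # PROT P answered with 200
        "data_before_prot_p": False,      # 150 seen while PROT P not yet accepted
        "passive_port": None,             # computed from the 227 reply: p1*256 + p2
        "passive_port_in_range": None,    # inside the firewall range above?
    }
    last_cmd = None
    for raw in lines:
        m = re.match(r"\s*(Command|Response|Status|Error):\s*(.*)", raw)
        if not m:
            continue
        kind, text = m.group(1), m.group(2).strip()
        if kind == "Command":
            verb = re.match(r"[A-Z]+", text)
            last_cmd = verb.group(0) if verb else None
            if last_cmd == "USER":
                findings["user_has_host_header"] = "|" in text[4:]
            continue
        if kind != "Response":
            continue
        code = re.match(r"(\d{3})", text)
        if not code:
            continue
        code = int(code.group(1))
        if last_cmd == "AUTH" and code == 234:
            findings["tls_started"] = True
        elif last_cmd == "PROT" and code == 200:
            findings["data_channel_protected"] = True
        elif code == 230:
            findings["logged_in"] = True
        elif code == 530 and "valid hostname" in text.lower():
            findings["missing_host_header"] = True
        elif code == 227:
            p = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", text)
            if p:
                port = int(p.group(5)) * 256 + int(p.group(6))
                findings["passive_port"] = port
                findings["passive_port_in_range"] = PASV_LOW <= port <= PASV_HIGH
        elif code == 150 and not findings["data_channel_protected"]:
            findings["data_before_prot_p"] = True
    return findings


def connect_ftps(host, site_host_header, user, password, ca_file=None, port=21):
    """Explicit FTPS login against an IIS host-header site (needs a live server).

    ca_file: PEM export of the self-signed certificate so the handshake verifies
    it rather than trusting an unknown certificate (placeholder path in callers).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)                                   # 220 Microsoft FTP Service
    ftps.auth()                                                # AUTH TLS -> 234, TLS on control channel
    ftps.login(login_name(site_host_header, user), password)   # USER host|user, PASS
    ftps.prot_p()                                              # PBSZ 0 + PROT P: data channel encrypted
    ftps.set_pasv(True)                                        # PASV; port must be in the firewall range
    return ftps


# Constructed sample logs modelled on the tutorial's FileZilla output.
FAILED_LOGIN = [  # USER sent without the host header prefix
    "Response: 220 Microsoft FTP Service",
    "Command: AUTH TLS",
    "Response: 234 AUTH command ok. Expecting TLS Negotiation.",
    "Status: TLS/SSL connection established.",
    "Command: USER test",
    "Response: 530 Valid hostname is expected.",
    "Error: Could not connect to server",
]
GOOD_LOGIN = [
    "Response: 220 Microsoft FTP Service",
    "Command: AUTH TLS",
    "Response: 234 AUTH command ok. Expecting TLS Negotiation.",
    "Command: USER ftp.example.com|test",
    "Response: 331 Password required for ftp.example.com|test.",
    "Command: PASS *********",
    "Response: 230 User logged in.",
    "Command: PBSZ 0",
    "Response: 200 PBSZ command successful.",
    "Command: PROT P",
    "Response: 200 PROT command successful.",
    "Command: PASV",
    "Response: 227 Entering Passive Mode (10,10,10,151,255,134).",
    "Command: LIST",
    "Response: 150 Opening BINARY mode data connection.",
    "Response: 226 Transfer complete.",
]

if __name__ == "__main__":
    print("failed:", analyze_transcript(FAILED_LOGIN))
    print("good:  ", analyze_transcript(GOOD_LOGIN))
```

Running the script prints the findings for both constructed logs: the first is flagged with missing_host_header because USER had no 'hostheader|' prefix, while the second shows a protected data channel and a passive port of 65414 (255*256 + 134), which sits inside the 65400-65535 range from the firewall step. To use the client against a real server, call connect_ftps("ftp.example.com", "ftp.example.com", "test", "password", ca_file="selfsigned.pem") with your own values.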
