Categories: FTPS, IIS, SSL, Windows

Setup FTPS on IIS 7.5 Using Host Headers Tutorial

This is a tutorial on how to set up FTPS (FTP over SSL/TLS) on IIS 7.5 using host headers. Host headers allow you to run more than one FTP site on the same server, all sharing port 21. It should also help you avoid the pitfalls I ended up in. If you follow the guide, you'll probably save yourself at least an hour of googling.

First things first. To use FTPS you're going to need an SSL certificate, which you can purchase from a CA like GoDaddy or Verisign, or use a self-signed certificate if you're on a budget or only testing. I'm a budget kind of person, so this article demonstrates a self-signed cert. If you have already purchased a cert, just substitute it for the self-signed one in the directions below.

Create a self signed certificate

In IIS Manager navigate to the top-level server object, then open Server Certificates under the IIS section.

Click Create Self-Signed Certificate… in the Actions pane and enter a friendly name. That was easy, wasn't it? Keep in mind that IIS issues this certificate to the server's own machine name, not to the DNS name your FTP clients will use, so clients will warn about a name mismatch as well as an untrusted issuer. That is fine for testing, but for a production site use a CA-issued certificate whose subject or subject alternative name matches the FTP host name.

Open Passive FTP Ports

Most FTP servers are configured for passive mode rather than active mode because it is more reliable from the end user's firewall point of view: in passive mode the client opens both the control connection (port 21) and the data connection to the server, so nothing has to connect back into the client's network. Read more about the differences between passive and active modes. Navigate to the server-level object in IIS Manager and open the FTP Firewall Support object. Specify your passive port range and the public IP address the server should advertise to clients in its PASV replies. I'm using data channel port range 65400-65535 for this demonstration. You will also need to open these ports to your FTP server on your hardware firewall and on the software firewall if you're using one. Note that once the control channel is encrypted, a firewall can no longer read the PASV replies and open data ports on the fly, so a fixed range like this is required and must be opened explicitly rather than relying on the firewall's FTP inspection. I'm always pro software firewall even if you have a hardware firewall in place; it adds an extra layer of security, and I don't care what the server's function is. Windows Firewall with Advanced Security (netsh advfirewall) on Windows, iptables on Linux.

Configure your FTPS Site

Navigate back up to the server-level object and open the FTP SSL Settings object.

Select the certificate you've just created from the dropdown menu.

Select Custom, click Advanced… and select 'Require only for credentials' for the Control Channel and 'Require' for the Data Channel. This guarantees that the user name and password are only ever sent inside the TLS session and that every data transfer (directory listings, uploads and downloads) is encrypted. Be aware that 'Require only for credentials' still allows a client to switch the control channel back to clear text after authenticating, so commands and file names may then travel unencrypted; if the whole session must be protected, choose 'Require' for the Control Channel as well.

Create a new FTP site, open its FTP SSL Settings and make sure it uses the same certificate as specified on the server-level object. If you don't, you will see the error:

Error: Primary connection and data connection certificates don’t match.

Right-click your FTPS site and choose 'Edit Bindings…'. Edit or add the ftp binding on port 21 and set its host name to the public DNS name of your FTPS server (ftps.yourdomain.com in this guide). That host name is what distinguishes this site from any other FTP site sharing port 21.


Configure User Groups and Accounts

Create your domain groups or user accounts. Your access hierarchy will depend on your scenario. For the sake of simplicity I'm creating one local user account and giving it access to the site. In your FTP site, open FTP Authentication and check that Basic Authentication is enabled (that is what a USER/PASS login needs). Then open FTP Authorization Rules and add your new local account in an 'Allow' rule with read and write permissions. Don't forget to grant this account NTFS permissions on the root FTP directory; the authorization rule alone gives no access to the files.
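For those who would rather script it, here is the whole procedure above (passive range, server-level and site-level FTP SSL settings, the host-header binding, Basic authentication, the authorization rule, the NTFS ACL and the Windows Firewall rules) as a PowerShell script driving appcmd.exe and netsh. This is an added example and not part of the original post. The site name, physical path, public IP address (203.0.113.10, a documentation address), certificate friendly name and the local user 'test' are assumptions; the user and the self-signed certificate from the steps above are expected to exist already.

```powershell
# Added example (not from the original post): the IIS Manager steps above as a
# script, driving appcmd.exe and netsh from an elevated PowerShell prompt on
# the IIS 7.5 server. Assumed values: site name, physical path, public IP
# (203.0.113.10 is a documentation address), certificate friendly name and the
# local user 'test', which must already exist. The certificate is the
# self-signed one created in IIS Manager above (New-SelfSignedCertificate is
# not available on Windows Server 2008 R2).
$appcmd       = "$env:windir\System32\inetsrv\appcmd.exe"
$siteName     = 'ftps'
$hostName     = 'ftps.yourdomain.com'
$root         = 'C:\inetpub\ftps'
$publicIp     = '203.0.113.10'
$certFriendly = 'ftps self-signed'
$ftpUser      = 'test'
$lowPort      = 65400
$highPort     = 65535

# 1. Find the certificate by the friendly name typed into IIS Manager.
#    The same hash must go into the server defaults AND the site; a mismatch
#    is what produces "Primary connection and data connection certificates
#    don't match".
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $certFriendly } | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$certFriendly' in LocalMachine\My" }
$thumb = $cert.Thumbprint

# 2. Passive data-channel port range (server-wide FTP Firewall Support).
& $appcmd set config -section:system.ftpServer/firewallSupport `
    "/lowDataChannelPort:$lowPort" "/highDataChannelPort:$highPort" /commit:apphost

# 3. Server-level FTP SSL Settings: credentials always encrypted, data always
#    encrypted. Use SslRequire for the control channel too if commands and
#    file names must never travel in the clear.
& $appcmd set config -section:system.applicationHost/sites `
    "/siteDefaults.ftpServer.security.ssl.serverCertHash:$thumb" `
    "/siteDefaults.ftpServer.security.ssl.controlChannelPolicy:SslRequireCredentialsOnly" `
    "/siteDefaults.ftpServer.security.ssl.dataChannelPolicy:SslRequire" `
    /commit:apphost

# 4. The FTP site, bound by host header so it can share port 21, with the
#    same certificate, the public IP to advertise in PASV replies, and Basic
#    authentication for USER/PASS logins.
if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }
& $appcmd add site "/name:$siteName" "/bindings:ftp/*:21:$hostName" "/physicalPath:$root"
& $appcmd set config -section:system.applicationHost/sites `
    "/[name='$siteName'].ftpServer.security.ssl.serverCertHash:$thumb" `
    "/[name='$siteName'].ftpServer.security.ssl.controlChannelPolicy:SslRequireCredentialsOnly" `
    "/[name='$siteName'].ftpServer.security.ssl.dataChannelPolicy:SslRequire" `
    "/[name='$siteName'].ftpServer.firewallSupport.externalIp4Address:$publicIp" `
    "/[name='$siteName'].ftpServer.security.authentication.basicAuthentication.enabled:True" `
    /commit:apphost

# 5. FTP authorization rule plus the NTFS ACL it depends on.
& $appcmd set config $siteName -section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',users='$ftpUser',permissions='Read, Write']" /commit:apphost
$acl  = Get-Acl $root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $ftpUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# 6. Windows Firewall: with TLS on the control channel the firewall cannot read
#    the PASV replies, so the data range has to be opened as a static rule.
netsh advfirewall firewall add rule name="FTPS control (21)" dir=in action=allow protocol=TCP localport=21
netsh advfirewall firewall add rule name="FTPS passive data" dir=in action=allow protocol=TCP localport="$lowPort-$highPort"

# The data-channel port range is read when the FTP service starts.
Restart-Service ftpsvc
```

After it runs, `appcmd list site` should show the new site with its `ftp/*:21:ftps.yourdomain.com` binding, and the range and certificate hash can be checked in %windir%\System32\inetsrv\config\applicationHost.config.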

Connect with an FTP Client

I recommend the FileZilla client; I have not tested with any others. I don't believe the built-in ftp.exe utility shipped with Windows is capable of FTPS. Comment below if I'm wrong.

Host: ftps.yourdomain.com
Protocol: FTP - File Transfer Protocol
Encryption: Require explicit FTP over TLS
Logon Type: Normal
User: ftps.yourdomain.com|test
Password: ***********

Did you catch that? In the user field the syntax is FtpSiteHostHeader|UserName: a vertical bar (pipe, |) sits between the host header name and the user name. IIS uses that prefix to route the login to the right site, since all of the sites share port 21 and the FTP protocol has no equivalent of HTTP's Host header. If you leave it out, you won't be able to connect and you will be greeted with "530 Valid hostname is expected".

Status:      Resolving address of ftps.sysinfo.io
Status:      Connecting to 10.10.10.151:21…
Status:      Connection established, waiting for welcome message…
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status:      Initializing TLS…
Status:      Verifying certificate…
Command: USER test
Status:      TLS/SSL connection established.
Response: 530 Valid hostname is expected.
Error:       Could not connect to server

FileZilla will prompt about an unknown certificate because the self-signed cert is not issued by a trusted CA. Before accepting it, compare the fingerprint shown in the prompt with the thumbprint listed for your certificate under Server Certificates in IIS Manager; accepting an unexpected certificate would let a man-in-the-middle capture the very credentials the TLS session is supposed to protect.

If you've connected properly you should see:

Status: Resolving address of ftps.sysinfo.io
Status: Connecting to 10.10.10.151:21…
Status: Connection established, waiting for welcome message…
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS…
Status: Verifying certificate…
Command: USER ftps.sysinfo.io|test
Status: TLS/SSL connection established.
Response: 331 Password required for ftps.sysinfo.io|test.
Command: PASS *********
Response: 230 User logged in.
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful – UTF8 encoding now ON.
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (10,10,10,151,255,134).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Response: 226 Transfer complete.
Status: Directory listing successful
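The 227 reply near the end of the log encodes the data port as two bytes: 255*256 + 134 = 65414, which falls inside the 65400-65535 range opened earlier. If you see a port outside your range, the server-level firewall settings did not take effect (the FTP service reads them at start-up). As an added example that is not part of the original post, the same explicit FTPS login can be scripted from PowerShell with .NET's FtpWebRequest, pinning the server certificate's thumbprint instead of accepting whatever is presented. The thumbprint placeholder is an assumption and the password is prompted for.

```powershell
# Added example (not from the original post): explicit FTPS login from
# PowerShell/.NET with the host-header user name, pinning the server's
# certificate thumbprint instead of accepting any unknown certificate.
# Assumed: the thumbprint placeholder below; the password is prompted for.
$hostName = 'ftps.yourdomain.com'
$user     = "$hostName|test"          # FtpSiteHostHeader|UserName
$expected = 'PASTE-THUMBPRINT-FROM-IIS-SERVER-CERTIFICATES'   # assumed placeholder
$cred     = Get-Credential $user      # prompts for the password only

function Test-PinnedThumbprint {
    param([string]$Presented, [string]$Expected)
    # Normalise both sides: IIS Manager shows the thumbprint with spaces.
    $norm = { param($s) ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    return (& $norm $Presented) -eq (& $norm $Expected)
}

# A self-signed certificate never passes chain validation, so the usual
# "return $true" shortcut would also accept an attacker's certificate.
# Compare the presented certificate's SHA-1 hash with the pinned one instead.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    Test-PinnedThumbprint -Presented $cert.GetCertHashString() -Expected $expected
}

try {
    $req = [System.Net.FtpWebRequest]::Create("ftp://$hostName/")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
    $req.EnableSsl   = $true      # AUTH TLS on port 21, then PBSZ 0 / PROT P for data
    $req.UsePassive  = $true      # data connection lands in the 65400-65535 range
    $req.Credentials = $cred.GetNetworkCredential()

    $resp = $req.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader -ArgumentList ($resp.GetResponseStream())
        $reader.ReadToEnd()                       # the LIST output
        "Server: $($resp.StatusDescription.Trim())"
    } finally { $resp.Close() }
} finally {
    # Do not leave a process-wide pin behind for other .NET calls in this session.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

If the login is attempted without the host-header prefix, GetResponse throws a WebException carrying the same "530 Valid hostname is expected" reply FileZilla shows. Should PowerShell complain that no runspace is available when the callback fires, the script block can be swapped for a small C# validation class loaded with Add-Type; the pinning logic stays the same.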
