Geeks With Blogs
The Quandary Phase
Since this has consumed rather more of my afternoon than I had anticipated, it seems worth sharing.

There don't seem to be too many articles out there on configuring FTP in IIS 7/8 with user isolation, over TLS, and there are quite a few points at which it's fairly easy to come a cropper.

Firstly, the scenario: I wanted all of our FTP sites to require TLS (SSL) for incoming connections. I also wanted user-specific FTP root directories. Finally, as the incoming connections would be from behind a firewall, we needed the server to be configured for passive mode.

The latest version of the FTP Server bundled with Windows Server 2008 R2 and 2012 supports all of the above, so should be a breeze, right? Well, whilst it's hardly a hideous configuration headache, it is a far cry from the two-minutes-worth of configuration time you could expect to have to expend on a FileZilla installation to achieve much the same.

That said, it works well once everything's configured correctly, and here's what I did to get to that point:

  1. I opened TCP port 21, and ports 5001-5050 in the firewall (port 21 supports the initial FTP connection and ports 5001-5050 are allocated for the subsequent passive mode communication).
  2. In the Server Manager, navigated to the existing Web Server role and selected the option to Add Role Services.
  3. Installed the FTP services (FTP server + extensibility).
  4. In IIS, navigated to the server root node, selected the FTP Firewall support option, entered the external IP address of the firewall and entered the port range as 5001-5050.
  5. Created a new user group in Computer Management (named 'FTP Users').
  6. In the local security policy (open the management console, add local security policy snap-in), I assigned rights for the new user group to log on locally, and denied access to log on over RDP.
  7. In Computer Management, I created the two Windows user accounts (e.g. ftp_user1 and ftp_user2) and selected appropriately secure passwords. These are the credentials used to access the FTP server. I assigned the two new user accounts to the new FTP Users group, and removed them from the default Users group.
  8. In IIS, navigated to the root server node, clicked Server Certificates in the features view, and generated a new self-signed certificate
  9. Navigated to IIS and created a new FTP site, using %SYSTEMROOT%\Inetpub\ftproot as the root physical path. I left the port at 21, and selected the option to require SSL, with the newly generated self-signed certificate selected in the certificates dropdown. For the authentication mechanism, I selected Basic and deselected Anonymous. In the Authorization section, I configured the FTP Users group with read/write access.
  10. In IIS, on the features view for the new FTP site, I opened the FTP User Isolation configuration, and enabled the 'User name directory (disable global directories)' option.
  11. Within the %SYSTEMROOT%\Inetpub\ftproot physical directory, I created a new directory named LocalUser (this step is vital in order to get the user isolation working).
  12. Refreshed the new FTP site in IIS; the new LocalUser directory is displayed under the FTP root.
  13. In the FTP site in IIS, I created two new virtual directories below the LocalUser directory, with the directory alias set the same as my two Windows user accounts (e.g. ftp_user1 and ftp_user2). The physical locations of these two virtual directories are the two folders I wanted my two FTP users to be able to see as their respective root folders.
  14. Restarted the FTP service in the services snap-in (also critical to get this working!); you'll find it listed in the Windows Services list as 'Microsoft FTP Service'.

That's it. Now I can connect from a FileZilla client with the explicit FTP over TLS option enabled (no need to worry about FTP passwords being transmitted in plain text any more), and after accepting the self-signed server certificate as prompted, everything ticks along nicely. If I connect using either of the two user accounts, I see the correct FTP root directory and, crucially, cannot access the other user's root.
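A client-side check of the finished configuration, as an added example that is not part of the original post: it confirms that the server will not take a user name on a cleartext control channel, and that the passive-mode reply advertises the firewall's external address and a port inside 5001-5050. The function names, the `external_ip` parameter and the `cert_pem` file (the self-signed certificate exported as PEM) are assumptions made for the example.

```python
import ftplib
import re
import ssl

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range: %r" % reply)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def check_pasv(reply, external_ip, low=5001, high=5050):
    """List mismatches between a PASV reply and the firewall settings."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != external_ip:
        problems.append("PASV advertises %s, not firewall address %s" % (ip, external_ip))
    if not low <= port <= high:
        problems.append("PASV port %d is outside %d-%d" % (port, low, high))
    return problems

def check_live(host, user, external_ip, cert_pem, password):
    """Check a running server. cert_pem (assumed file) is the exported
    self-signed certificate, used as the only trust anchor rather than
    switching verification off. Needs network access; not run on import."""
    problems = []
    plain = ftplib.FTP(host, timeout=10)
    try:
        plain.sendcmd("USER " + user)        # user name only, never the password
        problems.append("server accepted USER without TLS")
    except ftplib.error_perm:
        pass                                 # 5xx reply: cleartext login refused
    finally:
        plain.close()
    ctx = ssl.create_default_context(cafile=cert_pem)
    ctx.check_hostname = False               # self-signed name may not match host
    ftps = ftplib.FTP_TLS(host, context=ctx, timeout=10)
    try:
        ftps.login(user, password)           # ftplib sends AUTH TLS before USER/PASS
        ftps.prot_p()                        # encrypt the data channel as well
        problems += check_pasv(ftps.sendcmd("PASV"), external_ip)
    finally:
        ftps.close()
    return problems
```

An empty list from `check_live` means both checks passed; a PASV reply carrying the server's internal address instead of the firewall's usually points back at the FTP Firewall Support setting in step 4.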

One final gotcha: there's a bug in the current FileZilla client release which causes connections to the TLS-secured FTP sites to fail with an error message like this one:

Error: GnuTLS error -110: The TLS connection was non-properly terminated.

I downgraded my FileZilla client version to 3.5.3, and the error went away.
Posted on Tuesday, January 29, 2013 11:52 AM | Tags: FTP, IIS, TLS, SSL, IIS 7, IIS 8

Comments on this post: Configuring FTP Over TLS In IIS With User Isolation

Comments are closed.
Copyright © Adam Pooler