FTP Site Over SSL In IIS
In this article, we will create an FTP Site with Basic Authentication over SSL in IIS.
Refresher:
FTP: The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network. FTP is built on a client-server model architecture and uses separate control and data connections between the client and the server.
Authentication: The process of proving that you are who you say you are.
Authorization: The act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data.
Explicit FTPS: FTP sites and clients use port 21 for the control channel, and the server and client will negotiate secondary ports for data channel connections. In a typical FTP request, an FTP client will connect to an FTP site over the control channel, and then the client can negotiate SSL/TLS with the server for either the control channel or the data channel.
Implicit FTPS: FTP sites and clients use port 990 for the control channel, and the SSL/TLS handshake takes place as soon as the client connects, before any FTP command is sent, so the entire session is encrypted. The server and client still negotiate secondary ports for data channel connections.
Our first goal is to create an FTP Site with Anonymous Authentication.
First, install FTP Server, and FTP Extensibility if you require it.
Open IIS Manager.
Right-click “Sites” and select “Add FTP Site…”.
Give it a name and set the Physical path:
Add the IP and select “No SSL” for now.
This is what I have at that path:
It is not a good idea to use a hostname with the FTP protocol. If not used correctly, it can cause a lot of issues.
For Authentication, let us use “Anonymous”, and for Authorization, “Anonymous users”.
We will change this later on, but first we need to make sure that the FTP site is working.
Open Command Prompt and log in as:
User: anonymous
Password: anonymous
Our basic FTP Site is working fine.
Now let us remove Anonymous Authentication and enable Basic authentication.
Before doing this, I will create an “FTP_Users” group and add my account to that group. This is optional.
Go to the FTP Authentication module, disable Anonymous and enable Basic.
Go to FTP Authorization Rules and remove the rule that allows anonymous users.
Add a new rule to allow “FTP_Users”.
Test
It is now working with Basic Authentication.
Our next task is to enable FTPS functionality.
Go to FTP SSL Settings
Select your certificate and the Policy. I will allow both SSL and non-SSL connections. If you only want to allow SSL connections, select the second option, and if you want to customize it, go with the third option.
To test SSL, we need a client such as WinSCP or FileZilla.
I will test both of them.
WinSCP
However, this will give us an error:
This is because FTPS has two “modes”: explicit FTPS (ftpes://) and implicit FTPS (ftps://).
With the FTP site and SSL settings configured as we just did, and no additional configuration, “ftpes://” works but “ftps://” does not.
Testing for Explicit FTPS (ftpes://)
Testing for Implicit FTPS (ftps://)
Create an FTP binding on port 990.
FileZilla
“ftps://10.0.0.5” => Implicit FTPS
“ftpes://10.0.0.5” => Explicit FTPS
And with this, we configured our FTP Site with Basic Authentication over SSL. Our site is working with implicit and explicit SSL.
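To confirm from the client side which policy chosen under FTP SSL Settings is actually enforced on the explicit (port 21) control channel, the following added example (not part of the original article) sends AUTH TLS and a clear-text USER on separate connections and classifies the reply codes. The policy labels, the dummy user name `probe` and the in-process stand-in server with its reply strings are constructed for illustration.

```python
import socket
import threading

def read_reply(f):
    """Return the 3-digit code of one FTP reply, skipping '220-...' continuation lines."""
    line = f.readline()
    code = line[:3]
    while line and not line.startswith(code + b" "):
        line = f.readline()
    return code.decode("ascii", "replace")

def ask(connect, command):
    """Open a fresh control connection, read the banner, send one command, return the reply code."""
    with connect() as sock, sock.makefile("rwb") as f:
        read_reply(f)
        f.write(command.encode("ascii") + b"\r\n")
        f.flush()
        return read_reply(f)

def ssl_policy(connect):
    """Classify the policy seen on the control channel (labels are this example's own)."""
    offers_tls = ask(connect, "AUTH TLS") == "234"  # RFC 4217: 234 = begin TLS handshake
    # 230/331 to USER without TLS means the login proceeds unencrypted; no password is sent.
    clear_login = ask(connect, "USER probe")[:1] in ("2", "3")
    if offers_tls:
        return "allow-ssl" if clear_login else "require-ssl"
    return "no-ssl" if clear_login else "unknown"

def constructed_server(replies):
    """Constructed stand-in for an FTP site: returns a connect() answering from `replies`."""
    def connect():
        client, server = socket.socketpair()
        def serve():
            with server, server.makefile("rwb") as f:
                f.write(b"220-Constructed banner\r\n220 ready\r\n")
                f.flush()
                verb = f.readline().split()[0].decode("ascii")
                f.write(replies.get(verb, "500 unknown").encode("ascii") + b"\r\n")
                f.flush()
        threading.Thread(target=serve, daemon=True).start()
        return client
    return connect

if __name__ == "__main__":
    # Constructed replies. Against a real site, pass
    # lambda: socket.create_connection((host, 21), timeout=5) instead.
    both = constructed_server({"AUTH": "234 ok", "USER": "331 Password required"})
    strict = constructed_server({"AUTH": "234 ok", "USER": "534 Policy requires SSL"})
    print(ssl_policy(both), ssl_policy(strict))
```

A result of `allow-ssl` means a client that skips AUTH TLS can still send its Basic credentials unencrypted; `require-ssl` means the site refuses the login until TLS is negotiated.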
Conclusions:
- The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
- Authentication is the process of proving that you are who you say you are.
- Authorization is the act of granting an authenticated party permission to do something.
- FTPS has two forms: explicit FTPS (ftpes://) and implicit FTPS (ftps://).
- Implicit FTPS requires TCP Port 990.