Configuring FTP Firewall Settings

Author: Robert McMurray

Published on January 15, 2008 by iisteam

Updated on June 24, 2008 by iisteam

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document walks you through configuring the firewall settings for the new FTP server. It contains:

Prerequisites

The following items are required to be installed to complete the procedures in this article:

  1. IIS 7 must be installed on your Windows 2008 Server, and the Internet Information Services Manager must be installed.
  2. The new FTP service. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:
  3. You must create a root folder for FTP publishing:
    • Create a folder at "%SystemDrive%\inetpub\ftproot"
    • Set the permissions to allow anonymous access:
      • Open a command prompt.
      • Type the following command:
        CACLS "%SystemDrive%\inetpub\ftproot" /G IUSR:R /T /E
      • Close the command prompt.

Note: The settings listed in this walkthrough specify "%SystemDrive%\inetpub\ftproot" as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.

Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication

In this section, you create a new FTP site that can be opened for read-only access by anonymous users. To do so, use the following steps:

  1. Go to the IIS 7.0 Manager. In the Connections pane, click the Sites node in the tree.
  2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.

  3. When the Add FTP Site wizard appears:
    • Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section. Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
    • Click Next.
  4. On the next page of the wizard:
    • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned." Because you will be accessing this FTP site remotely, you want to make sure that you do not restrict access to the local server by entering the local loopback IP address for your computer ("127.0.0.1") in the IP Address box.
    • You would normally enter the TCP/IP port for the FTP site in the Port box. For this walkthrough, you will choose to accept the default port of 21.
    • For this walkthrough, you do not use a host name, so make sure that the Virtual Host box is blank.
    • Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
    • Click Next.
  5. On the next page of the wizard:
    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down. Select Read for the Permissions option.
    • Click Finish.
  6. Go to the IIS 7.0 Manager. Click the node for the FTP site that you created. The icons for all of the FTP features display.

Summary

To recap the items that you completed in this step:

  1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".
  2. You bound the FTP site to the local loopback address for your computer on port 21, choosing not to use Secure Sockets Layer (SSL) for the FTP site.
  3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.

Step 1: Configure the Passive Port Range for the FTP Service

In this section, you configure the server-level port range for passive connections to the FTP service. Use the following steps:

  1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.

  2. Double-click the FTP Firewall Support icon in the list of features.

  3. Enter a range of values for the Data Channel Port Range.

  4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

  1. The valid range for ports is 1025 through 65535. (Ports from 1 through 1024 are reserved for use by system services.)
  2. You can enter a special port range of "0-0" to configure the FTP server to use the Windows TCP/IP dynamic port range.
  3. For additional information, please see the following Microsoft Knowledge Base articles:
  4. This port range will need to be added to the allowed settings for your firewall server.

Step 2: Configure the IPv4 Address for a Specific FTP Site

In this section, you configure the external IPv4 address for the specific FTP site that you created earlier. Use the following steps:

  1. Go to IIS 7.0 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.

  2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.

  3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

Summary

To recap the items that you completed in this step:

  1. You configured the passive port range for your FTP service.
  2. You configured the external IPv4 address for a specific FTP site.
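
The two settings configured above determine what the server advertises in its reply to a client's PASV command: the External IP Address of Firewall supplies the address, and the Data Channel Port Range bounds the port. The following Python check is an added example, not part of the original walkthrough; it parses a 227 reply in the RFC 959 format and compares it with the configured values. The address 203.0.113.10, the range 5000-5100, and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port_range(text):
    """Parse a Data Channel Port Range such as '5000-5100'; '0-0' returns None."""
    low, high = (int(part) for part in text.split("-"))
    if (low, high) == (0, 0):
        return None  # server falls back to the Windows TCP/IP dynamic port range
    if not 1025 <= low <= high <= 65535:
        raise ValueError(f"invalid passive port range: {text}")
    return low, high

def parse_pasv(reply):
    """Return (address, port) advertised by the server in a 227 reply."""
    match = PASV_RE.match(reply.strip())
    if not match:
        raise ValueError(f"not a 227 passive reply: {reply!r}")
    fields = [int(g) for g in match.groups()]
    if max(fields) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def check_pasv(reply, external_ip, port_range):
    """List mismatches between a 227 reply and the configured firewall settings."""
    address, port = parse_pasv(reply)
    findings = []
    if address != external_ip:
        ip = ipaddress.IPv4Address(address)
        kind = "internal" if ip.is_loopback or any(ip in n for n in RFC1918) else "unexpected"
        findings.append(f"{kind} address {address} advertised, expected {external_ip}")
    limits = parse_port_range(port_range)
    if limits and not limits[0] <= port <= limits[1]:
        findings.append(f"port {port} is outside the configured range {port_range}")
    return findings

# Constructed sample replies (documentation and RFC 1918 addresses, not captured traffic)
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,19,136).",   # matches the settings
    "227 Entering Passive Mode (192,168,1,20,19,136).",   # server's LAN address advertised
    "227 Entering Passive Mode (203,0,113,10,195,80).",   # port 50000, not in range
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, "203.0.113.10", "5000-5100") or "ok")
```

Feed it the 227 line from an FTP client log taken outside the firewall; an empty result means the advertised data channel matches what the firewall has been told to allow.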

More Information

Once you have configured your firewall settings for the FTP service, you must configure your firewall software or hardware to allow connections through the firewall to your FTP server. For information on configuring your firewall, please consult the documentation that was provided with your firewall software or hardware.

For information regarding Microsoft's Windows Firewall software, please see the following topics on Microsoft's web sites:

Comments

  1. Submitted on Apr 01 2008 by
    bpajer
    Hi, I have followed your guide but I still can't get it to work. If I try the FTP site from the server that it is on it works, however the FTP site doesn't work from anywhere else on my network, nor does it from the internet. I have the router set up to forward port 21 to the server on port 21. But I think there is some other firewall issue. I have set up the FTP firewall as described in your article but can't connect to it from anywhere on the network. Please help. Thx
  2. Submitted on Jul 31 2008 by
    boen_robot
    @bpajer Have you tried turning off the firewall on the server? Is it working everywhere then? If it does, you can add port 21 as an Exception in Windows Firewall (go to the Exception tab and click "Add Port..."), and then start the firewall. However I too have a problem with this. I've followed it and the FTP server works from my local network, but not from the internet. I tried specifying 4000-4001 as the passive port range, and my router NATs the public port 21 to the local port 21 and the public 4000-4001 range to the local 4000-4001 range, and it still doesn't work (with or without a Firewall on). Once the FTP enters passive mode I see a response in my FTP client (FileZilla) saying "150 Opening BINARY mode data connection." after which it hangs until it gets timed out. Any ideas?
  3. Submitted on Aug 16 2008 by
    robmcm
    If you're using the built-in Windows Firewall on your system, you should see Jaro's blog post on configuring that: http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx
