Using FTP Virtual Host Names

  • Author: Robert McMurray
  • Published on January 22, 2008 by pharr
  • Updated on March 18, 2009 by pharr
  • Tags: FTP

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

One of the features of the new FTP service is the ability to configure virtual host names, which enables web hosters to configure multiple FTP sites on a single IP address. This document walks you through creating two FTP sites with unique virtual host names in two ways: using the new FTP user interface and by directly editing the IIS 7.0 configuration files. It contains:

Note: This walk-through contains a series of steps in which you log in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.

Prerequisites

You must install the following items to complete the procedures in this article:

  1. IIS 7.0 must be installed on your Windows Server 2008, and the Internet Information Services Manager must be installed.
  2. The new FTP service. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:
  3. You will need to create root folders for the FTP sites:
    • "%SystemDrive%\inetpub\www.example.com"
    • "%SystemDrive%\inetpub\www.contoso.com"

Creating Two Hostname-based FTP Sites Using the IIS 7.0 Manager

Step 1: Use the FTP Site Wizard to Create the First FTP Site

In this first step, we create a new FTP site using a unique virtual host name.

  1. Open the Internet Information Services (IIS) Manager. In the Connections pane, click the Sites node in the tree.
  2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
  3. When the Add FTP Site wizard displays:
    • Enter "www.example.com" in the FTP site name box.
    • Navigate to the "%SystemDrive%\inetpub\www.example.com" folder that you created in the Prerequisites section. Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
    • Click Next.
  4. On the next page of the wizard:
    • Normally you would choose an IP address for your FTP site from the IP Address drop-down, or accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, restrict access to the server itself by typing the local loopback address "127.0.0.1" in the IP Address box.
    • Normally you would also enter the TCP/IP port for the FTP site in the Port box. For this walk-through, accept the default port of 21.
    • Enter "www.example.com" in the Virtual Host box.
    • Make sure that the SSL Certificate drop-down is set to "Not Selected" and that the Allow SSL option is selected.
    • Click Next.
  5. On the next page of the wizard:
    • In Authentication settings, select Basic.
    • In Authorization settings:
      • Choose "Specified users" from the Allow access to drop-down.
      • Type "administrator" for the user name in the field below.
      • In the Permissions option, select Read and Write.
    • Click Finish.

Summary

You have successfully created a new FTP site using the new FTP service. To recap the items that you completed in this step:

  • You created a new FTP site named "www.example.com", with the site's content root at "%SystemDrive%\inetpub\www.example.com".
  • You bound the FTP site to the local loopback address for your computer on port 21 using "www.example.com" as the virtual host name.
  • You enabled Basic Authentication and created an authorization rule for the local administrator account for Read and Write access.

Step 2: Use the FTP Site Wizard to Create the Second FTP Site

In this second step, we create another new FTP site using a unique virtual host name.

  1. Open the Internet Information Services (IIS) Manager. In the Connections pane, click the Sites node in the tree.
  2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
  3. When the Add FTP Site wizard appears:
    • Enter "www.contoso.com" in the FTP site name box.
    • Navigate to the "%SystemDrive%\inetpub\www.contoso.com" folder that you created in the Prerequisites section. Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
    • Click Next.
  4. On the next page of the wizard:
    • Normally you would choose an IP address for your FTP site from the IP Address drop-down, or accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, restrict access to the server itself by typing the local loopback address "127.0.0.1" in the IP Address box.
    • Normally you would also enter the TCP/IP port for the FTP site in the Port box. For this walk-through, accept the default port of 21.
    • Enter "www.contoso.com" in the Virtual Host box.
    • In the SSL Certificates drop-down, choose "Not Selected" and select the Allow SSL option.
    • Click Next.
  5. On the next page of the wizard:
    • In Authentication settings, select Basic.
    • In Authorization settings:
      • Choose "Specified users" from the Allow access to drop-down.
      • Type "administrator" for the user name in the field below.
      • In the Permissions option, select Read and Write.
    • Click Finish.

Summary

You have successfully created a new FTP site using the new FTP service. To recap the items that you completed in this step:

  1. You created a new FTP site named "www.contoso.com", with the site's content root at "%SystemDrive%\inetpub\www.contoso.com".
  2. You bound the FTP site to the local loopback address for your computer on port 21 using "www.contoso.com" as the virtual host name.
  3. You enabled Basic Authentication and created an authorization rule for the local administrator account for Read and Write access.

Step 3: Logging in to Your FTP Site

In Steps 1 and 2, you created two FTP sites using unique virtual host names and configured the security settings to allow only the administrator account to log in. In this step, you log in using your administrator account.

Note: In this step, you log in to your FTP site using the local administrator account. When creating the FTP sites in Steps 1 and 2, we bound the FTP sites to the local loopback IP address. If you did not use the local loopback address, use SSL to protect your account settings. If you prefer to use a separate user account instead of the administrator account, set the correct permissions for that user account for the appropriate folders.

Logging in to the First FTP Site Using Your Administrator Account

  1. On your FTP server, open a command prompt session.
  2. Type the following command to connect to your FTP server:
            FTP 127.0.0.1
  3. When prompted for a user name, enter the "www.example.com" virtual host name, followed by the vertical line (|) character, followed by the user name.
            For example: "www.example.com|administrator"
  4. When prompted for a password, enter your administrator password.
  5. You should now be logged in to the "www.example.com" FTP site as the local administrator.

Logging in to the Second FTP Site Using Your Administrator Account

  1. On your FTP server, open a command prompt session.
  2. Type the following command to connect to your FTP server:
            FTP 127.0.0.1
  3. When prompted for a user name, enter the "www.contoso.com" virtual host name, followed by the vertical line (|) character, followed by the user name.
            For example: "www.contoso.com|administrator"
  4. When prompted for a password, enter your administrator password.
  5. You should now be logged in to the "www.contoso.com" FTP site as the local administrator.


Creating Virtual Host FTP Sites by Editing the IIS 7.0 Configuration Files

You can also create FTP sites for the new FTP service by editing the IIS 7.0 configuration files.

Note: Editing your applicationHost.config file requires full administrative permissions. Use one of two methods:

  • Log in to your computer using the local "administrator" account.

Or

  • If you are logged in using an account with administrative permissions that is not the local "administrator" account, open Notepad using the "Run as Administrator" option.

Note: One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, please see the following documentation:

The following steps walk you through all of the required settings to create a new FTP site from scratch.

  1. Using a text editor such as Windows Notepad, open your applicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.
  2. Locate the <sites> section. Add the first FTP site inside the <sites> section using syntax similar to the following. Note: You may need to choose a different number than "2" for the site ID if any existing site is already using that site identifier.
    <site name="www.example.com" id="2">
        <application path="/">
            <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\www.example.com" />
        </application>
        <bindings>
            <binding protocol="ftp" bindingInformation="127.0.0.1:21:www.example.com" />
        </bindings>
        <ftpServer>
            <security>
                <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
                <authentication>
                    <basicAuthentication enabled="true" />
                </authentication>
            </security>
        </ftpServer>
    </site>
  3. Add the second FTP site inside the <sites> section using syntax similar to the following. Note: You may need to choose a different number than "3" for the site ID if any existing site is already using that site identifier.
    <site name="www.contoso.com" id="3">
        <application path="/">
            <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\www.contoso.com" />
        </application>
        <bindings>
            <binding protocol="ftp" bindingInformation="127.0.0.1:21:www.contoso.com" />
        </bindings>
        <ftpServer>
            <security>
                <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
                <authentication>
                    <basicAuthentication enabled="true" />
                </authentication>
            </security>
        </ftpServer>
    </site>
  4. Scroll to the bottom of your applicationHost.config file and add location sections for both of your FTP sites that contain your authorization settings. Note: As shown in this example, the authorization settings for the FTP sites are configured per URL, and these settings specifically enable Read/Write permissions for the administrator account.
    <location path="www.example.com">
        <system.ftpServer>
            <security>
                <authorization>
                    <add accessType="Allow" users="administrator" permissions="Read, Write" />
                </authorization>
            </security>
        </system.ftpServer>
    </location>
    <location path="www.contoso.com">
        <system.ftpServer>
            <security>
                <authorization>
                    <add accessType="Allow" users="administrator" permissions="Read, Write" />
                </authorization>
            </security>
        </system.ftpServer>
    </location>
  5. Save your applicationHost.config file.

You should now be able to log in to your newly created FTP sites using an FTP client. For additional details, see the Step 3: Logging in to Your FTP Site section of this walk-through.
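Before relying on a hand-edited applicationHost.config, it is worth checking it for the mistakes this procedure invites: a site ID reused from an existing site (the notes on steps 2 and 3), two sites with identical bindingInformation, and an FTP site with no matching <location> authorization rule (step 4), which starts but denies every login. The following Python script is an added example, not part of the original walk-through and not Microsoft's tooling. It embeds a constructed applicationHost.config fragment containing the two sites above plus a deliberately broken third site (ftp.fabrikam.com, an invented name) and reports those three problems.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed applicationHost.config fragment (not a real file from the page):
# the two sites from the walk-through plus a third, "ftp.fabrikam.com", that
# deliberately reuses site id 3 and the www.contoso.com binding and has no
# <location> authorization block, so the checker has something to report.
# <application>/<virtualDirectory> nodes are omitted; the checker ignores them.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="www.example.com" id="2">
        <bindings><binding protocol="ftp" bindingInformation="127.0.0.1:21:www.example.com" /></bindings>
      </site>
      <site name="www.contoso.com" id="3">
        <bindings><binding protocol="ftp" bindingInformation="127.0.0.1:21:www.contoso.com" /></bindings>
      </site>
      <site name="ftp.fabrikam.com" id="3">
        <bindings><binding protocol="ftp" bindingInformation="127.0.0.1:21:www.contoso.com" /></bindings>
      </site>
    </sites>
  </system.applicationHost>
  <location path="www.example.com">
    <system.ftpServer><security><authorization>
      <add accessType="Allow" users="administrator" permissions="Read, Write" />
    </authorization></security></system.ftpServer>
  </location>
  <location path="www.contoso.com">
    <system.ftpServer><security><authorization>
      <add accessType="Allow" users="administrator" permissions="Read, Write" />
    </authorization></security></system.ftpServer>
  </location>
</configuration>
"""


def check_ftp_config(xml_text):
    """Return a list of problems found in the <sites> and <location> sections."""
    root = ET.fromstring(xml_text)
    problems = []
    ids = defaultdict(list)        # site id -> site names using it
    endpoints = defaultdict(list)  # (ip, port, host) -> site names bound there
    ftp_sites = []                 # sites with at least one ftp binding, in file order

    for site in root.iter("site"):
        name = site.get("name")
        ids[site.get("id")].append(name)
        for binding in site.iter("binding"):
            if binding.get("protocol", "").lower() != "ftp":
                continue
            if name not in ftp_sites:
                ftp_sites.append(name)
            info = binding.get("bindingInformation", "")
            # bindingInformation is "ip:port:virtualhost"; the host part may be
            # empty, and an IPv6 address contains colons, hence rsplit from the right.
            parts = info.rsplit(":", 2)
            if len(parts) != 3:
                problems.append(f"{name}: malformed bindingInformation '{info}'")
                continue
            endpoints[tuple(parts)].append(name)

    for site_id, names in ids.items():
        if len(names) > 1:
            problems.append(f"site id {site_id} reused by: {', '.join(names)}")

    for (ip, port, host), names in endpoints.items():
        if len(names) > 1:
            problems.append(f"binding {ip}:{port}:{host} reused by: {', '.join(names)}")

    # Authorization is per URL (one <location path="sitename"> per site); a site
    # without an Allow rule binds and starts but denies every login.
    authorized = set()
    for loc in root.iter("location"):
        for auth in loc.iter("authorization"):
            if any(a.get("accessType") == "Allow" for a in auth.findall("add")):
                authorized.add(loc.get("path"))
    for name in ftp_sites:
        if name not in authorized:
            problems.append(f"{name}: no Allow authorization rule, every login will be denied")
    return problems


if __name__ == "__main__":
    for line in check_ftp_config(SAMPLE_CONFIG):
        print(line)
```

To check a real server, pass the contents of %SystemRoot%\System32\inetsrv\config\applicationHost.config to check_ftp_config instead of SAMPLE_CONFIG; an empty list means none of the three problems is present.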

Summary

To recap the items that you completed in this step:

  • You created two FTP sites named "www.example.com" and "www.contoso.com", with the sites' respective content roots at:
    • "%SystemDrive%\inetpub\www.example.com"
    • "%SystemDrive%\inetpub\www.contoso.com".
  • You bound both FTP sites to the local loopback IP address for your computer on port 21 using "www.example.com" and "www.contoso.com" as the virtual host names.
  • You enabled Basic Authentication and created an authorization rule for the local administrator account for Read and Write access for each site.

Comments

It allowed me to install on Vista with IIS7 but it is having problems when bound to a domain name, every time you try to connect an error message is displayed in ie8 saying diagnose connection problems and when trying to access in windows explorer it tells me a valid host name must be used. Is this because it isn't actually compatible with Vista or am I missing something?

Apr 15 2009 by magnus09

Why in the world should we have to enter the hostname again to login? Why can't we just use the username from the local account on the machine? Is there a way around this? Com'n Microsoft!

Sep 04 2009 by shawaj

@magnus09 and @shawaj

The problem is the underlying FTP protocol that, although extensible, does not provide means to infer directly the host name for a specific connection.

As the examples above show, you have two virtual FTP servers that can be accessed by connecting to ftp.example.com AND ftp.contoso.com. Both these virtual servers point to the same IP. And each of these virtual servers points to a different location in the same server (it could even be in another server, but let's keep it simple for argument's sake).

Now, let's say that the users allowed to access ftp.example.com DO NOT have access to ftp.contoso.com. With me so far?

When an FTP client connects to a fully qualified domain name (like ftp.example.com) it actually makes a connection to the IP that is represented by that name (your basic DNS service) and, usually, on port 21.

After a connection is established, the FTP server sends a simple reply "220 Connection OK".

At this point the FTP server has NO IDEA of what FQDN the client requested. There's no way to tell. It can't even make a DNS reverse lookup, because all the server knows at this point is that a client is connected to a specific listening port, bound to a specific address (or not so specific -- as you can set the binding to listen on all the server's addresses).

So there are two approaches:

1. The FTP client sends a HOST command to specify which virtual host it's addressing
2. Issue the "USER virtual.host|userName" command

Older FTP clients are not prepared for this kind of situation.

And not all the newer ones are ready for this.

As a workaround Robert McMurray proposed back in '08 to use a "Global Listener FTP Site" ( http://blogs.msdn.com/robert_mcmurray/archive/2008/12/17/ftp-clients-part-3-creating-a-global-listener-ftp-site.aspx ) which is nothing more than an unbound FTP site that routes users to the appropriate paths.

However this approach isn't a solution as it doesn't resolve the problem of a single user that has access to more than one FTP virtual server.

So, to wrap it up, the "virtual.host|userName" approach to connect to an FTP virtual server is the best fallback solution for older FTP clients that are not aware of the new HOST command, and gives their users a possible means of connection.

Regards,

Jan 09 2010 by pjondevelopment
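To make the two approaches concrete, both for the login procedure in Step 3 and for the explanation in the comment above, here is an added example that is not part of the original walk-through, not the comment author's code, and not Microsoft's FTP service. It is a minimal FTP control-channel server on 127.0.0.1 that learns the virtual host only from a HOST command (the approach the comment mentions, later standardized as RFC 7151) or from the "virtualhost|username" form of USER, and a client built on Python's ftplib that logs in both ways. The site table, host names and passwords are constructed for the demo; the server handles only the USER/PASS exchange and serves no files.

```python
import ftplib
import hmac
import socket
import threading

# Constructed demo accounts: virtual host name -> {user name: password}.
# Not real credentials; IIS would check the user against Windows accounts.
SITES = {
    "www.example.com": {"administrator": "Example-Pass-1"},
    "www.contoso.com": {"administrator": "Contoso-Pass-2"},
}


def handle_session(conn):
    """Serve one control connection; the site is unknown until HOST or USER."""
    def reply(text):
        conn.sendall((text + "\r\n").encode("ascii"))

    host = user = None
    reply("220 Virtual host demo FTP server ready")
    with conn.makefile("rb") as rfile:
        for raw in rfile:
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "HOST":
                # Client names the site before authenticating (HOST command).
                host = arg if arg in SITES else None
                reply("220 Host accepted" if host else "504 Unknown virtual host")
            elif verb == "USER":
                # IIS form: "virtualhost|username" carries the site in the user name.
                if "|" in arg:
                    host, _, user = arg.partition("|")
                else:
                    user = arg
                # Always ask for a password so a probe cannot learn which hosts or
                # users exist before it has presented credentials.
                reply("331 Password required")
            elif verb == "PASS":
                expected = SITES.get(host, {}).get(user, "")
                if expected and hmac.compare_digest(expected.encode(), arg.encode()):
                    reply(f"230 Logged in to {host} as {user}")
                else:
                    reply("530 Login incorrect or virtual host not specified")
            elif verb == "QUIT":
                reply("221 Goodbye")
                break
            else:
                reply("502 Command not implemented in this demo")
    conn.close()


def start_server():
    """Listen on an ephemeral loopback port; return (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed by stop()
            threading.Thread(target=handle_session, args=(conn,), daemon=True).start()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop


def login(port, host_name, user, password, use_host_command=False):
    """Log in as Step 3 does ("host|user"), or send HOST first; return the final reply."""
    ftp = ftplib.FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    try:
        if use_host_command:
            ftp.sendcmd("HOST " + host_name)
            name = user
        else:
            name = f"{host_name}|{user}" if host_name else user
        return ftp.login(name, password)  # "230 ..." on success
    except ftplib.error_perm as exc:
        return str(exc)                   # "530 ..." or "504 ..." on failure
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
```

A typical run starts the server with port, stop = start_server(), then calls login(port, "www.example.com", "administrator", "Example-Pass-1") for the Step 3 form, login(port, "www.contoso.com", "administrator", "Contoso-Pass-2", use_host_command=True) for the HOST form, and login(port, None, "administrator", "Example-Pass-1") to see that a login naming no virtual host is refused, exactly the situation the comment describes for older clients.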
