One of the main disadvantages of FTP for file transfer is the lack of any protection or encryption for the transferred data. When connecting to an FTP server, the username and password are also sent in clear text. To transfer data (especially over public communication channels), it is recommended to use more secure protocols, such as FTPS or SFTP. Let’s see how to configure an FTPS server on Windows Server 2012 R2.
The FTPS protocol (FTP over SSL/TLS, FTP+SSL) is an extension of the standard FTP protocol in which the connection between the client and the server is protected (encrypted) using SSL/TLS. As a rule, the same port 21 is used for the connection.
FTP over SSL support appeared in IIS 7.0 (Windows Server 2008). To make an FTPS server work, you will have to install an SSL certificate on your IIS server.
Installation of the FTP Server Role
The installation of the FTP server role in Windows Server 2012 is straightforward and has already been described.
How to Generate and Install an SSL Certificate in IIS
Then open the IIS Manager console, select a server and go to the Server Certificates section.
In this section you can import a certificate, create a certificate request, renew a certificate or create a self-signed certificate. For demonstration purposes, let’s create a self-signed certificate. (It can also be created using the New-SelfSignedCertificate cmdlet.) When clients connect to the service, a warning that the certificate is issued by an untrusted CA will appear. To suppress this warning for this certificate, add it to the list of trusted certificates using GPO.
Select Create Self-Signed Certificate.
In the Create Certificate wizard, specify its name and select Web Hosting type of the certificate.
A new self-signed certificate will appear in the list of available certificates. This certificate will expire in 1 year.
How to Create an FTP Site with SSL Support
Then you have to create an FTP site. In the IIS Manager console, right-click Sites and create a new FTP site (Add FTP Site).
Specify its name and the path to the root directory of the FTP site (in our case, it is the default path C:\inetpub\ftproot).
In the next window of the wizard, select the certificate you have created in the SSL certificates section.
Now you only have to select the type of authentication and user access permissions.
Click Finish in the wizard window. By default, SSL protection is mandatory and used to encrypt both management commands and transferred data.
FTPS and Firewalls
The FTP protocol uses two separate TCP connections: one for commands and one for data. A new TCP port is opened for each data transfer, and its number is chosen by the client or the server. Most firewalls can inspect FTP traffic, read the negotiated port from the command channel and automatically open the necessary ports. With a protected FTPS connection the traffic is encrypted and cannot be inspected, so the firewall cannot determine which port has to be opened for the data transfer.
To avoid opening the whole range of TCP ports 1024-65535 towards the FTPS server from outside, you can restrict the range of data channel ports the FTP server uses. The range is set in the site settings in the FTP Firewall Support section of IIS Manager.
After the range of ports has been changed, restart the service (iisreset).
The following rules are responsible for the incoming traffic in the Windows Firewall:
- FTP Server (FTP Traffic-In)
- FTP Server Passive (FTP Passive Traffic-In)
- FTP Server Secure (FTP SSL Traffic-In)
So you will have to open ports 21, 990 and 50000-50100 (the data port range you selected) on the front firewall.
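The same configuration can be scripted. The following PowerShell is an added example, not code from the original article, and uses the IIS WebAdministration and NetSecurity modules available on Windows Server 2012 R2; the site name, DNS name, external IP address and port range are assumed values.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
Import-Module WebAdministration
Import-Module NetSecurity

$SiteName   = 'FTPS Site'              # assumed
$RootPath   = 'C:\inetpub\ftproot'
$DnsName    = 'ftps.example.local'     # assumed; must match the name clients connect to
$ExternalIp = '203.0.113.10'           # assumed public IP of the front firewall (documentation range)
$LowPort, $HighPort = 50000, 50100

# 1. Self-signed certificate (same as "Create Self-Signed Certificate" in IIS Manager).
#    Use a CA-issued certificate for anything beyond a lab.
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. FTP site listening on port 21
New-WebFtpSite -Name $SiteName -Port 21 -PhysicalPath $RootPath -Force | Out-Null
$sitePath = "IIS:\Sites\$SiteName"

# 3. Bind the certificate and require TLS on both the control and the data channel
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertStoreName  -Value 'My'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslRequire'

# 4. Basic authentication only (credentials travel inside TLS), read-only access for all authenticated users
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $SiteName `
    -Value @{ accessType = 'Allow'; users = '*'; permissions = 'Read' }

# 5. Passive data channel port range (server-wide) and the external address returned to clients
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter system.ftpServer/firewallSupport -Name lowDataChannelPort  -Value $LowPort
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter system.ftpServer/firewallSupport -Name highDataChannelPort -Value $HighPort
Set-ItemProperty $sitePath -Name ftpServer.firewallSupport.externalIp4Address -Value $ExternalIp

# 6. Enable the built-in Windows Firewall rules listed above and restart IIS so the port range takes effect
Enable-NetFirewallRule -DisplayGroup 'FTP Server'
iisreset | Out-Null

# Verification: both policies must read SslRequire and the hash must match the new certificate
Get-ItemProperty $sitePath -Name ftpServer.security.ssl |
    Select-Object controlChannelPolicy, dataChannelPolicy, serverCertHash
```

The ports 50000-50100 still have to be forwarded on the front firewall to the server; the script only configures the server side.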
How to Test FTP over SSL Connection
To test an FTPS connection, let’s use FileZilla.
- Start FileZilla (or any other client supporting FTPS).
- Click File > Site Manager, and create a new connection (New Site).
- Specify the FTPS server address (Host), the protocol type (Require explicit FTP over TLS), the user name (User) and the logon type (Ask for password).
- Click Connect and enter your password.
- A warning about the untrusted certificate will appear (if you use a self-signed certificate). Confirm the connection.
- The connection has to be established, and the following entries will appear in the log:
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
- This means that the secure connection is established and you can transfer files using the FTPS protocol.