Posted on July 7, 2016 · Posted in Windows Server 2012 R2

FTP over SSL (FTPS) on Windows Server 2012 R2

One of the main disadvantages of FTP for file transfer is that it offers no protection or encryption for the transferred data. When connecting to an FTP server, the username and password are also sent in clear text. To transfer data (especially over public networks), it is recommended to use more secure protocols such as FTPS or SFTP. Let’s see how to configure an FTPS server on Windows Server 2012 R2.

FTPS (FTP over SSL/TLS, FTP+SSL) is an extension of the standard FTP protocol in which the connection between the client and the server is protected (encrypted) using SSL/TLS. As a rule, the same port 21 is used for the connection.

Note. Do not confuse FTPS with SFTP (Secure FTP or SSH FTP). The latter is an extension of the SSH protocol and has nothing in common with FTP.

FTP over SSL support appeared in IIS 7.0 (Windows Server 2008). For an FTPS server to work, you have to install an SSL certificate on the IIS server.

Installation of the FTP Server Role

Installing the FTP server role on Windows Server 2012 doesn’t cause any problems and has already been described.

How to Generate and Install an SSL Certificate in IIS

Then open the IIS Manager console, select the server and go to the Server Certificates section.

Server Certificates settings in IIS Manager console

In this section you can import a certificate, create a certificate request, renew a certificate or create a self-signed certificate. For demonstration purposes, let’s create a self-signed certificate. (It can also be created with the New-SelfSignedCertificate cmdlet.) When connecting to the service, a warning that the certificate is issued by an untrusted CA will appear. To suppress this warning for this certificate, add it to the list of trusted certificates using GPO.

Select Create Self-Signed Certificate.

IIS Create Self-Signed Certificate

In the Create Self-Signed Certificate wizard, specify a friendly name and select the Web Hosting certificate store.

web hosting certificate template

The new self-signed certificate appears in the list of available certificates. It expires in 1 year.

ftp over ssl certificate

How to Create an FTP Site with SSL Support

Now create the FTP site. In the IIS Manager console, right-click Sites and select Add FTP Site.

add ftp site in iis

Specify its name and the path to the root directory of the FTP site (in our case the default path, C:\inetpub\ftproot).

ftp site name and physical path

In the next window of the wizard, select the certificate you have created in the SSL Certificate section.

bind ssl certificate to ftp site

Now you only have to select the authentication type and the user access permissions.

Tip. If each user should have their own FTP root folder, see the guide How to create an FTP server with user isolation.

Click Finish in the wizard window. By default, SSL is required and is used to encrypt both the control commands and the transferred data.
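The same steps (self-signed certificate, FTP site, certificate binding, mandatory SSL on both channels, authentication and authorization) can be scripted with the WebAdministration module. The following is an added example and not code from the original article; the host name ftps.example.local, the site name "FTPS Site" and the local group "FTPS Users" are assumptions, and New-SelfSignedCertificate is used with only the parameters available on Windows Server 2012 R2 (the resulting certificate is valid for one year, as in the wizard).

```powershell
# Added example (not from the original article): scripted equivalent of the
# IIS Manager steps above. Requires an elevated PowerShell with the FTP role installed.
Import-Module WebAdministration

$siteName = 'FTPS Site'              # assumed site name
$hostName = 'ftps.example.local'     # assumed DNS name clients will connect to
$rootPath = 'C:\inetpub\ftproot'     # default FTP root used in the article
$ftpGroup = 'FTPS Users'             # assumed local group that is allowed to log in

# 1. Self-signed certificate in the machine store. On Server 2012 R2 the cmdlet
#    only accepts -DnsName and -CertStoreLocation; validity defaults to one year.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'

if (-not (Test-Path $rootPath)) { New-Item -ItemType Directory -Path $rootPath | Out-Null }

# 2. Create the FTP site; port 21 is the control channel (explicit FTPS, AUTH TLS).
New-WebFtpSite -Name $siteName -Port 21 -PhysicalPath $rootPath -IPAddress '*' -Force | Out-Null
$sitePath = "IIS:\Sites\$siteName"

# 3. Bind the certificate and require TLS on the control channel (credentials) and the
#    data channel (file contents). This is what the wizard's default "Require SSL" does.
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertStoreName  -Value 'My'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslRequire'

# 4. Basic authentication only (the password is protected by TLS); no anonymous access.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# 5. Authorization rule: only members of the assumed group get read and write access.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; roles = $ftpGroup; permissions = 'Read,Write' }

# 6. Show the effective SSL policy so it can be verified before the site is exposed.
Get-ItemProperty $sitePath -Name ftpServer.security.ssl |
    Select-Object controlChannelPolicy, dataChannelPolicy, serverCertHash
```

Both channel policies should read SslRequire in the last command's output; a value of SslAllow would let a client fall back to plain-text FTP and defeat the purpose of the setup.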

FTPS and Firewalls

The FTP protocol uses two separate TCP connections: one for command transfer (the control channel) and another for data transfer. For each data transfer an individual TCP port is opened, its number chosen by the client or the server. Most firewalls can inspect FTP traffic and, after parsing it, automatically open the necessary ports. Over a protected FTPS connection the transferred data is encrypted and cannot be inspected, so the firewall cannot determine which port has to be opened for the data transfer.

To avoid opening the whole range of TCP ports 1024-65535 to the FTPS server from outside, you can restrict the range of ports the FTP server uses for data connections. The range is specified in the IIS settings in the FTP Firewall Support section.

After changing the port range, restart the service (iisreset).

FTP Firewall port range

The following inbound rules in Windows Firewall are responsible for FTP traffic:

  • FTP Server (FTP Traffic-In)
  • FTP Server Passive (FTP Passive Traffic-In)
  • FTP Server Secure (FTP SSL Traffic-In)

So on the front firewall you will have to open ports 21, 990 and the data port range you selected (50000-50100 in this example).
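The firewall-related settings above can also be applied from PowerShell. This is an added example, not code from the original article: it sets the passive data port range 50000-50100, the external address IIS should announce in PASV replies (the documentation address 203.0.113.10 is a placeholder), restarts the FTP service so the new range takes effect, and tightens the built-in Windows Firewall rules so that only the chosen range is reachable on the host. The site name "FTPS Site" is assumed.

```powershell
# Added example (not from the original article): FTP Firewall Support settings and
# matching Windows Firewall rules. Run in an elevated PowerShell on the FTPS server.
Import-Module WebAdministration

$lowPort    = 50000
$highPort   = 50100
$externalIp = '203.0.113.10'     # placeholder: public address of the front firewall/NAT
$siteName   = 'FTPS Site'        # assumed site name

# The data channel port range is a server-level setting in IIS (FTP Firewall Support
# at the server node); every FTP site on this server will use it for passive transfers.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' `
    -Name lowDataChannelPort  -Value $lowPort
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' `
    -Name highDataChannelPort -Value $highPort

# The external address is a per-site setting. Because the control channel is encrypted,
# a NAT device cannot rewrite the PASV reply, so IIS has to put the public address in itself.
Set-ItemProperty "IIS:\Sites\$siteName" -Name ftpServer.firewallSupport.externalIp4Address -Value $externalIp

# The FTP service reads the port range at start-up; restarting ftpsvc is the targeted
# alternative to the iisreset mentioned in the article.
Restart-Service ftpsvc

# Windows Firewall: make sure the three built-in rules listed above are enabled
# (control channel on 21, passive data, and implicit FTPS on 990).
Enable-NetFirewallRule -DisplayGroup 'FTP Server'

# The built-in passive rule admits the whole 1024-65535 range to the FTP service.
# Replace it with a rule limited to the configured range, still scoped to ftpsvc,
# so the host-level policy matches what the front firewall is asked to open.
Disable-NetFirewallRule -DisplayName 'FTP Server Passive (FTP Passive Traffic-In)'
New-NetFirewallRule -DisplayName 'FTPS Passive Data Ports (restricted)' `
    -Direction Inbound -Protocol TCP -LocalPort "$lowPort-$highPort" `
    -Program '%SystemRoot%\system32\svchost.exe' -Service ftpsvc -Action Allow -Profile Any

# Verify what IIS will actually use.
Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
```

Keep the range identical on the server, on the Windows Firewall rule and on the front firewall: if the front firewall opens a different range than the one IIS announces, directory listings and transfers will hang after the TLS handshake while the login itself succeeds.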

How to Test FTP over SSL Connection

To test the FTPS connection, let’s use FileZilla.

  1. Start FileZilla (or any other client supporting FTPS).
  2. Click File > Site Manager, and create a new connection (New Site).
    FileZilla testing FTP over SSL connection
  3. Specify the FTPS server address (Host), the protocol type (Require explicit FTP over TLS), the user name (User) and that a password must be entered to authenticate (Ask for password).
  4. Click Connect and enter your password.
  5. A warning about the untrusted certificate will appear (when using a self-signed certificate). Confirm the connection.
    FileZilla untrusted cert
  6. The connection should be established, and the following entries appear in the log:
    Status: Initializing TLS...
    Status: Verifying certificate...
    Status: TLS connection established.
  7. This means that the secure connection is established and you can transfer files over FTPS.
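The same check can be scripted without a GUI client, which is useful for monitoring the server after changes. The following is an added example, not code from the original article: it uses the .NET FtpWebRequest class with EnableSsl set, which performs explicit FTPS (AUTH TLS on port 21) exactly as the FileZilla "Require explicit FTP over TLS" setting does. The server name ftps.example.local and the account ftpuser are placeholders.

```powershell
# Added example (not from the original article): scripted explicit-FTPS check.
# Returns an object describing whether TLS was established and the listing succeeded.
function Test-FtpsConnection {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 21
    )

    $request = [System.Net.FtpWebRequest]::Create("ftp://${HostName}:${Port}/")
    $request.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $request.Credentials = $Credential.GetNetworkCredential()
    $request.EnableSsl   = $true     # explicit FTPS: AUTH TLS is sent before USER/PASS
    $request.UsePassive  = $true     # data connection uses the server's passive port range
    $request.Timeout     = 10000     # milliseconds

    try {
        $response = $request.GetResponse()
        $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
        $listing  = $reader.ReadToEnd()
        $reader.Close()
        $response.Close()
        [pscustomobject]@{
            Host           = $HostName
            TlsEstablished = $true
            Entries        = @($listing -split "`r?`n" | Where-Object { $_ }).Count
            Error          = $null
        }
    }
    catch [System.Net.WebException] {
        # A self-signed certificate the client does not trust ends up here with a
        # "could not establish trust relationship" message. The fix is to import the
        # server certificate into the client's Trusted Root store (manually or via GPO,
        # as the article suggests), not to bypass certificate validation in the script.
        [pscustomobject]@{
            Host           = $HostName
            TlsEstablished = $false
            Entries        = 0
            Error          = $_.Exception.Message
        }
    }
}

# Usage: prompts for the password so it never appears in the script or the history.
$cred = Get-Credential -UserName 'ftpuser' -Message 'FTPS account'   # placeholder account
Test-FtpsConnection -HostName 'ftps.example.local' -Credential $cred
```

A result with TlsEstablished set to $true and a non-zero Entries count corresponds to the "TLS connection established" lines in the FileZilla log plus a successful passive data transfer; a login that succeeds but then times out on the listing usually points at the passive port range not being open on the front firewall.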
