Windows OS Hub

July 7, 2016 Windows Server 2012 R2

FTP over SSL (FTPS) on Windows Server 2012 R2

One of the main disadvantages of FTP for file transfer is that it neither protects nor encrypts the transferred data. When you connect to an FTP server, the username and password are also sent in clear text. To transfer data (especially over public communication channels), it is recommended to use more secure protocols, like FTPS or SFTP. Let’s see how to configure an FTPS server on Windows Server 2012 R2.

The FTPS protocol (FTP over SSL/TLS, FTP+SSL) is an extension of the standard FTP protocol in which the connection between a client and a server is protected (encrypted) using SSL/TLS. As a rule, the same port 21 is used for the connection.

Note. Do not confuse FTPS with SFTP (Secure FTP or SSH FTP). The latter is an extension of the SSH protocol and has nothing in common with FTP.

Contents:
  • Installation of the FTP Server Role
  • How to Generate and Install an SSL Certificate in IIS
  • How to Create an FTP Site with SSL Support
  • FTPS and Firewalls
  • How to Test FTP over SSL Connection

FTP over SSL support appeared in IIS 7.0 (Windows Server 2008). To make an FTPS server work, you will have to install an SSL certificate on your IIS server.

Installation of the FTP Server Role

The installation of the FTP server role in Windows Server 2012 doesn’t cause any problems and has already been described.

How to Generate and Install an SSL Certificate in IIS

Then open the IIS Manager console, select a server and go to the Server Certificates section.

Server Certificates settings in IIS Manager console

In this section you can import a certificate, create a certificate request, update a certificate or create a self-signed certificate. For demonstration purposes, let’s create a self-signed certificate. (It can also be created using the New-SelfSignedCertificate cmdlet.) When a client connects to the service, a warning that the certificate is issued by an untrusted CA will appear. To disable this warning for this certificate, add it to the list of trusted certificates using GPO.

Select Create Self-Signed Certificate.

IIS Create Self-Signed Certificate

In the Create Certificate wizard, specify the certificate name and select the Web Hosting certificate store.

web hosting certificate template

A new self-signed certificate will appear in the list of available certificates. This certificate will expire in 1 year.

ftp over ssl certificate

How to Create an FTP Site with SSL Support

Then you have to create an FTP site. In the IIS Manager console, right-click Sites and create a new FTP site (Add FTP).

add ftp site in iis

Specify its name and the path to the root directory of the FTP site (in our case, it is the default path C:\inetpub\ftproot).

ftp site name and physical path

In the next window of the wizard, select the certificate you have created in the SSL certificates section.

bind ssl certificate to ftp site

Now you only have to select the type of authentication and user access permissions.

Tip. If each user must have their own FTP root folder, you can use the manual How to create an FTP server with user isolation.

Click Finish in the wizard window. By default, SSL protection is mandatory and used to encrypt both management commands and transferred data.
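The certificate and site steps above can also be scripted. The following is an added example, not part of the original article; it assumes Windows PowerShell on the IIS server with the WebAdministration module, and the site name, host name and group name are hypothetical. New-SelfSignedCertificate on Windows Server 2012 R2 places the certificate in the Personal (My) store rather than Web Hosting.

```powershell
# Added example: the names below are assumptions, not values from the article.
Import-Module WebAdministration

$siteName = 'FTPS-Demo'            # hypothetical site name
$ftpRoot  = 'C:\inetpub\ftproot'   # default root path used in the article
$dnsName  = 'ftp.example.test'     # hypothetical host name clients connect to
$ftpGroup = 'FtpUsers'             # hypothetical local group allowed to log on

# Self-signed certificate in the computer's Personal (My) store.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# FTP site on the standard control port.
New-WebFtpSite -Name $siteName -Port 21 -PhysicalPath $ftpRoot | Out-Null
$site = "IIS:\Sites\$siteName"

# Bind the certificate and require TLS on both the control and data channels,
# so neither credentials nor file contents can travel in clear text.
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertStoreName -Value 'MY'
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash -Value $cert.Thumbprint
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslRequire'

# Basic authentication for named accounts only; anonymous logons stay off.
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# Least privilege: members of the group get read access only.
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' `
    -Location $siteName `
    -Value @{ accessType = 'Allow'; roles = $ftpGroup; permissions = 'Read' }

# Read the effective SSL settings back to confirm what the site enforces.
(Get-Item $site).ftpServer.security.ssl |
    Select-Object controlChannelPolicy, dataChannelPolicy, serverCertHash
```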

FTPS and Firewalls

FTP uses two different TCP connections: one for commands and another for data transfer. For each data transfer channel, a separate TCP port is opened, and its number is selected by the client or the server. Most firewalls can inspect FTP traffic and, after analyzing it, automatically open the necessary ports. With a protected FTPS connection, the transferred data is encrypted and cannot be analyzed. As a result, a firewall cannot determine which port has to be opened for data transfer.

In order not to open the whole range of TCP ports 1024-65535 to an FTPS server from outside, you can specify the range of ports the FTP server uses. The range is specified in the IIS site settings in the FTP Firewall Support section.

After the range of ports has been changed, restart the service (iisreset).

FTP Firewall port range

The following rules are responsible for the incoming traffic in the Windows Firewall:

  • FTP Server (FTP Traffic-In)
  • FTP Server Passive (FTP Passive Traffic-In)
  • FTP Server Secure (FTP SSL Traffic-In)

So, you will have to open ports 21, 990 and 50000-50100 (the range of ports you select) on the front firewall.
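A scripted version of the port range and firewall steps, as an added example that is not part of the original article. It assumes the WebAdministration and NetSecurity modules on the server, uses the 50000-50100 range from the text, and restarts the FTP service (ftpsvc) directly; the name of the new firewall rule is hypothetical.

```powershell
# Added example: the new rule name is an assumption; the range is the article's.
Import-Module WebAdministration

$low  = 50000
$high = 50100

# Passive data channel range offered by the FTP service (server-level setting).
$filter = 'system.ftpServer/firewallSupport'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $filter -Name lowDataChannelPort  -Value $low
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $filter -Name highDataChannelPort -Value $high

# Restart the FTP service so the new range takes effect.
Restart-Service ftpsvc

# Report state and local ports of the three built-in inbound rules named above.
$ruleNames = 'FTP Server (FTP Traffic-In)',
             'FTP Server Passive (FTP Passive Traffic-In)',
             'FTP Server Secure (FTP SSL Traffic-In)'
foreach ($name in $ruleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning "Rule not found: $name"; continue }
    foreach ($rule in $rules) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
        '{0,-45} enabled={1} ports={2}' -f $name, $rule.Enabled, $ports
    }
}

# Inbound rule limited to the configured passive range.
New-NetFirewallRule -DisplayName "FTPS passive data ($low-$high)" `
    -Direction Inbound -Protocol TCP -LocalPort "$low-$high" -Action Allow | Out-Null
```

If the report shows the built-in passive rule covering more ports than the configured range, it can be disabled once the narrower rule is in place.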

How to Test FTP over SSL Connection

To test an FTPS connection, let’s use FileZilla.

  1. Start FileZilla (or any other client supporting FTPS).
  2. Click File > Site Manager, and create a new connection (New Site).
  3. Specify the FTPS server address (Host), protocol type (Require explicit FTP over TLS), user name (User) and the requirement to enter a password to authenticate (Ask for password).
  4. Click Connect and enter your password.
  5. The warning of the untrusted certificate will appear (in case of using a self-signed certificate). Confirm the connection.
  6. The connection has to be established, and the following entries will appear in the log:
    Status: Initializing TLS...
    Status: Verifying certificate...
    Status: TLS connection established.
  7. It means that the secure connection is established and you can transfer files using FTPS protocol.
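The same test can be run without a GUI client. This added example (not part of the original article) uses the .NET FtpWebRequest class from Windows PowerShell for an explicit FTPS connection and, instead of accepting any untrusted certificate, accepts only the server certificate whose thumbprint you supply. The host name is hypothetical and the thumbprint is a placeholder to be replaced with the value shown in IIS Manager.

```powershell
# Added example: host name and thumbprint are placeholders, not article values.
$ftpHost  = 'ftp.example.test'
$expected = '<SERVER-CERT-THUMBPRINT>'   # thumbprint of the certificate bound to the site
$cred     = Get-Credential               # prompts for the FTP user name and password

# Pin the self-signed certificate: accept it only if its thumbprint matches.
$previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($s, $certificate, $chain, $sslPolicyErrors)
    $certificate.GetCertHashString() -eq $expected
}

try {
    $request = [System.Net.FtpWebRequest]::Create("ftp://$ftpHost/")
    $request.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $request.EnableSsl   = $true    # explicit FTP over TLS on port 21
    $request.UsePassive  = $true    # data channel uses the server's passive range
    $request.Credentials = $cred.GetNetworkCredential()

    $response = $request.GetResponse()
    $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
    $listing  = $reader.ReadToEnd()  # reading the listing exercises the data channel
    $reader.Close()

    "Server replied: $($response.StatusDescription)"
    $listing
    $response.Close()
}
catch {
    # A thumbprint mismatch, a blocked passive port or a refused logon ends up here.
    Write-Warning "FTPS test failed: $($_.Exception.Message)"
}
finally {
    # Restore the process-wide validation callback.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
}
```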
