Differences

This shows you the differences between the selected revisions of the page.

guide_windows_ftps_server 2014-09-05 guide_windows_ftps_server 2023-10-19 (current)
Line 1: Line 1:
-~~NOINDEX~~ +====== Installing a secure FTP server on Windows using IIS ======
-====== Installing Secure FTP Server on Windows using IIS ======+
-You may want to install a secure FTP server on Windows either as standalone file storage or to have means of editing your website hosted on IIS (Internet Information Services) web server. In both cases, you can use an optional //%%FTP%% Server// component of the %%IIS%%. It can be installed standalone or along with a //Web Server//.+You may want to install a secure FTP server on Windows either as standalone file storage or to have means of editing your website hosted on IIS (Internet Information Services) web server. In both cases, you can use an optional //%%FTP%% Server// component of the %%IIS%%. It can be installed standalone or along with a //Web Server//.((This guide is partially based on article [[https://learn.microsoft.com/en-us/archive/blogs/mast/setting-up-a-passive-ftp-server-in-windows-azure-vm|Setting up a Passive FTP Server in Windows Azure VM]].))
===== Installing FTP Server ===== ===== Installing FTP Server =====
-==== On Windows Server 2012 ====+==== On Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 ====
  * In Windows //Server Manager// go to //Dashboard// and run //Manage > Add Roles and Features//.   * In Windows //Server Manager// go to //Dashboard// and run //Manage > Add Roles and Features//.
 +
 +~~AD~~
 +
  * In //Add Roles and Features// wizard:   * In //Add Roles and Features// wizard:
    * Proceed to //Installation Type// step and confirm //Role-based or feature-based installation//.     * Proceed to //Installation Type// step and confirm //Role-based or feature-based installation//.
-    * Proceed to //Server Roles// step and check //Web Server (%%IIS%%)// role. Note that it is checked already, if you had IIS installed as a Web Server previously. Confirm installing //%%IIS%% Management Console// tool. +    * Proceed to //Server Roles// step and check //Web Server (%%IIS%%)// role. Note that it is checked already, if you had IIS installed as a Web Server previously. If your are prompted to install //%%IIS%% Management Console// tool, confirm it
-    * Proceed to //Role Services// step and check //FTP Server// role service. Uncheck //Web Server// role service, if you do not need it.+    * Proceed to //Web Server Role (%%IIS%%) > Role Services// step and check //%%FTP%% Server// role service. Uncheck //Web Server// role service, if you do not need it.
    * Proceed to the end of the wizard and click //Install//.     * Proceed to the end of the wizard and click //Install//.
    * Wait for the installation to complete.     * Wait for the installation to complete.
-&screenshotpict(iis_install_win2012)+&screenshotpict(iis_install_win2016) 
 + 
 +&win2016 &win2012
-&win2012+Skip to the [[#opening_iis_manager|next step]].
==== On Windows Server 2008 R2 ==== ==== On Windows Server 2008 R2 ====
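Review bot: The rewritten //Server Roles// bullet contains a typo and loses its terminal period: "If your are prompted to install ... tool, confirm it" should read "If you are prompted to install the IIS Management Console tool, confirm it." The heading now names four server versions, but the tags under the screenshot are only "&win2016 &win2012"; either extend the tags or state which version the screenshot was taken on.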
Line 27: Line 31:
  * In //Add Roles// wizard:   * In //Add Roles// wizard:
    * Proceed to //Server Roles// step and check //Web Server (%%IIS%%)// role.     * Proceed to //Server Roles// step and check //Web Server (%%IIS%%)// role.
-    * Proceed to //Role Services// step and check //FTP Server > %%FTP%% Service// role service. Uncheck //Web Server// role service, if you do not need it. Make sure //Management Service > %%IIS%% Management Console// role service is checked.+    * Proceed to //Role Services// step and check //%%FTP%% Server > %%FTP%% Service// role service. Uncheck //Web Server// role service, if you do not need it. Make sure //Management Service > %%IIS%% Management Console// role service is checked.
    * Proceed to the end of the wizard and click //Install//.     * Proceed to the end of the wizard and click //Install//.
    * Wait for the installation to complete.     * Wait for the installation to complete.
Line 45: Line 49:
&win2008r2 &win2008r2
-==== On Windows Desktop (8, 7 and Vista) ====+Skip to the [[#opening_iis_manager|next step]].
-··* Go to //Control Panel > Programs > Program and Features > Turn Windows features on or off//. &wincp+==== On Windows Desktop (Windows 11, Windows 10, Windows 8, Windows 7 and Windows Vista) ==== 
 + 
 +··* Go to //Control Panel > Programs > Programs and Features > Turn Windows features on or off//. &wincp
  * On a //Windows Features// window:   * On a //Windows Features// window:
    * Expand //Internet Information Services > %%FTP%% Server// and check //%%FTP%% Service//.     * Expand //Internet Information Services > %%FTP%% Server// and check //%%FTP%% Service//.
Line 54: Line 60:
    * Wait for the installation to complete.     * Wait for the installation to complete.
-&screenshotpict(iis_install_win7)+&screenshotpict(iis_install_win10)
-&winvista &win7 &win8+&winvista &win7 &win8 &win10 &win11
-===== Opening IIS Manager =====+===== [[opening_iis_manager]] Opening IIS Manager =====
-  * Go to //Control Panel > System and Security > Administrative Tools// and open //Internet Information Services (%%IIS%%) Manager//. &wincp+  * Go to //Control Panel > System and Security > Administrative Tools// (//Windows Tools// on Windows 11) and open //Internet Information Services (%%IIS%%) Manager//. &wincp
  * Navigate to your Windows server node.   * Navigate to your Windows server node.
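Review bot: The parenthetical "(Windows Tools on Windows 11)" added to the first bullet has no "&win11" tag, while the same parenthetical in the new //Restarting FTP Service// section is followed by "&win11"; make the two occurrences consistent.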
Line 67: Line 73:
===== [[certificate]] Creating Certificate for the FTPS Server ===== ===== [[certificate]] Creating Certificate for the FTPS Server =====
-You need a TLS/SSL certificate to secure your FTPS server. Ideally you should acquire the certificate from a certificate authority.+You need a TLS/SSL certificate to secure your FTP server. Ideally, you should acquire the certificate from a certificate authority.
-You may also create a self-signed certificate locally, but in such case users of your FTPS server [[ftps#certificate|will be warned]], when connecting to the server.+You may also create a self-signed certificate locally, but in such case users of your FTPS server [[tls#certificate|will be warned]], when connecting to the server.
To create the self-signed certificate: To create the self-signed certificate:
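Review bot: The first changed sentence now says "secure your FTP server", while the next sentence, also edited in this hunk, still says "users of your FTPS server"; use one term in both so the reader does not wonder whether two different servers are meant.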
Line 76: Line 82:
  * Click on //Create Self-Signed Certificate// action.   * Click on //Create Self-Signed Certificate// action.
  * Specify a certificate name (e.g. "%%FTP%% Server") and submit with //OK//.   * Specify a certificate name (e.g. "%%FTP%% Server") and submit with //OK//.
- 
-//Note that [[guide_microsoft_azure#windows|Microsoft Azure Windows servers]] come with self-signed certificate, so you do not need to acquire one.// 
&screenshotpict(iis_certificates) &screenshotpict(iis_certificates)
-===== [[firewall]] Servers behind Firewall/NAT =====+Self-signed certificates created by old versions of %%IIS%% Manager do not work with %%FTPS%% clients that check for key usage violations.((E.g. clients that use GnuTLS, like FileZilla, do not accept certificates created by IIS on Windows 10 and Windows Server 2019 and older.)) To create a certificate with a correct key usage, use ''[[ps>pki/new-selfsignedcertificate|New-SelfSignedCertificate]]'' PowerShell as an Administrator:
-If your server is behind a firewall/NAT, you need to tell the FTP server its external IP address, to allow passive mode connections.+<code powershell> 
 +New-SelfSignedCertificate -FriendlyName "FTP Server" -CertStoreLocation cert:\localmachine\my -DnsName ftp.example.com  
 +</code> 
 + 
 +===== [[firewall]] Servers behind external Firewall/NAT ===== 
 + 
 +If your server is behind an external firewall/NAT, you need to tell the FTP server its external IP address, to allow passive mode connections.
  * In //%%IIS%% Manager//, open //%%FTP%% > %%FTP%% Firewall Support//.   * In //%%IIS%% Manager//, open //%%FTP%% > %%FTP%% Firewall Support//.
-  * Specify your server's external IP address.+  * Specify your server's external IP address. \\ For [[guide_azure_ftps_server|Microsoft Azure Windows servers]] you will find the external IP address in //Public IP address// section of the virtual machine page.
-When behind an external firewall, you need to open ports for data connections (obviously in addition to opening an %%FTP%% port 21 and possibly an implicit SSL %%FTP%% port 990). You won't probably want to open whole default port range 1024-65535. In such case, you need to tell the %%FTP%% server to use only the range that is opened on the firewall. Use a //Data Channel Port Range// box for that.+When behind an external firewall, you need to open ports for data connections (obviously in addition to opening an %%FTP%% port 21 and possibly an implicit TLS/SSL %%FTP%% port 990). You won't probably want to open whole default port range 1024-65535. In such case, you need to tell the %%FTP%% server to use only the range that is opened on the firewall. Use a //Data Channel Port Range// box for that. Any time you change this range, you will need to [[#restart|restart FTP service]]. //Learn how to [[guide_azure_ftps_server#firewall|open ports on Microsoft Azure]].//
Click //Apply// action to submit your settings. Click //Apply// action to submit your settings.
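Review bot: The added New-SelfSignedCertificate command passes "-DnsName ftp.example.com" without saying it is a placeholder, so a reader who pastes it gets a certificate issued to the wrong name; state that it must be replaced with the hostname clients will connect to. The sentence introducing it is also missing a word ("use New-SelfSignedCertificate PowerShell as an Administrator" reads better as "use the New-SelfSignedCertificate cmdlet in PowerShell run as an Administrator"), and the footnote "Windows 10 and Windows Server 2019 and older" leaves it unclear whether "and older" applies to both systems.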
Line 96: Line 106:
Some external firewalls are able to monitor %%FTP%% control connection and automatically open and close the data connection ports as needed. So you do not need to have whole port range opened all the time, even when not in use. This won't work with the secure FTPS as the control connection is encrypted and the firewall cannot monitor it. Some external firewalls are able to monitor %%FTP%% control connection and automatically open and close the data connection ports as needed. So you do not need to have whole port range opened all the time, even when not in use. This won't work with the secure FTPS as the control connection is encrypted and the firewall cannot monitor it.
-An internal Windows firewall is automatically configured to open ports 21, 990 and 1024-65535 when %%IIS%% %%FTP%% server is installed. Should you want to verify or change this, go to //Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules// and locate three "%%FTP%% server" rules. &wincp+===== [[window_firewall]] Windows Firewall Rules ===== 
 + 
 +An internal Windows firewall is automatically configured with rules for the ports 21, 990 and 1024-65535 when %%IIS%% %%FTP%% server is installed. 
 + 
 +The rules are not enabled initially on some versions of Windows.((The rules are enabled initially on Windows Server 2016 and newer.)) &win2016 To enable or change the rules, go to //Control Panel > System and Security > Windows Defender Firewall//((//Windows Firewall// on older versions of Windows.))// > Advanced Settings > Inbound Rules// &wincp &win10 &win11 and locate three "%%FTP%% server" rules. &wincp If the rules are not enabled, click on //Actions > Enable Rule//. 
 + 
 +===== [[restart]] Restarting FTP Service ===== 
 + 
 +While the internal Windows firewall is automatically configured to open FTP ports when %%FTP%% server is installed, this change does not seem to apply, until %%FTP%% service is restarted. The same is true for changing data channel port range. 
 + 
 +To restart %%FTP%% service go to //Control Panel > System and Security > Administrative Tools// (//Windows Tools// on Windows 11) &win11 and open //Services//. Locate //Microsoft %%FTP%% Service// and click //Restart service//.((Try restarting whole system, if a service restart does not help.)) &wincp
===== Adding FTP Site ===== ===== Adding FTP Site =====
==== To a Web Site ==== ==== To a Web Site ====
-If you want to add FTP server to manage your web site remotely, locate your web site node in //%%IIS%% Manager// and:+If you want to add FTP server to manage your existing web site remotely, locate your web site node in //%%IIS%% Manager// and:
  * Click //Add %%FTP%% Publishing// action.   * Click //Add %%FTP%% Publishing// action.
  * In //Add %%FTP%% Site Publishing// wizard:   * In //Add %%FTP%% Site Publishing// wizard:
    * On an initial //Binding and SSL Settings// step, select //Require %%SSL%%// to disallow non-encrypted connections and select your certificate.     * On an initial //Binding and SSL Settings// step, select //Require %%SSL%%// to disallow non-encrypted connections and select your certificate.
-    * On //Authentication and Authorization Information// step, select //Basic// authentication and make sure //Anonymous// authentication is not selected. Select which users (Windows accounts) you allow to connect to the server with what permissions. You can choose //All users// or select only one. Do not select //Anonymous users//.+    * On //Authentication and Authorization Information// step, select //Basic// authentication and make sure //Anonymous// authentication is not selected. Select which users (Windows accounts) you allow to connect to the server with what permissions. You can choose //All users// or select only some. Do not select //Anonymous users//.
    * Submit with //Finish// button.     * Submit with //Finish// button.
-Your secure FTPS server is now running and can be [[guide_windows_ftps_server#connect|connected to]].+Your secure FTPS server is now running and can be [[#connect|connected to]].
&screenshotpict(iis_authentication) &screenshotpict(iis_authentication)
-==== Standalone FTP Site ====+==== [[standalone_ftp_site]] Standalone FTP Site ====
If you want to add a standalone FTP server to store/exchange files, locate //Sites// node (folder) of your Windows server in //%%IIS%% Manager// and: If you want to add a standalone FTP server to store/exchange files, locate //Sites// node (folder) of your Windows server in //%%IIS%% Manager// and:
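Review bot: The new //Windows Firewall Rules// section has readers enable the built-in rules for ports 21, 990 and 1024-65535, while the preceding section advises against opening the whole 1024-65535 range and has them set a narrower //Data Channel Port Range//; since the text already says the rules can be changed, add a sentence suggesting the inbound rule be narrowed to the same range. The anchor "window_firewall" looks like a typo for "windows_firewall", and "&wincp" appears twice in the same paragraph.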
Line 121: Line 141:
    * On an initial //Site Information// step, give a name to your %%FTP%% site (if it's the only site you are going to have, simple "%%FTP%% site" suffice) and specify a path to a folder on your server's disk that is going to be accessible using %%FTP%%.     * On an initial //Site Information// step, give a name to your %%FTP%% site (if it's the only site you are going to have, simple "%%FTP%% site" suffice) and specify a path to a folder on your server's disk that is going to be accessible using %%FTP%%.
    * On a //Binding and SSL Settings// step, select //Require %%SSL%%// to disallow non-encrypted connections and select your certificate.     * On a //Binding and SSL Settings// step, select //Require %%SSL%%// to disallow non-encrypted connections and select your certificate.
-    * On //Authentication and Authorization Information// step, select //Basic// authentication and make sure //Anonymous// authentication is not selected. Select which users (Windows accounts) you allow to connect to the server with what permissions. You can choose //All users// or select only one. Do not select //Anonymous users//.+    * On //Authentication and Authorization Information// step, select //Basic// authentication and make sure //Anonymous// authentication is not selected. Select which users (Windows accounts) you allow to connect to the server with what permissions. You can choose //All users// or select only some. Do not select //Anonymous users//.
    * Submit with //Finish// button.     * Submit with //Finish// button.
-Your secure FTPS server is now running and can be [[guide_windows_ftps_server#connect|connected to]].+Your secure FTPS server is now running and can be [[#connect|connected to]].
===== [[connect]] Connecting to Your FTPS Server ===== ===== [[connect]] Connecting to Your FTPS Server =====
 +
 +//For connecting to a Microsoft Azure Windows instance, see a specific [[guide_microsoft_azure#windows|guide]].//
Start WinSCP. [[ui_login|Login Dialog]] will appear. On the dialog: Start WinSCP. [[ui_login|Login Dialog]] will appear. On the dialog:
-  * Select //FTP// protocol and //TLS Explicit encryption//. +  * Select //FTP// protocol and //TLS/SSL Explicit encryption//. 
-  * Enter your Windows server hostname to //Host name// field.  Avoid using an IP address to allow WinSCP to verify that the host name matches with host the server's certificate was issued to (not applicable to self-signed certificates). +  * Enter your Windows server hostname to //Host name// field.  Avoid using an IP address to allow WinSCP to verify that the hostname matches with host the server's certificate was issued to (not applicable to self-signed certificates). 
-  * Specify username and password of Windows account you want to connect with (when using domain accounts, you need to specify full username with format ''domain\username'').+  * Specify username and password for Windows account you want to connect with (when using domain accounts, you need to specify a full username with format ''domain\username'').
  * You may want to [[session_configuration#site|save your session details]] to a site so you do not need to type them in every time you want to connect. Press //Save// button and type site name.   * You may want to [[session_configuration#site|save your session details]] to a site so you do not need to type them in every time you want to connect. Press //Save// button and type site name.
  * Press //Login// to connect.   * Press //Login// to connect.
 +  * If you are using [[#certificate|self-signed certificate]], you will be prompted to [[tls#certificate|accept it]].
&screenshotpict(iis_login) &screenshotpict(iis_login)
-===== Further Reading ===== +===== Further reading ===== 
-  * [[guide_connect|Connecting to FTP server]].+  * [[guide_azure_ftps_server|*]]; 
 +  * [[guide_windows_openssh_server|*]]; 
 +  * [[guide_upload|*]]; 
 +  * [[guide_automation|*]].
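Review bot: The added bullet "If you are using self-signed certificate, you will be prompted to accept it" gives the reader no basis for that decision; suggest adding that the certificate's fingerprint shown in the prompt should be compared with that of the certificate created on the server before accepting. The new Azure note also links to "guide_microsoft_azure#windows", whereas the other Azure links added in this revision point to "guide_azure_ftps_server"; check that the older target is still intended.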

Last modified: by martin