This is for a very specific purpose

In this article I describe how (and why) I created two FTP servers on a Windows machine with IIS installed, and running on an Azure VM.

First a bit about the why. I did this to create a public FTP server that allowed anonymous logon, and provided a download service for the program files that my company provides. This is a very simple facility, with no authentication of users, and no user identities, and providing only read-only access to the files.

But I also wanted to be able to upload new versions of my program to the FTP server, instead of having to log on to the VM with RDP and do copy-and-paste of the new files. So for one specific user (me) I wanted read-write access to the FTP server's files. And I wanted to ensure that nobody else (i.e., those nasty hackers) would be able to gain access as me and upload anything. (Worst case would be that a hacker succeeded in replacing my program files with a modified version containing malware.) And I wanted to avoid the use of any insecure authentication technique for ensuring that only the real me could log on as me, so anything involving a cleartext password was not acceptable.

I considered using FTPS, but I'm a great believer in KISS (keep it simple, stupid!) and instead came up with a somewhat kludgy setup with two FTP server instances. The first one, as described above, involves no authentication and only provides read-only access to the files. The second one also involves no authentication and provides read-write access to the files, but access to the second FTP server is only allowed by Azure's networking rules from the fixed IP addresses belonging to my company. Yes, somewhat kludgy, but it works. Be clear about what this means: the second server itself never checks who is connecting, so the Azure rule is the only thing standing between the internet and write access to the files, and anybody sitting on one of the allowed company addresses has that write access.

Despite the fact that this article focuses on my very specific requirements, there may be some information of interest for other setups of an FTP server on an IIS system, and/or an FTP server running on an Azure VM.

Enabling creation of FTP servers

This only has to be done once, irrespective of how many FTP sites you create on the system.

Windows does not have FTP server creation enabled by default, even if IIS has been installed. This is somewhat similar to what was done back in the article Joomla on IIS - Part 4 - Enabling IIS - take a quick look at that article if you are unsure of how to get to the following dialog:

FTP Snap1

Set check marks in the two boxes shown above (and ignore the fact that the screen shot is not correct - it was made after having done the installation), and then click Next and complete the setup dialogs. That's all there is to it.

Define the network ports FTP will use for passive data transfer

This is also something that only needs to be done once, or, more accurately, it can be done again later if you need to change the settings, but these settings are applied to all of the IIS FTP servers configured on this machine.

The FTP protocol is not as simple as one might assume - it had me fooled, I thought it only needed one network port, and that was it. This web page provides a fairly good explanation, without involving FTPS: Active FTP vs. Passive FTP, a Definitive Explanation

So basically: the control connection always arrives on port 21. For the old "active mode" (rarely used nowadays, because the client's own firewall or NAT blocks it) the server opens the data connection itself, outbound from port 20 back to the client. For "passive mode" (recommended for firewalled clients since 1994, RFC 1579) the client opens the data connection to a port the server picks, so we need to open a group of inbound ports, and we need to ensure that both the FTP server and the firewall have been given the same information about which ports are in this group. If they disagree, the client can log in but every directory listing or transfer hangs, which is the classic FTP-behind-a-firewall symptom.

Start IIS Manager and select the left-panel entry for the whole machine.

FTP Snap7

Double-click on the FTP Firewall Support option. (If the FTP options are not being shown you need to stop and restart IIS Manager. Or, worst case, you may need to restart the machine.)

FTP Snap8

Here you enter two things: the port range for passive mode data ports, and the server's external IP address.

The IP address bit is simple, but it does imply that you have to have a static public IP address. In the case of an Azure VM I talk about static IP addresses in this article: Joomla on IIS - Part 2 - Accessing an Azure VM from the internet

The data channel port range is fairly arbitrary, as long as you choose it above the well-known ports (between 1024 and 65535) and it doesn't overlap any port you will use for something else, such as the control port you'll pick for a second FTP server later in this article. To reduce your exposure, keep the range small: each listing or transfer in progress occupies one port from the range, so the size of the range is roughly the number of simultaneous data connections the server can serve. I don't ever expect more than one or two people to be downloading files from my website simultaneously, so I've defined a range containing only 10 ports. Pick some random range, say 53320 - 53329. Note it on a piece of paper, you'll be using it a bit later.

Complete this step by clicking Apply over to the right.

Create a disk folder for the files the FTP server(s) will make available

For my specific use I only needed to create one disk folder for the files that would be used by both FTP servers. This is a bit unusual, but is an acceptable usage and it works. Typical usage probably involves creating different disk folders for each FTP server.

 The following screen shots document how I did it. First I created the folder, E:\Merlinia FTP, and then right-clicked on it and selected Properties, and then selected the Security tab.

FTP Snap2

To add the IUSR user I first clicked the Edit button ...

FTP Snap3

then Add ...

FTP Snap4

In the "Enter the object names .." box type "iusr". Then click on Check Names. This should result in IUSR being capitalized and underlined, indicating that the correct internal representation of the account name has been found. Click on OK.

FTP Snap6

Back in the permissions dialog user IUSR should be selected. Give this user Modify permission (read, write and delete; the screenshot shows Full Control, which additionally lets the account change the folder's permissions and take ownership, something neither FTP server needs), and click on OK, and then click OK to close the Properties dialog.

This gives both FTP servers write and delete access to the files in this folder at the NTFS level, because anonymous requests on both servers run as the same IUSR account and NTFS cannot tell the two servers apart. The first FTP server will be configured to provide read-only access, so only the second one (the one I'll use for doing uploads) will make use of the write permission. Keep in mind that the read-only behaviour of the first server then rests entirely on its IIS FTP authorization rule, not on the file system, so check that rule carefully when you create the site.

Create the first (public) FTP server

Now we create the (first) FTP server. In IIS Manager select Sites over in the left panel ...

FTP Snap9

... and click on Add FTP Site... over in the right panel.

FTP Snap10

 Provide a name for the FTP server (this is only used internally by IIS) and the path to the folder containing the files that the FTP server should work with. Then click Next.

FTP Snap11

This FTP server will not support FTPS, so select No SSL, and click Next.

If you do want to support FTPS then see this article telling how you can obtain and install free SSL certificates: Joomla on IIS - Part 10 - Installing and using an SSL certificate. However, at time of writing (Dec. 2017) the "Certify the web" program does not support updating the SSL certificates for IIS FTP sites, only for IIS websites. This means that if you use that program to obtain and renew your SSL certificates then you will have to manually update the SSL certificate setting for your FTP servers every 60 days or so.

FTP Snap12

On this dialog you should deselect "basic authentication", just to keep things simple (and so that the server never accepts a cleartext password at all). This FTP server will only serve anonymous users, and only provide them with read-only access to the files, so leave the Read box checked and the Write box unchecked. Click Finish.

That's it for the first (or only) FTP server. Skip the next section and go to Setting Azure networking rules, unless you want to create a second FTP server that gives yourself read-write access to the files.

Create the second (private) FTP server

This is only applicable if you want to do what I did, and create a second FTP server which provides read-write access to the files for a limited number of users who will access the site from certain predefined fixed IP addresses. (But although I refer to this FTP server as being "private", it is, in fact, just as public as the first one - the only things that make it "private" are that you don't advertise its network port number, and you set up Azure's networking rules to block access from all 4.3 billion IPv4 addresses in the world except for the few that you own. The unadvertised port number is no protection on its own; a port scan finds it in seconds, so the Azure rule is the control that actually matters.)

Rather than clutter this article up with more screen shots I'll just describe what is different when creating the second FTP site.

In the first dialog you give it a different name. (In my case "Merlinia FTP 2".) It shares the same folder containing files as the first FTP server

In the second dialog you change the port number from 21 to some arbitrary port number you define yourself, for example 53221. Pick a port that is not 20 or 21 and not inside the passive data port range you defined earlier (53320 - 53329 in the example). (It's OK to accept "All Unassigned" for the IP address; we'll do the IP address filtering in Azure networking.)

In the third dialog you provide both Read and Write permissions to all of the anonymous users.

That's it, you now have two FTP servers.
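The whole IIS side of the procedure above (enabling the role services, the server-wide passive port range and external IP, the shared folder's ACL, and both anonymous sites with their authorization rules) can be done from an elevated PowerShell prompt on the server instead of clicking through the dialogs. The script below is an added example, not the article's own; the folder, site names, ports and the external IP address are placeholders taken from the text, and it deliberately grants IUSR Modify rather than Full Control.

```powershell
# Added example: IIS FTP setup from the article as a script (placeholders for names/IP).
#Requires -RunAsAdministrator
Import-Module ServerManager
Import-Module WebAdministration

$FtpRoot     = 'E:\Merlinia FTP'
$ExternalIp  = '203.0.113.10'      # placeholder: the VM's static public IPv4 address
$PassiveLow  = 53320               # passive data port range, must match the Azure rule
$PassiveHigh = 53329
$PublicSite  = 'Merlinia FTP'      # port 21, anonymous, read-only
$PrivateSite = 'Merlinia FTP 2'    # non-standard port, anonymous, read-write
$PrivatePort = 53221               # outside 20/21 and outside the passive range

# 1. Role services ("Enabling creation of FTP servers"), done once per machine.
Install-WindowsFeature -Name Web-Ftp-Server, Web-Ftp-Service, Web-Ftp-Ext | Out-Null
Set-Service -Name ftpsvc -StartupType Automatic

# 2. Server-wide "FTP Firewall Support": data channel range and external IP.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' `
    -Name lowDataChannelPort  -Value $PassiveLow
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' `
    -Name highDataChannelPort -Value $PassiveHigh
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter 'system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport' `
    -Name externalIp4Address -Value $ExternalIp

# 3. Shared content folder. IUSR gets Modify (read/write/delete), not Full Control:
#    Full Control would also let the account rewrite the folder's permissions.
New-Item -ItemType Directory -Path $FtpRoot -Force | Out-Null
$acl  = Get-Acl -Path $FtpRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'IUSR', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $FtpRoot -AclObject $acl

# 4. One anonymous-only site per call. $Permissions: 1 = Read, 3 = Read + Write.
function New-AnonymousFtpSite {
    param([string]$Name, [int]$Port, [string]$Path, [int]$Permissions)
    New-WebFtpSite -Name $Name -Port $Port -PhysicalPath $Path -IPAddress '*' -Force | Out-Null
    $site = "IIS:\Sites\$Name"
    # The wizard's "No SSL" choice: TLS allowed but not required on either channel.
    Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
    Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'
    # Anonymous on, basic off: the server never accepts a cleartext password.
    Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $true
    Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $false
    # FTP authorization rule; users="?" means anonymous users. Because both sites run
    # as IUSR, this rule (not NTFS) is what keeps the public site read-only.
    Add-WebConfiguration -PSPath 'IIS:\' -Location $Name -Filter '/system.ftpServer/security/authorization' `
        -Value @{ accessType = 'Allow'; users = '?'; permissions = $Permissions }
}

New-AnonymousFtpSite -Name $PublicSite  -Port 21           -Path $FtpRoot -Permissions 1
New-AnonymousFtpSite -Name $PrivateSite -Port $PrivatePort -Path $FtpRoot -Permissions 3
Restart-Service -Name ftpsvc

# 5. Show the effective authorization rule of each site so the read-only one can be eyeballed.
foreach ($name in $PublicSite, $PrivateSite) {
    Get-WebConfiguration -PSPath 'IIS:\' -Location $name -Filter '/system.ftpServer/security/authorization/add' |
        Select-Object @{ n = 'Site'; e = { $name } }, users, permissions
}
```

The final loop is the check worth keeping around: after any later change in IIS Manager, re-run it and confirm that the port 21 site still shows permissions Read only. Everything here writes to applicationHost.config, so the same settings are visible afterwards in the IIS Manager dialogs shown above.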

Setting Azure networking rules

This step is obviously only applicable if your system is running on an Azure VM. For other environments there will be other firewall considerations to take into account. Incidentally, in my experience installing IIS FTP on a Windows Server system automatically adds the necessary rules to Windows Firewall, but this may not be true for Windows 10 or other systems.

These steps are done in the Azure portal.

FTP Snap13

Select the portal display for the virtual machine in question and click on Networking. Then use the Add inbound port rule button multiple times to define rules for handling incoming connections for the FTP server(s). Here are the rules I defined for the two FTP servers I created:

FTP Snap14

The priorities are arbitrary, as long as you remember that Azure evaluates rules from the lowest number upwards and the first match wins. Here are some notes:

1050 This is optional; it is only needed if you want to support some very, very old FTP client programs that may still use "active mode". Strictly speaking, active mode does not need an inbound rule at all: the server opens the data connection itself, outbound from port 20, and Azure allows outbound traffic by default. An inbound rule for port 20 is harmless but does nothing useful, so you can leave it out.
1051 This is the standard "control port" (21) for the first FTP server, open to any source.
1055 This rule should specify the same range of port numbers, for example 53320 - 53329, that you specified back in the second step of this article, Define the network ports FTP will use for passive data transfer. Note that this rule is applicable to all IIS FTP servers on the machine, and it has to be open to any source address, because the public server's clients come from anywhere.
106x These define the "control port" of the second FTP server, and specify the IP addresses that are allowed to connect to this port. The port number (for example 53221) is the same in all of these rules; it is the port number you specified, instead of 21, when you created the second FTP server. The number of rules needed depends on how many IP addresses, or ranges of IP addresses, you need to allow access from; newer versions of the portal also accept several source addresses or CIDR ranges, separated by commas, in a single rule. Everything not matched by these rules is dropped by the default DenyAllInBound rule at priority 65500, so if you ever add a broad "allow all" rule for some other purpose, make sure its priority number is not lower than the rules for this port.
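The same rule set, created with the Az PowerShell module instead of the portal, as an added example that is not part of the article. The resource group, NSG name and company address prefixes are placeholders, and the passive range and private port are the values used in the text. It derives the data channel rule from the same range variable you would use for the IIS setting, so the two cannot drift apart, and it adds an explicit Deny for the private port right after the allows.

```powershell
# Added example: Azure NSG rules for the two FTP sites via Az.Network (placeholders for names).
Import-Module Az.Network

$ResourceGroup   = 'merlinia-rg'                        # placeholder
$NsgName         = 'merlinia-ftp-nsg'                   # placeholder: NSG attached to the VM's NIC or subnet
$PassiveRange    = '53320-53329'                        # must equal the IIS FTP Firewall Support range
$PrivatePort     = 53221                                # control port of the second FTP site
$CompanyPrefixes = @('198.51.100.0/29', '192.0.2.17')   # placeholders: the company's fixed addresses

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# Small wrapper: one inbound TCP rule on the NSG object (saved to Azure at the end).
function Add-Inbound {
    param([string]$Name, [int]$Priority, [string]$Source, [string]$Ports, [string]$Access = 'Allow')
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Direction Inbound `
        -Access $Access -Protocol Tcp -SourceAddressPrefix $Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $Ports | Out-Null
}

# 1051: control port of the public site, open to everyone.
Add-Inbound -Name 'ftp-control-public' -Priority 1051 -Source '*' -Ports '21'
# 1055: passive data ports, open to everyone; shared by both sites, so it cannot be restricted.
Add-Inbound -Name 'ftp-passive-data'   -Priority 1055 -Source '*' -Ports $PassiveRange
# 106x: control port of the private site, one allow rule per company prefix.
$prio = 1060
foreach ($prefix in $CompanyPrefixes) {
    Add-Inbound -Name "ftp-control-private-$prio" -Priority $prio -Source $prefix -Ports "$PrivatePort"
    $prio++
}
# Explicit deny immediately after the allows: a broad "allow all" rule added later with a
# higher priority number is then evaluated after this deny and cannot expose the private port.
Add-Inbound -Name 'ftp-control-private-deny' -Priority 1069 -Source '*' -Ports "$PrivatePort" -Access 'Deny'

# No port 20 rule: active-mode data connections leave the VM outbound, which Azure already allows.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review what is now in force for the FTP ports, ordered the way Azure evaluates it.
Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object { $_.DestinationPortRange -contains '21' -or $_.DestinationPortRange -contains "$PrivatePort" -or $_.DestinationPortRange -contains $PassiveRange } |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

The explicit Deny at 1069 is not needed for the setup to work (the default DenyAllInBound rule already drops everything else), but it makes the intent visible in the rule list and survives somebody later adding a permissive rule further down.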

This completes the creation and setup of the FTP servers.

Testing the FTP servers

Now it's time to test the FTP servers. Use your favorite FTP client program (I like WinSCP) and connect to the machine on which the FTP servers are running, using either an IP address or a domain name. If it doesn't work, check if restarting the Microsoft FTP Service (service name ftpsvc) helps, using the Windows Services program. Failing that, try restarting the machine, although that should not be necessary. If you can log in but directory listings hang, the passive port range in IIS and the Azure rule for the data channel don't match.

If you've set up one of the FTP servers to only provide read-only service, then check that it is not possible to upload or delete or modify the files - you should get an "access denied" error message.

If you've set up a second FTP server then you select it by specifying the port number that was defined for that FTP server, instead of port 21, for example 53221.
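A scripted version of these checks, as an added example that is not part of the article, using .NET's FtpWebRequest from any Windows machine with PowerShell. The host name, ports and probe file name are placeholders. It lists the public site, tries an anonymous upload there and expects a 550 refusal, then tries the same upload on the private port, which should return 226 from a company address and simply time out from anywhere else (the NSG drops the connection rather than refusing it).

```powershell
# Added example: end-to-end test of the read-only and read-write FTP sites (placeholders for host/ports).
$FtpHost     = 'ftp.example.com'   # placeholder
$PublicPort  = 21
$PrivatePort = 53221
$Anonymous   = New-Object System.Net.NetworkCredential('anonymous', 'test@example.com')

# Directory listing over passive mode; a hang here means the data port range is wrong.
function Get-FtpListing {
    param([string]$HostName, [int]$Port)
    $req = [System.Net.FtpWebRequest]::Create("ftp://${HostName}:${Port}/")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.Credentials = $Anonymous
    $req.UsePassive  = $true
    $req.Timeout     = 15000
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $lines  = $reader.ReadToEnd() -split "`r?`n" | Where-Object { $_ }
    $reader.Close(); $resp.Close()
    return $lines
}

# Attempt an upload and return the FTP reply code: 226 = stored, 550 = access denied.
function Test-FtpUpload {
    param([string]$HostName, [int]$Port, [string]$FileName, [byte[]]$Content)
    $req = [System.Net.FtpWebRequest]::Create("ftp://${HostName}:${Port}/$FileName")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::UploadFile
    $req.Credentials = $Anonymous
    $req.UsePassive  = $true
    $req.UseBinary   = $true
    $req.Timeout     = 15000
    try {
        $stream = $req.GetRequestStream()       # IIS answers the STOR here; 550 throws
        $stream.Write($Content, 0, $Content.Length)
        $stream.Close()
        $resp = [System.Net.FtpWebResponse]$req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        $resp = [System.Net.FtpWebResponse]$_.Exception.Response
        if ($resp) { return [int]$resp.StatusCode }
        throw                                    # no reply at all: connection dropped or timed out
    }
}

$payload = [System.Text.Encoding]::ASCII.GetBytes("probe $(Get-Date -Format o)")

"Public site listing:"
Get-FtpListing -HostName $FtpHost -Port $PublicPort

$denied = Test-FtpUpload -HostName $FtpHost -Port $PublicPort  -FileName 'probe.txt' -Content $payload
"Upload on port $PublicPort returned $denied (expected 550: read-only site)"

$stored = Test-FtpUpload -HostName $FtpHost -Port $PrivatePort -FileName 'probe.txt' -Content $payload
"Upload on port $PrivatePort returned $stored (expected 226 from a company address)"
```

Remember that both sites share one folder: a probe file stored through the private port is immediately visible to everyone on the public site, so delete it afterwards. Running the private-port test from a non-company address is also worthwhile; the expected outcome there is a timeout, not a 550.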
