How to setup IIS FTP server behind Endian Firewall

1. Create FTP group and user(s)
2. Install FTP server
3. Set up Endian Firewall Appliance
4. Test FTPS connection with Filezilla

Create FTP group and user(s)

Using server manager (which you may launch with servermanager.msc), expand your server > Configuration > Local Users and Groups, right click to create a New Group…

Name the user group “ftp-group” and provide a meaningful description about this groups role and select Create, then Close

Now we will create a user and add it to the group we just created. Right click Users > New User …

Enter a User name, Description, and strong Password (you’ll need to remember these credentials as this is what you’ll be giving your user) – uncheck “User must change password at next logon” > Create

Right click this new user and select Properties

To add them to the ftp-group, choose the Member Of tab and Add…

Enter “ftp-group” > Check Names > OK

I like to remove this user group from the standard “Users” group (that group exists thoughout the windows server so to me it is safest to remove) so select “Users” > Remove > OK

Install FTP server

Add FTP role

Using server manager (which you may launch with servermanager.msc), Click on Roles in the left pane and the Roles section will appear in the right pane. Locate the Web Server (IIS) section and then then click on Add Role Services:

In the Select Role Services scroll and add checks to FTP Server, FTP Service & FTP Extensibility then Next > Install

Command line version of installing the same:

CMD /C PKGMGR.EXE /iu:IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility

Setup FTP Server

Start IIS Manager ( inetmgr)

We need to add a new FTP site (you may add FTP publishing to an existing web site if that’s what you’re attempting)

Using Sites in the left column, right click and choose Add FTP Site…

Provide a name and point it to a folder you want your FTP users to save to/get data from.

In the “Binding and SSL Settings” dialog, create “All Unassigned” as IP Address, Port: 21, Allow SSL, SSL Certificate not selected:

Note: If you want your FTP site to use a specific IP address, select it from the drop-down menu, otherwise leave the default setting which binds all FTP traffic to the site you are creating.

Next, for Authorization ensure that only Basic is checked. Under Authorization, ensure that your new user group “ftp-group” is set under the Specified roles or user groups box, provide Read, Write permissions as you desire then select Finish

That completes the basic installation and setup details of the FTP site.

Server firewall

Now we need to configure the server firewall support:

Click on the Server object (the name of your server) which is at the top of the left column in IIS Manager and then in the right pane double-click on the FTP Firewall Support icon configuring FTP connections to use Passive Transfers and the Data Channel Port Range will be set to 50000-50999, the External IP Address of Firewall should be left blank:

Next, choose your FTP site in the left column again and then in the right pane double-click on the FTP Firewall Support icon. Input the FTP site’s public IP address – the public IP address of the Endian Firewall – and then click on Apply under the Actions pane on the right-hand side:

Within IIS Manager, click on the server object and in the center pane open Server Certificates

Then click on Create Self-Signed Certificate in the Actions pane in the right hand side

Type a name for the certificate, I used FTP Site Cert but anything meaningful will work, then click on OK. You will now see the created certificate in the list:

Click on the server object again and open FTP SSL Settings

Under SSL Certificate select the certificate we created earlier. Under SSL Policy select Custom and then click on the Advanced button

Under Control Channel select Require only for credentials and under Data Channel select Require and then click on OK:

Now click on the FTP site in the Connections left side column and then open FTP SSL Settings and ensure you configure the same settings as for the server level in the preceding step. Failing to configure the FTP SSL Settings at BOTH the SERVER and SITE levels with result in FTP connection errors like the following:

(Optional) If you want this site to only answer for a specific domain name:

Choose Bindings in the Actions pane:

In the Site Bindings section click on the Add Button:

In the Add Site Binding section select the Type as ftp, leave the IP Address box as All Unassigned and then enter the hostname for the FTP Site and then click on OK

Confirm the new FTP Site binding and then click Close

While still in the ftp site context select Advanced Settings in the Actions pane to view the FTP Site’s home directory – it will be the physical path we set for this site.  You will need to configure the ftp_group or this user to have write permissions to this folder in order for you to be able to upload files to this directory.

Using windows explorer, right click the folder on this site’s path and add the “ftp-group” and provide permissions as needed:

If you have an active Windows software firewall, rules that need to be enabled to allow FTP and FTPs communication are:

Inbound Rules FTP Server (FTP Traffic-In) FTP Server Passive (FTP Passive Traffic-In) FTP Server Secure (FTP SSL Traffic-In)

Double click each one and choose Advanced tab > Edge traversal > Allow edge traversal

Outbound Rules no changes required because the default setting for public traffic is that outbound connections that do not match a rule are allowed.

Setting up Endian Firewall

Log in to the firewall’s UI site (maybe yours is at http://192.168.1.1/ from the server side).

Using the Firewall button on the navigation bar, we need to add some Port forwarding / NAT rules

In Incoming IP, you will need to select your RED or an Uplink you want to allow public traffic to reach you on.

In Incoming Service/Port, Add FTP service, Port 21, protocol TCP

Add the IP address of your Windows FTP server in the Insert IP address field

This provides our command channel.  Now let’s add the rules for the data channels. Create a new rule with the same Incoming IP setup as before:

But the Incoming Service/Port will be different (<ANY>, 50000-50999, still TCP though)

Translate will be similar to the command channel settings above except for the Port/Range

The site will probably tell you to Apply the changes.

It probably would be a good idea to use the proxy tab on the navigation bar and enable the virus scanner on FTP (but I think that may just be for outbound, not inbound to your internal server connections).

Testing/Connecting to the FTP Site

The only thing left to do is test the connection from your FTP client. Using FileZilla, you will need to supply credentials for this connection.  I suggest using the site manager to do so:

File > Site Manager… > New Site

Provide a name for this connection (it can be anything meaningful to you)

Under general, enter the host (Firewall IP address or domain name), Port 21, Protocol: FTP – File Transfer Protocol, Encryption: Use explicit FTP over TLS if available, Logon type: Normal, User and Password for the user we created on the server.

Under Transfer Settings, choose mode: Passive

Note: If you chose to supply the optional domain name the user field must be VirtualHostName|User to allow successful authentication. The virtual host name is a requirement and the FTP Server is expecting that string, if it doesn’t see it then you will see the following error:

Once you have input the relevant connection info for the FTP Site, click Connect and assuming that the connection is successful you will see a pop-up box displaying an unknown self-signed cert we created earlier:

If you don’t want to see this every time, check the box Always trust certificate in future sessions and hit OK.

You should now be connected to the home directory

Comments Closed.