知識庫

Windows 伺服器上用於 FTP 的 SSL

FTPS (FTP over SSL) was introduced on Windows servers starting from IIS 7.0, where it was a stand-alone additional element and a separate download was required. IIS 7.5 and each forthcoming version has FTPS functionality from the box, hence only IIS Manager and/or FTP service, which is included to IIS package, needs to be installed in order to have an opportunity to setup secure FTP connection.

Before proceeding to the instructions below, make sure that the following prerequisites have been considered:

  • IIS Manager and FTP Service are enabled on the server instance. Installation guidelines for IIS and FTP can be found here and here.

  • The SSL certificate, which will be used for setting up FTPS, is installed to the server storage.

Let us describe the process of adding an SSL-enabled FTP site and configuring its SSL settings.

Creating an SSL-enabled FTP site

  1. Open IIS Manager (Run -> inetmgr -> Enter).
  2. Hover the mouse over Connections pane on the left side of the window, click on Sites node and press Add FTP site in Actions pane on the right.

    image1_windows_ftp

  3. Enter a name for a FTP site in the FTP site name field. Specify the path to the root folder in the Physical Path field. Actual path to FTP root folder may be different from the one, displayed on the screenshot as an example. After all fields are filled in, click Next to proceed.

    image2_windows_ftp

  4. On Binding and SSL Settings page, there are several fields to modify:
    • IP Address - add a specific IP address for a FTP site or leave All Unassigned option.
    • Port - this field contains a port number a FTP site will be connected through. A default port number is 21.
    • Enable Virtual Host Names checkbox should be ticked and the corresponding field filled in if you are going to host multiple FTP Servers.
    • Allow SSL radio-button should be selected in the SSL subsection. This option will allow connection to an FTP site either in secure or in non-secure mode, giving more flexibility for an FTP connection handling. There will be more detailed explanation further on how to switch a whole FTP site or a particular channel between Allow SSL and Require SSL options. At this point, it is worth mentioning that Allow SSL is more preferable over Require SSL mode for the reasons mentioned here
    • Choose pre-imported SSL certificate from a drop-down list in the SSL Certificate subsection.
    • image3_windows_ftp


      Once all settings are done here, click Next to move on.
  5. On Authentication and Authorization Information screen, check Basic for Authentication and set users for a FTP site at Authorization subsection. There are several options to set users and permissions for them, thus actual settings may differ from the ones on the screenshot.

    image4_windows_ftp


Once done, click Finish to complete adding a new SSL-enabled FTP site.

Configuring additional SSL Settings for FTP site

Generally, an FTP communication between Windows server and client is split to a control channel, used for authentication and sending FTP commands, and a data channel, used for data transfer.

Means of IIS Manager and FTP Service offer flexible settings in order to allow FTP clients to decide, whether FTP traffic should be encrypted partially or completely.

Control Channel Policy Data Channel Policy Description
SslAllow SslAllow This configuration allows the client to decide whether any part of the FTP session should be encrypted.
SslRequireCredentialsOnly SslAllow This configuration protects FTP client credentials from eavesdropping and allows the client to decide whether data transfer should be encrypted.
SslRequireCredentialsOnly SslRequire This configuration requires that the client's credentials must be secure and then allows the client to decide whether FTP commands should be encrypted. However, all data transfers must be encrypted.
SslRequire SslRequire This configuration is the most secure - the client must negotiate SSL by using the FTPS-related commands before other FTP commands are allowed, and all data transfers must be encrypted.


Let us see how to modify the above-mentioned settings using IIS Manager:

  1. While on IIS Home page, select the newly created FTP site (expand Sites node, if needed) and double-click on FTP SSL Settings icon in the site's home section.

    image5_windows_ftp

  2. In SSL Policy section, select Custom radio-button and click Advanced to open Advanced SSL Policy settings.

    image6_windows_ftp

  3. Here on Advanced SSL Policy screen, there is an opportunity to customize specific settings for Control and Data channels, described in the table above.

    image7_windows_ftp

  4. Once all set, click OK and then Apply in the Actions pane on the right side of IIS Manager to save configurations changes.

    image8_windows_ftp