How to set up a secure FTP site on IIS7

Hi everyone,

I have a secure website set up on a Server 2008 running IIS7. I also have an SSL certificate already purchased and installed on the web server for the secure website. Now I am trying to set up an FTP site on the same server. Is it possible to use the same SSL certificate that I have purchased for the website for the FTP site as well?

- Could you please give me some steps or provide me with some directions for setting up a secure FTP site on IIS7?

Thanks for your help in advance!

Paul MacDonald (Director, Information Systems) Commented:
The web page linked does not include SSL, so I will provide some additional screenshots.

Start off by setting up a standard FTP site, as per the guide linked, and then go into FTP SSL Settings to choose your Certificate and other SSL settings.

[Screenshot: FTP SSL Settings]
First off, select FTP SSL from the Home page of your FTP Site.

[Screenshot: FTP SSL Settings]
Secondly, use the drop-down to select your SSL Certificate already installed for your web site, and then choose your SSL Security Setting, explained as follows:

Allow SSL connections - will allow clean or encrypted connections
Require SSL connections - will require encryption on both the control channel and data channel
Custom - allows you to choose which channels to force encrypt
Use 128-bit encryption for SSL connections - if you are exporting encryption, use this. This means, if people outside of your country are connecting, and there are encryption export laws limiting you to 128-bit encryption, you should use this. Nobody does though.

If it interests you, I have also written an article entitled "Make your FTP Server support Active and Passive" available on Experts Exchange at   
Paul MacDonald (Director, Information Systems) Commented:
"The web page linked does not include SSL..."
I beg to differ.

Apologies, you're absolutely right it does. :)
BeerTime (Author) Commented:
Thank you both, Paulmacd and LesterClayton, for your posts! I will review them and get back to you. Do you know off the top of your head if Internet Explorer, Firefox, Google Chrome, and Safari support secure FTP or simple FTP protocol?
Paul MacDonald (Director, Information Systems) Commented:
I'm pretty certain IE does not, but can't speak for the others.

BeerTime (Author) Commented:
Thanks Paulmacd.  I will check the other ones.
IE does not support FTP-Secure. Firefox doesn't natively, but there is a FireFTP add-on that might. You will likely need a client like FileZilla or WinSCP. There are some configuration tricks for those as well. Here is the required setup for FileZilla 3.5.0:

Assuming you have already created a Site profile in FileZilla, go to File->Site Manager, and under the General tab type in the host name or IP address in the "Host:" field. In the "Port:" field, type in the port you have configured within IIS (probably port 21). Leave the protocol field on "FTP - File Transfer Protocol." Change the "Encryption:" field to either Explicit or Implicit (depending on how you have IIS configured). Change your Logon Type if you are not connecting anonymously.

Under the Transfer tab, change the "Transfer Mode:" to Passive.

Click OK to save this Site profile in FileZilla, then try Connecting to it.

Back to the FTP-S server, I would recommend using IIS FTP 7.5 instead. Here are instructions for setting it up in Passive Mode:

1. In the IIS Manager server-level FTP Firewall Settings, configure the passive FTP Data Channel ports needed. Then under the FTP Site in IIS Manager, under FTP Firewall Settings, type the external (NAT) IP address of the IIS/FTP server that clients will be accessing.
   a. NOTE: You will need to restart the Microsoft FTP Service or reboot the server in order for any changes to these Data Channel ports to be applied. Restarting the IIS FTP site or the IIS Server within IIS Manager will not do the trick!

2. On the external firewall, open port 21 (FTP) AND open the Passive Data Channel ports defined in IIS (see above) from the outside network to the external (NAT) address of the IIS/FTP server. Of course, the server will need to be correctly NAT'd for this to work.

3. Configure FTP-S clients to use Passive FTP over SSL/TLS (i.e. FTP-S) on port 21. This works for both FileZilla and WinSCP, and I can give specific instructions on both if you need them.

What this accomplishes conceptually is the following:

FTP client --> (Outside) <firewall> (Inside) --> FTP server

1) FTP client connects via port 21 to FTP server's NAT'd IP address.
2) FTP client and server negotiate SSL/TLS.
3) FTP client requests Passive Mode.
4) FTP server returns external (NAT) IP address and custom port for Data Channel

PRO: Allows for the FTP client to maintain an encrypted Control Channel on port 21 and an encrypted Data Channel--on the custom port(s) defined above--at all times.
CON: Having to open the additional inbound ports to the IIS/FTP server.


• FTP Site will not work internally because external IP address being used is not routable from inside the network.
• FTP clients will need to be configured by the end user or you will need to figure out a way to create a "profile" of the correct settings and get that to them.

More detail for those who are interested:

• An alternative to this setup is to use the Clear Command Channel (CCC) method, but that means passing all your Control Channel traffic (after initial encrypted authentication) in the clear, including file/folder names. CCC also introduces a hijacking risk. Some FTP developers refuse to support CCC at all (FileZilla), others do not support it yet (WinSCP), and even those who do support it typically have strong warnings in place (Ipswitch et al.). The RFC itself states "the use of CCC is not recommended, but is defined in the interest of interoperability between implementations which might desire such functionality":

• A great overview of the classic FTP/FTPS issues can be found here:

Hope this helps! Please let us know.
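
An added example, not from any poster in this thread: a Python check of step 4 of the conceptual flow above, confirming that the 227 passive-mode reply carries the external (NAT) address and a port inside the range configured in IIS. The address 203.0.113.10, the range 5000-5100, the sample replies and all function names are assumptions made for illustration.

```python
import ftplib
import ipaddress
import re
import ssl

# RFC 1918 ranges: an address from these in a 227 reply is unreachable from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample replies (documentation address, assumed port range 5000-5100).
SAMPLE_OK = "227 Entering Passive Mode (203,0,113,10,19,136)"
SAMPLE_BAD = "227 Entering Passive Mode (192,168,1,20,195,80)"

def parse_pasv(reply):
    """Return (IPv4Address, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def check_pasv(reply, external_ip, low_port, high_port):
    """Compare a 227 reply with the intended IIS settings; return a list of findings."""
    ip, port = parse_pasv(reply)
    findings = []
    if any(ip in net for net in RFC1918):
        findings.append("internal address %s advertised; external IP not set on the FTP site" % ip)
    elif ip != ipaddress.IPv4Address(external_ip):
        findings.append("advertised %s, expected %s" % (ip, external_ip))
    if not low_port <= port <= high_port:
        findings.append("port %d outside %d-%d; FTP service not restarted?" % (port, low_port, high_port))
    return findings

def fetch_pasv_reply(host, user, password, port=21):
    """Log in over explicit FTPS with certificate verification and return the raw 227 line."""
    ftps = ftplib.FTP_TLS(context=ssl.create_default_context())
    ftps.connect(host, port, timeout=10)
    try:
        ftps.login(user, password)  # FTP_TLS.login() sends AUTH TLS before the credentials
        ftps.prot_p()               # encrypt the data channel as well
        return ftps.sendcmd("PASV")
    finally:
        ftps.close()
```

Because the control channel is encrypted, a NAT firewall cannot rewrite the address in the reply on the way out, so an internal address here points at the external IP field in FTP Firewall Settings. Run `fetch_pasv_reply` from outside the firewall and pass its result to `check_pasv`.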
BeerTime (Author) Commented:
Thanks everyone for your feedback on this post.