

SFTP ports, IIS, ASA

Posted on 2014-01-06
Medium Priority
Last Modified: 2014-01-06
Server 2008 R2 Standard, IIS 7.5. Trying to set up SFTP (SSL) site for a single vendor. I want to open ports on ASA, for only their IP address. However, during testing I see that SFTP uses two ports, TCP 22 and then a randomly generated TCP port (Data Channel) in the 57K plus range (at least from logs so far).

I've gone into IIS and set Data Channel port range, but when I'm testing it is not using this 5 port range I configured, it is still randomly generated.

Obviously this sort of creates a problem from the Firewall point of view, as I do not know what ports will be used for the data channel.

Question by:AHEC
LVL 30

Expert Comment

by:Brad Howe
ID: 39759540
I don't see this as an IIS issue for you but a Cisco configuration issue. We had a similar problem with our Juniper device (SRX) where we needed to change a setting to allow FTPS. FTPS support for SRX can be enabled by using the following configuration command:

set security alg ftp ftps-extension

I know it is not Cisco ASA, but I would start there if your FTPS works properly locally when using an FTPS client such as CoreFTP LE.

Some details
FTPS (FTP-SSL) is just like any FTP server that runs over port 21. The main difference is that it uses TLS/SSL protocols to encrypt the control & data channels.

When the CONTROL channel is encrypted, the authentication is protected - therefore passwords are secure.

When the DATA channel is encrypted, the file transfers are secure while in transit.

Please do not confuse this with SFTP.

SFTP is FTP Services over SSH which runs on tcp/22.
FTPS runs over SSL or TLS on tcp/21 or tcp/990.

Set up your FTPS in IIS Manager

Set up the custom data port channels under IIS Manager - Server Level

Sample Core FTP Log

Welcome to Core FTP, release ver 2.2, build 1747 (x64) — © 2003-2012
 WinSock 2.0
 Mem — 8,339,356 KB, Virt — 8,589,934,464 KB
 Started on Saturday September 8, 2012 at 12:44:PM
 Connect socket #976 to, port 21…
220 Microsoft FTP Service
234 AUTH command ok. Expecting TLS Negotiation.
 TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
 USER ftpuser
 331 Password required
 PASS **********
 230 User logged in.
 215 Windows_NT
 Keep alive off…
 257 “/” is current directory.
 200 PBSZ command successful.
 200 PROT command successful.
 227 Entering Passive Mode (192,168,56,101,192,23).
 Connect socket #864 to, port 49175…
150 Opening ASCII mode data connection.
 TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
 226 Transfer complete.
 Transferred 0 bytes in 0.011 seconds

Let us know if it works locally first over the proper data channels.
LVL 16

Expert Comment

ID: 39759614
Hades666 is correct.  IIS is not capable of serving SFTP, only FTPS.  If this is your first time you should get it working serving plain FTP and only then add SSL to the mix.  This will be easier for you if you use Explicit FTPS... implicit is rare these days anyway so for a new site you should do explicit.

If you actually NEED an SFTP server then you need different server-side software because IIS doesn't do SFTP.  This is the easiest SFTP server I've installed:

Author Comment

ID: 39759685
Sorry, I am referring to FTPS (SSL), not SFTP.

Anyway, not knowing how a Juniper appliance works, I can tell you that in Cisco ASA I only have the option to configure an ACL to allow specific ports.

It does work internally, but I am allowing all ports from my PC to the server (in DMZ); like I said, it is using random ports for the Data Channel even though I have specified ports for this in IIS; a range of 5 ports. If this configuration actually did what I thought it did, then I could easily configure the firewall to allow port 22 (which I specified for the Control Channel) and ports 61000 - 61005 from IP XXX.XXX.XXX.XXX.

So, is there a way to configure what the data channel ports will be or will they always be random?
If they will always be random, what is the range?

Perhaps my configuration in IIS is incorrect.

LVL 30

Expert Comment

by:Brad Howe
ID: 39759750
Data channels are specific. Even locally using a proper FTP client that supports FTPS it should use specified ports. If it doesn't then the FTPS setup in IIS is incorrect.

Can you describe your IIS setup exactly?

Author Comment

ID: 39759847
FTP Authentication = Basic
FTP Authorization rules is configured with a username having Read, Write permissions.
Firewall Support = Data Channel Port Range: 63500 - 63505
External IP Address of Firewall = I've tried various entries as I am trying to test this from within my network, I've used inside address, external, address of DMZ interface (where FTP server lives), I've tried blank.
FTP IPv4 Address and Domain Restrictions are set to allow my inside network subnet that my PC is on.
FTP SSL Settings = pointing to self signed cert, custom policy = Require only for credentials, and allow (for Data Channel section).

Just to recap, when I allow all of TCP from my PC subnet to the DMZ (where FTP lives) it works fine, but again, the Data Channel port is random; this randomness would force me to allow all of TCP from the vendor's IP address to the server, which I do not want to do.

When I configure the "External IP address of Firewall" in FTP Firewall Support section, the client connects fine on Control Port, but never seems to even attempt connection on Data Channel, (I see this via the Firewall log). If I configure it blank or with the FTP servers address, it works fine and I can see Control and Data channel connection attempts.

In the link provided by you for setup, it does not show to configure this "External IP address of Firewall".
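Two things in this thread can be checked mechanically from an FTP client log: whether the server is actually handing out data-channel ports inside the configured range (the 63500 - 63505 range above, or the 61000 - 61005 range mentioned earlier), and which address it advertises in the 227 reply, since the client connects to whatever host and port that reply names. The port is encoded as two octets, high byte times 256 plus low byte, so the `227 Entering Passive Mode (192,168,56,101,192,23)` line in Brad Howe's Core FTP log above decodes to 192.168.56.101 port 192*256+23 = 49175, which matches the `Connect socket #864 to, port 49175` line that follows it. The following is an added example, not code from the thread or from Microsoft; it decodes every 227 reply in a log and reports any advertised host or port that does not match what the firewall ACL expects. The sample log reuses lines from the post above plus one constructed line (labelled) that advertises a port inside the configured range; the expected host and port range are assumptions for the example.

```python
"""Audit FTP passive-mode (227) replies in a client log against the firewall rule.

Added example, not from the original thread. Decodes the host and port that an
FTP server advertises in each '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
reply and checks them against the address and data-channel port range the
firewall ACL is expected to allow.
"""
import re

# Lines copied from the Core FTP log in the thread, plus one CONSTRUCTED 227
# reply (the last one) whose port lands inside the author's 63500-63505 range.
SAMPLE_LOG = """\
 Connect socket #976 to, port 21...
220 Microsoft FTP Service
 200 PBSZ command successful.
 200 PROT command successful.
 227 Entering Passive Mode (192,168,56,101,192,23).
 Connect socket #864 to, port 49175...
150 Opening ASCII mode data connection.
 226 Transfer complete.
 227 Entering Passive Mode (192,168,56,101,248,12).
"""

# Six comma-separated decimal octets inside parentheses after a 227 reply code.
PASV_RE = re.compile(
    r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def decode_pasv(line):
    """Return (host, port) advertised by a 227 reply, or None if the line is not one.

    The port is transmitted as two octets: port = p1 * 256 + p2.
    """
    m = PASV_RE.search(line)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None  # malformed reply; an octet cannot exceed 255
    h1, h2, h3, h4, p_hi, p_lo = octets
    return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo


def audit_pasv(log_text, expected_host, port_range):
    """Check every 227 reply in log_text against the firewall expectations.

    expected_host: the address the client must reach for the data channel
                   (the server's own address, or the NAT address if the vendor
                   connects from outside).
    port_range:    (low, high) inclusive range opened on the firewall.
    Returns one dict per 227 reply with the decoded values and any problems.
    """
    low, high = port_range
    findings = []
    for line in log_text.splitlines():
        decoded = decode_pasv(line)
        if decoded is None:
            continue
        host, port = decoded
        problems = []
        if host != expected_host:
            problems.append(f"advertised host {host} != expected {expected_host}")
        if not low <= port <= high:
            problems.append(f"data port {port} outside allowed range {low}-{high}")
        findings.append({"host": host, "port": port, "ok": not problems,
                         "problems": problems})
    return findings


if __name__ == "__main__":
    # Assumed values for the example: the server's DMZ address from the log
    # and the data-channel range the author configured in IIS.
    for f in audit_pasv(SAMPLE_LOG, "192.168.56.101", (63500, 63505)):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} {f['host']}:{f['port']} {'; '.join(f['problems'])}")
```

Run against a real client log after each IIS change: a 227 reply whose port falls outside the configured range is the evidence that the setting has not taken effect on the running FTP service, and a 227 reply that advertises an address the test PC cannot route to (for instance an external firewall address while testing from the inside network) is the reason no data-channel connection ever shows up in the ASA log.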

Author Comment

ID: 39759878
Windows firewall is running, only Cisco ASA. I wonder if this setting "External IP address of Firewall" is for the Server's firewall?
LVL 12

Accepted Solution

Henk van Achterberg earned 2000 total points
ID: 39760317

Author Closing Comment

ID: 39760367
I was restarting the FTP site after each change, but apparently that wasn't enough....yes, restarting the Microsoft FTP service did it.
Wow Microsoft...WAY TO MAKE SOMETHING SO FREAKIN simple, a "please restart Microsoft FTP Service" message was way too hard to put in there...or in your instructions on TechNet....omg...whatever :)

but thanks henkva!
