SFTP ports, IIS, ASA

Server 2008 R2 Standard, IIS 7.5. Trying to set up SFTP (SSL) site for a single vendor. I want to open ports on ASA, for only their IP address. However, during testing I see that SFTP uses two ports, TCP 22 and then a randomly generated TCP port (Data Channel) in the 57K plus range (at least from logs so far).

I've gone into IIS and set Data Channel port range, but when I'm testing it is not using this 5 port range I configured, it is still randomly generated.

Obviously this sort of creates a problem from the Firewall point of view, as I do not know what ports will be used for the data channel.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brad HoweDevOps ManagerCommented:
I don't see this as an IIS issue for you but an CISCO configuration issue. We had a similar problem with our Juniper Device (SRX) where we needed to change a setting to allow ftps. FTPS support for SRX can be enabled by using the following configuration command:

set security alg ftp ftps-extension

I know it is not Cisco ASA, but I would start there if your FTPS works properly locally when using a FTPS Client such as CoreFTP LE.

Some details
FTPS (FTP-SSL) is just like any FTP Server that runs over port 21. The main difference is that it uses TSL/SSL protocols to encrypt the control & data channels.

When the CONTROL channel is encrypted, the authentication is protected - therefore passwords are secure.

When the DATA channel is encrypted, the file transfers are secure while in transit.

Please do not confuse this with SFTP.  

SFTP is FTP Services over SSH which runs on tcp/22.
FTPS runs over SSL or TLS on tcp/21 or tcp/990.

Setup your FTPS in IIS Manager

Setup the custom data port channels under IIS Manager - Server Level

Sample Core FTP Log

Welcome to Core FTP, release ver 2.2, build 1747 (x64) — © 2003-2012
 WinSock 2.0
 Mem — 8,339,356 KB, Virt — 8,589,934,464 KB
 Started on Saturday September 8, 2012 at 12:44:PM
 Connect socket #976 to, port 21…
220 Microsoft FTP Service
234 AUTH command ok. Expecting TLS Negotiation.
 TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
 USER ftpuser
 331 Password required
 PASS **********
 230 User logged in.
 215 Windows_NT
 Keep alive off…
 257 “/” is current directory.
 200 PBSZ command successful.
 200 PROT command successful.
 227 Entering Passive Mode (192,168,56,101,192,23).
 Connect socket #864 to, port 49175…
150 Opening ASCII mode data connection.
 TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
 226 Transfer complete.
 Transferred 0 bytes in 0.011 seconds

Let us know if it works locally first over the proper data channels.
Hades666 is correct.  IIS is not capable of serving SFTP, only FTPS.  If this is your first time you should get it working serving plain FTP and only then add SSL to the mix.  This will be easier for you if you use Explicit FTPS... implicit is rare these days anyway so for a new site you should do explicit.

If you actually NEED an SFTP server then you need different server-side software because IIS doesn't do SFTP.  This is the easiest SFTP server I've installed: http://www.robo-ftp.com/help/robo-ftp_server/3.3/sftp_quick_start_guide.htm
AHECAuthor Commented:
Sorry, I am referring to FTPS (SSL), not SFTP.

anyway, not knowing how a Juniper appliance works, I can tell you that in Cisco ASA I only have the option to configure an ACL to allow specific ports.

It does work internally, but I am allowing all ports from my PC to Server (in DMZ), but like I said, it is using random ports for Data Channel  even though I have specified ports for this in IIS; a range of 5 ports. If this configuration actually did what I thought it did, then I could easily configure firewall to allow port 22 (which I specified for Control Channel) and Ports 61000 - 61005 from IP XXX.XXX.XXX.XXX.

So, is there a way to configure what the data channel ports will be or will they always be random?
If always be random, what is the range?

perhaps my configuration in IIS is incorrect.
Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

Brad HoweDevOps ManagerCommented:
Data channels are specific. Even locally using a proper FTP client that supports FTPS it should use specified ports. If it doesn't then the FTPS setup in IIS is incorrect.

Can you describe your IIS setup exactly.
AHECAuthor Commented:
FTP Authentication = Basic
FTP Authorization rules is configured with a username having Read, Write permissions.
Firewall Support = Data Channel Port Range: 63500 - 63505
External IP Address of Firewall = I've tried various entries as I am trying to test this from within my network, I've used inside address, external, address of DMZ interface (where FTP server lives), I've tried blank.
FTP IPv4 Address and Domain Restrictions are set to allow my inside network subnet that my PC is on.
FTP SSL Settings = pointing to self signed cert, custom policy = Require only for credentials, and allow (for Data Channel section).

Just to recap, When I allow all of TCP from my PC subnet to DMZ (where FTP lives) it works fine, but again, the Data Channel port is random, this randomness would force me to allow all of TCP from the vendor's IP address to the server, which I do not want to do.

When I configure the "External IP address of Firewall" in FTP Firewall Support section, the client connects fine on Control Port, but never seems to even attempt connection on Data Channel, (I see this via the Firewall log). If I configure it blank or with the FTP servers address, it works fine and I can see Control and Data channel connection attempts.

In the link provided by you for setup, it does not show to configure this "External IP address of Firewall".
AHECAuthor Commented:
BTW...no windows firewall is running, only Cisco ASA. I wonder if this setting "External IP address of Firewall" is for the Server's firewall?
Henk van AchterbergSr. Technical ConsultantCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AHECAuthor Commented:
I was restarting the FTP site after each change, but apparently that wasn't enough....yes, restarting Microsoft FTP service did it.
Wow Microsoft...WAY TO MAKE SOMETHING SO FREAKIN DIFFICULT...lol...a simple, "please restart Microsoft FTP Service" message was way to hard to put in there...or in your instructions on TechNet....omg...whatever :)

but thanks henkva!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.