Solved

SFTP ports, IIS, ASA

Posted on 2014-01-06
8
1,775 Views
Last Modified: 2014-01-06
Server 2008 R2 Standard, IIS 7.5. Trying to set up SFTP (SSL) site for a single vendor. I want to open ports on ASA, for only their IP address. However, during testing I see that SFTP uses two ports, TCP 22 and then a randomly generated TCP port (Data Channel) in the 57K plus range (at least from logs so far).

I've gone into IIS and set Data Channel port range, but when I'm testing it is not using this 5 port range I configured, it is still randomly generated.

Obviously this sort of creates a problem from the Firewall point of view, as I do not know what ports will be used for the data channel.

Thoughts?
0
Comment
Question by:AHEC
8 Comments
 
LVL 30

Expert Comment

by:Brad Howe
Comment Utility
I don't see this as an IIS issue for you but an CISCO configuration issue. We had a similar problem with our Juniper Device (SRX) where we needed to change a setting to allow ftps. FTPS support for SRX can be enabled by using the following configuration command:

set security alg ftp ftps-extension

I know it is not Cisco ASA, but I would start there if your FTPS works properly locally when using a FTPS Client such as CoreFTP LE.

Some details
FTPS (FTP-SSL) is just like any FTP Server that runs over port 21. The main difference is that it uses TSL/SSL protocols to encrypt the control & data channels.

When the CONTROL channel is encrypted, the authentication is protected - therefore passwords are secure.

When the DATA channel is encrypted, the file transfers are secure while in transit.

Please do not confuse this with SFTP.  

SFTP is FTP Services over SSH which runs on tcp/22.
FTPS runs over SSL or TLS on tcp/21 or tcp/990.

Setup your FTPS in IIS Manager
http://www.iis.net/learn/publish/using-the-ftp-service/using-ftp-over-ssl-in-iis-7

Setup the custom data port channels under IIS Manager - Server Level
http://www.iis.net/learn/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7

Sample Core FTP Log

Welcome to Core FTP, release ver 2.2, build 1747 (x64) — © 2003-2012
 WinSock 2.0
 Mem — 8,339,356 KB, Virt — 8,589,934,464 KB
 Started on Saturday September 8, 2012 at 12:44:PM
 Connect socket #976 to 192.168.56.101, port 21…
220 Microsoft FTP Service
 AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
 TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
 USER ftpuser
 331 Password required
 PASS **********
 230 User logged in.
 SYST
 215 Windows_NT
 Keep alive off…
PWD
 257 “/” is current directory.
 PBSZ 0
 200 PBSZ command successful.
 PROT P
 200 PROT command successful.
 PASV
 227 Entering Passive Mode (192,168,56,101,192,23).
 LIST
 Connect socket #864 to 192.168.56.101, port 49175…
150 Opening ASCII mode data connection.
 TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
 226 Transfer complete.
 Transferred 0 bytes in 0.011 seconds


Let us know if it works locally first over the proper data channels.
Hades666
0
 
LVL 16

Expert Comment

by:AlexPace
Comment Utility
Hades666 is correct.  IIS is not capable of serving SFTP, only FTPS.  If this is your first time you should get it working serving plain FTP and only then add SSL to the mix.  This will be easier for you if you use Explicit FTPS... implicit is rare these days anyway so for a new site you should do explicit.

If you actually NEED an SFTP server then you need different server-side software because IIS doesn't do SFTP.  This is the easiest SFTP server I've installed: http://www.robo-ftp.com/help/robo-ftp_server/3.3/sftp_quick_start_guide.htm
0
 
LVL 1

Author Comment

by:AHEC
Comment Utility
Sorry, I am referring to FTPS (SSL), not SFTP.

anyway, not knowing how a Juniper appliance works, I can tell you that in Cisco ASA I only have the option to configure an ACL to allow specific ports.

It does work internally, but I am allowing all ports from my PC to Server (in DMZ), but like I said, it is using random ports for Data Channel  even though I have specified ports for this in IIS; a range of 5 ports. If this configuration actually did what I thought it did, then I could easily configure firewall to allow port 22 (which I specified for Control Channel) and Ports 61000 - 61005 from IP XXX.XXX.XXX.XXX.

So, is there a way to configure what the data channel ports will be or will they always be random?
If always be random, what is the range?

perhaps my configuration in IIS is incorrect.
0
 
LVL 30

Expert Comment

by:Brad Howe
Comment Utility
Data channels are specific. Even locally using a proper FTP client that supports FTPS it should use specified ports. If it doesn't then the FTPS setup in IIS is incorrect.

Can you describe your IIS setup exactly.
0
Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

 
LVL 1

Author Comment

by:AHEC
Comment Utility
FTP Authentication = Basic
FTP Authorization rules is configured with a username having Read, Write permissions.
Firewall Support = Data Channel Port Range: 63500 - 63505
External IP Address of Firewall = I've tried various entries as I am trying to test this from within my network, I've used inside address, external, address of DMZ interface (where FTP server lives), I've tried blank.
FTP IPv4 Address and Domain Restrictions are set to allow my inside network subnet that my PC is on.
FTP SSL Settings = pointing to self signed cert, custom policy = Require only for credentials, and allow (for Data Channel section).

Just to recap, When I allow all of TCP from my PC subnet to DMZ (where FTP lives) it works fine, but again, the Data Channel port is random, this randomness would force me to allow all of TCP from the vendor's IP address to the server, which I do not want to do.

When I configure the "External IP address of Firewall" in FTP Firewall Support section, the client connects fine on Control Port, but never seems to even attempt connection on Data Channel, (I see this via the Firewall log). If I configure it blank or with the FTP servers address, it works fine and I can see Control and Data channel connection attempts.

In the link provided by you for setup, it does not show to configure this "External IP address of Firewall".
0
 
LVL 1

Author Comment

by:AHEC
Comment Utility
BTW...no windows firewall is running, only Cisco ASA. I wonder if this setting "External IP address of Firewall" is for the Server's firewall?
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
Comment Utility
0
 
LVL 1

Author Closing Comment

by:AHEC
Comment Utility
I was restarting the FTP site after each change, but apparently that wasn't enough....yes, restarting Microsoft FTP service did it.
Wow Microsoft...WAY TO MAKE SOMETHING SO FREAKIN DIFFICULT...lol...a simple, "please restart Microsoft FTP Service" message was way to hard to put in there...or in your instructions on TechNet....omg...whatever :)

but thanks henkva!
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now