SFTP ports, IIS, ASA

AHEC asked:

Server 2008 R2 Standard, IIS 7.5. Trying to set up SFTP (SSL) site for a single vendor. I want to open ports on ASA, for only their IP address. However, during testing I see that SFTP uses two ports, TCP 22 and then a randomly generated TCP port (Data Channel) in the 57K plus range (at least from logs so far).

I've gone into IIS and set the Data Channel port range, but when I test it is not using this 5-port range I configured; it is still randomly generated.

Obviously this sort of creates a problem from the Firewall point of view, as I do not know what ports will be used for the data channel.

Brad Howe replied:

I don't see this as an IIS issue for you but a Cisco configuration issue. We had a similar problem with our Juniper device (SRX) where we needed to change a setting to allow FTPS. FTPS support for SRX can be enabled by using the following configuration command:

set security alg ftp ftps-extension

I know it is not Cisco ASA, but I would start there if your FTPS works properly locally when using an FTPS client such as CoreFTP LE.

Some details
FTPS (FTP-SSL) is just like any FTP server that runs over port 21. The main difference is that it uses TLS/SSL protocols to encrypt the control & data channels.

When the CONTROL channel is encrypted, the authentication is protected - therefore passwords are secure.

When the DATA channel is encrypted, the file transfers are secure while in transit.

Please do not confuse this with SFTP.

SFTP is FTP Services over SSH which runs on tcp/22.
FTPS runs over SSL or TLS on tcp/21 or tcp/990.

Set up your FTPS in IIS Manager

Set up the custom data port channels under IIS Manager - Server Level

Sample Core FTP Log

Welcome to Core FTP, release ver 2.2, build 1747 (x64) — © 2003-2012
WinSock 2.0
Mem — 8,339,356 KB, Virt — 8,589,934,464 KB
Started on Saturday September 8, 2012 at 12:44:PM
Connect socket #976 to, port 21…
220 Microsoft FTP Service
234 AUTH command ok. Expecting TLS Negotiation.
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
USER ftpuser
331 Password required
PASS **********
230 User logged in.
215 Windows_NT
Keep alive off…
257 “/” is current directory.
200 PBSZ command successful.
200 PROT command successful.
227 Entering Passive Mode (192,168,56,101,192,23).
Connect socket #864 to, port 49175…
150 Opening ASCII mode data connection.
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) – 128 bit
226 Transfer complete.
Transferred 0 bytes in 0.011 seconds

Let us know if it works locally first over the proper data channels.

Hades666 is correct. IIS is not capable of serving SFTP, only FTPS. If this is your first time you should get it working serving plain FTP and only then add SSL to the mix. This will be easier for you if you use Explicit FTPS... implicit is rare these days anyway so for a new site you should do explicit.

If you actually NEED an SFTP server then you need different server-side software because IIS doesn't do SFTP.  This is the easiest SFTP server I've installed:
AHEC replied:

Sorry, I am referring to FTPS (SSL), not SFTP.

Anyway, not knowing how a Juniper appliance works, I can tell you that in Cisco ASA I only have the option to configure an ACL to allow specific ports.

It does work internally, but I am allowing all ports from my PC to the server (in DMZ), but like I said, it is using random ports for the Data Channel even though I have specified ports for this in IIS: a range of 5 ports. If this configuration actually did what I thought it did, then I could easily configure the firewall to allow port 22 (which I specified for the Control Channel) and ports 61000 - 61005 from IP XXX.XXX.XXX.XXX.

So, is there a way to configure what the data channel ports will be, or will they always be random?
If they will always be random, what is the range?

Perhaps my configuration in IIS is incorrect.

Data channels are specific. Even locally, using a proper FTP client that supports FTPS, it should use the specified ports. If it doesn't, then the FTPS setup in IIS is incorrect.

Can you describe your IIS setup exactly?
AHEC replied:

FTP Authentication = Basic
FTP Authorization rules is configured with a username having Read, Write permissions.
Firewall Support = Data Channel Port Range: 63500 - 63505
External IP Address of Firewall = I've tried various entries as I am trying to test this from within my network, I've used inside address, external, address of DMZ interface (where FTP server lives), I've tried blank.
FTP IPv4 Address and Domain Restrictions are set to allow my inside network subnet that my PC is on.
FTP SSL Settings = pointing to self signed cert, custom policy = Require only for credentials, and allow (for Data Channel section).

Just to recap, when I allow all of TCP from my PC subnet to the DMZ (where FTP lives) it works fine, but again, the Data Channel port is random. This randomness would force me to allow all of TCP from the vendor's IP address to the server, which I do not want to do.

When I configure the "External IP address of Firewall" in FTP Firewall Support section, the client connects fine on Control Port, but never seems to even attempt connection on Data Channel, (I see this via the Firewall log). If I configure it blank or with the FTP servers address, it works fine and I can see Control and Data channel connection attempts.

In the link provided by you for setup, it does not show to configure this "External IP address of Firewall".
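A defender-side check that ties the "227 Entering Passive Mode" reply in the Core FTP log posted above to the 63500 - 63505 data-channel range configured in IIS: this is added example code, not from anyone in the thread. It parses the six-number PASV tuple (port = p1*256 + p2, so 192,23 is 49175), flags any advertised port the firewall ACL would not permit, and optionally checks that the advertised host is the address the firewall expects; the log excerpt is constructed from the lines above.

```python
import re

# Constructed excerpt of the control-channel log posted in this thread.
# The server advertises its private address and port 192*256 + 23 = 49175.
SAMPLE_LOG = """\
200 PROT command successful.
227 Entering Passive Mode (192,168,56,101,192,23).
Connect socket #864 to, port 49175...
150 Opening ASCII mode data connection.
"""

# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one octet; anything larger is malformed
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit_log(log_text, allowed_range, expected_host=None):
    """Check every PASV reply in the log against the firewall's allowed data range.

    Returns a list of (host, port, ok). ok is False when the advertised port lies
    outside [low, high] or the advertised host differs from expected_host (if given).
    """
    low, high = allowed_range
    results = []
    for line in log_text.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue  # not a 227 reply; control-channel chatter
        host, port = parsed
        ok = low <= port <= high and (expected_host is None or host == expected_host)
        results.append((host, port, ok))
    return results


if __name__ == "__main__":
    # The configured IIS range from the thread; 49175 falls outside it.
    for host, port, ok in audit_log(SAMPLE_LOG, (63500, 63505)):
        print(f"data channel -> {host}:{port}  {'OK' if ok else 'OUTSIDE configured range'}")
```

Run against a real client log, a False result means the IIS data-channel setting is not in effect (the symptom described in this thread) or the advertised host is not what the firewall rule expects.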
AHEC replied:

Windows firewall is running, only Cisco ASA. I wonder if this setting "External IP address of Firewall" is for the server's firewall?
Henk van Achterberg replied:

[This solution is only available to Experts Exchange members.]
AHEC replied:

I was restarting the FTP site after each change, but apparently that wasn't enough.... Yes, restarting the Microsoft FTP service did it.
Wow Microsoft... WAY TO MAKE SOMETHING SO FREAKIN simple. A "please restart Microsoft FTP Service" message was way too hard to put in there... or in your instructions on TechNet... omg... whatever :)

but thanks henkva!