AHEC asked on

SFTP ports, IIS, ASA

Server 2008 R2 Standard, IIS 7.5. Trying to set up SFTP (SSL) site for a single vendor. I want to open ports on ASA, for only their IP address. However, during testing I see that SFTP uses two ports, TCP 22 and then a randomly generated TCP port (Data Channel) in the 57K plus range (at least from logs so far).

I've gone into IIS and set Data Channel port range, but when I'm testing it is not using this 5 port range I configured, it is still randomly generated.

Obviously this sort of creates a problem from the Firewall point of view, as I do not know what ports will be used for the data channel.

Thoughts?
Tags: Microsoft IIS Web Server, Windows Server 2008

Last comment: AHEC, 8/22/2022 (Mon)
Brad Howe

I don't see this as an IIS issue for you but a Cisco configuration issue. We had a similar problem with our Juniper device (SRX) where we needed to change a setting to allow FTPS. FTPS support for SRX can be enabled by using the following configuration command:

set security alg ftp ftps-extension

I know it is not Cisco ASA, but I would start there if your FTPS works properly locally when using an FTPS client such as CoreFTP LE.

Some details
FTPS (FTP-SSL) is just like any FTP server that runs over port 21. The main difference is that it uses TLS/SSL protocols to encrypt the control & data channels.

When the CONTROL channel is encrypted, the authentication is protected - therefore passwords are secure.

When the DATA channel is encrypted, the file transfers are secure while in transit.

Please do not confuse this with SFTP.

SFTP is FTP Services over SSH which runs on tcp/22.
FTPS runs over SSL or TLS on tcp/21 or tcp/990.

Set up your FTPS in IIS Manager
http://www.iis.net/learn/publish/using-the-ftp-service/using-ftp-over-ssl-in-iis-7

Set up the custom data port channels under IIS Manager - Server Level
http://www.iis.net/learn/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7

Sample Core FTP Log

Welcome to Core FTP, release ver 2.2, build 1747 (x64) - © 2003-2012
WinSock 2.0
Mem - 8,339,356 KB, Virt - 8,589,934,464 KB
Started on Saturday September 8, 2012 at 12:44:PM
Connect socket #976 to 192.168.56.101, port 21...
220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit
USER ftpuser
331 Password required
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PASV
227 Entering Passive Mode (192,168,56,101,192,23).
LIST
Connect socket #864 to 192.168.56.101, port 49175...
150 Opening ASCII mode data connection.
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit
226 Transfer complete.
Transferred 0 bytes in 0.011 seconds


Let us know if it works locally first over the proper data channels.
Hades666
AlexPace

Hades666 is correct. IIS is not capable of serving SFTP, only FTPS. If this is your first time you should get it working serving plain FTP and only then add SSL to the mix. This will be easier for you if you use Explicit FTPS... implicit is rare these days anyway so for a new site you should do explicit.

If you actually NEED an SFTP server then you need different server-side software because IIS doesn't do SFTP.  This is the easiest SFTP server I've installed: http://www.robo-ftp.com/help/robo-ftp_server/3.3/sftp_quick_start_guide.htm
AHEC

ASKER
Sorry, I am referring to FTPS (SSL), not SFTP.

Anyway, not knowing how a Juniper appliance works, I can tell you that in Cisco ASA I only have the option to configure an ACL to allow specific ports.

It does work internally, but I am allowing all ports from my PC to Server (in DMZ), but like I said, it is using random ports for Data Channel even though I have specified ports for this in IIS; a range of 5 ports. If this configuration actually did what I thought it did, then I could easily configure firewall to allow port 22 (which I specified for Control Channel) and Ports 61000 - 61005 from IP XXX.XXX.XXX.XXX.

So, is there a way to configure what the data channel ports will be or will they always be random?
If they will always be random, what is the range?

Perhaps my configuration in IIS is incorrect.
Brad Howe

Data channels are specific. Even locally using a proper FTP client that supports FTPS it should use specified ports. If it doesn't then the FTPS setup in IIS is incorrect.

Can you describe your IIS setup exactly?
AHEC

ASKER
FTP Authentication = Basic
FTP Authorization rules is configured with a username having Read, Write permissions.
Firewall Support = Data Channel Port Range: 63500 - 63505
External IP Address of Firewall = I've tried various entries as I am trying to test this from within my network; I've used the inside address, the external address, the address of the DMZ interface (where the FTP server lives), and I've tried blank.
FTP IPv4 Address and Domain Restrictions are set to allow my inside network subnet that my PC is on.
FTP SSL Settings = pointing to self signed cert, custom policy = Require only for credentials, and allow (for Data Channel section).

Just to recap, when I allow all of TCP from my PC subnet to DMZ (where FTP lives) it works fine, but again, the Data Channel port is random. This randomness would force me to allow all of TCP from the vendor's IP address to the server, which I do not want to do.

When I configure the "External IP address of Firewall" in FTP Firewall Support section, the client connects fine on Control Port, but never seems to even attempt connection on Data Channel, (I see this via the Firewall log). If I configure it blank or with the FTP servers address, it works fine and I can see Control and Data channel connection attempts.

In the link provided by you for setup, it does not show to configure this "External IP address of Firewall".
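The thread's two practical questions are whether the server is actually handing out data ports inside the configured Data Channel Port Range (Brad Howe's log above shows the port arithmetic: PASV reply `(192,168,56,101,192,23)` becomes 192*256+23 = 49175, the port the client then connects to) and, in AHEC's setup description, why the client never attempts the data connection when "External IP address of Firewall" is filled in. The following script is an added example, not code from the thread or from IIS; it decodes every 227 PASV reply in a control-channel log, flags any advertised port outside the configured range and any advertised IP the client is not expected to reach, and prints the two ASA permit lines that a fixed range allows. The sample log is constructed (modelled on the Core FTP transcript), and the ACL name `OUTSIDE_IN` and the addresses are placeholders.

```python
"""
Added example (not from the thread): decode FTP passive-mode (PASV) replies
from a control-channel log and check the advertised data port against the
Data Channel Port Range configured in IIS FTP Firewall Support.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# The data port is p1 * 256 + p2; the four h values are the IP address the
# server tells the client to connect to for the data channel.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (advertised_ip, data_port) for a 227 reply, or None for any other line."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


@dataclass
class PasvFinding:
    advertised_ip: str
    data_port: int
    port_in_range: bool   # inside the configured Data Channel Port Range?
    ip_as_expected: bool  # matches the address the client should be reaching?


def audit_pasv_log(log: str, low_port: int, high_port: int,
                   expected_ip: Optional[str] = None) -> List[PasvFinding]:
    """Check every PASV reply in a control-channel log.

    A data_port outside [low_port, high_port] means the server is still handing
    out ephemeral ports, so a firewall rule limited to that range will block the
    transfer. An advertised IP the client cannot reach (e.g. the firewall's
    external address, seen from inside the network) means the client never
    opens the data connection at all.
    """
    findings: List[PasvFinding] = []
    for line in log.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        findings.append(PasvFinding(
            advertised_ip=ip,
            data_port=port,
            port_in_range=low_port <= port <= high_port,
            ip_as_expected=(expected_ip is None or ip == expected_ip),
        ))
    return findings


def asa_permit_lines(vendor_ip: str, server_ip: str, control_port: int,
                     low_port: int, high_port: int,
                     acl_name: str = "OUTSIDE_IN") -> List[str]:
    """Permit entries for the control port plus the fixed data range only
    (Cisco ASA extended ACL syntax; acl_name and addresses are placeholders)."""
    return [
        f"access-list {acl_name} extended permit tcp host {vendor_ip} "
        f"host {server_ip} eq {control_port}",
        f"access-list {acl_name} extended permit tcp host {vendor_ip} "
        f"host {server_ip} range {low_port} {high_port}",
    ]


# Constructed sample log, modelled on the Core FTP transcript in the thread.
# Reply 1: ephemeral port 49175 (192*256+23), the "random port" symptom.
# Reply 2: port 63500 (248*256+12), inside a 63500-63505 range.
# Reply 3: in range, but the server advertises a different (firewall) address.
SAMPLE_LOG = """\
PASV
227 Entering Passive Mode (192,168,56,101,192,23).
LIST
150 Opening ASCII mode data connection.
226 Transfer complete.
PASV
227 Entering Passive Mode (192,168,56,101,248,12).
PASV
227 Entering Passive Mode (203,0,113,10,248,13).
"""


def demo() -> List[PasvFinding]:
    findings = audit_pasv_log(SAMPLE_LOG, 63500, 63505, expected_ip="192.168.56.101")
    for f in findings:
        status = "OK" if (f.port_in_range and f.ip_as_expected) else "PROBLEM"
        print(f"{status}: server advertised {f.advertised_ip}:{f.data_port}")
    for rule in asa_permit_lines("198.51.100.7", "10.0.0.5", 21, 63500, 63505):
        print(rule)
    return findings


if __name__ == "__main__":
    demo()
```

Run it against a real client log (Core FTP, FileZilla or WinSCP all print the 227 reply) after each IIS change: as long as any 227 reply decodes to a port outside the configured range, the server is not using the range yet, and restricting the ASA to that range will break transfers. The same check also shows whether the advertised address is one the testing client can reach.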
AHEC

ASKER
BTW...no Windows Firewall is running, only Cisco ASA. I wonder if this setting "External IP address of Firewall" is for the server's firewall?
ASKER CERTIFIED SOLUTION
Henk van Achterberg

AHEC

ASKER
I was restarting the FTP site after each change, but apparently that wasn't enough....yes, restarting Microsoft FTP service did it.
Wow Microsoft...WAY TO MAKE SOMETHING SO FREAKIN DIFFICULT...lol...a simple "please restart Microsoft FTP Service" message was way too hard to put in there...or in your instructions on TechNet....omg...whatever :)

but thanks henkva!