rsnellman asked:
HELP!!! Trying to determine the safest/securest way to setup Microsoft IIS FTPS (FTP over SSL) and its requirements...

HELP!!!  I am trying to determine the requirements for setting up Microsoft IIS FTPS (FTP over SSL).

Also, what is the safest/securest approach to configuring IIS FTPS within my network (domain or workgroup)?


OS:  Microsoft Windows Server 2012 R2 - Standard Edition

SSL:  Will be using a third-party CA, probably GoDaddy.com for the SSL cert.


I need to support my company's ability to accept online credit card payments using a third-party company/vendor.  From what I have been told, the third party will accept the payments, then connect to our network (database) via FTPS to reflect that payment(s) have been made/completed by individuals.  The third party can use FTPS, which is why we are focused on using it; plus, it is a built-in feature of IIS FTP.


Thanks in advance.
Jeff Darling:
I would make sure that they really want FTPS.  FTPS is difficult to configure and get working through a firewall because of the way it uses ports.  SFTP is a much better option.
rsnellman (asker):
I agree with your statements, because I set FTPS up on a Windows Server 2008 R2 - Standard Edition system years back, but it was for a different purpose/use and wasn't anything like my current situation.  So, that is why I am asking for opinions, ideas, options, comments, etc. now.  I do recall that the dynamic range of ports allowed through internal/server firewalls was somewhat of a pain to get working with FTPS, but it was doable and still works today.

What options / programs offer SFTP that are free or at least very affordable for said purpose?
I would recommend Filezilla.  I used Filezilla for a number of years, both client and server programs work well.
I know the client is free...is the server free?

Does it support AD access too?


Thanks.
The software is free, but I don't know about AD.  I think you are asking about Active Directory authentication.  Most likely, internally you would just drop the file into the file system using existing AD credentials.
ASKER CERTIFIED SOLUTION by Dan McFadden (members-only content, not shown on this page)
OK.  Thanks for the clarifications.  A couple of last questions for now...what about using FileZilla server to install SFTP services on a Windows 10 virtual machine instead of the FTPS?  Which is more secure?


Thanks again.
SOLUTION (members-only content, not shown on this page)
OK.  Thanks Dan.

I believe I can do this, but I need to ask for confirmation anyway.  Can I use a self-signed server certificate to test the initial setup of the FTPS services, then, once I have it all set up the way I want it (safe/secure), purchase an SSL cert from a CA (i.e. GoDaddy, etc.) and apply it to finalize the setup?

Do you see any negatives to this approach?  Or gotchas or bad "mojo"?


Thanks again.
SOLUTION (members-only content, not shown on this page)
OK.  Thanks Dan.  I truly appreciate the confirmation of what I already knew I should do.  However, it had been several years since I set up FTPS on a Windows Server 2008 R2 box, so it is nice to have those links you provided.  Thanks for keeping my second-guessing of myself in check.


Have a wonderful day.
No problem. Hopefully it helps you get it in place.

Dan
Well, I spoke too soon.

I have the FTP site configured according to the "Installing a Secure FTP Server on Windows using IIS" article.

https://winscp.net/eng/docs/guide_windows_ftps_server#opening_iis_manager

It is set up as a standalone FTP site rather than in association with a website, and with a self-signed server certificate for the moment.


I cannot connect to the FTP Site (FTPS server) with my FileZilla Client with the following settings:

Host: servername
Port: 1009
Protocol: FTP - File Transfer Protocol
Encryption: Require implicit FTP over TLS

Logon Type: Ask for password
User: ftpuser

I receive the following error in FileZilla client:

Connection attempt failed with "EAI_NODATA - No address associated with the nodename".


Any ideas?


Thanks.
I don't need to have a website up and running to use the IIS FTP, correct?
No website required.

Does the ftp site work without the cert?

Please post the bindings for the site.  Also, give the ftp site a dedicated AppPool; do not share a pool with another site.

Dan
Dan,
I will have to try without the certificate binding to the site and get back to you on that.

There is nothing else on this server, VM.  It is only for the FTPS purpose.

Do I need to create a folder or can I just use the ftproot default folder for the path?  (Also, if I created a local user to be used to connect to the FTPS site, it needs to have at least Modify NTFS permissions on the ftproot default folder, correct?)


How can you check / verify the FTP Site has a dedicated AppPool?  I try viewing and there is nothing.

There is one step or item that struck me in one of the other articles (links) you provided that mentions installing/check marking FTP Extensibility during the FTP Server installation.  (The article notes the FTP Extensibility is needed to support ASP.Membership authentication or IIS Manager authentication for the FTP service.)

Do I need to install the FTP Extensibility service role too?
Oh, forgot to add, I didn't stick with the default ftp port, but rather selected port 1009.  

Also, I decided to narrow down the data channel port range within the FTP Firewall Support page from 0 - 0 to 5000 - 5050.

Could that cause an issue too?


NOTE:  I did manually add Custom FTP firewall rules within WFAS on the Server 2012 R2 - Standard Edition system for these ports/ranges.
Just tried and not even able to connect without cert.  Tried connecting with port 21 no TLS and still gives the same error of "Connection attempt failed with "EAI_NODATA - No address associated with nodename"."
I know it is something simple, it usually is for me.

Possibly permissions related, but I am not finding it any where.

I know I have the FTP Authorization Rules set correctly within the FTP Site.
SOLUTION (members-only content, not shown on this page)
Dan,
Thanks.  I appreciate your assistance.  

There is no other sites or apps running on this VM (Server 2012 R2 - Standard Edition).

There is only the one IP address on the server.

The VM is in a workgroup (called IT).  So, not sure of the FQDN of the server...maybe "servername.IT"?

No DNS alias.


Attached is a screenshot of the ftp service bindings, but not sure what you mean by Sites panel screenshot.


However, I have successfully changed the ports used in another FTPS server setup a few years back, but it did include a website and was on the domain.


Also, thanks for pointing out the error referencing DNS issues.

I changed from using the server name to the IP address in the FileZilla FTP client, and now I receive a new error, which I believe might be progress in the right direction.


GnuTLS error - 15: An unexpected TLS packet was received.


Any ideas?


Thanks again.
Attachment: T--Admin-Tools-SSCC-Servers-Theseus-.jpg
Also, one other thing I have discovered is the App pool will not start, even after creating a dedicated one as you described in your easy to read/understand steps.

When I try to start the App pool, I receive the following error:  There was an error while performing this operation.
Details:  Service WAS was not found on computer '.'.


Please see attachment for further details.


Thanks.
Attachment: T--Admin-Tools-SSCC-Servers-Theseus-.jpg
SOLUTION (members-only content, not shown on this page)
Also, not sure if this makes a difference, but I don't have the Windows Process Activation Service (WAS) feature installed.  Actually, I don't have any of the Web Server role services/features installed except FTP Server and IIS Management Console.

One of the articles you provided mentioned unselecting the Web Server if I wasn't planning to use a website, but only an FTP site.

Do I need to install the FTP Extensibility role?


Please see the attached files for further details.


Thanks.
Attachments: T--Admin-Tools-SSCC-Servers-Theseus-.jpg (x8)
Dan, I was wondering if I am missing certain services since I removed the Web Server role all together during the FTP Server role installation.

Can you look over the previous screenshots and let me know if there are any other services that need to be installed, so I can install them all at once?


Thanks.
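The configuration pieced together across this thread (standalone FTP site on port 1009, self-signed certificate for testing, passive data range 5000-5050 with matching WFAS rules, a dedicated AppPool, WAS present, only one account authorized) as one scripted build. This is an added example, not the asker's or Dan's steps; the site name "FtpsSite", pool name, account "ftpuser" and root folder are assumptions. Note that IIS only treats port 990 as implicit FTPS, so a site on port 1009 is explicit FTPS (AUTH TLS) and the client should be set to "Require explicit FTP over TLS".

```powershell
# Added example (not from the thread). Assumes Windows Server 2012 R2, an elevated
# session, site "FtpsSite", control port 1009, data ports 5000-5050, local account
# "ftpuser" and root C:\inetpub\ftproot. All names are placeholders.
Import-Module ServerManager
Import-Module WebAdministration

# FTP Server, the IIS console and WAS (the App pool cannot start without WAS).
# Web-Ftp-Ext is only needed for ASP.NET / IIS Manager user authentication.
Install-WindowsFeature Web-Ftp-Server, Web-Ftp-Service, Web-Mgmt-Console, WAS-Process-Model

$site = 'FtpsSite'; $root = 'C:\inetpub\ftproot'
$ctlPort = 1009; $low = 5000; $high = 5050

# Dedicated application pool, then the standalone FTP site (no website required).
New-WebAppPool -Name "$site-pool" | Out-Null
New-WebFtpSite -Name $site -Port $ctlPort -PhysicalPath $root -Force | Out-Null
Set-ItemProperty "IIS:\Sites\$site" -Name applicationPool -Value "$site-pool"

# Self-signed certificate for the test phase. To finalize, import the CA-issued
# certificate into Cert:\LocalMachine\My and set serverCertHash to its thumbprint.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.serverCertHash -Value $cert.Thumbprint
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.serverCertStoreName -Value 'My'
# Require TLS on both channels so neither credentials nor file contents cross in the clear.
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.controlChannelPolicy -Value SslRequire
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.dataChannelPolicy -Value SslRequire
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.ssl128 -Value $true
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# FTP Authorization Rule: only the one account, read+write, nothing else.
Add-WebConfiguration -Filter /system.ftpServer/security/authorization -PSPath IIS:\ -Location $site `
    -Value @{accessType='Allow'; users='ftpuser'; permissions='Read,Write'}
# NTFS: Modify on the root folder for that account so uploads can be written.
icacls $root /grant 'ftpuser:(OI)(CI)M' | Out-Null

# Passive data-channel range (server-wide FTP Firewall Support) and matching WFAS rules.
Set-WebConfigurationProperty -Filter system.ftpServer/firewallSupport -PSPath IIS:\ -Name lowDataChannelPort -Value $low
Set-WebConfigurationProperty -Filter system.ftpServer/firewallSupport -PSPath IIS:\ -Name highDataChannelPort -Value $high
New-NetFirewallRule -DisplayName "FTPS control $ctlPort" -Direction Inbound -Protocol TCP -LocalPort $ctlPort -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "FTPS data $low-$high" -Direction Inbound -Protocol TCP -LocalPort "$low-$high" -Action Allow | Out-Null
Restart-Service ftpsvc

# Checks to run before swapping in the CA certificate: both services up, TLS required.
Get-Service WAS, ftpsvc | Select-Object Name, Status
Get-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl | Select-Object controlChannelPolicy, dataChannelPolicy, serverCertHash
```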
Great news Dan!

I decided to upgrade to the latest FileZilla FTP client and, wouldn't you know it, the cert acceptance page popped up, which is what I was thinking was why the connection to the FTPS server was failing in the first place...well, that and a couple of other things (WAS not installed, etc.).

Anyway, I am now connected and it looks good.  So, is there anything you think I need to attempt to verify that my testing phase is complete and I can now move on to purchasing an SSL cert from a CA?


Thanks again for everything.
Well, wouldn't you know it that I spoke too soon again.

I am trying to test uploading files to the FTPS site with no luck.

I keep getting the following:


Status:      Connecting to 10.20.50.103:1005...
Status:      Connection established, waiting for welcome message...
Status:      Initializing TLS...
Status:      Verifying certificate...
Status:      TLS connection established.
Status:      Logged in
Status:      Starting upload of C:\Users\jdalton\Desktop\AMA_Vintage_Days\WP_20140712_001.jpg
Command:      CWD /..
Response:      250 CWD command successful.
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I.
Command:      PASV
Response:      227 Entering Passive Mode (10,20,50,103,19,157).
Command:      STOR WP_20140712_001.jpg
Response:      150 Opening BINARY mode data connection.
Response:      550 The supplied message is incomplete. The signature was not verified.
Error:      File transfer failed after transferring 2,600,998 bytes in 1 second
Status:      Starting upload of C:\Users\jdalton\Desktop\AMA_Vintage_Days\WP_20140712_001.jpg
Command:      PASV
Response:      227 Entering Passive Mode (10,20,50,103,19,158).
Command:      STOR WP_20140712_001.jpg
Response:      150 Opening BINARY mode data connection.
Response:      550 The supplied message is incomplete. The signature was not verified.
Error:      File transfer failed after transferring 2,600,998 bytes in 1 second
Status:      Starting upload of C:\Users\jdalton\Desktop\AMA_Vintage_Days\WP_20140712_001.jpg
Command:      PASV
Response:      227 Entering Passive Mode (10,20,50,103,19,159).
Command:      STOR WP_20140712_001.jpg
Response:      150 Opening BINARY mode data connection.
Response:      550 The supplied message is incomplete. The signature was not verified.
Error:      File transfer failed after transferring 2,600,998 bytes in 1 second
Status:      Disconnected from server



Any ideas what I am missing?


Thanks.
SOLUTION (members-only content, not shown on this page)
Thanks Dan.  Yes, I figured that out pretty quickly after posting the errors, but forgot to let you know.  So, everything else looks good to you?  It seems to be working fine now that I installed that MS hotfix and upgraded my FileZilla FTP client.

Also, I shouldn't have any issues adding/installing an SSL cert from GoDaddy, correct?  Just switch the server cert from the self-signed one to the GoDaddy one, correct?


Thanks again for everything.  Couldn't have done it without you.


Have a great day.
As long as you follow GoDaddy's instructions on how to request a cert and finish the installation process.

Reference link:  https://www.godaddy.com/help/iis-8windows-server-2012-generate-csrs-certificate-signing-requests-4950

Dan
Awesome.  Thanks.  Yes, everything seems to have gone smoothly and is now up and running.


Thanks again.


Have a great day.