Adding SSL transfer to Server 2012 FTP connection

Currently we connect to our 2012 server using port 21 FTP to add files etc.  We would like to make this connection secure using either port 22 or port 990.

I have created the certificate in IIS and set this to Allow SSL. In the Bindings I have ports 21, 22, and 990 to connect to the IP over FTP, which I'm not sure I need.

The networking team opened the above ports in the router firewalls. We can connect on either port but we can't load the directory like in standard FTP.

Windows Firewall is allowing FTP on 21 and 990. FTP Firewall Support under IIS is set to 0-0.



Connect socket #1008 to *********, port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous  
331 Anonymous access allowed, send identity (e-mail name) as password.  
PASS **********  
230 User logged in.  
SYST  
215 Windows_NT  
Keep alive off...
Attemping Active mode transfer...
PBSZ 0  
200 PBSZ command successful.  
PROT P  
200 PROT command successful.  
PORT ##,###,##,##,70,225  
501 Server cannot accept argument.  
PORT command failed
Error loading directory...
990-connection.PNG
AGenMIS asked:

Tim Edwards (IT Team Lead - Unified Communications & Collaboration) commented:
On top of ports 21 and 990, did you configure the Data Channel Port Range and open those ports on the firewall?
AGenMIS (author) commented:
That's where my issue lies, I believe, as to what ports to add or adjust. We have set it to 0-0 in IIS, as seen in the screenshot.
SSL.PNG
Dan McFadden (Systems Engineer) commented:
You need both 20/tcp AND 21/tcp open for general FTP. 21 is the command channel and 20 is the data channel, so it makes sense that no data is being transferred when 20 is not open.

passive FTP Data channel reference link:   https://technet.microsoft.com/en-us/library/dd463996(v=ws.10).aspx

FTP over SSL (FTPS) link:  https://www.iis.net/configreference/system.applicationhost/sites/site/ftpserver/security/ssl

Here is a nice walk-thru on setting up a FTP over SSL site in IIS:

http://www.vsysad.com/2013/06/install-and-configure-ftp-over-ssl-ftps-in-iis-7-5/

Dan
AGenMIS (author) commented:
Firewall ports 20, 21, 22, 989, and 990 are open on the network firewall, so it must be an adjustment in IIS.
Dan McFadden (Systems Engineer) commented:
The PORT command is the FTP client's attempt to open the data channel. The error message at the end of the FTP session indicates that the dir list cannot be displayed, usually meaning that something is blocking access to the data channel port.

Did you setup the FTP Firewall Support options?
Have you tried to run a passive FTP session?

Dan
AGenMIS (author) commented:
Yes, tried passive checked and unchecked, no luck. Firewall Support options are set to 0-0 and SSL is set to Allow SSL connections. When I connect over port 21 with AUTH TLS (OpenSSL), it connects and asks whether I want to accept the certificate; I click OK and it errors out.
Dan McFadden (Systems Engineer) commented:
1. Does the hostname for the server match the hostname in the SSL Cert?
2. What are you using for your login credentials?

Dan
AGenMIS (author) commented:
Yes, the hostname is the same, and we connect as anonymous, which is linked to one of the local admin accounts.
AGenMIS (author) commented:
I've followed so many articles on Google and I don't see anything wrong with the setup in IIS 8 on Server 2012, so I took screenshots of my setup. If anyone can look at them to verify the IIS setup is correct, it may be a network firewall issue and not server related.
ftp-SETUP.docx
Dan McFadden (Systems Engineer) commented:
- Is there an external firewall involved, not just the Windows Firewall Service?
- Have you tested the server with the Windows Firewall Service disabled?  I recommend this to eliminate the FW as the source of the issue.
- What do the FTP Site bindings look like?
AGenMIS (author) commented:
The binding is FTP port 21 to the IP address.

Yes, the network firewall is controlled by another agency, but we have not tried to disable the Windows Firewall as this would need a maintenance window.
Dan McFadden (Systems Engineer) commented:
Since there is an external firewall, have you tried, on the FTP Site object, to enter that IP address in the "FTP Firewall Support" feature?

When testing the FTP SSL connection, are you going through the network firewall?

Dan.
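The settings Dan is pointing at (a fixed data channel range at the server node, the public address at the site node, and the matching firewall openings), written out as a script. This is an added example and not code from the thread or from Microsoft; it assumes the site is named 'Default FTP Site', a data channel range of 50000-50100 and a public address of 203.0.113.10 (a documentation address), so substitute your own values. Two caveats the thread does not spell out: 22/tcp is SFTP over SSH, which the IIS FTP service does not speak, so a 22 binding on the FTP site gains nothing; and with PROT P every directory listing or transfer is a fresh TLS connection to one of the data channel ports, so the upstream firewall has to allow inbound TCP to that range as well as to 990. The anonymous login the thread maps to a local administrator account also deserves its own low-privilege account (the site's anonymousAuthentication userName), which this script does not change. Run it from an elevated PowerShell on the server.

```powershell
# Added example, not from the thread. Pins the IIS FTP data channel to a known port range,
# advertises the public address in PASV replies, opens the range on the Windows Firewall,
# turns off the firewall's stateful FTP inspection (it cannot read an encrypted control
# channel) and restarts the FTP service so the new Firewall Support settings take effect.
# Assumed values (change them): site name, port range, public/NAT address.
$SiteName   = 'Default FTP Site'
$LowPort    = 50000
$HighPort   = 50100
$ExternalIp = '203.0.113.10'   # the address clients on the far side of the NAT connect to
$AppCmd     = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Invoke-AppCmd {
    # Runs appcmd with the given argument list and stops the script on a non-zero exit code
    # instead of silently carrying on with a half-applied configuration.
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    & $AppCmd @ArgumentList
    if ($LASTEXITCODE -ne 0) { throw "appcmd $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Server-level FTP Firewall Support: the data channel port range.
#    0-0 (the thread's value) means "use the ephemeral range", which is far too wide to open upstream.
Invoke-AppCmd @('set', 'config', '-section:system.ftpServer/firewallSupport',
                "/lowDataChannelPort:$LowPort", "/highDataChannelPort:$HighPort")

# 2. Site-level FTP Firewall Support: the external IPv4 address.
#    IIS puts this address into the 227 "Entering Passive Mode" reply, so a client outside the NAT
#    opens its data connection to the public address instead of the server's private one.
Invoke-AppCmd @('set', 'config', '-section:system.applicationHost/sites',
                "/[name='$SiteName'].ftpServer.firewallSupport.externalIp4Address:$ExternalIp",
                '/commit:apphost')

# 3. Hardening beyond the thread's "Allow SSL": require TLS on both channels so a client
#    cannot quietly fall back to cleartext on port 21.
Invoke-AppCmd @('set', 'config', '-section:system.applicationHost/sites',
                "/[name='$SiteName'].ftpServer.security.ssl.controlChannelPolicy:SslRequire",
                "/[name='$SiteName'].ftpServer.security.ssl.dataChannelPolicy:SslRequire",
                '/commit:apphost')

# 4. Windows Firewall: let the data channel range in (21 and 990 are already allowed per the thread).
if (-not (Get-NetFirewallRule -DisplayName 'FTPS data channel' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'FTPS data channel' -Direction Inbound -Protocol TCP `
        -LocalPort "$LowPort-$HighPort" -Action Allow | Out-Null
}

# 5. Stateful FTP inspection opens data ports by reading PORT/PASV on the control channel;
#    with TLS it sees only ciphertext, so it must be disabled for FTPS.
netsh advfirewall set global StatefulFtp disable | Out-Null

# 6. Firewall Support settings are read when the Microsoft FTP Service starts.
Restart-Service ftpsvc

# 7. Show what is now in effect; the upstream firewall still has to allow 990/tcp and
#    $LowPort-$HighPort/tcp inbound to the server for any of this to matter.
Invoke-AppCmd @('list', 'config', '-section:system.ftpServer/firewallSupport')
Invoke-AppCmd @('list', 'config', '-section:system.applicationHost/sites')
```

After the restart, a passive listing from outside should show a 227 reply carrying the public address and a port inside the chosen range; if the client still times out on that port, the block is upstream of the server.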
AGenMIS (author) commented:
Entered the IP address in the FTP Firewall Support and no luck; no blocks on McAfee HIPS for the FTP, and no difference without the firewall. Attached the IIS log and Core FTP log.

Checking with the network team whether they opened the ports one way or bidirectionally.
COREFTP.LOG
IIS.log
Dan McFadden (Systems Engineer) commented:
Are you running the FTP service/AppPool as a non-Default user?  Another way of asking that is... are you using a service account for the FTP Service?

You most likely have an access issue reading the SSL certificate therefore causing a handshake failure.

Dan
AGenMIS (author) commented:
I created a self-signed certificate on the 2012 server to use and named it the same as the server; could that have been the issue?
AGenMIS (author) commented:
I created a new self-signed certificate (Personal) on the server and applied it to the FTP site; no luck. Also, the service is running as Local System. Attached the Core FTP log.
Sever-ftp-issues.docx
AGenMIS (author) commented:
If I connect using port 990 over FTPS, it connects and accepts the certificate but fails to load the directory as it times out. Do I need additional ports open on the network firewall? I see in the log that it's trying to open a couple of other ports.


Connect socket #844 to *****, port 990...
Cert 'E1 BE CC 35 14 CA E4 42 9F BC B5 03 41 08 F6 24' specified...
TLSv1 (AES-256/SHA1), 256 bits
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT *,*,*,*,71,76
501 Server cannot accept argument.
Attemping PASV mode transfer...
PASV
227 Entering Passive Mode (*,*,*,*,218,90).
LIST
150 Opening ASCII mode data connection.
Connect socket #1352 to ******, port 55898...
timeout
Connection timed out
Error loading directory...
Total uploaded files:  0
Total uploaded data:  0
Total downloaded files:  0
Total downloaded data:  0
Dan McFadden (Systems Engineer) commented:
The SSL Settings need to be set at both the server level and the site level for the FTP SSL Settings.

So, click on the server object and set up the FTP SSL Settings as you have done for the site.  Restart IIS.

Dan
AGenMIS (author) commented:
Would this affect only FTP, as we have a website that uses a certificate as well?
Dan McFadden (Systems Engineer) commented:
You are changing the server scope FTP SSL Settings, not the HTTP settings.

Dan
Dan McFadden (Systems Engineer) commented:
Any additional info for this question?

Dan
AGenMIS (author) commented:
Connect socket #972 to  port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PASV
227 Entering Passive Mode (,231,181).
LIST
150 Opening ASCII mode data connection.
Connect socket #720 to , port 59317...
timeout
QUIT
226 ABOR command successful.
Connect socket #1036 to , port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
Attemping Active mode transfer...
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 10,164,24,115,44,221
501 Server cannot accept argument.
PORT command failed
Error loading directory...
Dan McFadden (Systems Engineer) commented:
The PASV port negotiation timing out is usually due to something preventing or blocking access to that port. The PORT command returning a 501 error is due to a firewall (software and/or hardware) blocking access.

I believe configuring the firewall compatibility feature was mentioned in a previous post.

To me, this appears to be a firewall/port blocking issue, which you also mentioned previously.

Dan
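Reading the posted transcripts the way Dan does, but mechanically. This is an added example and not code from the thread or from Core FTP: it parses a Core FTP-style session log, decodes each PORT command and 227 reply into the real data-channel endpoint (the last two numbers are p1,p2 and the port is p1*256 + p2, so (,231,181) is 59317 and (*,*,*,*,218,90) is 55898, matching the "Connect socket ... port" lines in the logs), and reports which direction each failed data connection was going and so which side's firewall to look at. The sample lines are lifted from the thread with its masking kept. The -Probe switch and -ServerHost parameter are my additions: with them the function also tries a live TCP connect to the passive port from the machine it runs on, using Test-NetConnection.

```powershell
# Added example, not from the thread. Decodes an FTP(S) client log and reports where the
# data channel is failing and in which direction that connection was supposed to go.
function Get-FtpDataChannelDiagnosis {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$ServerHost,   # assumed: hostname/IP of the FTP server, used only with -Probe
        [switch]$Probe         # assumed: also try a TCP connect to each passive port from here
    )
    $findings = @()
    for ($i = 0; $i -lt $LogLines.Count; $i++) {
        $line = $LogLines[$i]
        $next = if ($i + 1 -lt $LogLines.Count) { $LogLines[$i + 1] } else { '' }

        # Active mode: "PORT h1,h2,h3,h4,p1,p2" asks the SERVER to connect back to the CLIENT.
        # Across NAT the address is the client's private one, so the server can never reach it.
        if ($line -match '^PORT\s+([^,\s]+),([^,\s]+),([^,\s]+),([^,\s]+),(\d+),(\d+)') {
            $ip   = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
            $port = [int]$Matches[5] * 256 + [int]$Matches[6]
            $outcome = if ($next -match '^501') { 'rejected: server will not open a connection to that address/port' }
                       elseif ($next -match '^200') { 'accepted' } else { 'no reply seen' }
            $findings += [pscustomobject]@{
                Mode = 'Active'; Endpoint = "${ip}:${port}"; Direction = 'server -> client'; Outcome = $outcome
            }
        }
        # Passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" tells the CLIENT where to
        # connect on the SERVER; the address is whatever IIS advertises (external IP if configured).
        elseif ($line -match '^227 .*\(([^)]*)\)') {
            $parts = $Matches[1].Split(',')
            $port  = [int]$parts[-2] * 256 + [int]$parts[-1]
            $ip    = if ($parts.Count -eq 6 -and $parts[0] -ne '') { $parts[0..3] -join '.' } else { '(masked)' }
            # Look a few lines ahead for the client's connect attempt and its result.
            $end    = [Math]::Min($i + 4, $LogLines.Count - 1)
            $window = if ($i + 1 -le $end) { $LogLines[($i + 1)..$end] -join ' ' } else { '' }
            $outcome = if ($window -match 'timeout|timed out') { 'timed out: nothing answered on that port; open it on the server-side firewalls' }
                       elseif ($window -match '\b226\b') { 'transfer completed' } else { 'no result seen' }
            if ($Probe -and $ServerHost) {
                $ok = (Test-NetConnection -ComputerName $ServerHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
                $outcome += " (live probe of ${ServerHost}:${port}: " + $(if ($ok) { 'open' } else { 'closed/filtered' }) + ')'
            }
            $findings += [pscustomobject]@{
                Mode = 'Passive'; Endpoint = "${ip}:${port}"; Direction = 'client -> server'; Outcome = $outcome
            }
        }
    }
    return $findings
}

# Constructed input: the relevant lines from the session logs posted above, masking kept.
$sample = @(
    'PORT 10,164,24,115,44,221'
    '501 Server cannot accept argument.'
    'PASV'
    '227 Entering Passive Mode (*,*,*,*,218,90).'
    'LIST'
    '150 Opening ASCII mode data connection.'
    'Connect socket #1352 to ******, port 55898...'
    'timeout'
)
Get-FtpDataChannelDiagnosis -LogLines $sample | Format-Table -AutoSize
```

On the sample this yields one Active row for 10.164.24.115:11485 (server -> client, rejected) and one Passive row for (masked):55898 (client -> server, timed out). The passive row is the actionable one: the client reached the server on 990 but not on the advertised data port, which is exactly the range the FTP Firewall Support feature and the firewalls in front of the server have to agree on.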