Tuesday, 3 April 2012

IIS 7 FTP firewall woes sorted

Note:- First I was following this:
http://learn.iis.net/page.aspx/301/creating-a-new-ftp-site-in-iis-7/

which is similar if not the same to the preceding chapters of the article linked below.

But I did find there was an issue, and it was helpful to use this info: http://forums.iis.net/t/1161450.aspx
[quote]D'oh. Instead of setting up a binding to 127.0.0.1 I set up a binding to ::1 and it immediately started working. In the tutorial 127.0.0.1 seemed to work, so I'm not sure whether the tutorial is wrong or it's just a simple setting somewhere. Anyways it's working fine now. [/quote]

'All Unassigned' worked also for me   

Bindings found by right clicking Ftp Site -> Edit Bindings

anyway... back to it...
     

Using Windows Firewall with non-secure FTP traffic

From Article:
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings-in-iis-7/


To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

  1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
  2. To open port 21 on the firewall, type the following syntax then hit enter:
    netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
  3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:
    netsh advfirewall set global StatefulFtp enable

Important Notes:

  • Active FTP connections would not necessarily be covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.
  • FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)

Using Windows Firewall with secure FTP over SSL (FTPS) traffic


The stateful FTP packet inspection in Windows Firewall will most likely prevent SSL from working because the Windows Firewall filter for stateful FTP inspection will not be able to parse the encrypted traffic that would establish the data connection. Because of this behavior, you will need to configure your Windows Firewall settings for FTP differently if you intend to use FTP over SSL (FTPS). The easiest way to configure Windows Firewall to allow FTPS traffic is to list the FTP service on the inbound exception list. The full service name is the "Microsoft FTP Service", and the short service name is "ftpsvc". (The FTP service is hosted in a generic service process host (Svchost.exe), so it is not possible to put it on the exception list through a program exception.)

To configure Windows Firewall to allow secure FTP over SSL (FTPS) traffic, use the following steps:

  1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
  2. To configure the firewall to allow the FTP service to listen on all ports that it opens, type the following syntax then hit enter:
    netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
  3. To disable stateful FTP filtering so that Windows Firewall will not block FTP traffic, type the following syntax then hit enter:
    netsh advfirewall set global StatefulFtp disable
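
Why stateful inspection and FTPS do not mix, as an added illustration (not code from the Microsoft article, and not how Windows Firewall is actually implemented): a stateful FTP filter has to read the data port out of the cleartext control channel, and after AUTH TLS there is nothing left for it to read. The function names and the sample sessions are constructed for this example.

```python
import re

# RFC 959 host-port notation used by PORT (active) and the 227 reply (passive):
# h1,h2,h3,h4,p1,p2  ->  ip = h1.h2.h3.h4, port = p1*256 + p2
_HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line: bytes):
    """Return (ip, port) announced by a PORT command or a 227 reply, else None."""
    if not (line.upper().startswith(b"PORT ") or line.startswith(b"227 ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet, do not open anything
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def inspect(control_lines):
    """Simulate a stateful filter: list the data endpoints it could open,
    and report whether the control channel switched to TLS."""
    opened, auth_sent, encrypted = [], False, False
    for line in control_lines:
        if encrypted:
            continue  # TLS records are opaque to the filter
        cmd = line.strip().upper()
        if cmd in (b"AUTH TLS", b"AUTH SSL"):
            auth_sent = True
        elif auth_sent and cmd.startswith(b"234"):
            encrypted = True  # server accepted; TLS handshake follows
        else:
            ep = data_endpoint(line)
            if ep:
                opened.append(ep)
    return opened, encrypted

# Constructed sample sessions (192.0.2.0/24 is a documentation range).
PLAIN_FTP = [b"USER demo\r\n", b"331 Password required\r\n", b"PASV\r\n",
             b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"]
FTPS = [b"AUTH TLS\r\n", b"234 AUTH command ok\r\n",
        b"\x17\x03\x03\x00\x20" + bytes(32)]  # encrypted record hiding PASV/227

if __name__ == "__main__":
    print(inspect(PLAIN_FTP))  # filter learns the passive data port
    print(inspect(FTPS))       # filter learns nothing, data connection is blocked
```

With StatefulFtp disabled, nothing opens data ports dynamically, which is why the FTPS procedure above allows the ftpsvc service on every port it listens on.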
