This post is the first one from the mini-series on firewall configuration for FTP7 (full product name: Microsoft FTP Publishing Service for IIS 7.0). The goal of this post if to provide instructions on how to setup local Windows Firewall to enable access to FTP over non-secure or secure connections. This post does NOT address IP address translation related issues and other issues that apply when there is an external firewall (such as ISA server) between client and server.
It is often a challenge to setup firewall rules for FTP server to work correctly. The root cause for this challenge lies in the FTP protocol architecture.
Each FTP client requires 2 connections to be maintained between client and server.
FTP commands are transferred over connection called control channel. That is the one that typically connects to well known FTP port 21.
Any data transfer, such as directory listing, upload and download happen on secondary connection called data channel.
To open port 21 on firewall is an easy task. But having port 21 opened ONLY means that clients will be able to connect to FTP server, authenticate successfully, create, delete directories but will NOT be able to see directory listings or be able to upload/download files. It is because data connections for FTP server are not allowed to pass through the firewall.
Many firewalls simplify the challenge with data connections by scanning FTP traffic and dynamically allowing data connections through. Some firewalls enable such filters by default but it is not always the case. These firewall filters are able to detect what ports are going to be used for data transfers and temporarily open them on firewall so that clients can open data connections. Windows Firewall has such filter. It is called StatefulFtp.
Active vs. Passive FTP Data Connections
The challenge with FTP protocol doesn't end with the requirement of secondary data connection. To complicate things even more there are actually 2 different ways on how to establish data connection.
Active data connections are the ones where client sets up port for listening and server initiates the connection to such port (typically from port 20). This used to be the default way of connecting to FTP server in the past. It is NOT recommended for use any more because it is not friendly in internet scenarios (eg. clients behind NAT will not be able to establish active data connections).
Passive data connections are recommended for connecting to FTP servers. They respect the client/server roles. Server is the one listening and client is the one who activates the connection. Passive connections are friendlier to the internet scenarios and recommended by RFC 1579 (Firewall-Friendly FTP)
Note: Many clients require explicit action to enable passive connections. Some clients don't even support passive connections. One such example is command line ftp.exe that ships with Windows. To add to confusion, some clients try to be smart and alternate between the 2 modes when network errors happen but they don’t always get it right.
Windows Firewall and non-secure FTP traffic
Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic
1) Open port 21 on the firewall
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21
2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections
netsh advfirewall set global StatefulFtp enable
Warning: Active FTP connections are not necessarily covered by these rules. Outbound connection from port 20 would need to be enabled on server and client machine will have to have exceptions setup for inbound traffic.
Warning: FTPS (FTP over SSL) will not be covered by these rules. SSL negotiation will (most likely) get stuck because firewall filter for FTP will not be able to parse encrypted data. Some firewall filters recognize the beginning of SSL negotiation (AUTH SSL or AUTH TLS commands) and return error to prevent SSL negotiation from starting.
Windows Firewall and secure FTP (FTPS) traffic
SSL traffic will not get any help from the firewall filter for FTP. As a matter of fact it will (most likely) prevent SSL from working. So we have to look for other options on how to enable it.
The easiest way to configure Windows Firewall to allow FTPS traffic is to put the NT service for FTP7 on the inbound exception list. The NT Service name is "Microsoft FTP Service" or "ftpsvc". This service is hosted in generic service process host called svchost.exe so it is not possible to put it on the exception list thought the program exception.
Warning: FTPSVC service doesn’t listen to any ports other than configured endpoints for ftp sites and data connection ports that are setup for data transfers. But you should double check the listening endpoints for FTPSVC by using netstat –n –a –o. The –o switch allows listing the process ID (or PID) of the listening process. Find out the PID for FTPSVC and check the listening endpoints.
The following 4 steps will allow both non-secure and SSL FTP traffic through firewall.
1) FTPSVC service has to get tagged with FTPSVC service SID. It is new security feature introduced for Vista / Windows 2008. "Microsoft FTP Publishing Service for IIS 7.0 RC0" doesn’t have service SID enabled by default so the following command line has to be run to enable service SID.
sc sidtype ftpsvc unrestricted
Note: Changing of sidtype will not be necessary in future releases of Microsoft FTP Publishing Service for IIS 7.0 after RC0 release
2) Restart ftpsvc service for the previous step to take effect
net stop ftpsvc & net start ftpsvc
3) Setup Windows Firewall to allow "ftpsvc" service to listen on all ports it opens.
netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
4) Make sure that FTP filter for Windows Firewall is disabled
netsh advfirewall set global Statefulftp disable
Warning: Do not use active FTP connections with SSL if client is behind NAT. It will not work.
To check the state of FTP filtering on firewall you can use the following command line netsh advfirewall show global. Look for StatefulFtp setting. It must be disabled if FTPS is configured.
You could also go to "Administrative Tools"/"Windows Firewall with Advanced Security" to check if firewall rule that was created for FTP server is not overruled by some other rule. Please note that the Firewall tool from Control Panel is a very simplified version of the "Windows Firewall with Advanced Security" administration tool.
If you need to test SSL connections then you will have to use a third party SSL client for FTP. There is no FTP client with SSL support included in Windows.
FTP7 was tested with about 20 different clients for overall compatibility (including SSL) so most of them should would fine.
Most clients offer multiple modes for SSL with FTP. Look for FTP over SSL, FTP over TLS or FTPS. If there is option for explicit and implicit, then choose explicit. Also be aware that SFTP is different from FTPS.