Windows Firewall setup for Microsoft FTP Publishing Service for IIS 7.0.

Objective

This post is the first one from the mini-series on firewall configuration for FTP7 (full product name: Microsoft FTP Publishing Service for IIS 7.0). The goal of this post if to provide instructions on how to setup local Windows Firewall to enable access to FTP over non-secure or secure connections. This post does NOT address IP address translation related issues and other issues that apply when there is an external firewall (such as ISA server) between client and server.

Introduction

It is often a challenge to setup firewall rules for FTP server to work correctly. The root cause for this challenge lies in the FTP protocol architecture.
Each FTP client requires 2 connections to be maintained between client and server.
FTP commands are transferred over connection called control channel. That is the one that typically connects to well known FTP port 21.
Any data transfer, such as directory listing, upload and download happen on secondary connection called data channel.

To open port 21 on firewall is an easy task. But having port 21 opened ONLY means that clients will be able to connect to FTP server, authenticate successfully, create, delete directories but will NOT be able to see directory listings or be able to upload/download files. It is because data connections for FTP server are not allowed to pass through the firewall.

Many firewalls simplify the challenge with data connections by scanning FTP traffic and dynamically allowing data connections through. Some firewalls enable such filters by default but it is not always the case. These firewall filters are able to detect what ports are going to be used for data transfers and temporarily open them on firewall so that clients can open data connections. Windows Firewall has such filter. It is called StatefulFtp.

Active vs. Passive FTP Data Connections

The challenge with FTP protocol doesn't end with the requirement of secondary data connection. To complicate things even more there are actually 2 different ways on how to establish data connection.

Active data connections are the ones where client sets up port for listening and server initiates the connection to such port (typically from port 20). This used to be the default way of connecting to FTP server in the past. It is NOT recommended for use any more because it is not friendly in internet scenarios (eg. clients behind NAT will not be able to establish active data connections).

Passive data connections are recommended for connecting to FTP servers. They respect the client/server roles. Server is the one listening and client is the one who activates the connection. Passive connections are friendlier to the internet scenarios and recommended by RFC 1579 (Firewall-Friendly FTP)

Note: Many clients require explicit action to enable passive connections. Some clients don't even support passive connections. One such example is command line ftp.exe that ships with Windows. To add to confusion, some clients try to be smart and alternate between the 2 modes when network errors happen but they don’t always get it right.

Windows Firewall and non-secure FTP traffic

Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic

1) Open port 21 on the firewall

netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections

netsh advfirewall set global StatefulFtp enable

Warning: Active FTP connections are not necessarily covered by these rules. Outbound connection from port 20 would need to be enabled on server and client machine will have to have exceptions setup for inbound traffic.

Warning: FTPS (FTP over SSL) will not be covered by these rules. SSL negotiation will (most likely) get stuck because firewall filter for FTP will not be able to parse encrypted data. Some firewall filters recognize the beginning of SSL negotiation (AUTH SSL or AUTH TLS commands) and return error to prevent SSL negotiation from starting.

Windows Firewall and secure FTP (FTPS) traffic

SSL traffic will not get any help from the firewall filter for FTP. As a matter of fact it will (most likely) prevent SSL from working. So we have to look for other options on how to enable it.

The easiest way to configure Windows Firewall to allow FTPS traffic is to put the NT service for FTP7 on the inbound exception list. The NT Service name is "Microsoft FTP Service" or "ftpsvc". This service is hosted in generic service process host called svchost.exe so it is not possible to put it on the exception list thought the program exception.

Warning: FTPSVC service doesn’t listen to any ports other than configured endpoints for ftp sites and data connection ports that are setup for data transfers. But you should double check the listening endpoints for FTPSVC by using netstat –n –a –o. The –o switch allows listing the process ID (or PID) of the listening process. Find out the PID for FTPSVC and check the listening endpoints.

The following 4 steps will allow both non-secure and SSL FTP traffic through firewall.

1) FTPSVC service has to get tagged with FTPSVC service SID. It is new security feature introduced for Vista / Windows 2008. "Microsoft FTP Publishing Service for IIS 7.0 RC0" doesn’t have service SID enabled by default so the following command line has to be run to enable service SID.

sc sidtype ftpsvc unrestricted

Note: Changing of sidtype will not be necessary in future releases of Microsoft FTP Publishing Service for IIS 7.0 after RC0 release

2) Restart ftpsvc service for the previous step to take effect

net stop ftpsvc & net start ftpsvc

3) Setup Windows Firewall to allow "ftpsvc" service to listen on all ports it opens.

netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in

4) Make sure that FTP filter for Windows Firewall is disabled

netsh advfirewall set global Statefulftp disable

Warning: Do not use active FTP connections with SSL if client is behind NAT. It will not work.

Troubleshooting options

To check the state of FTP filtering on firewall you can use the following command line netsh advfirewall show global. Look for StatefulFtp setting. It must be disabled if FTPS is configured.

You could also go to "Administrative Tools"/"Windows Firewall with Advanced Security" to check if firewall rule that was created for FTP server is not overruled by some other rule. Please note that the Firewall tool from Control Panel is a very simplified version of the "Windows Firewall with Advanced Security" administration tool.

If you need to test SSL connections then you will have to use a third party SSL client for FTP. There is no FTP client with SSL support included in Windows.
FTP7 was tested with about 20 different clients for overall compatibility (including SSL) so most of them should would fine.
Most clients offer multiple modes for SSL with FTP. Look for FTP over SSL, FTP over TLS or FTPS. If there is option for explicit and implicit, then choose explicit. Also be aware that SFTP is different from FTPS.

Jaro Dunajsky

28 Comments

  • You are a life saver. I had been happily using WebDAV in Server 2003. It seems to have disappeared in Server 2008 (Any ideas where it went).

    Anyway, it seems I was forced into using FTP, but the old IIS 6.0 FTP sucks when it comes to poking holes in the firewalls (especially the capricious Windows Vista Firewall with Advanced Security). So then I found FTP for IIS 7.0, which looked like a winner, but again the firewall issues were beyond me.

    Thanks for putting this in a simple form. This could have easily turned into a two or three day effort.

  • WebDAV RC was just released. =) You should be able to find it on iis.net easily.

  • Can you confirm that "sc sidtype ftpsvc unrestricted" will not be required in the RTW version of the FTP Server based on the current plans?

  • RTW release doesn't require the "sc sidtype ftpsvc unrestricted" any more. FTPSVC is setup with the service SID during the installation phase.

  • Jaro,
    I've got a strange thing happening.
    I've got a fresh install of Windows Server 2008. I installed FTP 7.0 and followed your instructions (thanks, I couldn't find this info anywhere else). Things work just fine right after running the scripts.
    After abot a day or two, the firewall stops the FTP traffic. Everything else is working honkey dorey. If I re-run the scripts, the FTP traffic starts again.
    Any idea why the firewall spontaneously shuts down this traffic. Is there some sort of discovery phase for the FTP channels that needs a more permanent configuration?

  • What ports do I need to open on my Linksys Firewall?

  • I have the rtw release but accidentally ran the "sc sidtype ftpsvc unrestricted" command. Do I need to undo it? (should I run "sc sidtype ftpsvc restricted"). This is on vista x64 sp1 using ms ftp 7.0 rtw. thanks.

    >>>RTW release doesn't require the "sc sidtype ftpsvc unrestricted" any more.

  • I have the RTM version and I'm trying to do FTPS, bu the firewall is preventing. I'm unclear on what to do from here - the comment above suggests the sidtype command isn't necessary anymore?
    I ran the FTP (no SSL) and the StatefulFtp to get regular FTP working, but FTPS will fail after the user logs in.
    Please let me know if there is any updated info available. thanks, Rick

  • Nevermind on my above question on FTPS. I just ignored the sidtype command and ran the other two that follow it and I was able to do an FTPS session.
    Thanks for putting these instructions out there.

  • Thanks a lot!

  • Ahhh, FTP problems solved. Thank you very much.

  • Thanks man, It seems that your the only one on the net who documented this.

  • this OPTION SHOULD BE AVAILABLE FROM THE FIREWALL SETTING UI!!!!!
    Thanks for the post as it saved me a lot of hasle

  • thanx for this nice post but is it possible to make these settings from GUI..?

  • doors1.txt;3;5

  • test

  • I've been trying to follow all these directions and I've done all of this but for some reason I'm not getting a directory listing when connected to the ftp account from another computer using a ftp program using my public ip. I see the connection is made from the server and the banner messages are showing in the client but no directory listing is displayed. The last queue msg. is ["/" is current directory]. but no files are listed. If I'm on the network I can access it by using the private ip address but not the public ip. I'm behind a static nat with out using SSL as specified. the public is pointing to the private with port 21 open. and I'm able to go through to website on 80 port fine using the public ip. So I know it's just something in the FTP configuration. ANY HELP REALLY....APPRECIATED.

  • forgot to log in but I'm the last anonymous above with the ...REALLY...APPRECIATED.

  • I'm using WS2008 and whenever I type in "netsh advfirewall..." into cmd (or PowerShell) I get this back:

    "The following comamnd was not found: advfirewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21"

    Did I misconfigure something?

  • cheers.. working perfectly.

  • If one defers to Windows to choose the dynamic posrt for the PASV connections, how are the ports controlled or known so I can open them on my router as well? I tried to set the port range inside the IIS7 Admin panel but it is grayed out with 0-0 in it. I apologize for the anon post - it may just be the way I arrived here but I see no link to create an account.

  • I found the join button. Sorry. I posted th anon above.

  • Thanks a lot. The command... "netsh advfirewall set global StatefulFtp enable" did it for me :-)

  • I used the ISA 2006 Std. Ed. to publish Win 2003/FTP Server v6, no problem.

    Same FTP Publishing rule, except now it is Win2008/FTP Server v7. I can authenticate FTP from the Internet, but it seems that ISA 2006 gets stuck with Data Connection part afterward (when I issue the dir or get commands). Internal FTP is working on both authentication and data connections.

    After successful authentication, an error occurred opening a folder on the FTP Server:

    200 Type set to A.
    425 Cannot open data connection
    200 Type set to A.
    550 No connection could be made because the target machine actively refused it.

    Can the FTP Stateful Inspection Filter included with ISA 2006 FTP publishing handle FTP v7?

  • I did all this however when I test with the client I get: Connect socket #2128 to 10.48.132.32, port 53101.. and then timeout.... "Cannot retrieve directory listing (server not responding) Would you like to try the directory listing in the opposite mode (active/pasv)?"
    The site works fine on port 21. With SSL I tried port 990, 991 with no result. I can telnet just fine on these ports and get the FTP service response.

    Any ideas?
    Thanks much,
    C

  • Excellent guide. Thanks heaps. Took me all day trying to configure the windows firewall until i found this!!!

  • I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


    Kaylee

    http://www.craigslistdecoded.info

  • Wonderful guide. I find my want here at last. Your article is well written. Thank you very much!http://www.simplyrest.com 

Comments have been disabled for this content.