Install and configure FTP Over SSL (FTPS) in IIS 7.5

This guide will show you how to install FTP Server in IIS 7.5 and also how to configure FTP Over SSL (FTPS).

FTP Over SSL (FTPS) allows FTP sessions to be encrypted. It is vitally important to secure FTP traffic because usernames and passwords are, by default, sent in plain text across the network when an FTP client establishes a connection with the server.

Note: In this guide I am assuming that your server environment is Windows Server 2008 R2 and that you have IIS 7.5 already installed but not the FTP Server. I am also assuming that you want to add FTP publishing to an existing site – in the example below this will be the Default Web Site.

Installing the FTP Server

In Server 2008 R2 the FTP Server is a module that can be found under the Web Server role. To install it do the following:

1. Click Start > Run and then enter servermanager.msc in the Open dialogue box then click OK to load Server Manager:


2. Click on Roles in the left pane and the Roles section will appear in the right pane. Locate the Web Server (IIS) section and then click on Add Role Services:


3. In the Select Role Services dialogue, scroll down to the bottom and check FTP Server, FTP Service & FTP Extensibility, then click Next and then Install:


4. Once the installation completes click Close.

To install FTP Server, FTP Service & FTP Extensibility via the command line instead, run the following:

C:\>CMD /C PKGMGR.EXE /iu:IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility

Configuring the FTP Server

5. Click Start > Run and then enter inetmgr in the dialogue box then click OK to load Internet Information Services (IIS) Manager.

6. Once IIS Manager is open select Default Web Site and then click on Add FTP Publishing under the Actions pane as highlighted below:


7. In the Bindings and SSL Settings section configure the settings per the screenshot below and click Next:


Note: If you want your FTP site to use a specific IP address, select it from the drop-down menu, otherwise leave the default setting which binds all FTP traffic to the site you are creating.

8. In the next section configure per the screenshot below. Under Authentication ensure that only Basic is checked. Under Authorization, ensure that your FTP user account is set under the Specified Users box, then click Finish:


At this point basic FTP publishing has been enabled on the Default Web Site.

9. Next, click on the Server object and then in the right pane double-click on the FTP Firewall Support icon:


10. I am configuring FTP connections to use Passive Transfers and the Data Channel Port Range will be set to 0-0 and the External IP Address of Firewall should be left blank (per below):


Note: The firewall in this environment is the built-in Windows software firewall. As it provides Stateful Packet Inspection (SPI) we do not need to state a port range for passive transfers, as the firewall will detect which ports are dynamically required and allow the data transfers to go through. For more information about configuring firewalls for FTP see this link.

11. Next, click on the Default Web Site and then in the right pane double-click on the FTP Firewall Support icon. When this loads up input the FTP site’s public IP address and then click on Apply under the Actions pane on the right-hand side:


11. Within IIS Manager, click on the server object and in the centre pane open Server Certificates:


12. Then click on Create Self-Signed Certificate in the Actions pane in the right hand side:


13. Type a name for the certificate, I used FTP Site Certificate but any descriptive name will suffice, then click on OK:


14. You will now see the created certificate in the list:


15. Click on the server object again and open FTP SSL Settings:


16. Under SSL Certificate select the certificate we created earlier. Under SSL Policy select Custom and then click on the Advanced button:


17. Under Control Channel select Require only for credentials and under Data Channel select Require and then click on OK:


18. Now click on the Default Web Site and then open FTP SSL Settings and ensure you configure the same settings as for the server level as performed in steps 15 – 17. Failing to configure the FTP SSL Settings at BOTH the SERVER and SITE levels will result in FTP connection errors per the below:

Response: 534 Local policy on server does not allow TLS secure connections.
Error: Critical error
Error: Could not connect to server

19. Click on the Default Web Site and then click on Bindings in the Actions pane:


20. In the Site Bindings section click on the Add Button:


21. In the Add Site Binding section select the Type as ftp, leave the IP Address box as All Unassigned and then enter the hostname for the FTP Site and then click on OK:


22. Confirm that you can see the new FTP Site binding and then click Close:


23. While still in the Default Web Site context select Advanced Settings in the Actions pane to view the FTP Site’s home directory – it will be the physical path for the Default Web Site:


24. You will need to configure the ftp_user account to have write permissions to C:\inetpub\wwwroot in order for you to be able to upload files to this directory. NTFS permissions should be configured per below:


25. As mentioned earlier, my environment uses the Windows software firewall. The rules that need to be enabled to allow FTP and FTPS communication are:

Inbound Rules
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-In)

Outbound Rules
N/A – because the default setting for public traffic is that outbound connections that do not match a rule are allowed.
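
A scripted equivalent of steps 15 to 18 and 25, as an added example that is not part of the original guide: it applies the same FTP SSL policy at the server level (which IIS stores as site defaults) and at the site level, enables the three inbound firewall rules, and prints the resulting policy for comparison. The certificate thumbprint is a placeholder to fill in, and the script assumes the site and the certificate from the earlier steps already exist.

```batch
@echo off
rem Added example (not from the original guide): steps 15-18 and 25 as a script.
rem Run from an elevated command prompt on the IIS server.
setlocal
set "APPCMD=%windir%\System32\inetsrv\appcmd.exe"
set "SITE=Default Web Site"
rem Placeholder: thumbprint of the certificate created in step 13, without spaces.
set "CERT_HASH=REPLACE_WITH_CERTIFICATE_THUMBPRINT"

rem Apply identical SSL settings to the server level (siteDefaults) and to the
rem site. The guide notes that leaving either level unconfigured leads to the
rem "534 Local policy on server does not allow TLS secure connections" error.
for %%T in ("/siteDefaults" "/[name='%SITE%']") do (
  "%APPCMD%" set config -section:system.applicationHost/sites ^
    "%%~T.ftpServer.security.ssl.serverCertHash:%CERT_HASH%" ^
    "%%~T.ftpServer.security.ssl.controlChannelPolicy:SslRequireCredentialsOnly" ^
    "%%~T.ftpServer.security.ssl.dataChannelPolicy:SslRequire" ^
    /commit:apphost || goto :fail
)

rem Enable the three inbound rules listed in step 25.
for %%R in (
  "FTP Server (FTP Traffic-In)"
  "FTP Server Passive (FTP Passive Traffic-In)"
  "FTP Server Secure (FTP SSL Traffic-In)"
) do (
  netsh advfirewall firewall set rule name=%%R new enable=yes || goto :fail
)

rem Show the effective policy lines; /config:* includes values left at default.
rem The siteDefaults entry and the site entry should report the same pair.
"%APPCMD%" list config -section:system.applicationHost/sites /config:* | findstr /i "ChannelPolicy"
exit /b 0

:fail
echo A configuration step failed; review the output above. 1>&2
exit /b 1
```

Running it again after any later change in IIS Manager is a quick way to confirm that the server and site levels still carry the same control and data channel policy.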

Connecting to the FTP Site

26. The only thing left to do is test the connection from your FTP client. Using FileZilla, you will need the connection information below, changing only the Host, User and Password fields according to your specific settings:

Protocol: FTP – File Transfer Protocol
Encryption: Require explicit FTP over TLS
Logon Type: Normal
Password: **********

In FileZilla, I added a site called vSysad and then added the relevant connection info above:


Note: The user field must be VirtualHostName|User to allow successful authentication. The virtual host name is a requirement: the FTP Server expects that string, and if it doesn’t see it you will see the following error:

Status: Connecting to…
Status: Connection established, waiting for welcome message…
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS…
Status: Verifying certificate…
Command: USER ftp_user
Status: TLS/SSL connection established.
Response: 530 Valid hostname is expected.
Error: Could not connect to server

27. Once you have input the relevant connection info for the FTP Site, click Connect and assuming that the connection is successful you will see a pop-up box displaying an unknown certificate which we created earlier:


28. Check the box Always trust certificate in future sessions and hit OK, after which you will be connected to the home directory:


And that’s all. Happy FTPing over SSL!

Using FTP Virtual Host Names in IIS 7
Configuring FTP 7.5 with Host Header and SSL
Setup FTPS on IIS 7.5 Using Host Headers Tutorial
Local policy on server does not allow TLS secure connections
Configuring FTP Firewall Settings in IIS 7
Using FTP Over SSL in IIS 7

Install IIS 7.5 & FTP Server from the command line or script

If you have to install IIS multiple times on multiple systems, using the GUI to do it becomes a real chore. An easier way is to install it from a script or from the command line.

This page has more details about installing IIS 7.5 from the command line. I have added some options in the command to install the FTP Server also, see below:

CMD /C START /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService

Running the above command in the CMD shell will install the Web Server Role on Server 2008 R2 (IIS 7.5). If you do not require all of the modules, remove the ones you don’t need from the command.

To install from a script, dump the command above into a batch file and execute it.