Introduction to the Secure FTP Server 7.0 in Windows 2008
I’ve been working with this a lot recently and thought I’d share some of what I found with you.
You'll see that I'll refer a lot to Robert McMurray's post as he is the Program Manager for this feature in the IIS product team.
First of all you can download the release version from https://www.iis.net/ftp.
Then you need to install the fix below.
955136 A hotfix rollup is available for the out-of-band FTP service for IIS 7.0
https://support.microsoft.com/default.aspx?scid=kb;EN-US;955136
Then to setup the FTP over SSL you can follow the steps at https://learn.iis.net/page.aspx/304/using-ftp-over-ssl/
The steps are pretty simple.
You need to
a) Create a Self Signed Certificate
b) Create your site and enable SSL using the Certificate above.
Ok, so now you have a Secure FTP site and so how do you connect?
Well you can use one of the following tools.
a) A command line FTPS.exe similar to FTP.exe in Windows from https://www.ipswitchft.com/moveitfreely or
b) A GUI tool like Filezilla from https://filezilla-project.org/
You'll see from the following blog entry how the current Web Browsers support Secure FTP.
So that's why you'll need to test with FTPS.exe or Filezilla.
Then you come to the interesting part which is Implicit or Explicit FTP?
Once again Robert covers this well here.
Implicit FTPS means that the FTP communication is encrypted from the very first packet.
An SSL Handshake must be carried out before you exchange any FTP commands.
Explicit FTPS means that an FTP client connects over the control/command channel (usually on port 21), and then the client can negotiate SSL for either the command/control channel or the data channel using new FTP commands like AUTH, PROT, CCC, etc.
You'll see that the Advanced SSL Policy gives you more granular controls over what happens on the control and data channels.
This means that the following defines how the FTP Server uses Explicit or Implicit FTP.
If you enable FTPS and you assign the FTP site to the default port of 21, you are using Explicit SSL.
If you enable FTPS and you assign the FTP site to port 990, you are using Implicit SSL.
In point of fact, if you enable FTPS and you assign the FTP site to any port other than port 990, you are always using Explicit SSL.
The FTP logs are a good resource for troubleshooting and there is also some good ETW tracing.
The instructions for setting this up and parsing the log files are here.
https://blogs.iis.net/sudt/archive/2008/08/28/collecting-etw-traces-for-ftp-sessions.aspx
I hope this is useful and I’ve enjoyed learning about the great features in this new FTP release.