You want to set up FTP on your Windows Server (and, more importantly, make it work without disabling the firewall). Below is the procedure you will need to carry out.
FTP might be an age-old solution for moving files around, but a lot of people swear by it. With Windows Server it’s still supported, even if it is hidden as a ‘role service’.
Solution
Create a Security Group For Domain FTP Access
Note: For a Standalone/Workgroup server see below for setting up users and groups.
1. Launch Server Manager > Tools > Active Directory Administrative Center.
2. New > Group.
3. Give the group a sensible name.
4. Here I’m going to create a user to test with; in production you would just use the domain users who you want to give access to.
5. I will simply create a user called ‘ftpuser’.
6. Add the domain user(s) to your new security group.
7. Create a folder that will be the ‘root’ of your FTP site.
8. Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).
Create a Security Group For Workgroup / Standalone FTP Access
1. From Server Manager > Tools > Computer Management.
2. System Tools > Local Users and Groups > Groups.
3. Give the group a sensible name.
4. I’m going to create a test user called ftpuser; this is done in Local Users and Groups > Users.
5. Place the user(s) you want to grant access to, into your local security group.
6. Create a folder that will be the ‘root’ of your FTP site and open its properties.
7. On the Security tab > Advanced > Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).
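The folder permissions from the domain and workgroup procedures above, done in PowerShell, added here as an example that is not part of the original article. The folder path and the group names (CONTOSO\FTP-Users, FTP-Users) are assumptions; it grants Read only unless -AllowWrite is given, matching the note about ‘put’.

```powershell
# Added example (not from the original article): create the FTP 'root' folder
# and grant a security group NTFS rights to it. Path and group are assumptions.
function Grant-FtpRootAccess {
    param(
        [Parameter(Mandatory)] [string]$Path,    # e.g. D:\FTP-Root
        [Parameter(Mandatory)] [string]$Group,   # 'DOMAIN\Group' or a local group name
        [switch]$AllowWrite                      # add Write so users can 'put' files
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Read only by default (as the article notes); Write has to be asked for.
    $rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    if ($AllowWrite) {
        $rights = $rights -bor [System.Security.AccessControl.FileSystemRights]::Write
    }
    # Apply to the folder, its sub-folders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)   # replaces any existing Allow entry for this group
    Set-Acl -Path $Path -AclObject $acl

    # Show the resulting entry; a local group is stored as SERVERNAME\Group.
    $shortName = $Group.Split('\')[-1]
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$shortName" } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Domain group with Write (users can upload); drop -AllowWrite for Read only.
Grant-FtpRootAccess -Path 'D:\FTP-Root' -Group 'CONTOSO\FTP-Users' -AllowWrite
```

On a standalone server pass the local group name instead (for example -Group 'FTP-Users'); the function resolves it the same way the Security tab does.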
Windows Server 2012 Install FTP
1. From Server Manager > Tools > Add Roles and Features.
2. Next.
3. Next
4. Next
5. Select Web Server (IIS) > Select Add (when prompted) > Next.
6. Next
7. Next
8. Locate and Select FTP Server AND FTP Extensibility > Next.
9. Install
10. Close.
11. Reboot the server. This is because some of the firewall settings have a habit of not enabling until the server has restarted. This does not happen all the time, so you may be lucky and not need to reboot, but I’m a firm believer in ‘If something can go wrong, it will go wrong’.
Windows Server 2012 Configure FTP
1. Windows Key > Internet Information Services (IIS) Manager.
3. Expand the servername > Right click ‘Sites’ > Add FTP Site.
4. Give the site a name > Browse to the folder you are going to use as the FTP ‘root’ folder > Next.
5. Select No SSL (I’m not going to secure the site with web certificates) > Next.
6. Authentication = Basic > Allow Access to = Selected roles or user groups > Permissions = Select read and write as appropriate > Finish.
7. Windows Key+R > firewall.cpl > Allow an app or feature through Windows Firewall.
8. Ensure FTP Server is allowed for the ‘profile’ that your network card has been allocated.
9. Advanced Settings.
10. Incoming Rules.
11. There should be three FTP settings; by default they should be enabled (for FTP Port 21, Passive Ports, and Secure FTP / TCP 990).
Windows 2012 FTP Server – Testing Access
1. You can test the firewall is open by opening a telnet session to the server on port 21;
[box]
telnet {ip address or name of server} 21
[/box]
2. This is what you should see (or in some cases a blinking cursor, if you are going through a firewall or device that suppresses response headers).
3. Or you can use a web browser and navigate to ftp://{ip address or name of the FTP server}.
4. Or from command line you can use the direct ftp command like so;
[box]
ftp {ip address or name of server}
[/box]
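A PowerShell check of what steps 8 to 11 of the firewall setup and the telnet test above rely on, added here as an example that is not part of the original article. Run it on the server; the server name ftp01.example.local is an assumption.

```powershell
# Added example (not from the original article): verify the FTP role services,
# the 'FTP Server' firewall rule group, and TCP 21 reachability on a Windows
# Server 2012+ host. $FtpServer is an assumed name; adjust it to your server.
param([string]$FtpServer = 'ftp01.example.local')

# 1. The two role services the article installs.
Get-WindowsFeature -Name Web-Ftp-Server, Web-Ftp-Ext |
    Select-Object Name, InstallState | Format-Table -AutoSize

# 2. The three predefined inbound rules (port 21, passive data ports, FTP over
#    SSL / TCP 990) live in the 'FTP Server' group. Report state per profile,
#    then enable any that are off; this is what step 8 checks in firewall.cpl.
Get-NetFirewallRule -DisplayGroup 'FTP Server' -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
Get-NetFirewallRule -DisplayGroup 'FTP Server' -Direction Inbound |
    Where-Object { $_.Enabled -ne 'True' } | Enable-NetFirewallRule

# 3. Equivalent of 'telnet <server> 21': connect with a timeout (so a silently
#    dropped connection does not hang) and read the 220 banner if one is sent.
function Get-FtpBanner {
    param([string]$ComputerName, [int]$Port = 21, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "TCP $Port not reachable (timeout): check firewall / port forward"
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        # A device that suppresses banners (the 'blinking cursor' case) shows
        # up as a read timeout here while the port itself is open.
        try { return $reader.ReadLine() }
        catch { return "Connected on TCP $Port, but no banner received" }
    }
    finally { $client.Close() }
}

Get-FtpBanner -ComputerName $FtpServer
```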
Windows 2012 FTP Server – Testing External Access
Accessing the server externally (from the internet) requires your remote users to know either the public IP address or the public name of the server. In addition, FTP (TCP Port 21) needs to be open to that IP address. This can be done by giving the server its own public IP address, or by port forwarding FTP from your public IP address to the private IP address of the FTP server. How that is done will differ depending on your firewall or router.
Note: If you have a Cisco Firewall, I’ll put the links you require on the bottom of the page.
1. Here I’m on an external machine, and I’m using FileZilla (a free FTP client) to connect to my FTP server.
2. Just to test I’ll drag a file to the FTP server, to make sure I can write/put files.
3. Here is the file uploaded.
4. Back on the server, in the ‘root’ folder you can see the file successfully uploaded.
Related Articles, References, Credits, or External Links
If you have an FTP server, simply allowing the FTP traffic to it won’t work. FTP (in both active and passive mode) uses some random high ports that would normally be blocked on the firewall. By actively inspecting FTP, the firewall will know what ports to open and close.
Solution
How you ‘allow’ access to the FTP server will depend on whether you have a public IP address spare or not. If you only have one public IP, you will need to ‘port forward’ the FTP traffic to the server; if you have a spare public IP address, you can create a static mapping to that IP address instead.
Cisco ASA FTP Procedure
1. Connect to the firewall > Go to enable mode > Go to Configure terminal mode > Create an object for the FTP server > redirect all FTP Traffic to that object.
Note: In this example 192.168.1.1 is the IP of the FTP server.
[box]
USING PORT FORWARDING
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_FTP_Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp ftp ftp
Petes-ASA(config-network-object)# exit
Petes-ASA(config)#

USING A SPARE PUBLIC IP (STATIC MAPPING to 123.123.123.124)
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_FTP_Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static 123.123.123.124
Petes-ASA(config-network-object)# exit
Petes-ASA(config)#
[/box]
2. Then allow the FTP traffic in from outside.
Now you need to allow the ftp traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;
[box]
Petes-ASA(config)# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside
[/box]
Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘un-applied’.) If yours has a different name (e.g. outside_access_in), then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic, then we will do that at the end!
[box]
Petes-ASA(config)# access-list inbound permit tcp any object Internal_FTP_Server eq ftp
[/box]
3. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.
[box]
Petes-ASA(config)# access-group inbound in interface outside
[/box]
4. Then, to allow the ASA to inspect the FTP traffic, do the following;
1. Connect to the ASDM > Configuration > Firewall > Addresses Section > Add > Network Object > Give the FTP server a name > Set it to ‘Host’ > Enter The IP Address > Select the drop down arrow > Tick the ‘Add Automatic Address Translation Rule’ > Advanced.
2. Set Source interface = inside > Destination Interface = outside > Protocol = tcp > Real and Mapped ports = ftp > OK > OK > Apply.
3. To allow the traffic in right click the outside interface > Add Access Rule.. > Set the destination to the server you created earlier > and the service to tcp/ftp > OK > Apply.
4. Service Policy Rules > Inspection_default > Edit > Rule Actions > Tick FTP > OK > Apply.
5. Save the changes > File > Save running Configuration to Flash.
Cisco PIX FTP Procedure
1. Connect to the firewall > Go to enable mode > Go to Configure terminal mode > Access List for the inbound FTP traffic (It’s wide open; we will narrow it down in a moment).
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure terminal
PetesPIX(config)# access-list inbound permit tcp any any eq ftp
PetesPIX(config)# access-group inbound in interface outside
[/box]
2. Create a static mapping that locks all incoming FTP traffic to the internal server’s IP address (in this case 192.168.1.1).