Monday, October 13, 2008

IIS 7.0, FTP 7, and Firewalls

I've spent a lot of time over the past few weeks setting up IIS 7.0 on new servers.  One step in that setup was the creation and authentication of several FTP sites.  In this post I have compiled a number of troubleshooting tips gathered from around the webosphere.  Hopefully you will find them useful.

----------------------

The IIS team has put together a new FTP service which they are calling FTP 7 (available here). This service offers IIS 7 management console integration, which was lacking in the RTM of Windows Server 2008, as well as new user isolation features.  There are some tricky aspects of this new FTP service which may get you stumped the first time you set up an FTP site.

As far as User Isolation goes, you can do nothing better than thoroughly acquaint yourself with this article.  Let me simply add what may appear obvious, but is no less irritating: you must uninstall the IIS FTP role service shipped with Server 2008 before installing FTP 7.

On to firewalls:

Standard (unsecured) FTP uses port 21 as a control channel.  This brings me to symptom number 1:

- Symptom: FTP connection times out waiting for the server.
- Solution: Open up port 21 on your server firewall.  You can do this through the firewall manager in Server 2008 or by entering at the command prompt:
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21
However, not all FTP modes operate the same.  In passive mode FTP 7 dynamically selects an available port over which to transfer data to the client after the connection is established on port 21.  And so symptom number 2:

- Symptom: Failed to retrieve directory listing.
- Solution: Check user permissions; if permissions are in order, enable stateful FTP connections:
netsh advfirewall set global StatefulFtp enable
This allows the firewall to open the specific port (chosen by the OS) only when the FTP service needs to create a passive data connection, instead of leaving a whole port range open.
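Both steps above in one idempotent script, as an added example that is not from the original post: it only adds the port 21 rule if it is missing and only enables StatefulFtp if it is off, then shows the resulting state.  It assumes an elevated PowerShell prompt on Server 2008, the rule name "FTP (no SSL)" from the command above, and that netsh reports "No rules match" when the rule is absent.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.
# Assumption: the rule name matches the one created in the netsh command above.
$ruleName = "FTP (no SSL)"

# Step 1: control channel (TCP 21). Add the inbound rule only if it is not there yet,
# so re-running this script does not create duplicate rules.
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
if ($LASTEXITCODE -ne 0 -or ($existing -match 'No rules match')) {
    netsh advfirewall firewall add rule name="$ruleName" action=allow protocol=TCP dir=in localport=21
} else {
    Write-Host "Rule '$ruleName' already present."
}

# Step 2: passive data channel. The stateful FTP helper lets the firewall open the
# dynamically chosen data port just for the session that negotiated it on port 21.
$globalSettings = netsh advfirewall show global
if ($globalSettings -match 'StatefulFtp\s+Enable') {
    Write-Host "StatefulFtp already enabled."
} else {
    netsh advfirewall set global StatefulFtp enable
}

# Verify: the rule should be listed and StatefulFtp should read Enable.
netsh advfirewall firewall show rule name="$ruleName"
netsh advfirewall show global | Select-String -Pattern 'StatefulFtp'
```

If the directory listing still fails after both checks pass, the problem is in user permissions or isolation settings rather than the firewall.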

Naturally there are other possible problems.  I simply failed to recall them as of this posting, or did not encounter them in my own cases.

Thanks to Jaro Dunajsky for the stateful tip.  You can read his entire article, which also covers secured FTP, here.