In a previous post I advised on how to configure a 3rd party FTP Server under Windows Server 2003 for an Amazon AWS EC2 instance and the tricks required to open up the data ports for passive transfer.
In this post I'm going to describe how to install and enable the new FTP Publishing Service 7.5 under IIS7 on MS Server 2008, again in the context of an Amazon AWS EC2 instance.
The first thing you need to do is install the service itself. Under IIS7 on Srv08 this, like all other IIS-related operations, is carried out using the Web Platform Installer. Download the WPI from HERE, install it and, once it is open, search for, add, and install the FTP service as shown in Fig:1.
Fig:1 - Install the FTP Service through the WPI.
Once installed you'll see the new services in the IIS admin window (Fig:2).
Fig:2 - The FTP Publishing Service shown as installed into the IIS admin panel.
The next stage is to open up Firewall support for the passive data port range and/or add the external (Elastic) IP of your instance (Fig:3).
Fig:3 - The Data Channel Port Range, input as desired along with your static (Elastic) instance IP.
The next step is to actually create your FTP site as you need somewhere to upload files to. This is done from the left hand pane under the 'Sites' tree by (obviously) adding an FTP Site.
Choose the site name and path/folder. In this instance we have used the default c:\inetpub\www, although for security purposes you may wish to channel uploads somewhere other than directly into your live website folder.
Fig:4 - Add FTP Site.
Fig:5 - Choose IP address binding (or leave as default) along with VHost and SSL options.
The last stage in IIS is to select authentication and users. Either use an existing account or create and select a dedicated FTP user (preferred).
Fig:6 - Authentication and Authorization.
*NOTE* - If you do create a new user you will have to grant them permissions to the upload folder you selected earlier.
Ok, all good: we have the FTP service configured in IIS. Now for the tricky part. Although we've specified a data port range, the relevant ports on the actual firewall aren't yet open. You can easily open a single port (e.g. 21) under the MS Firewall settings through Control Panel, but there is no GUI option for a dynamic port range covering the chosen data port allocation; for this we need to go back to the command line. Luckily the commands needed are quite straightforward. Simply fire up a CMD window as Admin.
To open port 21 enter the following command:
netsh advfirewall firewall add rule name="FTP" action=allow protocol=TCP dir=in localport=21
To activate a firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections, enter the following command:
netsh advfirewall set global StatefulFtp enable
Manually restart all services.
The final stage is to configure your AWS Security Group (Firewall). As well as the regular webserver ports (e.g. HTTP/80, HTTPS/443, RDP/3389, FTP/20-21), you'll need to open up a range for the data port allocation you configured in IIS; for example, if you set 40000-41000 then you'll need an AWS Security Group TCP port range entry to match.
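To confirm the whole chain (IIS data port range, external IP, Windows firewall, Security Group) lines up, check what the server advertises in its reply to PASV. The following is an added example, not part of the original post: it parses the 227 reply and flags a private address or a port outside the configured range. The Elastic IP 203.0.113.10 is a placeholder and the sample replies are constructed; 40000-41000 is the example range used above.

```python
import ipaddress
import re

# Assumptions for illustration: 40000-41000 is the example range from the post;
# 203.0.113.10 is a documentation address standing in for your Elastic IP.
PASV_RANGE = (40000, 41000)
ELASTIC_IP = "203.0.113.10"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 227 reply format from RFC 959: h1,h2,h3,h4,p1,p2 (parentheses are optional in practice).
_PASV_RE = re.compile(r"^227[ -].*?\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 passive-mode reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, expected_ip=ELASTIC_IP, port_range=PASV_RANGE):
    """Return a list of problems; an empty list means the reply matches the setup."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("server advertises private address %s, external IP not set in IIS" % ip)
    elif ip != expected_ip:
        problems.append("server advertises %s, expected %s" % (ip, expected_ip))
    if not port_range[0] <= port <= port_range[1]:
        problems.append("data port %d is outside %d-%d" % (port, port_range[0], port_range[1]))
    return problems


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,160,40)",  # correct
    "227 Entering Passive Mode (10,0,1,25,156,64)",     # private address leaked
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # port outside the range
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line) or "OK")
```

Against a live server, the reply string can be obtained with Python's ftplib by calling sendcmd("PASV") on a logged-in FTP object and passing the result to check_pasv.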
And that's it, or should be. Feel free to get in touch if you have any problems; I'm always happy to help.