22 Aug 2011

The IIS7 FTP Publishing Service 7.5 on AWS EC2 Instances

In a previous post I advised on how to configure a 3rd party FTP Server under Windows Server 2003 for an Amazon AWS EC2 instance and the tricks required to open up the data ports for passive transfer. 

In this post I'm going to describe how to install and enable the new FTP Publishing Service 7.5 under IIS7 on MS Server 2008, again on an Amazon AWS EC2 instance.

The first thing you need to do is install the service itself. Under IIS7 on Server 2008 this, like all other IIS-related operations, is carried out using the Web Platform Installer (WPI). Download the WPI, install it and, once it is open, search for, add and install the FTP service as shown in Fig:1.


Fig:1 - Install the FTP Service through the WPI.

Once installed you'll see the new services in the IIS admin window (Fig:2).


Fig:2 - The FTP Publishing Service shown as installed into the IIS admin panel.

The next stage is to open FTP Firewall Support in IIS and set the passive data port range and/or the external (Elastic) IP of your instance (Fig:3).


Fig:3 - The Data Channel Port Range, input as desired along with your static (Elastic) instance IP.

The next step is to create your FTP site, as you need somewhere to upload files to. This is done from the left-hand pane under the 'Sites' tree by (obviously) adding an FTP Site.
Choose the site name and path/folder. In this instance we have used the default c:\inetpub\www, although for security purposes you may wish to channel uploads somewhere other than directly into your live website folder.


Fig:4 - Add FTP Site.


Fig:5 - Choose IP address binding (or leave as default) along with VHost and SSL options.

The last stage in IIS is to select authentication and users. Either use an existing account or create and select a dedicated FTP user (preferred).


Fig:6 - Authentication and Authorization.

*NOTE* - If you do create a new user you will have to grant them permissions to the upload folder you selected earlier.

OK, all good: we have the FTP service configured in IIS. Now for the tricky part. Although we've specified a data port range, the relevant ports on the actual firewall aren't yet open. You can easily open a single port (i.e. 21) under the MS Firewall settings through Control Panel, but there is no GUI option to facilitate a dynamic port range covering the chosen data port allocation; for this we need to go back to the command line. Luckily the commands needed are quite straightforward. Simply fire up a CMD window as Admin and enter the following.

To open port 21, enter the following command:

netsh advfirewall firewall add rule name="FTP" action=allow protocol=TCP dir=in localport=21

To activate a firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections, enter the following command:

netsh advfirewall set global StatefulFtp enable

Manually restart all services.

The final stage is to configure your AWS Security Group (firewall). As well as the regular web server ports (e.g. HTTP/80, HTTPS/443, RDP/3389, FTP/20-21) you'll need to open up a range for the data port allocation you configured in IIS; for example, if you set 40000-41000 then you'll need a matching AWS Security Group TCP port range entry.

And that's it, or should be. Feel free to get in touch if you have any problems; I'm always happy to help.
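A way to verify the result from the client side, as an added example that is not part of the original post: the server's 227 (passive mode) reply advertises the address and data port it expects the client to use, with the port encoded as fifth number * 256 + sixth number, so checking that reply against the Elastic IP and data port range set in Fig:3 shows whether IIS has picked up the settings. The function names, sample log lines and the documentation address 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress
import re

# The six comma-separated numbers of an FTP 227 reply (RFC 959).
PASV_RE = re.compile(r"\b227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# Private (RFC 1918) ranges an EC2 instance uses internally.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # data port = fifth * 256 + sixth

def check_pasv(line, external_ip, port_range):
    """List mismatches between a 227 reply and the intended server configuration."""
    parsed = parse_pasv(line)
    if parsed is None:
        return ["not a 227 reply"]
    ip, port = parsed
    low, high = port_range
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"private address {ip} advertised; external IP not applied")
    elif ip != ipaddress.IPv4Address(external_ip):
        problems.append(f"address {ip} advertised; expected {external_ip}")
    if not low <= port <= high:
        problems.append(f"data port {port} outside configured range {low}-{high}")
    return problems

# Constructed client-log lines; 203.0.113.10 is a documentation address.
SAMPLES = [
    "Response: 227 Entering Passive Mode (203,0,113,10,156,100)",  # port 40036
    "Response: 227 Entering Passive Mode (10,0,0,12,156,100)",     # private IP
    "Response: 227 Entering Passive Mode (203,0,113,10,195,80)",   # port 50000
]

if __name__ == "__main__":
    for sample in SAMPLES:
        issues = check_pasv(sample, "203.0.113.10", (40000, 41000))
        print(sample, "->", issues or "ok")
```

Feed it the 227 lines from your FTP client's log together with your own Elastic IP and data port range; an empty list means the reply matches both the IIS setting and the Security Group entry you opened.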

10 comments:

Rob Penguin said...

I followed these instructions but could not list the remote directory with FileZilla. Changed FileZilla's transfer mode from default to active then it worked ok - hope others will find this useful. Thanks for the tutorial - very handy.

Dave

RichBos said...

Hey Dave, glad you found it helpful. Yes, that active/passive thing can catch people out and I'd actually covered the issue in a previous post - http://blog.cirronix.com/2011/06/ftp-access-for-windows-instances-on-aws.html - Had I been doing my job right I should have referenced it in this one though, shoddy, half a job...! Thanks for posting the workaround though, most useful.

Richard.

Marlon McMartin said...

Hello, we are a small group with limited Cloud security experience. We recently experienced a data transfer spike, presumably from some malicious activity on one of our instances.

AWS is telling us to close all ports except http/https. We have a number of customer data upload apps running on the instance and I am very confused why AWS is being very adamant about closing Port 21.

The proper handling of this will allow me to submit for refund of $1,400 US in runaway data transfer charges so I am researching the solution (though not making much progress yet ;o) Thank you kindly.

RichBos said...

Hi, a good thing to do initially would be to set up billing alerts, and yes, make sure your ports are secure, especially port 21 (open FTP is always a concern), from then you can start to look at platform lockdown, traffic limiting and increased security.

http://aws.amazon.com/about-aws/whats-new/2012/05/10/announcing-aws-billing-alerts/

If you would like to discuss options to move this forward feel free to contact us for further advice via the main website at http://cironix.com.

Best regards

Richard

Jeff Bowman said...

Hi Richard

I'm having trouble getting passive mode to work on my EC2 instance running IIS8 FTP on Server 2012.

I followed your instructions: Security Group 5000-5100, FTP Firewall Support 5000-5100/[Elastic IP], Windows Firewall turned off under all profiles. I can authenticate but I can't get to the data port for some reason (I'm trying to publish a ClickOnce app).

Can you assist?

Thanks,
Jeff Bowman

RichBos said...

Hi Jeff, I'm working with 2012 for some VPC hosted Active Directory lately so will take a look at setting up FTP on there. Just a couple of questions spring to mind -

Are you using VPC?
Did you run both netsh commands?

If you can't get things going I'd be happy to take a look under your account for you, you can contact us/me direct if you would prefer - http://cirronix.com/contact

Jeff Bowman said...

Hi Richard

OK, it’s fixed.

It turns out I wasn’t restarting the FTP service. It seems IISReset no longer does that for us:

http://blogs.msdn.com/b/vijaysk/archive/2009/10/05/iis-7-ftps-module-does-not-pick-up-the-firewall-ip-and-data-port-range-settings.aspx

It was this famous page that led me to the discovery:

http://slacksite.com/other/ftp.html

I learned here that the data channel port is calculated from the fifth and sixth octets, like so: ([5th]*256)+[6th]

My FileZilla log kept showing ports in the 50K range, which of course was very odd since I’d set mine to 5000-6000. A little more Googling and I found the IISReset/FTPSvc page above.

My oh my oh my...

Thanks,
Jeff Bowman

RichBos said...

Hi Jeff, that's awesome, good news...!

I ran through the FTP install myself last night on AWS/2012 and the procedure does have minor differences, going to update the blog with a new post specifically for 2012 over the next day or so.

RichB

Michael Daniels said...

This was at the end of 3 days of searching for an answer to this issue. My client would drop connection from the server when it went into PASV mode, but only behind my work Firewall. This article (and Wireshark) clued me in to the IP coming from the server not being from the EIP, but the server's IP instead. Setting "External IP Address of Firewall" cured the problem. Thank you for the information.

RichBos said...

Ah cool, happy to be able to help, it's usually me pulling fixes from everyone else :-) It foxed us for a while did this one.
