How to install FTP 7.5 on a SBS 2008 server

Installing and configuring FTP 7.5 on IIS 7 is completely different from the old FTP on IIS 6. There are several ways to configure an FTP server for User Isolation. Our task is to create FTP access for customers whose login credentials equal the customer's company name; those credentials are not part of our Active Directory.

Our task was also that the customer should only see files specifically uploaded for that customer. That means we need to configure the server for ‘User Isolation’ and we need to create accounts for those customers. In addition to this we also need to secure the FTP server with an SSL certificate that will encrypt all traffic.

TERMS This document and what comes with it are provided as-is with blunt warning: Use at your own risk, buyer beware. You break your system; you own the resolution as well. We have no liability for what you do, or can't do, or fail to do with this information. Your entire protection is to start over again with a protected backup, or from protected system. If you don't want to accept this idea, please don't use this document.

In this example our customer is an advertising agency with the name ‘Yes, we can’. I am sure you know who this agency helped.


Remove the old 'FTP Publishing role' first.

On a default SBS 2008 server the “old” FTP role is installed as a default service but it is not started. Before we can install the much improved FTP 7.5 we need to remove the ‘FTP Publishing Role’ from the web server. Here is how we do that.

  1. From the Start button click ‘Server Manager’.
  2. In the Server Manager choose ‘Roles’.
  3. We are heading for the Web Server role.
  4. If you browse down the list you will see that the FTP Publishing server is installed.
  5. Click on Remove Role Services.
  6. Scroll down until you see the FTP Publishing service and uncheck it.
  7. Click Next.
  8. Click Remove.
  9. Click Close.
  10. We are now back in the Server Manager and the FTP Publishing service is no longer installed.

Download and install Microsoft FTP Service 7.5 for IIS 7.0

Now that we have uninstalled the ‘old’ FTP we can proceed with downloading and installing Microsoft FTP Service 7.5. Download details: Microsoft FTP Service 7.5 for IIS 7.0 (x64)

  1. Double click the file you just downloaded.
  2. We have downloaded the x64 version because SBS 2008 is x64 only. Click Run to start the installation.
  3. Click Next.
  4. Accept the terms and click Next.
  5. Just accept the defaults and click Next.
  6. Click Install.
  7. Click Finish.

Create a Host A Record for your FTP server

It is so much nicer to tell someone they can connect to our FTP server at ‘ftp.domain.com’ instead of your public IP address. For that reason we will create a Host A record. You need to create two A records: one on the server and one at your ISP or the company that is responsible for your DNS records. You may also want to read an excellent primer on DNS records by Robert Pearman at DNS Records and MS Exchange Email.

Create a new FTP site and set permissions

In our example the customer is an advertising agency who has a lot of customers that need to transfer images to the agency. We would like to create a folder for each customer and isolate the customer in its own folder so that they cannot see files from other customers. We don’t want or need those special ‘customer’ logins to be part of our Active Directory.

  1. Create a folder that will be the root of your FTP site on your drive subsystem. In our example we will create a folder named ‘ftproot’ inside the ‘inetpub’ folder.
    Inside ftproot we need to add another folder, LocalUser\Public. That will be used for anonymous access if needed.
  2. Once we have created that folder we need to set permissions so that anonymous users have read access. Open a command prompt as an Administrator and type:
     
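    REM Grant Network Service Change (C) on ftproot and everything below it (/T); /E edits the existing ACL instead of replacing it
    CACLS "%SystemDrive%\inetpub\ftproot" /G "Network Service":C /T /E
    REM Grant Network Service Read (R) on the IIS configuration folder and on the two configuration files
    CACLS "%SystemDrive%\Windows\System32\inetsrv\config" /G "Network Service":R /E
    CACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /G "Network Service":R /E
    CACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /G "Network Service":R /E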

    If all went well, each command completes without an error.
  3. Open IIS Manager from the Administrative Tools menu.
  4. In IIS Manager right-click ‘Sites’ and choose Add FTP Site.
  5. Give your FTP site a name and point it to the ftproot folder you made earlier.
  6. Make sure you select ‘Allow SSL’. The rest can stay at the defaults. We have accepted the default setting ‘All Unassigned’ for the IP address that will be used. That means that the site can be accessed from within your LAN. Your firewall should still block FTP access. Allowing FTP in your firewall rules is something we will do later in this article.
  7. We will set anonymous access for the root and allow anonymous users to read. Click Finish.
  8. There is our site listed!
  9. Now we do a little test to see whether we can browse our FTP site with an anonymous account. Open Internet Explorer and type ftp://localhost. Do you notice that we do not see in what folder we are? For an anonymous user the folder ftproot\LocalUser\Public is the root of the FTP session. In the next chapter we will explain how we did that. BTW, it is called ‘user isolation’.

Create access for a non AD account with limited access

There are several ways to configure an FTP server for User Isolation. Our task is to create FTP access for customers whose login credentials equal the customer's company name; those credentials are not part of our Active Directory. Our task was also that the customer should only see files specifically uploaded for that customer. That means we need to configure the server for ‘User Isolation’ and we need to create accounts for those customers. In this example our customer is an advertising agency with the name ‘Yes, we can’. I am sure you know who this agency helped.

The account name on our FTP server will be ‘yes-we-can’.

Now this is going to be very confusing, and though Microsoft put a lot of effort into FTP 7.5, some procedures are very difficult to understand. If you follow the next steps all will be just fine.

  1. Before we can use ‘non’ AD integrated accounts we have to turn on IISManagerAuthentication. Click on your FTP site and choose ‘FTP Authentication’.
  2. Click on ‘Custom Providers’.
  3. Check ‘IISManagerAuth’ and click ‘OK’.
  4. The ‘IISManagerAuth’ provider is installed and enabled.
  5. Choose the main hive in IIS Manager and in the middle pane browse down to ‘IIS Manager Users’.
  6. Click ‘Add user’.
  7. Add the user; our user will be ‘yes-we-can’. Make sure you have a strong password. If the password is not strong enough you will be warned. Click OK.
  8. If you see a warning on the right that the server is configured to allow connections from Windows Accounts please follow the next steps.
  9. Again we are back in the main IIS Manager window and we choose ‘Management Service’.
  10. Make sure you set it to ‘Windows credentials or IIS Manager Credentials’. It is not needed to ‘Enable remote connections’ so please do NOT check that.
  11. We need to go back to the hive where our FTP server is and choose ‘IIS Manager Permissions’.
  12. Choose ‘Allow User’.
  13. Choose ‘IIS Manager’ and choose ‘Select’. If the option ‘IIS Manager’ is grayed out you need to start at the top of this page and read again.
  14. Choose the user ‘yes-we-can’.
  15. Click ‘OK’.
  16. The new user is now listed in the ‘IIS Manager Permissions’.
  17. Click on your FTP server and in the middle pane choose ‘FTP Authorization Rules’.
  18. Click ‘Add Allow Rule’.
  19. Type ‘yes-we-can’ in the Specified users box and allow ‘Read’. Click ‘OK’.
  20. The new user is now listed in ‘FTP Authorization Rules’.

Configure the server with 'user isolation'.

If a client like the advertising agency logs on to our FTP server we want them to be in their own folder without seeing any of the other folders that may be created under ftproot. That is called ‘user isolation’. Without going into details about the several different options you have we are going to configure ‘User name directory (disable global virtual directories)’.

  1. Click on your FTP server in the left pane and choose ‘FTP User Isolation’ in the middle pane.
  2. Click ‘User name directory (disable global virtual directories)’ and click ‘Apply’.
  3. Go to the ftproot\LocalUser folder and create a folder with exactly the username we defined earlier. In our case that is ‘yes-we-can’. Each time you create a new FTP account you MUST create a folder inside the ftproot\LocalUser folder with exactly the same name as the username.
  4. Open My Computer, type ftp://localhost in the address box and fill in the credentials for your user.
  5. And…voila! Our FTP server works.
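
The folder rule in step 3 is easy to get wrong once there are many customers. The following check is an added example, not part of the original article: it compares a hand-maintained list of account names with the folders under LocalUser. The names ‘old-customer’ and ‘new-agency’ and the function names are constructed for the demonstration, and the account list is assumed to be supplied by you.

```python
import tempfile
from pathlib import Path


def audit_isolation(ftproot, accounts):
    """Compare FTP account names with the folders under ftproot/LocalUser."""
    local = Path(ftproot) / "LocalUser"
    # Windows file names are case-insensitive, so compare in lower case.
    folders = {p.name.lower(): p.name for p in local.iterdir() if p.is_dir()}
    report = {"invalid": [], "missing": [], "orphaned": []}
    for name in accounts:
        # A name that is not a single path component could resolve to a
        # folder outside LocalUser, which defeats the isolation.
        if name in (".", "..") or any(c in name for c in "/\\:"):
            report["invalid"].append(name)
        elif name.lower() not in folders:
            report["missing"].append(name)   # account without a matching folder
    # 'Public' is the anonymous root, so it never counts as orphaned.
    known = {a.lower() for a in accounts} | {"public"}
    report["orphaned"] = sorted(v for k, v in folders.items() if k not in known)
    return report


def demo():
    """Build a constructed ftproot in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for folder in ("Public", "yes-we-can", "old-customer"):
            (Path(root) / "LocalUser" / folder).mkdir(parents=True)
        return audit_isolation(root, ["yes-we-can", "new-agency", "..\\other"])


if __name__ == "__main__":
    print(demo())
```

An orphaned folder usually belongs to a customer whose account was deleted while the uploaded files stayed behind.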

Configure the FTP site for FTP over SSL

Before we can configure our server to use SSL we need to either buy a ‘real’ trusted certificate or use a self-signed certificate. In our example we choose to create and use a self-signed certificate. Here is how we do that.

  1. Open IIS Manager if you closed it previously, otherwise browse to ‘Server Certificates’.
  2. In the right pane choose ‘Create Self-Signed Certificate’.
  3. It is a good idea to use a FQDN (Fully Qualified Domain Name) for the friendly name of your certificate. You also need to create Host A Records for your FQDN at your service provider and if you wish on your own server (we will do that later when we finish the SSL stuff).
  4. There is our certificate listed.
  5. Click on your FTP server and choose ‘FTP SSL Settings’.
  6. Choose the certificate from the dropdown menu, set ‘Require SSL Connections’, check ‘Use 128-bit encryption for SSL connections’ and click ‘Apply’ in the right pane.
  7. If we now try to connect to our FTP server with the Microsoft FTP client it does not work anymore because the Microsoft FTP client cannot connect to FTPS. We need a real FTP client and there are many. Some you have to pay for, others are free. I prefer FileZilla and if you want to try that please go to http://filezilla-project.org/ and download the latest client here http://filezilla-project.org/download.php?type=server.
  8. Our server is now set up for FTPES traffic; to be more specific, it is FTP in Explicit SSL mode. You can read more about FTPES on the wiki here: http://en.wikipedia.org/wiki/FTPS#Methods_of_invoking. We are going to test our FTPS server with FileZilla. In the site manager we created a new site and set it to use FTPES – FTP over explicit TLS/SSL.
  9. There is our certificate telling us that the connection is secure. Click ‘OK’.

And once connected you can see what happened during handshaking:

Status:    Resolving address of ftp.contoso.com
Status:    Connecting to 192.168.80.2:21... 
Status:    Connection established, waiting for welcome message... 
Response:  220 Microsoft FTP Service 
Command:   AUTH TLS 
Response:  234 AUTH command ok. Expecting TLS Negotiation. 
Status:    Initializing TLS... 
Status:    Verifying certificate... 
Command:   USER yes-we-can 
Status:    TLS/SSL connection established. 
Response:  331 Password required for yes-we-can. 
Command:   PASS *********** 
Response:  230 User logged in. 
Command:   SYST 
Response:  215 Windows_NT 
Command:   FEAT 
Response:  211-Extended features supported: 
Response:  LANG EN* 
Response:  UTF8 
Response:  AUTH TLS;TLS-C;SSL;TLS-P; 
Response:  PBSZ 
Response:  PROT C;P; 
Response:  CCC 
Response:  HOST 
Response:  SIZE 
Response:  MDTM 
Response:  REST STREAM 
Response:  211 END 
Command:   OPTS UTF8 ON 
Response:  200 OPTS UTF8 command successful - UTF8 encoding now ON. 
Command:   PBSZ 0 
Response:  200 PBSZ command successful. 
Command:   PROT P 
Response:  200 PROT command successful. 
Status:    Connected 
Status:    Retrieving directory listing... 
Command:   PWD 
Response:  257 "/" is current directory. 
Command:   TYPE I 
Response:  200 Type set to I. 
Command:   PASV 
Response:  227 Entering Passive Mode (192,168,80,2,69,36). 
Command:   LIST 
Response:  150 Opening BINARY mode data connection.
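
The points worth confirming in a log like the one above are that AUTH TLS was accepted before USER and PASS, and that PROT P was accepted before any listing or transfer. The following checker is an added example, not part of the original article: it reads a client log in this format, reports violations of those two points, and decodes each passive-mode reply into the address and port the firewall has to allow. The sample log is a constructed excerpt and the function name is an assumption.

```python
import re

# Constructed excerpt in the client log format shown above (not a real capture).
SAMPLE_LOG = """\
Command:   AUTH TLS
Response:  234 AUTH command ok. Expecting TLS Negotiation.
Command:   USER yes-we-can
Response:  331 Password required for yes-we-can.
Command:   PASS ***********
Response:  230 User logged in.
Command:   PBSZ 0
Response:  200 PBSZ command successful.
Command:   PROT P
Response:  200 PROT command successful.
Command:   PASV
Response:  227 Entering Passive Mode (192,168,80,2,69,36).
Command:   LIST
"""

DATA_VERBS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}
LINE = re.compile(r"^(Command|Response):\s+(\S.*?)\s*$")
PASV = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def audit_ftps_log(text):
    """Return (findings, passive_endpoints) for one client session log."""
    findings, endpoints = [], []
    tls_ok = prot_private = False   # set only by the server's success replies
    last_cmd = ""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # "Status:" lines are client-side notes
        kind, body = m.groups()
        if kind == "Command":
            last_cmd = body.upper()
            verb = last_cmd.split()[0]
            if verb in ("USER", "PASS") and not tls_ok:
                findings.append(f"{verb} sent before AUTH TLS was accepted")
            if verb in DATA_VERBS and not prot_private:
                findings.append(f"{verb} sent without PROT P: data channel unencrypted")
            continue
        code = body[:3]
        if code == "234" and last_cmd.startswith("AUTH "):
            tls_ok = True
        elif code == "200" and last_cmd.startswith("PROT "):
            prot_private = last_cmd == "PROT P"
        elif code == "227" and (p := PASV.search(body)):
            n = [int(x) for x in p.groups()]
            # The last two numbers are the high and low byte of the data port.
            endpoints.append((".".join(map(str, n[:4])), n[4] * 256 + n[5]))
    return findings, endpoints
```

For the passive reply in the log above, the data connection goes to 192.168.80.2 on port 69 × 256 + 36 = 17700, which is a different port from the control connection on 21.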

About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.
