IIS 7.0 - FTP Publishing Service

[patris1]

کد:

http://www.windowsnetworking.com/articles_tutorials/IIS-FTP-Publishing-Service-Part1.html

Part 1: Installation


It is no big secret that Microsoft has never had the best FTP server product, compared to the general competition in the FTP Server market. Although Microsoft has always included an FTP Server in almost all of the previous versions of IIS and Windows Server, it lacked a lot of the more enhanced FTP server features. Microsoft has overcome much of this, with the new version of FTP Publishing Service which was released at the official Windows Server 2008 launch. The new FTP Publishing Service has been completely rewritten, just like IIS 7.0 and it is available only for IIS 7.0.
There are actually two FTP Services available for IIS 7.0, the first one comes with the binaries of Windows Server 2008 or Windows Vista and the second one is available for download only.
Why two FTP servers and what is the difference you might ask?

• The first one is actually just a minor upgrade and quite similar to the FTP Service that was a part of IIS 6.0.
• The second FTP Service is the new improved version, available as a download and for IIS 7.0.

This article will focus on the new and improved version of the FTP Publishing Service.
The new FTP Service has many new features which will enable web authors to more easily publish content and it offers more security and deployment options for administrators. It is available for Windows Server 2008 in 32-bit and 64-bit versions.
What's New

The new FTP Publishing Server includes a wide range of new features and improvements. Below I will highlight the major new topics and describe each of these new enhancements.

• Integration with IIS 7.0
  The new FTP service is tightly integrated with the brand-new administration interface and configuration store of IIS 7.0
• Support for new Internet standards
  The new FTP service supports FTP over SSL, also known as FTPS or FTP/SSL and uses a public key certificate (SSL/TLS). It should not be confused with SFTP or FTP over SSH, which is another standard currently not support by Microsoft FTP Publishing Service. It also supports other improvements such as UTF8 and IPv6.
• Shared hosting
  The new FTP service is improved and is fully integrated into IIS 7.0, it is possible to host FTP and web content from the same site by adding an FTP binding to an existing website. The FTP service also has virtual hostname support, which makes it possible to host multiple FTP sites on the same IP address. It has improved user isolation, making it possible to isolate users through per-user virtual directories.
• Extensibility
  The new FTP service supports developer (API) extensibility, which makes it easier for software vendors to write custom providers for FTP authentication.
• Logging
  FTP logging has been improved and enhanced to include all FTP traffic in the log files.
• Improved troubleshooting features
  IIS 7.0 has new improved troubleshooting features, such as Event Tracing for Windows (ETW), the FTP service support this feature along with providing detailed error responses and messages for local users, also a new option of IIS 7.0.

Installation prerequisites

The new FTP Publishing Service is available for free as a downloadable module from IIS.net DownloadCenter.
There are some prerequisites that need to be in place before continuing with the installation of the FTP Publishing Service.

• You must be using Windows Server 2008,
• IIS 7.0 must be installed,
• If you want to manage the new FTP services using the new IIS 7.0 interface, the IIS Management Console must be installed,
• You must be an logged in as an administrator,
• IIS 7.0 Shared configuration must be disabled on each node in a web farm scenario, before installing the new FTP service, it can be re-enabled after the FTP service has been installed,
• The FTP service which is shipped with the Windows Server 2008 binaries must be uninstalled before installing the new FTP service.

Installation

In this step-by-step installation guide I will go through the installation of the FTP service on a newly installed Windows Server 2008 server. I will only cover the FTP installation and not any of the other IIS 7.0 services.

• Download the new FTP Service version from the link above
• Run the downloaded program as “Run as Administrator” to install or install using one of these two commands:
  - x86 version: msiexec /i ftp7_x86_rtw.msi
  - x64 version: msiexec /i ftp7_x64_rtw.msi
  
  These steps are needed because of User Account Control (UAC) which otherwise prevents you from accessing the applicationHost.config file.
• When the installation program starts, click Next:

Figure A: Installation start

• Accept the EULA and click Next:

Figure B: EULA

• Select the options you want to install and click Next:

Figure C: Selecting installation features
Installation features described:

• Common files
  Provides common files for Microsoft FTP Service for IIS 7.0, such as the FTP configuration schema file, the common files are required on all FTP servers using shared configuration mode.
• FTP Publishing Service
  The FTP Publishing Service, the core component required for FTP to work and requires that the Process Model from the Windows Process Activation Service feature is installed.
• Managed Code Support
  Support for managed code features. This feature is required when managed code features, such as ASP.NET users or IIS Manager Users, will be used with FTP. This feature is optional and will not work when running Windows Server 2008 in Server Core mode.
• Administration Features
  Supports administration by using IIS Manager, the user interface (UI). This feature requires that the IIS Manager and the .NET 2.0 Framework are installed.
• Begin the installation, click Install:

Figure D: Begin installation

• Click Read notes to view the readme and click Finish:

Figure E: Finished install
Confirm that the FTP Service is installed by checking that the Microsoft FTP Service is running and/or in IIS Manager check the new FTP section, with all the management components for the FTP Service.

Figure F: FTP section in IIS Manager
By default the FTP Server is locked down and does not accept any FTP requests.
From within the IIS Manager it is quite easy to either publish a new FTP site or add FTP Publishing to an existing website.
For user security the FTP Service supports anonymous, which is not recommended, and there are also two ways of authenticating your FTP users:

• Windows Authentication
  Users are located in the Active Directory or local user store on the dedicated FTP server.
• IIS Manager Authentication
  This is the new feature, where IIS Manager is used for user administration and all users are added using IIS Manager and authentication is handled by the new “IISManagerAuth” provider.

Summary

The new downloadable version of FTP Publishing Service from Microsoft is long awaited. It is great to see that Microsoft has revised and rewritten their FTP Server and released it with support for FTP-S.
Security and encryption was a lacking in the old versions and since FTP transmits in clear-text this feature is absolutely the best enhancement.
Another benefit of this new FTP Service is the integration into the IIS Manager and the binding to existing websites directly within IIS Manager.
This concludes part 1 of this 3 part article series about the new FTP Publishing Service for Internet Information Services 7.0 (IIS 7.0). In part 2, I will explain the configuration options including how to publish a FTP folder secure.

---

موضوعات مشابه:

• از بین بردن محدودیت زمانی 120 روزه rdp service , terminal service
• تقاوت دقیق terminal service va sharpoint service
• WDS(windows deployment service) & RIS( remote installation service
• Publishing OWA Sites using ISA Firewall Web Publishing Rules (2004) Version 1.1
• Publishing Multiple Web Sites using Web Publishing Rules

---

[patris1]

کد:

http://www.windowsnetworking.com/articles_tutorials/IIS-FTP-Publishing-Service-Part2.html

Part 2: Configuration


Introduction

This article covers different configuration scenarios of the new FTP Publishing Service for IIS 7.0. The prerequisites of this article is that the FTP Publishing Service is already installed on Windows Server 2008. Part 1 of this article series covered how to download and install the new version of the FTP Publishing Service. This article will consist of two main configuration topics each divided into its own section:

• How to configure a new FTP site
• How to add FTP Publishing to an existing website

Both topics will cover configuring FTP using the GUI and the command line management tools.
The use of FTP can be different depending on the usage and the requirement for FTP in the organization. Therefore this article will cover some different scenarios.
Configure a new FTP site

There are numerous of ways to configure a new FTP site with IIS 7.0 and the new FTP Publishing Service, it is now possible to change or add an ftp site directly in the configuration xml files or by using scripting.
The first part of this section will cover configuring FTP “the GUI way” using IIS Manager and in the end I will cover configuring FTP using the command line interface. Both ways have the same end result, which is a new FTP site.
Creating a new folder
A folder needs to be prepared for FTP Publishing. It is easier to create the folder now, before continuing with the FTP configuration. Make sure the folder is configured with the correct permissions. The folder used in this example is: “D:\Inetpub\ftproot\ftp.iis-digest.com”.

1. Create the folder D:\Inetpub\ftproot\ftp.iis-digest.com
2. Set folder permissions using calcs through a commandprompt:

CACLS "C:\inetpub\ftproot\ftp.iis-digest.com" /G IUSR:R /T /E

FIGURE A: Command prompt and cacls command
The above command changes the permissions on the ftp.ii-digest.com folder and add read and execute permissions to the IUSR account.
The IUSR user is the new built-in account on Windows Server 2008 used for IIS 7.0, replacing the old IUSR_machinename account found previously in Windows Server 2003 and IIS 6.0.
Configuring FTP

1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager.
2. In IIS Manager under Sites, click Add FTP Site…

FIGURE B: Add FTP Site…

1. The Add FTP Site Wizard starts and at the first dialog box, enter the name of the FTP Site and the physical path, created previously:

FIGURE C: Add FTP Site Wizard – Enter site information

FIGURE D: Add FTP Site Wizard – Enter Binding and SSL Settings

1. Enter the IP address information for the FTP Site and binding on port, use default FTP port 21. In case you know what you are doing and if your application might need to use another port than the default one, you can change it here.
2. As something new with FTP Publishing Service, it now support virtual host naming, which is the same as using host headers on website. A Virtual Host name like e.g. ftp.iis-digest.com means that it is now possible to have multiple FTP Sites configured on one IP address and no conflicting bindings on the port.
3. SSL is also a new feature supported by FTP Publishing Service, by combining SSL and FTP, the server is providing FTPS support. By selecting a SSL certificate during configuration, the FTP Site is made available as a secure site, so all traffic will be encrypted. In the above example it should be “Allow SSL”, since there is no SSL certificate for this ftp site.
4. Set the Authentication to anonymous to provide anonymous access to the new ftp site used as example in this article.

FIGURE E: Add FTP Site Wizard – Set Authentication and Authorization Information

1. Add the Authorization settings used for the ftp site, set it to “Anonymous users” and Read (only) permissions.

1. The new ftp site has been configured and can been seen in the IIS Manager

FIGURE F: IIS Manager – view of the new ftp site

1. Test the new FTP site: In this example we login to the test site ftp.iis-digest.com with an anonymous user. With FTP 7 using virtual headers, login needs to be formatted like this: “ftp.iis-digest.com|anonymous”:

FIGURE G: Command prompt – test the ftp connection
There are numerous ways of configuring the users for an ftp site in a secure way and it is not recommended to use anonymous level of authentication for production. Securing FTP will be covered in my next article.
Configure a new FTP site using command line or scripting

With IIS 7.0 and the new FTP 7, it is now possible to script and automate a lot of management of IIS and FTP. This section will describe how to accomplish creating and configuring the same new FTP site as above, just using command line and scripting instead.
Using the new command line tool AppCMD.exe, the command and parameters for creating a new FTP site are:
appcmd add site /name:"ftp.iis-digest.com ftpsite" /bindings:ftp://ftp.iis-digest.com:21 /physicalpath:"c:\inetpub\ftproot\ftp.iis-digest.com /ftpServer.security.ssl.dataChannelPolicy:SslAllow"

FIGURE H: Command prompt – using the appcmd management tool
The same can be archived using PowerShell and the new PowerShell Provider for IIS 7.0. It is an requirement that PowerShell 1.0 is installed on the Windows Server 2008 along with the new PowerShell Provider for IIS 7.0. The PowerShell Provider can be downloaded from www.iis.net. Both needs to be installed to provide the connection and commands for managing IIS 7.0 and FTP 7 using PowerShell.
There is also another more programmatic interface for managing IIS 7.0, which is Microsoft.Web.Administration, more information about this interface can be found on the official IIS website (www.iis.net). The interface will not covered in this article.
Add FTP Publishing to an existing website

With IIS 7.0 and the new FTP Publishing Service it is now possible to add FTP to an existing website, directly from within the IIS Manager. This is a great new feature, not previously seen in IIS. This means that in e.g. hosting environments it is now a lot easier to add FTP access to a website already running on the web server.
With the new FTP Publishing Service it is easy to publish a FTP to an already existing website and this can be done directly within the IIS Manager. In the example below an FTP site will be added to the default website.

1. Expand “Sites” and find the website, which you want to add FTP functionality to, in this example the site name is “Default Web Site”
2. Mark the web site (Default Web Site) and right click or from the Action Pane choose “Add FTP Publishing…”:

FIGURE I: IIS Manager – Choose Add FTP Publishing…

1. A dialog with the Add FTP Publishing Wizard appears, first page “Binding and SSL Settings”:

FIGURE J: Add FTP Site Wizard – Enter Binding and SSL Settings

1. IP Address: Choose the IP address for your new FTP site, this can be either “All Unassigned” or you can enter the IP address or chose from the pull down menu. In this example “All Unassigned” are used

1. Port: The default FTP port is TCP Port 21, which will also be used in this example

1. Virtual Name: It is now possible to use host header for a FTP site, as we know from host headers on web sites and from my first example above. In this example it will be left blank, which means that it will respond to the IP address

1. Select “Allow SSL” since there is no SSL certificate to add to the ftp site

FIGURE K: Add FTP Site Wizard – Enter Authentication and Authorization

1. Select Basic or Anonymous authentication method for your ftp site, it is not recommended to use anonymous. In this example we use anonymous since it is a test site

FTP has now been added to the existing Default web site. Test the ftp connection by connecting to the server IP address or on the server using localhost.

FIGURE L: Testing the FTP connection
Summary

The article described how to configure a new FTP site and how to add FTP Publishing to an existing website. The configuration was done using the IIS Manager and also showed that it can be done through the new command line interface appcmd.exe.
This concludes part 2 of this 3 part article series about the new FTP Publishing Service for Internet Information Services 7.0 (IIS 7.0).
The next article in this series will cover FTP security and how to secure the FTP Publishing Service.

[patris1]

کد:

http://www.windowsnetworking.com/articles_tutorials/IIS-FTP-Publishing-Service-Part3.html

Part 3: Securing an FTP site


Introduction

This article will cover the different configuration scenarios of enhancing security of an FTP site, using a SSL certificate in the new FTP Publishing Service for IIS 7.0. The prerequisite for this article is that the FTP Publishing Service is already installed on Windows Server 2008 and an FTP site has been configured. To see how this is done, please refer to part 1 and part 2 of this article series. This article will contain two main configuration topics each divided into its own sections:

• How to configure a secure FTP site using a commercial SSL certificate
• How to configure a secure FTP site using a self-signed SSL certificate

The new FTP Publishing Service for IIS 7.0 supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is a RFC standard (RFC 4217) where an SSL certificate is added to an FTP site and thereby making it possible to perform secure file transfers using a TLS (SSL) layer below the FTP protocol. By using SSL, the FTP transmission is encrypted and secured from point to point and all FTP traffic is thereby guarded against interception.
The requirements for the users would be to use an FTP client that is able to connect using FTP-S to connect to the FTP site. Examples or FTP clients which support FTP-S could be the open-source FTP client FileZilla or the commercial FTP client CuteFTP.
Configure a secure FTP site using a commercial SSL

Below I will describe how to secure an existing FTP site using a SSL certificate. The certificate issued and used below will be created on an internal Certificate Authority made for testing purpose only, but the certificate enrollment process on the server is the same as when ordering a certificate from a third party certificate provider such as Verisign or Godaddy. It is also possible to create a self-signed certificate directly from within IIS, this process will be described later in the article.
Make sure you have the FTP site running and that you are able to log in to the FTP site. The FTP site used as example in this article ftp.example.com as illustrated below.

1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
2. In IIS Manager click the FTP server and mark the server and choose Server Certificates:

Figure A: Server Certificates

1. In the actions pane, choose Create Certificate Request:

Figure B: Server Certificates - Actions

1. In the dialog windows that pops up, fill out the required information for the certificate and click Next:

Figure C: Self-signed Certificate - Name

1. Choose the default cryptographic service provider and click Next:

Figure D: Cryptographic Service Provider

1. Save the request to a file and click Finish:

Figure E: Save Certificate request
The certificate request has now been done and is pending in IIS. The request is now ready to be sent off to a commercial 3rd party certificate provider (e.g. Verisign, Godaddy etc.).
Import Certificate request

When the certificate request gets back from the certificate provider, it needs to be imported into IIS to work.

1. In IIS Manager click the FTP server and choose Server Certificates:

Figure F: IIS Manager – Server Certificates

1. Choose Complete Certificate Request…:

Figure G: Server Certificates – Complete Certificate Request

1. Select the Certificate request, that came back from the certificate provider and enter the common name of the site and click OK:

Figure H: Complete Certificate Request

1. The certificate is now displayed in the IIS Manager and ready for use:

Figure I: Server Certificates
Enable the commercial certificate on the FTP site

When imported the SSL certificate can be enabled and applied to an FTP site. Go to the FTP site, which you want to apply the certificate to.

1. In IIS Manager select the FTP site and click FTP SSL Settings:

Figure J: FTP site – FTP SSL Settings

1. Select the certificate and the SSL policy (Allow or Required SSL) settings and click Apply:

Figure K: FTP SSL Settings

1. The SSL certificate has now been applied to the FTP site:

Figure L: FTP SSL Settings
The FTP site is now secured and requires the connection to the FTP site to be FTP-S, using a FTP client which supports FTP-S.
Configure a secure FTP site using a self-signed SSL

As described previously it is also possible to generate a self-signed SSL certificate, directly from within the Internet Information Services (IIS) Manager. This process is quicker, than compared to requesting a commercial certificate. Self-signed certificates are great for testing FTP sites or maybe internal use, but not recommended for production use.

1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
2. In IIS Manager click the FTP server and choose Server Certificates:

Figure M: Server Certificates

1. In the actions pane, choose Create Self-Signed Certificate:

Figure N: Server Certificates - Actions

1. In the dialog windows that pops up, give the certificate a friendly name and click OK:

Figure O: Self-signed Certificate - Name

1. The certificate is now generated and ready for use:

Figure P: Server Certificates – Generated certificates
Next step is to apply and enable this new certificate on an existing FTP site.

1. Select the FTP site (in this example: ftp.example.com) and click on FTP SSL Settings:

Figure Q: FTP site – FTP SSL Settings

1. Choose the certificate and select the settings needed (Require SSL Connections) and click apply:

Figure R: FTP site – FTP SSL Settings
The FTP site is now ready to be used and all traffic will be encrypted. An FTP client that supports FTPs is now required to connect to the new FTP site.
Connecting to an FTP site

Use an FTP client which supports FTP-S to connect to the FTP site and test the connectivity. In the example below FileZilla is used. It is important to configure the FTP server setting in FileZilla to connect using FTPs, with FileZilla the settings would be "FTPES - FTP over explicit TLS/SSL".

Figure S: FileZilla – FTPS Settings
The first time you logon to an FTP site running with a self-signed certificate, the FTP client (FileZilla) will prompt and tell you that the root of the certificate is not known. If you want to trust it and import it, click OK.
The FTP site is now ready to be used in a secure manner.
Summary

With the new Microsoft FTP Publishing Service it is now possible to deploy a secure FTP solution based on a Microsoft product, with the integration to Internet Information Services and Active Directory. All FTP communication can now be encrypted because the FTP Publishing Service for IIS 7.0 supports FTP-S (FTP over SSL), FTP-S is a RFC standard (RFC 4217) for encryption FTP traffic.
Encryption of your FTP traffic can be done using a commercial or self-signed SSL certificate. All the configuration is done on the server. The clients connecting to the new secure FTP site, need to use an FTP client that supports FTP-S.
This concludes part 3 of this 3 part article series about the new FTP Publishing Service for Internet Information Services 7.0 (IIS 7.0).