I had a really hard time getting this to work. In the end it was my lack of understanding of how passive versus active FTP and FTP connection ports versus data ports work. The general process for getting this to work is:
- Setting up an FTP site in IIS in your Windows instance
- Knowing your external IP address and telling it to the FTP service in Windows
- Opening the appropriate ports in your EC2 instance's security group and having those open ports match the open ports for the Data Channel in the FTP Firewall in IIS
To set up an FTP site in IIS
This video was very helpful to me for this step. I also like this option better than setting up Filezilla Server because everything is in one place (IIS).
- Open Server Manager
- Right click on Web Server (IIS)
- Click Add Role Services
- In Role Services check FTP Server
- Click Install
- It will go through some installation process
- Once it is finished, go to IIS > Sites and right click Add FTP Site
- Give it a sensible name (ftp.domain.com) and put the files where you would like them to go (%SystemDrive%\inetpub\ftproot)
- Many sites say to just "Allow SSL Connections" but I checked "Require SSL Connections" and I checked the "Use 128-bit encryption for SSL Connections" box. This means that when connecting in Filezilla the Protocol is FTP and the Encryption is "Require explicit FTP over TLS" (remember FTPS = SSL, SFTP = SSH)
- (Optional) Directory Browsing > Directory Listing Options > Virtual directories (true). This lets you create linked directories to other places so you can pop files wherever, if need be.
External IP Address of Firewall
If you do not tell the FTP service the external IP address of your server, then when the connection is initially made from the outside and the server then tries to tell the client how to move to the data channel, it will tell it to move to some random port (we'll fix that part later) on an internal IP (i.e. 192.168.1.3). You want it to continue to talk to the client over the external IP address. Change this in IIS > your ftp site > FTP Firewall Support > External IP Address of Firewall.
I think you can set this either at the server level's FTP Firewall Support rule or at a specific site. I imagine if they are different then the site specific one takes precedence.
If you are using an Elastic IP through AWS and you enter that, you'll only have to enter it once. If you don't use an Elastic IP and Amazon changes your IP address, or you move your domain to another instance, you might need to change this IP address here, too. Not a big deal but something to check in the future.
All of this is my best understanding and hopefully it is right. It is at least what worked for me.
The Firewalls
- Log in to your EC2 account
- Go to the Security Group under which your instance is running (which, if you have multiple, you can confirm by going to Instances > click on your instance > in the Description section look for Security Groups > click on it)
- Edit the Inbound rules
- Add two Custom TCP Rules
- One to allow access to port 21 from My IP to complete the connection handshake
- Once the connection is established (and you are working in Passive Mode) data are sent over a random port between 0-65535 (remember 0-1024 are reserved for the system). But because this means you'd need to open every port in AWS, you should restrict your ports to some reasonable range. The key is that the open ports on the IIS FTP Firewall need to match the open ports in AWS (and only let "My IP" through, not just any IP)
(Screenshot: IIS FTP Firewall Data Channel Ports.)
(Screenshot: AWS Inbound open ports in the security group associated with your instance.)
Note that when you make changes to the data connection ports you need to restart the FTP service ("Microsoft FTP Service" from the Windows Services window). For whatever reason, just restarting the FTP site in IIS is not enough.
- Allow FTP access through your server's Windows firewall (Start > Administrative Tools > Windows Firewall with Advanced Security > Inbound Rules)
Add these rules if they do not exist:

All done!

FYI - The rabbit hole that did not work! - Setting up SSL on IIS for use with Filezilla
- Create a self-signed certificate through IIS
- Export that certificate. It will create a .pfx file (IIS default location > IIS (section) > Server Certificates > Pick a certificate (probably the one you made above) > right click > Export...)
- You need to convert that file to a .pem file for Filezilla to recognize it.
- Use openssl to convert pfx --> pem (you might need to install C++ 2008 redistributables which requires a reboot)
- jjhayterz10 created a script to do the pfx --> pem conversion:
REM Set the path to include the openssl directory
REM (use the next line instead for a 32-bit OpenSSL install)
REM set path=%path%;C:\OpenSSL\bin;
set path=%path%;C:\OpenSSL-Win64\bin;
REM 1. Extract the private key from the .pfx (-nocerts skips the certificates, -nodes leaves the key unencrypted)
openssl pkcs12 -in C:\...\PfxCertificateName.pfx -out C:\...\PemKeyCertificateName.key -nocerts -nodes
REM 2. Rewrite the extracted key in traditional RSA PEM format
openssl rsa -in C:\wip\PemKeyCertificateName.key -out C:\...\PemKeyCertificateName_rsa.key
REM 3. Extract only the certificate (-nokeys) and only the leaf/client cert, not the chain (-clcerts)
openssl pkcs12 -in C:\...\PfxCertificateName.pfx -out C:\...\PemCertificateName.pem -nokeys -clcerts