Bradley Handziuk's blog

Setting up FTP access to Windows 2008 R2 through Amazon EC2

I had a really hard time getting this to work. In the end it was my lack of understanding of passive versus active FTP and of FTP connection ports versus data ports. The general process for getting this to work is:

  • Setting up an FTP site in IIS in your Windows instance
  • Finding your external IP address and telling the FTP service in Windows about it
  • Opening the appropriate ports in your EC2 instance's security group, and making sure they match the Data Channel port range in the IIS FTP Firewall Support settings

To set up an FTP site in IIS

This video was very helpful to me for this step. I also like this option better than setting up Filezilla Server because everything is in one place (IIS).

  1. Open Server Manager
  2. Right click on Web Server (IIS)
  3. Click Add Role Services
  4. In Role Services check FTP Server
  5. Click Install
  6. Wait for the installation to finish
  7. Once it is finished, open IIS Manager, right click Sites and choose Add FTP Site
  8. Give it a sensible name (ftp.domain.com) and put the files where you would like them to go (%SystemDrive%\inetpub\ftproot)
  9. Many sites say to just "Allow SSL Connections" but I checked "Require SSL Connections" and I checked the "Use 128-bit encryption for SSL Connections" box. This means that when connecting in Filezilla the Protocol is FTP and the Encryption is "Require explicit FTP over TLS" (remember FTPS = SSL, SFTP = SSH)
  10. (Optional) Directory Browsing > Directory Listing Options > Virtual directories (true). This lets you create linked directories to other places so you can put files wherever you need to.

External IP Address of Firewall

If you do not tell the FTP service the external IP address of your server, then after the client connects from outside and the server tries to move it onto the data channel (the PASV reply), the server will tell the client to connect to some random port (we fix that part later) on the instance's internal IP, i.e. the private address on the instance's own network adapter. The client cannot reach that address from the Internet, so the directory listing or transfer just hangs. You want the server to keep talking to the client over the external IP address. Change this in IIS > your ftp site > FTP Firewall Support > External IP Address of Firewall. On EC2 the instance only ever sees its private address; the public or Elastic IP is NAT'd by Amazon, so IIS has no way to learn it unless you type it in. And because the control channel is encrypted (you required SSL above), the PASV reply is inside TLS and no firewall or NAT in between can rewrite the address for you, which is why this setting is mandatory for FTPS.

I think you can set this either at the server level's FTP Firewall Support rule or at a specific site. I imagine if they are different then the site-specific one takes precedence.

If you are using an Elastic IP through AWS and enter that, you'll only have to enter it once. If you don't use an Elastic IP and Amazon changes your IP address (for example after a stop and start), or you move your domain to another instance, you will need to change this IP address here too. Not a big deal, but something to check in the future.

All of this is my best understanding and hopefully it is right. It is at least what worked for me.

The Firewalls

  1. Log in to your EC2 account
  2. Go to the Security Group under which your instance is running (if you have several, confirm which one by going to Instances > click on your instance > in the Description section look for Security Groups > click on it)
  3. Edit the Inbound rules
  4. Add two Custom TCP Rules
    1. One to allow access to port 21 from My IP, so the control connection (login and commands) can be established
    2. Once the connection is established (and you are working in Passive Mode), every directory listing or file transfer is sent over a separate data connection that the client opens to a port the server picks from a wide range of high ports (anything above the well-known ports 0-1023, up to 65535). Active mode would instead have the server connect back to the client, which is why passive is used here. Because a random high port would mean opening every port in AWS, restrict the server to some reasonable range instead. The key is that the Data Channel Port Range in the IIS FTP Firewall Support settings must match the port range opened in AWS (and again only let "My IP" through, not just any IP)

      (Screenshot: IIS > FTP Firewall Support > Data Channel Port Range, set to the same range as the AWS rule.)

      (Screenshot: AWS inbound rules in the security group associated with your instance, showing port 21 and the data channel range from My IP.)

      Note that when you change the data connection ports you need to restart the FTP service ("Microsoft FTP Service" in the Windows Services window). For whatever reason, just restarting the FTP site in IIS is not enough.
  5. Allow FTP access through your server's Windows firewall (Start > Administrative Tools > Windows Firewall with Advanced Security > Inbound Rules).
    Add inbound rules allowing TCP 21 and the same data channel port range if they do not already exist. Because the control channel is encrypted, the firewall's stateful FTP inspection cannot see which port the PASV reply hands out, so the data range has to be opened explicitly rather than relying on that inspection.
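The whole procedure above as one script, added here as an example; it is not from the original post nor from Microsoft's or Amazon's documentation. It is meant to be run from an elevated PowerShell prompt on the Windows Server 2008 R2 instance, uses the built-in appcmd.exe and netsh, and assumes the AWS CLI is installed and configured on the box. The site name, certificate thumbprint, Elastic IP, port range, client address and security group ID are all placeholders.

```powershell
# Added example, not from the original post: the same settings applied from an
# elevated PowerShell prompt on the Windows Server 2008 R2 instance. appcmd and
# netsh are built in; the AWS CLI is assumed to be installed and configured.
# Every value below is an assumption; replace it with your own.
$SiteName   = 'ftp.domain.com'                            # FTP site name chosen in IIS
$CertHash   = '0123456789ABCDEF0123456789ABCDEF01234567'  # thumbprint of the server cert
$ExternalIp = '203.0.113.10'                              # the instance's Elastic IP
$LowPort    = 50000                                       # passive data-channel range
$HighPort   = 50050
$ClientCidr = '198.51.100.7/32'                           # "My IP" in the AWS console
$GroupId    = 'sg-0123456789abcdef0'                      # the instance's security group
$appcmd     = "$env:windir\System32\inetsrv\appcmd.exe"

# 1. TLS policy for the site. SslRequire on the control channel is what refuses a
#    plaintext login; SslAllow would let a client that never sends AUTH TLS log in
#    with its password in the clear. ssl128 rejects the weaker cipher suites.
& $appcmd set site "$SiteName" `
    /ftpServer.security.ssl.serverCertHash:$CertHash `
    /ftpServer.security.ssl.controlChannelPolicy:SslRequire `
    /ftpServer.security.ssl.dataChannelPolicy:SslRequire `
    /ftpServer.security.ssl.ssl128:true

# 2. The address IIS puts in its 227 PASV replies. The adapter only carries the
#    private address; the Elastic IP is NAT'd by Amazon, so IIS must be told about it.
& $appcmd set site "$SiteName" /ftpServer.firewallSupport.externalIp4Address:$ExternalIp

# 3. Server-wide passive data-channel port range (stored in applicationHost.config).
& $appcmd set config /section:system.ftpServer/firewallSupport `
    /lowDataChannelPort:$LowPort /highDataChannelPort:$HighPort /commit:apphost

# The range is only read when the service starts; restarting the site in IIS Manager
# is not enough.
Restart-Service ftpsvc

# 4. Windows Firewall: the control port plus the same data range, from the client only.
#    Stateful FTP inspection cannot read the PASV port inside TLS, so it is turned off
#    and the range is opened explicitly instead.
netsh advfirewall set global StatefulFtp disable
netsh advfirewall firewall add rule name=FTPS-control dir=in action=allow protocol=TCP localport=21 remoteip=$ClientCidr
netsh advfirewall firewall add rule name=FTPS-passive-data dir=in action=allow protocol=TCP localport="$LowPort-$HighPort" remoteip=$ClientCidr

# 5. EC2 security group: the identical two rules, from the same client address.
aws ec2 authorize-security-group-ingress --group-id $GroupId --protocol tcp --port 21 --cidr $ClientCidr
aws ec2 authorize-security-group-ingress --group-id $GroupId --protocol tcp --port "$LowPort-$HighPort" --cidr $ClientCidr

# Read back what IIS actually stored for the site and for the server-wide range.
& $appcmd list site "$SiteName" /config
& $appcmd list config /section:system.ftpServer/firewallSupport
```

The two read-back commands at the end are the check worth keeping: if the site's ftpServer section does not show externalIp4Address and both SslRequire policies, or the firewallSupport section still shows 0 for both ports, the change did not commit and the PASV replies will still carry the private address or an out-of-range port.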

All done!
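To confirm the result before trusting a transfer, the following added example (my code, not part of the original post) checks the server's "227 Entering Passive Mode" reply, which Filezilla prints in its message log right after you connect, against the external IP and data channel port range you configured. The three reply lines at the bottom are constructed, not captured from a real server, and the IP and port values are assumptions.

```powershell
# Added example, not from the original post. Feed it the "227 Entering Passive Mode"
# line from Filezilla's message log plus the external IP and data-channel range you
# configured, and it names the misconfiguration instead of leaving you with a hang.
function Test-PasvReply {
    param(
        [string]$Reply,       # the server's 227 response line
        [string]$ExternalIp,  # External IP Address of Firewall entered in IIS
        [int]$LowPort,        # Data Channel Port Range in IIS / the AWS rule
        [int]$HighPort
    )
    # RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2
    if ($Reply -notmatch '^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        return @{ Ok = $false; Problems = @("not a 227 PASV reply: $Reply") }
    }
    $ip   = "$($matches[1]).$($matches[2]).$($matches[3]).$($matches[4])"
    $port = [int]$matches[5] * 256 + [int]$matches[6]
    $problems = @()

    if ($ip -ne $ExternalIp) {
        # RFC 1918 ranges: the instance's own adapter address leaked into the reply
        if ($ip -match '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)') {
            $problems += "server advertised its private address $ip; set External IP Address of Firewall in IIS"
        } else {
            $problems += "server advertised $ip but the Elastic IP is $ExternalIp; the IIS value is stale"
        }
    }
    if ($port -lt $LowPort -or $port -gt $HighPort) {
        $problems += "data port $port is outside $LowPort-$HighPort; fix the IIS range and restart Microsoft FTP Service, or widen the security group to match"
    }
    return @{ Ok = ($problems.Count -eq 0); Ip = $ip; Port = $port; Problems = $problems }
}

# Constructed sample replies (not captured from a real server): the good case, the
# missing-external-IP case described above, and a port the security group does not allow.
$samples = @(
    '227 Entering Passive Mode (203,0,113,10,195,80).',   # 203.0.113.10, port 50000
    '227 Entering Passive Mode (10,0,1,23,195,80).',      # private IP, port 50000
    '227 Entering Passive Mode (203,0,113,10,31,144).'    # Elastic IP, port 8080
)
foreach ($s in $samples) {
    $r = Test-PasvReply -Reply $s -ExternalIp '203.0.113.10' -LowPort 50000 -HighPort 50050
    if ($r.Ok) { "OK   $($r.Ip):$($r.Port)" } else { "FAIL $s`n  " + ($r.Problems -join "`n  ") }
}
```

Run on the samples, the first reply passes, the second is flagged for the private address and the third for the port outside 50000-50050. Running the same function on the real reply from your own server separates the two failures this post hit (wrong address versus wrong port) in one glance, which the client's "connection timed out" message does not.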

FYI - The rabbit hole that did not work! - Setting up SSL on IIS for use with Filezilla

  • Create a self-signed certificate through IIS
  • Export that certificate. It will create a .pfx file (IIS default location > IIS (section) > Server Certificates > pick a certificate (probably the one you made above) > right click > Export...)
  • You need to convert that file to a .pem file for Filezilla to recognize it.
  • Use openssl to convert pfx --> pem (you might need to install the C++ 2008 redistributables, which requires a reboot)
  • I created a script to do the pfx --> pem conversion:

REM Set the path to include the openssl directory (32-bit build left commented out)
REM set path=%path%;C:\OpenSSL\bin;
set path=%path%;C:\OpenSSL-Win64\bin;

REM 1. Pull the private key out of the PFX. You are prompted for the PFX export
REM    password; -nodes writes the key UNENCRYPTED, so keep the .key file off any
REM    shared location and delete it once the .pem is in place.
openssl pkcs12 -in C:\...\PfxCertificateName.pfx -out C:\...\PemKeyCertificateName.key -nocerts -nodes

REM 2. Rewrite the key from PKCS#8 to the traditional RSA PEM format
REM    (the input is the .key file written in step 1).
openssl rsa -in C:\...\PemKeyCertificateName.key -out C:\...\PemKeyCertificateName_rsa.key

REM 3. Pull the certificate (leaf cert only, no key) out of the same PFX.
openssl pkcs12 -in C:\...\PfxCertificateName.pfx -out C:\...\PemCertificateName.pem -nokeys -clcerts