I had a few questions from an old colleague, Virgil, who had just built a Server 2008 Core machine and was having issues configuring FTP. Without asking, I knew Virgil would be chasing an FTP server with some method of secure transport, such as FTPS, and pluggable authentication methods. I know this because he's an interoperable kind of guy 🙂
He'd already been trying to configure this with the default install of FTP that comes with Server 2008, but I recommended that he use the downloadable version from the iis.net website. The only issue here is that you have to uninstall the old FTP server before the new one will install, then configure the service all over again. So, after about 30 minutes of furious IM conversations, this is how we did it.
First we uninstalled the FTP Service that comes with 2008:
start /w pkgmgr /uu:IIS-FTPPublishingService;IIS-FTPServer
Then we downloaded the FTP publishing service for IIS 7, with the friendly name of FTP7:
- x86 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619
- x64 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1620
and installed it:
msiexec /i ftp7_x86_rtw.msi
Once that was in, we simply had to add the appropriate bindings to the site, like so (make sure you close your quotes properly or it goes NUTS!):
c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /+bindings.[protocol='ftp',bindingInformation="*:21:"]
Then we simply had to authorise a user on the server:
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpServer/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='ftpuser'] /commit:apphost
And we were done! (Or so we thought!) On attempting to connect to the FTP server we ended up with this error:
534-Policy requires SSL.
Win32 error: Access is denied.
Error details: SSL policy requires SSL for control channel.
Ahh, that's right: by default the FTP install is set to run as FTPS, thus requiring a secure connection. Turning off this feature (it was a lab environment and didn't require secure transfer) resulted in a LOT of head scratching. Eventually, to save time, we popped open the applicationhost.config file and added these lines in the <site /> tag:
<ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
Not very elegant, but it served the purpose. After a bit more investigation I eventually fell upon the answer using the IIS7 Administration Pack, which allowed me to generate the correct script:
c:\windows\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /[name='Default Web Site'].ftpServer.security.ssl.controlChannelPolicy:"SslAllow" /[name='Default Web Site'].ftpServer.security.ssl.dataChannelPolicy:"SslRequire" /commit:apphost
And there we go, FTP7 configured on Windows Server 2008 Core - couldn't be easier to script...
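Because the SslAllow settings above are easy to forget once a lab box gets reused, here is an added example (not part of the original post and not IIS tooling) that audits a copy of applicationHost.config and reports which FTP-bound sites still accept cleartext. The sample config, the "Lab FTPS" site and the function name are constructed for illustration, and the SslRequire defaults are an assumption based on the 534 error described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed applicationHost.config with the <ssl> element
# from the post on one site and a second FTP site that keeps the defaults.
SAMPLE_CONFIG = """\
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1">
    <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
    <ftpServer><security>
      <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
    </security></ftpServer>
  </site>
  <site name="Lab FTPS" id="2">
    <bindings><binding protocol="ftp" bindingInformation="*:2121:" /></bindings>
  </site>
</sites></system.applicationHost></configuration>
"""

# Assumption: with no <ssl> element both policies default to SslRequire,
# which matches the 534 error the default install produced in the post.
DEFAULTS = {"controlChannelPolicy": "SslRequire", "dataChannelPolicy": "SslRequire"}
SSL_PATH = "ftpServer/security/ssl"

def audit_ftp_ssl(config_xml):
    """Return {site name: [findings]} for every site that has an ftp binding."""
    sites = ET.fromstring(config_xml).find(".//sites")
    inherited = dict(DEFAULTS)
    site_defaults = sites.find("siteDefaults/" + SSL_PATH)
    if site_defaults is not None:
        inherited.update(site_defaults.attrib)  # server-wide override
    report = {}
    for site in sites.findall("site"):
        if not any(b.get("protocol") == "ftp" for b in site.iter("binding")):
            continue  # no FTP binding, nothing to audit
        policy = dict(inherited)
        ssl = site.find(SSL_PATH)
        if ssl is not None:
            policy.update(ssl.attrib)  # per-site setting wins
        findings = []
        if policy["controlChannelPolicy"] == "SslAllow":
            findings.append("control channel accepts cleartext logins")
        if policy["dataChannelPolicy"] != "SslRequire":
            findings.append("data channel accepts cleartext transfers")
        report[site.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_ftp_ssl(SAMPLE_CONFIG).items():
        print(name, "->", findings or "TLS required")
```

An empty findings list means the site still enforces FTPS on both channels; run it against a copy of the file taken from c:\windows\system32\inetsrv\config.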