Recently Windows has made great improvements in the FTP server that integrates with IIS. In Windows Server 2008 and Server 2008 R2, IIS 7 now has a new FTP Server 7.5. This can be installed from a download if you are using Windows Server 2008, or added as a role service if you are using Windows Server 2008 R2.
The link below is a good walkthrough of how to get it running.
http://learn.iis.net/page.aspx/321/configure-ftp-with-iis-7-manager-authentication/
This is all well and good except there is a big "gotcha" in working with passive mode FTP.
An excerpt from "How to Configure Windows Firewall for a Passive Mode FTP Server":
Using the File Transfer Protocol (FTP) service on a server behind a firewall creates a set of challenges because of the way FTP works. A standard mode FTP client initiates a session to a server by opening a "command channel" connection to TCP port number 21. A file transfer is requested by the client by sending a PORT command to the server. The server then attempts to initiate a "data channel" connection back to the client on TCP port number 20. A typical firewall running on the client sees this data channel connection request from the server as unsolicited and drops the packets, causing the file transfer to fail. Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 supports stateful FTP, which allows it to match inbound connection requests on port 20 with previous outbound PORT commands from the client. However, if you use FTP over SSL to encrypt and secure the FTP traffic, then the firewall can no longer inspect the inbound connection requests from the server, and they are blocked.
To avoid this issue, FTP also supports a "passive" operational mode in which the client initiates the data channel connection. Instead of using the PORT command, the client sends a PASV command on the command channel. The server responds with the TCP port number to which the client should connect to establish the data channel. By default, the server uses an available port in the ephemeral range (1025 through 5000). To better secure the server, you can restrict the port range used by the FTP service, and then create a firewall rule that allows FTP traffic on only those allowed port numbers.
So as you can see, the communication initiates on port 21, but then a "data channel" is set up on port 20, which is where your communication is probably getting blocked.
Follow the steps in the link below to enable Windows Firewall to allow this data channel communication through.
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
http://technet.microsoft.com/en-us/library/dd421710(WS.10).aspx
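Once the passive port range is restricted as the excerpt above describes, a quick check is to decode the port the server hands out in its PASV reply and confirm it falls inside the range the firewall rule allows. The script below is an added example, not code from the original post or from Microsoft's documentation; the range 5000-5100 and the sample replies are assumed values constructed for illustration.

```python
import re

# Assumed values for illustration: the data channel port range configured on
# the FTP server and allowed by the matching inbound firewall rule.
ALLOWED_RANGE = (5000, 5100)

_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        raise ValueError("not a 227 passive mode reply: %r" % line)
    match = _PASV_RE.search(line)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % line)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in reply: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # port is sent as two bytes, high byte first
    return host, port


def check_reply(line, allowed=ALLOWED_RANGE):
    """Classify one reply: 'allowed', 'blocked' (outside the range) or 'unparsed'."""
    try:
        _, port = parse_pasv_reply(line)
    except ValueError:
        return "unparsed", None
    low, high = allowed
    return ("allowed" if low <= port <= high else "blocked"), port


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,19,146)",  # inside the assumed range
    "227 Entering Passive Mode (192,0,2,10,4,37)",    # default ephemeral range
    "200 PORT command successful.",                   # not a passive mode reply
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        status, port = check_reply(reply)
        print("%-8s port=%s  %s" % (status, port, reply))
```

A "blocked" result means the server is still handing out ports outside the restricted range, so the data channel connection will be dropped even though the login on port 21 succeeds.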
