Windows 2019

FTP Server : SSL/TLS Setting
2019/09/06
 
Add an FTP site with SSL/TLS enabled.
In this example, create a local group [FTPGroup], add the local users you allow to use FTP to the group, and grant read and write authority to the group.
[1]
[2] Run PowerShell with administrator privileges and configure the FTP service.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# add a group [FTPGroup] for FTP
PS C:\Users\Administrator> New-LocalGroup -Name "FTPGroup" 

Name     Description
----     -----------
FTPGroup

# add the users you allow to use FTP to [FTPGroup]
# the example below adds the [Serverworld] user to [FTPGroup]
PS C:\Users\Administrator> Add-LocalGroupMember -Group "FTPGroup" -Member "Serverworld" 

# confirm
PS C:\Users\Administrator> Get-LocalGroupMember -Name "FTPGroup" 

ObjectClass Name             PrincipalSource
----------- ----             ---------------
User        RX-7\Serverworld Local

# add FTP site
# -Name [any name you like]
# -IPAddress [listening IP address] (below is 0.0.0.0 (all))
# -Port [listening port]
PS C:\Users\Administrator> New-WebFtpSite -Name "FTPSite01" -IPAddress "*" -Port 21 

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
FTPSite01        2    Started                                   ftp *:21:

# set physical folder that is used for FTP site
# example below, create a [FTPSite01] folder under the [C:\inetpub\ftproot] that is created by default and set it
PS C:\Users\Administrator> mkdir 'C:\inetpub\ftproot\FTPSite01' 
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name physicalPath -Value 'C:\inetpub\ftproot\FTPSite01' 

# set SSL/TLS required
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslRequire" 
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name ftpServer.security.ssl.dataChannelPolicy -Value "SslRequire" 

# confirm Thumbprint of certificate
PS C:\Users\Administrator> Get-ChildItem Cert:\LocalMachine\My 

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
560F4FE5B89D70A8CAC5F65B1869C4F8A9274C15  CN=rx-8.srv.world

# add cert store and Thumbprint
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name ftpServer.security.ssl.serverCertStoreName -Value "My" 
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name ftpServer.security.ssl.serverCertHash -Value "560F4FE5B89D70A8CAC5F65B1869C4F8A9274C15" 

# set basic authentication
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true 

# set read and write authority to [FTPGroup] group
PS C:\Users\Administrator> Add-WebConfiguration "/system.ftpServer/security/authorization" -Location FTPSite01 -PSPath IIS:\ -Value @{accessType="Allow";roles="FTPGroup";permissions="Read,Write"} 

# set external IP address (the one client computers connect to)
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPSite01" -Name ftpServer.firewallSupport.externalIp4Address -Value "10.0.0.101" 

# set NTFS access authority to the physical folder
# example below, add full control
PS C:\Users\Administrator> icacls "C:\inetpub\ftproot\FTPSite01" /grant "FTPGroup:(OI)(CI)(F)" 
processed file: C:\inetpub\ftproot\FTPSite01
Successfully processed 1 files; Failed processing 0 files

# restart FTP site
PS C:\Users\Administrator> Restart-WebItem -PSPath 'IIS:\Sites\FTPSite01' 
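
A read-back check for the settings applied in step [2], added here as an example and not part of the original page: it confirms that both channels require TLS, that the bound thumbprint resolves to a usable certificate, that anonymous authentication is off, and it flags the full-control NTFS grant. The function names (Get-FtpSetting, Test-FtpTlsConfig) and the 30-day expiry threshold are assumptions; the site, group and property names are the ones used above.

```powershell
# Added example (not from the original page): read-back audit of the FTP site.
Import-Module WebAdministration

function Get-FtpSetting([string]$Site, [string]$Name) {
    # The IIS provider returns either a plain value or an attribute object with .Value
    $v = Get-ItemProperty "IIS:\Sites\$Site" -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Test-FtpTlsConfig([string]$Site = 'FTPSite01', [string]$Group = 'FTPGroup') {
    $findings = @()
    $sec = 'ftpServer.security'

    # Both channels must require TLS, otherwise credentials or file data can travel in cleartext
    foreach ($channel in 'controlChannelPolicy', 'dataChannelPolicy') {
        $policy = "$(Get-FtpSetting $Site "$sec.ssl.$channel")"
        if ($policy -ne 'SslRequire') { $findings += "$channel is '$policy', expected 'SslRequire'" }
    }

    # The bound thumbprint must resolve to a usable certificate in the configured store
    $hash  = "$(Get-FtpSetting $Site "$sec.ssl.serverCertHash")"
    $store = "$(Get-FtpSetting $Site "$sec.ssl.serverCertStoreName")"
    $cert  = if ($hash) { Get-Item "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue }
    if (-not $cert) {
        $findings += "serverCertHash '$hash' not found in LocalMachine\$store"
    } else {
        if (-not $cert.HasPrivateKey) { $findings += 'certificate has no private key' }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "certificate expires $($cert.NotAfter)" }
    }

    # A site meant for named [FTPGroup] users should keep anonymous authentication off
    $anon = "$(Get-FtpSetting $Site "$sec.authentication.anonymousAuthentication.enabled")"
    if ($anon -eq 'True') { $findings += 'anonymous authentication is enabled' }

    # The page grants (F); FullControl also allows changing permissions and ownership
    $path = "$(Get-FtpSetting $Site 'physicalPath')"
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl $path).Access) {
        if ($ace.IdentityReference -like "*\$Group" -and $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full) {
            $findings += "$Group has FullControl on $path; Modify (M) is enough for read/write"
        }
    }
    $findings
}

Test-FtpTlsConfig -Site 'FTPSite01' -Group 'FTPGroup'
```

An empty result means no findings; run it from an elevated PowerShell session on the IIS host.
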
FTP Server : SSL/TLS Setting (GUI)
 
To configure with the GUI, set as follows.
[3] Add a local group and add the local users you allow to use the FTP site to the group.
In this example, create a [FTPGroup] group and add the [Serverworld] user to the group to allow it to use the FTP site. For creating local users and others, refer to here.
[4] Create a physical folder for the FTP site's root path and grant access authority on the folder to the group added on [2]. In this example, create a [FTPSite01] folder under [C:\inetpub\ftproot], which is created by default, and set it.
[5] Buy, obtain, or create an SSL certificate first.
In this example, create a self-signed certificate and use it (for a self-signed one, refer to here).
[6] Add the FTP site.
Run [Start] - [Server Manager] and click [Tools] - [Internet Information Services (IIS) Manager]. Next, select [Site] and right-click it, then open [Add FTP Site].
[7] Input any name for [FTP site name], and for [Physical path] specify the physical path that you added on [3] section.
[8] This is the Binding and SSL settings section. It's OK to keep the defaults for IP Address and Port.
With this default setting, the FTP service listens on 0.0.0.0:21.
In the [SSL] section, select [Require SSL] and also select your certificate in the [SSL Certificate] field.
[9] This is the Authentication and Authorization settings section.
In this example, set [Basic] for authentication and [Specified roles or user groups] for authorization.
[10] For the authorization setting, if you selected [Specified roles or user groups], you need to specify the group you allow to access. In this example, set the group created on [2] section.
[11] The FTP site has been added. Select the new FTP site in the left pane and click [FTP Firewall Support] in the center pane.
[12] Set the IP address that client computers can connect to.
The FTP site configuration is now complete.