Q: Does the FTP server that's included with Microsoft IIS support FTP over SSL? If it does, how can I configure it? Can I configure it to secure only the exchange of the FTP user credentials?
A: The IIS FTP server supports FTP over SSL, starting with the IIS 7.0 web server that's bundled with Windows Server 2008. To enable FTP over SSL, you should first make sure that you have a valid SSL certificate configured for your web server. You can create a self-signed certificate or obtain a certificate from your enterprise Certification Authority (CA) or from a commercial CA. You can configure an SSL certificate using the Server Certificates option that shows up in the center pane of IIS Manager when you select your web server object.
You must also allow the use of SSL when you enable the FTP protocol for your website. To enable FTP from IIS Manager, select the website and click Add FTP Publishing in the Actions pane. Next, in the Bindings and SSL Settings section, make sure that you select Allow SSL in the SSL section. Finally, in the Authentication and Authorization Information dialog box, you typically select Basic in the Authentication section, select the Specified Users option in the Allow access to drop-down list, and enter the FTP user logon account in the accompanying text box in the Authorization section.
You can then further configure FTP over SSL using IIS Manager's FTP SSL Settings feature, which you can find in the center pane, both on the web-server level and website level. This is the feature you'd use to configure IIS to secure only the FTP credential exchanges using SSL. It's important that you configure the same settings on both the web-server level and website level. If you don't do so, you'll get "conflicting TLS setting" error messages when you try to connect to your FTP site.
To change the FTP SSL Settings for your website, navigate to your website from IIS Manager and double-click FTP SSL Settings in the center pane to open the FTP SSL Settings dialog box. From the SSL Certificate list, select the certificate that you want to use for securing your FTP connections. Under SSL Policy, you can select one of the following options.
Allow SSL connections. Choose this option if you want your FTP server to support both non-SSL and SSL connections.
Require SSL connections. Select this option if you want to enforce the use of SSL encryption for all FTP communications.
Custom. Choose this option if you want to configure a different SSL policy for the FTP control and data channels. After you select it, click the Advanced button. In the Advanced SSL Policy dialog box, you can select the SSL policies. For the FTP control channel, your options are:
- Allow. Allows SSL for the control channel, meaning that SSL isn't required.
- Require. Enforces the use of SSL for the control channel.
- Require only for credentials. Requires SSL only when the FTP user credentials are sent.
For the FTP data channel, your options are:
- Allow. Allows SSL for the data channel, meaning that SSL isn't required.
- Require. Enforces the use of SSL for the data channel.
- Deny. Denies the use of SSL for the data channel.
In your case, you'd select the Custom option. Then, in the Advanced SSL Policy dialog box, you'd choose Require only for credentials for the FTP control channel and Allow for the FTP data channel. Remember that after you configure these settings for your website, you must also configure the same settings for your web server.
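The same policy can be applied and checked from PowerShell. This is an added example, not part of the original answer. It assumes the WebAdministration module is available, that the web-server-level setting is stored as the FTP site defaults in applicationHost.config, and that the site is named 'Default FTP Site' (a placeholder).

```powershell
# Added example, not from the original article. Run elevated on the IIS server.
Import-Module WebAdministration

$siteName = 'Default FTP Site'   # assumption: placeholder, use your FTP site's name
$sitePath = "IIS:\Sites\$siteName"
# Assumption: the web-server-level FTP SSL settings live under siteDefaults.
$defaults = 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl'

# Policy from the answer: SSL only for credentials on the control channel,
# SSL allowed but not required on the data channel. With this policy, file
# contents travel unencrypted whenever the client does not request SSL.
$policy = @{
    controlChannelPolicy = 'SslRequireCredentialsOnly'
    dataChannelPolicy    = 'SslAllow'
}

# Some attribute reads come back wrapped in an object with a Value property.
function Get-PlainValue($v) {
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    return [string]$v
}

foreach ($name in $policy.Keys) {
    # Web-server level.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter $defaults -Name $name -Value $policy[$name]
    # Website level.
    Set-ItemProperty -Path $sitePath `
        -Name "ftpServer.security.ssl.$name" -Value $policy[$name]
}

# Read both levels back. A mismatch here is the condition that produces the
# "conflicting TLS setting" errors described above.
$mismatch = $false
foreach ($name in $policy.Keys) {
    $server = Get-PlainValue (Get-WebConfigurationProperty `
        -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $defaults -Name $name)
    $site = Get-PlainValue (Get-ItemProperty -Path $sitePath `
        -Name "ftpServer.security.ssl.$name")
    Write-Output ("{0}: server={1} site={2}" -f $name, $server, $site)
    if ($server -ne $site) { $mismatch = $true }
}

if ($mismatch) {
    Write-Warning "Server-level and site-level FTP SSL policies differ."
} else {
    Write-Output "Server-level and site-level FTP SSL policies match."
}
```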