Sunday, November 6, 2011

FTP on Windows 2008 Server R2

FTP on Windows Firewall and non-secure FTP traffic


FileZilla can be used to set up an FTP server easily (test it locally first and make sure it works). One further quick step is necessary: add a rule in Windows Firewall to allow the necessary ports.

Windows Firewall can be configured from the command line using the netsh command. Two simple steps are required to set up Windows Firewall to allow non-secure FTP traffic:

1) Open port 21 on the firewall
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

2) Activate the firewall's application filter for FTP (aka Stateful FTP), which dynamically opens ports for data connections
netsh advfirewall set global StatefulFtp enable

Taken from http://social.msdn.microsoft.com/Forums/en-US/winserver2008appcompatabilityandcertification/thread/72ea0c7d-1071-4637-a38f-e77195e8a738/

Some more info
Configuring FTP Firewall Settings in IIS 7
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings-in-iis-7/

FTP7 for Windows Server 2008 RTM is released!
http://blogs.msdn.com/b/robert_mcmurray/archive/2008/02/27/ftp7-for-windows-server-2008-rtm-is-released.aspx

Installing FTP 7.5 on Windows Server 2008
http://technet.microsoft.com/en-us/library/dd722761(WS.10).aspx


Configure Total Commander as a client to use the SSL/TLS feature

1. Get the OpenSSL package from
- official page - http://gnuwin32.sourceforge.net/packages/openssl.htm
- the LibCurl library - http://curl.haxx.se/download.html *
* Please scroll down to the section named "Win32 - Generic" and download the following package (or a newer one): Win32 2000/XP 7.19.0 libcurl SSL enabled Günter Knauf 1.54 MB

2. Copy the two DLLs libssl32.dll and libeay32.dll from the "bin" subdirectory of the archive to the Total Commander directory.

3. Now you can make connections with prefix ftps:// and https://

Note: A red open padlock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc., do the following:
1. Start Internet Explorer and open its configuration dialog
2. Go to the page "Content"
3. Click on "Certificates"
4. Go to the last page "Trusted root certificate authorities"
5. Select all certificates
6. Click on "Export"
7. As name, enter: rootcerts
8. Confirm with Next/OK. This creates a file rootcerts.p7b
9.a. Copy rootcerts.p7b to the installation folder of OpenSSL C:\Program Files\OpenSSL\bin\
9.b. Issue the following two commands to convert to openssl format:
openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem

10. Put the file rootcert.pem in the Total Commander directory
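
An added example, not part of the original post: openssl x509 reads only one certificate from its input, so the second command in step 9.b carries just the first root certificate into rootcert.pem. This Python filter keeps every certificate from the -print_certs output and drops the subject/issuer text between them; the function names and the sample data are constructed for illustration, and a Python 3 install on the machine is assumed.

```python
import base64
import re

# Matches one PEM certificate block; text between blocks (subject=/issuer=) is skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_certs(print_certs_text):
    """Return every certificate in `openssl pkcs7 -print_certs` output as DER bytes."""
    ders = []
    for match in PEM_BLOCK.finditer(print_certs_text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # damaged block: skip it rather than write a broken bundle
        if der[:1] == b"\x30":  # a DER certificate starts with a SEQUENCE tag
            ders.append(der)
    return ders


def to_pem_bundle(ders):
    """Re-encode DER certificates as PEM blocks with 64-character lines."""
    blocks = []
    for der in ders:
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return "".join(blocks)


def _constructed_block(der):
    # Lays one blob out the way -print_certs does: subject/issuer lines, then PEM.
    return ("subject=/CN=Constructed Root\nissuer=/CN=Constructed Root\n"
            + to_pem_bundle([der]) + "\n")


# Constructed sample: three placeholder DER blobs (not real certificates),
# followed by one block whose base64 body is corrupted.
SAMPLE_DERS = [b"\x30\x82\x01\x0a" + bytes([n]) * 100 for n in (1, 2, 3)]
SAMPLE = ("".join(_constructed_block(d) for d in SAMPLE_DERS)
          + "-----BEGIN CERTIFICATE-----\n!!not base64!!\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    bundle = to_pem_bundle(extract_certs(SAMPLE))
    print(bundle.count("BEGIN CERTIFICATE"), "certificates kept")
```

For the real file, read unfiltered.pem as text and write the result of to_pem_bundle(extract_certs(text)) to rootcert.pem; compare the count of certificates kept with the number selected for export in step 5.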