Default FTP Firewall Support Settings <firewallSupport>

Overview

The <ftpServer/firewallSupport> element of the <siteDefaults> element is used to configure the way that the FTP service works with firewalls by default.

This element allows server administrators to configure the external address of the firewall that the FTP service will send to FTP clients when passive connections are being used.

When passive connections are negotiated using the FTP PASV command, the FTP server sends a response which contains IP address and port of the server. By specifying the externalIp4Address attribute, you can direct FTP clients to communicate with your firewall, which should route the client traffic to your FTP server. By specifying an external IP address for your firewall per-site, this allows you to route the firewall traffic for each FTP site through a different firewall.

Note: While the external IP address can be configured per-site, you can also specify the data channel port range that the FTP service will use in the global <system.ftpServer/firewallSupport> element.

Compatibility

Version
IIS 8.5 The <firewallSupport> element was not modified in IIS 8.5.
IIS 8.0 The <firewallSupport> element was not modified in IIS 8.0.
IIS 7.5 The <firewallSupport> element of the <ftpServer> element ships as a feature of IIS 7.5.
IIS 7.0 The <firewallSupport> element of the <ftpServer> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 N/A

Note: The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

http://www.iis.net/expand/FTP

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.

Setup

To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.
  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
  4. On the Server Roles page, expand Web Server (IIS), and then select FTP Server.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will need to select FTP Extensibility, in addition to FTP Service.
    .
  5. Click Next, and then on the Select features page, click Next again.
  6. On the Confirm installation selections page, click Install.
  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
  3. Expand Internet Information Services, and then select FTP Server.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  4. Click OK.
  5. Click Close.

Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  5. Click OK.

Windows Server 2008 or Windows Vista

  1. Download the installation package from the following URL:
  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to configure the FTP service for the default external IP address to use for your firewall

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2012 or Windows Server 2012 R2:
      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:
      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, click the server name.
  3. In the server's Home pane, double-click FTP Firewall Support.
  4. In the External IP Address of Firewall box, type the IPv4 address of the Internet-facing network adapter of your firewall.
  5. In the Actions pane, click Apply.

Note: The data channel port range must be configured in the global <system.ftpServer/firewallSupport> element.

For additional information about how to configure the firewall settings for the FTP service, see the following topic on the Microsoft IIS.NET web site:

Configuring FTP Firewall Settings
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

Configuration

Attributes

Attribute Description
externalIp4Address Optional string attribute.

Specifies the external IPv4 address for your firewall.

There is no default value.

Child Elements

None.

Configuration Sample

The following configuration sample displays an example <firewallSupport> element for a server that defines the default firewall settings.

<siteDefaults>
   <ftpServer>
      <firewallSupport externalIp4Address="169.254.10.10" />
   </ftpServer>
</siteDefaults>

Sample Code

The following code samples demonstrate how to configure the default firewall settings for the FTP service.

AppCmd.exe

REM Configure the default external IP address of a firewall.
appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.ftpServer.firewallSupport.externalIp4Address:"169.254.10.10" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
         ConfigurationElement siteDefaultsElement = sitesSection.GetChildElement("siteDefaults");
         ConfigurationElement ftpServerElement = siteDefaultsElement.GetChildElement("ftpServer");

         ConfigurationElement firewallSupportElement = ftpServerElement.GetChildElement("firewallSupport");
            firewallSupportElement["externalIp4Address"] = @"169.254.10.10";

         serverManager.CommitChanges();
      }
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
      Dim siteDefaultsElement As ConfigurationElement = sitesSection.GetChildElement("siteDefaults")
      Dim ftpServerElement As ConfigurationElement = siteDefaultsElement.GetChildElement("ftpServer")

      Dim firewallSupportElement As ConfigurationElement = ftpServerElement.GetChildElement("firewallSupport")
         firewallSupportElement("externalIp4Address") = "169.254.10.10"

      serverManager.CommitChanges()
   End Sub

End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";

var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var siteDefaultsElement = sitesSection.ChildElements.Item("siteDefaults");
var ftpServerElement = siteDefaultsElement.ChildElements.Item("ftpServer");

var firewallSupportElement = ftpServerElement.ChildElements.Item("firewallSupport");
   firewallSupportElement.Properties.Item("externalIp4Address").Value = "169.254.10.10";

adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set siteDefaultsElement = sitesSection.ChildElements.Item("siteDefaults")
Set ftpServerElement = siteDefaultsElement.ChildElements.Item("ftpServer")

Set firewallSupportElement = ftpServerElement.ChildElements.Item("firewallSupport")
   firewallSupportElement.Properties.Item("externalIp4Address").Value = "169.254.10.10"

adminManager.CommitChanges()
Deprecated Elements