I have set up an FTP site that requires SSL, but when I try to connect to it externally I get the error:

220 Microsoft FTP Service 534 Policy requires SSL.

I know - I set it so! Why doesn't it fetch the SSL cert from the site and allow me to log on?!

(Incidentally beware of all the tutorials that Allow but do not Require SSL - while that will solve the problem it will be because SSL is not being used!).

I suspect it may be that I need a client that supports FTPS (FTP over SSL), and Windows Explorer just uses IE, which does not. But trying FileZilla and WinSCP I get a little further, but then it hangs on TLS/SSL negotiation expecting a response from the server...

UPDATE: I have tried (from: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/):

  1. Configure the Passive Port Range for the FTP Service.
  2. Configure the external IPv4 Address for a Specific FTP Site.
  3. Configure the firewall to allow the FTP service to listen on all ports that it opens.
  4. Disabling stateful FTP filtering so that Windows Firewall will not block FTP traffic.

And still I get (in FileZilla trying both Active and Passive):

Status: Connecting to 203.x.x.x:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error:  Connection timed out
Error:  Could not connect to server

The Windows firewall logs unhelpfully have nothing to say..

UPDATE2: Turning the firewall off does not resolve the problem.

I cannot believe how difficult it is to get something so simple to work and even once following the documentation it does not work.

UPDATE3: Running FileZilla locally connecting through the loopback works in Active mode, in Passive mode I get up to:

Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  GnuTLS error -53: Error in the push function.

Turning the firewall off at both ends I can still not connect the client and get the same error as above.

6 Answers

You're correct that FileZilla or WinSCP are needed. Basically those FTP settings say that anyone trying to use the normal method over port 21 should be denied, and it doesn't attempt to reestablish a different type of connection. Thus IE and the command line options won't work.

A good test is to install FileZilla locally on the FTP server, or on another server that doesn't have a firewall in between. Get it working there to prove that it works, and then start looking at your firewall policy to allow it through. Most likely you're running against a firewall rule that blocks the dynamic ports necessary for FTPS.

In FileZilla, use "explicit FTP over TLS" and test using active and passive mode. Active and passive require different firewall ports.

Scott Forsyth
  • see Update above –  Jul 18 '11 at 01:42
  • It does sound like a firewall issue, based on the status message. Other misconfigurations would likely show up as access denied. Have you tried installing FileZilla locally on the server to completely rule out firewall issues. Active mode (and some of passive mode) depend on firewall rules on the *client* side. See this for a good overview: http://slacksite.com/other/ftp.html. If you can get it working locally, then you'll know for sure that it's a firewall issue and you can keep spending time there. If it doesn't work locally then there's no use spending time on the firewall aspect. – Scott Forsyth Jul 18 '11 at 13:49
  • see update3 above... –  Jul 19 '11 at 00:25
  • Hi Mrk. I'll reply with a new post with some ideas of things to try. – Scott Forsyth Jul 19 '11 at 13:06
To confirm: You need a client that supports FTPS. WinInet in Internet Explorer, and Windows' command-line FTP.EXE do not.

TristanK
  • WinSCP and FileZilla do though, and they get halfway to establishing a connection but then hang waiting for a response from the server.. –  Jul 11 '11 at 03:16
I suspect that you have a similar problem that I experienced in the past in that our border security device was being a little too helpful with FTP connections. In short, if you have a modern enterprise UTM device, try binding TCP/990 to your FTP site and allowing it through the firewall if you're using FTPS. The "FTP helper" service on the UTM may be getting in the way because it expects to see unencrypted traffic traversing TCP/21.

I wrote a blog entry describing the issue and solutions: http://www.lewisroberts.com/2010/08/06/scripting-ftpes-explicit-tlsssl-with-curl/

You should also configure your passive FTP port range within IIS and open those ports in your firewall. In IIS, click the top-level node (server name), then click FTP Firewall Support. In there, define a range of ports that you must then open in your firewall and forward to the FTP server.

You can likely ignore the parts about cURL but hey, you might find it useful in the future!

HTH

-Lewis

Lewis
How about enabling Clear Command Channel support in the ftps client connection?

mahnsc
This post goes along with my previous one, but I want to include more information. Here are some steps that you can test further (after your update 3).

For all of the following, use the localhost FileZilla:

  • Try reverting the passive ports setting back again and then test on the local machine. The local machine should be able to connect with active and passive mode.
  • Try with the SSL setting set to Allow rather than Require, just to rule out the obscure.
  • Try setting up a new FTP account again and see how that works.
  • Just to be sure, you're using FTPES right?

And as a recap, your settings should look something like this:

  • FTP Authentication: anonymous disabled, basic enabled.
  • FTP Authorization rule: create an allow-all rule and delete your temp one ... just for testing. There was a bug at one point that didn't work with certain combinations of users for the authorization rule ... although it would reveal itself as access denied, so likely not your issue.
  • Make sure to test with a Windows user account (vs. IIS user) until you narrow this down.
  • Make sure that your Windows user has access to the FTP root folder.
  • FTP SSL Settings should be Allow or Require for testing (Require when live). Make sure that your SSL cert is valid. You can test with another self-signed cert to rule that out ... although since it works with Active mode, that's likely not the issue.
  • Don't use FTP host headers (in the site bindings) until you've gotten everything else working.
  • FTP User Isolation: the 3rd option down is a good one in many situations, but the very top option is a good simple one for testing.

I still believe it has to do with the passive ftp ports or something else with the firewalls, so many of the above steps won't help, but it doesn't hurt to review them.

Are you using a VPN or anything else between your client machine and ftp server? That can mess with passive FTP too.

Scott Forsyth
  1. Make sure that you have configured the SSL Certificate in FTP SSL Settings at the server level and it's the same at the site level. For some reason MS site (https://learn.iis.net/page.aspx/304/using-ftp-over-ssl-in-iis-7/) shows you to configure certificate in FTP SSL Settings only on the site, not on both the Server and the Site. This blog helped me: http://prestondev.wordpress.com/2012/02/24/iis-ftp-7-5-ftp-over-ssl-ftps-setup/

  2. Since I was using a self-signed certificate, I had to set "Require Explicit FTP over TLS" in FileZilla. It then gave me a message box that my hostname did not match the certificate, which I ignored.

  3. This is not a firewall or active/passive issue. Your logs show you are able to establish the control channel through the firewall. Next you'll negotiate SSL and authenticate while still on the control channel. Once that succeeds you'd proceed to set up the data channel in active or passive mode, depending on your configuration. Here's what your logs will look like...

    Status: Connecting to x.y.z.91:21...
    Status: Connection established, waiting for welcome message...
    Response:   220 Microsoft FTP Service
    Command:    AUTH TLS
    Response:   234 AUTH command ok. Expecting TLS Negotiation.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Command:    USER ftp.myserver.com|ftpuser
    Status: TLS/SSL connection established.
    Response:   331 Password required for ftp.myserver.com|ftpuser.
    Command:    PASS *********
    Response:   230 User logged in.
    Command:    OPTS UTF8 ON
    Response:   200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Command:    PBSZ 0
    Response:   200 PBSZ command successful.
    Command:    PROT P
    Response:   200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing...
    Command:    PWD
    Response:   257 "/" is current directory.
    Command:    TYPE I
    Response:   200 Type set to I.
    Command:    PASV
    Response:   227 Entering Passive Mode (x,y,z,91,194,245).
    Command:    LIST
    Response:   150 Opening BINARY mode data connection.
    ...
    

Good luck!
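As an added example (not code from any answer on this page), the following Python script reads a FileZilla transcript like the ones in the question and the last answer, reports the FTPES phase in which the session stalled (control connection, TLS handshake, authentication or data channel), and decodes a `227 Entering Passive Mode` reply so the advertised address and port can be checked against the external IPv4 address and passive port range configured in IIS FTP Firewall Support. The sample transcript and the IP/port-range values are constructed, not taken from the page.

```python
import re

# FTPES session phases in order, each keyed on the FileZilla line that proves
# it completed; the first phase never completed says where to look (port 21,
# the TLS handshake, credentials, or the data channel and its port range).
PHASES = [
    ("control connection", re.compile(r"^Status:\s*Connection established")),
    ("TLS handshake", re.compile(r"^Status:\s*TLS/SSL connection established")),
    ("authentication", re.compile(r"^Response:\s*230 ")),
    ("data channel", re.compile(r"^Response:\s*226 ")),
]
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def failed_phase(transcript):
    """Name the first phase the transcript never completed (None if all done)."""
    lines = [ln.strip() for ln in transcript.strip().splitlines()]
    for name, pattern in PHASES:
        if not any(pattern.match(ln) for ln in lines):
            return name
    return None

def parse_pasv(line):
    """Decode '227 Entering Passive Mode (a,b,c,d,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2  # data port is p1*256 + p2

def check_pasv(line, external_ip, port_range):
    """List mismatches between a 227 reply and the IIS FTP firewall settings."""
    ip, port = parse_pasv(line)
    lo, hi = port_range
    findings = []
    if ip != external_ip:  # internal address advertised through NAT
        findings.append(f"server advertised {ip}, expected external {external_ip}")
    if not lo <= port <= hi:  # data port not in the range opened on the firewall
        findings.append(f"data port {port} outside passive range {lo}-{hi}")
    return findings

# Constructed sample transcript (modelled on the question): the session
# stops right after AUTH TLS, so the TLS handshake never completed.
STALLED_AT_TLS = """\
Status: Connection established, waiting for welcome message...
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error: Connection timed out
"""
```

A transcript that stalls in the TLS handshake points at something between the client and server interfering with the control channel after `AUTH TLS`, whereas one that reaches `150 Opening BINARY mode data connection` and then fails has a data-channel (port range or NAT) problem.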