Managing FTP Firewall Options
To access an FTP
server, firewalls must allow network traffic to be passed for both the
control channel and the data channel. When users connect to an FTP
server, the initial control connection is made using the port provided in the
address. (The default is port 21 if none is provided.) However, for
sending data channel information such as directory listings and file
contents, the FTP server can accept connections on a range of port numbers
that it announces to the client. If these ports are not allowed across the
firewall, users will be able to log on but unable to use the full
functionality of the site.
Note: Troubleshooting common FTP connection issues
A common FTP
connection issue is related to accessing an FTP server from across a
firewall. Users might report that they are able to connect to the FTP
server and provide their authentication credentials. However, when they
attempt to perform an action (such as listing the contents of a
directory), they do not receive a response. This is a classic case of a
firewall that permits the control channel (port 21) but restricts the
data channel. One option for resolving this issue is to enable passive
FTP connections on the FTP client, so that the client opens the data
connection outbound to the server instead of waiting for the server to
connect back in. Another option is to reconfigure the firewall to allow
the data channel ports. Keep these symptoms in mind when you are
troubleshooting FTP connection issues.
You can address this problem through the FTP Firewall Support feature in IIS Manager. (See Figure 26.)
For passive-mode FTP connections, FTP 7 lets you control the ports on
which the FTP server will accept data channel connections. The Data
Channel Port Range setting specifies the range of ports that will be
used for data connections to clients, and therefore the range that the
firewall must allow inbound to the server. You should use ports between
1,024 and 65,535, and keep the range no wider than the number of
concurrent transfers you expect to support. The External IP Address Of
Firewall setting specifies the public address that the FTP server reports
to clients in its response to the PASV command. Without it, a server
behind a NAT firewall announces its private address, which clients on
the outside cannot reach. This is especially important for FTP over SSL,
because the firewall cannot read or rewrite the address inside an
encrypted control channel.
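The passive-mode exchange above is what a client actually sees: the server's 227 reply carries the address and port the client must reach through the firewall. The following is an added example, not code from the original text or from IIS, that parses such a reply and checks it against the Data Channel Port Range and External IP Address Of Firewall you configured; the sample replies are constructed, and the `probe` function (which needs network access and a reachable server) is an assumed diagnostic built on Python's standard `ftplib`.

```python
"""Added example (not from the original text or from IIS): parse an FTP 227
PASV reply and check the advertised data-channel endpoint against the
server's configured Data Channel Port Range and External IP Address Of
Firewall. Useful when a client can log on but a directory listing hangs."""
import re
import ftplib
from typing import List, Tuple

# Constructed sample replies for offline use.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,19,136)"   # 203.0.113.10:5000
BAD_REPLY = "227 Entering Passive Mode (10,0,0,5,195,89)"        # 10.0.0.5:50009

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).

    The port is p1*256 + p2. This is the endpoint the client will open the data
    channel to, which is exactly what the firewall in front of the server must
    allow inbound."""
    if not reply.startswith("227"):
        raise ValueError("not a passive-mode reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_pasv(reply: str, expected_ip: str, low_port: int, high_port: int) -> List[str]:
    """Return the problems a client outside the firewall would hit (empty if none).

    expected_ip is the public address the firewall presents, i.e. the value you
    put in External IP Address Of Firewall; low_port/high_port is the Data
    Channel Port Range, i.e. the ports the firewall has been told to allow."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != expected_ip:
        problems.append("server advertises %s, external clients expect %s "
                        "(External IP Address Of Firewall not set or wrong)" % (ip, expected_ip))
    if not (low_port <= port <= high_port):
        problems.append("port %d is outside the configured range %d-%d "
                        "(firewall will drop the data connection)" % (port, low_port, high_port))
    if port < 1024:
        problems.append("port %d is below 1024" % port)
    return problems


def probe(host: str, user: str = "anonymous", password: str = "anonymous@",
          expected_ip: str = None, low_port: int = 1024, high_port: int = 65535):
    """Live check against a real server (needs network access): log on, send
    PASV, and run the same checks on the reply the server actually gives."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        reply = ftp.sendcmd("PASV")
    return reply, check_pasv(reply, expected_ip or host, low_port, high_port)


if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(reply, "->", check_pasv(reply, "203.0.113.10", 5000, 6000) or "OK")
```

Run it from a client on the far side of the firewall: if the advertised address is private or the port falls outside the range you opened, the symptom in the note above (logon works, listing hangs) follows directly.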
Implementing IP Address and Domain Restrictions
You can increase the
security of an FTP server by limiting from which network addresses
specific FTP sites or folders can be accessed. To manage these settings,
select an FTP site or folder in IIS Manager, and then select the FTP
IPv4 Address And Domain Restrictions feature. The Actions pane provides
two commands for managing rules: Add Allow Entry and Add Deny Entry. IP
address-based rules enable you to specify either a single IP address or a
range of IP addresses that is defined using a subnet mask. (See Figure 27.)
Use the Edit
Feature Settings command in the Actions pane to specify the default
action for IP addresses that do not match any of the existing rules. The
default setting, Allow, specifies that these IP addresses will be
allowed to connect. Selecting the Deny option turns the list into an
allow list: only clients that match an Allow Entry can connect, which is
the least-privilege choice for a site that should serve a known set of
partners.
You
can enable domain name restrictions through the Edit Feature Settings
dialog box also. Domain name restrictions are based on DNS domain names
(such as extranet.contoso.com). Although they can be easier to manage
than specific IP address rules, the drawback is that domain name
restrictions can reduce performance significantly. This is because rules
are evaluated by performing a reverse DNS lookup on the client's address,
which can be time-consuming and can create significant load on the DNS
infrastructure. Bear in mind also that the owner of an address block
controls its reverse DNS records, so a domain-based Allow Entry is only
as trustworthy as the PTR data it relies on.
IPv4 Address And
Domain Restrictions settings are automatically inherited by child
objects. For example, restrictions defined at the level of an FTP site
will automatically apply to all the folders that are part of that site.
You can override this behavior by creating explicit rules for specific
folders and virtual directories. You can also use the Revert To Parent
command in the Actions pane to remove any specific settings.
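To make the evaluation order, the default action, domain rules, and inheritance concrete, here is an added example that is not code from the original text or from IIS: a small Python model of how these restrictions decide whether a client may connect. Its rule semantics (first matching entry wins, a level with no entries of its own inherits its parent's settings, unmatched clients get the default action) are this example's assumptions rather than a statement about IIS's internal implementation, and the reverse-DNS table it uses is constructed so that it runs offline.

```python
"""Added example (not from the original text or from IIS): a model of FTP IPv4
Address And Domain Restrictions. Assumptions: first matching rule wins; a level
with no rules of its own inherits its parent's; unmatched clients get the
default action (allow_unlisted)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network


@dataclass
class Rule:
    """One Allow or Deny entry: a single address, an address plus subnet mask
    (both expressed as an IPv4Network), or a DNS domain name."""
    allowed: bool
    network: Optional[ipaddress.IPv4Network] = None
    domain: Optional[str] = None


@dataclass
class Restrictions:
    """Settings at one level (site, folder, virtual directory).
    rules=None means this level has nothing of its own and inherits."""
    rules: Optional[List[Rule]] = None
    allow_unlisted: bool = True        # Edit Feature Settings: default action
    enable_reverse_dns: bool = False   # domain name restrictions on or off
    parent: Optional["Restrictions"] = None

    def effective(self) -> "Restrictions":
        """Walk up until a level with explicit settings is found."""
        if self.rules is None and self.parent is not None:
            return self.parent.effective()
        return self

    def revert_to_parent(self) -> None:
        """Equivalent of the Revert To Parent command in the Actions pane."""
        self.rules = None

    def decide(self, client_ip: str, resolver=socket.gethostbyaddr) -> bool:
        level = self.effective()
        addr = ipaddress.IPv4Address(client_ip)
        hostname = None   # reverse lookup is done at most once, and only if a domain rule is reached
        for rule in level.rules or []:
            if rule.network is not None and addr in rule.network:
                return rule.allowed
            if rule.domain is not None and level.enable_reverse_dns:
                if hostname is None:
                    hostname = reverse_lookup(addr, resolver)
                dom = rule.domain.lower()
                if hostname == dom or hostname.endswith("." + dom):
                    return rule.allowed
        return level.allow_unlisted


def reverse_lookup(addr: ipaddress.IPv4Address, resolver) -> str:
    """PTR lookup; a failed lookup matches no domain rule."""
    try:
        return resolver(str(addr))[0].lower()
    except (OSError, KeyError, IndexError, TypeError):
        return ""


# Constructed reverse-DNS table standing in for socket.gethostbyaddr offline.
PTR_TABLE = {"198.51.100.7": "gw1.extranet.contoso.com",
             "203.0.113.9": "vps.example.net"}


def fake_resolver(ip: str):
    return (PTR_TABLE[ip], [], [ip])   # same shape as gethostbyaddr's result


def build_demo():
    """Site: allow the 192.0.2.0/24 office block and the extranet domain, deny
    everyone else. 'pub' inherits. 'upload' has its own rules that shut out one
    misbehaving office host but keep the rest of the block."""
    site = Restrictions(rules=[Rule(True, network=IPv4Network("192.0.2.0/255.255.255.0")),
                               Rule(True, domain="extranet.contoso.com")],
                        allow_unlisted=False, enable_reverse_dns=True)
    pub = Restrictions(parent=site)
    upload = Restrictions(rules=[Rule(False, network=IPv4Network("192.0.2.50")),
                                 Rule(True, network=IPv4Network("192.0.2.0/24"))],
                          allow_unlisted=False, parent=site)
    return site, pub, upload


if __name__ == "__main__":
    site, pub, upload = build_demo()
    for ip in ("192.0.2.10", "192.0.2.50", "198.51.100.7", "203.0.113.9"):
        print(ip, "site:", site.decide(ip, fake_resolver),
              "pub:", pub.decide(ip, fake_resolver),
              "upload:", upload.decide(ip, fake_resolver))
```

Two details worth noticing: the reverse lookup happens only when a domain rule is actually reached, so putting address-based entries before domain-based ones limits the DNS cost the text warns about; and the `upload` folder, having entries of its own, no longer sees the site's domain rule at all, so an extranet host that the site admits is turned away there until Revert To Parent is used.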