IIS 7 and Above
ftps with virtual host names
Last post Feb 25, 2020 09:21 AM by Jalpa Panchal
Feb 23, 2020 06:03 PM|rossh
IIS 10 with a new FTP site: add a virtual host name, set the binding to port 990 (FTPS). Add a valid wildcard cert in the IIS FTP settings section. Check that the firewall is open on the appropriate port. The binding in the config file is, e.g., "126.96.36.199:990:abcd.mydoman.com"
This all worked in 2008R2, but in IIS 10 it fails. The server immediately closes the connection after receiving the Client hello packet. It looks and smells like the SChannel is not happy with the cert-port-domain map, but why?
If I eliminate the virtual host name and let it go with a * and the binding becomes "188.8.131.52:990:" then it all works and FTPS runs fine, albeit without the virtual host separations.
So how do I make IIS 10 map an FTP binding with a virtual host name to a cert, and accept the connection?
Thanks ross h
Feb 24, 2020 06:55 AM|Jalpa Panchal
First, make sure your IIS site binding is correct. When you use a virtual host name with an FTP site in IIS, you need to provide the username.
Set an allow rule in the IIS Manager Permissions feature for your site:
FTP authorization rule:
This uses the "ftp.example.com|username" syntax as part of the client login in order to route FTP requests to the correct FTP site. This syntax is compatible with almost every FTP client and should be thought of as a backward-compatible method for binding multiple FTP hostnames to a single IP address.
You could refer to the link below for more detail:
Feb 24, 2020 11:50 AM|rossh
My settings follow your example. Your example has no cert and does not use SSL, and if I do the exact copy of your example, it works here too.
Modify the example as follows.
Set the binding to port 990 (FTPS implicit),
Add a valid wildcard cert with the FTP SSL settings feature,
Set your FileZilla to Implicit FTP over TLS mode (which defaults to port 990).
06:45:25 Status: Resolving address of bu***.*********.com
06:45:25 Status: Connecting to 1**.**.**.151:990...
06:45:25 Status: Connection established, initializing TLS...
06:45:25 Error: GnuTLS error -110: The TLS connection was non-properly terminated.
06:45:25 Status: Server did not properly shut down TLS connection
06:45:25 Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
06:45:25 Error: Could not connect to server
In my case, the server drops the connection immediately on reception of the client's hello packet. A Wireshark packet check shows the server closes the connection.
How do I make SChannel map the virtual host name - cert - port combination?
Feb 25, 2020 09:21 AM|Jalpa Panchal
When you use Explicit FTPS with the IIS FTP site, you could use any other port except 990. 990 is used with Implicit FTPS, so just try to use port 21.
Please refer to the link below: