ftps with virtual host names

3 replies

Last post Feb 25, 2020 09:21 AM by Jalpa Panchal

  • ftps with virtual host names

    Feb 23, 2020 06:03 PM|rossh

    IIS 10 with a new FTP site, add virtual host name, set binding to port 990 (FTPS). Add valid wildcard cert to IIS FTP settings section. Check firewall is open on the appropriate port. The binding in the config file is, e.g., "1.2.3.4:990:abcd.mydoman.com"

    This all worked in 2008R2, but in IIS 10 it fails. The server immediately closes the connection after receiving the Client hello packet. It looks and smells like the SChannel is not happy with the cert-port-domain map, but why?

    If I eliminate the virtual host name and let it go with a * and the binding becomes "1.2.3.4:990:" then it all works and FTPS runs fine, albeit without the virtual host separations.

    So how to make IIS 10 map an FTP binding with a virtual host name to a cert, and accept the connection?

    Thanks ross h

  • Re: ftps with virtual host names

    Feb 24, 2020 06:55 AM|Jalpa Panchal

    Hi,

    First, make sure your IIS site binding is correct. When you use the virtual hostname with an FTP site in IIS, you need to provide the username.

    Set an allow rule in the IIS Manager permission feature for your site:

    FTP authorization rule:

    This uses the "ftp.example.com|username" syntax as part of the client login in order to route FTP requests to the correct FTP site. This syntax is compatible with almost every FTP client and should be thought of as a backward-compatible method for binding multiple FTP hostnames to a single IP address.

    Result:

    You could refer to the links below for more detail:

    https://docs.microsoft.com/en-us/archive/blogs/robert_mcmurray/ftp-clients-part-3-creating-a-global-listener-ftp-site

    https://serverfault.com/questions/887176/530-valid-hostname-is-expected-when-setting-up-iis-10-for-multiple-sites

    https://forums.iis.net/t/1196845.aspx

    Regards,

    Jalpa

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
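
The "ftp.example.com|username" routing described in the answer above, as an added Python model that is not part of the original posts and is not IIS code: it parses "IP:port:hostname" binding strings and picks a site from the USER argument. The function names, the sample bindings and the exact-match rule are assumptions for illustration; IPv6 bindings and IIS's real fallback rules are not modelled.

```python
# Added illustration: simplified model of hostname-based FTP site selection.
# Not IIS code; Binding, parse_binding, split_login, route_login are hypothetical.
from typing import NamedTuple, Optional


class Binding(NamedTuple):
    site: str
    ip: str
    port: int
    host: str  # empty string means the binding has no virtual host name


def parse_binding(site: str, info: str) -> Binding:
    """Parse an "IP:port:hostname" binding string (IPv4 or "*" only)."""
    ip, port, host = info.split(":", 2)
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in binding {info!r}")
    return Binding(site, ip or "*", int(port), host.strip().lower())


def split_login(user_arg: str) -> tuple:
    """Split a USER argument into (hostname, username); hostname may be ''."""
    host, sep, user = user_arg.partition("|")
    return (host.strip().lower(), user) if sep else ("", user_arg)


def route_login(bindings, ip: str, port: int, user_arg: str) -> Optional[tuple]:
    """Return (site, username), or None where the login would be refused
    (the "530 Valid hostname is expected" case)."""
    host, user = split_login(user_arg)
    for b in bindings:
        if b.ip in ("*", ip) and b.port == port and b.host == host:
            return b.site, user
    return None


# Constructed sample bindings (documentation addresses, not from the thread).
BINDINGS = [
    parse_binding("SiteA", "192.0.2.10:21:ftp.example.com"),
    parse_binding("SiteB", "192.0.2.10:21:files.example.com"),
]

if __name__ == "__main__":
    for login in ("ftp.example.com|alice", "FILES.example.com|bob", "alice"):
        print(login, "->", route_login(BINDINGS, "192.0.2.10", 21, login))
```
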
  • Re: ftps with virtual host names

    Feb 24, 2020 11:50 AM|rossh

    Hi,

    My settings follow your example. Your example has no cert and does not use SSL, and if I do the exact copy of your example, it works here too.

    Modify the example as follows.

    Set the binding to port 990 (FTPS implicit),

    Add a valid wildcard cert with the FTP SSL settings feature,

    Set your FileZilla to Implicit FTP over TLS mode (which defaults to port 990).

    Try that.

    06:45:25 Status: Resolving address of bu***.*********.com
    06:45:25 Status: Connecting to 1**.**.**.151:990...
    06:45:25 Status: Connection established, initializing TLS...
    06:45:25 Error: GnuTLS error -110: The TLS connection was non-properly terminated.
    06:45:25 Status: Server did not properly shut down TLS connection
    06:45:25 Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
    06:45:25 Error: Could not connect to server

    In my case, the server drops the connection immediately on reception of the client's hello packet. A Wireshark packet check shows the server closes the connection.

    How to make schannel map the virtual host name - cert - port combination?

  • Re: ftps with virtual host names

    Feb 25, 2020 09:21 AM|Jalpa Panchal

    Hi,

    When you use Explicit FTPS to the IIS FTP site, you could use any other port except 990. 990 is used with Implicit FTPS, so just try to use port 21.

    Please refer to the links below:

    https://docs.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7

    https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/security/ssl
