Problems creating FTPS site in Win 2019

Mike Leone
May 27, 2021, 4:08:27 PM
to NTSysAdmin
This is driving me crazy. I have an FTP site running in IIS on Win 2019. Works perfectly. I got a cert for that server, assigned it in IIS Manager. 

Went to "FTP SSL" for that FTP site, chose the cert, and chose "Allow SSL connections".

And nothing. Testing with Filezilla - site: ftps://<myURL>, ID and password - I see it's trying to connect, but it just times out on port 990.

Even though the FTP installation created firewall rules, I made a new one - port 21, 990, and 40000-41000 (for passive ports), protocol TCP. Didn't help. 
I verified that I had 40000-41000 in the "FTP Firewall Support" entry for the site.

The weird thing? If I connect with Filezilla to plain "ftp://<myURL>", it works fine AND tells me it sees a valid cert:

Status: Connecting to 10.64.7.45:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful


So what am I doing wrong, that I can't specify FTPS as a connection method?
(It's not just Filezilla that hangs; I'm trying to do a backup of my vCenter, and it wants to use FTPS. But it fails, too. So it's not just a Filezilla issue.)

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Philip Elder
May 27, 2021, 4:16:13 PM
to ntsys...@googlegroups.com

Based on the status statements it looks as though FTPS is in place. It’s still the “FTP” protocol just secured by an SSL certificate?

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Cloud: www.CanadianCloudWorx.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BiJVDzVJNRt4E2Ob36OMTuxREVYJ3y0F___1jHfeRS8VA%40mail.gmail.com.

Kurt Buff
May 27, 2021, 5:26:27 PM
to ntsys...@googlegroups.com
1) I'm not a fan of filezilla - I'd run tests with WinSCP, powershell and nmap, just to make sure that the port is open and functions as expected.

2) You are getting the TLS connection - is vCenter just not willing to take the ftp:// URI stem?

3) I don't have an IIS box handy for a test, but does netstat show the port as open and listening on the machine? Is there a host firewall rule allowing connections?

Kurt
 

--

Mike Leone
May 27, 2021, 6:05:38 PM
to NTSysAdmin
On Thu, May 27, 2021 at 4:16 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Based on the status statements it looks as though FTPS is in place. It’s still the “FTP” protocol just secured by an SSL certificate?


You would think ... but it doesn't work if I use the FTPS URI. And it shouldn't, I don't think ...
 

Mike Leone
May 27, 2021, 6:10:00 PM
to NTSysAdmin
On Thu, May 27, 2021 at 5:26 PM Kurt Buff <kurt...@gmail.com> wrote:
1) I'm not a fan of filezilla - I'd run tests with WinSCP, powershell and nmap, just to make sure that the port is open and functions as expected.

WinSCP doesn't do FTPS, it does SFTP (which is different - that's FTP over SSH, as opposed to FTP over SSL, which is what I am trying to do).

Also, I tried turning the firewall off completely; still didn't work. :-) So it's not being blocked ....

 
2) You are getting the TLS connection - is vCenter just not willing to take the ftp:// URI stem?

It doesn't connect when specifying FTPS://. Neither does Filezilla, which just sits there and says connection timed out. Since it fails with 2 clients, that leads me to believe I'm doing something wrong with the server ...

 

3) I don't have an IIS box handy for a test, but does netstat show the port as open and listening on the machine? Is there a host firewall rule allowing connections?

Yep. As I said, installing the FTP service added a rule. And I even added my own rule, effectively duplicating that. Still nothing. But since it doesn't work with the firewall off, that can't be the problem ...

 

Kurt Buff
May 27, 2021, 6:20:52 PM
to ntsys...@googlegroups.com
The WinSCP docs surely imply that it does FTPS:

And, when I select FTP as the protocol, there are selections for "no encryption", "tls/ssl implicit encryption", and "tls/ssl explicit encryption" - choosing implicit automatically changes the port specification to 990.

What does NMAP say when that machine is scanned?

Kurt

Mike Leone
May 27, 2021, 6:25:47 PM
to NTSysAdmin
I haven't scanned with nmap (I don't have a copy of it handy). But with no firewall turned on, then it should be open ..

WinSCP does just as FileZilla ... nothing. :-) Just times out ...."Timeout detected (Control connection)".


Mike Leone
May 27, 2021, 6:28:57 PM
to NTSysAdmin
On Thu, May 27, 2021 at 6:25 PM Mike Leone <tur...@mike-leone.com> wrote:
I haven't scanned with nmap (I don't have a copy of it handy). But with no firewall turned on, then it should be open ..

However, a Powershell Test-NetConnection -port 990 fails, although ping succeeds. Which is what I've been thinking - there's nothing responding on that port, although the FTP service *should* be listening on it. And it's not ...

Kurt Buff
May 27, 2021, 6:39:16 PM
to ntsys...@googlegroups.com
Interesting. So netstat on the IIS box shows port 990 as in a listening state? On what interface?

Kurt

Kurt Buff
May 27, 2021, 6:40:10 PM
to ntsys...@googlegroups.com
Or rather, what IP address?

Kurt

Mike Leone
May 27, 2021, 6:57:12 PM
to NTSysAdmin
Netstat on the IIS box doesn't show port 990 at all. I see 21 as LISTENING (0.0.0.0:0) TCP, but no 990. There's nothing listening on that port, as I said.


Michael B. Smith
May 27, 2021, 6:57:37 PM
to ntsys...@googlegroups.com

Just like SMTP over TLS happens over port 25, I don’t find it odd that FTP over TLS happens over port 21.

2) You are getting the TLS connection - is vCenter just not willing to take the ftp:// URI stem?

Mike Leone
May 27, 2021, 7:37:21 PM
to NTSysAdmin


On Thu, May 27, 2021, 6:57 PM Michael B. Smith <mic...@smithcons.com> wrote:

Just like SMTP over TLS happens over port 25, I don’t find it odd that FTP over TLS happens over port 21.


Yes, but every client that I've tried, when specifying a FTPS:// URI, defaults to port 990. Even when I specify port 21 with a FTPS URI, the client attempts to connect to port 990. Filezilla, WinSCP, etc.

And doesn't SMTP over SSL happen on port 465?

Kurt Buff
May 27, 2021, 7:42:00 PM
to ntsys...@googlegroups.com
So bind the service to port 990, and see if your clients like it better.

Kurt

Mike Leone
May 27, 2021, 7:51:12 PM
to ntsys...@googlegroups.com
Tried that. The only binding options in IIS are ftp, Port 21. And https, which I can bind to 990. And already tried that, which didn't work (not that I expected it to).


--
"Well, it wasn't actually dreadful. It was mildly lamentable."

Michael B. Smith
May 27, 2021, 7:56:25 PM
to ntsys...@googlegroups.com

Some SMTP servers support it, others don't.

 

Exchange, for example, allows you to bind to whatever port you want. But SMTP over TLS is by default port 25.

Kurt Buff
May 27, 2021, 10:57:09 PM
to ntsys...@googlegroups.com

Andrea 'ML' Suatoni
May 28, 2021, 3:00:04 AM
to ntsys...@googlegroups.com

Are you using Explicit or Implicit FTPS? There’s a difference between the two, and the fact you are not seeing port 990 open makes me think you are using Explicit FTPS:

 

https://www.advancedcyber.co.uk/it-security-blog/what-is-explicit-and-implicit-ftps

 

https://blogs.iis.net/robert_mcmurray/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps

 

Andrea
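To see which of the two modes a server actually offers, here is an added PowerShell probe (example code, not from the thread or the linked articles): it performs the explicit AUTH TLS exchange on port 21 and an immediate TLS handshake on port 990, and reports what each port answers. The hostname is a placeholder; no login is attempted.

```powershell
param([string]$Server = 'ftp.example.internal')   # placeholder: your own IIS FTP host

# Record certificate-chain problems instead of aborting the probe, so an
# internal-CA cert that the client does not trust is reported rather than hidden.
$script:CertErrors = 'None'
$validate = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors) $script:CertErrors = $errors; $true }

function Test-ExplicitFtps {
    param([string]$HostName, [int]$Port = 21)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait(5000)) { return 'no TCP listener (timeout)' }
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $banner = $reader.ReadLine()        # plain-text 220 greeting, e.g. "220 Microsoft FTP Service"
        $writer.WriteLine('AUTH TLS')       # RFC 4217: ask to upgrade the control connection to TLS
        $reply = $reader.ReadLine()         # "234 ..." means the server will start TLS now
        if ($reply -like '234*') { return "explicit FTPS offered ($banner)" }
        return "explicit FTPS refused: $reply"
    } finally { $client.Dispose() }
}

function Test-ImplicitFtps {
    param([string]$HostName, [int]$Port = 990)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait(5000)) { return 'no TCP listener (timeout)' }
        # Implicit mode: TLS is negotiated before any FTP banner is sent.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($HostName)
        $banner = (New-Object System.IO.StreamReader($ssl)).ReadLine()   # greeting arrives inside TLS
        return "implicit FTPS offered ($banner); cert: $($ssl.RemoteCertificate.Subject); chain errors: $script:CertErrors"
    } catch [System.IO.IOException], [System.Security.Authentication.AuthenticationException] {
        return "port $Port answered but no TLS handshake: $($_.Exception.Message)"
    } finally { $client.Dispose() }
}

"Explicit on 21 : " + (Test-ExplicitFtps -HostName $Server)
"Implicit on 990: " + (Test-ImplicitFtps -HostName $Server)
```

A server configured as in the original post should report explicit FTPS offered on 21 and a timeout on 990, which is exactly the pattern the clients in the thread were hitting.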

 

 


Michael B. Smith
May 28, 2021, 8:48:38 AM
to ntsys...@googlegroups.com

Under “bindings and ssl settings” you can change the port to 990 if you want.

 

But, since IIS 7.5, the default has been 21.

 


Mike Leone
May 28, 2021, 12:26:33 PM
to ntsys...@googlegroups.com

Mike Leone
May 28, 2021, 12:28:12 PM
to ntsys...@googlegroups.com
On Fri, May 28, 2021 at 8:48 AM Michael B. Smith <mic...@smithcons.com> wrote:

Under “bindings and ssl settings” you can change the port to 990 if you want.


There is no protocol "ftps" shown, only "https". And choosing that, and a Port 990, didn't work.

Mike Leone
May 28, 2021, 12:32:38 PM
to ntsys...@googlegroups.com


On Thu, May 27, 2021 at 10:57 PM Kurt Buff <kurt...@gmail.com> wrote:
Grasping at straws, but perhaps this will help:

That is the guide I am following. :-(

Michael B. Smith
May 28, 2021, 12:57:08 PM
to ntsys...@googlegroups.com

You would still choose ftp.

 

Read the IIS documentation on ftp with ssl.

 

https is literally a different protocol than http (not a lot, but different). That’s not true with ftp vs. ftps. Only the auth handshake is different (same as with smtp).

Kurt Buff
May 28, 2021, 12:57:33 PM
to ntsys...@googlegroups.com
Certificate: Self-signed, Public or from an internal CA?

I'm running out of ideas...

Kurt


Mike Leone
May 28, 2021, 1:00:51 PM
to NTSysAdmin
On Fri, May 28, 2021 at 12:57 PM Kurt Buff <kurt...@gmail.com> wrote:
Certificate: Self-signed, Public or from an internal CA?

Internal CA. Which wouldn't cause a non-response on that port ....
 
I'm running out of ideas...

I ran out, before my first posting. LOL
 

Kurt Buff
May 28, 2021, 1:02:53 PM
to ntsys...@googlegroups.com
Reboot? Uninstall then reinstall?

Kurt


Mike Leone
May 28, 2021, 1:03:21 PM
to NTSysAdmin
On Fri, May 28, 2021 at 12:57 PM Michael B. Smith <mic...@smithcons.com> wrote:

You would still choose ftp.


If I did that, then it wouldn't respond to non-FTPS, right? It would only respond to port 990, and not the regular 21. Obviously, I don't want that, because I want to be able to support either FTP or FTPS, but clients attempt each on a different port. 


 Read the IIS documentation on ftp with ssl.


I have read the MS docs. If I understood it (or it was clear to me where I'm going wrong), then I wouldn't be needing to ask for help. LOL

Mike Leone
May 28, 2021, 1:03:44 PM
to NTSysAdmin
On Fri, May 28, 2021 at 1:02 PM Kurt Buff <kurt...@gmail.com> wrote:
Reboot?

Tried that.
 
Uninstall then reinstall?

Tried that, too.

 

Michael B. Smith
May 28, 2021, 1:14:04 PM
to ntsys...@googlegroups.com

In iis under “bindings and ssl settings” you can choose no cert, cert optional, and cert required.

 

If cert required, it’ll only use ftps even though it’s using port 21.

 

I’m done beating this horse. Good luck.

Mike Leone
May 28, 2021, 1:25:49 PM
to ntsys...@googlegroups.com
On Fri, May 28, 2021 at 1:14 PM Michael B. Smith <mic...@smithcons.com> wrote:

In iis under “bindings and ssl settings” you can choose no cert, cert optional, and cert required.

 

If cert required, it’ll only use ftps even though it’s using port 21.

 

I’m done beating this horse. Good luck.


Sorry to bug you. 

The clients I've tried (Filezilla, WinSCP) all use Port 990 when you specify FTPS, even when you tell them to use Port 21. And for vCenter backup, all you can specify is the URI (FTPS), not the port. So they all use Port 990, which is apparently the default Port for FTPS.

So if IIS will only use Port 21 for FTPS, then it's useless to me, unless I jump through hoops to redirect 990 to 21. 

Which isn't worth the aggravation, in my opinion (and for my internal case).

Dennis Pinckard
May 28, 2021, 5:39:42 PM
to ntsys...@googlegroups.com

Never set up FTPS on IIS, but from: https://docs.plesk.com/en-US/obsidian/advanced-administration-guide-win/system-maintenance/switching-on-implicit-ftps.74258/

Switching On Implicit FTPS

By default IIS FTP site supports explicit FTPS only. To turn on implicit FTPS, follow these instructions:

  1. Open the IIS Manager. Go to Sites > FTP site, and click Bindings.
  2. Add a binding with the following properties:
    • Type = ftp
    • IP Address = All Unassigned
    • Port = 990
  3. Restart the FTP site and the DefaultAppPool application pool.


So my reading of that means that by default, IIS will listen to port 21 for all FTP/FTPS traffic and if FTPS is negotiated, then switch to port 990/989 for FTPS traffic.  That's the client explicitly requesting FTPS. (Or maybe server, I'm not really up on it, preferring SFTP)

But it sounds like you've done at least most of the steps listed above.  Did you restart the app pool?
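The quoted Plesk steps, scripted with the IIS WebAdministration module as an added example (not from the thread or the Plesk page): it adds the ftp binding on 990 next to the existing one on 21, restarts the site and pool, and then checks for the listener that netstat was not showing. The site name is a placeholder, and the FTP SSL certificate is assumed to be assigned already, as in the original post.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName     = 'Default FTP Site'   # placeholder: use the FTP site name shown in IIS Manager
$implicitPort = 990

# Step 2 of the quoted procedure: Type = ftp, IP Address = All Unassigned (*), Port = 990.
# The existing *:21 binding is left in place, so explicit FTPS on 21 is still offered.
$existing = Get-WebBinding -Name $siteName -Protocol ftp |
    Where-Object { $_.bindingInformation -eq "*:${implicitPort}:" }
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol ftp -IPAddress '*' -Port $implicitPort
}
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize

# Step 3: restart the FTP site and the DefaultAppPool application pool.
Restart-WebItem "IIS:\Sites\$siteName"
Restart-WebAppPool -Name 'DefaultAppPool'

# Verification: before the fix netstat showed 21 but no 990; a working implicit
# binding shows up as a LISTEN socket on 0.0.0.0:990 owned by the FTP service.
$listener = Get-NetTCPConnection -LocalPort $implicitPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    "Listening on {0}:{1} (PID {2})" -f $listener.LocalAddress, $listener.LocalPort, $listener.OwningProcess
} else {
    "Nothing is listening on port $implicitPort; check the binding and the ftpsvc service."
}

# The same reachability test Mike ran from a client, now against the new port.
Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $implicitPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```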


Mike Leone
Jun 1, 2021, 9:54:04 AM
to ntsys...@doomsdaypig.com, NTSysAdmin
That did it! At least for WinSCP and FileZilla. Both connected fine on port 990 with ftps as the protocol.  But it does *not* connect on port 21 with "ftp" as the protocol.

<SIGH>

Well, what I need more than anything is for my vCenter to do its scheduled backups, and that only seems to work with "ftp" as the protocol and port 21. So that's what I will have to fall back to.

I suppose if I really needed it to, I could create a 2nd FTP site, and bind it as above. I'd have to specify the name of the host in the bindings, I think.

Well, anyway, to summarize - the above does work for "ftps" and port 990 on IIS. I just can't get my vCenter backup to do it that way. So I will fall back to port 21.

Thanks everybody. Sorry for all the aggravation.



Henry Awad
Jun 1, 2021, 10:19:17 AM
to ntsys...@googlegroups.com, ntsys...@doomsdaypig.com
What version of vCenter are you using because as of 7.0 you can use SMB and CIFS. I have it setup to use a Windows SMB share and it works perfectly.

Mike Leone
Jun 1, 2021, 10:30:25 AM
to NTSysAdmin, ntsys...@doomsdaypig.com
On Tue, Jun 1, 2021 at 10:19 AM Henry Awad <aw...@cua.edu> wrote:
What version of vCenter are you using because as of 7.0 you can use SMB and CIFS. I have it setup to use a Windows SMB share and it works perfectly.

6.7. I have FTP, FTPS, HTTPS, NFS, SCP and SMB as options. I couldn't get SCP to work, and VMware support tells me I would need a Linux server to properly use SCP (which seems a little odd to me, but it's their product, they should know, I suppose ...)


Henry Awad
Jun 1, 2021, 1:37:06 PM
to ntsys...@googlegroups.com
The problem with SMB support in 6.7 is that it only works with SMB v1 which is not secure and shouldn't be used unless you have a way to segregate the traffic to secure it. If you can upgrade vCenter to 7.0 (or even better 7.0.2 if your backup and monitoring systems will support it) then I would highly recommend it as you can use SMB v2 and you can also encrypt the backups (the encryption if I remember correctly is not exclusive of version 7.0)

Thanks,
Henry Awad
Senior Systems Engineer
Technology Services
The Catholic University of America



whiskered
Jun 2, 2021, 5:14:23 AM
to ntsys...@googlegroups.com
Another option would be to enable SSH on an ESXi host and use SCP to save the backup to the local storage of the ESXi host,
like:
scp://xxx.xxx.xxx.xxx:22/vmfs/volumes/esxi-local-datastore/vsphere-appliance-bkup