- Filezilla Ftp Over Ssl
- Filezilla Ftp Over Ssl
- Filezilla Iis Ftp Ssl
- Filezilla Secure Ftp Server
- Filezilla Server Ftps Setup
- Filezilla Connect To Ssl Ftp
If FileZilla responds with Connection established, initializing TLS and it fails to open the connection, navigate to File- Site Manager and try changing your Encryption to Only use plain FTP (insecure).
by Robert McMurray
|IIS 7.5||The FTP 7.5 service ships as a feature for IIS 7.5 in Windows 7 and Windows Server 2008 R2.|
|IIS 7.0||The FTP 7.0 and FTP 7.5 services were shipped out-of-band for IIS 7.0, which required downloading and installing the service from the following URL: https://www.iis.net/download/FTP.|
- FileZilla is a popular free software, cross-platform FTP application comprising of FileZilla Client and FileZilla Server. Developed by Tim Kosse, the first FileZilla release dates back to June 21.
- Try connecting with FileZilla free S/FTP client. If FileZilla fails to connect, contact your web hosting provider to verify you have the proper log-in credentials and settings for you server. If FileZilla fails to connect, contact your web hosting provider to verify you have the proper log-in credentials and settings for you server.
Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.
One of the features is FTP over Secure Sockets Layer (SSL), which allows sessions to be encrypted between an FTP client and server. This document walks you through: setting up an FTP site; and, configuring that site to use SSL with the new FTP user interface, which allows you to directly edit the IIS 7.0 configuration files. It contains:
This walk-through contains a series of steps where you log in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you must create the appropriate folders and set the correct permissions for that user account when necessary.
The following items are required to be installed to complete the procedures in this article:
IIS 7.0 must be installed on your Windows 2008 Server, and the Internet Information Services Manager must be installed.
The new FTP service. You can download and install the FTP service from the https://www.iis.net/ web site using one of the following links:
You will need to create a root folder for FTP publishing:
Create a folder at
Set the permissions to allow access for the administrators group:
- Open a command prompt.
- Type the following command:
ICACLS '%SystemDrive%inetpubftproot' /Grant administrators:F /T
- Close the command prompt.
The settings listed in this walkthrough specify
%SystemDrive%inetpubftproot as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you must change the site-related paths that are used throughout this walkthrough.
OPTIONAL: Creating a Self-signed SSL Certificate
In this optional task you will create a self-signed SSL certificate that you will use for testing your FTP site.
If you are setting up an FTP site for Internet-based activity, you would obtain an SSL certificate from one of the many Certification Authorities, such as VeriSign, Thawte, DigiCert, etc. For more information, see Certification Authorities.
- Open the Internet Information Services (IIS 7.0) Manager.
- Click your computer at the top node of the Connections tree, then double-click the Server Certificates feature.
- Click Create Self-Signed Certificate in the Actions pane.
- Enter 'My FTP Certificate' as the name for the new certificate, then click OK.
Creating an SSL-enabled FTP Site Using the IIS 7.0 Manager
Step 1: Use the FTP Site Wizard to Create an SSL-based FTP Site
In this first step, you create a new FTP site that can only be opened using your administrator account.
Go to IIS 7.0 Manager. In the Connections pane, click the Sites node in the tree.
Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
When the Add FTP Site wizard appears:
Enter 'My New FTP Site' in the FTP site name box, then navigate to the
%SystemDrive%inetpubftprootfolder that you created in the Prerequisites section.
If you choose to type in the path to your content folder, you can use environment variables in your paths.
On the next page of the wizard:
Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of 'All Unassigned.' Because you will use the administrator account later in this walk-through, make sure that you restrict access to the server and enter the local loopback IP address for your computer by typing '127.0.0.1' in the IP Address box.
You would normally enter the TCP/IP port for the FTP site in the Port box. For this walk-through, choose to accept the default port of 21.
For this walk- through, you do not use a host name, so make sure that the Virtual Host box is blank.
Make sure that the Certificates drop-down is set to your SSL certificate. For example, if you followed the optional step to create a self-signed certificate, the drop-down box should say 'My FTP Certificate'.
Make sure that the Allow SSL option is selected.
On the next page of the wizard:
Select Basic for the Authentication settings.
For the Authorization settings:
- Choose 'Specified users' from the Allow access to drop-down.
- Type 'administrator' for the user name.
- Select Read and Write for the Permissions option.
When you have completed these items, click Finish.
You have successfully created a new SSL-based FTP site using the new FTP service.
To recap the items that you completed in this step:
- You created a new FTP site named 'My New FTP Site', with the site's content root at
- You bound the FTP site to the local loopback address for your computer on port 21.
- You chose to require Secure Sockets Layer (SSL) for the FTP site, and selected your SSL certificate.
- You enabled Basic Authentication and created an authorization rule for the local administrator account for Read and Write access.
Step 2: Configuring Additional FTP SSL Settings
The SSL policy for FTP is customizable on a site-by-site basis. Different settings can be specified for the control and data channels. In this step, you configure additional SSL settings for your FTP site that ensure that all user credentials are encrypted, even if all other FTP activity is not.
Go to the IIS 7.0 Manager. Click the node for the FTP site that you created in Step 1. The icons for all of the FTP features display.
In order to configure the SSL options, double-click the FTP SSL Settings icon to open the SSL settings feature page.
When the FTP SSL Settings page displays, select the Custom option, and then click the Advanced button.
When the Advanced SSL Policy dialog box is displayed:
Select the Require only for credentials option for the control channel.
This setting requires that all user names and password are encrypted via SSL, but the client can choose whether to encrypt all other control channel activity.
Select the Allow option for the data channel.
This setting allows the client to choose whether to encrypt any data channel activity.
When you have completed these items, click OK.
On the FTP SSL Settings page, click Apply in the Actions pane to save the SSL settings.
To recap the items that you completed in this step:
- You configured the control channel SSL policy to require that all user credentials are encrypted, and allowed FTP clients to determine whether to encrypt all other control channel activity.
- You configured the data channel SSL policy to allow FTP clients to determine whether to encrypt any data channel activity.
Logging in To Your FTP Site
In Step 1, you created an FTP site that can be accessed by the administrator account. In Step 2, you configured the control channel SSL policy to require that all user credentials are encrypted while allowing FTP clients to choose whether or not all other control channel and data channel activity be encrypted.
When logging in to the FTP server using an SSL-capable FTP client, the FTP server supports the following explicit security options:
- TLS-C/TLS - Use TLS for the connection with RFC2228 defaults. This means that there is no implicit protection of the data connection.
- TLS-P/SSL - Use TLS for the connection. This means that the data connection is implicitly protected.
These settings can be configured when specifying the SSL connection options in most 3rd-part FTP clients.
Adding SSL-based FTP Publishing by Editing the IIS 7.0 Configuration Files
You can also add SSL-based FTP publishing to an existing Web site by editing the IIS 7.0 configuration files.
Editing your applicationHost.config file requires full administrative permissions. Use one of two methods:
- Log in to your computer using the local 'administrator' account.
Filezilla Ftp Over Ssl
- If you are logged in using an account with administrative permissions that is not the local 'administrator' account, open Notepad using the 'Run as Administrator' option.
One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, see User Account Control.
The following steps walk you through all of the required settings to add FTP publishing for the Default Web Site.
Step 1: Retrieve the Hash for your SSL Certificate:
- In the Server Certificates feature, double-click your SSL certificate. For example, if you followed the optional step to create a self-signed certificate, you would double-click the certificate that is named 'My FTP Certificate'.
- Click the Details tab.
- Scroll through the fields until you locate the Thumbprint value.
- Highlight the Thumbprint value, the data displays as:
'57 68 6F 61 20 44 75 64 65 2C 20 49 49 53 20 52 6F 63 6B 73'
- Copy the hex data from the text box and paste it in the clipboard. Then, open Windows Notepad and paste the data into a blank document.
Step 2: Add FTP to your Default Web Site
Using a text editor such as Windows Notepad, open your applicationHost.config file, which is located in your
%SystemRoot%System32inetsrvconfigfolder by default.
Locate the section for your Default Web Site. It should resemble the following example:
Create a new binding element in the bindings collection. Set the value of the protocol attribute on the new binding element to contain 'ftp', then change the port value of the bindingInformation attribute to contain '21'. Your Default Web Site's settings should now resemble the following example:
Add an <ftpServer> section beneath the closing <bindings> tag that will contain your authentication and SSL settings.
The authentication settings for FTP sites are configured at the site-level, unlike authentication for Web sites, which can be configured per URL.
Copy and paste the thumbprint data from the SSL certificate into the serverCertHash attribute of the SSL element. Remove all the spaces from the thumbprint data.
If you do not convert the hex data to uppercase, it will not show up in IIS Manager later.
Your Default Web Site settings should now contain something like the following example:
Scroll to the bottom of your applicationHost.config file and add a location section for your Default Web Site that will contain your authorization settings.
As shown in this example, the authorization settings for FTP sites are configured per URL.
Save your applicationHost.config file.
You should now be able to log in to your Default Web Site using an SSL-based FTP client.
In this task you added SSL-based FTP publishing to your Default Web Site by editing the IIS 7.0 configuration files. To recap the items that you completed in this task:
- You added an FTP binding to the Default Web Site.
- You enabled FTP basic authentication and disabled FTP anonymous authentication for the Default Web Site.
- You configured the site to require SSL for all control channel and data channel activity.
- You configured the administrator account for Read/Write permissions for the Default Web Site.
Filezilla: The server’s certificate is unknown error prevents you from connecting to your server over secure FTP connection.
As now all is moving to https it’s also good to enable SSL/TLS for FTP to protect plain text login credentials.
As you can see on the above screenshot, the server SSL certificate seems to be expired, even though we know that this is not the case.
Obviously the FTP server is pulling the the wrong certificate.
Step #1: Find the SSL Server Configuration File
Let’s click on “Status” of the FTP Server:
This is what we see:
From this wee see that the configuration file is
Step #2: Find The SSL Certificate File Used By FTP Server
You can see it on the following line:
Step #3: Examine The SSL Certificate File
Let’s enter the following date in the SSH Console or Putty:
Filezilla Ftp Over Ssl
As we can see, the certificate contained in this file expired on Jan 4, 2020
This expiration date matches the date shown in red on Filezilla (see featured image of this post).
Step #4: Install SSL for FTP
Our instruction will guide you to install and configure pure-ftpd to use SSL/TLS.
Hostname certificate needs to be already installed, check that these files exist:
In this case
- Main SSL folder = /etc/pki/tls/
- Certificate folder = /etc/pki/tls/certs/
- Private key folder = /etc/pki/tls/
Create Certificate File for pure-ftpd
Warning: Make sure the above paths, file names and extensions are fully correct.
Filezilla Iis Ftp Ssl
The above commands simply create a hostname.pem file by merging your host’s private key and its certificate.
Then the permission is set to 600.
Step #5: Failed To Retrieve Directory Listing (Explicit FTP over TLS)
Unless you modify your server settings, you will get this error:
Filezilla Secure Ftp Server
Status: Connection established, waiting for welcome message…
Command: USER XXXXXX
Password required for user
Command: PASS *********
Status: Retrieving directory listing…
Error: Failed to retrieve directory listing
Therefore the following steps are needed:
To to allow FTP and TLS sessions, set TLS to 1:
Then remove the # in front of the following 2 lines and make sure they point to the right file:
Set Passive Port Range in PureFTPD:
and save the altered configuration file.
Note: On some servers you may be unable to directly edit the configuration file. In that case download it from the server, edit it in Notepad and re-upload it.
Filezilla Server Ftps Setup
Now configure the firewall to accept incoming connections on CSF firewall.
You can do the following steps:
Filezilla Connect To Ssl Ftp
- Edit /etc/csf/csf.conf and look for the line that begins with: TCP_IN
- add 60000:60100 to TCP_IN section.
- Reload the config in the firewall