Friday, September 9, 2016

The Microsoft FTP with user isolation and how to automate the setup with Powershell (with Domain Users)

The magic of FTP with user isolation, unlike a normal FTP server, is that every user has his own directory and cannot touch other users' directories or change to the root directory. In Linux it is similar to the "chroot" option after the user has logged into his home directory, but it additionally needs directory permissions to be configured.
Today I will show you how to set up FTP with user isolation in IIS 8.5 (also tested on Server 2008 R2 with IIS 7.5) with domain user accounts in graphical mode. I have also written a PowerShell script to automate this FTP setup process for thousands of users ;P. All Active Directory users must already exist before you do this FTP setup. (If you need to create bulk AD users in nested OUs automatically with PowerShell, you can do it easily with the script I created earlier here. It creates 1,500 users in 3 minutes from your CSV or Excel file. ;P)
1) If you are using the GUI method, you only need to install the FTP Server role and the IIS Management Console. Then you manually create the folders and users and give each user access rights to the FTP site. If you instead create a security group and add the AD users to that group, you do not need to deal with permissions for each user individually.
2) If you are using the PowerShell method, you need two additional roles: Active Directory module for Windows PowerShell and Windows Process Activation Service. So in total there are 4 roles to install before using the scripting method. Don't worry, the script installs these 4 roles automatically while it runs. If you prefer to install them separately before running the script, you can do it with one PowerShell command:
Add-WindowsFeature RSAT-AD-Powershell,Web-Ftp-Server,Web-Mgmt-Console,WAS-Process-Model
You need either local admin or domain admin permission to do this. I also assume that the computer where you want to install the FTP service has already been joined to the domain.
We will do the below steps for this GUI configuration mode.
  1. Create new security group for ftp users
  2. Install FTP Service and IIS Management Console
  3. Create new FTP Site and Virtual Directory
  4. Configure FTP user isolation mode.
In our scenario, we have 3 computers:
  • dc1.contoso.com (domain controller where we will create users and group)
  • node2.contoso.com (domain member computer where ftp server will be installed and do necessary ftp configurations)
  • another client computer from which we will test access to our ftp site
Method-1: Using GUI to setup FTP with user isolation
i) Create new group for ftp users
On the domain controller, or on a computer where the Remote Server Administration Tools are installed, create a new security group in the OU where the ftp users are located. Later we will add the ftp users to that group and grant that group permission to access our ftp site. Let's say we create a group "sales_group" for our sales department users in the "Sales Users" OU. See Figure-1.
Figure-1: Create new ftp group
Next, we add the users in the OU to our newly created group. Since we don't want to give ftp access to "Admin" and "Jenny", we skip those users. Also, don't forget to create a folder for each user under the ftp root directory; all user folders live directly under the ftp root. Here I use "ftproot" as the root folder and create one subfolder per user. See Fig-2.

Figure-2: Create folder for each user, folders' names are same as users' names

ii) Install FTP Service and IIS Management Console
We need to install the FTP Service and the IIS Management Console for our setup. Open Server Manager >> Add roles and features >> Server Roles.
On the Server Roles page, select Web Server (IIS) and click Next until you reach the Role Services page.
On the Role Services page, select FTP Service and IIS Management Console and install them. See Fig-3.
Figure-3: Install FTP Service and IIS Management Console
iii) Create new FTP Site and Virtual Directory
Now it's time to create our first ftp site and give it the necessary permissions.
Go to Start >> Administrative Tools >> Internet Information Services (IIS) Manager.
Expand the tree in the left pane until you see "Sites", right-click it and choose Add FTP Site. See Fig-4.
Figure-4: Create new FTP site and Virtual directory
On the next page, give the ftp site name and physical path. For me, that is sales-ftp and c:\ftproot. On the next page, select the binding interface and port number on which you want to serve FTP. Do not enable Virtual Host Names: that is only used when you serve different domain names from a single public IP address, mostly by public web hosts. Enable "Start FTP site automatically". You can also select Allow SSL if you have a valid SSL certificate (either self-signed or purchased). See Fig-5.
Figure-5: Setting up Binding interface and SSL certificate
On the next page, set the Authentication type to Basic and give ftp permission to our newly created FTP_Group with Read and Write permission. Click Finish. See Fig-6.
Figure-6: Setting FTP authentication and permissions
Now you can create the virtual directory. In IIS Manager, select the site you created (here sales-ftp), right-click and choose Add Virtual Directory. See Fig-7.
Figure-7: Adding Virtual directory
On the next page, give the Alias name and physical path. See Fig-8. Here our physical path is c:\ftproot and the Alias name is CONTOSO. The alias name is our domain's NetBIOS name. You must use exactly the NetBIOS name as the virtual directory alias, otherwise user isolation will not work for domain accounts. You can get the NetBIOS name in two ways:
  1. From the Active Directory Users and Computers console on the domain controller, select your domain, right-click and choose Properties. On the General tab you will see Domain name (pre-Windows 2000). See Fig-9.
  2. You can also run this PowerShell command on either a domain-joined server or the domain controller to fetch the name:
(Get-WMIObject win32_NTdomain).DomainName

Figure-8: Setting Virtual directory info
Figure-9: We can also get NetBIOS domain name from here (on dc1 computer)

iv) Configure FTP user isolation mode, SSL setting
Now it's time to configure user isolation. In the IIS Management console, select our sales-ftp site and double-click FTP User Isolation in the middle pane.
On the next page, choose "User name directory (disable global virtual directories)" and click Apply. See Fig-10.
Figure-10: Users isolation setting in IIS management console
So far we have configured the user isolation mode and the SSL settings.
Restart the FTP service for the firewall rules to take effect. Now each user can connect to his own directory using FileZilla or WinSCP from our other client computer. See Fig-11.

Figure-11: Testing FTP with WinSCP Client
Method-2: Using PowerShell script to setup FTP with user isolation
For a faster setup when we deal with hundreds or thousands of users, I created this setup script. The script is tested on Server 2012 R2 (with IIS 8.5) and Server 2008 R2 (IIS 7.5); I expect it to work on Server 2012 as well. I do suggest running it on a test machine with the same OS/IIS version as production before you run it on the production machine. PowerShell 3.0 is needed to run the script. Screenshots from my test machines are shown below for quick reference.
Figure-12: Running the script to setup FTP with domain users isolation
Figure-13: Getting Help
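The following is an added example, not the author's script from the screenshots, that automates the same steps as the GUI walkthrough above: install the four roles, create the site with Basic authentication and SSL allowed, add the authorization rule for the ftp group, create the virtual directory named after the NetBIOS domain, switch on "user name directory" isolation, and create one NTFS-restricted folder per group member. Site, group and path names are the article's; everything else (parameter names, the per-user Modify ACL, running as an elevated admin on the domain-joined FTP host) is an assumption.

```powershell
# Added example (not the article's script). Assumes: run as admin on the
# domain-joined FTP host, and the AD users and the ftp group already exist.
param(
    [string]$SiteName = 'sales-ftp',
    [string]$FtpRoot  = 'C:\ftproot',
    [string]$FtpGroup = 'sales_group',
    [int]$Port        = 21
)
$ErrorActionPreference = 'Stop'

# 1) The four roles the scripted method needs (same list as in the article)
Add-WindowsFeature RSAT-AD-PowerShell, Web-Ftp-Server, Web-Mgmt-Console, WAS-Process-Model | Out-Null
Import-Module ActiveDirectory, WebAdministration

# 2) NetBIOS domain name: the virtual directory alias must be exactly this
$netbios = (Get-ADDomain).NetBIOSName

# 3) FTP site rooted at $FtpRoot, anonymous off, Basic on, SSL allowed
if (-not (Test-Path $FtpRoot)) { New-Item -ItemType Directory -Path $FtpRoot | Out-Null }
$sitePath = "IIS:\Sites\$SiteName"
if (-not (Test-Path $sitePath)) {
    New-WebFtpSite -Name $SiteName -Port $Port -PhysicalPath $FtpRoot -IPAddress '*' | Out-Null
}
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslAllow'

# 4) Authorization rule: only members of the ftp group, Read + Write
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $SiteName `
    -Value @{ accessType = 'Allow'; roles = "$netbios\$FtpGroup"; permissions = 'Read,Write' }

# 5) Virtual directory named after the domain, then "user name directory" isolation
if (-not (Test-Path "$sitePath\$netbios")) {
    New-WebVirtualDirectory -Site $SiteName -Name $netbios -PhysicalPath $FtpRoot | Out-Null
}
Set-ItemProperty $sitePath -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'

# 6) One folder per group member; NTFS Modify granted to that user only (assumption:
#    least privilege at the file-system level, in addition to the FTP isolation)
Get-ADGroupMember -Identity $FtpGroup | Where-Object objectClass -eq 'user' | ForEach-Object {
    $dir = Join-Path $FtpRoot $_.SamAccountName
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $acl  = Get-Acl $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$($_.SamAccountName)", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

Restart-Service ftpsvc   # as the article notes, restart so the FTP firewall rules take effect
```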
