Creating and Configuring FTP Sites

Creating FTP sites on WS03 can be performed

  • by using the iisftp script,

  • by processing a definition file, or

  • by using the MMC FTP Site Creation Wizard.

Regardless of the means used to create the FTP site, the following information is required:

  • Physical file path for the FTP root on the host server

  • Name of the FTP instance used to identify the FTP site

An FTP site must also have an IP address and port that it will use. The administrator is not required to supply the site's IP address and port, because default values are assumed if the administrator does not actively set them.

The MMC provides configurations in addition to those provided by the iisftp script. Iisftp, for example, does provide the ability to configure important parameters required to support the major tasks that are core to managing FTP sites. The MMC offers additional FTP site creation features such as the following:

  • The ability to configure the properties that all FTP sites can inherit using the FTP Sites node

  • The ability to export definition files of FTP sites that can be used to create an identical FTP site

Virtual directories may also be used to enhance management of a given FTP site. When using virtual directories, an abstraction can exist between the physical file structure on the host and the structural organization as it appears to the FTP consumer.

FTP Site Creation Wizard

The MMC's FTP Site Creation Wizard walks the user through the creation of an FTP site. Every property for a given FTP site, except the User Isolation Mode, can be changed after the site's creation using the MMC Properties window.

Here's how to use the MMC FTP Site Creation Wizard:

  1. Right-click any node subordinate to the FTP Sites node in the left panel of the MMC, and choose New | FTP Site from the context-sensitive menu.

  2. The FTP Site Creation Wizard opens with a window introducing the wizard. Click the Next button, and the wizard will prompt for the site description, as shown in Figure 3-4.

  3. Enter a descriptive name for the FTP site. Then click Next.

    Figure 3-4: Site Description window for the FTP Site Creation Wizard

Set Up IP Address and Port

Next, you'll set up the site's IP address and port.

  1. Set the site's IP address and the port in the IP Address And Port Selection window. By default, the port is set to 21, the standard port number used for FTP, although the port could be set to any number ranging from 1 to 65535. The default IP setting is (All Unassigned), but a specific IP will be selected, as shown in Figure 3-5.

    Figure 3-5: IP Address And Port Settings window

  2. Choose (All Unassigned) to let IIS choose the IP address: the FTP site being created is served on every IP address of the server that is not otherwise assigned to another use for the given port. For any given server, the combination of port number and IP address must be unique. On a server having a single IP address, the (All Unassigned) setting is ideal. If the server has more than one IP address, select the desired IP address. Explicitly assigning an IP address will reduce the risk that at some future date another IP address will be added to the FTP site.

  3. Click Next to open the FTP User Isolation window.

User Isolation Modes

You can choose from among three modes for user isolation:

  • Do Not Isolate Users: No intrinsic access control based on a user's home directory exists.

  • Isolate Users: Users authenticate to local or domain accounts of the FTP host server, and intrinsic access control exists that establishes directories for users and excludes other users from accessing other users' directories.

  • Isolate Users Using Active Directory: Users authenticate to an Active Directory, and intrinsic access control exists that is based on an FTP root file path and the user's home directory file path obtained for the user from an Active Directory server.

Each mode is identified on the FTP User Isolation dialog box as an option selection. The default option is Do Not Isolate Users. Choose the Isolate Users option if you want to create an FTP site that has home directories without the support of an Active Directory server. The Isolate Users option most closely resembles the native functionality found on a UNIX server when FTP is enabled. The Isolate Users Using Active Directory option offers the greatest extendibility, because the authentication takes place on a separate server and the location of the user's home directory can be different for each user. The Isolate Users option limits the physical location of the user's home directory to the physical host. With the Isolate Users Using Active Directory option, users' home directories can exist on many physical hosts, and the Active Directory can serve the credentials and configurations for many physical hosts.

An Active Directory server is not available for this example, since it requires a special configuration that is beyond the scope of this chapter. As shown in Figure 3-6, the Isolate Users mode is selected for this site. This mode will authenticate users to the local host or a domain. Before users can access the site, a directory must be created for them; otherwise, logon will fail. For users authenticating to the local host, a directory called LocalUser must be created in the FTP root. Subordinate to that directory is a directory named for the user's login name. For example, if the FTP root was located at C:\schmidlap_beer_FTP and a user with the login jschmidlap needed to access the site, the home directory for jschmidlap would need to be created at C:\schmidlap_beer_FTP\LocalUser\jschmidlap. If the users authenticate to a domain controller, the LocalUser directory would be replaced with the respective domain controller name in the file path. For example, if the login jschmidlap needed to access the site and jschmidlap authenticated to the Clowns domain, the home directory that would need to be created is C:\schmidlap_beer_FTP\Clowns\jschmidlap.

Figure 3-6: FTP User Isolation window
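
The home directory layout described above for the Isolate Users mode can be computed and checked before any directory is created. The following is an added example, not code from the book or from IIS; the function names are hypothetical and the account list is constructed sample input. It rejects account names that would not map to exactly one directory under the FTP root.

```python
import ntpath
import re

# Characters Windows does not allow in a single file or directory name.
_FORBIDDEN = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def _component(value, what):
    # Accept only a value that is exactly one directory name, so a login
    # or domain can never resolve to a path outside the FTP root.
    if not value or value in (".", "..") or _FORBIDDEN.search(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    if value != value.strip(" ."):
        raise ValueError(f"{what} has leading/trailing dots or spaces: {value!r}")
    return value


def home_directory(ftp_root, login, domain=None):
    # Local accounts go under <root>/LocalUser/<login>; domain accounts
    # go under <root>/<domain>/<login>, as the text describes.
    container = "LocalUser" if domain is None else _component(domain, "domain")
    return ntpath.join(ftp_root, container, _component(login, "login"))


def plan_home_directories(ftp_root, accounts):
    # accounts: 'login' or 'DOMAIN\login'. Returns (paths, rejected).
    paths, rejected = [], []
    for account in accounts:
        domain, sep, login = account.rpartition("\\")
        try:
            paths.append(home_directory(ftp_root, login, domain if sep else None))
        except ValueError as exc:
            rejected.append((account, str(exc)))
    return paths, rejected


if __name__ == "__main__":
    # Constructed sample input; the last entry is a malformed name that
    # would otherwise resolve outside the FTP root.
    sample = ["jschmidlap", "Clowns\\jschmidlap", "..\\..\\Windows"]
    paths, rejected = plan_home_directories("C:\\schmidlap_beer_FTP", sample)
    for p in paths:
        print("create:", p)
    for account, reason in rejected:
        print("reject:", account, "->", reason)
```
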

Home Directory

After you set up user isolation modes in the wizard, click Next to open the FTP Site Home Directory window, as shown in Figure 3-7. The path for the FTP root must be entered here. This path represents the physical path on the host where the FTP-related content and home directories for users reside. Users accessing the FTP site will not have access to file paths above or outside of this directory.

Figure 3-7: FTP Site Home Directory window

Site Access Permissions

After you click the Next button, the FTP Site Access Permissions window opens, where you'll indicate whether the site will enable read or write access permissions. The choices are not mutually exclusive, so either or both options may be selected. As shown in Figure 3-8, both Read and Write are selected so that users can download, upload, and delete files from the server. The Write permission allows users to upload and delete files from the FTP site. The Read permission provides access for files to be downloaded. The FTP server permissions are still subject to the Windows file permissions established by the host on the file system. The FTP server permissions will function as expected insofar as they do not conflict with the existing Windows file permissions.

Figure 3-8: FTP Site Access Permissions window

Note 

Oddly enough, it is possible not to select either option, which will result in an FTP site that will run but will not allow any users to log in because they do not have access to the site.

Click the Next button, and you'll see the FTP Site Creation Wizard's final screen, which indicates that the FTP site will be created after you click the Finish button. After the wizard completes the creation of the site, the site node is added to the nodes of the existing FTP sites listed subordinate to the FTP Sites node in the MMC.

Creating FTP Sites Using the iisftp Script

Using the iisftp script, an administrator can create an FTP site on a host to which he or she has console access or on a remote host to which the administrator has administrative permissions. The script provides the same functionality as the FTP Site Creation Wizard of the MMC. The script supports the following syntax:

iisftp [/s <server> [/u <username> [/p <password>]]] /create <root> <name> [/b <port>] [/i <ip>] [/dontstart] [/isolation <isomode> [/ADDomain <domain> /ADAdmin <admin> /ADPass <password>]]

iisftp Switches and Arguments Used in FTP Site Creation

The primary switch that is unique to the creation of an FTP site is the /create switch, which requires a root argument for the physical file path of the FTP root and a name argument for the name of the FTP site. Optionally, the port and IP address may be specified using the /b and /i switches, respectively. If neither the /b nor the /i switch is specified, the port is assumed to be port 21 and the IP address will be set to (All Unassigned).

If the /dontstart switch is passed, the site will not be started after creation; otherwise, the site will be started automatically after creation. The optional /s, /u, and /p switches are common to every command supported by the iisftp script for providing credentials that the script should utilize during execution. If the /s switch is not specified, the local server will be assumed as the host on which the script will create the FTP site. The /u and /p switches are the user name and password credentials, respectively, that the script runs under. If the /u and /p switches are not specified, the credentials of the current user are assumed.

If the /isolation switch is passed, either the argument local or AD must be passed to specify whether the user isolation mode should use the local system or domain controller accounts or an Active Directory. If the /isolation switch is not used, no user isolation is assumed during the creation of the FTP site. When the /isolation switch is set with the AD argument, the credentials for the Active Directory server must be set using the /ADDomain, /ADAdmin, and /ADPass switches along with the respective arguments for each switch.

For a summary of the switches and their usage, refer to Table 3-1.

Table 3-1: Summary of iisftp Script Switches for Creating an FTP Site

| Switch | Argument | Required | Description | Default |
|---|---|---|---|---|
| /s | Server Name | No | Name of server hosting the FTP site | Local host |
| /u | Username | No | Username under which to execute the request; may be specified in the form <domain>\<username> or <username> | Current user's login |
| /p | Password | No | Password for the username specified | Current user's password |
| /create | Root file path | Yes | File path on the physical host to the root of the FTP site; path is created if it does not already exist | N/A |
| /create | Site Name | Yes | Name of the FTP site maintained by IIS for administrative purposes; this name is displayed in MMC and must be in quotes | N/A |
| /b | Port | No | Number of the port that the FTP site will utilize | 21 |
| /i | IP address | No | IP address that the FTP site will utilize | (All Unassigned) |
| /dontstart | N/A | No | Indicates that the site should not be started after creation if it is passed | Site is started after creation |
| /isolation | Local or AD | No | Sets the site to use user isolation mode | Site does not support user isolation |

To see an example of the script making a simple FTP site named doc site with a root located at C:\FTPSites\docs, refer to Figure 3-9.

Figure 3-9: Creating a simple FTP site using iisftp script
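
The switch rules above (port range, the local or AD isolation argument, the AD switches that must accompany AD, and the requirement that an IP address and port pair be unique on a server) can be checked before the script is run. The following is an added example, not part of the book or of the iisftp script; the function names and the `existing` list of (name, ip, port) tuples are hypothetical, and refusing to auto-start a site whose binding is already taken is this example's own policy.

```python
import ipaddress
import subprocess

ALL_UNASSIGNED = None  # the "(All Unassigned)" default: no /i switch is passed


def binding_conflicts(existing, ip, port):
    # Names of sites in `existing` already bound to the same IP and port.
    return [name for name, e_ip, e_port in existing if (e_ip, e_port) == (ip, port)]


def iisftp_create_args(root, name, port=21, ip=ALL_UNASSIGNED, start=True,
                       isolation=None, ad=None, existing=()):
    # Validate the inputs, then return the argument list for `iisftp /create`.
    if not root or not name:
        raise ValueError("/create requires a root path and a site name")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    if ip is not ALL_UNASSIGNED:
        ip = str(ipaddress.ip_address(ip))  # rejects malformed addresses
    clash = binding_conflicts(existing, ip, port)
    if clash and start:
        raise ValueError(f"binding already used by {clash}; change it or pass start=False")
    args = ["iisftp", "/create", root, name, "/b", str(port)]
    if ip is not ALL_UNASSIGNED:
        args += ["/i", ip]
    if not start:
        args.append("/dontstart")
    if isolation is not None:
        if isolation not in ("local", "AD"):
            raise ValueError("/isolation takes local or AD")
        args += ["/isolation", isolation]
        if isolation == "AD":
            missing = [k for k in ("domain", "admin", "password") if not (ad or {}).get(k)]
            if missing:
                raise ValueError(f"/isolation AD also needs {missing}")
            args += ["/ADDomain", ad["domain"], "/ADAdmin", ad["admin"],
                     "/ADPass", ad["password"]]
    return args


if __name__ == "__main__":
    # Constructed inventory: one site already on (All Unassigned), port 21.
    sites = [("Default FTP Site", ALL_UNASSIGNED, 21)]
    argv = iisftp_create_args("C:\\FTPSites\\docs", "doc site", ip="192.0.2.10",
                              isolation="local", existing=sites)
    print(subprocess.list2cmdline(argv))
```
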

Using Export Definition Files

The MMC allows you to export the information required to produce an FTP site into an XML file. Here's how to make a configuration file: Right-click the FTP Sites node in the left panel of the MMC, and choose All Tasks | Save Configuration To A File. A window prompting for a filename will open. As shown in Figure 3-10, the option to protect the data by encrypting the file content with a password is also available. The encryption does not cover all of the element or attribute data, and the XML element and attribute identifiers are not encrypted either.

Figure 3-10: Save a configuration to a file

Select a file, and then click the OK button. The prompt is dismissed, and the XML file is created. In the example shown in Figure 3-10, the file was named AllFTPSites.

An individual FTP site node or virtual directory site node can also be saved to a configuration file. The MMC will export the configuration for the selected node in the MMC and all subordinate configurations.

Here's how to create a site from a configuration file:

  1. Right-click any node subordinate to the FTP Sites node in the left panel of the MMC. Then choose New | FTP Site (From File).

  2. In the Import Configuration window, choose the file AllFTPSites, which was exported previously. Then click the Read File button. As shown in Figure 3-11, the existing FTP sites that were hosted when the configuration file was produced are listed.

    Figure 3-11: Import Configuration window with an FTP site selected

  3. After selecting a site to create, the OK button will become enabled; click it to close the dialog.

  4. Because the site already exists within the host on which this example is being performed, a window appears, asking whether a new site should be created or whether the existing site should be replaced. As shown next, the option to create a new site is selected.

  5. Click OK, and the site will be created; this site will be identical to the original site in every aspect, except that it will likely not run because it is assigned the same port and IP as the existing site on the same host, thereby causing a binding conflict to occur. If the configuration file were used to create a site on a different host where the same port and IP were not already in use, the site would function after the import prompt completes.

Creating Virtual FTP Directories

Virtual directories may be created under existing FTP sites or virtual directories. Virtual directories allow an FTP site to emulate the existence of a physical path being subordinate to the FTP root when it does not physically exist subordinate to the FTP root. To the FTP site user, the virtual directory appears as another directory, even though the host file structure may not be organized that way.

The virtual directory in an FTP site can also support a configuration that may be different from that of the parent FTP site. The configurations for a virtual directory are as follows:

  • Physical File Path of Virtual Directory: Local file path on the host or network path using the Universal Naming Convention (UNC) path

  • Read Permissions: Permissions to download files from the directory

  • Write Permissions: Permission to upload files to the directory or delete files from the directory

  • Log Visits: Access to the virtual directory will be logged if the FTP site logging is enabled

  • Directory Security: IP restriction may be established such that users from a given IP may or may not be allowed access to the virtual directory

The MMC must be used to create or configure the virtual directories, since this functionality is not available in the iisftp script. To create a virtual directory, the Virtual Directory Creation Wizard must be invoked unless you generate the virtual directory from a file. Except for the screen prompting for the user isolation mode and a screen prompting for IP address and port number, the same steps used to create an FTP site using the FTP Site Creation Wizard are used in the Virtual Directory Creation Wizard.

  1. To start the MMC Virtual Directory Creation Wizard, right-click the FTP site node or virtual directory site node in the left pane of the MMC to which the intended virtual directory should be subordinate.

  2. Choose New | Virtual Directory.

  3. The Virtual Directory Creation Wizard will open with a window introducing the wizard and the purpose of the wizard. Follow the steps described in the section 'FTP Site Creation Wizard' earlier in this chapter. Skip the steps under 'User Isolation Modes' and 'Set Up IP Address and Port.'

If you make a mistake in the Virtual Directory Creation Wizard, you can change any of the properties of the virtual directory. Right-click on the virtual directory, select Properties, and configure any of the properties using the Properties window.

FTP Sites Node Configuration

The FTP Sites node in the MMC provides a means for you to set the properties that affect all the existing FTP sites for the FTP server host through inheritance. To access the FTP Sites properties, right-click the FTP Sites node in the left panel of the MMC and choose Properties. The Properties window for the FTP Sites node is identical to the Properties window of a given FTP site. Some properties for the FTP Sites node cannot be edited, because inheriting the values would not make sense. For example, the following items are not editable at the FTP Sites level:

  • Name: Name of the FTP site in the MMC

  • IP Address: IP address that the FTP site uses

  • Port: Port number for the FTP site

  • Root Path: Physical file path for the FTP root

By configuring properties for the FTP Sites node, existing sites can inherit the settings and all future FTP sites created will inherit the settings. As expected, individual FTP sites can be configured with alternative property configurations that differ from the FTP Sites node properties if they are configured separately.

For example, a welcome banner may be set in the FTP Sites node that differs from the existing welcome banner used in many of the existing FTP sites. Some of the FTP sites may not have a welcome banner specified at all. The sites that do not have a banner specified will get the new banner placed in the FTP Sites node property for the welcome banner when it is entered and applied. When the welcome banner is set in the FTP Sites Properties window by clicking OK or Apply, a prompt appears, indicating that existing FTP sites include a value for the welcome banner. The prompt will ask whether the existing values should be changed or remain unchanged. The FTP sites that should have their welcome banner changed should be selected in the prompt, and those sites that do not require the change should not be selected. When the prompt is dismissed, the changes will be applied to the selected sites.




IIS 6: The Complete Reference
ISBN: 0072224959
EAN: 2147483647
Year: 2005
Pages: 193
