Configuring FTP Firewall Support for dynamic IP in IIS 7.5

13 Responses

  1. Cool Guy says:

    I am confused about the data port and External firewall IP in IIS 7.5.
    My GPRS clients are not able to do the FTP; they are not external clients, but outside the firewall.
    Now tell me which External firewall IP I should configure here.
    One more question: does the default CMD utility which is with Windows 7 support passive FTP?

  2. Lewis says:

    @Cool Guy – I cannot see how your clients can be both “not external” yet outside the network. They either are outside the network (in which case they would use your external IP address) or they are not (they would use the internal IP address). If you are trying to support both internal and external clients then you must not configure the FTP Firewall Support feature of IIS and instead rely on either:
    – A good router/firewall solution, capable of performing NAT loopback (most don’t!) or reverse proxy like UAG/TMG.
    – The FTP client understanding it has been sent an internal IP and changing to the external IP by itself.
    – Your firewall/IDS providing FTP helper features that automatically translate the IP address to the external IP as it attempts to traverse the firewall.

    That last option gives you more hurdles to jump through however. Please see another post of mine which discusses FTP helpers getting in the way of FTPS command and data traffic: http://www.lewisroberts.com/2010/08/06/scripting-ftpes-explicit-tlsssl-with-curl/

  3. nightmare1942 says:

    Thanks mate, that helped me a lot.

  4. Colmoschin says:

    Hi,
    My ISP is providing a dynamic public IP address that I'm using to access my home network from the WAN.
    It also provides me a "middle, let's say" IP which should be the ISP internal network address of my router.
    If I use the script posted above, it sets the FTP firewall IP box with the "Middle IP", which of course is not reachable from the WAN.
    How do I fix this? Are there any other commands that I could use to get the real external IP address?

    Thanks.

  5. Lewis says:

    @Colmoschin – how are you finding out the actual external address? I personally would use this with something like DynDNS.
    If you visit for example: https://showextip.azurewebsites.net – do you see the correct external address? If so, there’s a more recent PowerShell script of mine that scrapes the IP from the response and you can use that to update the FTP firewall IP field instead.

  6. Matteo says:

    @lewis, thanks for the reply. I'm checking my external IP via whatsmyip.org or No-Ip (I've a registered domain there).
    I've also tried to mess around a bit with the code and so far I've found:

    1) $ip=(Invoke-WebRequest ifconfig.me/ip).Content

    This line retrieves the correct external IP.

    But if I combine it with the 3rd line of your script to update the IP box, nothing happens and the box appears empty.
    I've also found that if I change "$ip" in the 3rd line to something like an IP address (xxx.xxx.xxx.xxx), it actually sets the given value in the box.
    Have you any ideas about what I'm doing wrong?

    The last script lines I have used:

    Import-Module WebAdministration
    $ip=(Invoke-WebRequest ifconfig.me/ip).Content
    Set-WebConfigurationProperty -filter "/system.applicationHost/sites/site[@name='KANTFTP' and @id='1']/ftpServer/firewallSupport" -name externalIp4Address -value $ip

    Thanks! =)

  7. Matteo says:

    @lewis
    PS: forgot to tell, yes, https://showextip.azurewebsites.net retrieves the right IP + port.

    would you share the newer script with me? =)

    Thanks Again =)

  8. Lewis says:

    Your version looks fine to me.

    Try this:

    Import-Module WebAdministration
    
    # Ask the lookup service for our public address; returns the IPv4 string or $false.
    Function Get-ExternalIP {
        Try {
            $ExternalIP = Invoke-WebRequest -Uri "https://showextip.azurewebsites.net/" -Method Get -TimeoutSec 30 -UseBasicParsing
        }
        Catch { Return $false }
     
        # The named group "Address" captures the first dotted-quad IPv4 address in the response body.
        $IPregex='(?<Address>(\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b))'
        If ($ExternalIP.Content -Match $IPregex) {Return $Matches.Address}
        Else {Return $false}
    }
    
    $ip = Get-ExternalIP
    # Only write to the IIS configuration when the lookup actually returned an address.
    If ($ip) { Set-WebConfigurationProperty -filter "/system.applicationHost/sites/site[@name='nameofsite' and @id='1']/ftpServer/firewallSupport" -name externalIp4Address -value $ip }
    
    

    Also, try changing the last line to make the change at the server level. There’s half a chance that the config change isn’t taking because the site you’re updating on inherits its settings from the parent (the server root config). This line updates the ftpFirewall setting for the entire server (and anything that inherits that setting).

    Set-WebConfigurationProperty -filter "/system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport" -name externalIp4Address -value $ip
    

    -Lewis

  9. Matteo says:

    Simply the best! =)
    Tried your script and it works great. I made only a small modification, since changing the last line to set the IP at the server root config did not update the IP box at the site level.

    So the final and working version should be the following:

    Import-Module WebAdministration
     
    Function Get-ExternalIP {
        Try {
            $ExternalIP = Invoke-WebRequest -Uri "https://showextip.azurewebsites.net/" -Method Get -TimeoutSec 30 -UseBasicParsing
        }
        Catch { Return $false }
      
        $IPregex='(?(\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b))'
        If ($ExternalIP.Content -Match $IPregex) {Return $Matches.Address}
        Else {Return $false}
    }
     
    $ip = Get-ExternalIP
    Set-WebConfigurationProperty -filter "/system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport" -name externalIp4Address -value $ip
    Set-WebConfigurationProperty -filter "/system.applicationHost/sites/site[@name='mysitename' and @id='1']/ftpServer/firewallSupport" -name externalIp4Address -value $ip
    

    Thanks again, you really solved a huge problem for me! =)

  10. Lewis says:

    You’re welcome.

  11. Erik says:

    Just wanted to give you a big thanks, this little script really helped me out.

  12. Simon says:

    For some reason I can’t get this to return anything in the $matches table. It appears null. I’m using 2012r2. Any ideas?

  13. Lewis says:

    @Simon – all I can suggest is to break down the script and see where the issue is. For example, run this line from the server:

    $Response = Invoke-WebRequest -Uri "https://showextip.azurewebsites.net/" -Method Get -TimeoutSec 30 -UseBasicParsing
    $Response.Content
    

    Is the IP address you expect to see in there? If not, then the server may not be able to access https://showextip.azurewebsites.net/

    If it is there, then try the next lines that should do something (I should say that the “final” script posted by Matteo omits a fairly important “name” for the match (called Address in my script above), which could be why you’re not getting any results):

    $IPregex='(?<Address>(\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b))'
    $Response.Content -Match $IPregex
    $Matches.Address # Should spew the IP address out if there was a match.
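
The scripts in this thread write whatever the lookup service returns straight into the address IIS advertises in passive-mode replies. The following is an added example, not code from the post or from any commenter: it validates the response, refuses private and carrier-grade NAT addresses (the "middle IP" case raised above), and only writes when the value has changed. The function name `Get-ValidatedExternalIPv4` is hypothetical; the lookup URL and configuration filters are the ones used in the thread, and `nameofsite` remains a placeholder.

```powershell
Import-Module WebAdministration

# Hypothetical helper (not from the thread): returns a public IPv4 string or $null.
function Get-ValidatedExternalIPv4 {
    param([string]$Uri = 'https://showextip.azurewebsites.net/')
    try {
        $resp = Invoke-WebRequest -Uri $Uri -Method Get -TimeoutSec 30 -UseBasicParsing
    } catch { return $null }

    # Extract the first dotted quad; this also discards whitespace or markup around it.
    $rx = '\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\b'
    $m = [regex]::Match([string]$resp.Content, $rx)
    if (-not $m.Success) { return $null }
    $o = @($m.Value.Split('.') | ForEach-Object { [int]$_ })

    # Reject ranges that are never reachable from the WAN: 0/8, 10/8, 127/8,
    # 100.64/10 (carrier-grade NAT), 169.254/16, 172.16/12, 192.168/16, 224/3.
    $notPublic = $o[0] -eq 0 -or $o[0] -eq 10 -or $o[0] -eq 127 -or $o[0] -ge 224 -or
        ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127) -or
        ($o[0] -eq 169 -and $o[1] -eq 254) -or
        ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
        ($o[0] -eq 192 -and $o[1] -eq 168)
    if ($notPublic) { return $null }
    return ($o -join '.')
}

# Filters as used in the thread; 'nameofsite' is a placeholder for the real site name.
$filters = @(
    "/system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport",
    "/system.applicationHost/sites/site[@name='nameofsite' and @id='1']/ftpServer/firewallSupport"
)

$new = Get-ValidatedExternalIPv4
if (-not $new) {
    Write-Warning 'No usable public IPv4 address returned; IIS configuration left unchanged.'
} else {
    foreach ($f in $filters) {
        $cur = Get-WebConfigurationProperty -Filter $f -Name externalIp4Address
        if ($cur -isnot [string]) { $cur = $cur.Value }
        if ($cur -ne $new) {
            Set-WebConfigurationProperty -Filter $f -Name externalIp4Address -Value $new
            Write-Output "externalIp4Address: '$cur' -> '$new' ($f)"
        }
    }
}
```

Run on a schedule, the output lines give a record of each time the advertised address changed, and a failed or implausible lookup leaves the previous value in place.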
    
