Configuring FTP Firewall Support for dynamic IP in IIS 7.5
If, like me, you’re stuck with a dynamic IP address on your Internet connection but still wish to provide FTP services from IIS 7.5 on Windows Server 2008 R2, you may have noticed that when connecting to the FTPS server with an FTP client, you receive the internal IP address of your FTP server in the control channel responses. This leaves some FTP clients flustered and unable to communicate with your FTP server.
If you’re hosting your server behind a NAT device, the correct solution is to enter the external IP address under the FTP Firewall Support section within IIS 7.5, but if, like me, you have a dynamic IP address, you’re going to be kept busy doing just that!
Using a three-line PowerShell script, you can keep your FTP site’s FTP Firewall Support IP address up to date automatically. Just combine it with Task Scheduler to update at your desired frequency.
Import-Module WebAdministration
$ip=[System.Net.Dns]::GetHostAddresses("host.domain.com") | Select-Object -ExpandProperty IPAddressToString
Set-WebConfigurationProperty -filter "/system.applicationHost/sites/site[@name='nameofsite' and @id='1']/ftpServer/firewallSupport" -name externalIp4Address -value $ip
FileZilla FTP Client is one of the FTP clients intelligent enough to detect when it has been sent an internal IP address in the command response, and it automatically changes it to the external IP address of the server, but relying on this as a long-term solution is not feasible.
-Lewis
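The three-line script above writes whatever the DNS lookup returns straight into the IIS configuration. The following is an added example, not part of the original post: it keeps the post's placeholders (host.domain.com, nameofsite, id 1), introduces a hypothetical helper named Test-PublicIPv4, and only writes a value that parses as a publicly routable IPv4 address and differs from the one already configured.

```powershell
Import-Module WebAdministration

# Hypothetical helper (not from the post): accept only a dotted-quad, public IPv4 address.
function Test-PublicIPv4 {
    param([string]$Candidate)
    $text = $Candidate.Trim()
    # IPAddress.TryParse also accepts short forms such as "1", so require four octets first.
    if ($text -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($text, [ref]$addr)) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b[0] -eq 0 -or $b[0] -eq 10 -or $b[0] -eq 127 -or $b[0] -ge 224) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }   # RFC 1918
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }                    # RFC 1918
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }                    # link-local
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) { return $false }  # RFC 6598 shared space
    return $true
}

# Placeholders taken from the post; replace with your own host name and site.
$hostName = 'host.domain.com'
$filter   = "/system.applicationHost/sites/site[@name='nameofsite' and @id='1']/ftpServer/firewallSupport"

# The lookup can return several addresses (IPv4 and IPv6); keep the first usable one.
$ip = [System.Net.Dns]::GetHostAddresses($hostName) |
    ForEach-Object { $_.IPAddressToString } |
    Where-Object { Test-PublicIPv4 $_ } |
    Select-Object -First 1

if (-not $ip) {
    Write-Error "No public IPv4 address found for $hostName; configuration left unchanged."
    exit 1
}

# Depending on the property, the cmdlet returns the value itself or an object with .Value.
$current = Get-WebConfigurationProperty -Filter $filter -Name externalIp4Address
if ($null -ne $current -and $current -isnot [string]) { $current = $current.Value }

if ($current -ne $ip) {
    Set-WebConfigurationProperty -Filter $filter -Name externalIp4Address -Value $ip
    Write-Output "externalIp4Address updated to $ip"
}
```

Run it from Task Scheduler under an account allowed to change the IIS configuration; a non-zero exit code shows up as a failed task run when the lookup returns nothing usable.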
I am confused about the data port and External firewall IP in IIS 7.5
My GPRS clients are not able to do the FTP, they are not external clients, but outside the firewall
Now tell me which External firewall IP I should configure here,
One more question: does the default CMD utility that comes with Windows 7 support passive FTP?
@Cool Guy – I cannot see how your clients can be both “not external” yet outside the network. They either are outside the network (in which case they would use your external IP address) or they are not (they would use the internal IP address). If you are trying to support both internal and external clients then you must not configure the FTP Firewall Support feature of IIS and instead rely on either:
– A good router/firewall solution, capable of performing NAT loopback (most don’t!) or reverse proxy like UAG/TMG.
– The FTP client understanding it has been sent an internal IP and changing to the external IP by itself.
– Your firewall/IDS providing FTP helper features that automatically translate the IP address to the external IP as it attempts to traverse the firewall.
That last option gives you more hurdles to jump through however. Please see another post of mine which discusses FTP helpers getting in the way of FTPS command and data traffic: http://www.lewisroberts.com/2010/08/06/scripting-ftpes-explicit-tlsssl-with-curl/
thx mate, that helped me a lot
Hi,
My ISP is providing a dynamic public IP address that I’m using to access my home network from the WAN.
It also provides me a “middle, let’s say” IP which should be the ISP internal network address of my router.
If I use the script posted above, it sets the FTP firewall IP box with the “Middle IP”, which of course is not reachable from the WAN.
How do I fix this? Are there any other commands that I could use to get the real external IP address?
Thanks.
@Colmoschin – how are you finding out the actual external address? I personally would use this with something like DynDNS.
If you visit for example: https://showextip.azurewebsites.net – do you see the correct external address? If so, there’s a more recent PowerShell script of mine that scrapes the IP from the response and you can use that to update the FTP firewall IP field instead.
@lewis, thanks for the reply, I’m checking my external IP via whatsmyip.org or No-Ip (I’ve a registered domain there).
I’ve also tried to mess around a bit with the code and so far I’ve found:
1) $ip=(Invoke-WebRequest ifconfig.me/ip).Content
This line retrieves the correct external IP.
But if I combine it with the 3rd line of your script to update the IP box, nothing happens and the box appears empty.
I’ve also found that if I change “$ip” in the 3rd line to something like an IP address (xxx.xxx.xxx.xxx), it actually sets the given value in the box.
Do you have any idea what I’m doing wrong?
The last script line I have used:
Import-Module WebAdministration
$ip=(Invoke-WebRequest ifconfig.me/ip).Content
Set-WebConfigurationProperty -filter "/system.applicationHost/sites/site[@name='KANTFTP' and @id='1']/ftpServer/firewallSupport" -name externalIp4Address -value $ip
Thanks! =)
@lewis
PS: forgot to tell, yes, https://showextip.azurewebsites.net retrieves the right IP + port.
Would you share the newer script with me? =)
Thanks Again =)
Your version looks fine to me.
Try this:
Also, try changing the last line to make the change at the server level. There’s half a chance that the config change isn’t taking because the site you’re updating inherits its settings from the parent (the server root config). This line updates the ftpFirewall setting for the entire server (and anything that inherits that setting).
-Lewis
Simply the best! =)
Tried your script and it works great. I made only a small modification, since changing the last line to set the IP at the server root config did not update the IP box at the site level.
So the final and working version should be the following:
Thanks again, you really solved a huge problem for me! =)
You’re welcome.
Just wanted to give you a big thanks, this little script really helped me out.
For some reason I can’t get this to return anything in the $matches table. It appears null. I’m using 2012r2. Any ideas?
@Simon – all I can suggest is to break down the script and see where the issue is. For example, run this line from the server:
Is the IP address you expect to see in there? If not, then the server may not be able to access https://showextip.azurewebsites.net/
If it is there, then try the next lines that should do something (I should say that the “final” script posted by Matteo omits a fairly important “name” for the match (called Address in my script above), which could be why you’re not getting any results):
Thank you so much for this script! That version with https://showextip.azurewebsites.net/ as source for my ext IP was exactly what I was looking for.
Thanks!!!
Thanks for this. This PowerShell script worked for me, for 1 FTP site for external use:
Import-Module WebAdministration
$ip=(Invoke-WebRequest ifconfig.me/ip).Content
Set-WebConfigurationProperty -filter "/system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport" -name externalIp4Address -value $ip
updated code ….
$ip = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
Set-WebConfigurationProperty -filter "/system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport" -name externalIp4Address -value $ip
Set-WebConfigurationProperty -filter "/system.applicationHost/sites/site[@name='alnahar' and @id='2']/ftpServer/firewallSupport" -name externalIp4Address -value $ip