Sometimes users request FTP access to a server so that they can upload files without having to use Bastion or RDP in. To achieve this, follow the steps below.

1. Launch Server Manager, click on Manage, then click on Add Roles and Features.

2. Click Next, select Role-based or feature-based installation, then click Next and Next again.

3. Select IIS (if not installed already) and Add Features.

4. Click Next until you’re on the “Role Services” section, select FTP Server, then click Next and Install, then restart the server.

5. Now open Start Menu and launch “lusrmgr.msc” and create a local user that we will use for FTP.

6. Now we will launch File Explorer and create a folder for FTP. I would highly advise creating this on the data drive and not the C drive, if available.

7. Now right-click the folder you created, click “Properties”, go to the “Security” tab, add the user to this folder and grant them Full Control or Modify depending on the needs of the request, then click OK.

8. Launch IIS, right-click the server on the left and click “Add FTP Site”, give it a name and select the physical path of the folder you created.

9. In the next section, leave the IP address as “All Unassigned” and make sure port 21 is in place. Then tick “Start FTP site automatically” if not ticked already. If you have an SSL certificate, select “Require SSL”; if not, click “No SSL”. The former is preferred, depending on the request and longevity, because with “No SSL” the username and password cross the network in cleartext.

10. In the next section, tick “Basic”, set “Allow access” to “Specified users”, type the username of the user you created, tick “Read” and “Write”, and click “Finish”.

11. Now create a firewall rule on the server to allow FTP inbound.

12. Tick all 3, click Next, tick “Allow the connection” and click “Finish”. Repeat this step, but select ports and type 50000-50100. You should end up with two rules: one allowing FTP on port 21 and one allowing ports 50000-50100.

13. Now on the IIS overview page, click on “FTP Firewall Support”.

14. Enter the port range 50000-50100 in the “Data Channel Port Range” field, and the public IP of the server if it is not behind a firewall (that is, it has its own public IP rather than using a firewall’s public IP), then click “Apply”.

15. Now in IIS, click on the FTP site and, on the right, click “Restart”.


16. To finalise, make sure you create the rules in the NSG, and in the firewall if the VM has one (similar to LabTech's tenancy, where we have a Fortigate firewall). Ensure you set the source to the public IPs that need this service.
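
Steps 1 to 15 can also be scripted. The following PowerShell is an added example, not part of the original procedure; the user name, folder, site name, certificate thumbprint and source addresses are assumed placeholders, and the NSG rules from step 16 still have to be created separately.

```powershell
#Requires -RunAsAdministrator
# Assumed values, not from the page: adjust before running.
$FtpUser        = 'ftp-upload'      # hypothetical local account name
$FtpRoot        = 'D:\FTP\upload'   # hypothetical folder on the data drive (step 6)
$SiteName       = 'Upload FTP'      # hypothetical site name
$CertThumbprint = ''                # thumbprint of a certificate in LocalMachine\My; empty means "No SSL"
$ExternalIp     = ''                # set only if the server has its own public IP (step 14)
$AllowedSources = 'Any'             # or the public IPs used in step 16, e.g. @('203.0.113.10') (constructed)

# Steps 1-4: install IIS and the FTP Server role service (restart the server afterwards, as in step 4).
Install-WindowsFeature Web-Server, Web-Ftp-Server -IncludeManagementTools
Import-Module WebAdministration

# Step 5: local user for FTP; the password is prompted for, not stored in the script.
$pw = Read-Host "Password for $FtpUser" -AsSecureString
New-LocalUser -Name $FtpUser -Password $pw -Description 'FTP upload account'

# Steps 6-7: create the folder and grant Modify, inherited by files and subfolders (use F for Full Control).
New-Item -ItemType Directory -Path $FtpRoot -Force | Out-Null
icacls $FtpRoot /grant "${FtpUser}:(OI)(CI)M"

# Steps 8-9: FTP site on port 21, all unassigned addresses, then the SSL choice.
New-WebFtpSite -Name $SiteName -Port 21 -PhysicalPath $FtpRoot
$site   = "IIS:\Sites\$SiteName"
$policy = if ($CertThumbprint) { 'SslRequire' } else { 'SslAllow' }   # SslAllow without a certificate = "No SSL"
if ($CertThumbprint) { Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash -Value $CertThumbprint }
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value $policy
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy -Value $policy

# Step 10: Basic authentication, Read and Write for the one specified user.
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $SiteName `
    -Value @{ accessType = 'Allow'; users = $FtpUser; permissions = 'Read,Write' }

# Steps 11-12: two inbound rules on all profiles, control port and data port range.
$fw = @{ Direction = 'Inbound'; Protocol = 'TCP'; Action = 'Allow'; Profile = 'Any'; RemoteAddress = $AllowedSources }
New-NetFirewallRule @fw -DisplayName 'FTP control (21)' -LocalPort 21
New-NetFirewallRule @fw -DisplayName 'FTP data (50000-50100)' -LocalPort '50000-50100'

# Steps 13-14: data channel port range (server level) and external IP (site level).
$fs = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Filter = 'system.ftpServer/firewallSupport' }
Set-WebConfigurationProperty @fs -Name lowDataChannelPort -Value 50000
Set-WebConfigurationProperty @fs -Name highDataChannelPort -Value 50100
if ($ExternalIp) { Set-ItemProperty $site -Name ftpServer.firewallSupport.externalIp4Address -Value $ExternalIp }

# Step 15: restart the FTP service so the site picks up the new settings.
Restart-Service ftpsvc
```

Leaving `$AllowedSources` as `Any` matches the GUI steps; setting it to the same public IPs as step 16 also restricts the host firewall rules to those sources.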