FileZilla FTP Server with TLS

Hello guys

Today we will see how to set up FileZilla FTP Server with TLS. There are many documents explaining it; however, as usual, I am going one step further and explaining a few elements that most of those posts miss.

Once installed (accept the defaults, letting FileZilla run as a Windows service), you can start configuring it for passive mode transfers and TLS.

As you can see, the installation sets port 21 as the default listening port for FTP. If you choose to, you can change it to another available port. Usually you don’t have to.

If your FTP server/desktop machine has multiple IP addresses, you may assign a particular IP for the FTP server under “IP Bindings”.

Leaving it at the default will not hurt you, usually.

Setting up passive mode can be a bit tricky, especially when you are going to let users from the internet access your FTP server. Let us consider that you have a router that is the gateway for all the computers in your network, so any communication leaving your network passes through this router. This is called a NAT network. Getting an FTP server to respond to a request from the internet could be quite confusing for someone who doesn’t understand NAT properly (I don’t, all the time).

Usually such a requirement is handled by forwarding the requests received by the router to one of the servers or computers hosting the FTP or other services.

Here, for FileZilla, the router should forward port 21 to the machine that is hosting the FTP server, so that the communication and transfer can happen. So basically, your router should have an entry like the one below. In the given example, the FTP server software is installed on a computer that has the static IP address 192.168.1.200, hence the entry below. Please make sure that all your computers/servers that host services have static IP addresses.

Please note that, depending on the manufacturer, the Applications & Gaming tab will be labelled differently. You need to check the router manual to find out where exactly you can locate “Single Port Forwarding”. If you are lucky enough, you may be able to pick FTP from an available dropdown list, like the one I have. Otherwise, just create an entry for FTP like the one you can see in this image.

Now you need to configure the ports for passive mode, which most modern FTP clients will try to use for the transfer. I believe that, without configuring passive mode, FileZilla FTP Server fails to establish connections.

Here you can see that I am using a custom port range for passive mode. Most of the people who have successfully configured FileZilla recommend using the port range 50000-51000. You can try a range like 50000-50100, or one like mine, which is approximately 1000 ports.

The next couple of points are going to be vital for users from the internet. I have a static IP address from my ISP, hence I can safely use it in the External IP address field. However, this may not be the case for most home users, as ISPs provide them dynamic IP addresses that keep changing at a pre-planned interval. So http://www.noip.com is your friend, and I suggest you create a ddns.net hostname for yourself before proceeding. You can use their client software to keep your host IP address updated against the ddns.net hostname. You can use your hostname, e.g. johwick3.ddns.net, in place of the external IP address.

OR

You can try the “Retrieve external IP address from” option as well. I cannot guarantee the success rate.

The other important setting on this page is “Don’t use External IP for local connections”. You must not uncheck this box if your FTP server has an external IP configured and you expect both local and external users to access the server.
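To check what the server actually advertises for passive transfers, here is an added PowerShell example (not part of the original post). It decodes the 227 reply shown in an FTP client's message log and reports whether the address is a private RFC 1918 one and whether the port falls inside the forwarded range; the function name Test-PasvReply and the sample replies are made up for illustration, and the range assumes 50000-51000 as used in this post.

```powershell
# Added example: decode a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
# Test-PasvReply is a hypothetical helper name; defaults assume this post's range.
function Test-PasvReply {
    param(
        [Parameter(Mandatory)][string]$Reply,
        [int]$RangeStart = 50000,
        [int]$RangeEnd   = 51000
    )
    # Six comma-separated decimal numbers inside parentheses.
    $n       = '(\d{1,3})'
    $pattern = '^227 .*\(' + ((@($n) * 6) -join ',') + '\)'
    if ($Reply -notmatch $pattern) {
        throw "Not a 227 passive-mode reply: $Reply"
    }
    $o = 1..6 | ForEach-Object { [int]$Matches[$_] }
    if ($o | Where-Object { $_ -gt 255 }) {
        throw "Field larger than 255 in reply: $Reply"
    }

    $address = $o[0..3] -join '.'
    $port    = $o[4] * 256 + $o[5]        # data port = p1 * 256 + p2

    # RFC 1918 private ranges only: 10/8, 172.16/12, 192.168/16.
    $private = ($o[0] -eq 10) -or
               ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
               ($o[0] -eq 192 -and $o[1] -eq 168)

    [pscustomobject]@{
        Address        = $address
        Port           = $port
        PrivateAddress = $private         # True: unreachable from the internet
        PortInRange    = ($port -ge $RangeStart -and $port -le $RangeEnd)
    }
}

# Constructed sample replies (not captured from a real server).
$samples = @(
    '227 Entering Passive Mode (192,168,1,200,195,80)',   # LAN address, port 50000
    '227 Entering Passive Mode (203,0,113,10,199,56)',    # public address, port 51000
    '227 Entering Passive Mode (203,0,113,10,4,1)'        # port 1025, outside range
)
$samples | ForEach-Object { Test-PasvReply -Reply $_ } | Format-Table -AutoSize
```

With TLS the control channel is encrypted, so the router cannot rewrite this reply on the way out; the server itself has to advertise the external address to internet clients.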

Once set, you need to open the range of ports on your router. This time you need to access the “Port range forwarding” page and create an entry like the one seen below.

This completes the initial settings for the FTP server. Let us configure TLS in the next step. This involves creating a self-signed certificate and secret key (the secret key is not mandatory). Luckily, FileZilla has a built-in ability to create a self-signed certificate for you!

Once you are on the FTP over TLS settings page, you can use the generate new certificate button to bring this window up. Fill in the correct information and generate the certificate. FileZilla will automatically set up the certificate for you. The “Save key and certificate to this file:” location should be chosen wisely. Your certificate is read from this location, so make sure that you generate the certificate in a location/folder that is not prone to accidental deletion.

Now we will create a new user and set up a few details for testing.

In the above step, I have created a user with read-only privileges and assigned access to a single directory. As long as you want your users NOT to upload files to your FTP server, this setup is sufficient for a normal user. Please refer to the FileZilla documentation for in-depth knowledge about creating groups and users.

Finally, we will configure Windows Firewall in order to establish the connection. Please note, I am against disabling the firewall and other security suites that are installed/configured in any environment, except for testing. You must NOT disable them permanently. If your browsing and other internet activities are limited to reputed websites and services, I can assure you that you don’t need a commercial product to protect your Windows box. The built-in Defender suite does a wonderful job protecting your computer. Follow the images below to create an incoming rule for the FTP traffic on the very server/computer on which you have installed FileZilla FTP Server.

Please note, there is no need to open port 990, which is used for TLS. Unfortunately, while I was trying everything, I included the port in my setup. You only need to allow TCP port 21 and the range 50000-51000 (or the port range that you prefer to use).
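The same inbound rule can be created from an elevated PowerShell prompt on the FTP server. This is an added example, not part of the original post; the rule name is made up for illustration and the ports assume control port 21 and the passive range 50000-51000 used here. It also lists any enabled inbound allow rule that still names port 990, so a leftover from testing can be removed.

```powershell
# Added example: Windows Firewall inbound rule for FileZilla FTP Server.
# Assumptions: the rule name is illustrative; ports follow this post
# (control port 21, passive range 50000-51000). Run elevated.
$ruleName = 'FileZilla FTP Server (control + passive)'   # hypothetical name
$ports    = @('21', '50000-51000')

# Make the script re-runnable: drop an earlier copy of the rule first.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Remove-NetFirewallRule
}

# Allow only TCP 21 and the passive range; port 990 is deliberately absent.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $ports -Profile Any | Out-Null

# Show what the new rule really opens.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Audit: enabled inbound allow rules that list TCP 990 explicitly.
# Exact match only; a rule covering 990 through a wider range is not reported.
$stale = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '990'
    }

if ($stale) {
    Write-Warning 'Inbound allow rules still naming TCP 990:'
    $stale | Select-Object DisplayName, Profile
} else {
    Write-Output 'No inbound allow rule names TCP 990.'
}
```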

That’s all it takes for the setup. We can try to connect to our FTP server now!

Download and install the FileZilla FTP client or one of the other FTP clients available. (You may not succeed in connecting to the FTP server using the Windows built-in command line FTP, as it doesn’t support TLS.)

As you can see from the quick connections area, I have connected to the FTP server from both the local network and the internet, and both attempts were successful.

I hope this post helps if you are desperately looking for FileZilla FTP server setup guidelines.

regards,

rajesh
