Secure File Transfer with Microsoft FTP over SSL and Forefront Threat Management Gateway (TMG) 2010
Today there are myriad ways to securely transfer files over the public Internet. Numerous file sharing sites exist (e.g. SykDrive, Box, Dropbox, etc.) and Peer-to-Peer file transfers are common too. In spite of the ubiquity of file sharing sites and services that are available, many organizations still require the ability to transfer files from one location to another directly. Accomplishing this in a secure manner can be challenging however. In this month’s article I’ll demonstrate how to build a secure file transfer solution using the Microsoft FTP server included with Windows Server 2012 R2 and the Forefront Threat Management Gateway (TMG) 2010 firewall.
FTP Protocol Background
The File Transfer Protocol (FTP) has been around since the earliest days of the Internet. Originally documented in RFC 765, the protocol itself was never designed with privacy or security in mind. The most serious security issue with FTP is the transmission of authentication credentials in clear text. Anyone with access to the communication stream would be able to capture this information with relative ease. If the credentials used for FTP are also domain credentials, an attacker would be able to gain access to other corporate resources using this information. In addition, FTP has no provision to encrypt data transfer, exposing the transmission of sensitive information to interception as well. FTP suffers from a variety of other security issues which are outlined in RFC 2577. To address some of these concerns, RFC 4217 described a mechanism to protect FTP communing using SSL and TLS, resulting in the FTPS protocol. It’s important to understand that FTPS differs fundamentally from SFTP, the SSH File Transfer Protocol. SFTP transfers files using Secure Shell (SSH) and shares little in common with FTPS, other than the fact that they are both secure methods of transferring files.
Considerations for Publishing FTPS with TMG
FTP is a complex protocol. It makes use of discrete control and data channels. When an FTP client connects to an FTP server, it establishes a connection to the FTP control channel on the default TCP port 21. It is over this control channel that authentication information is passed. Once the user is authenticated (if required) a data channel is negotiated between the FTP server and the client using a random port chosen from the ephemeral (dynamic) port range. When publishing standard (non-secure) FTP, TMG leverages an application filter, the FTP Access Filter, to listen in on the communication in the FTP control channel to effectively learn which TCP port the client and server will use for the data channel. When this occurs, the TMG firewall will dynamically open the necessary ports as required to allow the transfer to take place. FTP over SSL breaks this. With the control channel now encrypted, the TMG firewall is unable to listen in on this conversation to determine which ports to open for the data channel. As such, when we configure the TMG firewall to publish an FTP server that uses SSL, we’ll have to statically define the control channel port range accordingly.
Preparing the FTP Server
For this demonstration I’ll be using Windows Server 2012 R2. However, FTP over SSL has been available since IIS 7, so these instructions should similar for Windows Server 2008/R2. To begin, open an elevated PowerShell command window and execute the following command:
Install-WindowsFeature Web-Ftp-Server -IncludeManagementTools
Next we’ll request a certificate from our certificate authority (CA). Open a Microsoft management console (mmc.exe) and add the Certificates snap-in for the Computer account. Expand the Certificates (Local Computer) node in the navigation tree, and then right-click Personal and choose All Tasks and Request New Certificate. Note: Self-signed certificates are supported and can be used for testing. However, they should never be used in a production environment.
Click Next, then choose the option to request a certificate from the Active Directory Enrollment Policy. Click Next, select the Computer certificate template, and then click Enroll.
Open the IIS management console, right-click the root node in the navigation tree and choose Add FTP Site.
Provide a descriptive name for the FTP site, specify the physical path for the Content Directory, and then click Next. Be sure that NTFS permissions on the content directory allow the appropriate users read and/or write access as necessary.
Choose a specific IP address to bind the FTP site to, or leave the default setting All Unassigned. Make sure the option to Require SSL is checked and select the SSL Certificate you previously requested.
Because this is a secure file transfer site we’ll select the option to use Basic authentication. Basic authentication is passed in clear text, which in normal circumstances would be a bad idea. However, we’re using FTP over SSL, so the credential exchange is encrypted. Choose the appropriate authorization for your deployment. Here I’ve chosen to grant access only to a specific user. You can, however, grant access to all users or specific roles or user groups. In addition, select the necessary permissions to allow read and/or write access as required.
Highlight the root node in the navigation tree and double-click FTP Firewall Support.
In the Data Channel Port Range enter a value of 50000-50100. Remember this value, as you will specify this port range when you create the server publishing rule on the TMG firewall later. Note that depending on the number of concurrent sessions this FTP site will handle, it may be necessary to increase this value. Leave the External IP Address of Firewall field blank. Click Apply in the Actions pane on the right side of the IIS management console when finished.
Once configuration is complete, it may be necessary to issue an iisreset command or restart the server to enable FTP server functionality. In addition, it is recommended that you test access to the FTP server internally to ensure that it is working correctly before proceeding with publishing and external testing.
Configuring TMG Server Publishing Rule
In the TMG management console, right-click Firewall Policy in the navigation tree and choose New and Non-Web Server Protocol Publishing Rule.
Provide a descriptive name for the rule and choose Next.
Enter the IP address of the FTP server and choose Next.
FTP over SSL is not natively support in Forefront TMG 2010, so it will be necessary to create a new protocol object for this rule. Click New to proceed.
Provide a descriptive name for the new protocol object and choose Next.
Click New and select TCP for the protocol type, Inbound for the direction, and 21 for the port range and then click Ok.
Click New again and select TCP for the protocol type, Inbound for the direction, and 50000-50100 for the port range and click Ok.
Select No when asked about using secondary connections, and then click Next, Finish, and Next again to continue. Select the IP address(es) you wish to listen on and choose Next.
Review the summary and then click Finish, and then apply the configuration.
Testing FTP over SSL
Using an FTP client that supports FTP over SSL, establish a connection to the FTP site from the public Internet. Enter the hostname or IP address of the FTP site, and specify the appropriate username and password. Also, be sure to specify the use of Auth TLS when connecting to this FTP site.
Verify that the SSL certificate information is correct before accepting.
Once connected you’ll see that our session is now protected using TLSv1 with AES128-SHA1.
In my testing, the popular FTP client FileZilla did not work with my FTP site using SSL. However, other FTP clients worked without issue.
Although FTP has been around since the dawn of Internet time, it is still a useful and reliable file transfer mechanism. However, it falls short when it comes to protecting the authentication exchange and providing privacy for the transfer of sensitive information. Using the Microsoft FTP server and enabling protection with SSL/TLS effectively addresses these concerns. Using FTPS, the exchange of credentials and information is fully protected with strong encryption. Publishing an internal FTPS server using Forefront TMG can be done easily, although it does require taking a few additional steps to support the encrypted data channel. If you’re still using standard (non-secure) FTP for transferring data today, it’s time to consider migrating to a secure file transfer solution using Windows Server and Forefront TMG 2010.