IIS 7.5 FTPS external access – 534 Policy requires SSL

Tags: ftps, iis-7.5, windows-server-2008

I have set up an FTP site that requires SSL, but when I try to connect to it externally I get the error:

220 Microsoft FTP Service
534 Policy requires SSL.

I know – I set it so! Why doesn't it fetch the SSL cert from the site and allow me to log on?!

(Incidentally beware of all the tutorials that Allow but do not Require SSL – while that will solve the problem it will be because SSL is not being used!).

I suspect it may be that I need a client that supports FTPS (FTP over SSL), and Windows Explorer just uses IE, which does not. But trying FileZilla and WinSCP I get a little further, but then it hangs on TLS/SSL negotiation expecting a response from the server...

UPDATE: I have tried (from: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/):

  1. Configure the Passive Port Range for the FTP Service.
  2. Configure the external IPv4 Address for a Specific FTP Site.
  3. Configure the firewall to allow the FTP service to listen on all ports that it opens.
  4. Disable stateful FTP filtering so that Windows Firewall will not block FTP traffic.

And still I get (in FileZilla trying both Active and Passive):

Status: Connecting to 203.x.x.x:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error:  Connection timed out
Error:  Could not connect to server

The Windows firewall logs unhelpfully have nothing to say.

UPDATE2: Turning the firewall off does not resolve the problem.

I cannot believe how difficult it is to get something so simple to work and even once following the documentation it does not work.

UPDATE3: Running FileZilla locally, connecting through the loopback works in Active mode; in Passive mode I get up to:

Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  GnuTLS error -53: Error in the push function.

Turning the firewall off at both ends, I still cannot connect the client and get the same error as above.

Best Answer

You're correct that FileZilla or WinSCP is needed. Basically those FTP settings say that anyone trying to use the normal method over port 21 should be denied, and it doesn't attempt to re-establish a different type of connection. Thus IE and the command-line options won't work.

A good test is to install FileZilla locally on the FTP server, or on another server that doesn't have a firewall in between. Get it working there to prove that it works, and then start looking at your firewall policy to allow it through. Most likely you're running against a firewall rule that blocks the dynamic ports necessary for FTPS.

In FileZilla, use "explicit FTP over TLS" and test using active and passive mode. Active and passive require different firewall ports.
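The answer's advice amounts to finding which stage of the explicit-TLS handshake stalls: the control connection, the AUTH TLS exchange, the TLS negotiation on port 21, the login, or the data channel (whose ports differ between active and passive mode). The following Python script is an added example, not code from the question, the answer, or IIS. It does two things: it classifies a FileZilla-style transcript (the two transcripts from the question are embedded as samples) by the last stage that completed and the stage that failed, and it can run the same handshake live with the standard library's ftplib, one stage at a time with a timeout, so the stall is attributed to a stage instead of to a hung GUI. The stage names and the "what to check" hints are this example's own assumptions about typical causes, not anything the server reports.

```python
"""Stage-by-stage troubleshooting helpers for explicit FTPS ("AUTH TLS").
Added example for this thread; not code from the question, the answer or IIS."""
import re
import ssl
from ftplib import FTP_TLS, all_errors

# Stages in the order an explicit-TLS client goes through them.
STAGES = ("tcp_connect", "banner", "auth_tls", "tls_handshake", "login", "data_channel")

# What to check when a given stage is the one that fails (assumed typical causes).
CHECK_FOR = {
    "tcp_connect": "port 21 unreachable: control-port firewall/NAT rule",
    "banner": "TCP connects but no 220 banner: service down or a proxy on port 21",
    "auth_tls": "AUTH TLS rejected: SSL not enabled on the site or no certificate bound",
    "tls_handshake": "234 received but TLS never completes: a stateful FTP inspector "
                     "(firewall/NAT ALG) still parsing the now-encrypted control channel",
    "login": "TLS is up but login fails: credentials or per-user SSL policy",
    "data_channel": "control channel fine, transfer fails: passive port range / external "
                    "IPv4 address not opened, or active-mode inbound ports blocked",
}

# Log evidence that a stage completed: (line kind, regex on the line body).
_COMPLETED_IF = {
    "tcp_connect": [("Status", r"^Connection established")],
    "banner": [("Response", r"^220")],
    "auth_tls": [("Response", r"^234")],
    "tls_handshake": [("Command", r"^(USER|PBSZ|PROT)\b"),        # only sent once TLS is up
                      ("Status", r"^TLS connection established")],
    "login": [("Response", r"^230"),                               # or any command needing a session
              ("Command", r"^(LIST|NLST|MLSD|RETR|STOR|PASV|PORT|EPSV)\b")],
    "data_channel": [("Response", r"^226")],
}
_LINE = re.compile(r"^(Status|Command|Response|Error|Trace):\s*(.*)$")

# Transcripts quoted in the question (external attempt; loopback passive attempt).
SAMPLE_LOG_EXTERNAL = """Status: Connecting to 203.x.x.x:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error:  Connection timed out
Error:  Could not connect to server"""
SAMPLE_LOG_LOOPBACK_PASSIVE = """Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  GnuTLS error -53: Error in the push function."""


def _report(last_completed, error):
    """Turn 'furthest stage completed' + error into a diagnosis dict."""
    if error is None:
        return {"last_completed": last_completed, "failed_stage": None, "check": None, "error": None}
    nxt = STAGES.index(last_completed) + 1 if last_completed else 0
    failed = STAGES[min(nxt, len(STAGES) - 1)]
    return {"last_completed": last_completed, "failed_stage": failed,
            "check": CHECK_FOR[failed], "error": error}


def classify_client_log(log_text):
    """Classify a FileZilla-style Command:/Response:/Status:/Error: transcript."""
    completed, error = set(), None
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group(1), m.group(2).strip()
        if kind == "Error" and error is None:
            error = body
        for stage, rules in _COMPLETED_IF.items():
            if any(kind == k and re.match(rx, body) for k, rx in rules):
                completed.add(stage)
    # A later stage implies the earlier ones; take the furthest one seen.
    idx = max((STAGES.index(s) for s in completed), default=-1)
    return _report(STAGES[idx] if idx >= 0 else None, error)


def probe_explicit_ftps(host, port=21, user=None, password=None, passive=True,
                        timeout=10, verify=True):
    """Run the explicit-TLS handshake live, stage by stage, with a per-stage timeout."""
    ctx = ssl.create_default_context()
    if not verify:  # connectivity diagnosis only, e.g. against a self-signed IIS certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ftp, last = FTP_TLS(context=ctx, timeout=timeout), None
    try:
        ftp.connect(host, port)            # TCP connect and 220 banner
        last = "banner"
        ftp.voidcmd("AUTH TLS")            # expect 234 (a 534 would be rejected here)
        last = "auth_tls"
        ftp.sock = ctx.wrap_socket(ftp.sock, server_hostname=host)   # what FTP_TLS.auth() does
        ftp.file = ftp.sock.makefile("r", encoding=ftp.encoding)
        last = "tls_handshake"
        if user is None:
            return _report(last, None)
        ftp.login(user, password)
        last = "login"
        ftp.prot_p()                       # PROT P: encrypt the data channel as well
        ftp.set_pasv(passive)              # active and passive need different firewall rules
        ftp.nlst()                         # opens a data connection; port-range rules bite here
        return _report("data_channel", None)
    except all_errors as exc:              # ftplib errors, socket timeouts and TLS failures
        return _report(last, f"{type(exc).__name__}: {exc}")
    finally:
        ftp.close()
```

Running `classify_client_log` over the question's external transcript reports `auth_tls` as the last completed stage and `tls_handshake` as the failing one, which matches the answer's suspicion of an intermediate device rather than the IIS policy; the loopback passive transcript classifies as a `data_channel` failure, pointing at the passive port range. `probe_explicit_ftps("ftp.example.test", passive=False)` repeats the same handshake from a shell on the server or on an internal host, as the answer suggests, so the two vantage points can be compared stage for stage.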