You can build an FTP site on a Windows Elastic Compute Service (ECS) instance so that you can transfer files to or from the instance after you connect to it. This topic describes how to build an FTP site on a Windows instance. This topic is applicable to Windows Server 2008 or later. In the examples, Windows Server 2016 is used.

Prerequisites

One or more Windows instances are created. In the examples, a Windows instance that has the following configurations is used:
  • Instance type: ecs.c6.large
  • Operating system: Windows Server 2016 64-bit

Step 1: Add Internet Information Services (IIS) and FTP server roles

You must install the IIS and FTP services before you can build an FTP site. If you have not installed the IIS and FTP services, perform the following steps to install the services.

  1. Connect to the Windows instance.
  2. In the lower-left corner of the Windows desktop, click the Start icon. Then, find and click Server Manager.
  3. In the top navigation bar, choose Manage > Add Roles and Features.
  4. In the dialog box that appears, accept the default settings and click Next until you reach the Select server roles step.
  5. Select Web Server (IIS). In the dialog box that appears, click Add Features and then click Next.
  6. Accept the default settings and click Next until you reach the Select role services step.
  7. Select IIS Management Console and FTP Server and click Next.
  8. Click Install. After the IIS and FTP server roles are added, click Close.

Step 2: Create a Windows user to use to access the FTP site

Create a Windows user for accessing the FTP site that you are about to build. If you want to access the FTP site as an anonymous user with the anonymous or ftp username, skip the steps described in this section.

  1. In the lower-left corner of the Windows desktop, click the Start icon. Then, find and click Windows Administrative Tools.
  2. In the Administrative Tools window, find and double-click Computer Management.
  3. In the left-side navigation pane, choose System Tools > Local Users and Groups > Users.
  4. In the Actions column in the right part of the window, click More Actions and then click New User...
    Configure the following parameters or settings:
    • User name: In this example, the ftptest username is used.
    • Password and Confirm password: Enter a password.
      Note: The password must contain uppercase letters, lowercase letters, and digits. Keep your password information confidential to prevent data security risks caused by password leaks.
    • Password-related settings: Select Password never expires.
  5. Click Create and close the New User dialog box.

Step 3: Configure permissions for sharing files

You must create a folder for sharing files with the FTP site and grant the access and modification permissions on the folder. Subsequently, when clients access the FTP site, all files are transferred by using this folder.

  1. On a disk of the Windows instance, create a folder for the FTP site to use.
    In this example, a folder named ftp is created on Disk C.
  2. Right-click the ftp folder and click Properties.
  3. Click the Security tab and then click Edit.
  4. Click Add.
  5. In the dialog box that appears, enter ftptest as the object name and click Check Name.
  6. Confirm that the entered object name is correct and click OK.
  7. In the Group or user names section, click the ftptest username, configure permissions in the Permissions for ftptest section, and then click OK.
    In this example, all permissions in the Allow column are selected. You can select or clear permissions in the Allow or Deny column based on your business requirements.

Step 4: Create and configure an FTP site

  1. In the lower-left corner of the Windows desktop, click the Start icon. Then, find and click Server Manager.
  2. In the top navigation bar, choose Tools > Internet Information Services (IIS) Manager.
  3. In the left-side navigation pane, choose <Hostname of the Windows instance> > Sites. Then, in the Actions column in the right part, click Add FTP Site...
  4. In the dialog box that appears, configure parameters and click Next.
    Configure the following parameters:
    • FTP site name: Enter a name for the FTP site. Example: ftptest.
    • Content Directory: Specify the path to the shared folder required by FTP. In this example, the shared folder is the ftp folder created on Disk C.
  5. Configure the IP address and SSL settings and click Next.
    Configure the following parameters:
    • IP Address: Accept the default settings.
    • SSL: In this example, No SSL is selected, which indicates that SSL encryption is not required. If you want to secure data transfers and already have an SSL certificate, select Allow SSL or Require SSL.
      • No SSL: SSL encryption is not required.
      • Allow SSL: The FTP server is allowed to support both non-SSL and SSL connections with a client.
      • Require SSL: SSL encryption is required for communication between the FTP server and a client.
    • Accept the default settings for other parameters.
  6. Configure authentication and authorization information and click Finish.
    Configure the following parameters:
    • Authentication: In this example, only Basic is selected. Then, you can use the ftptest user that you created to access the FTP site. If you do not have security requirements on data transfers, you can select Anonymous so that you can access the FTP site as an anonymous user.
      • Anonymous: allows users that provide the anonymous or ftp username to access content.
      • Basic: requires users to provide valid usernames and passwords to access content. Basic authentication transmits unencrypted passwords across the network. We recommend that you use basic authentication only when you are certain that the connection between the client and the FTP server is secure, such as when SSL encryption is used.
    • Authorization: In this example, Allow access to is set to Specified users, and ftptest is entered.
      • All users: All users are allowed to access the shared folder corresponding to the FTP site.
      • Anonymous users: Anonymous users can access the shared folder corresponding to the FTP site.
      • Specified roles or user groups: Only specified roles or members of specified groups can access the shared folder corresponding to the FTP site. Enter roles or groups in the corresponding field.
      • Specified users: Only specified users can access the shared folder corresponding to the FTP site. Enter usernames in the corresponding field. In this example, ftptest is entered.
    • Permissions: Select both Read and Write.
    After the preceding steps are performed, you can view the built FTP site in Internet Information Services (IIS) Manager.
  7. Configure the firewall of the FTP site.
    1. In the Internet Information Services (IIS) Manager window, double-click the FTP site name ftptest to go to the ftptest Home page.
    2. Double-click FTP Firewall Support.
    3. In the External IP Address of Firewall field, enter <Public IP address of the Windows instance>.
    4. In the Actions column on the right, click Apply. In the message that appears, click OK.
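
The SSL, authentication, and authorization choices made in the wizard are stored in applicationHost.config, so they can be reviewed after the site is created. The following PowerShell check is an added example, not part of the original procedure: the function name Test-FtpSiteConfig is hypothetical, and the sample fragment is constructed to resemble a site created with the choices in this topic (No SSL, Basic, Specified users). It reports Basic authentication on a site that does not require SSL, a missing certificate binding, anonymous access, and Allow rules that are not limited to named users.

```powershell
# Added example, not part of the original topic. $sample is a CONSTRUCTED
# applicationHost.config fragment (No SSL, Basic, Specified users = ftptest).
$sample = @'
<configuration>
  <system.applicationHost><sites>
    <site name="ftptest" id="2">
      <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
      <ftpServer><security>
        <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
        <authentication><basicAuthentication enabled="true" /></authentication>
      </security></ftpServer>
    </site>
  </sites></system.applicationHost>
  <location path="ftptest"><system.ftpServer><security><authorization>
    <add accessType="Allow" users="ftptest" permissions="Read, Write" />
  </authorization></security></system.ftpServer></location>
</configuration>
'@

function Test-FtpSiteConfig {    # hypothetical helper name
    param([Parameter(Mandatory)][string]$ConfigXml)
    $doc = [xml]$ConfigXml
    foreach ($site in $doc.SelectNodes('//sites/site[bindings/binding/@protocol="ftp"]')) {
        $name  = $site.GetAttribute('name')
        $ssl   = $site.SelectSingleNode('ftpServer/security/ssl')
        $auth  = 'ftpServer/security/authentication'
        $basic = $site.SelectSingleNode("$auth/basicAuthentication[@enabled='true']")
        $anon  = $site.SelectSingleNode("$auth/anonymousAuthentication[@enabled='true']")
        $found = @()
        # Only values written explicitly on the site are read; inherited defaults are not evaluated.
        if ($null -ne $anon) { $found += 'Anonymous authentication is enabled' }
        if ($null -ne $ssl -and -not $ssl.GetAttribute('serverCertHash')) {
            $found += 'No serverCertHash on <ssl>: no certificate is bound for SSL'
        }
        if ($null -ne $basic -and $null -ne $ssl -and $ssl.GetAttribute('controlChannelPolicy') -eq 'SslAllow') {
            $found += 'Basic authentication with controlChannelPolicy=SslAllow: passwords can be sent unencrypted'
        }
        foreach ($loc in $doc.SelectNodes('//location')) {
            if ($loc.GetAttribute('path') -ne $name) { continue }
            foreach ($rule in $loc.SelectNodes('.//authorization/add[@accessType="Allow"]')) {
                $users = $rule.GetAttribute('users')
                if ($users -in @('*', '?')) { $found += "Allow rule for users='$users' is not limited to named users" }
            }
        }
        foreach ($f in $found) { [pscustomobject]@{ Site = $name; Finding = $f } }
    }
}
Test-FtpSiteConfig -ConfigXml $sample
# On the server: Test-FtpSiteConfig (Get-Content -Raw "$env:windir\System32\inetsrv\config\applicationHost.config")
```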

Step 5: Configure security groups and the firewall

After you build the FTP site on the Windows instance, you must add inbound rules to the security groups of the instance to allow traffic to port 21 and the passive port range of 1024 to 65535 of the FTP server.

  1. In the security groups of the Windows instance, add inbound rules to allow traffic to port 21 and ports in the range of 1024 to 65535.
    For more information, see Add security group rules.
    Note: For more information about security groups, see Security groups for different use cases and Common ports used by applications.
  2. Optional: Configure the firewall of the Windows instance.
    By default, the firewall of the Windows instance is disabled. If your firewall is enabled, allow traffic on TCP port 21 and ports in the range of 1024 to 65535 for the FTP service.

    For more information about firewall settings, see Build an FTP Site on IIS.
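
The rules above open every port from 1024 to 65535. IIS can instead be told to use a fixed passive port range, so that only port 21 and that range need to be allowed. The following PowerShell is an added example, not part of the original procedure: the function name Set-FtpPassiveRange, the rule names, and the range 50000-50100 are assumptions, and the firewall cmdlet requires Windows Server 2012 or later.

```powershell
# Added example, not part of the original topic. The range 50000-50100 and
# the rule names are assumptions; choose values that fit your environment.
Import-Module WebAdministration

function Set-FtpPassiveRange {    # hypothetical helper name
    param(
        [ValidateRange(1025, 65535)][int]$Low  = 50000,
        [ValidateRange(1025, 65535)][int]$High = 50100
    )
    if ($Low -gt $High) { throw "Low port $Low is greater than high port $High" }

    # Server-level setting shown as "Data Channel Port Range" in FTP Firewall Support.
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Filter = 'system.ftpServer/firewallSupport' }
    Set-WebConfigurationProperty @common -Name lowDataChannelPort  -Value $Low
    Set-WebConfigurationProperty @common -Name highDataChannelPort -Value $High

    # Windows Firewall: the control channel plus only the passive range chosen above.
    New-NetFirewallRule -DisplayName 'FTP control (TCP 21)' -Direction Inbound `
        -Protocol TCP -LocalPort 21 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "FTP passive (TCP $Low-$High)" -Direction Inbound `
        -Protocol TCP -LocalPort "$Low-$High" -Action Allow | Out-Null

    # Restart the FTP service so that it picks up the new port range.
    Restart-Service -Name ftpsvc

    # Return the range so the same value can be used in the security group rule.
    "$Low-$High"
}

Set-FtpPassiveRange -Low 50000 -High 50100
```

With this in place, the inbound security group rule for the passive ports can be limited to the same range instead of 1024 to 65535.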

Step 6: Use a client to test access to the FTP site

Windows File Explorer, command-line tools, browsers, or third-party FTP connection tools can be used to test the FTP server. In this example, a Windows computer is used as an FTP client and Windows File Explorer is used to access the FTP site.

  1. On the Windows computer, open Windows File Explorer and enter ftp://<Public IP address of the FTP site>:21 in the address bar.
    In this example, Windows 10 is used.
  2. In the Log On As dialog box, configure logon credentials and click OK.
    In this example, the ftptest username and its corresponding password are used as credentials to log on to the FTP site.
    When you use Windows File Explorer to access the FTP site, if Use Passive FTP is not enabled for the IE browser on Windows, you cannot access the FTP site. The error codes 200 and 501 are returned. You can perform the following steps to enable Use Passive FTP for the IE browser and then access the FTP site again.
    1. On the Windows computer, open the IE browser.
    2. In the upper-right corner, click the Tools icon and select Internet Properties.
    3. Click the Advanced tab. In the Settings section, find and select Use Passive FTP (for firewall and DSL modem compatibility).
    4. Click Apply and then click OK.
    After you access the shared ftp folder that corresponds to the FTP site, you can create a test folder named test. Then, you can log on to the Windows instance again. If the FTP site is built and can be used for data transfers, you can find the test folder in the ftp folder on Disk C.

What to do next

  • You can reinforce the security of FTP. For more information, see FTP anonymous logon and weak password vulnerabilities.
  • If you want to manage files stored in Object Storage Service (OSS) based on FTP, you can install ossftp. For more information, see Overview.

    After ossftp receives a common FTP request, ossftp maps operations on files and folders as operations on OSS.