FTPS Server-In Explicit mode, FTPS conscious & unconscious clients can work together. It is also called FTPES. The client must first explicitly request security from the FTPS server & the server will reply accordingly & they will approve the parameters. If the client does not request, the server can allow it in normal mode or can refuse.

In the implicit method, the client & server must know FTPS. There are no security negotiations here. The client needs to start communication using the FTPS control message. And if the message is not received, the server will disconnect. In this mode, the server listens at 990 for control messages & 989 for data channels, but the data channel ports can be changed. FTPS Server

Note: for client connectivity, we must use FileZilla or WinSCP. Both IE and Windows Explorer do not support the FTPS protocol

Because I have a Windows 2012 server test with IIS 8.0. So I will use the same. The steps are the same for Windows 2008 R2 which is equipped with IIS 7.5.
  • Install the Role of IIS - FTP Server Service

  1. Using Powershell "Add-WindowsFeature Web-FTP-Service, WEB-Mgmt-Console"
  2. Or Use Server Manager and Install FTP Services from the IIS Web Role

  • Open IIS Manager, Right-click the Site folder & Click Add FTP Site

  • If you want to bind the IP address type details.
  • Type 990 as the FTPS Control Channel Port
  • Virtual Host Depends on whether you will host several FTP Servers.
  • Click and tick to "Start FTP Sites Automatically"
  • If you explicitly build an FTPS server, select Require SSL & Select your SSL Certificate that is installed & click next
  • Because I installed Cert SSL from my internal Windows Certificate Authority. FTPS Server

  • If you create an Anonymous site, choose another, choose Basic
  • Choose the right authorization policy. This policy will be applied at the site level & FTP Virtual Directory will inherit it.
  • I prefer "certain roles or user groups" with Local Group & Read Permissions.
  • According to my FTP administration procedure, I always add FTP users to that group. So all members of that group can enter this FTP site with read access.
  • So by default this configuration will have all my FTP users have read access to all virtual directories. Then if I need special settings for them, I modify Authorization at the virtual directory level. Will be discussed later. FTPS Server


  • Now your FTPS site is ready;
  • Let's check what has been configured by double-clicking on the specific icon on the site's home page

  • Authentication & Authorization
  • Directory Search style as MS-DOS, FTP FTP Settings as we configured at the beginning

  • I chose "user's home directory" as the user's entry point. You can limit them to checking other users' folders too.
  • The other main configuration point is the Data Channel Port. This is the Passive Port range. We determine which server ports & clients need to transfer data.
  • You must configure it on IIS Server Level. So select the IIS server name & configure the Data Channel Port. I configured them to 5000-5001. You can choose your number one.
  • FTP sites on this IIS server will inherit these numbers.
  • If you are going to publish this server to the internet through a firewall & publishing this server to the internet using NAT rules. Make sure you configure the Public IP address in the External IP Address box. FTPS Server.

  • Until now our FTPS server is ready, let's talk to your External Firewall Administrator & ask him to open ports 990, 5000-50001 on this Public IP Address.
  • While he does that, let's create a Virtual Directory & configure access to related users so we can test our FTPS server.
  • Create Local Windows Users as "Brajesh"
  • Create Local Windows User Groups as "FTPUsers"
  • Add the Brajesh user above to the "FTPUsers" group & delete it from the "Users" group
  • Create a folder called "Brajesh" in the FTP Root folder, for example Inside e: \ FTPRoot. Because E: \ FTPRoot is our FTP Website's Root Folder. Be sure to save the folder name as Brajesh, so it will function as a Home Directory.
  • Right-click FTP Site & Add Virtual Directory. FTPS Server.

  •     Leave the alias as Brajesh & select the Brajesh Folder that we created under E: \ FTPRoot

  •     Now you can choose Brajesh virtual directory & check its configuration
  • Under Brajesh FTP Authorization Rules, you can see FTPUsers groups added with Reading Permission
  • Add the user "Brajesh" as a particular user with permission to read & write & delete FTPU from this Authorization rule.

  • We are ready with FTPS servers & Virtual Directories

Please download Filezilla & WinSCP to test the FTPS connection.  Note that both IE and Windows
  • Explorer do not support the FTPS protocol On the Filezilla client, for hosts, just type ftps: // FTP server URL or IP, then username & password.
  • You can see it will be connected to port 990. If your certificate is trusted publicly, it won't ask you for a message of trust. In my case this is an internal certificate, so he asked me to believe it. So I will click "Always trust the certificate in the next session" and click OK. If you do not trust the certificate, it will be connected but will not let you upload any data. Because it will not be able to authenticate SSL channels!
Free Download Client:

FileZilla
Free Download
WinSCP
Free Download


  • Let's see the FileZilla connection message.
  • Do you see the message "227 Entering Passive Mode (10,10,10,105,19,136)? It has two contents namely. IP Address & Port Server Data Channels are listening to the connection.
  • 10.10.10.105 is the server IP Address & 19.136 makes the port eg. (19 x 256) +136 = 5000. Remember we configured the Data Channel port as 5000 & 5001.  FTPS Server.
Now let's try with WinSCP. For WinSCP, you must change the protocol to FTP / SSL / TLS implicit encryption

  • Select accept & choose Trust if there is an SSL certificate warning

Incoming Search Terms :

Discussion: