Walkthrough: Hosting FTP on IIS 7.5 in a Windows Azure VM

I have been struggling yesterday and today to get FTP working on IIS 7.5 in a Windows Azure Virtual Machine and I just achieved victory! To remember all the steps myself and to help others in achieving the same, I’ll describe how to accomplish this.

Spin up a virtual machine

First of all, you need a virtual machine. I needed a Windows machine with a SQL Server database so I chose ‘Microsoft SQL Server 2012 Evaluation Edition’ from the available templates.

VM choice

Once the machine has booted, you can RDP into it via the connect option at the bottom of the management portal.

Connect via RDP


When you’re in, you need to configure IIS. A summary of the required steps:

  • Add the ‘Web Server (IIS)’ role to the server.
  • Add the IIS features you need.
  • Add a TCP endpoint to your VM in the management portal with public and private port 80.

To enable FTP, make sure you enable the ‘FTP Server’ role services for your IIS role:


Add and configure FTP site

The next step is to create the actual FTP site in IIS. Right-click on ‘Sites’ in IIS Manager and select ‘Add FTP Site…’:


Add FTP site

Specify the name and the local path for the site:

Site information

Specify binding and SSL information:



And finally specify who should have access to the FTP site. Note that I selected Basic Authentication and the administrator user. This corresponds to the local administrator account on the VM (the same account you use to log in via RDP). This is definitely not the best solution: when you do not use SSL to secure access to the FTP site, your FTP credentials are sent in cleartext when logging in to the FTP site.


Local testing

You should now be able to access the FTP site from within the VM. Open a command prompt, type ‘ftp’ and log in with your administrator account.

Local test

Well, that was the easy part. You now have an FTP site that you can access locally. When you try to access it from another machine, you will notice that you can’t get a connection.

We are now getting into the nitty gritty details of the FTP protocol. Whereas you may think that FTP only uses port 21, it actually doesn’t. I’m not going into the details but there’s a good explanation here.

Configuring remote connectivity

First of all, for active FTP, in theory you need to allow access to ports 21 (FTP command port) and 20 (FTP data port). So you need to add two endpoints to your VM:

FTP Active Endpoints

So much for the theory. When attempting to connect to the FTP site using FileZilla, explicitly indicating that we’d like to use active mode, still no connection can be established. I haven’t figured out why exactly…

But of course we can still try to configure passive FTP. For this to work, we need to tell the IIS FTP server the port range it can use for data connections and we need to add endpoints to the VM that correspond to this port range.

First of all, configure the port range and external IP address for passive data connections. This can be found in IIS Manager:

Firewall support




The external IP address should be the Virtual IP address you can find in the Azure Management portal. Unfortunately, it seems impossible to specify the data channel port range here. To set this, we need the appcmd utility, which can be found in %windir%\system32\inetsrv.


cd /d %windir%\system32\inetsrv
appcmd set config /section:system.ftpServer/firewallSupport ^
    /lowDataChannelPort:7000 /highDataChannelPort:7014


In the example, I chose ports 7000 to 7014 but you can choose any port range you like as long as it corresponds to the endpoints you configure for your Azure VM.

To configure the 15 extra endpoints for my VM I decided to use the Windows Azure PowerShell cmdlets, which you can download here. You can also add 15 endpoints in the management portal, but you can only add them one by one, which takes a considerable amount of time. To be able to use these cmdlets, you first need the publish settings file for your Azure account. There are a number of ways to download the publish settings file; one way is to start Windows Azure PowerShell and use the cmdlet Get-AzurePublishSettingsFile. It opens a browser and allows you to download the publish settings file that corresponds to your Windows Live ID. The file contains a management certificate for your subscription, so keep it somewhere safe and delete it once it has been imported.

When you have downloaded the publish settings file, you can import it using the Import-AzurePublishSettingsFile cmdlet and we’re ready to start adding endpoints. I simply created a text file containing the list of commands I wanted to run and copied that into the PowerShell window:


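# One pipeline per endpoint: fetch the VM, add the endpoint, push the change.
# The pipe goes at the end of a line and the backtick continues a parameter list,
# so the commands still parse when pasted into the console.
Get-AzureVM -ServiceName 'myServiceName' -Name 'ftpportal' |
    Add-AzureEndpoint -Name 'FTPPassive00' -Protocol 'TCP' `
                      -LocalPort 7000 -PublicPort 7000 |
    Update-AzureVM
Get-AzureVM -ServiceName 'myServiceName' -Name 'ftpportal' |
    Add-AzureEndpoint -Name 'FTPPassive01' -Protocol 'TCP' `
                      -LocalPort 7001 -PublicPort 7001 |
    Update-AzureVM
# ...and so on for the remaining ports, up to 7014.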
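
The same endpoint list can be generated with a loop instead of a pasted command file. This is an added example, not part of the original walkthrough; it assumes the classic Windows Azure PowerShell module with the publish settings file already imported, and the variable names are illustrative. It skips ports that already have an endpoint, applies all changes with one update, and lists what the VM exposes afterwards.

```powershell
# Added example: classic (Service Management) Azure cmdlets, subscription already imported.
$serviceName = 'myServiceName'   # cloud service name used in the walkthrough
$vmName      = 'ftpportal'       # VM name used in the walkthrough
$lowPort     = 7000              # must match /lowDataChannelPort
$highPort    = 7014              # must match /highDataChannelPort

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
if (-not $vm) { throw "VM '$vmName' not found in service '$serviceName'." }

# Public ports that already have an endpoint, so the script can be re-run safely.
$existing = @($vm | Get-AzureEndpoint | ForEach-Object { $_.Port })

$added = 0
foreach ($port in $lowPort..$highPort) {
    if ($existing -contains $port) {
        Write-Host "Port $port already has an endpoint, skipping."
        continue
    }
    $name = 'FTPPassive{0:D2}' -f ($port - $lowPort)
    # Add-AzureEndpoint only changes the local VM object; nothing is sent to Azure yet.
    $vm = $vm | Add-AzureEndpoint -Name $name -Protocol 'TCP' `
                                  -LocalPort $port -PublicPort $port
    $added++
}

if ($added -gt 0) {
    # A single update applies all new endpoints together.
    $vm | Update-AzureVM | Out-Null
}

# Review the result: only 21 (plus 80 and RDP if used) and the passive range should be open.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint |
    Sort-Object Port |
    Format-Table Name, Protocol, Port, LocalPort -AutoSize
```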

We’re almost there. Although the Windows Firewall seems to allow all traffic that’s required, you also need to enable stateful FTP filtering on the firewall:


netsh advfirewall set global StatefulFtp enable

Finally, restart the FTP Windows service and we should be up and running:

net stop ftpsvc
net start ftpsvc

Testing with FileZilla confirms that we can now successfully connect to our new FTP site, hosted on a Windows Azure VM:


FileZilla test

Adding extra user accounts

As I said before, using the default administrator account for accessing your FTP site is a BAD idea because credentials are sent in clear-text. Therefore, create a new local user account on the VM and add an FTP authorization rule to allow access to your FTP site.
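
One way to script this step on the VM, as an added example that is not part of the original walkthrough. The site name, folder and user name are placeholders, and the WebAdministration module that ships with IIS 7.5 is assumed to be available.

```powershell
# Added example. $siteName, $sitePath and $ftpUser are placeholders, not values from the article.
Import-Module WebAdministration

$siteName = 'MyFtpSite'            # placeholder: the name entered in 'Add FTP Site…'
$sitePath = 'C:\inetpub\ftproot'   # placeholder: the local path of that site
$ftpUser  = 'ftpuser'              # placeholder: dedicated FTP-only account

# Create the local account. '*' makes net.exe prompt for the password,
# so it does not end up in the script or the console history.
net user $ftpUser * /add /passwordchg:no
if ($LASTEXITCODE -ne 0) { throw "Could not create local user '$ftpUser'." }

# Give the account modify rights on the FTP folder only (inherited by files and subfolders).
icacls $sitePath /grant "${ftpUser}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "Could not set NTFS permissions on '$sitePath'." }

# Add an FTP authorization rule for this user on this site.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' `
    -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; users = $ftpUser; roles = ''; permissions = 'Read,Write' }

# Show the resulting rules so a leftover rule for the administrator account is easy to spot.
Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' `
    -PSPath 'IIS:\' -Location $siteName |
    Select-Object accessType, users, roles, permissions
```

Once the new account is confirmed to work, the authorization rule for the administrator account can be removed from the site.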


I had some help writing this article, mainly from this article by Angelo Laris that describes how to add active and passive FTP functionality to an Azure Web or Worker Role.
Other references include:

10 replies
  1. Michael Bruce says:

    This was very helpful. One thing that you can do for the range of IP address in your setup for FTP Firewall is to set it at the server root in IIS instead of the site level.

    “The external IP address should be the Virtual IP address you can find in the Azure Management portal. Unfortunately, it seems impossible to specify the data channel port range here. To set this, we need the appcmd utility, which can be found in %windir%\system32\inetsrv.”

  2. Josh Jondle says:

    Did you ever get Active Mode working successfully? I have the same issue. Using WS FTP Server on Windows Azure VM. I can connect fine in Active from local connections, and I can connect fine in Passive from external connections, but I cannot get an Active Mode connection to work from outside the Azure network and Azure support was no help.

      • Josh Jondle says:

        Thank you for the response.

        After working with Azure support for 2 weeks, their assessment of the problem was essentially that “Active Mode FTP uses a series of random ports from a large range for the data channel from the client to the server. You can only add 150 endpoints to an Azure VM so you couldn’t possibly add all those ports and get Active FTP working 100%. In order to do this you would need to use ‘Instance level public IP’ and essentially bypass the endpoint mechanism altogether and put your VM directly on the internet and rely entirely on the native OS firewall for protection.”


        Unless my technician was wrong, that tells me that Active Mode FTP is not possible on Azure without compromising security.

        Hope this helps someone else, and if someone has Active FTP working without this compromise, please chime in.

        • Josh Jondle says:

          UPDATE: Azure Support provided an official response today:


          First of all thanks with your patience on this. As I mentioned in my last email I was working with our Technical Advisors which are Support Escalation Engineers on reproducing this environment in Azure.
          Our tests were configured using WS_FTP 7.7 (Your version 7.1) and WS_FTP 12 client as well as the Windows FTP client. The results of our testing were the same as you are experiencing. We were able to log in to the server, but we get the same Command Port/List failures.

          As we discussed previously Active FTP uses a random port for the data plane on the client side. The server connects via 21 and 20, but the incoming port is a random ephemeral port. In Passive FTP, this can be defined and therefore endpoints can be created for each port you use for part of the data plane.

          Based on our extensive testing yesterday I would not expect any other Active FTP solution to work. The escalation Engineer that assisted yesterday also discussed this with other members of his team and they have not seen any successful Active FTP deployments in Azure.

          In conclusion, my initial thoughts have been confirmed with our testing and Active FTP will not work in the Azure environment at this time. We are always striving to improve Azure’s offering so this may be something that will work in the future as we continue to grow.

          You will need to move to a passive FTP setup if you are going to host this FTP server in Azure.

  3. Don says:

    FTP server port range is not configurable per site, so it’s grayed out there. It’s a server level configuration, so you need to use the server level branch (the top level where the server name is in IIS) to set it.

