Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options. This document walks you through configuring the firewall settings for the new FTP server. It contains:

- Prerequisites
- Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication
- Step 1: Configure the Passive Port Range for the FTP Service
- Step 2: Configure the External IPv4 Address for a Specific FTP Site
- (Optional) Step 3: Configure Windows Firewall Settings
- More Information about Working with Firewalls

Prerequisites

The following items are required to be installed to complete the procedures in this article:

1. IIS 7 must be installed on your Windows Server 2008 computer, and Internet Information Services (IIS) Manager must be installed.
2. The new FTP service. You can download and install the FTP service from the web site using one of the following links:
   - FTP 7.5 for IIS 7 (x64)
   - FTP 7.5 for IIS 7 (x86)
3. You must create a root folder for FTP publishing:
   - Create a folder at %SystemDrive%\inetpub\ftproot
   - Set the permissions to allow anonymous access:
     - Open a command prompt.
     - Type the following command:

           ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T

     - Close the command prompt.

Important Notes:

The settings listed in this walkthrough specify %SystemDrive%\inetpub\ftproot as the path to your FTP site. You are not required to use this path; however, if you change the location for your site, you will have to change the site-related paths that are used throughout this walkthrough.

Once you have configured your firewall settings for the FTP service, you must configure your firewall software or hardware to allow connections through the firewall to your FTP server. If you are using the built-in Windows Firewall, see the (Optional) Step 3: Configure Windows Firewall Settings section of this walkthrough. If you are using a different firewall, please consult the documentation that was provided with your firewall software or hardware.

Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication

In this section, you create a new FTP site that can be opened for read-only access by anonymous users. To do so, use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the Sites node in the tree.
2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
3. When the Add FTP Site wizard appears:
   - Enter My New FTP Site in the FTP site name box, then navigate to the %SystemDrive%\inetpub\ftproot folder that you created in the Prerequisites section. Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
   - Click Next.
4. On the next page of the wizard:
   - Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of All Unassigned. Because you will be accessing this FTP site remotely, make sure that you do not restrict access to the local server by entering the local loopback IP address for your computer in the IP Address box.
   - You would normally enter the TCP/IP port for the FTP site in the Port box. For this walkthrough, accept the default port of 21.
   - For this walkthrough, you do not use a host name, so make sure that the Virtual Host box is blank.
   - Make sure that the Certificates drop-down is set to Not Selected and that the Allow SSL option is selected.
   - Click Next.
5. On the next page of the wizard:
   - Select Anonymous for the Authentication settings.
   - For the Authorization settings, choose Anonymous users from the Allow access to drop-down.
   - Select Read for the Permissions option.
   - Click Finish.
6. Go to IIS 7 Manager. Click the node for the FTP site that you created. The icons for all of the FTP features are displayed.

Summary

To recap the items that you completed in this step:

1. You created a new FTP site named My New FTP Site, with the site's content root at %SystemDrive%\inetpub\ftproot.
2. You bound the FTP site to the local loopback address for your computer on port 21, choosing not to use Secure Sockets Layer (SSL) for the FTP site.
3. You created a default rule for the FTP site to allow anonymous users Read access to the files.

Step 1: Configure the Passive Port Range for the FTP Service

In this section, you configure the server-level port range for passive connections to the FTP service. Use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the server-level node in the tree.
2. Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
2. You can enter a special port range of 0-0 to configure the FTP server to use the Windows TCP/IP dynamic port range.
3. For additional information, please see the following Microsoft Knowledge Base articles:
   - 174904 - Information about TCP/IP port assignments
   - 929851 - The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
4. This port range will need to be added to the allowed settings for your firewall server.

Step 2: Configure the External IPv4 Address for a Specific FTP Site

In this section, you configure the external IPv4 address for the specific FTP site that you created earlier. Use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.
2. Enter the IPv4 address of the external-facing interface of your firewall server for the External IP Address of Firewall setting.
3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

Summary

To recap the items that you completed in this step:

1. You configured the passive port range for your FTP service.
2. You configured the external IPv4 address for a specific FTP site.

(Optional) Step 3: Configure Windows Firewall Settings

Windows Server 2008 contains a built-in firewall service to help secure your server from network threats. If you choose to use the built-in Windows Firewall, you will need to configure your settings so that FTP traffic can pass through the firewall. There are a few different configurations to consider when using the FTP service with the Windows Firewall: whether you will use active or passive FTP connections, and whether you will use unencrypted FTP or FTP over SSL (FTPS). Each of these configurations is described below.

Note: You will need to make sure that you follow the steps in this section of the walkthrough while logged in as an administrator. This can be accomplished by one of the following methods:

- Logging in to your server using the actual account named Administrator.
- Logging on using an account with administrator privileges and opening a command prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting Run as administrator.

One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents administrator access to your firewall settings. For more information about UAC, please see the following documentation: /fwlink/?LinkId=113664

Note: While Windows Firewall can be configured using the Windows Firewall applet in the Windows Control Panel, that utility does not have the required features to enable all of the features for FTP. The Windows Firewall with Advanced Security utility that is located under Administrative Tools in the Windows Control Panel has all of the required features to enable the FTP features, but in the interests of simplicity this walkthrough will describe how to use the command-line Netsh.exe utility to configure the Windows Firewall.

Using Windows Firewall with non-secure FTP traffic

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
2. To open port 21 on the firewall, type the following syntax, then hit Enter:

       netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21

3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax, then hit Enter:

       netsh advfirewall set global StatefulFtp enable

Important Notes:

- Active FTP connections would not necessarily be covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.
- FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some third-party firewall filters recognize the beginning of SSL negotiation, e.g. the AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)

Using Windows Firewall with secure FTP over SSL (FTPS) traffic

The stateful FTP packet inspection in Windows Firewall will most likely prevent SSL from working, because the Windows Firewall filter for stateful FTP inspection will not be able to parse the encrypted traffic that would establish the data connection. Because of this behavior, you will need to configure your Windows Firewall settings for FTP differently if you intend to use FTP over SSL (FTPS).

The easiest way to configure Windows Firewall to allow FTPS traffic is to list the FTP service on the inbound exception list. The full service name is Microsoft FTP Service, and the short service name is ftpsvc. (The FTP service is hosted in a generic service process host (Svchost.exe), so it is not possible to put it on the exception list through a program exception.)

To configure Windows Firewall to allow secure FTP over SSL (FTPS) traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
2. To configure the firewall to allow the FTP service to listen on all ports that it opens, type the following syntax, then hit Enter:

       netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in

3. To disable stateful FTP filtering so that Windows Firewall will not block FTP traffic, type the following syntax, then hit Enter:

       netsh advfirewall set global StatefulFtp disable

More Information about Working with Firewalls

It is often challenging to create firewall rules that let an FTP server work correctly, and the root cause of this challenge lies in the FTP protocol architecture. Each FTP client requires two connections to be maintained between client and server:

- FTP commands are transferred over a primary connection called the Control Channel, which is typically the well-known FTP port 21.
- FTP data transfers, such as directory listings or file upload/download, require a secondary connection called the Data Channel.

Opening port 21 in a firewall is an easy task, but this means that an FTP client will only be able to send commands, not transfer data. This means that the client will be able to use the Control Channel to successfully authenticate and create or delete directories, but the client will not be able to see directory listings or upload/download files. This is because data connections for the FTP server are not allowed to pass through the firewall until the Data Channel has been allowed through the firewall.

Note: This may appear confusing to an FTP client, because the client will seem to be able to successfully log in to the server, but the connection may appear to time out or stop responding when attempting to retrieve a directory listing from the server.

The challenges of working with FTP and firewalls do not end with the requirement of a secondary data connection; to complicate things even more, there are actually two different ways to establish the data connection:

- Active Data Connections: In an active data connection, an FTP client sets up a port for data channel listening and the server initiates a connection to the port; this is typically from the server's port 20. Active data connections used to be the default way of connecting to an FTP server; however, active data connections are no longer recommended
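The following Python script is an added example, not part of the walkthrough and not Microsoft's code. It ties the three configuration steps to the protocol behaviour described above: it validates a Data Channel Port Range the way the Step 1 notes describe (1024 through 65535, or the special 0-0), decodes the 227 Entering Passive Mode reply the server sends a client and checks that the advertised address and port match the external IP of Step 2 and the range of Step 1, and models what a stateful FTP filter (the StatefulFtp setting of Step 3) can learn from the control channel, including why it learns nothing once AUTH TLS has been accepted. The passive range 5000-6000, the firewall address 203.0.113.10 and both session transcripts are constructed sample values; the reply texts are illustrative and are not taken from the FTP 7.5 service.

```python
"""Checks for the FTP firewall settings in the walkthrough: the server-level Data
Channel Port Range (Step 1), the per-site External IP Address of Firewall (Step 2)
and the effect of stateful FTP filtering on plain FTP versus FTPS (Step 3)."""
import re

SYSTEM_PORT_MAX = 1023   # ports 1-1023 are reserved for use by system services
PORT_MAX = 65535


def parse_data_channel_port_range(text):
    """Validate a Data Channel Port Range such as '5000-6000' and return (low, high).
    The special value '0-0' (use the Windows dynamic port range) returns (0, 0)."""
    m = re.fullmatch(r"\s*(\d{1,5})-(\d{1,5})\s*", text)
    if not m:
        raise ValueError(f"expected low-high, got {text!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if (low, high) == (0, 0):
        return 0, 0
    if not SYSTEM_PORT_MAX < low <= high <= PORT_MAX:
        raise ValueError(f"ports must lie in {SYSTEM_PORT_MAX + 1}-{PORT_MAX} "
                         f"with low <= high, got {text!r}")
    return low, high


def is_valid_port_range(text):
    """True when parse_data_channel_port_range accepts the value."""
    try:
        parse_data_channel_port_range(text)
        return True
    except ValueError:
        return False


PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {reply!r}")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]       # port is p1*256 + p2


def check_pasv_reply(reply, external_ip, port_range):
    """Findings that would make a client outside the firewall fail to open the data
    channel: wrong advertised address (Step 2) or a port outside the range (Step 1)."""
    ip, port = parse_pasv(reply)
    low, high = parse_data_channel_port_range(port_range)
    findings = []
    if ip != external_ip:
        findings.append(f"advertised address {ip} differs from firewall address {external_ip}")
    if (low, high) != (0, 0) and not low <= port <= high:
        findings.append(f"advertised port {port} is outside the allowed range {low}-{high}")
    return findings


def stateful_ftp_opened_ports(control_lines):
    """Data ports a stateful FTP filter would open after reading the plaintext control
    channel. Once the server accepts AUTH TLS/SSL (234 reply) the channel becomes
    ciphertext, so later PASV replies are invisible to the filter and nothing opens."""
    opened = []
    auth_requested = False
    for line in control_lines:
        if auth_requested and line.startswith("234"):
            break                                   # TLS handshake follows; filter is blind
        auth_requested = line.upper().startswith(("AUTH TLS", "AUTH SSL"))
        if line.startswith("227 "):
            opened.append(parse_pasv(line)[1])
    return opened


# Constructed sample values for the demonstration (not from the walkthrough).
EXTERNAL_IP = "203.0.113.10"                 # External IP Address of Firewall, Step 2
PASSIVE_RANGE = "5000-6000"                  # Data Channel Port Range, Step 1
GOOD_PASV = "227 Entering Passive Mode (203,0,113,10,19,136)"   # 19*256+136 = 5000
BAD_PASV = "227 Entering Passive Mode (192,168,1,20,23,113)"    # private address, 6001
PLAIN_SESSION = ["USER anonymous", "331 Password required.", "PASS guest@",
                 "230 User logged in.", "PASV", GOOD_PASV, "LIST"]
FTPS_SESSION = ["AUTH TLS", "234 AUTH command ok. Expecting TLS negotiation.",
                "USER anonymous", "331 Password required.", "PASS guest@",
                "230 User logged in.", "PASV", GOOD_PASV, "LIST"]

if __name__ == "__main__":
    print("passive range:", parse_data_channel_port_range(PASSIVE_RANGE))
    for reply in (GOOD_PASV, BAD_PASV):
        print(reply, "->", check_pasv_reply(reply, EXTERNAL_IP, PASSIVE_RANGE) or ["ok"])
    print("plain FTP, stateful filter opens:", stateful_ftp_opened_ports(PLAIN_SESSION))
    print("FTPS, stateful filter opens:", stateful_ftp_opened_ports(FTPS_SESSION))
```

Run with any Python 3 interpreter; it needs no network access. The empty result for FTPS_SESSION is the behaviour the walkthrough warns about: with StatefulFtp enabled the filter never sees the encrypted PASV reply, which is why the FTPS procedure switches to a service-based exception for ftpsvc instead.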