ftp防火墻設置.docx
Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document walks you through configuring the firewall settings for the new FTP server. It contains:

Prerequisites
Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication
Step 1: Configure the Passive Port Range for the FTP Service
Step 2: Configure the External IPv4 Address for a Specific FTP Site
(Optional) Step 3: Configure Windows Firewall Settings
More Information about Working with Firewalls

Prerequisites

The following items are required to be installed to complete the procedures in this article:

1. IIS 7 must be installed on your Windows Server 2008 computer, and Internet Information Services (IIS) Manager must be installed.
2. The new FTP service. You can download and install the FTP service from the IIS web site using one of the following links:
   FTP 7.5 for IIS 7 (x64)
   FTP 7.5 for IIS 7 (x86)
3.
You must create a root folder for FTP publishing:
   Create a folder at %SystemDrive%\inetpub\ftproot.
   Set the permissions to allow anonymous access:
      Open a command prompt.
      Type the following command:
      ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T
      Close the command prompt.
   IUSR is the built-in account under which anonymous FTP requests run. Granting it only R (read) on the tree is deliberate: anonymous users must not be able to write to the content root, and this matches the read-only site created below.

Important Notes:

The settings listed in this walkthrough specify %SystemDrive%\inetpub\ftproot as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.

Once you have configured your firewall settings for the FTP service, you must configure your firewall software or hardware to allow connections through the firewall to your FTP server. If you are using the built-in Windows Firewall, see the (Optional) Step 3: Configure Windows Firewall Settings section of this walkthrough. If you are using a different firewall, please consult the documentation that was provided with your firewall software or hardware.

Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication

In this section you create a new FTP site that can be opened for read-only access by anonymous users. To do so, use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the Sites node in the tree.
2.
Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
3. When the Add FTP Site wizard appears:
   Enter My New FTP Site in the FTP site name box, then navigate to the %SystemDrive%\inetpub\ftproot folder that you created in the Prerequisites section. Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
   Click Next.
4. On the next page of the wizard:
   Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of All Unassigned. Because you will be accessing this FTP site remotely, make sure that you do not restrict access to the local server by entering the local loopback IP address for your computer in the IP Address box.
   You would normally enter the TCP/IP port for the FTP site in the Port box. For this walkthrough, accept the default port of 21.
   For this walkthrough, you do not use a host name, so make sure that the Virtual Host box is blank.
   Make sure that the Certificates drop-down is set to Not Selected and that the Allow SSL option is selected.
   Click Next.
5. On the next page of the wizard:
   Select Anonymous for the Authentication settings.
   For the Authorization settings, choose Anonymous users from the Allow access to drop-down.
   Select Read for the Permissions option.
   Click Finish.
6.
Go to IIS 7 Manager. Click the node for the FTP site that you created. The icons for all of the FTP features display.

Summary

To recap the items that you completed in this step:

1. You created a new FTP site named My New FTP Site, with the site's content root at %SystemDrive%\inetpub\ftproot.
2. You bound the FTP site to port 21 on the address you chose (All Unassigned by default), choosing not to use Secure Sockets Layer (SSL) for the FTP site. With no certificate selected the site cannot negotiate SSL, so everything on the control and data channels crosses the network in clear text; that is acceptable for the anonymous read-only site created here, but not for a site that accepts user credentials.
3. You created a default rule for the FTP site to allow anonymous users Read access to the files.

Step 1: Configure the Passive Port Range for the FTP Service

In this section, you configure the server-level port range for passive connections to the FTP service. Use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the server-level node in the tree.
2. Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
2. You can enter a special port range of 0-0 to configure the FTP server to use the Windows TCP/IP dynamic port range. Because the whole range has to be opened on your firewall (see note 4), prefer a small explicit range over 0-0: the dynamic range on Windows Server 2008 spans 49152 through 65535, which is a far larger hole than a busy site needs.
3.
For additional information, please see the following Microsoft Knowledge Base articles:
   174904 - Information about TCP/IP port assignments
   929851 - The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
4. This port range will need to be added to the allowed settings for your firewall server.

Step 2: Configure the External IPv4 Address for a Specific FTP Site

In this section, you configure the external IPv4 address for the specific FTP site that you created earlier. Use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.
2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting. This is the address the server places in its reply to a client's PASV command; without it, a server behind NAT advertises its own private address and remote clients cannot open the data connection.
3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

Summary

To recap the items that you completed in this step:

1. You configured the passive port range for your FTP service.
2. You configured the external IPv4 address for a specific FTP site.

(Optional) Step 3: Configure Windows Firewall Settings

Windows Server 2008 contains a built-in firewall service to help secure your server from network threats.
If you choose to use the built-in Windows Firewall, you will need to configure your settings so that FTP traffic can pass through the firewall. There are a few different configurations to consider when using the FTP service with the Windows Firewall: whether you will use active or passive FTP connections, and whether you will use unencrypted FTP or FTP over SSL (FTPS). Each of these configurations is described below.

Note: You will need to make sure that you follow the steps in this section of the walkthrough while logged in as an administrator. This can be accomplished by one of the following methods:
   Logging in to your server using the actual account named Administrator.
   Logging on using an account with administrator privileges and opening a command prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting Run as administrator.
One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents a non-elevated process, even one started by a member of the Administrators group, from changing your firewall settings. For more information about UAC, please see the following documentation: /fwlink/?LinkId=113664

Note: While Windows Firewall can be configured using the Windows Firewall applet in the Windows Control Panel, that utility does not have the required features to enable all of the features for FTP.
The Windows Firewall with Advanced Security utility that is located under Administrative Tools in the Windows Control Panel has all of the required features to enable the FTP features, but in the interests of simplicity this walkthrough will describe how to use the command-line Netsh.exe utility to configure the Windows Firewall.

Using Windows Firewall with non-secure FTP traffic

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
2. To open port 21 on the firewall, type the following syntax then hit enter:
   netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
3.
To enable stateful FTP filtering, which will dynamically open ports for data connections, type the following syntax then hit enter:
   netsh advfirewall set global StatefulFtp enable

Important Notes:

Active FTP connections would not necessarily be covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.

FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. the AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)
Using Windows Firewall with secure FTP over SSL (FTPS) traffic

The stateful FTP packet inspection in Windows Firewall will most likely prevent SSL from working, because the Windows Firewall filter for stateful FTP inspection will not be able to parse the encrypted traffic that would establish the data connection. Because of this behavior, you will need to configure your Windows Firewall settings for FTP differently if you intend to use FTP over SSL (FTPS).

The easiest way to configure Windows Firewall to allow FTPS traffic is to list the FTP service on the inbound exception list. The full service name is Microsoft FTP Service, and the short service name is ftpsvc. (The FTP service is hosted in a generic service process host (Svchost.exe), so it is not possible to put it on the exception list through a program exception.)

To configure Windows Firewall to allow secure FTP over SSL (FTPS) traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
2. To configure the firewall to allow the FTP service to listen on all ports that it opens, type the following syntax then hit enter:
   netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
   Because this rule is scoped to the service rather than to a port, it admits inbound TCP on every port ftpsvc listens on. Keep the data channel port range from Step 1 narrow, and on your edge firewall allow only port 21 plus that range.
3.
To disable stateful FTP filtering so that Windows Firewall will not block FTP traffic, type the following syntax then hit enter:
   netsh advfirewall set global StatefulFtp disable

More Information about Working with Firewalls

It is often challenging to create firewall rules for an FTP server to work correctly, and the root cause for this challenge lies in the FTP protocol architecture. Each FTP client requires two connections to be maintained between client and server:
   FTP commands are transferred over a primary connection called the Control Channel, which is typically the well-known FTP port 21.
   FTP data transfers, such as directory listings or file upload/download, require a secondary connection called the Data Channel.

Opening port 21 in a firewall is an easy task, but this means that an FTP client will only be able to send commands, not transfer data. The client will be able to use the Control Channel to successfully authenticate and create or delete directories, but it will not be able to see directory listings or upload/download files. This is because data connections for the FTP server are not allowed to pass through the firewall until the Data Channel has been allowed through the firewall.

Note: This may appear confusing to an FTP client, because the client will seem to be able to successfully log in to the server, but the connection may appear to time out or stop responding when attempting to retrieve a directory listing from the server.
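The following is an added example, not part of the Microsoft walkthrough, that makes the two-channel problem concrete: it parses the 227 reply a server sends in answer to PASV, builds the PORT command a client sends in the active mode described next, and checks whether the endpoint a server advertises would get through a firewall configured as in Steps 1 and 2. The reply strings, the range 5000-5100 and the address 203.0.113.10 are constructed sample values standing in for your own configuration.

```powershell
# Added example, not part of the Microsoft walkthrough. Constructed sample values:
# the PASV replies below, the passive range 5000-5100 and the external address
# 203.0.113.10 are assumptions standing in for your own configuration.

function ConvertFrom-PasvReply {
    # The server answers PASV with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
    # the client then connects to h1.h2.h3.h4 on port p1*256 + p2 for the data channel.
    param([string]$Reply)
    if (-not ($Reply -match '^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')) {
        throw "Not a PASV reply: $Reply"
    }
    New-Object PSObject -Property @{
        Host = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
        Port = [int]$Matches[5] * 256 + [int]$Matches[6]
    }
}

function New-PortCommand {
    # Active mode reverses the roles: the client listens and sends PORT so the
    # server (from port 20) can connect in. The client's firewall must therefore
    # allow that inbound connection, which is why the walkthrough's notes warn
    # that active transfers need exceptions on the client as well.
    param([string]$ClientIp, [int]$ClientPort)
    $octets = $ClientIp -split '\.'
    "PORT $($octets -join ','),$([int][math]::Floor($ClientPort / 256)),$($ClientPort % 256)"
}

function Test-DataChannelEndpoint {
    # Would the data connection announced in a PASV reply get through a firewall
    # that allows port 21 plus the configured range to the external address?
    param($Endpoint, [string]$ExternalIp, [int]$LowPort, [int]$HighPort)
    $problems = @()
    if ($Endpoint.Host -ne $ExternalIp) {
        $problems += "advertised $($Endpoint.Host), not the external address $ExternalIp: Step 2 not applied, the client will try a private or wrong address"
    }
    if ($Endpoint.Port -lt $LowPort -or $Endpoint.Port -gt $HighPort) {
        $problems += "port $($Endpoint.Port) is outside the allowed range $LowPort-$HighPort: Step 1 not applied or the firewall rule does not cover it"
    }
    if ($problems.Count -eq 0) {
        "OK: data channel to $($Endpoint.Host):$($Endpoint.Port) matches the firewall configuration"
    } else {
        $problems
    }
}

# Constructed samples: one reply from a correctly configured server, one from a
# server behind NAT with neither Step 1 nor Step 2 applied.
$good = ConvertFrom-PasvReply "227 Entering Passive Mode (203,0,113,10,19,137)"   # port 19*256+137 = 5001
$bad  = ConvertFrom-PasvReply "227 Entering Passive Mode (192,168,1,20,196,94)"    # private address, port 50270
Test-DataChannelEndpoint $good -ExternalIp "203.0.113.10" -LowPort 5000 -HighPort 5100
Test-DataChannelEndpoint $bad  -ExternalIp "203.0.113.10" -LowPort 5000 -HighPort 5100
New-PortCommand -ClientIp "198.51.100.7" -ClientPort 6001   # client listener on 6001
```

The second sample reproduces the symptom described in the note above: the control channel works, but the client is told to open its data connection to a private address on a port the firewall has never heard of, so the directory listing hangs until it times out.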
The challenges of working with FTP and firewalls don't end with the requirement of a secondary data connection; to complicate things even more, there are actually two different ways to establish the data connection:
   Active Data Connections: In an active data connection, an FTP client sets up a port for data channel listening and the server initiates a connection to that port; this is typically from the server's port 20. Active data connections used to be the default way of connecting to an FTP server; however, active data connections are no longer recommended
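The whole walkthrough, from the content folder through the wizard, Step 1, Step 2 and both variants of Step 3, as one script for an elevated PowerShell prompt. This is an added example, not code from the Microsoft walkthrough: it drives the same tools the walkthrough uses (icacls.exe, netsh.exe) plus appcmd.exe for the settings the wizard and the FTP Firewall Support feature write to applicationHost.config. The site name and path are the walkthrough's; the passive range 5000-5100 and the external address 203.0.113.10 are assumptions to replace with your own, and the appcmd calls assume Windows Server 2008 with IIS 7 and FTP 7.5 installed.

```powershell
# Added example, not code from the Microsoft walkthrough: the wizard, Step 1,
# Step 2 and both Step 3 variants as one script for an elevated PowerShell
# prompt on Windows Server 2008 with IIS 7 and FTP 7.5. Assumed values to adjust
# for your environment: the passive range 5000-5100 and the external address
# 203.0.113.10. Run with -Ftps for the FTP over SSL firewall rules.
param(
    [string]$SiteName    = "My New FTP Site",
    [string]$SitePath    = "$env:SystemDrive\inetpub\ftproot",
    [int]$LowDataPort    = 5000,           # assumption: small explicit range
    [int]$HighDataPort   = 5100,
    [string]$ExternalIp  = "203.0.113.10", # assumption: external (NAT) address
    [switch]$Ftps                          # use the FTPS firewall rules instead
)
$ErrorActionPreference = "Stop"
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"

# UAC: firewall and IIS configuration changes fail from a non-elevated prompt,
# even for an administrator, so refuse to continue unless elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Run as administrator) prompt."
}

# Prerequisites: content root, readable and only readable by IUSR, the account
# anonymous FTP requests run as.
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
& icacls "$SitePath" /grant "IUSR:R" /T | Out-Null

# FTP Site Wizard: site on port 21 for all unassigned addresses, no certificate,
# anonymous authentication, anonymous users ("?") allowed Read only.
& $appcmd add site "/name:$SiteName" "/bindings:ftp://*:21" "/physicalPath:$SitePath"
& $appcmd set config /section:system.applicationHost/sites `
    "/[name='$SiteName'].ftpServer.security.authentication.anonymousAuthentication.enabled:true" /commit:apphost
& $appcmd set config "$SiteName" /section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',users='?',permissions='Read']" /commit:apphost

# Step 1: server-level data channel (passive) port range.
& $appcmd set config /section:system.ftpServer/firewallSupport `
    "/lowDataChannelPort:$LowDataPort" "/highDataChannelPort:$HighDataPort" /commit:apphost

# Step 2: external IPv4 address this site advertises in its PASV replies.
& $appcmd set config /section:system.applicationHost/sites `
    "/[name='$SiteName'].ftpServer.firewallSupport.externalIp4Address:$ExternalIp" /commit:apphost

# Step 3: Windows Firewall. Non-SSL: port 21 plus stateful FTP inspection, which
# opens the data port per PASV/PORT exchange. FTPS: inspection cannot read the
# encrypted control channel, so allow the service itself and turn inspection off.
if ($Ftps) {
    & netsh advfirewall firewall add rule "name=FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
    & netsh advfirewall set global StatefulFtp disable
} else {
    & netsh advfirewall firewall add rule "name=FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
    & netsh advfirewall set global StatefulFtp enable
}

# The service reads the data channel range when it starts.
Restart-Service ftpsvc

# Checks: the configured range and address, and the firewall's resulting state.
& $appcmd list config /section:system.ftpServer/firewallSupport
& $appcmd list config /section:system.applicationHost/sites | Select-String "externalIp4Address|bindingInformation"
& netsh advfirewall show global | Select-String "StatefulFtp"
& netsh advfirewall firewall show rule name=all | Select-String "^Rule Name:\s+FTP"
```

After the script runs, the edge firewall in front of the server still has to allow TCP 21 and the chosen data channel range to the server, as note 4 of Step 1 says; the script only configures the server side.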
