I was setting up a new virtual machine in Windows Azure today and wanted to host an FTP server. Having spent most of my career isolated inside corporate environments and largely disconnected from server administration, this was fairly new ground for me.
I knew going into it that I would have to tweak some firewall rules and whatnot, but establishing communication was a bit more involved than I initially expected.
The FTP solution I selected was FileZilla Server. It’s a rather robust solution that provides the security I wanted with minimal configuration. Getting the server components installed was effortless, as was creating the security groups and users. Once I had everything configured the way I wanted, I created the rules to allow traffic to hit ports 21 and 990 on the server through the Windows Firewall with Advanced Security control panel.
For my first test I simply tried to FTP to localhost on the server itself. Both accounts I’d configured worked perfectly. Then, to test the firewall rules, I tried to connect from my development workstation but was unable to.
After scratching my head for a bit I remembered seeing endpoint configuration in the Azure portal. I added two endpoints, one for port 25 and one for port 990, and was then able to connect, but the FTP client kept failing to retrieve a directory listing. The log showed that the client was attempting to use passive mode, which requires additional ports. I quickly found the passive mode settings in the FileZilla Server options. From there I was able to specify a custom range, which I could then allow through the firewall. The other thing I needed to change was the IPv4-specific setting to force the server to use the server’s public virtual IP address as listed on the VM’s dashboard in the Azure Portal.
Just as before, simply adding the firewall rules wasn’t enough to allow communication; I had to add the passive mode ports as endpoints as well. I initially found this more than a bit tedious, but fortunately the Add-AzureEndpoint PowerShell cmdlet eased some of the pain.
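Here is an added example (my own script, not part of the original post) of scripting the endpoint creation described above with the classic Azure Service Management PowerShell module. The cloud service name, VM name and passive port range are placeholders you would replace with your own values; it assumes the module is loaded and a subscription has been selected.

```powershell
# Added example, not from the original post: bulk-create Azure classic endpoints
# for FileZilla Server (control port 21, implicit FTPS on 990, passive data range).
# Assumes Azure Service Management module is loaded and a subscription is selected.

$serviceName = 'my-cloud-service'   # placeholder: your cloud service name
$vmName      = 'ftp-vm'             # placeholder: your VM name
$pasvStart   = 50000                # must match the passive mode range set in FileZilla Server
$pasvEnd     = 50010                # keep the range small: every port here becomes internet-facing

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName

# Control channel (21) and implicit FTPS (990). Add-AzureEndpoint returns the
# updated VM object, so the assignments accumulate changes before one Update-AzureVM.
foreach ($port in 21, 990) {
    $vm = $vm | Add-AzureEndpoint -Name "FTP-$port" -Protocol tcp -LocalPort $port -PublicPort $port
}

# Passive data ports: one endpoint per port, same number inside and out, so the
# port FileZilla advertises in its PASV reply is the one the client can actually reach.
for ($port = $pasvStart; $port -le $pasvEnd; $port++) {
    $vm = $vm | Add-AzureEndpoint -Name "FTP-PASV-$port" -Protocol tcp -LocalPort $port -PublicPort $port
}

# Push all accumulated endpoint changes to the VM in a single update
$vm | Update-AzureVM

# Verify exactly what is now exposed on the VM's public VIP
Get-AzureEndpoint -VM $vm | Select-Object Name, Protocol, LocalPort, Port
```

The final listing is the thing to check before calling it done: it shows every port the VM now accepts from the internet, so anything beyond 21, 990 and the passive range is a mistake to remove.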
Once all the rules and endpoints were in place I was able to successfully connect from my development workstation to the server and get directory listings.