How to publish 2 WebDAV/ftp sites - one secure and one open - in IIS 7.5.
Ideally, you’d have a server with at least 2 physical ethernet ports. It just makes mental mapping easier if you can visualize the “open” site going to one port and the “secure” site going to another, although I can’t think why you couldn’t just assign multiple IP addresses to the same port. Create 3 file-system folders with appropriate names; one will be open, the others will be hidden behind SSL sites (you might think I’ve over-complicated this, which is fair enough, but I will explain). Create 1 ftp site and 1 normal website (with WebDAV publishing), and point them both at the “open” directory. By the time you’ve created fairly open rules (including WebDAV authoring rules) these 2 sites should work pretty easily. The data in here is supposed to be accessible by anyone, anywhere, using just one set of credentials.
The next bit is trickier. Under 1 of the 2 remaining folders, create a LocalUser folder and a <YourDomain> folder (by this I mean a folder named after your Active Directory NetBIOS domain, not your domain’s FQDN, although I have to say that I haven’t tested using an FQDN so don’t know if it would work). Point your secure ftp site to the top-level folder (the one that contains LocalUser and <YourDomain>). Any users local to the server automatically look for a folder with their name under LocalUser (this is with the most strict user isolation mode turned on). Any domain users look under <YourDomain>. If the folders aren’t there, login will fail because they have no home directory. Next, point a new WebDAV folder (running on 443) to the last of the “physical” folders. Obviously there’s nothing there. That’s ok; publish each user folder as a virtual folder under the WebDAV site. This should enable people to see the data as a network drive, but - from what I’ve seen - hides the user folders when you try to look at the site through a regular web browser.
I haven’t gone into security a lot here (will do at some point) but (a) be really strict about NTFS permissions and (b) test it; I found at one point that the configuration I had running allowed any authorized user to go into the “secured” section and just do what they liked to anyone’s data, regardless of NTFS permissions.
I’m not going to finish the rest of the stop error because it’s pointless; the rest of it seems to be entirely random depending on your exact Windows 7 installation.
However, Tim Hoover - and subsequently thiswoot (my preferred fix) - seem to have solved this:
This is turning into a steep learning curve. It seems that neither Vista nor Windows 7 can handle SSL-encrypted WebDAV, although this could still be a self-signed certificate issue (XP and Ubuntu can, they just warn you as expected). Even when you do get SSL-encrypted WebDAV working, it’s VITAL you change the authentication on each subfolder/virtual directory to “Interactive” from “Clear Text”, otherwise - from my experience with XP - all users can do whatever they like to any other user’s data, regardless of any security (even NTFS perms, which it seems to ignore - ?). It’s all very well the connection being encrypted, but if any user can trash everyone else’s data then it’s a bit useless. Also, the port range isolation for IIS 7.5 ftp is set at the server level, which is why it’s greyed out when you look at the site level.
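The folder layout and per-user WebDAV virtual directories from the how-to post above, plus the “Interactive” logon-type change from this post, scripted as one added example (not the blog author’s script). It assumes a secure FTP site named SecureFTP rooted at D:\SecureFtp, an SSL WebDAV site named SecureDAV, the placeholder NetBIOS domain CONTOSO, a hand-supplied user list, and the IIS 7.5 WebAdministration module; the IIS configuration paths used are the standard applicationHost ones, but treat the exact cmdlet forms as an assumption to check against your own server.

```powershell
# Added example, not from the original post. Assumed names: SecureFTP / SecureDAV
# sites, D:\SecureFtp root, CONTOSO as the NetBIOS domain (placeholder).
Import-Module WebAdministration

$FtpRoot = 'D:\SecureFtp'      # physical root the secure FTP site points at
$FtpSite = 'SecureFTP'
$DavSite = 'SecureDAV'         # WebDAV-over-SSL site; its own physical root stays empty
$Domain  = 'CONTOSO'           # NetBIOS name, not the FQDN
$Users   = @('alice', 'bob')   # constructed sample list of domain users

# 1. Isolation layout: <root>\LocalUser\<user> for server-local accounts,
#    <root>\<NETBIOS>\<user> for domain accounts. Missing folder = failed login.
New-Item -ItemType Directory -Force -Path "$FtpRoot\LocalUser" | Out-Null
New-Item -ItemType Directory -Force -Path "$FtpRoot\$Domain"   | Out-Null

foreach ($u in $Users) {
    $userDir = "$FtpRoot\$Domain\$u"
    New-Item -ItemType Directory -Force -Path $userDir | Out-Null

    # 2. Strict NTFS: strip inherited ACEs, then grant only Administrators (full)
    #    and the owning user (modify), so nobody else gets in whatever IIS decides.
    icacls $userDir /inheritance:r `
        /grant:r 'BUILTIN\Administrators:(OI)(CI)F' "${Domain}\${u}:(OI)(CI)M" | Out-Null

    # 3. Publish the home folder as a virtual directory under the WebDAV site ...
    New-WebVirtualDirectory -Site $DavSite -Name $u -PhysicalPath $userDir | Out-Null

    # ... and switch its logon type from the ClearText default to Interactive,
    #     the change the post found necessary to keep users out of each other's data.
    Set-WebConfigurationProperty -PSPath 'IIS:\' `
        -Filter "system.applicationHost/sites/site[@name='$DavSite']/application[@path='/']/virtualDirectory[@path='/$u']" `
        -Name logonMethod -Value 'Interactive'
}

# 4. Strictest FTP user isolation: confine each user to their own directory and
#    disable global virtual directories.
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter "system.applicationHost/sites/site[@name='$FtpSite']/ftpServer/userIsolation" `
    -Name mode -Value 'IsolateAllDirectories'

# 5. "Test it": each user folder should list only Administrators and its owner.
foreach ($u in $Users) {
    Write-Host "ACL for $Domain\$u"
    (Get-Acl "$FtpRoot\$Domain\$u").Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

The ACL listing at the end is the check the post asks for: if any identity other than Administrators and the owner appears, or if a second user can still browse the folder over WebDAV, the isolation is not doing its job.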
Okay, after days (yup, from Monday till now) of messing about, it now seems that setting up ftp/WebDAV is very easy on Server 2008 R2. The problem is with Microsoft’s most recent clients; I’ve got 4 sites running now (ftp, ftpes, WebDAV, WebDAV over SSL) and the first 3 run easily on 7. The 4th, not so; I can access the site from a browser but not from 7’s WebDAV mini-redirector. However, after making the sites available externally I’ve just mapped the SSL-encrypted WebDAV folder on my Nokia N8 and seen exactly what I expected to, so it’s basically a fault with Vista/7 when accessing SSL-encrypted WebDAV folders.
Disk space seems to vanish more and more these days. Our new TMG web filtering box has just been gobbling the stuff up. Checked all the usual culprits first - ran “cleanmgr /sagerun:65535”, deleted \windows\temp etc. Nothing - not worthwhile anyway.
Then by chance I decided to check in %programfiles%\Microsoft Forefront Threat Management Gateway\Logs. Whoa. So many .llq files. 11GB in fact. That could explain a lot. So I’m deleting any .llq files from before today, which should sort the problem out.
Once you get over the slightly surreal feel of it, Swype is actually a really fast way to type. It doesn’t nail every word first time, but in the cases it can’t it’s usually highlighted the right one. What a weird but genius app.
Right, I’ve given up on WingFTP + WSFTP (not due to them being inappropriate, just time pressures). I now have a few different ways of accessing the same site; using IIS 7.5 (downloadable for Server 2008, built-in to Server 2008 R2) I now have an “insecure” and a “secure” ftp site (the secure one running on port 22 because of having to fight the firewall!). Additionally, I’ve created an “insecure” and a “secure” web site with WebDAV configured (pointing to the same data stores) so that - depending on how people log in - you can map a network drive straight to the ftp location rather than having to use an ftp client.
I’ll post more once it’s fully functional, but for now it’s accepting anonymous logins through ftp (and WebDAV connections) without encryption, and there’s a secure ftp site running on a different IP address which is currently only accepting FTPES (this is really important - it’s not SFTP, it’s FTP with explicit TLS/SSL encryption), not WebDAV unfortunately (I know it’s asking for WebDAV credentials but it just ain’t working from my Windows 7 client for some reason).