You can create FTP sites under IIS so that your users can perform file operations by using FTP clients. One IIS FTP site is normally sufficient for most companies. However, you may need some extra configuration to allow both external and internal users to access this site.
If you are fine with creating two FTP sites, you can create one for internal users and one for external users. The difference would be setting “External IP Address of Firewall” field for the external site.
What if you want to use the same IIS FTP site for both external and internal users? It becomes a little bit tricky at this point because if you set “External IP Address of Firewall” field for this site, your internal users (If they are using Passive Mode) will be redirected to this external IP. You may not want them to go through this public route.
Before we go further, let’s remember what Passive Mode and Active Mode are:
There are two types of FTP connections: Active mode and passive mode. In active mode, the client opens a port. The server connects to this port for transferring data. In passive mode, the server opens a port. The client connects to this port to transfer data. In order to configure IIS for supporting passive mode, enter a port range and external IP address in “IIS > Server name > FTP Firewall Support” page.
Source: 530 User cannot log in, home directory inaccessible
Configure IIS FTP to accept both internal and external FTP users
If you want to use the same FTP site for both internal and external clients, there are two options:
- Use Active Mode for internal users, Passive Mode for external users
- Point both internal and external users to the external IP. You can do this by:
- In internal DNS, changing the IP address of the domain with the external IP (There won’t be a certificate warning as the FTP client will use domain address to connect to IIS)
- Match external IP with the domain name in Hosts file of internal users’ machines (No certificate warning neither)
- Use external IP for the internal FTP clients (There will be a certificate warning because of the IP usage instead of domain. If the certificate warning is fine, use this option)
Note: You may need to open a port range in your firewall for your external users to connect IIS FTP site. If you want to open only a single port, check this post out: Using a single port for IIS FTP in passive mode
Official documentation for IIS FTP is here.