How to Setup FTP Server using Azure File Share

Getting Started


Once your Azure VM has been deployed, there are some post-configuration steps to complete before you can start using this FTP server.

After logging into your VM via RDP, the first step is to configure the FTP application and give your users access. Follow these steps:

Step 1 – Network Connectivity / Active Directory

 

If you have deployed a new vNetwork as part of this deployment, you will have to make sure it has connectivity to your Active Directory. You can do this by peering this vNet with your production vNet.

Instructions for peering vNetworks can be found at the following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

If you don't currently have Active Directory, you can either deploy Active Directory in Azure or use Azure AD DS.

If you are using on-premises Active Directory, make sure that your Active Directory is syncing with Azure AD.

Step 2 – Enable Identity-based authentication for Azure Files

 

For the newly deployed storage account, we need to enable Azure identity-based authentication for Azure Files. This allows you to use an Active Directory Domain Services (AD DS) domain, hosted either on-premises or on Azure, to authenticate user access to Azure Files. Within your Azure portal, navigate to the new storage account, select ‘Configuration’ and ‘Enable’ Identity-based access for file shares.

[Screenshot: Enable-AzureADDS-StorageAccount]

Step 3 – Update DNS on vNet

 

This step is only required if you have deployed a new vNetwork as part of this deployment.

After you have either peered your vNet with your production vNet or deployed Active Directory, you need to make sure your vNetwork has the correct DNS server IPs set, pointing to your Active Directory DNS.

Within your vNet, scroll down to DNS Servers and add the IP addresses of your domain controllers that host your DNS servers.

[Screenshot: Add-DNS-Servers]

Step 4 – Add VM to Active Directory

 

Now you should be ready to add the FTP VM to Active Directory.

Open up Server Manager and under Local Server, click on WORKGROUP and add your domain name. For the username/password, use an account that has Domain Administrator privileges for the domain. If you get an error that the domain couldn’t be contacted/found, check that your DNS settings are correct and can reach your AD. If you updated the DNS server settings on your vNet, your server probably needs a restart to pick up the new DNS server addresses, or you can run ‘ipconfig /renew’ from a command line to pick up the new DNS server settings.

[Screenshot: Server-Manager]
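The DNS check and the domain join from Steps 3 and 4 can also be done from an elevated PowerShell prompt on the VM, which makes the "domain couldn't be contacted" problem easy to pin down. The script below is an added example and is not part of the original post; the domain name corp.example.com, the DNS server addresses 10.0.1.4 and 10.0.1.5 and the account name joinaccount are assumptions. The post uses a Domain Administrator account for the join; an account that has only been delegated the right to join computers to the domain is sufficient and is the lower-privilege choice.

```powershell
# Added example (not from the original post). Assumed values: replace with your own.
$Domain     = 'corp.example.com'          # assumption: your AD domain
$DnsServers = '10.0.1.4', '10.0.1.5'      # assumption: your domain controllers' IPs (the vNet DNS servers)
$JoinUser   = "$Domain\joinaccount"       # assumption: account allowed to join computers

# Pick up the vNet DNS servers without rebooting (same as the post's 'ipconfig /renew').
ipconfig /renew | Out-Null

# The VM must be using the domain controllers for DNS, not Azure's default resolver.
$inUse = (Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses }).ServerAddresses
"DNS servers in use: $($inUse -join ', ')"

# A domain join needs the _ldap SRV record to resolve and several ports open to a DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
"Domain controllers advertised in DNS: $($srv.NameTarget -join ', ')"

foreach ($dc in $DnsServers) {
    foreach ($port in 53, 88, 135, 389, 445) {     # DNS, Kerberos, RPC, LDAP, SMB
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1,-4} reachable={2}" -f $dc, $port, $ok
    }
}

# Join the domain and reboot; Get-Credential prompts for the join account's password.
Add-Computer -DomainName $Domain -Credential (Get-Credential -UserName $JoinUser -Message 'Domain join account') -Restart
```

If the SRV lookup fails or one of the ports shows reachable=False, fix the vNet DNS settings or the NSG between the FTP subnet and the domain controllers before retrying the join; the Server Manager dialog in Step 4 will fail for the same reason.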

Step 5 – Assign Azure RBAC permissions on Azure File Share

 

The FTP Server requires an AD account that has permission (Access Control (IAM)) to the Azure File Share.

Create an AD user account that will be used by the FTP Server, navigate to the Azure File Share within the newly created storage account and under ‘Access Control (IAM)’ click on ‘Add Role Assignment’.

Under ‘Role’, select ‘Storage File Data SMB Share Elevated Contributor’, and then select the FTP Server AD account to apply the permission to.

[Screenshot: Azure-RBAC-SMB-Elevated-Contributor]

Step 6 – Map network drive to Azure File Share

 

From the FTP Server, we now need to map a network drive to the Azure File Share.

From This PC, select Computer / Map Network Drive.

[Screenshot: Map-Network-Drive]

In the folder path, put the UNC path of your Azure File Share using backslashes (\\) as in the screenshot. A box will pop up asking for username/password. Use the FTP Server AD account you granted permission to the share previously.

[Screenshot: Map-Network-Drive-Path]

To get the UNC path of your Azure File Share, simply look at the properties of the Azure File Share as below:

[Screenshot: Azure-File-UNC]

Step 7 – Set the FileZilla Windows service to run as an Active Directory service account that has permission to the Azure File Share

 

Within ‘Services’ under Administrative Tools on your FTP Server, change the FileZilla Server FTP Server service to run under the AD account you set up previously that has permission to the Azure File Share, and restart the service.

[Screenshot: Set-Service-Account]
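Steps 6 and 7 done from PowerShell on the FTP VM: check that SMB (TCP 445) to the storage account is reachable, map the share with the service account's AD credentials, and reconfigure the FileZilla service to run as that account. This is an added example, not the post's or FileZilla's own code. The storage account name examplestorage, share name ftpshare, account CORP\svc-ftp and service name 'FileZilla Server' are assumptions; run Get-Service *FileZilla* to find the real service name. One caveat worth knowing: a drive letter mapped in your RDP session belongs to that logon session and is not visible to the service, which is why the CreateFTPUsers tool in Step 9 takes the UNC path rather than a drive letter.

```powershell
# Added example (not from the original post). Assumed values: replace with your own.
$StorageAccount = 'examplestorage'              # assumption
$ShareName      = 'ftpshare'                    # assumption
$ServiceUser    = 'CORP\svc-ftp'                # assumption: the FTP Server AD account from Step 5
$ServiceName    = 'FileZilla Server'            # assumption: check with Get-Service *FileZilla*

$FilesHost = "$StorageAccount.file.core.windows.net"
$Share     = "\\$FilesHost\$ShareName"

# Step 6a: Azure Files over SMB uses TCP 445. If this fails, nothing below will work.
$probe = Test-NetConnection -ComputerName $FilesHost -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { throw "TCP 445 to $FilesHost is blocked; check the NSG and any outbound firewall." }

# Step 6b: map the share with the service account's AD credentials (identity-based auth,
# so the storage account key is never used on this server).
$cred = Get-Credential -UserName $ServiceUser -Message 'FTP service account'
New-PSDrive -Name Z -PSProvider FileSystem -Root $Share -Credential $cred -Persist -Scope Global | Out-Null
Get-ChildItem Z:\ | Select-Object -First 5     # quick read test of the mapped share

# Step 7: run the FileZilla service as the same account, then restart it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; run Get-Service *FileZilla* to find its name" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
# ReturnValue 0 means success (Win32_Service.Change return codes).
if ($result.ReturnValue -ne 0) { throw "Changing the service account failed with code $($result.ReturnValue)" }
Restart-Service -Name $ServiceName
"Service '$ServiceName' now runs as " + (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
```

If the restart fails with a logon failure, grant the account the ‘Log on as a service’ right in Local Security Policy; setting the account through the Services console (as the post does) adds that right for you, the WMI method above does not.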

 

 

Step 8 – Configure FileZilla Server

 

Launch the FileZilla server instance app, found on the desktop. On the launch screen press Connect as shown below (the password is blank):

[Screenshot: Filezilla server instance]

 

Passive Mode

You should now be connected. You may see connection errors and NAT errors; this is normal, as we need to complete some configuration. From the menu select:

Edit > Settings > Passive Mode Settings

You’ll need to set a passive mode port range, usually 50000-51000. These ports are used for data transfers to the server.

 

Set Public IP Address

For this next part you’ll need to make sure the VM has a public IP address to allow external clients to connect, as shown in yellow.

To attach a public IP address to your VM, follow Microsoft’s guide.

Add the IP address that you want users to connect to (normally the public IP) to the passive mode settings, as shown below highlighted in yellow, along with the passive port range:
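Passive mode only works once the control port and the whole passive range are allowed in through both the Azure network security group and the Windows Firewall on the VM. The script below is an added example (not from the original post) that does both, using the Az PowerShell module for the NSG and the built-in NetSecurity cmdlets on the VM. The resource group rg-ftp and NSG name nsg-ftp are assumptions; the range 50000-51000 is the one suggested in the text. Only TCP 21 and the passive range need to be reachable from clients, and the source should be narrowed to known client address ranges where that is possible; the FileZilla administration interface should stay reachable from the private network only.

```powershell
# Added example (not from the original post). Assumed values: replace with your own.
$ResourceGroup = 'rg-ftp'            # assumption
$NsgName       = 'nsg-ftp'           # assumption: the NSG attached to the FTP VM's NIC or subnet
$PassiveRange  = '50000-51000'       # the range chosen in Passive Mode Settings
$ClientSource  = 'Internet'          # narrow this to known client IP ranges where you can

# --- Azure NSG (run where the Az module is installed, after Connect-AzAccount) ---
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-FTP-Control' -Priority 300 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $ClientSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '21' | Out-Null

$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-FTP-Passive' -Priority 310 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $ClientSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $PassiveRange | Out-Null

# Commit both rules and list what is now allowed inbound.
$nsg | Set-AzNetworkSecurityGroup | Out-Null
(Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange

# --- Windows Firewall on the FTP VM (run on the VM itself) ---
New-NetFirewallRule -DisplayName 'FTP control (21)' -Direction Inbound -Protocol TCP `
    -LocalPort 21 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "FTP passive ($PassiveRange)" -Direction Inbound -Protocol TCP `
    -LocalPort $PassiveRange -Action Allow | Out-Null
Get-NetFirewallRule -DisplayName 'FTP*' | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Because the VM's NIC only has a private address and Azure translates it to the public IP, FileZilla must advertise the public IP in its passive mode settings (the yellow box in the screenshot); the NSG rules above are what let the client's data connections to that public IP reach the passive ports.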

 

 

Create Certificate (FTP over TLS)

 

The next step is to create a new private key and a self-signed certificate, needed by FileZilla Server to accept TLS connections.

Within the FileZilla Server options, click on SSL/TLS settings. Check ‘Enable FTP over TLS support (FTPS)’.

Next click on Generate New Certificate and fill in your company information.

IMPORTANT – In the Common Name (Server address) field, make sure to add the public DNS name of your Azure VM. This can be found in the Azure portal, as highlighted in yellow:

[Screenshot: Public-DNS]

Save the key locally on the server and then press Generate certificate. No need to add a password.

 

Active Directory Integration

 

Open Settings > LDAP and select ‘Enable LDAP support’ (marked as Beta).

Add the private IP address of your domain controller, port 389, and your domain name.

[Screenshot: Active-Directory-FTP-Filezilla]
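Before relying on the beta LDAP integration, it helps to confirm that the VM can actually bind to the domain controller on port 389 with the values you entered and that the DC serves the domain you typed. The following is an added example, not from the original post or from FileZilla; the DC address 10.0.1.4 and the domain corp.example.com are assumptions. It uses the .NET System.DirectoryServices.Protocols classes that ship with Windows PowerShell. Because the VM is domain-joined, the bind uses the current Windows logon (Kerberos via Negotiate) rather than a password, and the traffic stays on the private vNet; a simple bind over plain LDAP on 389 would send a password in clear text, so keep this traffic on the private network and use LDAPS (636) wherever the application offers it.

```powershell
# Added example (not from the original post). Assumed values: replace with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DcAddress = '10.0.1.4'             # assumption: private IP of the DC entered in FileZilla's LDAP settings
$LdapPort  = 389                    # the port from the post
$Domain    = 'corp.example.com'     # assumption: the domain name entered in FileZilla's LDAP settings

function Test-LdapBind {
    param([string]$Server, [int]$Port, [string]$DomainName)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        # Negotiate = Kerberos/NTLM with the current logon; no clear-text password crosses the wire.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()

        # Read the rootDSE to confirm this DC serves the domain we configured.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('defaultNamingContext', 'dnsHostName'))
        $res   = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        $entry = $res.Entries[0]
        $nc    = [string]$entry.Attributes['defaultNamingContext'][0]
        $dns   = [string]$entry.Attributes['dnsHostName'][0]

        # corp.example.com -> DC=corp,DC=example,DC=com
        $expectedNc = 'DC=' + ($DomainName.Split('.') -join ',DC=')
        [pscustomobject]@{
            Server        = "$Server`:$Port"
            DnsHostName   = $dns
            NamingContext = $nc
            MatchesDomain = ($nc -eq $expectedNc)
        }
    }
    finally { $conn.Dispose() }
}

$check = Test-LdapBind -Server $DcAddress -Port $LdapPort -DomainName $Domain
$check
if (-not $check.MatchesDomain) {
    Write-Warning "DC at $DcAddress does not serve $Domain; check the IP and domain name in the LDAP settings."
}
```

A bind error here (for example a TCP timeout or "The LDAP server is unavailable") means FileZilla will not be able to authenticate users either, and the cause is almost always the NSG between the FTP subnet and the domain controllers or a wrong DC address.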

 

Step 9 – Adding Users

 

To add users you will need to use the desktop shortcut ‘CreateFTPUsers’. The reason we have to use this custom-made application is that the FileZilla GUI doesn’t support adding Azure File Shares, so we’ve developed our own app to accomplish this, which integrates with FileZilla Server.

[Screenshot: FTP-Desktop-icon]

On the first screen you need to add the UNC path to the Azure File Share using backslashes (\\):

[Screenshot: Add-FTP-Users]

On the next screen add the UPN of the user you would like to add, e.g. john@domain.com:

[Screenshot: Add-FTP-Users-UPN]

If successful you will see the following screen:

[Screenshot: FileZilla-Users-Azure]

Next you need to go back to your Azure File Share and give the user permission to access the share.

Navigate to your storage account / File Shares / open your Azure File Share, click on Access Control (IAM) and from here click on Add Role Assignment.

From the dropdown ‘Role’ select ‘Storage File Data SMB Share Contributor’; this will give the user Read/Write/Delete on their FTP directory. Then select the user or several users to apply the role to. If you are creating multiple users, now is a good time to apply the role to those users too.

[Screenshot: Azure-RBAC-FTP-Users]
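Steps 5 and 9 both assign a built-in Azure Files role on the share: once for the FTP service account (Elevated Contributor, which can also change the NTFS permissions on files and folders) and once per FTP user (Contributor, read/write/delete only). The script below does both with the Az PowerShell module and skips assignments that already exist, so it can be re-run each time users are added. It is an added example, not part of the original post or of the CreateFTPUsers tool; the subscription id placeholder, resource group rg-ftp, storage account examplestorage, share ftpshare and the UPNs are assumptions. Note that the role is granted at share scope, so as far as Azure RBAC is concerned every FTP user can reach the whole share; keeping users to their own directories relies on the NTFS permissions on each directory, which is why ordinary users get Contributor and only the service account gets Elevated Contributor.

```powershell
# Added example (not from the original post). Assumed values: replace with your own.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: your subscription id
$ResourceGroup  = 'rg-ftp'                                  # assumption
$StorageAccount = 'examplestorage'                          # assumption
$ShareName      = 'ftpshare'                                # assumption
$ServiceUpn     = 'svc-ftp@corp.example.com'                # assumption: the FTP Server AD account (Step 5)
$UserUpns       = 'john@corp.example.com', 'jane@corp.example.com'   # assumption: FTP users (Step 9)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Scope the assignments to the file share itself rather than the whole storage account.
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"

function Grant-ShareRole {
    param([string]$Upn, [string]$Role)
    # Idempotent: re-running the script does not create duplicate assignments.
    $existing = Get-AzRoleAssignment -SignInName $Upn -RoleDefinitionName $Role -Scope $ShareScope -ErrorAction SilentlyContinue
    if ($existing) { "$Upn already has '$Role' on $ShareName"; return }
    New-AzRoleAssignment -SignInName $Upn -RoleDefinitionName $Role -Scope $ShareScope | Out-Null
    "Granted '$Role' to $Upn on $ShareName"
}

# Step 5: the service account can read/write/delete and modify NTFS ACLs.
Grant-ShareRole -Upn $ServiceUpn -Role 'Storage File Data SMB Share Elevated Contributor'

# Step 9: ordinary FTP users get read/write/delete only.
foreach ($upn in $UserUpns) {
    Grant-ShareRole -Upn $upn -Role 'Storage File Data SMB Share Contributor'
}

# Review everything that now applies at share scope (inherited assignments included).
Get-AzRoleAssignment -Scope $ShareScope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The UPNs must match the identities synced to Azure AD (Step 1), otherwise -SignInName will not resolve the user; the final listing is also a convenient way to audit who still has access to the share when an FTP user leaves.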

 

 

 

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud
