How to Setup FTP Server using Azure File Share

To use Azure File Share with FileZilla® FTP server, use our Azure FTP Server solution. Its a custom built Windows Server, using a modified version of FileZilla® FTP server that will allow you to use FTP / FTPS and allow your users to connect and share files using Azure Files. Simply deploy our server straight from the Azure marketplace below:

FTP Server Azure File Share

Setup FTP Server for Azure File Share

Azure File Share FTP Server Features

  • Deploys FTP Server on Windows Server
  • Use an existing vNet or deploy a new one
  • Deploys a new storage account and sets up a new Azure File Share.
  • The FTP Server connects to the Azure File Share
  • Securely share files using SSL encryption over FTP/FTPS
  • Add the VM to Azure AD
  • Enable Identity-based authentication for Azure Files
  • Control file access based on Azure RBAC in Azure.

Table of Contents

Getting Started with FTP Server

Once your Azure VM has been deployed there are some post configuration steps to complete to start using this FTP Server.

 

After logging into your VM via RDP the first step is to configure the FTP application and give your users access. Follow the following steps:

Step 1 – Network Connectivity / Active Directory

If you have deployed a new vNetwork as part of this deployment, you will have to make sure it has connectivity to your Active Directory. You can do this by peering this vNet with your production vNet.

 

Instructions for peering vNetworks can be found on the following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

 

If you dont currently have Active Directory, you can either deploy Active Directory in Azure or use Azure AD DS.

 

If you are using on prem Active Directory, make sure that your Active Directory is syncing with Azure AD

Step 2 – Enable Identity-based authentication for Azure Files

For the newly deployed storage account, we need to enable Azure identity based authentication for Azure Files. This allows you to use an Active Directory domain service (AD DS) either hosted on-premises or on Azure for authenticating user access to Azure Files.

 

Within your Azure portal, navigate to the new storage account, and select Configuration and Enable Identity-based access for file shares.

Update: If you don’t see the option to enable identity-based authentication within your Azure portal, you will have to enable via Powershell.  Follow the following tutorials:

 

For on-prem Active Directory:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

 

For Azure Active Directory Domain Services:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable

Step 3 – Update DNS on vNet

This step is only required if you have a deployed a new vNetwork as part of this deployment.

 

After you have either peered your vNet with your production vNet or deployed Active Directory, you need to make sure your vNetwork has the correct DNS server IPs set to point to your Active Directory DNS.

 

Within your vNet, scroll down to DNS Servers and add the IP addresses of your domain controllers that host your DNS servers.

Step 4 – Add VM to Active Directory

Now you should be ready to add the FTP VM to Active Directory.

 

Open up Server Manager and under Local Server, click on WORKGROUP and add your domain name.

 

For the username/password use an account that has Domain Administrator privileges for the domain.  If you get an error that the domain couldn’t be contacted/found, check your DNS settings are correct and can reach your AD.

 

If you updated the DNS server settings on your vNet, your server probably needs a restart to pick up the new DNS server addresses, or you can run IPConfig /renew from a command line to pick up the new DNS server settings.

Step 5 – Assign Azure RBAC permissions on Azure File Share

The FTP Server requires an AD account that has permission (Access Control IAM) to the Azure File Server.

 

Create an AD user account that will be used by the FTP Server, navigate to the Azure File Share within the newly created storage account and under ‘Access Control (IAM) click on ‘Add Role Assignment‘.

 

Under Role, select ‘Storage File Data SMB Share Elevated Contributor – and then select the FTP Server AD account to apply the permission to :

Step 6 – Map network drive to Azure File Share

From the FTP Server, we now need to map a network drive to the Azure File Share.

 

From This PC > Select Computer / Map Network Drive.

In the folder path, put the URL of your Azure File Share using back slashes \\ as in the screenshot. A box will pop up asking for username/password. Use the FTP Server AD Account you granted permission to the share previously.

To get the URL of your Azure File Share, simply look at the properties of the Azure File Share as below:

Step 7 – Set Filezilla Windows Service with AD Account

Set Filezilla Windows service with an Active Directory service account that has permission to Azure File Share, as follows:

 

Within ‘Services‘ under Administrative tools within your FTP Server, you need to change the FileZilla Server FTP Server service to run under the AD account you have setup previously that has permission to the Azure File Share and restart the service.

Step 8 – Configure FileZilla Server

Launch the Filezilla server instance app, found on the desktop.  On the launch screen press connect as shown below (password is blank):

Passive Mode

You should now be connected. You may see connection errors and NAT errors, this is normal as we need to complete some configuration.  From the menu select

Edit > Settings > Passive Mode Settings

 

You’ll need to set a passive mode Port range. Usually (50000-51000). These ports are used for data transfers to the server.

Set Public IP Address

For this next part you’ll need to make sure the VM has a public IP address to allow external clients to connect as shown in yellow. 

 

To attach a public IP address to your VM, follow Microsoft’s guide

 

Add the ip address that you want users to connect to (Normally public IP) to the passive mode settings as shown below highlighted in yellow and also the passive port range:

Create Certificate (FTP over TLS)

The next step is to create a new private key and a self signed certificate, needed by FileZilla server to accept TLS connections. 

 

Within the FileZilla server options, click on SSL/TLS settings. 

 

Check the Enable FTP over TLS support (FTPS).

 

Next click on Generate New CertificateFill in your company information.

IMPORTANT – In the common name (Server address) field make sure to add the public DNS name of your Azure VM.  This can be found in the azure portal, as highlighted in yellow:

Save the key locally on the server and then press Generate certificate.  No need to add a password.

Active Directory Integration

Open settings > LDAP and select enable LDAP support. Beta.

 

Add your private IP address of your local domain controller. Add port 389 and write the name of your domain name.

Step 9 – Adding Users

To add users you will need to use the desktop shortcut CreateFTPUsers. The reason we have to use this custom made application is because the FileZilla GUI doesn’t support adding Azure File Shares, so we’ve developed our own app to accomplish this, that integrates with FileZilla Server.

The application replicates the settings that have been applied to the masteruser so its important to make sure this user doesn’t get deleted. If it does, simply create it again.

 

To see this user, open up FileZilla interface / Edit / Users settings. Here you can see, change the default settings you would like applied to new users. Its best to leave as default. We’ve set it to use Active Directory.

 

No need to check ‘Force SSL’ as this is already enabled within your SSL/TLS settings and applied to all users automatically.

Back to our application, On the first screen you need to add the UNC path to the Azure File Share using \\backslashes:

On the next screen add the UPN of the user you would like to add, e.g john@domain.com :

 

If successful you will see the following screen:

Next you need to go back to your Azure File Share and give the user permission to access the share. 

 

Navigate to your storage account /  File Shares / open your Azure File Share, click on Access Control (IAM) and from here click on Add Role Assignment.

 

From the dropdown Role select ‘Storage File Data SMB Share Contributor‘, this will give the user ‘Read/Write/Delete to their FTP directory.  Then select the user or several users to apply the role to. If creating multiple users now would be a good time to apply the role to those users too.

The user should now be able to connect via FTP. Once they connect via their FTP client, they will only see and have access to their FTP directory. Their username and password will be their UPN and AD password. 

 

If you need to change any settings for a particular user, you can use the ‘FileZilla interface / Edit / Users Settings’. Once you make a change, launch the Reload FTP Config from the desktop, this saves you having to restart the FileZilla FTP Service to apply the changes.

Client FTP Software

To allow clients to connect, users can use any FTP client.  You can use FileZillas FTP Client

FTP Server Firewall Ports / Rules

If you have NSG’s or firewall appliances in Azure you will need to open access to the following ports:

 

  • Port: 21 (Used for FTP)
  • Port: 990 (Used for FTPS)
  • Port: 14147 (Used for FTP Server Administration)
  • Passive Port Range: 50000 – 51000 (Used for data transfer)

 

To setup Azure firewall rules refer to – Azure Network Security Groups

FTP Server Azure File Share Support

For issues regarding setup of this solution, leave a message in the comments below or contact us directly.

Common Questions

Q: I receive the following error when connecting via my FTP client ‘425 Can’t open data connection.’

A: The passive port range (50,000 – 51,000) is being blocked by your firewall. Typically its usually not setup on your Azure Network Security Group (NSG).  

 

Within the Azure portal, if you open the VM properties and under ‘Networking’ you should see ‘Network Security Groups

 

The following guide explains how to edit the rules

 

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal

 

Add a new rule to allow port ’50,000 – 51,000’ over TCP to Allow Source ‘Any’ Destination ‘Any’

 

Once you’ve added the rule, reboot the VM and it should now work.

Disclaimer: This FTP server solution is built using a modified version of Filezilla® server opensource software. This solution is provided under GPLv2 licence. The respective trademarks mentioned in the offering are owned by the respective companies. No warrantee of any kind, express or implied, is included with this software

– Use at your risk, responsibility for damages (if any) to anyone resulting from the use of this software rest entirely with the user
– The author is not responsible for any damage that its use could cause.

Avatar for Andrew Fitzgerald
Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.

3.7 3 votes
Article Rating
Subscribe
Notify of
0 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x