Once your Azure VM has been deployed, there are some post-configuration steps to complete before you can start using this FTP server.
After logging in to your VM via RDP, the first task is to configure the FTP application and give your users access. Follow these steps:
Step 1 – Network Connectivity / Active Directory
If you have deployed a new vNet as part of this deployment, you will have to make sure it has connectivity to your Active Directory. You can do this by peering this vNet with your production vNet.
Instructions for peering virtual networks can be found at the following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
If you are using on-premises Active Directory, make sure that it is syncing to Azure AD. The role assignments in Steps 5 and 9 are made against the Azure AD copy of each identity, so a user or service account that has not synced cannot be granted access to the file share.
Step 2 – Enable Identity-based authentication for Azure Files
For the newly deployed storage account, we need to enable Azure identity-based authentication for Azure Files. This allows you to use an Active Directory Domain Services (AD DS) domain, hosted either on-premises or in Azure, to authenticate user access to Azure Files. Within the Azure portal, navigate to the new storage account, select ‘Configuration’ and ‘Enable’ identity-based access for file shares, choosing AD DS as the source. Note that AD DS authentication only works once the storage account has been registered with your domain (Microsoft's AzFilesHybrid PowerShell module does this); the portal setting will prompt you for the domain details.
Step 3 – Update DNS on vNet
This step is only required if you have deployed a new vNet as part of this deployment.
After you have either peered your vNet with your production vNet or deployed Active Directory into it, you need to make sure the vNet has the correct DNS server IPs set, pointing at your Active Directory DNS. Without this, the VM will resolve names through Azure DNS and will not be able to find your domain.
Within your vNet, select DNS servers, choose Custom, and add the IP addresses of the domain controllers that host your DNS.
Step 4 – Add VM to Active Directory
Now you should be ready to add the FTP VM to Active Directory.
Open Server Manager and, under Local Server, click on WORKGROUP, choose Domain and enter your domain name. For the username/password use an account that is allowed to join computers to the domain (a Domain Administrator account will work, but a delegated join account is preferable, since you are typing the credentials into this VM). If you get an error that the domain couldn’t be contacted/found, check that your DNS settings are correct and that the VM can reach your AD. If you updated the DNS server settings on your vNet, the server needs to pick up the new addresses: either restart it or run ‘ipconfig /renew’ from a command prompt, since Azure delivers the vNet DNS settings to the VM over DHCP.
Step 5 – Assign Azure RBAC permissions on Azure File Share
The FTP server requires an AD account that has been granted a role (Access control (IAM)) on the Azure file share.
Create an AD user account that will be used only by the FTP server, then navigate to the Azure file share within the newly created storage account and under ‘Access control (IAM)’ click on ‘Add role assignment’.
Under ‘Role’, select ‘Storage File Data SMB Share Elevated Contributor’, then select the FTP server AD account to apply the permission to. This role allows the account to read, write and delete data and to change NTFS permissions on the share, which the user-creation tool in Step 9 needs; do not give it to ordinary FTP users.
Step 6 – Map network drive to Azure File Share
From the FTP server, we now need to map a network drive to the Azure file share.
In File Explorer, open This PC, then Computer > Map network drive.
In the folder path, enter the UNC path of your Azure file share using backslashes (\\<storageaccount>.file.core.windows.net\<sharename>, as in the screenshot). A box will pop up asking for a username/password. Use the FTP server AD account you granted permission to the share in the previous step. If the mapping fails, check that outbound TCP 445 from the VM to the storage account is allowed; SMB 3 with identity-based authentication needs it. Mapping the drive in your RDP session only proves that the account can reach the share: drive letters are per-session, so the FileZilla service must access the share by its UNC path under that same account (Step 7).
To get the UNC path of your Azure file share, simply look at the properties of the Azure file share as below:
Step 7 – Set Filezilla Windows service with an Active Directory service account that has permission to Azure File Share
Within ‘Services’ under Administrative Tools on your FTP server, change the FileZilla Server FTP Server service to log on as the AD account you set up previously that has permission to the Azure file share, then restart the service. Setting the logon account through the Services console also grants the account the ‘Log on as a service’ right; if you change it by other means (sc.exe or WMI) you must grant that right separately, or the service will fail to start.
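Steps 3 to 7 can be scripted rather than clicked through. The following is an added example written for this page, not code from the original deployment or from Microsoft; it assumes the Az PowerShell modules (Az.Network, Az.Resources) for the Azure part and an elevated session on the FTP VM for the host part. Every name in it (resource group, vNet, DNS addresses, domain, storage account, share, service account) is a placeholder, and the Windows service name ‘FileZilla Server’ is an assumption you should confirm with Get-Service.

```powershell
# Added example: automate vNet DNS, share RBAC, domain join, drive mapping and service logon.
# All names below are placeholders; adjust them to your environment.
$rg       = 'rg-ftp'
$vnetName = 'vnet-ftp'
$dcDns    = @('10.10.0.4', '10.10.0.5')        # IPs of the domain controllers that host DNS
$domain   = 'corp.example.com'
$account  = 'stftpfiles01'                     # storage account name
$share    = 'ftpdata'                          # file share name
$svcUpn   = 'svc-ftp@corp.example.com'         # service account as synced to Azure AD
$svcSam   = 'CORP\svc-ftp'                     # same account, Windows logon form
$svcName  = 'FileZilla Server'                 # assumed service name; verify with Get-Service

# ---- Part 1: run from an admin workstation with Az PowerShell ----
Connect-AzAccount | Out-Null

# Step 3: point the vNet at AD DNS so the VM can locate the domain.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcDns
$vnet | Set-AzVirtualNetwork | Out-Null

# Step 5: grant the service account the elevated SMB role at the *share* scope only,
# not on the whole storage account.
$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$account/fileServices/default/fileshares/$share"
$svc   = Get-AzADUser -UserPrincipalName $svcUpn
if (-not $svc) { throw "$svcUpn is not in Azure AD yet; check AD sync before continuing" }
New-AzRoleAssignment -ObjectId $svc.Id -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' -Scope $scope | Out-Null

# ---- Part 2: run on the FTP VM (elevated). This reboots the VM. ----
ipconfig /renew | Out-Null                     # pick up the vNet DNS change without a restart
if (-not (Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $domain from this VM; fix the vNet DNS servers or peering first"
}
$joinCred = Get-Credential -Message 'Account allowed to join computers to the domain'
Add-Computer -DomainName $domain -Credential $joinCred -Restart

# ---- Part 3: run on the FTP VM after the reboot ----
$fqdn = "$account.file.core.windows.net"
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is blocked; SMB to Azure Files will not work"
}
# Step 6: map the share as the service account to prove it can authenticate to the share.
$svcCred = Get-Credential -UserName $svcSam -Message 'FTP service account password'
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fqdn\$share" -Credential $svcCred -Persist | Out-Null

# Step 7: run the FileZilla service as the service account. sc.exe does NOT grant the
# 'Log on as a service' right; grant it via Local Security Policy or GPO first.
$plain = $svcCred.GetNetworkCredential().Password
sc.exe config "$svcName" obj= $svcSam password= $plain | Out-Null
Restart-Service -Name $svcName
(Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartName   # should now be CORP\svc-ftp
```

The script deliberately asks for both passwords with Get-Credential instead of embedding them, and scopes the role assignment to the share rather than the storage account, so that the service account cannot touch other shares in the same account.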
Step 8 – Configure FileZilla Server
Launch the FileZilla Server Interface app from the desktop shortcut. On the launch screen press Connect as shown below (the admin password is blank on first launch). Set an administration password in the server settings before you finish: with an empty password, anyone who can reach the administration interface can reconfigure the server.
You should now be connected. You may see connection errors and NAT errors; this is normal, as we still need to complete some configuration. From the menu select
> Edit > Settings > Passive mode settings
You’ll need to set a passive mode port range, for example 50000-51000. These ports are used for the data connections to the server, so they must be allowed inbound on the VM’s network security group and on Windows Firewall, together with port 21 for the control connection. Where you can, restrict both rules to the client networks that actually need FTP rather than allowing any source.
Set Public IP Address
For this next part you’ll need to make sure the VM has a public IP address so that external clients can connect, as shown in yellow.
To attach a public IP address to your VM, follow Microsoft’s guide.
Add the IP address that you want users to connect to (normally the public IP) to the passive mode settings, as shown below highlighted in yellow, together with the passive port range. FileZilla advertises this address to clients in the PASV reply, so if it is left as the VM’s private address, passive data transfers from the internet will fail.
Create Certificate (FTP over TLS)
The next step is to create a new private key and a self-signed certificate, which FileZilla Server needs in order to accept TLS connections. A self-signed certificate means clients will be warned on first connection and must verify the fingerprint out of band; for a production service use a certificate issued by a CA your clients trust, with the same common name.
Within the FileZilla Server options, click on SSL/TLS settings and check Enable FTP over TLS support (FTPS). If your build also offers an option to disallow plain unencrypted FTP, enable it so that credentials are never accepted in the clear.
Next click on Generate new certificate and fill in your company information.
IMPORTANT: in the common name (server address) field make sure to enter the public DNS name of your Azure VM, exactly as clients will type it. This can be found in the Azure portal, as highlighted in yellow:
Save the key locally on the server and then press Generate certificate. No password is needed on the key file, but because it contains the private key, restrict its NTFS permissions to Administrators and the FileZilla service account.
Active Directory Integration
Open Settings > LDAP and tick Enable LDAP support (marked Beta).
Add the private IP address of your domain controller, port 389, and the name of your domain. Port 389 is plain LDAP: the bind credentials travel unencrypted between the FTP server and the domain controller, so keep this traffic inside the vNet or peering and, if your build supports LDAPS, use port 636 instead. Make sure the NSG and the domain controller’s firewall allow that port from the FTP VM.
Step 9 – Adding Users
To add users you will need to use the desktop shortcut ‘CreateFTPUsers’. The reason we have to use this custom-made application is that the FileZilla GUI doesn’t support adding Azure file shares, so we’ve developed our own app to accomplish this, which integrates with FileZilla Server.
On the first screen you need to add the UNC path to the Azure file share using \\backslashes:
On the next screen add the UPN of the user you would like to add, e.g. email@example.com:
If successful you will see the following screen:
Next you need to go back to your Azure file share and give the user permission to access the share.
Navigate to your storage account / File shares, open your Azure file share, click on Access control (IAM) and from here click on Add role assignment.
From the ‘Role’ dropdown select ‘Storage File Data SMB Share Contributor’; this gives the user read/write/delete on the share, but not the right to change permissions. Then select the user or several users to apply the role to. If you are creating multiple users, now would be a good time to apply the role to those users too. Note that the role applies at share level: whether a user can see or change other users’ directories is governed by the NTFS permissions on those folders, so after creating several users, check the folder permissions as one of the users rather than as an administrator.
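When onboarding users in batches, the portal role assignment in this step is the part worth scripting, because it is easy to miss a user or to assign the elevated role by mistake. The following is an added example for this page, not code from the original deployment; it assumes Az PowerShell (Az.Resources), placeholder resource group, storage account and share names, and a constructed list of two UPNs. It only assigns the role when it is missing, and finishes by listing everyone who holds an SMB data role on the share so you can spot stray elevated assignments.

```powershell
# Added example: idempotent bulk assignment of the SMB share role, plus an audit of who holds
# any SMB data role on the share. Names and the user list are placeholders.
$rg      = 'rg-ftp'
$account = 'stftpfiles01'
$share   = 'ftpdata'
$users   = @('alice@example.com', 'bob@example.com')       # constructed list of FTP users (UPNs)
$role    = 'Storage File Data SMB Share Contributor'       # read/write/delete only; no permission changes

Connect-AzAccount | Out-Null
$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$account/fileServices/default/fileshares/$share"

foreach ($upn in $users) {
    $u = Get-AzADUser -UserPrincipalName $upn
    if (-not $u) { Write-Warning "$upn not found in Azure AD (not synced from on-prem AD yet?)"; continue }

    # Skip users who already hold the role at this scope so re-running the script is safe.
    $existing = Get-AzRoleAssignment -ObjectId $u.Id -Scope $scope -RoleDefinitionName $role
    if ($existing) { "$upn already has '$role' on $share"; continue }

    New-AzRoleAssignment -ObjectId $u.Id -RoleDefinitionName $role -Scope $scope | Out-Null
    "$upn granted '$role' on $share"
}

# Audit: every SMB data role on this share, including assignments inherited from higher scopes.
# Only the FTP service account should appear with the Elevated Contributor role.
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB Share*' |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Role assignments can take a few minutes to propagate, so a user who gets access denied immediately after the script runs is not necessarily misconfigured; the FileZilla account must also have been created with the CreateFTPUsers tool, since the RBAC role alone does not create the FTP login.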