Using FTPS with Azure App Services
Using FTPS is a very interesting area. I read a lot about it, but can’t really ever get to the point where I finish the article and know where I need to go then. Point is, using any form of SSL or TLS is a negotiation between a client and the server. Most of the articles I have read has mostly to do with the server side configuration and the support for FTPS, but not much about making the connection to it. To be honest, I haven’t found the client to use for making the deployment to an FTPS configured site, as I would recommend using Visual Studio Team Services or MSDEPLOY.
Note the following:
- If you are connecting to an FTPS configured server on port 990, then you are using Implicit SSL.
- If you are connecting to an FTPS configured server on port 21 or any port other than 990, then you are using Explicit SSL.
- See RFC 2228 and 4217
See here how to configure FTP SSL configuration policy on an IIS server. Notice that there are 2 channels, Control Channel and Data Channel. Where the control channel is focused on user control and encryption and data channel focuses on the SSL encryption of data transfers.
Implicit FTPS requires a successful SSL handshake before any FTP commands can (control or data) be sent and requires the entire FTP session to be encrypted. When using Explicit FTPS the connection can be made and then commands can be sent.
That being said, I used CURL to test if port 990 was enabled for my multi-tenant (I.e. not an ASE) hosted Azure App Service, using this command, also shown in Figure 1.
curl --user <appname\userId>:<password> ftps://waws-prod-***-***.ftp.azurewebsites.windows.net
Figure 1, using FTPS with an Azure App Service
But how do I know it was using port 990, I took a Wireshark trace, as seen in Figure 2.
Figure 2, using FTPS with an Azure App Service
Based on what I see, it is possible to use FTPS with implicit SSL with an Azure App Service. But the point is, you, as the user of the service must create or utilize a client that is designed for using FTPS implicitly or explicitly. And no, the FTP command run within the Command Console does not support FTPS.
An understanding of the FTP and FTPS concepts and having a clear goal will get you through the complexities of this.