DNS for multiple FTP sites on a single server

Thread starter: mmac

mmac

This may not be the right place for this but it seems DNS will be involved
so here goes:

I want to enable some of my web authors to be able to FTP their content
into their web directories from wherever they are. I know I have to figure
out how to set up the multiple FTP part, redirect IIS into those directories
either real or Virtual, but can you tell me if I will have to make DNS
entries for them and what would those entries look like? I didn't see any
reference to a FTP record being available so perhaps a CNAME?

I would like them to be able to type in ftp.website1.com or ftp.website.org
instead of my hosting domain ftp.domain.com:portnumber or having to navigate
to their directory as some examples show. I need it to be set up so they can
only access their own directory.

I'm just guessing and I have much to figure out, but this is a start.

BTW Hi Ace!

mmac
 
mmac said:
This may not be the right place for this but it seems DNS will be
involved so here goes:

I want to enable some of my web authors to be able to FTP their
content into their web directories from wherever they are. I know I
have to figure out how to set up the multiple FTP part, redirect IIS
into those directories either real or Virtual, but can you tell me if
I will have to make DNS entries for them and what would those entries
look like? I didn't see any reference to a FTP record being available
so perhaps a CNAME?

I would like them to be able to type in ftp.website1.com or
ftp.website.org instead of my hosting domain
ftp.domain.com:portnumber or having to navigate to their directory as
some examples show. I need it to be set up so they can only access
their own directory.

I'm just guessing and I have much to figure out, but this is a start.

BTW Hi Ace!

mmac

This is an interesting issue and depends on how you want to do it. This is
more of an IIS issue. You can create a "home" folder, pointing at the
webroot as the home folder, with your customer folders for their sites under
that. Set NTFS permissions so only they can get to them and no others. But,
using FTP under W2k, when they connect to the home folders, they can "see"
the other customer folders but they cannot access them. I really don't like
that myself. It's a limitation with FTP under W2k that was corrected with
Win2003.

If using W2k, my only suggestion to clean this up is to use a 3rd party FTP
service, such as ServU, which discriminates each home folder for each user
account created under it. It also supports resuming broken
downloads/uploads, provided they use a client that supports that resuming
feature.

The other way, in IIS, create multiple virtual FTP services for each client,
each with a different port number (so you can use the same IP address), as
you hinted at. Each service would of course point to the respective client's
folders. But the only thing is that they need to know their ports.

In DNS, either way you choose, they would still connect to ftp.domain.com
and point to the one IP. But with the second method, they would need to
supply the port. So if customer 1 needed to get in, and if using a browser,
then they would use ftp.domain.com:9999 , where 9999 is their port number.
If using an FTP client or Dreamweaver, they'll have to supply the port
number in the app's config.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I am using the virtual directories under the FTPROOT and the
directories are on another drive so they don't even show up when you
connect to ftp.domain.com, but if you typed ftp.domain.com/testfolder you
are taken straight there. This might be well enough?
If I used the port number method, could I leave port 21 blocked in my
router while only allowing the other port numbers? i.e. ftp.domain.com:6525?
To my feeble mind this would allow a bit more security since the standard
FTP port would be blocked so hopefully an intruder wouldn't try to look at
the other ports for ftp.
And there isn't a way to give a domain:portnumber a DNS name is there?


"Ace Fekay [MVP]"
 
Mike,

Didn't realize it was you until I looked at the name again! Hope things are
well.

See below...

mmac said:
I am using the virtual directories under the FTPROOT and the
directories are on another drive so they don't even show up when you
connect to ftp.domain.com, but if you typed ftp.domain.com/testfolder
you are taken straight there. This might be well enough?

Sure, this sounds like a solution. If they are using an ftp client, then
you would have to instruct them to connect to that specific remote directory
in their client config.

If I used the port number method, could I leave port 21 blocked
in my router while only allowing the other port numbers? i.e.
ftp.domain.com:6525?

Actually there are two ports to open for this. You need that port and
port-1. Eg. TCP 6525 and TCP 6524. The first is the control channel, the
second is the data channel. Then you would need UDP 1024-65535 also. Yes, it
sounds drastic, but test it to see what I mean.

To my feeble mind this would allow a bit more
security since the standard FTP port would be blocked so hopefully an
intruder wouldn't try to look at the other ports for ftp.

Yes, this is true.

And there isn't a way to give a domain:portnumber a DNS name is there?

Not by ports for this function. Very few apps use the SRV records, if that's
what you're thinking of.

Cheers!

Ace
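As an added illustration of the DNS side Ace describes (this is not code from the thread or from either poster), here is what the records look like on a Windows DNS server using dnscmd. Assumptions: the DNS server name dns1.domain.com, the documentation-range address 203.0.113.10 for the FTP host, and that the customer zones website1.com and website.org are also hosted on this same server; all of these are placeholders.

```powershell
# Added example, not from the thread. Placeholders: dns1.domain.com (DNS server),
# 203.0.113.10 (address of the single FTP host), website1.com and website.org
# (customer zones this DNS server is authoritative for).

# 1. One A record for the real FTP host in the hosting domain.
dnscmd dns1.domain.com /RecordAdd domain.com ftp A 203.0.113.10

# 2. Each customer's "vanity" FTP name is just a CNAME (alias) to that host.
#    There is no FTP-specific record type; an alias is all that is needed.
dnscmd dns1.domain.com /RecordAdd website1.com ftp CNAME ftp.domain.com.
dnscmd dns1.domain.com /RecordAdd website.org  ftp CNAME ftp.domain.com.

# 3. Verify: both names should resolve, via the CNAME, to the same address.
nslookup ftp.website1.com dns1.domain.com
nslookup ftp.website.org  dns1.domain.com
```

Two things worth keeping in mind when reading this alongside Ace's answer. A and CNAME records carry only a name or an address, so with the "one virtual FTP service per port" method the port still has to come from the client side (ftp.domain.com:6525 in a browser, or the port field in the FTP client's site settings); the vanity name does not remove that step. And the vanity name does nothing for access control: which customer can see which folder is decided entirely by the NTFS permissions and the FTP service's home-directory configuration, so the DNS entries should be treated as convenience only.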
 
Yep it's me again! Thanks for remembering.
Leaving all those UDP ports open sounds like a bad idea... They aren't required
if I stick with the normal port 21?
 
You got it! So use that in conjunction with either specifying the manual
remote folder, or use W2k3 or go 3rd party, but all being accessed by one
URL.

If going to stick with W2k, and you want to hide the other customer folders,
I would suggest to create subfolders by naming them based on an arbitrary
number for each customer and let them know what number their folder is and
when they click on it, they can see their actual folder inside. Kind of
cumbersome, but it works. Otherwise, you can get the Web Edition of W2k3 or
use ServU.

Most firewalls when setting a pre-set or using one of their built in
templates for default services, such as FTP, takes care of the traffic for
you. I know with my Cisco access-lists it's a PITA (pain in the butt) to set
without those upper ports opened.

Cheers!

Ace

 
Thanks again Ace. I thought of that random number name too. That sounds like
the right way for the moment.
I have the license for win2003srv just not the nerve to set it up. I still
don't have exchange 2000 working yet and I have the license for exchange2003
too!
So many toys, so little time...
 
Ahh, go ahead, install it. you'll like how easy and friendly it is. Kind of
like a combo between W2k server and XP.
:-)

Ace

 
I'll have to have you look in at the mess I have someday. It would probably be
easier to format all these machines and start over than to try to fix the little
bugaboos I have. The worst one is the 2gb C drives that most of the servers
have, left over from the NT4 days. That is continually wreaking havoc with NTFRS
which wants 528mb and I have to keep dumping temp files and such to keep 750 mb
free on that drive or NTFRS fails.
but hey, it keeps me occupied and off the streets
 
Yeah, keeps you out of trouble! Send me an email and let me know when you
want me to remote in.
:-)

Ace


mmac said:
I'll have to have you look in at the mess I have someday. It would
probably be easier to format all these machines and start over than
to try to fix the little bugaboos I have. The worst one is the 2gb C
drives that most of the servers have, left over from the NT4 days.
That is continually wreaking havoc with NTFRS which wants 528mb and I
have to keep dumping temp files and such to keep 750 mb free on that
drive or NTFRS fails.
but hey, it keeps me occupied and off the streets

"Ace Fekay [MVP]"

 