Publishing FTPS on TMG 2010.

For instructions on creating FTP site on IIS read this post - Creating FTP or FTPS on IIS 8.5 (with Active Directory User isolation).
I. Configure FTP for Firewall Support (IIS 8.5)
1. Open IIS Manager, in connections pane select your FTPS server and in Features View double click FTP Firewall Support
 2. Enter port range for Data Channel for example we will be using 50100-50200. Also enter external IP of your firewall in this example yyy.yyy.yyy.yyy and in Actions pane click Apply.
Note: do not forget to allow this port range on your FTPS servers windows firewall, if it is not added automatically.
3. Repeat same step on FTP site level. Select your FTP site and in Feature View double click FTP Firewall Support.
 4. Data Channel Port Range should be greyed out with the value you specified earlier. For External IP Address of Firewall enter your firewalls external IP: yyy.yyy.yyy.yyy and in Actions pane click Apply.
II. Create Publishing rule on TMG
1. Open Forefront TMG console, right click Firewall Policy and choose New->Create new Non-Web Server Protocol Publishing Rule...
2. Enter the name of your FTPS rule for example "FTPS" and click Next
3. Enter IP address of your FTPS server
3. Click New... to create new protocol definition
4. Specify name for you protocol definition for example "FTPS Custom" and click Next
4. Click New to add port range for your protocol definition
5. Specify the following
Protocol type: TCP
Direction: Inbound
Port Range: From: 21 To: 21
and click OK
6. In New Protocol Definition Wizard click New one more time to add port range for data channel we specified in step I.2.
Specify the following
Protocol type: TCP
Direction: Inbound
Port Range: From: 50100 To: 50200
and click OK
7. Check if protocol configuration is fine and click Next
8. On following step leave the default No selected and click Next
9. Double check the settings and click Finish
10. After protocol definition has been created we can proceed with the rule. Click Next
11. Select checkbox next to External network and click Address... to specify external IP on which the FTPS service rule will be listening
12. Select Specified IP addressess on the Forefront TMG computer in the selected network and add the IP you specified in step I.2 (in this example yyy.yyy.yyy.yyy). After that click OK
13. Click Next to proceed
14. Click Finish to end the Publishing Rule Wizard
 15. Click Apply in TMG console and then click OK. Wait a few minutes and you are ready to test your FTPS server from external client.


Creating FTP or FTPS on IIS 8.5 (with Active Directory User isolation).

The goal of this article is to describe how to create FTP(S) on IIS  so we can use Active Directory accounts to authenticate to FTP. And configure AD user isolation, so  the users have individual home folders.
1. Install IIS Role and required features
In Server Manager click on Add roles and features
Click Next
Installation Type - choose Role-based or feature-based installation and click Next
Server Selection - choose your server and click Next
Server Roles - select Web Server (IIS) and confirm required features by clicking Add Features in the popup window, click Next
In the Features and Web Server Role (IIS) sections click Next
Role Services - deselect the roles you don't need, if it's going to be dedicated FTP server then leave only FTP Server/FTP Service and Management Tools/IIS management Console selected and click Next
Confirmation - click Install
2. Create FTP users and Groups
In active directory create your FTP users for example:
And create FTP users security group:
FTP Users
Add all ftp users to the membership of "FTP Users" group.
3. Create folders and assign permissions
Prepare folder structure on your preferred location. In this example we will be using Fileserver as FTP root so users can access ftp folders directly via file share while they are connected to company network.
Share a folder on Fileserver
Set sharing permissions for group "FTP Users" to Full Control.
Set NTFS permissions (security tab) for "FTP Users" group to List folder contents.
Next we will create home folder for every user group that needs to be isolated.
For example users FTPuser1 and FTPuser2 will share same home folder, because they are colleagues and are working with the same data and FTPuser3 is from another department, so he will have separate home folder.
Add security permissions for users FTPuser1 and FTPuser2 and set them to Modify
Add security permissions for user FTPuser3 and set them to Modify
4. Configure IIS
Open IIS Manager in Control Panel->Administrative Tools->Internet Information Services (IIS) Manager
In IIS Manager expand your server, right click Sites and choose Add FTP Site...
Enter site name: myFTP
Physical path: \\Fileserver\FTProot
If you want to run FTPS select Require SSL and select your SSL Certificate, otherwise select No SSL.
Select Specified roles or user groups from drop-down menu.
Type FTP Users.
Select Read and Write checkboxes.
Click Finish.
Next configure FTP User Isolation.
Under myFTP site open FTP User Isolation.
Select Isolate users. Restrict users to the following directory:
FTP home directory configured in Active Directory
and enter credentials of user that has access to read AD properties.
5. Configure user AD properties
Open Active Directory Users and Computers (ADUC) and modify properties for your FTPusers.
To be able to modify attributes, first in ADUC select View and turn on Advanced Features.
Now you should see Attribute Editor tab in user properties.
Configure AD properties as follows:
msIIS-FTPDir: \Home1
msIIS-FTPRoot: \\Fileserver\FTProot\
msIIS-FTPDir: \Home1
msIIS-FTPRoot: \\Fileserver\FTProot\
msIIS-FTPDir: \Home2
msIIS-FTPRoot: \\Fileserver\FTProot\
6. Login
For testing login we will use FileZilla FTP client.
Configure connection as follows.
Host: address of your FTP server
Protocol: FTP File Transfer Protocol
Port: 21
Encryption: if your FTP requires SSL select Require explicit FTP over TLS, otherwise select Only use plain FTP (insecure)
Logon type: Ask for password
User: FTPuser1
Click Connect, enter your password and click OK.
7. Conclusion
If everything went to plan users FTPuser1 and FTPuser2 should login to \\Fileserver\FTProot\Home1 folder and user FTPuser3 should login to \\Fileserver\FTProot\Home2.