Project FTP 7.5: Tips on installing Windows FTP 7.5 for IIS 7 on Windows Server 2008 in a clustered environment with shared configuration files.

Purpose
The purpose of this documentation is to provide tips on installing Windows FTP 7.5 for IIS 7 on Windows Server 2008 in a clustered environment with shared configuration files; the second part will focus on adding FTP space and adding users as well as isolating their access to their FTP space. FTP 7.5 for IIS 7 on Windows Server 2008 is a lot better than the previous versions of FTP for Windows Server. If you are not in a clustered server environment (that is, a single server), I imagine installation is a breeze. If you are using clustered servers/NLB and/or DFS, well, you've got a bit of an adventure ahead of you. Are you ready?

First, you can get FTP 7.5 for IIS 7 on Windows Server 2008 (standard or R2) here (you'll need the x32 or x64 version depending on what you've got): http://technet.microsoft.com/en-us/library/dd722761%28WS.10%29.aspx. If you are using the existing FTP service on the servers I don't know if you would need to do anything different in this regard as I, while FTP was installed, it was not being actively used.

PART 1: Let's Get Started

Stop the server in the NLB cluster (that is, change the state to Stopped and retain that state after reboot).
Uninstall the existing FTP 6.0 server via Server Manager -> Server roles -> Web Server -> Role Services -> Remove Role Services. I unchecked "FTP Publishing Services", "FTP Server" and "FTP Management Console". The uninstall process will take quite a while.
Disable the shared configuration on the server. This is found at IIS Manager -> Server Name -> Management -> Shared Configuration. Double-click it, uncheck "Enable shared configuration" and then click on "Apply". Be sure to allow use of the configuration files and keys from the shared configuration location so they become local to the server.
Need to restart IIS Manager -> Close and reopen the IIS Manager.
Need to restart Management Service -> IIS Manager - Management - Management Services. Restart the management service from the right side - Actions -> Manage Server -> Restart.
Close IIS Manager.
Install the most appropriate version of FTP 7.5 for IIS 7 (as administrator): http://technet.microsoft.com/en-us/library/dd722761%28WS.10%29.aspx.
Open IIS Manager. Under "Connections" expand server and under "Sites" right-click to verify that "Add FTP Site..." is available.
I repeated step 1 - 8 above for each of the servers in the cluster that are stopped (this becomes relevant in a moment).
I left one server in the NLB cluster untouched so it can continue to serve content while I change the others.
At this point the remaining server in the NLB cluster (the one that is started) stays in the NLB cluster as started but I disabled the shared configuration on the server.
At this point none of the servers should be referencing the shared configuration files.
Now it's time to manually fiddle with the administration.config and applicationHost.config files. This is because, although you've installed the FTP 7.5 application on the applicable servers, the only configuration files that changed (to reflect the new FTP 7.5) are those local to each server. Well, in a shared configuration environment that is not tremendously useful. The adventure begins!
Make a copy of the shared administration.config and applicationHost.config files just in case they may be needed.
At this point you possibly could (1) copy the administration.config and applicationHost.config files from one of the servers that now has FTP 7.5 to the shared configuration location, or, (2) manually modify the shared configuration files yourself. I prefer #2 since changes could occur to one of the shared files that may not be reflected in a local server copy but requires a more side-by-side comparison of the files.

Assuming #2, then crack open the shared applicationHost.config file and:

Find: </configSections>

Paste:

<sectionGroup name="system.ftpServer">
	<section name="log" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
	<section name="serverRuntime" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
	<section name="firewallSupport" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
	<section name="caching" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
	<section name="providerDefinitions" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
	<sectionGroup name="security">
		<section name="ipSecurity" overrideModeDefault="Deny" />
		<section name="requestFiltering" overrideModeDefault="Deny" />
		<section name="authorization" overrideModeDefault="Deny" />
	</sectionGroup>
</sectionGroup>
</configSections>

NOTE: You can find the code in the locally created applicationHost.config file that was created on the server when you disabled the shared configuration. The applicationHost.config file should be found at: C:\Windows\System32\inetsrv\config

Assuming #2, crack open the shared administration.config file and:

Find: </configuration>

Paste:

	<system.ftpServer>
		<providerDefinitions>
			<add name="IisManagerAuth" type="Microsoft.Web.FtpServer.Security.IisManagerAuthenticationProvider,Microsoft.Web.FtpServer,version=7.5.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" />
			<add name="AspNetAuth" type="Microsoft.Web.FtpServer.Security.AspNetFtpMembershipProvider,Microsoft.Web.FtpServer,version=7.5.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" />
		</providerDefinitions>
	<security>
		<requestFiltering>
			<hiddenSegments>
			<add segment="_vti_bin" />
			</hiddenSegments>
		</requestFiltering>
	</security>
	</system.ftpServer>
</configuration>

NOTE: You can find the code in the locally created administration.config file that was created on the server when you disabled the shared configuration. The administration.config file should be found at: C:\Windows\System32\inetsrv\config

Re-enable the shared configuration on the server.
Need to restart IIS Manager -> Close and reopen the IIS Manager.
Need to restart Management Service -> IIS Manager - Management - Management Services. Restart the management service from the right side - Actions -> Manage Server -> Restart.
Close IIS Manager.
Download security updates for the FTP 7.5. Most likely you'll have to restart.
Start (in NLB Manager) one of the servers which has FTP 7.5, the security updates, and is using the shared configuration (you could probably do more than one at this point).
Drainstop the remaining server(s) in the cluster that you did not install FTP 7.5 on.
Slap FTP 7.5 and so forth on the last server(s), following what you did for the other servers.

PART 2: Users and FTP Space
Like I had mentioned before, there's a lot you can do with FTP 7.5. Here I'll be focusing on using a single FTP site to support multiple clients, each with their own accounts and FTP space. The isolation feature keeps clients in their own FTP space (folder). However, the isolation feature in the IIS Manager is about as intuitive to understand what's "truly" going on as cooking pancakes in space without a heating element - translation: after weeding through countless IIS forums and Microsoft "documentation" decided I would go ghetto instead. But before I show you the ghetto way, which does work, let's take a look at what I intuitively did in the IIS Manager interface to try to perform the rather "trivial" need to isolate a user, to a folder with the user's logon under the FTP site, as that user exists in Acive Directory and with Basic Authentication being used.

The first thing is to create an OU in Active Directory for FTP clients (if you don't have one already).
You can add a new User to that OU which would be the account of an FTP client. Some things you also may want to do is specify that the user cannot change their password and that it never expires as well as briefly describing some of the details for the client that will be using the account.
Once the account has been created open IIS 7 Manager and under "Sites" locate the FTP site (hopefully you set it up so that it uses an SSL certificate - or self-signed certificate - and that it will only accept secure connections and basic authentication).
Select FTP User Isolation. Under "Isolate users. Restrict users to the following directory:". Select "User name directory (disable global virtual directories)" and then click "Apply".
You will want to create a folder in the FTP site that is the logon name of the user account you created in Active Directory.
With the new folder created, select it in the IIS Manager. Double-click on "FTP Authorization Rules".
The "Add Allow Authorization Rule" pane will appear. Select "Specific users:". In the text area enter the logon name of the user account.
Under "Permissions" select "Read" and "Write" and click "OK".
This is simple, intutitive and easy to maintain. This, unfortunately, is not quite twisted enough (FTP will ALWAYS fail for the user). Let's go ghetto to get something to work "approximately like" what the user isolation feature mis-communicates.

PART 2: Ghetto, but it works
This method "approximates" user isolation. A user will be taken to their "home directory" when they FTP to the FTP site. However, if the user goes up a directory from their "home directory" they can see all of the other "home directories". They won't be able to enter any of those other "home directories" or read/write files.

The first thing is to create an OU in Active Directory for FTP clients (if you don't have one already).
You can add a new User to that OU which would be the account of an FTP client. Some things you also may want to do is specify that the user cannot change their password and that it never expires as well as briefly describing some of the details for the client that will be using the account.
Once the account has been created open IIS 7 Manager and under "Sites" locate the FTP site (hopefully you set it up so that it uses an SSL certificate - or self-signed certificate - and that it will only accept secure connections and basic authentication).
You will want to create a physical folder in the FTP site that is the logon name of the user account you created in Active Directory.
Go back to IIS Manager. Select the FTP site (where the physical folder is located inside of). You will have many options. Select "FTP User Isolation". Under "Do not isolate users. Start users in:" select "User name directory" and then "Apply".
Now select "FTP Authorization Rules". Select "Add Allow Rule". Select "Specified users:" and enter the logon of the user account. Be sure to select "Read".
At this point that user, because it was added to the root FTP site, will be able to read all folders and contents by default, including their own (but hey, at least FTP for clients will work now).
Now select the user's folder specifically.
Open "FTP Authorization Rules". Select the user who's already joined to it with "Read". Click on "Edit". Click on "Write" (both "Read" and "Write" will be selected) and then "OK".
Now, let's get twisted...
The user you added to the root of the FTP site will automatically be allowed to read all folder and files in the FTP site. Naturally, this is not what we want.
Grab a cup of coffee; maybe a bagel if you have a lot of folders off of the FTP site.
Select a folder you don't want the user having access to. Select the user that will automatically have been added to the folder under "FTP Authorization Rules"; delete that rule. Now add a new deny rule. Add the user. Ensure both "Read" and "Write" are selected and click "OK".
At this point the user will not have any permissions to do anything in that folder.

How to FTP to a user folder
Because FTP has been setup to put a user into their folder (named the same as their logon) when they logon, at least FTP for the client is fairly simple. Below shows how to get FileZilla set-up to connect:

Under site manager enter the host (this will be the domain name of the FTP site).
Enter the port.
For "Protocol:" select "FTP - File Transfer Protocol".
For "Encryption:" select "Require Explicit FTP over TLS".
For "Logon Type:" select "Normal".
Then enter the username and password.