Setup FTP Passive in your Windows Environment
- In Windows Server Manager go to Dashboard and run Manage > Add Roles and Features.
- In Add Roles and Features wizard:
- Proceed to Installation Type step and confirm Role-based or feature-based installation.
- Proceed to Server Roles step and check Web Server (IIS) role. Note that it is checked already, if you had IIS installed as a Web Server previously. Confirm installing IIS Management Console tool.
- Proceed to Web Server Role (IIS) > Role Services step and check FTP Server role service. Uncheck Web Server role service, if you do not need it.
- Proceed to the end of the wizard and click Install.
- Wait for the installation to complete.
Configuring FTP Passive on IIS
If your server is behind an external firewall/NAT, you need to tell the FTP server its external IP address, to allow passive mode connections.
- In IIS Manager, open FTP > FTP Firewall Support.
- Specify your server’s external IP address.
For Microsoft Azure Windows servers you will find the external IP address in Public IP address section of the virtual machine page.
When behind an external firewall, you need to open ports for data connections (obviously in addition to opening an FTP port 21 and possibly an implicit TLS/SSL FTP port 990). You won’t probably want to open whole default port range 1024-65535. In such case, you need to tell the FTP server to use only the range that is opened on the firewall. Use a Data Channel Port Rangebox for that. Any time you change this range, you will need to restart FTP service.
Click Apply action to submit your settings.
An internal Windows firewall is automatically configured with rules for the ports 21, 990 and 1024-65535 when IIS FTP server is installed.
The rules are not enabled initially though some versions of Windows.3 To enable or change the rules, go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and locate three “FTP server” rules. If the rules are not enabled, click on Actions > Enable Rule.
Restarting FTP Service
While the internal Windows firewall is automatically configured to open FTP ports when FTP server is installed, this change does not seem to apply, until FTP service is restarted. The same is true for changing data channel port range.
To restart FTP service go to Control Panel > System and Security > Administrative Tools and open Services. Locate Microsoft FTP Service and click Restart service.
Adding FTP Site
If you want to add a standalone FTP server to store/exchange files, locate Sites node (folder) of your Windows server in IIS Manager and:
- Click Add FTP Site action.
- In Add FTP Site wizard:
- On an initial Site Information step, give a name to your FTP site (if it’s the only site you are going to have, simple “FTP site” suffice) and specify a path to a folder on your server’s disk that is going to be accessible using FTP.
- On a Binding and SSL Settings step, select Require SSL to disallow non-encrypted connections and select your certificate.
- On Authentication and Authorization Information step, select Basic authentication and make sure Anonymous authentication is not selected. Select which users (Windows accounts) you allow to connect to the server with what permissions. You can choose All users or select only some. Do not select Anonymous users.
- Submit with Finish button.
Note that you must provide FTP user with read/write/delete permissions for both the directory and the files used in the relay server.
PS: Avoid any special character in your user’s password as Stage Now Barcode cannot pass them through.
FTP Time out setting
As we are going to use relay server to deploy numbers of apps on the devices which can be in any area with more or less connectivity it is important to change the time out of our server FTP to avoid the transfer to fail.
Follow setting below and increase the timeout:
Test your FTP server
I recommend to use Filezilla client FTP to confirm that your passive FTP is functional.
Create a Windows-Based Pull Service Relay Server
Configure a pull service relay server using a Windows FTP, Explicit FTPS, or SFTP server for use with product provisioning and staging. The pull service must be installed before you integrate the server with the Workspace ONE UEM console.
In order to setup the Windows Pull Service you will need to download it from MyWorkspaceOne portal.
You will also need to create a config file named: “PullServiceInstaller.config” which contain the below code:
When ready as below, execute WindowsPullServiceInstaller.exe and follow the steps until completion.
Your Windows based Relay server is now ready to be integrated with Workspace One UEM.
AirWatch Relay Server integration with Workspace One
On your WS1 instance go to Devices > Provisioning > Relay Servers > Add Relay Server
Name your relay server and select Relay Server Type to Pull.
Select which Organization Unit you want your relay sever to operate.
Insert below your FTP details to connect to your Relay server previously configured.
For the Pull Connection enter the local directory path for the server,
The Pull discovery text is the Private address IP of your server.
Pull Frequency is how many time the Pull happen between.
When done you Relay server will be added and look as below screenshot after your refreshed your browser:
You now need to turn on your relay server by clicking next to the red dot. The relay server would appear as below.
By now the transfer of file between Workspace One and your relay server has already started. To verify the status select your relay server > More Action > Advanced Info.