How to replace a Windows SFTP server with a managed cloud gateway

Running SFTP on Windows (OpenSSH, IIS, or a commercial server) means patching, licensing, and local-disk storage. Here's how to replace it with managed SFTP backed by your own cloud bucket.

Plenty of teams run SFTP on a Windows box, whether that’s the built-in OpenSSH server, IIS, or a commercial product like Rebex, Syncplify, Titan, or Cerberus. They all work, and they all carry the same overhead: you patch and maintain a Windows server, you may pay per-seat licensing, and your files sit on local disk that you have to back up and scale. Replacing that with a managed gateway in front of cloud storage removes the server entirely.

Here’s how to make the switch.

What you’re replacing

  • From: an SFTP server on Windows (OpenSSH / IIS / commercial), files on local disk, you own the OS, patching, and often a per-user licence.
  • To: a managed SFTP gateway in front of a cloud bucket you own. No server, no licence, cloud-durable storage.

Two honest differences to weigh:

  • Firepipe is SFTP only. Windows servers that also serve FTP/FTPS won’t map one-to-one if you depend on those protocols.
  • If your Windows server authenticated users against Active Directory, Firepipe uses its own per-user credentials (SSH keys or passwords) rather than AD. Plan how you’ll issue and revoke those.

Step 1, create a cloud bucket

Pick an S3, Azure Blob, GCS, or S3-compatible bucket in an account you own. Keep it private.

Step 2, copy existing files up (one-time)

Move the contents of the server’s SFTP home directories into the bucket once, keeping the folder layout so each user’s prefix matches their current home:

# PowerShell + AWS CLI
aws s3 sync "D:\sftp\home" s3://your-bucket/

# Or rclone for any backend (S3 / Azure / GCS / S3-compatible)
rclone copy "D:\sftp\home" remote:your-bucket

Step 3, connect the bucket to the gateway

Point Firepipe at the bucket. S3 uses a scoped cross-account role; Azure, GCS, and S3-compatible stores use a scoped access key, stored encrypted and revocable.

Step 4, recreate users and path jails

For each Windows SFTP account, create a Firepipe credential (SSH key or password) jailed to the prefix matching its old home directory. Issuing SSH keys per partner means you can revoke one without touching the rest.

Step 5, cut over and decommission

Hand out the new hostname and credentials, run in parallel briefly to confirm behaviour, then stop the Windows SFTP service and retire (or repurpose) the box. The licensing and patching overhead goes with it.
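A pre-decommission check covering steps 1, 2, and 4, as an added example that is not part of the original guide or of Firepipe's tooling: it confirms the bucket blocks public access, verifies that every file under the old home tree exists in the bucket with the same size, and lists the per-user prefixes to jail. It assumes an S3 bucket and a configured AWS CLI; the bucket name and local path are the placeholders from step 2, and the file names in comments are constructed.

```powershell
# Added example: verify the one-time copy before stopping the Windows SFTP service.
# Assumptions: AWS CLI configured for the bucket's account; S3 backend only.
$Bucket    = 'your-bucket'     # placeholder from step 2
$LocalRoot = 'D:\sftp\home'    # placeholder from step 2

# Step 1 said "keep it private": all four Block Public Access flags should be true.
$pab = (aws s3api get-public-access-block --bucket $Bucket --output json |
        ConvertFrom-Json).PublicAccessBlockConfiguration
$open = 'BlockPublicAcls','IgnorePublicAcls','BlockPublicPolicy','RestrictPublicBuckets' |
        Where-Object { -not $pab.$_ }
if ($open) { Write-Warning "Public access not fully blocked: $($open -join ', ')" }

# Bucket inventory as key -> size. S3 keys are case-sensitive, so use an ordinal
# Dictionary rather than @{} (which ignores case).
$remote = [System.Collections.Generic.Dictionary[string,long]]::new()
$objects = aws s3api list-objects-v2 --bucket $Bucket `
    --query 'Contents[].{Key:Key,Size:Size}' --output json | ConvertFrom-Json
foreach ($o in $objects) { $remote[$o.Key] = [long]$o.Size }

# Walk the old home tree. aws s3 sync maps D:\sftp\home\alice\in.csv to alice/in.csv
# (constructed sample names).
$root = (Resolve-Path -LiteralPath $LocalRoot).Path.TrimEnd('\')
$problems = foreach ($f in Get-ChildItem -LiteralPath $root -Recurse -File -Force) {
    $key = $f.FullName.Substring($root.Length + 1).Replace('\', '/')
    if (-not $remote.ContainsKey($key)) {
        [pscustomobject]@{ Key = $key; Issue = 'missing in bucket' }
    } elseif ($remote[$key] -ne $f.Length) {
        [pscustomobject]@{ Key = $key; Issue = "size: local $($f.Length), bucket $($remote[$key])" }
    }
}

# Each top-level folder is one user's home, so one jailed prefix to create in step 4.
'Prefixes to jail:'
Get-ChildItem -LiteralPath $root -Directory | ForEach-Object { "  $($_.Name)/" }

if ($problems) {
    $problems | Format-Table -AutoSize
    Write-Warning "$(@($problems).Count) file(s) not verified; keep the Windows server running."
} else {
    "Every local file is in s3://$Bucket with a matching size."
}
```

Matching sizes do not prove identical content, and files that partners upload to the old server after the step 2 copy will show as missing, so rerun the sync and this check immediately before cutover.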

What you gain

  • No Windows server to patch, license, or back up.
  • Cloud-durable storage in a bucket you own, files streamed rather than custodied.
  • Per-user credentials, path jails, exportable audit trail, instant revoke, and optional per-credential source-IP pinning.

Start with the SFTP to S3 walkthrough, or read SFTP compatibility & known limitations so you know exactly which filesystem behaviours object storage can and can’t offer before you cut over.

Try it on your own bucket

Connect a bucket you already own (Amazon S3, Azure Blob, Google Cloud Storage, or an S3-compatible store) and hand out a clean SFTP endpoint in minutes. Your files stay in your cloud.
