Installing and configuring SFTP server on Windows Server 2016

For a recent customer engagement we needed to provide internal and external users with the ability to upload/download files through SFTP to a specific backend-server. For security reasons we decided to tunnel the SFTP traffic through the customer’s Netscaler, and so for this setup you need to do some Netscaler configuration and then the actual SFTP server configuration on the backend server.

The native FTP software available as an addon in IIS does not support SFTP, and we do not wish to use regular FTP since username/passwords will be sent in clear text over the network. FTPS was not an option for us since the FTP client the users will be using does not support it.

Another important factor or requirement is to have AD authentication available, so admins don’t have to manage specific SFTP accounts and also so users don’t have to remember an additional username/password for SFTP. So I looked at a few freeware options for SFTP server (Turbo SFTP for example), but none of them really worked that great. Finally I ended up using the OpenSSH version for Windows ( since this satisfied all the requirements.

Below are the steps to installing and configuring OpenSSH for Windows.

  1. Download ”” from
  2. Extract downloaded zip file
  3. Create folder ”C:\Program Files (x86)\OpenSSH-Win64\” and copy the extracted files there
  4. Run below in cmd (run cmd as admin):
    powershell.exe -file ”C:\Program Files (x86)\OpenSSH-Win64\install-sshd.ps1”
  5. Run services.msc and change Startup Type from Manual to Automatic for the two new services ”OpenSSH Authentication Agent” and ”OpenSSH SSH Server”
  6. Edit file ”C:\ProgramData\ssh\sshd_config” in notepad and add below text at top of file. Note that any group names and folder paths specified in the config must be specified using lowercase letters (but whether the real group/folder names are lowercase or not doesn’t matter). See for more info
  7. Restart service ”OpenSSH SSH Server” (any changes to config file above won’t take effect until service is restarted)
  8. Optional: Open port 22 in the Windows Firewall on the backend server so Netscaler can communicate with it.
  9. Now you can use SFTP to connect to this server using AD credentials (just entering sAMAccountName is sufficient). Only users in AD grup ’mydomain\SomeRandomADGroup’ are allowed to logon. Access to any subfolders in C:\inetpub\wwwroot\ftp\ through SFTP will be dictated by NTFS rights. I suggest using AD groups + NTFS rights to control which subfolders the users should be able to read/write to.


The Netscaler configuration is quite trivial. After below you probably want to create an internal and external dns, such as ’’, pointing to internally and the external IP (which gets NATed to in firewall) so that users can specify ’’ in their SFTP client (instead of IP addresses).





Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.