How to set up scan to FTP or SFTP on your office MFP
The protocol choice, server side configuration, MFP destination setup, and the security considerations — most offices should use SFTP rather than plain FTP, and this guide explains why and how.
Scan-to-FTP and scan-to-SFTP are the right answer when scan output needs to travel beyond the office network — to a partner organisation, a centralised document processing service, a remote office's file server, or any other off-network destination. Within a single office, scan-to-folder over SMB usually fits better. Across organisational boundaries, FTP-family protocols are the practical option. This guide focuses on SFTP specifically because plain FTP has security characteristics that should rule it out for most modern use cases.
Two protocols, very different security stories
FTP (port 21)
Plain FTP transmits credentials and file contents in cleartext over the network. Anyone who can capture network traffic between MFP and server sees the username, password, and every scanned page.
Acceptable only on isolated networks where capture is implausible, or where the receiving server requires it specifically. Document the choice and the risk acceptance.
SFTP (port 22)
SFTP runs over SSH and encrypts the entire session — credentials, file metadata, and file contents. Modern office MFPs (firmware from roughly 2018+) support SFTP natively.
The right default for any scan-to-server workflow that crosses untrusted networks. Slightly slower than FTP due to encryption overhead but the difference is invisible for typical scan jobs.
Step-by-step SFTP setup
Provision the SFTP server
Most Linux servers support SFTP via OpenSSH (already installed by default on Ubuntu, Debian, RHEL, etc.). Windows Server 2019+ includes OpenSSH as an optional feature — enable via Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 then Start-Service sshd. Confirm the server listens on port 22.
Create a dedicated SFTP user account
Create a system user svc-mfp-sftp with a strong password. Restrict the user to SFTP-only (no shell access): on Linux set the user's shell to /sbin/nologin and configure ChrootDirectory in sshd_config to lock the user to a specific directory subtree.
Configure the chroot directory
The SFTP user should land in a specific folder and be unable to navigate above it. Edit /etc/ssh/sshd_config on Linux: add a Match User block restricting svc-mfp-sftp to ChrootDirectory /var/sftp/scans with ForceCommand internal-sftp. Restart sshd.
Set directory permissions correctly
The chroot directory itself must be owned by root with 755 permissions (SSH refuses to chroot to user-writable directories). Create a subdirectory inside owned by the SFTP user where files actually land: chown root:root /var/sftp/scans; chmod 755 /var/sftp/scans; mkdir /var/sftp/scans/uploads; chown svc-mfp-sftp:svc-mfp-sftp /var/sftp/scans/uploads.
Test connectivity from a workstation
Before configuring the MFP, verify the SFTP server works using FileZilla or command-line sftp svc-mfp-sftp@server. Confirm login succeeds, file upload works, and the file lands in the expected directory.
Configure the MFP scan destination
On the MFP web admin interface, add a new scan destination. Type: SFTP (or "Secure FTP"). Server address: SFTP server hostname or IP. Port: 22 (default). Username: svc-mfp-sftp. Password: the account password. Path: /uploads (relative to the chroot).
Set MFP to accept the server's host key
On first connection, the MFP receives the server's SSH host key. Either accept it automatically (first-use trust) or pre-load the host key fingerprint via the MFP's web admin if it supports manual key trust. Pre-loading is more secure.
Send a test scan
Initiate a scan from the device touchscreen to the SFTP destination. Verify the file appears on the SFTP server within 30-60 seconds.
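The server-side steps above (account, chroot, permissions, sshd_config) collected into one script, as an added example that is not part of the original guide. The account name and paths are the guide's; the three forwarding/TTY directives are extra hardening assumed here, and the function names and the prefix argument of make_tree are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide. Run as root: sh setup.sh apply
SFTP_USER=svc-mfp-sftp
CHROOT=/var/sftp/scans

# Print the Match block. The last three directives are extra hardening
# assumed here; the guide itself names ChrootDirectory and ForceCommand.
match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# make_tree USER CHROOT PREFIX: chroot owned by root with mode 755, plus the
# uploads directory owned by USER. PREFIX (hypothetical, normally empty) lets
# the layout be rehearsed in a scratch directory.
make_tree() {
    mkdir -p "$3$2/uploads"
    chmod 755 "$3$2"
    if [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1; then
        chown root:root "$3$2"
        chown "$1:$1" "$3$2/uploads"
    fi
}

apply() {
    id "$SFTP_USER" >/dev/null 2>&1 || useradd -m -U -s /sbin/nologin "$SFTP_USER"
    make_tree "$SFTP_USER" "$CHROOT" ""
    # Match blocks run to the next Match or end of file, so append; skip if present.
    grep -q "^Match User $SFTP_USER\$" /etc/ssh/sshd_config ||
        match_block "$SFTP_USER" "$CHROOT" >> /etc/ssh/sshd_config
    sshd -t || return 1          # refuse to restart on a config error
    systemctl restart sshd       # the unit is named "ssh" on Debian/Ubuntu
    # Fingerprint to pre-load on the MFP instead of trusting on first use.
    ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
    echo "Now set the password: passwd $SFTP_USER"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```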
SFTP configuration parameters at a glance
Server→sftp.empresa.com or IP
Port→22 (default)
Username→svc-mfp-sftp
Authentication→password or SSH key
Path→/uploads (chroot-relative)
Encryption→automatic (SSH transport)
Passive mode→N/A (FTP-only setting; SFTP uses a single SSH connection)
SSH key authentication as an upgrade
Password authentication works but SSH key authentication is more secure and avoids the password-rotation problem. Some MFPs support uploading an SSH private key for SFTP authentication. The flow: generate an SSH key pair on a workstation (ssh-keygen -t ed25519 -f mfp-sftp-key), copy the public key to the SFTP server's ~/.ssh/authorized_keys for the svc-mfp-sftp user, upload the private key to the MFP, and configure the MFP to use key authentication instead of password.
Key authentication eliminates credential transmission entirely: the private key never leaves the MFP, which proves possession of it by signing, so no reusable secret is sent to the server. Even if the MFP is compromised, the attacker cannot recover the SSH key in usable form (most MFPs encrypt stored keys with a device-specific key). For high-security environments key authentication is the right choice; for typical office environments password authentication is acceptable provided the password is strong and rotated annually.
When FTP/SFTP fits, when SMB fits
Picking the right protocol for the destination
- SMB scan-to-folder: Within the office network, to a Windows file server with AD authentication
- SFTP: Crossing organisational boundaries, to a partner organisation, to a cloud-hosted intake server
- SFTP: To a Linux file server where SMB is not available or configured
- Plain FTP: Only when the receiving service requires it and the network path is fully trusted
- WebDAV / HTTPS: Some modern MFPs support HTTPS-based file upload as an alternative — check device capabilities
Firewall considerations
SFTP uses only port 22 outbound from the MFP, simplifying firewall configuration compared to plain FTP which uses port 21 plus dynamic data ports requiring connection tracking. Most office firewalls already permit outbound port 22; if not, the firewall rule to add is straightforward: allow MFP IP outbound on TCP 22 to the SFTP server IP. Inbound rules are not required — the MFP initiates the connection.
Filename templates and metadata
By default the MFP names scanned files with a timestamp pattern (e.g., scan_20260319_142847.pdf). Configure a more descriptive template in the MFP scan settings: include the authenticated username, the originating device, and a sequence number alongside the timestamp. The resulting name, for example maria_MFP01_20260319_142847_001.pdf, is far easier for the receiving system to route, especially if multiple devices feed the same destination.
Common SFTP setup issues
Three issues recur. The first is the chroot directory permissions trap — SSH refuses to chroot to a user-writable directory, so the parent of the writable target must be owned by root. The second is the MFP's failure to accept the server's host key on first connection; resolve by configuring the MFP to auto-accept on first use or by pre-loading the fingerprint. The third is firewall rules blocking outbound port 22 from the MFP's VLAN — diagnose with a workstation on the same VLAN attempting SSH to the server.
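One way to locate the first issue above, the chroot permissions trap, as an added example that is not part of the original guide. It goes slightly beyond the guide's single-directory check: sshd applies the root-owned, not group- or other-writable rule to every component of the ChrootDirectory path, so the script walks from the chroot up to /. The function names and the optional stop-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): find the directory that makes
# sshd reject the chroot. sshd requires every component of the ChrootDirectory
# path to be a root-owned directory that group and others cannot write to.

# dir_ok DIR UID: succeed if DIR is a directory owned by UID without g/o write.
dir_ok() {
    [ -d "$1" ] || return 1
    # "ls -ldn" prints e.g. "drwxr-xr-x 3 0 0 4096 ..."; keep mode and numeric owner
    info=$(ls -ldn "$1" | awk '{print $1, $3}')
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# audit_chroot CHROOT [UID] [TOP]: check CHROOT and every parent directory.
# UID defaults to 0 (root). TOP is a hypothetical stop directory (exclusive)
# used only to rehearse on a scratch tree; by default the walk includes /.
audit_chroot() {
    dir=$1; uid=${2:-0}; top=${3:-}; rc=0
    while :; do
        if dir_ok "$dir" "$uid"; then
            echo "ok    $dir"
        else
            echo "FAIL  $dir (needs owner uid $uid and no group/other write)"
            rc=1
        fi
        case "$dir" in
            /|.) break ;;                 # reached the top of the path
        esac
        dir=$(dirname "$dir")
        if [ "$dir" = "$top" ]; then break; fi
    done
    return "$rc"
}

# Usage on the server, as root: sh audit.sh /var/sftp/scans
if [ $# -gt 0 ]; then audit_chroot "$@"; fi
```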