Use this guide when Integrate.io ETL needs to land output files on a Windows file share (SMB or CIFS) that you do not want to expose to the public internet. The Windows host runs OpenSSH Server, opens an outbound reverse SSH tunnel to Integrate.io, and accepts writes from your package over standard SFTP. No inbound firewall rules are required. If your Windows host has a public IP and whitelisting Integrate.io’s IP range is an option, you can skip the reverse stage and connect directly over SFTP. See Connecting to SFTP and the IP list.
How it works
- OpenSSH Server runs on a Windows host that has access to the SMB share (either the file server itself, or a jump host that has write rights to the share over the network).
- The Windows host opens an outbound reverse SSH tunnel to an Integrate.io bastion. The tunnel exposes the host’s local SFTP port back to the Integrate.io worker.
- The package uses a standard SFTP destination component pointed at the tunnel endpoint, with a dedicated, chrooted SFTP user that has write access to a single output subfolder.
Pre-flight
- Windows 10/11 or Windows Server 2019+ (OpenSSH Server ships in-box).
- Local administrator rights on the Windows host.
- Access to the Integrate.io app to create the SFTP connection and the reverse tunnel endpoint.
- A writable location on the file share. If the OpenSSH host is not itself the file server, the SFTP user must have network write rights to the UNC path.
1. Install OpenSSH Server on Windows
Open PowerShell as Administrator and run:
2. Create a dedicated SFTP user
Create a non-admin local user that exists only to serve this connection.Users.
3. Prepare the chroot and grant write access
OpenSSH on Windows requires the ChrootDirectory to be owned by SYSTEM or BUILTIN\Administrators and not writable by the SFTP user. The pattern below puts the chroot at a parent folder and grants write only on a child subfolder, so the user can create files but cannot escape or tamper with the chroot itself.
- Symlink the output subfolder to the UNC target (New-Item -ItemType SymbolicLink ...) and make sure integrateio-sftp has share and NTFS write rights on the file server.
- Run a post-job step on Windows that moves files from C:\integrateio-sftp\out to the UNC target. This avoids granting the SFTP user direct network rights.
4. Lock sshd to the SFTP user
Append a Match User block at the end of C:\ProgramData\ssh\sshd_config so the SFTP user is restricted to internal-sftp inside the chroot. Other users are unaffected.
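Steps 3 and 4 as one script, added here as an example rather than taken from Integrate.io's documentation. It uses the user, paths and icacls approach named on this page; the AllowTcpForwarding and PermitTTY lines and the sshd_config.bak backup are assumptions added for hardening and rollback.

```powershell
# Added example, not Integrate.io's own script. Run as Administrator.
$User   = 'integrateio-sftp'
$Chroot = 'C:\integrateio-sftp'
$Out    = Join-Path $Chroot 'out'
$Config = 'C:\ProgramData\ssh\sshd_config'
$Sshd   = "$env:SystemRoot\System32\OpenSSH\sshd.exe"

New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Chroot root: owned by Administrators, no inherited ACEs, user may only list/traverse.
icacls $Chroot /setowner 'BUILTIN\Administrators' | Out-Null
icacls $Chroot /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' "${User}:(RX)" | Out-Null

# Writable child: Modify for the SFTP user, inherited by files and subfolders.
icacls $Out /grant:r "${User}:(OI)(CI)M" | Out-Null

# Fail closed if any non-admin principal can still write to the chroot root.
$write = [System.Security.AccessControl.FileSystemRights]::Write
$bad = (Get-Acl $Chroot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -and
    $_.IdentityReference.Value -notmatch 'SYSTEM$|\\Administrators$'
}
if ($bad) { throw "Chroot root writable by: $($bad.IdentityReference -join ', ')" }

# Append the Match block once. The last two directives are extra hardening
# assumed here, not taken from the page.
$block = @"

Match User $User
    ChrootDirectory $Chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTTY no
"@
if (-not (Select-String -Path $Config -Pattern "^\s*Match User $User\b" -Quiet)) {
    Copy-Item $Config "$Config.bak"
    Add-Content -Path $Config -Value $block
}

# Validate before restarting so a syntax error does not take sshd down.
& $Sshd -t -f $Config
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed validation; restore sshd_config.bak' }
Restart-Service sshd
```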
5. Open the reverse SSH tunnel from Windows
Two keypairs are involved, in opposite directions:
| Keypair | Generated on | Private key on | Public key goes to |
|---|---|---|---|
| Tunnel auth | Windows host | Windows host | Integrate.io (Settings, SSH Public Keys) |
| SFTP auth | Integrate.io (created with the SFTP connection) | Integrate.io worker | Windows host (C:\Users\integrateio-sftp\.ssh\authorized_keys) |
6. Install the SFTP public key on Windows
Once the SFTP connection is created in Integrate.io (next step), it produces a public key for the worker. Paste that key into the SFTP user’s authorized_keys:
If integrateio-sftp is in the Administrators group, the key file location is C:\ProgramData\ssh\administrators_authorized_keys instead. Keep the SFTP user out of Administrators so the standard location applies.
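Steps 5 and 6 together, as an added example that is not Integrate.io's own script. Values in angle brackets are placeholders for what the connection screen shows, the tunnel key file name is hypothetical, and the script assumes the profile folder C:\Users\integrateio-sftp already exists.

```powershell
# Added example, not Integrate.io's own script. Run as Administrator.
# Values in <angle brackets> are placeholders; replace them before running.
$User        = 'integrateio-sftp'
$SshDir      = "C:\Users\$User\.ssh"            # assumes the profile folder exists
$Keys        = Join-Path $SshDir 'authorized_keys'
$SftpPubKey  = '<SFTP public key from the connection form>'
$TunnelKey   = "$env:USERPROFILE\.ssh\integrateio_tunnel"   # hypothetical file name
$BastionHost = '<bastion-host>'
$BastionPort = '<bastion-forwarding-port>'
$TunnelUser  = '<tunnel-user>'

# SFTP auth (Step 6): install the worker's public key, then strip inherited
# ACEs so only SYSTEM, Administrators and the SFTP user can read the file.
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null
Set-Content -Path $Keys -Value $SftpPubKey -Encoding ascii
icacls $Keys /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:F' `
    'BUILTIN\Administrators:F' "${User}:R" | Out-Null

# Tunnel auth (Step 5): the keypair is generated on this host and the private
# key never leaves it. ssh-keygen prompts for a passphrase.
New-Item -ItemType Directory -Path (Split-Path $TunnelKey) -Force | Out-Null
if (-not (Test-Path $TunnelKey)) { ssh-keygen -f $TunnelKey }
Get-Content "$TunnelKey.pub"    # paste this under Settings, SSH Public Keys
Read-Host 'Press Enter once the tunnel public key is registered in Integrate.io'

# Reverse tunnel: expose loopback port 22 on the bastion forwarding port.
# ExitOnForwardFailure makes ssh exit instead of idling without a forward;
# ServerAliveInterval detects a dead link so a supervisor can restart it.
ssh -N -i $TunnelKey -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 `
    -R "${BastionPort}:127.0.0.1:22" "${TunnelUser}@${BastionHost}"
```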
7. Create the SFTP connection in Integrate.io
In the Integrate.io app, follow Connecting to SFTP, with these field values:
- Access type: Reverse SSH tunnel.
- Hostname: 127.0.0.1 (the worker connects through the tunnel).
- Port: 22 (the loopback port sshd is bound to on Windows).
- Username: integrateio-sftp.
- Authentication method: Public key. Copy the SFTP public key shown in the connection form into Windows as in Step 6.
- Bastion host and Bastion forwarding port: the values shown on the connection screen. These are the endpoint the Windows host targets when it opens the reverse tunnel in Step 5.
8. Build the package
Add an SFTP destination component to your package and set:
- Connection: the SFTP connection from Step 7.
- Target path: a path inside the writable subfolder, for example /out.
- Filename pattern: how each output part should be named, for example orders-{job_id}-{part}.csv.
- File format: CSV, JSON, Parquet, and so on.
test.csv to /out and confirm the file appears in C:\integrateio-sftp\out on Windows.
Common failure modes
| Symptom | Likely cause | Fix |
|---|---|---|
| Tunnel connects, SFTP auth fails | ACLs on authorized_keys are too permissive, or the file is in the wrong location for the user. | Reapply icacls from Step 6. If the user is in Administrators, move the key to C:\ProgramData\ssh\administrators_authorized_keys. |
| Job runs but writes no files | NTFS ACLs on the output subfolder do not grant Modify to integrateio-sftp, or the path lands at the chroot root (which is read-only by design). | Reapply icacls from Step 3 and write into /out, not /. |
| Permission denied writing to UNC path | The SFTP user has no rights on the file server share. | Either grant share and NTFS rights on the file server, or use a post-job move step on Windows. |
| sshd will not start | Port 22 already in use by another service, or sshd_config has a syntax error. | Open Event Viewer, Applications and Services, OpenSSH, Operational. |
| Test connection times out | Reverse tunnel is not running, or the bastion port does not match. | Re-run the ssh -R command from Step 5 and confirm the port matches the connection form. |
| Bad ownership or modes for chroot directory | C:\integrateio-sftp is writable by the SFTP user. | Re-run the ACL commands in Step 3. The chroot root must be owned by SYSTEM or Administrators and not writable by integrateio-sftp. |
Tear-down
- Stop the reverse-tunnel PowerShell window (or disable the Scheduled Task).
- In Integrate.io, delete the SFTP connection and remove the tunnel public key under Settings, SSH Public Keys.
- On Windows: