I'm having trouble connecting to SFTP on my Intune-managed workstations because it seems like something is blocking port 22. The connection works perfectly fine on an older hybrid machine right next to it on the same network. I'm getting an instant 'Connection refused' error when I try to connect using Filezilla or the command line. Here are the details I've gathered:
* It's something local since the connection doesn't show up in the firewall logs at all.
* I completely disabled Windows Firewall, but it still doesn't work.
* There's nothing using port 22 when I check the connections.
* Interestingly, the workstations can connect to SFTP when they're off the office network.
* DNS is resolving correctly to the server's IP.
* Just for testing, I managed to connect to SFTP on port 2222, so the issue seems isolated to port 22.
If anyone has any ideas about what could be causing this issue, I'd really appreciate your help. I've reviewed my Intune configurations (CIS L1+L2), but nothing jumps out that should be blocking this traffic based on the network location.
3 Answers
Have you considered that EDR clients like Defender for Endpoint or Crowdstrike might be blocking the connection? Even if you turned off the Windows Firewall, these services can still impose restrictions.
Since it works off the network but not on, it sounds very much like a network rule might be causing issues. Is it possible there's a firewall or NAC rule that’s causing this? Also, just to confirm, is everything on the same subnet?
Yeah, they’re all on the same subnet, and I’m monitoring the traffic. No connections seem to even hit the network firewall—it doesn’t log any attempts from the new workstation, while the old one connects without a hitch.
It sounds like something on your network setup is preventing the connection. Have you checked if DNS resolution in your office is pointing to a different location? Sometimes the internal vs external DNS can get tricky.
Nope, I verified it—a ping and SFTP connection attempt both return the correct IP address.
I have Defender for Endpoint active and licensed. I also have attack surface reduction rules in place, but I created a new policy to allow port 22. Still waiting to see if it works after the policy applies; I’m not very experienced with Defender.