How to Run Secure File Transfer On-Premises — A Complete Guide

How to Run Secure File Transfer On-Premises

On-premises file transfer means your transfer platform runs on infrastructure you control — not as a SaaS service routing your data through a third-party cloud.

This guide covers deploying and operating Xferity on-premises.

Why on-premises matters for enterprise file transfer

Transfer workflows often carry:

customer financial data
healthcare records
partner contracts
pre-publication financial reports

Routing these through a SaaS vendor’s cloud adds a data processor relationship, increases the attack surface, and creates dependency on external service availability. On-premises removes all of these.

Deployment options

Xferity on-premises runs in three modes:

1. Single binary on Linux

./xferity run-service --config ./config/config.yaml

No runtime dependencies. The Go binary includes all dependencies. Runs as a systemd service or directly.

2. Docker

docker run --rm \
  -v $(pwd)/config:/app/config \
  -v $(pwd)/flows:/app/flows \
  -v $(pwd)/partners:/app/partners \
  xferity/xferity:latest run-service

3. Docker Compose (recommended for production)

services:
  xferity:
    image: xferity/xferity:latest
    volumes:
      - ./config:/app/config
      - ./flows:/app/flows
      - ./partners:/app/partners
      - ./keys:/app/keys
      - ./audit:/app/audit
    environment:
      XFERITY_STATE_BACKEND: postgres
      XFERITY_DB_DSN: postgres://user:pass@postgres:5432/xferity
    restart: unless-stopped
  postgres:
    image: postgres:15
    environment:
      POSTGRES_DB: xferity
      POSTGRES_USER: xferity
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data

4. Windows Server

Xferity compiles as a native Windows binary. Runs as a Windows Service or directly from Command Prompt/PowerShell. See Deployment: Windows.

State backend

For single-instance deployments: the file-backed state backend requires no external dependencies.

For multi-worker deployments, HA, or persistent UI sessions: use the Postgres-backed state backend. See Deployment: Postgres and Workers.

Network requirements

Xferity makes outbound connections to partner endpoints. Required outbound access depends on configured protocols:

SFTP: TCP port 22 (or partner-configured port)
FTPS: TCP port 21 (control) + passive data ports (partner-configured range)
AS2: TCP port 443 or partner HTTP port
S3: HTTPS to S3 endpoint (port 443)
WebDAV: HTTPS to WebDAV endpoint
Azure Blob: HTTPS to storage account endpoint

Xferity does not require inbound network access unless:

AS2 inbound messages are being received (requires an inbound HTTPS endpoint)
The web UI is exposed for operator access

Secrets for on-premises

Credentials for partner endpoints must not be stored in plaintext configuration files.

Options for on-premises secret management:

Environment variables — env:PARTNER_PASS
Docker secrets / file mounts — file:/run/secrets/partner_key
HashiCorp Vault (self-hosted) — vault:secret/data/partner#pass
Local vault (encrypted in Postgres) — managed through the Xferity UI when Postgres-backed

Enable hardened mode to reject any plaintext credentials at startup:

security:
  hardened_mode: true

Air-gapped deployments

Xferity runs without outbound internet access. There are no telemetry calls, no license servers to reach at runtime, and no cloud SDKs that require external connectivity.

For truly air-gapped environments:

distribute the binary or container image through your artifact repository
copy configuration files through your approved change process
use local secret references (environment variables or file mounts)

See Deployment: Air-Gapped.

Operations on-premises

# Validate configuration before starting
xferity validate

# Run diagnostics against a partner endpoint
xferity diag <flow-name>

# Run a flow once manually
xferity run <flow-name>

# View service logs
xferity logs --follow

# Check flow history
xferity flow history <flow-name>

# Trace a specific file
xferity trace orders-2026-03-16.csv