A Cloud File Server For Windows, Without Moving Any Files

What is a cloud file server for Windows?

A cloud file server for Windows is a setup where the SMB shares on your existing Windows file server are published to the internet over HTTPS. Users reach them from a browser, a mapped drive client, or a phone, and they don't have to dial into a VPN to do it. The underlying file server doesn't change in any meaningful way. Active Directory keeps doing authentication, NTFS permissions keep enforcing access, file locking still works for the apps that need it, and your backups run the same way they always have. The “cloud” part is the access path, not the storage.

That's what MyWorkDrive provides. You install it on a Windows Server inside your domain, point it at the shares you want exposed, and put an SSL certificate on the IIS site it creates. Users sign in with the same AD or Entra ID credentials they already use, and they see a familiar share layout in a browser. From your side as IT, the security model is whatever it was yesterday.

Why this problem has gotten harder, not easier

Most enterprises and SMBs still run their primary file storage on Windows file servers, and there are good reasons for that. AD integration is mature. Gigabit LAN performance is unbeatable for the price (roughly 125 MB/s versus around 12.5 MB/s on a typical 100 Mbps internet link). And anyone who's tried to move 8 TB of departmental files with messy permissions into a cloud repository will tell you the migration economics rarely pencil out.

The catch is that SMB was never designed to face the internet. The traditional workaround of tunneling port 445 over a corporate VPN has aged badly. It widens the ransomware blast radius, gives security auditors heartburn, and creates the kind of standing network trust that most modern security frameworks now consider a liability rather than a feature.

The cloud-only alternatives have their own problems. SharePoint Online imposes a 15 GB file size cap, 5,000-item display limits, 100,000-file sync limits, lost NTFS metadata, no real SMB file locking for CAD or accounting apps, and storage that runs roughly ten times the per-GB price of Azure Files. Azure File Sync is a legitimate option if your goal is storage modernization, but it's a replication project with its own planning curve, and most teams underestimate how much of one until they're a few weeks in.

What a lot of organizations actually want is narrower than any of those options: keep the file server, lose the VPN.

How MyWorkDrive's cloud file server works

MyWorkDrive sits between users and your file shares. It doesn't make a copy of your data, doesn't sync files to client devices, and can't grant access beyond what users already have on the underlying NTFS or tenant permissions. What it does is broker TLS-encrypted HTTPS access to the shares you've already published, with your existing identity provider doing the actual authentication work.

The architecture is built around three layers that intentionally stay loosely coupled:

• Identity stays with your IdP. Whether you're on traditional AD with SAML through ADFS, native Entra ID sign-in, Okta, or any OIDC provider, MyWorkDrive doesn't replace your authentication path. MFA, Conditional Access, and risk-based policies all enforce where they already do, which means your IdP team doesn't have to learn a new product to keep your access policies working.
• The app runs on a Windows Server box in IIS. File contents pass through the application in memory and never get written to disk on the MyWorkDrive server itself. If the box went down tomorrow, no customer files would be sitting on it to recover or to worry about.
• Storage stays put. Files keep living on whatever you already have: Windows SMB shares, Azure Files, Azure NetApp Files, Amazon FSx for NetApp ONTAP, SharePoint, OneDrive, or Azure Blob with Data Lake Gen2. The existing ACLs are the access model. MyWorkDrive can restrict further by policy, but it can never escalate beyond what the user already has on the underlying storage.

On the user side, that translates to three access paths: a browser-based Web File Manager, a Windows mapped drive client that runs over HTTPS instead of SMB, and native iOS and Android apps. None of them require a VPN, and all of them respect the file server's existing permissions because they don't have any other choice. The underlying ACLs are still doing the gatekeeping.

Where MyWorkDrive fits in a Zero Trust rollout

If you've been tasked with implementing Zero Trust at your organization, file access is often one of the harder pieces to get right. VPN-based file sharing fails the test on day one because it grants broad network-level trust before the user has done anything useful. MyWorkDrive starts from the opposite assumption: every request needs to authenticate, and the network can't be trusted with anything.

Some networks won't let you open any inbound ports at all, which is increasingly common in regulated environments. For that case there's the Cloud Web Connector, which uses an outbound-only Cloudflare tunnel on port 7844. Publication happens with zero firewall changes, and in our experience that's often the difference between a security review approving a deployment in days versus quarters.

MyWorkDrive vs Azure File Sync: side-by-side

Azure File Sync gets pulled into this comparison constantly, so it's worth being precise about what it actually is. Azure File Sync is a replication tool. It pushes the contents of your Windows file shares up to Azure Files, with optional tiering so the cold data lives in the cloud and the hot blocks cache locally. It solves storage modernization. It does not solve remote access, at least not in the way most teams searching for “cloud file server” mean.

If what you actually want is for your users to reach the files from outside the LAN, you don't necessarily need to move the files at all. Here's how the two products line up against each other for that use case:

Feature comparison between MyWorkDrive and Azure File Sync

Both tools have a real use case. If you're closing data centers, decommissioning branch office servers, or consolidating onto Azure storage with caching at the edge, Azure File Sync is what it was built for and it's good at it. If you want to keep the file server you already have and just give your users a way to reach it from outside the LAN, that's MyWorkDrive's lane. The mistake is treating them as competing answers to the same question. They aren't.

How to convert a Windows file server to a cloud file server

What follows is a working production deployment, not a lab walkthrough. We've done versions of this for organizations ranging from 50 users up to several thousand, and the steps don't change much at scale. The slowest step is usually whoever owns SSL certificates internally.

1. 01

   Provision a Windows Server

   Stand up a dedicated Windows Server 2019, 2022, or 2025 instance, either on-premises or in any cloud or hypervisor. Typical sizing runs 2 to 8 cores, 4 to 32 GB RAM, and a 120 GB disk for deployments up to a thousand or so users. Domain-join it if you're using Active Directory.

2. 02

   Run the MyWorkDrive installer

   The installer deploys into IIS, configures the Windows services, and auto-detects your Active Directory or Entra ID domain. A single-server deployment needs no separate database. For multi-server HA you can add SQL Server, PostgreSQL, or Azure SQL to coordinate sessions and file locks across nodes.

3. 03

   Wire in your identity provider

   On Active Directory, the server's domain join is enough on its own. Users and groups come along automatically. For modern SSO, configure SAML through ADFS, Entra ID, Okta, or any compliant provider. Whatever MFA and Conditional Access rules you already have keep enforcing, since the IdP is still doing the actual auth work.

4. 04

   Publish your shares

   In the admin console, point at the SMB shares, Azure Files mounts, SharePoint sites, OneDrive accounts, or Azure Blob containers you want exposed. Restrict each to specific AD groups if you want a smaller initial blast radius for a pilot. NTFS and tenant permissions are honored as-is.

5. 05

   Add SSL and decide how you're publishing externally

   Install an SSL certificate on the IIS site. From there you have four publishing options, in rough order from most direct to most firewall-friendly: direct HTTPS on port 443, behind a reverse proxy or WAF like F5, NGINX, Cloudflare, or Kemp, through Microsoft Entra Application Proxy, or via the Cloud Web Connector for environments where opening any inbound ports is a non-starter.

6. 06

   Smoke test from outside, then start the rollout

   Get off the corporate network and act like an end user. Sign in via SSO, browse a share, open a Word doc and save your changes, install the mapped drive client, and send yourself a public share link. If those five things work, the install is sound. From there it becomes a question of communications and rollout pacing rather than technical readiness.

What you get with MyWorkDrive Cloud File Server

The capabilities below all operate against the storage you already have. There's no migration step, no sync agent running on user laptops, and no proprietary repository sitting in the middle of your data.

A note on customer outcomes

What this actually buys you

• The Windows file server, the Microsoft 365 entitlements, and the on-prem storage you already paid for all keep doing useful work instead of getting replaced in the name of “modernization.”
• No more VPN client to deploy or troubleshoot, and the SMB-over-VPN attack surface that security teams have been trying to retire for years goes away.
• Storage stays cheap. Files on existing SMB or Azure Files cost around $0.0255/GB. SharePoint storage costs roughly $0.20/GB. At a few terabytes that gap is real money every month.
• Files never leave the environment they're already in, which is what keeps HIPAA, GDPR, CMMC, and FedRAMP-aligned workloads on the right side of an audit.
• You can modernize at whatever pace fits the organization. Add cloud access today, change storage in a year, or never change storage at all if what you have is fine. The decision doesn't have to be coupled.