Konica Minolta BizHub C3350 - Scan to Folder Stopped Working

[Distorted Vision]

Tried to test scan and it gives me message right away:

 

[ChatGPT]

Thanks — that screenshot from the MFP means the device failed to connect to the FTP server immediately (no transfer attempt). That narrows it to either: (A) the MFP never reached port 21 on the server (network / firewall / wrong port), or (B) the server rejected the connection before login (listener not bound / wrong listener), or (C) the MFP settings (port, passive mode, file path, username) are wrong. We’ll quickly isolate which.
Do these checks in order and paste back the outputs / log lines you see:
Step 1 — Watch the FileZilla admin log while you press Start on the MFP

• Open the FileZilla Server administration window (the one with the message area).
• Leave it visible and press Start on the MFP to do the test scan.
• Immediately look at the FileZilla admin log area — you should see a connection attempt (IP of the MFP), a USER and PASS line, or an error. Copy/paste the exact lines you see (or take a screenshot).
  If you see nothing in the FileZilla log when the MFP tries, the MFP never reached the server (network/firewall/port).

Step 2 — Confirm FileZilla is listening on port 21
Run these in an elevated PowerShell on 192.168.0.26 (copy/paste):

check a listener on port 21​

netstat -an | findstr ":21 "

or PowerShell alternate​

Get-NetTCPConnection -LocalPort 21 -State Listen
Expected: you should see an ENTRY with Local Address 0.0.0.0:21 or 192.168.0.26:21 and State LISTENING. Paste the output.
Step 3 — Confirm firewall rule exists and is enabled
In an elevated PowerShell run:
Get-NetFirewallRule -DisplayName "Allow FTP from MFP (control)","Allow FTP Passive from MFP" | Format-Table DisplayName,Enabled,Direction,Action,Profile
If those exact rules aren’t shown, run this to list any FTP-related rules:
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "FTP"} | Format-Table DisplayName,Enabled,Direction,Action,Profile
Paste the output. If your rule shows RemoteAddress restricted, confirm it is 192.168.0.39.
Step 4 — Quick network test from another PC (isolates MFP)
From a different PC on the same network (not the FTP host), test with FileZilla Client or the built-in Windows ftp client. In FileZilla Client set:

• Host: 192.168.0.26
• Port: 21
• User: Scanner
• Password: (Scanner password)
• Transfer mode: Passive (PASV)

Try to connect and upload a small file. If that works, server and firewall are OK and the problem is MFP settings. If it fails to connect, post the client error message.
Step 5 — If no log entries in FileZilla when MFP tries: quickly test loosening the firewall for a moment
(Temporarily allow any remote to port 21 so we can confirm firewall filtering is the issue — only do this briefly)
Run as admin on the FTP host:
New-NetFirewallRule -DisplayName "Allow FTP from ANY (temp test)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 21 -RemoteAddress Any
Then try an MFP test scan again. If it now connects, the initial firewall rule was blocking the MFP (likely because RemoteAddress didn’t match or MFP IP changed). If it still fails with no FileZilla log, revert the rule and we’ll continue deeper diagnostics.
Remove the temp rule when done:
Remove-NetFirewallRule -DisplayName "Allow FTP from ANY (temp test)"
Step 6 — Verify FileZilla user + mountpoint + passive settings (quick checklist)

• In FileZilla Settings → Rights management → Users:
  • User Scanner exists and “User is enabled” is checked.
  • Authentication set to Password (and password field filled).
  • Mountpoint present with Virtual path "/" mapped to Native path C:\Scans-Konica.
  • Permissions: List, Read and Write (and Create/Delete/Append) are checked.
• In Settings → Passive mode: the same port range you opened in firewall (e.g. 50000–50010) is set.
• In Server listeners: a listener exists for port 21 (IPv4).

Step 7 — MFP PageScope settings to re-check

• Protocol: FTP (not SMB)
• Host Address: 192.168.0.26
• Port: 21
• File Path: / (or blank) — try both
• Transfer Mode: Passive (PASV)
• User ID: Scanner
• Password: (exact password set in FileZilla)
• If you enabled FTPS in FileZilla and set “Require TLS”, make sure you enabled FTPS on the MFP as well and check certificate handling. For now, use plain FTP to get it working.

What I need from you now

1. The FileZilla admin log lines that appear when you push Start on the MFP (or a screenshot). This is the single most useful item.
2. The outputs from Step 2 (netstat/Get-NetTCPConnection) and Step 3 (Get-NetFirewallRule).
3. The result of Step 4 (attempt to connect from another PC) — success or exact error message.

With those I’ll tell you exactly what’s blocking the connection and the minimal fix (usually a firewall rule tweak or a small PageScope field change).

 

[Distorted Vision]

FYI

 

[ChatGPT]

Good — the FileZilla log shows exactly what happened. Key lines:

• The MFP connected, sent USER Scanner, and FileZilla replied: “503 Use AUTH first.”
• That means the server is requiring an FTPS (TLS) handshake first, but the client (the MFP) tried to log in without starting TLS.

Two safe fixes (pick one)
A — Fast test (recommended): allow plain FTP temporarily

1. Open FileZilla Server → Server → Configure (or Settings) → FTP over TLS (FTPS).
2. Uncheck “Require TLS for user login” (or similar wording like “Force TLS”), then Apply/OK.
3. Retry the scan from the MFP (Protocol = FTP, Port = 21, Passive mode).
   Why: this lets the MFP log in with plain FTP (what it attempted). Use this only on your isolated/trusted LAN and with the firewall rule still restricting access to the MFP IP (192.168.0.39). If it now works you’ll see USER/PASS and STOR lines in the FileZilla log.

B — Proper secure fix: enable FTPS on the MFP (explicit TLS) and keep server requiring TLS

1. In FileZilla Server → FTP over TLS settings, ensure FTPS is enabled and you have a cert configured (you already generated one). Keep “Require TLS” checked.
2. On the bizhub PageScope settings for the FTP destination set:
   • Protocol: FTPS (or FTP over TLS / Enable TLS) — choose the explicit FTPS option if available
   • Host: 192.168.0.26, Port: 21 (explicit FTPS uses 21)
   • Transfer Mode: Passive (PASV)
   • User/Password: Scanner / the password
3. Test a scan. If FTPS fails, the MFP may be rejecting the server certificate (self‑signed). Options then:
   • Install a CA-signed cert on the FileZilla server (preferred), or
   • If the MFP can import/trust a certificate, import the self-signed cert into the MFP’s trusted cert store (some Konica models allow this), or
   • Temporarily disable “Require TLS” (option A) while you sort certificates.

What to do right now

• Easiest: uncheck “Require TLS” in FileZilla and try a scan. If it succeeds, tell me and we’ll either leave plain FTP but keep the firewall restricted to the MFP, or proceed to set up FTPS properly (preferred).
• If you prefer to go secure straight away, tell me whether the MFP page shows an explicit FTPS/TLS checkbox — I’ll give the exact PageScope steps to enable FTPS and the certificate options to try.

Extra checks / notes

• After a successful attempt, confirm in FileZilla log you see lines like:
  • USER Scanner
  • PASS ****
  • STOR <filename>
  • 226 Transfer complete
• If you choose FTPS and the MFP fails during TLS negotiation, paste the FileZilla log lines and I’ll tell you whether the MFP didn’t send AUTH TLS or rejected the certificate.
• Security: if you allow plain FTP even temporarily, keep the firewall restriction you already created (allow only 192.168.0.39). Don’t open FTP to the whole LAN/Internet.

If you want, I can give the exact UI clicks for your FileZilla screen to disable “Require TLS” (or re-enable it later) and the exact PageScope fields to set for FTPS. Which path do you want to take now — A (allow plain FTP to confirm) or B (enable FTPS on the MFP)?

 

[Distorted Vision]

In MFP settings I do not see:

On the bizhub PageScope settings for the FTP destination set:
- Protocol: FTPS (or FTP over TLS / Enable TLS) — choose the explicit FTPS option if available

 

[ChatGPT]

Thanks — that PageScope screenshot confirms the C3350’s Remote UI doesn’t expose an obvious “FTPS” checkbox on the address-book entry (some firmware builds don’t). Because FileZilla is currently set to require TLS, the MFP’s plain-FTP login is rejected with “503 Use AUTH first.” The quickest safe fix is to allow plain FTP on the FileZilla server (just for this MFP) and test; afterwards you can either leave plain FTP but keep it locked down to the MFP IP, or pursue FTPS if the MFP supports it.
Do this now (quick, copy/paste-free steps)
1) Turn off the “require TLS” option in FileZilla Server (temporary)

• In the FileZilla Server Administration window click Server → Configure...
• In the left tree pick “FTP and FTP over TLS (FTPS)” (or “FTP over TLS settings”).
• Uncheck the option that forces/requires TLS for login (wording may be “Require TLS for user login” or “Force TLS” / “Force SSL”).
• Click Apply / OK.

2) Re-run the test scan on the MFP

• On the MFP choose the FTP destination and press Start.
• Watch the FileZilla admin log immediately.

What you should see in FileZilla log on success

• 220 FileZilla Server...
• USER Scanner
• 331 Password required for Scanner
• PASS ****
• 230 Login successful
• PASV (or PORT) then STOR <filename>
• 226 Transfer complete

If you see that sequence the upload succeeded — check C:\Scans-Konica for the file.
If it still fails immediately with “Connection Failed”

• Paste (or screenshot) the FileZilla admin log lines that appear during the attempt. That will tell whether the MFP reaches the server and what the server replies.

Why this is safe (brief)

• Plain FTP sends credentials in clear text. Because you already limited the firewall rules to allow port 21 and the passive range only from the MFP IP (192.168.0.39), exposure is limited to a single trusted device on your LAN. Keep it that way if you leave plain FTP enabled.

If you prefer FTPS (encrypted) long‑term

• Two possibilities:
  a) The MFP supports explicit FTPS but the firmware UI hides the option on the address entry — check PageScope → FTP Settings → FTP TX Settings (there may be an FTPS enable or certificate import page). If you find a TLS/FTPS option there, enable it and re‑set the address entry to use FTPS. I can point to the exact PageScope subpage if you paste that screen.
  b) If the MFP lacks FTPS client support, you’ll need to use plain FTP (with firewall restriction) or another transport (WebDAV over HTTPS, or an SMB solution after firmware/tech support).

If you want to re-enable required TLS later (after enabling FTPS on the MFP)

• Re-enable “Require TLS” in FileZilla Server (reverse of step 1) and test. If the MFP fails to negotiate TLS, you may need to import the server certificate into the MFP (some Konica models allow importing CA or self-signed certs).

Extra troubleshooting notes (if the test still fails)

• Confirm Passive mode on MFP (PASV) — Konica generally uses PASV.
• Confirm FileZilla passive port range matches your firewall rules.
• Check FileZilla log for “530”, “503”, “421” or “550” responses and paste them here; I’ll decode them.
• If you want to attempt FTPS and FileZilla is set to require TLS already, tell me whether the PageScope’s FTP TX Settings page shows any TLS/SSL options — paste a screenshot and I’ll look.

Which do you want to do now?

• I can walk you through the exact FileZilla option to uncheck (I can show a screenshot of the FileZilla dialog lines to change), or
• If you’d rather try finding FTPS settings on the MFP first, open PageScope → FTP Settings → FTP TX Settings and paste a screenshot and I’ll tell you what to change.

 

[Distorted Vision]

There is no option:

• Uncheck the option that forces/requires TLS for login (wording may be “Require TLS for user login” or “Force TLS” / “Force SSL”).

 

[ChatGPT]

You’re right — that specific checkbox (“Force TLS for user login”) isn’t on the FTP-over‑TLS page in your screenshot. Two likely causes and fixes:
1) The “force TLS” setting is a per-user option (not on the main FTPS page)

• Open FileZilla Server Interface → Edit → Users (or click Users in the left pane).
• Select the user/account you want the scanner to use.
• Look on the user’s General / Account page for the checkbox labeled “Force TLS for user login” (uncheck it to allow plain FTP). Omnisecu’s FileZilla FTPS guide shows that the per‑user option is where you set “Force TLS for user login”.

2) If you don’t see the per‑user checkbox either (or any FTPS checkboxes), either the dialog is scrolled/cropped in your screenshot or you’re on a version/skin where the layout moved

• Resize the Settings window or scroll the left panel — the top of the FTP-over‑TLS dialog normally contains the “Enable FTP over TLS support (FTPS)” and “Disallow plain unencrypted FTP” checkboxes. If “Disallow plain unencrypted FTP” is checked, plain FTP logins are blocked. CheapSSLWeb and other FileZilla guides show those checkboxes live on the FTP over TLS settings screen.

If you want the scanner to keep using plain FTP (not recommended for security), make sure:

• In Edit → Settings → FTP over TLS settings: either leave FTPS disabled or leave “Disallow plain unencrypted FTP” unchecked.
• In Users → select the scanner user: ensure “Force TLS for user login” is unchecked.
  After changes, restart the FileZilla Server service or at least reconnect the admin interface so settings take effect.

If you prefer to secure the scanner (recommended):

• Configure the BizHub to use Explicit FTPS (AUTH TLS) on port 21 (many Konica Minolta models support this). Generate/load a certificate on FileZilla Server and set the scanner to use FTPS — that’s the safer option. FileZilla’s FTPS guides explain explicit vs implicit FTPS and how to generate a cert.

Tell me:

• Which FileZilla Server version are you running (Help → About)?
• Can you post a screenshot of the Users dialog for the account the BizHub uses?

I’ll walk you step‑by‑step from there (or, if you want, I can give exact Konica Minolta scan-to-FTP FTPS settings).

 

[Distorted Vision]

Is it this?

 

[ChatGPT]

Yes — that screenshot is the per‑user "Protocol policies" page for the Scanner account. It tells you what protocol types the account is allowed to use.
What those two lines mean (from your screenshot)

• FTP authentication (insecure): Determined by groups or system policies — the user will follow whatever the group/server policy says about plain (unencrypted) FTP.
• FTPS (FTP over TLS) authentication: Disabled — this user is explicitly not allowed to use FTPS (this user cannot use TLS). (The “- overrides groups policies” note means the user setting takes precedence over any group setting.)

If your goal is to let the BizHub use plain FTP (no TLS), do this checklist (step‑by‑step):
1) Make the user allow plain FTP

• In Users → select Scanner → Protocol policies:
  • Change “FTP authentication (insecure)” from “Determined by groups or system policies” to an option that allows / enables insecure FTP for that user (or set the group policy accordingly). If there’s no explicit “Allow” option, you’ll need to change the group or system policy (next step).

2) Check the group / system policy

• Rights management → Groups → select the group the Scanner belongs to (or system user) → Protocol policies:
  • Ensure the group policy allows plain FTP (not “disallowed” or “required TLS only”).

3) Check the global FTPS settings (this is often the real blocker)

• Edit → Settings → Protocols settings → FTP and FTP over TLS (FTPS) → Connection Security (or top of that page):
  • Look for a box like “Disallow plain unencrypted FTP” (or “Require TLS for user login” in older UIs). Make sure that box is NOT checked if you want to accept plain FTP logins server‑wide.
• If that box is checked, it overrides user/group settings and will prevent plain FTP.

4) Verify server listeners and ports

• Edit → Settings → Server listeners:
  • Confirm you have a listener on port 21 (FTP) and/or the port your BizHub is trying to use.
  • If only an implicit FTPS listener (e.g. port 990) is present, plain FTP clients will fail.

5) Apply and restart

• Click Apply / OK and then restart FileZilla Server service or reconnect the admin interface so changes take effect.

If it still doesn’t work, tell me:

• The exact error/message the BizHub shows when it tries to scan.
• FileZilla Server version (Help → About).
• Whether the BizHub is configured to use plain FTP or FTPS (AUTH TLS / explicit FTPS / implicit FTPS) and which IP/port it’s using.
• Whether the server is behind a firewall/NAT (passive mode port range and firewall rules may be needed).

Security note: allowing plain FTP sends credentials in clear text. If possible, configure the BizHub to use Explicit FTPS (AUTH TLS) and enable FTPS on FileZilla (with a valid certificate) — I can walk you through that if you want.

 

[Distorted Vision]

I got working! Test scan was successful.

This was the setting page:

 

[ChatGPT]

Nice — glad you got the test scan to work. That Server listeners setting is exactly why:

• Your listeners are set to "Explicit FTP over TLS and insecure plain FTP" on port 21 for all addresses, so the server will accept either an AUTH TLS (FTPS) connection or a plain (unencrypted) FTP login. Your BizHub was able to connect with plain FTP, so the scan succeeded.

A few quick notes and recommended next steps (to keep it short):
1) Security warning

• Right now credentials and file data can be sent in clear text when the scanner uses plain FTP. If this device is on an untrusted network or the server is reachable from the Internet, this is risky. Consider enabling FTPS only once you finish testing.

2) How to switch to FTPS-only

• Edit → Settings → Server listeners → change the Protocol for the listener(s) from the option that mentions “insecure plain FTP” to the FTPS-only option (the one that does not say “insecure” or “plain”).
• Make sure you have a valid TLS certificate set under Protocols settings → FTP and FTP over TLS (FTPS). You can use the built-in self-signed cert for testing, but use a trusted cert (or Let’s Encrypt) for production.

3) Passive mode and firewall/NAT (very common cause of problems)

• Settings → FTP and FTP over TLS → Passive mode: set a port range (e.g. 50000–51000) and configure your router/firewall to forward that range to the server.
• In the same passive settings specify the server’s external IP or hostname if the scanner is on a different network.
• Allow port 21 (or your chosen FTP port) and the passive range in the server firewall.

4) Hardening recommendations

• Restrict the Scanner user to only the required home folder (Users → Scanner → General).
• Use the Protocol policies tab to explicitly allow/disallow FTP or FTPS per user.
• If the scanner has a fixed IP, restrict access by IP (Windows firewall rules, router ACL, or FileZilla IP filters).
• Remove duplicate listeners you don’t need (IPv6 :: and IPv4 0.0.0.0 both listen; keep only what you need).

5) Test checklist after changes

• Test from the BizHub (scan).
• Test from a PC FTP client (FileZilla client) both plain and FTPS modes to confirm behavior.
• Check FileZilla Server logs for connection/auth details if anything fails.

If you want I can:

• Walk you through switching to FTPS-only and installing/using Let’s Encrypt from inside FileZilla Server, or
• Walk you through passive port range, firewall and NAT steps for your router/firewall.

Which would you like to do next?

 

[Distorted Vision]

We're done here. Let's wrap things up.

@ChatGPT Summarise thread.

 

[ChatGPT]

Here’s a concise summary of the thread, Distorted Vision — what happened, how it was diagnosed, and what fixed it.
Summary

• Problem: After an in-place Windows repair the Konica Minolta bizhub C3350 stopped scanning to the shared folder (C:\Scans‑Konica). The Canon MFP had a similar issue earlier but was fixed by re-creating the share; the Konica continued to fail.
• Initial troubleshooting: We checked SMB/NTLM and share/ACLs because the MFP can fail when Windows only supports SMB2/3 or rejects older NTLM dialects. Commands and checks (Get‑SmbServerConfiguration, Test‑NetConnection, net use, Event Viewer 4625) were suggested to narrow SMB vs auth vs network causes.
• Alternate path chosen: Since PageScope showed FTP/WebDAV options and SMB compatibility was uncertain, we set up FileZilla Server as an FTP target (so the MFP could upload via FTP instead of SMB). Guided FileZilla / PageScope settings were given (host, port 21, user Scanner, passive mode).
• Key log finding: FileZilla’s admin log showed the MFP sent USER Scanner and the server replied “503 Use AUTH first.” That indicated the server was requiring an FTPS/TLS handshake but the MFP attempted plain FTP. Two fixes were recommended: temporarily allow plain FTP or configure the MFP to use explicit FTPS.
• Resolution: You adjusted the FileZilla listener/policy so the server accepted explicit FTP over TLS and insecure plain FTP on port 21 (allowing the MFP to use plain FTP). After that a test scan succeeded.
• Post‑fix recommendations (security / hardening & common gotchas):
  • Prefer FTPS (explicit AUTH TLS) for production — either install a trusted cert or import/trust the server cert on the MFP. If you require FTPS, re‑enable “require TLS” and set the MFP to use FTPS.
  • Use a passive port range and open/forward that range in your firewall/NAT if the MFP is on a different network; keep port 21 (or chosen FTP port) permitted only from the MFP IP.
  • Restrict the Scanner FTP user to the upload folder, give minimal NTFS/share rights, and lock firewall rules to the MFP’s IP.
  • If SMB is still desired later, check firmware for the bizhub (some firmware adds SMB2/3 support) rather than enabling SMB1 on Windows (SMB1 is insecure).

Outcome

• The immediate problem is resolved: test scan succeeded after allowing plain FTP on the FileZilla listener. Next steps were provided to secure the setup if you want to move to FTPS and lock down access.

If you want, I can now:

• Walk through switching to FTPS-only (generate/install cert or use Let’s Encrypt) and show the exact PageScope FTPS fields; or
• Show the exact firewall/passive‑port rules to apply and test commands to verify them.

Happy to close this thread whenever you are — or I can post the follow-up steps you prefer.

 

[Distorted Vision]

@ChatGPT Close this thread

 

[ChatGPT]

Done — thread closed per your request.
Quick final note: issue resolved by allowing plain FTP on the FileZilla listener so the bizhub could connect; recommended next step was to move to FTPS and lock firewall rules when convenient. If you want the thread locked or marked “Solved” for the forum, or want me to post the final steps you followed into the thread, say so and I’ll do it.