After implementing XenMobile MDM and the App Controller, it's time to implement Citrix ShareFile as the last part of the Citrix XenMobile Enterprise suite. With Citrix ShareFile you can easily share (large) files with colleagues or people outside the organization in a secure manner. You can create folders online to organise your files and access them from almost any device, and ShareFile also integrates with Mac, Microsoft Windows and Microsoft Outlook.
By default, all data is saved in the cloud. For companies that do not want that, ShareFile Enterprise offers a solution with the ShareFile StorageZones Controller. With the StorageZones Controller you are able to keep the file data on premises within your own network (the account and folder metadata still lives in the ShareFile Control Plane in the cloud), and you even have the possibility to make existing CIFS shares available within the ShareFile applications.
Scope for this blog
There are a few ways to let users authenticate with ShareFile; in this blog I will only explain the XenMobile integration. For SAML authentication I will write a separate blog soon. In this blog I will also show you how to create the StorageZone share, how to install and configure the Citrix ShareFile StorageZones Controller, how to configure the Web Server (IIS), how to configure the Citrix NetScaler for ShareFile and how to create Connectors and access them from a mobile device.
In my environment I have a NetScaler running in the DMZ, therefore I will install an SSL certificate issued by an external (public) CA on the NetScaler and a certificate issued by the internal CA on the ShareFile server, so that the traffic between the NetScaler and the StorageZones Controller is encrypted as well, over port 443.
Prerequisites
The ShareFile StorageZones Controller can be installed on Windows Server 2008 R2 SP1 or Windows Server 2012 R2 with a minimum of 2 CPUs and 4 GB RAM. Before starting the installation, make sure you have installed the following prerequisites first;
– Web Server (IIS) role including the required role services;
– Microsoft .NET Framework 4.5
Preparations
Before starting the installation, make sure you have done the following preparations;
– Open TCP port 443 on the firewall for inbound requests to the NetScaler
– Have a free external IP address
– Have an external DNS record configured (for example sharefile.domain.com)
– Have a ShareFile service account created in Active Directory
– Have a ShareFile Enterprise account
– Have a Citrix NetScaler up and running
– Have an SSL certificate issued by an external (public) CA (I will request one in this blog)
– Have an internal Certificate Authority (CA) up and running
– Have two free internal IP addresses for configuring ShareFile on the Citrix NetScaler (one for the load balancing vServer and one for the AAA vServer)
Create and share a folder for the StorageZone Data
The first step is to create a folder that will hold the StorageZone data.
Create a folder for the StorageZone, right-click it and go to Share with > Specific people
Add the ShareFile service account and give it the Read/Write permission level. Click Share.
Click Done
Right-click the folder again and go to Properties. Go to the Security tab and make sure that the ShareFile service account has Full Control permissions on the folder. Limit the share and the NTFS permissions to this account and the administrators who manage the server; nothing else needs access to the StorageZone data.
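The same folder, share and NTFS setup, done from an elevated PowerShell prompt on the server that holds the StorageZone data. This is an added example and not part of the original post; the folder path, share name and service account name (D:\StorageZone, StorageZone, HOBO\svc_sharefile) are assumptions, replace them with your own. Unlike the GUI steps above it also stops permission inheritance, so that only the service account, SYSTEM and the local Administrators group keep access to the zone data.

```powershell
# Added example: create the StorageZone folder, share it for the ShareFile
# service account and lock the NTFS ACL down to that account plus SYSTEM and
# Administrators. Requires the SmbShare module (Windows Server 2012 or later)
# and an elevated prompt.
$Path           = 'D:\StorageZone'          # assumption: local path for the zone data
$ShareName      = 'StorageZone'             # assumption: share name
$ServiceAccount = 'HOBO\svc_sharefile'      # assumption: the ShareFile service account

# 1. Folder
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# 2. Share-level permission. "Read/Write" in the sharing wizard is "Change" on the
#    share. No Everyone entry is created, so only the service account can use it.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $ServiceAccount | Out-Null
}

# 3. NTFS permission: the controller needs Full Control on the folder.
$acl = Get-Acl -LiteralPath $Path
# Stop inheriting from the parent and drop the inherited entries (e.g. BUILTIN\Users read).
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in @($ServiceAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# 4. Show the result so it can be compared with the dialogs above.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

On Windows Server 2008 R2 the SmbShare module is not available; create the share with `net share StorageZone=D:\StorageZone /GRANT:HOBO\svc_sharefile,CHANGE` instead and keep the NTFS part of the script as it is.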
Configure the Web Server (IIS)
Open Internet Information Services (IIS) and go to ISAPI and CGI Restrictions
Make sure that the ASP.NET v4.0.30319 entries are set to Allowed
Go to Server Certificates
Click on Create Certificate Request
Enter the requested information and click Next
Select Microsoft RSA SChannel Cryptographic Provider and 2048 as Bit length. Click Next
Save it to a text file and click Finish
Open Internet Explorer and browse to http://<your Certification Authority server>/certsrv
Click on Request a certificate
Click on advanced certificate request
Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Open the saved text file, select all the text and copy it into the Saved Request field. Select Web Server as Certificate Template and click Submit
Select Base 64 encoded and click Download certificate to download the certificate file.
Go back to the Internet Information Services (IIS) Manager and click Complete Certificate Request
Browse to the certificate file, enter a Friendly name, and select Personal as certificate store. Click OK
On the left side of the window, select Default Web Site, on the right side, click Bindings
Click Add
Select https as Type and select the ShareFile SSL certificate. Click OK
Select the http binding and click Remove; after removing it, click Close. The StorageZones Controller now only accepts HTTPS.
Navigate to C:\inetpub\wwwroot, right-click the folder, open the Security tab and add the ShareFile service account, giving it Full Control
Open Internet Explorer and browse to the local website over HTTPS (for example https://sharefile.domain.local) to check that the SSL certificate is working correctly: no certificate warning, and the name in the certificate matches the name you typed.
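The IIS steps above as a script, with a check of the resulting HTTPS endpoint at the end. This is an added example, not part of the original post; the site name, the internal FQDN in the certificate (sharefile.domain.local) and the service account (HOBO\svc_sharefile) are assumptions. It assumes the certificate request has already been completed in IIS Manager so that a certificate with a private key for the internal FQDN exists in the computer's Personal store.

```powershell
# Added example: allow the ASP.NET ISAPI entries, bind the internal-CA certificate to
# 443, remove the HTTP binding, grant the service account access to wwwroot and verify
# the served certificate. Run elevated on the StorageZones Controller; needs the
# WebAdministration module (Windows Server 2008 R2 SP1 or later).
Import-Module WebAdministration

$SiteName       = 'Default Web Site'
$InternalFqdn   = 'sharefile.domain.local'   # assumption: CN of the internal certificate
$ServiceAccount = 'HOBO\svc_sharefile'       # assumption: the ShareFile service account

# 1. ISAPI and CGI Restrictions: the ASP.NET v4.0.30319 entries must be Allowed.
$filter = 'system.webServer/security/isapiCgiRestriction/add'
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter |
    Where-Object { $_.path -like '*\v4.0.30319\aspnet_isapi.dll' -and -not $_.allowed } |
    ForEach-Object {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter "$filter[@path='$($_.path)']" -Name allowed -Value $true
    }

# 2. Pick the certificate issued for the internal FQDN (must carry a private key).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$InternalFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $InternalFqdn with a private key in LocalMachine\My" }

# 3. HTTPS binding on 443 with that certificate, then drop the HTTP binding.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding

# 4. wwwroot: Full Control for the service account, as in the post.
$acl  = Get-Acl 'C:\inetpub\wwwroot'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $ServiceAccount, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl 'C:\inetpub\wwwroot' $acl

# 5. Verify: TLS handshake to the internal FQDN; the served certificate must be the
#    one we bound and Windows must be able to build a trusted chain for it.
$tcp = New-Object System.Net.Sockets.TcpClient($InternalFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($InternalFqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($served)
"Served thumbprint : $($served.Thumbprint) (bound: $($cert.Thumbprint))"
"Subject / expires : $($served.Subject) / $($served.NotAfter)"
"Chain trusted     : $trusted $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')"
```

If the chain check fails on the controller itself, the internal root CA certificate is missing from the machine's Trusted Root store; fix that before pointing the NetScaler at the server, otherwise the NetScaler-to-controller leg will have to run without certificate validation.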
Configuring the Citrix NetScaler for ShareFile
At this moment it is recommended to use Citrix NetScaler 10.1 build 120.1316.e or higher. This enhanced (.e) build of the NetScaler has a wizard for configuring Citrix ShareFile, which saves you a lot of time! In the following steps I will install an SSL certificate issued by an external CA and walk through the NetScaler ShareFile wizard.
On the Configuration tab of the NetScaler browse to the Traffic Management > SSL menu, on the right side of the screen click on Create RSA Key
Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above
Click OK and then Close
The next step is to create a certificate signing request that will be sent to the CA (the private key itself stays on the NetScaler). On the right side of the screen click Create CSR (Certificate Signing Request)
Request File Name: “name”.REQ, anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Country: Your Country
Organization Name: The name of your organization
State or Province: Your State or Province
Common Name: The external FQDN users will type in their browsers (for example sharefile.domain.com); it must match the external DNS record
Challenge Password: A password you like
Click OK and then Close
The .REQ file needs to be downloaded so it can be submitted to the CA. Go to "Manage Certificates / Keys / CSRs"
Select the .REQ file and click Download. Click on Browse to choose a "Save in" location, click on Download and then Close.
Open the .REQ file in Notepad and copy all the text. Go to your CA (in my case GoDaddy) to create the certificate, or re-key an existing certificate, by pasting the text from the .REQ file.
After the certificate has been issued, download it. Select IIS7 as server type.
After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and Upload the .cer file.
Go to the menu Traffic Management > SSL > Certificates. On the upper right side on the screen click on Install..
Fill in the following information;
Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .cer file you just uploaded
Key File Name: Browse to the .KEY file created earlier
Password: The PEM passphrase you entered when creating the key
Certificate Format: PEM
Click on Create and Close
After the installation you can see the status and the number of days until the certificate expires. Also install the intermediate certificate that came with the download and link it to your certificate (right-click the certificate > Link), otherwise clients that do not already have the intermediate cached cannot build the chain.
Go to menu Traffic Management > Load Balancing, and click on Configure XenMobile ShareFile and NetScaler Gateway
Under ShareFile LB, click on Configure
Fill in a name (anything you like) and a free IP address, select StorageZone Connector for Network File Shares/SharePoint and click Continue
Select Choose Certificate and select the certificate installed in previous steps
Fill in the information of the ShareFile StorageZone server (its internal hostname or IP address and port 443, since the controller only accepts HTTPS after the IIS steps above) and click Create
Click Done
Enter the following information;
AAAVServer IP Address: A free IP Address
LDAP Server IP Address: Your domain controller
Port: 389 (plain LDAP; if your domain controllers have certificates, prefer LDAPS on port 636 with Security Type SSL, otherwise the bind account's credentials cross the network unencrypted)
Time out: 3 (is default)
Single Sign-on Domain: your domain name
Base DN (location of users): For example OU=Users,OU=PoC,DC=hobo,DC=lan
Administrator Bind DN: For example the ShareFile service account (a normal domain user that can read the directory is sufficient; no admin rights are needed for the bind)
Logon Name: sAMAccountName (is default)
Password: Password of the Administrator Bind DN
Click Continue
Click Done
Go to Traffic Management > Load Balancing > Virtual Servers to check that the virtual servers have the Up status
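A script to validate the NetScaler side of the setup from an internal workstation once the wizard has finished. This is an added example and not part of the original post or of Citrix's tooling. It checks that the external ShareFile FQDN resolves from the inside (a wrong or missing internal record is a classic reason for uploads that never get past "calculating"), that the certificate served on the VIP is the public one with a complete, trusted chain, and that the load balancing vServer is UP according to the NetScaler NITRO REST API. The FQDN, the IP address it should resolve to, the NSIP and the vServer name are assumptions; it needs PowerShell 3.0 or later for Invoke-RestMethod.

```powershell
# Added example: post-wizard checks for the ShareFile NetScaler configuration.
$ExternalFqdn = 'sharefile.domain.com'   # assumption: the external DNS record
$ExpectedIp   = '192.168.1.6'            # assumption: what internal clients should resolve it to
$Nsip         = '192.168.1.2'            # assumption: NetScaler management IP
$LbVserver    = 'lb_vs_sharefile'        # assumption: vServer name given in the wizard
$NsCred       = Get-Credential -Message 'NetScaler read-only account'

function Test-ShareFileDns {
    param([string]$Fqdn, [string]$Expected)
    $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    [pscustomobject]@{ Check = 'DNS'; Result = ($addrs -contains $Expected); Detail = ($addrs -join ', ') }
}

function Test-ShareFileTls {
    param([string]$Fqdn)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    # Accept anything during the handshake; the chain is evaluated explicitly below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # keep the check usable without CRL access
    $chainOk  = $chain.Build($cert)
    $name     = $cert.GetNameInfo('DnsName', $false)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    # A failing chain while only the leaf is served means the intermediate was not linked on the NetScaler.
    $detail = "name=$name; issuer=$($cert.Issuer); expires in $daysLeft days; " +
              "chain elements=$($chain.ChainElements.Count); " +
              "status=$(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')"
    [pscustomobject]@{ Check = 'TLS'; Result = ($chainOk -and ($name -ieq $Fqdn) -and $daysLeft -gt 30); Detail = $detail }
}

function Test-NsVserverUp {
    param([string]$Nsip, [string]$Name, [pscredential]$Cred)
    # NITRO v1 accepts the credentials as request headers; talk to the NSIP over HTTPS only.
    $headers = @{
        'X-NITRO-USER' = $Cred.UserName
        'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password
    }
    $r = Invoke-RestMethod -Uri "https://$Nsip/nitro/v1/config/lbvserver/$Name" -Headers $headers
    $state = $r.lbvserver[0].curstate
    [pscustomobject]@{ Check = "LB $Name"; Result = ($state -eq 'UP'); Detail = $state }
}

@(
    Test-ShareFileDns -Fqdn $ExternalFqdn -Expected $ExpectedIp
    Test-ShareFileTls -Fqdn $ExternalFqdn
    Test-NsVserverUp  -Nsip $Nsip -Name $LbVserver -Cred $NsCred
) | Format-Table -AutoSize
```

Run it once from the internal network and once from outside; the DNS result may legitimately differ (internal VIP versus public NAT address), but the TLS and vServer results must be identical from both sides.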
Installing and Configuring the Citrix ShareFile StorageZone Controller
Start the setup and click Next
Select I accept the terms in the License Agreement and click Next
Click Next
Click Install
Deselect Launch StorageZones Controller Configuration Page and click Finish
Click Yes to restart the server
After the reboot, open the StorageZones Controller Configuration Page and log in with your ShareFile Enterprise admin account
Fill in the following information;
Select Create new Zone and enter a name for the zone (anything you like)
Hostname: the hostname of the StorageZone server
External Address: Name of your external DNS record
Select: Enable StorageZones for ShareFile Data
Select: Local network share
Network Share Location: UNC path of the share created in the first steps (for example \\fileserver\StorageZone)
Network Share Username: Domain\ShareFile services account
Network Share Password: the password of the ShareFile services account
Scroll down and fill in the following information;
Select: Enable StorageZone Connector for Network File Shares
Allowed Paths: * (default; this allows a connector to any UNC path the controller can reach, so in production restrict it to the file servers you actually want to expose)
Denied Paths: If you have any, enter them here
Click Register
After that, the StorageZone has been configured successfully
Go to the Monitoring tab to see the status of the StorageZones Controller
If you open the shared folder of the StorageZone Controller you will see that it has been filled with the files and folders used for the zone configuration
Integrate ShareFile with XenMobile AppController
In this part I will show you how to integrate ShareFile with the XenMobile AppController and how to get users synced with the ShareFile Control Plane.
When the ShareFile account is created for you, the only account that exists within the Control Plane is the super user.
To get more users synced with the ShareFile Control Plane create a Security Group within the Active Directory and add the users you want to give ShareFile access to that group.
Keep in mind that all user accounts need to have a First Name, Last Name, E-mail address and a User logon name filled in in their account properties!
Log in to the Citrix AppController console and go to Roles. On the left side click on Add role
Fill in a Role Name and a Role description. Click on the button next to No storage zone to get a list of available StorageZones
Fill in the ShareFile url and the username and password of the super user. Click Discover.
Select the StorageZone created in previous steps and click Next
Add the security group created in the previous steps and click Save
Go to Apps & Docs > ShareFile and click on Edit
Select the correct Assigned role and click Save
Click on Sync
Click Ok
Now the users from the ShareFile security group are synced to the ShareFile Control Plane
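A check to run before clicking Sync: list every member of the ShareFile security group that lacks one of the attributes the post says are required (First Name, Last Name, E-mail address, User logon name). This is an added example and not part of the original post or of the AppController; the group name is an assumption and the script needs the ActiveDirectory module (RSAT or a domain controller).

```powershell
# Added example: find group members that are not ready for the ShareFile user sync.
Import-Module ActiveDirectory

$GroupName = 'ShareFile-Users'   # assumption: the security group created for ShareFile access

function Get-ShareFileUserGaps {
    param([string]$Group)
    # -Recursive also returns users that sit in nested groups.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties GivenName, Surname, EmailAddress, UserPrincipalName |
        ForEach-Object {
            $missing = @()
            if (-not $_.GivenName)         { $missing += 'First Name' }
            if (-not $_.Surname)           { $missing += 'Last Name' }
            if (-not $_.EmailAddress)      { $missing += 'E-mail address' }
            if (-not $_.UserPrincipalName) { $missing += 'User logon name' }
            if ($missing.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Missing        = ($missing -join ', ')
                }
            }
        }
}

$gaps = @(Get-ShareFileUserGaps -Group $GroupName)
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) account(s) in $GroupName lack attributes required for the ShareFile sync:"
    $gaps | Format-Table -AutoSize
} else {
    "All members of $GroupName have the required attributes."
}
```

"User logon name" in Active Directory Users and Computers is the userPrincipalName attribute; the pre-Windows 2000 logon name (sAMAccountName) is always present and is therefore not checked.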
Creating Connectors and access them with a mobile device
Go to the ShareFile Control Plane and open the Connectors tab. Click on Create Connector
Fill in the UNC path and a name for the share and click Add Connector
Add the users that may access the share; you can also create and add a distribution group. Click Save Changes
Repeat this step for every share (connector) you want.
On your Mobile device, open Worx Home and open the ShareFile application
Go to File Share
Now you see the created connectors. When a user opens a connector, he or she authenticates with his or her own domain credentials, so access to the files stays governed by the NTFS permissions on the file server.
33 comments
hello
How can we create a size limitation for each user? I want to give each user 100 MB only.
How can I do it?
thanks and regards
Hi Tarek, yes that is possible. Go to the ShareFile admin panel, open the Admin tab and go to Advanced Preferences. Under File Management you have the option to set a Storage quota. Regards, Robin
Hi Tarek, you may have to contact ShareFile support to get this feature enabled first on your enterprise account before you start using this policy.
Hi Robin
Great article and blog….
I have a question!
Let's say I want to use ShareFile with a connector to an existing file share on a Windows domain-joined file server!
Do I have to log in to the internal domain at one point?
Or how does the ShareFile website know my Active Directory credentials? How is ShareFile accessing the connector share/files?
Is it using the credentials of the service account? How about the NTFS permissions I have on the folders in the share?
thank you very much
Hi David, network file-shares (CIFS) are not available within the webinterface. Only with mobile ShareFile clients. When connecting to a CIFS share (connector) you need to re-authenticate. Regards, Robin
Hi Robin
I have a problem with the external address in the StorageZone configuration. I configured internal DNS to point to the external path but it is not working. This needs to be configured correctly with the external IP and certificate I guess, but where does the NAT point then, to the previous NetScaler configuration?
Here's the error
Could not connect to StorageCenter at xx.com
ok, it was wrong path
Great,
You just forgot this step: http://support.citrix.com/proddocs/topic/sharefile-storagezones-22/sf-storagezones-domain-controller-cfg.html in your article. If you don't trust the StorageZone controller you receive this error when you try to access a CIFS share: "504 gateway timeout"
You are right, thanks for the update!
Robin,
I have a question concerning the AAA vServer IP address in the part where the NetScaler is configured.
In the first part the load balancing is configured, which in your case receives the IP address 192.168.1.6
But then the AAA vServer IP address receives the address 192.168.1.7
Why? And what is it used for?
It’s optional, an AAA server is more secure. When using an AAA server authentication takes place on the NetScaler, if not using AAA server, authentication takes place on the StorageZone controller.
If I have a file server with NTFS permissions, how can I sync the folders with the same NTFS permissions?
I mean I am pointing my StorageZone to my on-premises file server which already has data and permissions. I want the same folders with the existing permissions in ShareFile. Is that possible?
Hi Labib, no you can’t. You have to upload the files to ShareFile that will save the files to the (local) StorageZone. After that you can set permissions to it by using the ShareFile control plane.
Hi Robin,
Great work!! One question: I have ShareFile Enterprise and XenMobile Enterprise for a customer. In the NetScaler wizard for ShareFile, after entering the LDAP credentials, the message "Feature not licensed" appears. I have NetScaler Standard platform 10.5.
So I need an Enterprise license for NetScaler?
Thanks for your help!!
Hi Patrick, the wizard is trying to make a triple A server for authentication, and yes, this is a NetScaler Enterprise feature.
Thanks Robin for the answer. But is there a way without the triple A server and using the wizard? Because within the wizard there is no choice to uncheck this, or should I do the steps manually when I only have a NetScaler Standard platform edition?
Hi Patrick, correct, there is no way to uncheck this. You can cancel the wizard at this step (it’s the last step and all previous steps are applied) or you can configure it manually.
Hi Robin,
We have a problem with our Enterprise setup of the ShareFile portal. Our setup includes a NetScaler in the DMZ and an on-premises StorageZone.
Now, when users try to upload a file on the internal network in the ShareFile portal, it just doesn't upload anything and sits there on the file upload progress screen saying "calculating".
When the same user tries to upload the file from the external network (internet) in the same ShareFile portal, it works absolutely fine.
Any information will be highly appreciated.
Thanks,
Hi Sailesh, is there an internal DNS record created with the external Sharefile FQDN pointing to a wrong server or IP ?
Trying to use a connector to reach a file share on our network.
It works perfectly fine in the web portal, however on the tablet and phone it comes up with the error "cannot connect to the network" when selecting the connector.
What could be causing this?
Hi Daniel, If it works fine in the webinterface (cloud connectors) and not in Tablets/Phones it must have something to do with the NetScaler configuration. Did you use the wizard for the configuration?
Hi Robin, great work!
Our NetScaler MPX5500 (v10.5) has a Standard license, which does not have the AAA option nor the ShareFile wizard. Is it possible to set up ShareFile AD authentication without using NetScaler AAA?
Yes you can, however it is less secure. Authentication will take place at the StorageZone controller and not on the NS. Just run the XM wizard to setup ShareFile on the NS and cancel the AAA step. Everything will work fine after that.
Hi Robin,
I've an issue uploading files to my ShareFile,
the files don't stay on the ShareFile,
any idea why it happens? I'll appreciate your help, thanks
Hi Homer, Are the files uploaded and after that deleted, or can you not upload the files at all?
Hey Robin, great article!
One little question for my NetScaler Setup:
How did you calculate which VPX version / license I need for my NetScaler in conjunction with the bandwidth limit?
My thought is, when many users or customers are uploading files from external to my internal storage zone via my NetScaler in my DMZ at the same time, my NetScaler could reach its bandwidth limit?
Or am I wrong? My understanding is that I only have to open port 443 from my NetScaler SNIP in the DMZ to my Storage Zone in the LAN, and NAT to the VIP of the AAA vServer from external. So all the traffic for the file uploading goes through my VPX appliance, right?
Thank you in advance and best Regards,
Mark
Hi Mark, you can open port 443 or port 80 for traffic from the SNIP in the DMZ to your StorageZone controller(s). You must NAT your external ShareFile IP address to the content switching VIP on the NetScaler.
Hey Robin
We currently have ShareFile running already.
Current setup is NetScaler Standard, ADFS as authentication and then we have a StorageZone CIFS share.
We also want to connect our SharePoint and our standard user file shares via ShareFile. Our consultant said for this we need a NetScaler with the AAA feature. Is this true?
No, that is not true. Yes, triple AAA is recommended for security reasons, but no, it is not needed. It will definitely work with a NetScaler Standard edition (without AAA and caching). I did a lot of ShareFile implementations in this way.
Hi Robin,
thanks for this great blog.
We set up XMS 10.5 and ShareFile with SZC on premises. We want to use the ShareFile MDX app. It works if we set the MDX network policy to 'unrestricted', but it doesn't work if we set it to 'tunneled to the internal network'.
Do you have any suggestions?
Why do you want to create a tunnel to the internal network with the ShareFile app? But if you do, make sure the NetScaler SNIP can connect to the ShareFile Control Plane and the SZC external URL.
Hi Robin Hobo,,
We already installed and configured ShareFile and StorageZone, but we have a problem uploading files.
When we try to upload a file, the upload gets stuck at 0%.
Thank you
Make sure the external ShareFile URL is resolvable from the internal network. Can you try to upload a file from an external location or a 4g connection from a mobile phone?