Citrix

Product Documentation




Install StorageZones Controller and create a StorageZone

Mar. 29, 2015

Important: Verify that your environment meets the system requirements before you start the installation.

When you install a StorageZones Controller, you either create a zone and configure a primary StorageZones Controller or join secondary StorageZones Controllers to a zone.

While configuring a primary StorageZones Controller, you can enable either or both of these features:

  • StorageZones for ShareFile Data, to specify private data storage, either a private network share or a supported third-party storage system.
  • StorageZone Connectors, to give users access to documents on SharePoint sites or specified network file shares.

The following steps describe how to install StorageZones Controller, configure authentication for the IIS default web site, create a zone, and enable features.

  1. Download and install the StorageZones Controller software:
    1. From the ShareFile download page at http://www.citrix.com/downloads/sharefile.html, log on and download the latest StorageZones Controller installer.
      Note: Installing StorageZones Controller changes the Default Web Site on the server to the installation path of the controller.
    2. On the server where you want to install StorageZones Controller, run StorageCenter.msi.

      The ShareFile StorageZones Controller Setup wizard starts.

    3. Respond to the prompts. When installation is complete, clear the check box for Launch StorageZones Controller Configuration Page and then click Finish.
    4. Restart the StorageZones Controller.
  2. To test that the installation was successful, navigate to http://localhost/. If the installation is successful, the ShareFile logo appears.

    If the ShareFile logo does not appear, clear the browser cache and try again.

  3. After the ShareFile logo appears, configure authentication for the IIS default web site:
    1. Open the IIS Manager console, navigate to Default Web Site, and under IIS double-click Authentication.
    2. Right-click Basic Authentication and select Enabled.
    Important: If you plan to clone the StorageZones Controller, capture the disk image before you proceed with configuring the StorageZones Controller.
  4. To use an S3-compatible storage provider with ShareFile, perform the following steps before creating or configuring a StorageZone.
    1. Open Windows Registry Editor (Run > regedit.exe).
    2. Find the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\StorageCenter registry key.
    3. Create a new REG_SZ value under this key:
      • Value name: S3EndpointAddress
      • Value type: REG_SZ
      • Value data: Enter the HTTPS URL that corresponds to your S3-compatible storage endpoint.
    4. If the storage provider supports only path-style container access (see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html), create another value under this key.
      • Value name: S3ForcePathStyle
      • Value type: REG_SZ
      • Value data: true
    5. Restart the StorageZones Controller application pool (StorageCenterAppPool).
    6. Gather the following information from your S3-compatible storage system:
      • The name of an S3 bucket to use for ShareFile data
      • Access key ID
      • Secret access key
    7. Continue with the following steps to create a new StorageZone and choose Amazon S3 as the persistent storage location. StorageZone Controller will use the custom endpoint address you entered instead of the actual Amazon S3 service. When configuring the S3 details, choose the bucket name you created above.
  5. Navigate to the StorageZones Controller console: Open http://localhost/configservice/login.aspx or start the configuration tool from the Start screen or menu. For information about using the Start screen shortcut in Windows 8, refer to Manage StorageZones Controllers.
  6. In the StorageZones Controller Logon page, enter the email address, password, and subdomain, such as ShareFile.com or ShareFile.eu, for your ShareFile account and then click Log On.
  7. To set up your primary StorageZones Controller, click Create new Zone and provide the zone information:
    Option Description
    Zone A name that appears in the ShareFile Administrator console.
    Primary Zone Controller Defaults to http://localhost/ConfigService. If you use SSL, change http to https. Keep in mind that ShareFile supports only valid, trusted public SSL certificates for standard zones. If you have problems configuring a secondary StorageZone host, ensure that you can resolve the ConfigService URL in a local browser on that server, with no SSL errors.

    localhost resolves to the server IP address. You can specify a server name instead (such as https://servername.subdomain.com/ConfigService). The server name must be resolvable by a secondary StorageZones Controller server.

    Hostname A unique identifier for your StorageZones Controller.

    ShareFile recommends that you use the server hostname as the identifier. This should be a friendly name and not the FQDN. This name appears in the ShareFile Administrator console.

    External Address The FQDN for this StorageZones Controller. If this StorageZones Controller will be used for standard zones, the URL must be accessible from the Internet. For use with restricted zones, you can specify an internal address instead. If you are using a load balancer, enter its address.

    When you submit the page, ShareFile validates the address.

  8. To specify private data storage:
    1. Select the check box for Enable StorageZones for ShareFile Data.
    2. To configure a restricted zone, select the Create a restricted zone check box.

      To configure a standard zone, clear the check box.

      Note: After you configure a StorageZones Controller, you cannot change its zone type.
    3. If you selected Create a restricted zone and your user accounts are in a different, trusted Active Directory domain, select User accounts are in a trusted Active Directory domain and then enter the service account credentials for the Active Directory domain.

      StorageZones Controller uses the service account credentials to connect to the trusted Active Directory domain server for email address lookup.

    4. Choose a Storage Repository.

      For information about the storage repository settings and additional configuration required for restricted zones, see Configure StorageZones for ShareFile Data, in this section.

  9. If you do not want to enable StorageZone Connectors:
    1. Click Register to register StorageZones Controller with ShareFile.
    2. Continue with Step 10.
  10. If you are using S3-compatible storage, create these additional registry entries after the StorageZone registers:
    1. Open Windows Registry Editor (Run > regedit.exe).
    2. Find the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\StorageZone\CloudStorageUploaderConfig registry key.
    3. Create a new REG_SZ value under this key:
      • Value name: S3EndpointAddress
      • Value type: REG_SZ
      • Value data: Enter the HTTPS URL that corresponds to your S3-compatible storage endpoint.
    4. If the storage provider supports only path-style container access (see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html), create another value under this key.
      • Value name: S3ForcePathStyle
      • Value type: REG_SZ
      • Value data: true
    5. Restart the StorageZones Controller application pool (StorageCenterAppPool).
  11. To enable StorageZone Connectors:
    1. Select the check box for each connector type you want to use: Enable StorageZone Connector for Network File Shares and Enable StorageZone Connector for SharePoint.

      For information about the connector settings, see Configure StorageZone Connectors, in this section.

    2. Click Register. Your StorageZones Controller information appears.
    3. If you specified Allowed Paths or Denied Paths for StorageZone Connectors, restart the IIS server.

    Enabling the Connectors creates the IIS apps "cifs" (Connector for Network File Shares) and "sp" (Connector for SharePoint).

  12. To configure secondary StorageZones Controllers, refer to Manage StorageZones Controllers.
Important: A StorageZones Controller is installed on your local site and you are responsible for backing it up. To protect your deployment, you should take a snapshot of the StorageZones Controller server, back up the StorageZones Controller configuration, and prepare StorageZones Controller for disaster recovery.
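
The registry changes in steps 4 and 10 can be scripted so that both keys receive identical values and a non-HTTPS endpoint is rejected before anything is written. This is an added example, not Citrix-supplied code; the function name and the endpoint URL are hypothetical, and it assumes an elevated 64-bit PowerShell session on the controller with the IIS WebAdministration module available.

```powershell
function Set-S3CompatibleEndpoint {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $EndpointUrl,  # your provider's HTTPS endpoint
        [switch] $ForcePathStyle                       # provider supports only path-style access
    )

    # Keys named in steps 4 and 10. The second exists only after the zone registers.
    $keys = @(
        'HKLM:\SOFTWARE\Wow6432Node\Citrix\StorageCenter',
        'HKLM:\SOFTWARE\Wow6432Node\Citrix\StorageZone\CloudStorageUploaderConfig'
    )

    # The page asks for an HTTPS URL; refuse anything else.
    $uri = $null
    if (-not [Uri]::TryCreate($EndpointUrl, [UriKind]::Absolute, [ref] $uri) -or
        $uri.Scheme -ne 'https') {
        throw "S3EndpointAddress must be an absolute https:// URL, got '$EndpointUrl'."
    }

    $changed = $false
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Skipping $key (not present yet)."
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, 'Set S3EndpointAddress')) {
            New-ItemProperty -Path $key -Name 'S3EndpointAddress' -Value $EndpointUrl `
                -PropertyType String -Force | Out-Null      # String = REG_SZ
            if ($ForcePathStyle) {
                New-ItemProperty -Path $key -Name 'S3ForcePathStyle' -Value 'true' `
                    -PropertyType String -Force | Out-Null
            }
            $changed = $true
        }
    }

    # Both steps end with a restart of the controller's application pool.
    if ($changed) {
        Import-Module WebAdministration
        Restart-WebAppPool -Name 'StorageCenterAppPool'
    }

    # Return what is now stored so the change can be reviewed or logged.
    foreach ($key in $keys | Where-Object { Test-Path -Path $_ }) {
        Get-ItemProperty -Path $key |
            Select-Object @{ n = 'Key'; e = { $key } }, S3EndpointAddress, S3ForcePathStyle
    }
}

# Constructed placeholder endpoint; -WhatIf previews the change without writing.
Set-S3CompatibleEndpoint -EndpointUrl 'https://s3.storage.example.com' -ForcePathStyle -WhatIf
```

Run it once at step 4 (only the StorageCenter key is written) and again after the zone registers at step 10, when the CloudStorageUploaderConfig key is present.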

Configure StorageZones for ShareFile Data

Note: StorageZones for ShareFile Data is available for XenMobile Enterprise Edition and is not available for other XenMobile editions.

You can configure StorageZones for ShareFile Data from the StorageZones Controller wizard when you create a StorageZone or from the StorageZones Controller console. Use the ShareFile Data tab to configure settings for private network shares or supported third-party storage systems.

For restricted StorageZones, you must also configure your local SMTP server settings because email notifications are sent from your local SMTP server instead of from ShareFile.

Network share settings

Option Description
Storage Repository Choose Local network share. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to third-party storage, you must create a new zone.
Network Share Location The UNC path to the network share you will use for private data storage and for data such as encryption keys, queued files, and other temporary items. Specify the path in the form \\server\share.

StorageZones Controllers belonging to the same StorageZone must use the same file share for storage.

Caution: StorageZones Controller will overwrite any data in this path with a proprietary storage format. Never specify a path to a location with file data. Reserve this storage location for StorageZones for ShareFile Data only.

StorageZones Controllers access the share using the IIS Account Pool user. By default, application pools operate under the Network Service user account, which has low-level user rights. A StorageZones Controller uses the Network Service account by default.

The Network Service account must have full access to this storage location.

Network Share Username and Network Share Password The credentials for the UNC path of your network share location.

To use a named user account instead of the Network Service account to access the share, specify those credentials. You can continue to run the IIS application pool and the Citrix ShareFile Services using the Network Service account.

Enable Encryption Select the check box only if you want to encrypt the file content stored on your file share. In an enterprise environment where the network share is inside your network and already secured by third-party tools, we recommend that you do not encrypt the files on the share.

This setting does not relate to metadata. Metadata is not encrypted for standard zones. StorageZones Controller always encrypts metadata for restricted zones.

Although this additional security is offered as an option for maximum security when required, encrypting files on the share will make the disk unreadable by third-party tools such as antivirus scanners and filer tools, including data deduplication tools. ShareFile uses a file encryption key to confirm the validity of download requests and encrypt the storage.

Passphrase A phrase used to protect your file encryption key. Be sure to archive the passphrase and encryption key in a secure location.

You must use the same passphrase for each StorageZones Controller in a zone. The passphrase is not the same as your account password and cannot be recovered if lost. If you lose the passphrase, you cannot reinstall StorageZones, join additional StorageZones Controllers to the StorageZone, or recover the StorageZone if the server fails.

Note: The encryption key appears in the root of the shared storage path. Losing the encryption key file, SCKeys.txt, immediately breaks access to all StorageZone files. Be sure to back up the encryption key file as part of your normal datacenter procedures.

Shared Cache Configuration settings

Option Description
Shared cache location The path to a network share that will contain your storage cache and data such as encryption keys, queued files, and other temporary items. Specify the path in the form \\server\share.

StorageZones Controllers belonging to the same StorageZone must use the same file share for storage.

Caution: StorageZones Controller will overwrite any data in this path with a proprietary storage format. Never specify a path to a location with file data. Reserve this storage location for StorageZones for ShareFile Data only.

The Network Service account (or the account the Citrix ShareFile Management Service is configured to run as) must have full access to this storage location.

Shared cache Logon and Shared cache Password The credentials for the UNC path of your shared cache location.
Enable Encryption Select the check box to encrypt the files stored in your shared cache.

Windows Azure storage container settings

Option Description
Storage Repository Choose Azure storage container. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to Azure-based storage, you must create a new zone.
Account Name The name of your Azure storage account. These names are always lower case.
Access Key The primary or secondary access key for your Azure storage. Copy the key from the Manage Access Keys screen of the Windows Azure Management Portal.
Validate Click the button to validate the Azure access key. You cannot proceed with configuration until the validation is completed and the Container Name drop-down menu includes all available containers for the specified account.
Container Name Select the Azure container to use for all StorageZones Controllers in this StorageZone. This list is empty until your Azure access key is validated.

Amazon S3 storage bucket settings

Option Description
Storage Repository Choose Amazon S3 storage bucket. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to Amazon S3 storage, you must create a new zone.
Access Key Id The access key ID for your Amazon S3 storage.
Secret Access Key The secret access key for your Amazon S3 storage.
Validate Click the button to validate the Amazon S3 secret access key. You cannot proceed with configuration until the validation is completed and the Bucket Name drop-down menu includes all available buckets for the specified account.
Bucket Name Select the Amazon S3 bucket to use for all StorageZones Controllers in this StorageZone. This list is empty until your Amazon S3 secret access key is validated.

SMTP settings

Option Description
SMTP server address and SMTP port number Your local SMTP server hostname and port.
Use SSL Select the check box to connect to the SMTP server over a secure connection.
Username and Password The username and password for your local SMTP server.
Authentication mode The Default authentication mode uses the most secure method available to connect from StorageZones Controller to the SMTP server.
Sender address The email address that appears in the From field.

Configure StorageZone Connectors

StorageZone Connectors give users access to documents on SharePoint sites or specified network file shares. You do not have to enable StorageZones for ShareFile Data to use StorageZone Connectors.

Note: StorageZones for ShareFile Data and the StorageZones Connectors features can share a zone. However, StorageZones Controller keeps the data and access rules for the two data types separate.

You can configure StorageZone Connectors when you create a zone using the StorageZones Controller wizard or from the StorageZones Controller console.

To control access to particular network file shares or SharePoint document libraries, specify a list of Allowed Paths and/or Denied Paths. After you save your changes, restart the IIS server.

In-bound connections to StorageZone Connectors are first checked against the allowed paths. If the connection is allowed, the path is then checked against the denied paths. For example, to provide access to \\myserver\teamshare and all of its subfolders except for \\myserver\teamshare\restricted, specify an allowed path of \\myserver\teamshare and a denied path of \\myserver\teamshare\restricted.

  • All connections are allowed by default, indicated by an Allowed Paths value of *. The value * is not valid for Denied Paths.
  • If the allowed and denied paths conflict with each other, the most restrictive path is enforced.
  • Entries are comma-separated.
  • For connectors to network file shares, specify the allowed UNC paths.

    Example with FQDN: \\fileserver.acme.com\shared

    You can use the following variables in the UNC path:

    • %UserName%

      Redirects to a user's home directory. Example path: \\myserver\homedirs\%UserName%

    • %HomeDrive%

      Redirects to a user's home folder path, as defined in the Active Directory property Home-Directory. Example path: %HomeDrive%

    • %TSHomeDrive%

      Redirects to a user's Terminal Services home directory, as defined in the Active Directory property ms-TS-Home-Directory. The location is used when a user logs on to Windows from a terminal server or Citrix XenApp server. Example path: %TSHomeDrive%

      In the Active Directory Users and Computers snap-in, the ms-TS-Home-Directory value is accessible on the Remote Desktop Services Profile tab when editing a user object.

    • %UserDomain%

      Redirects to the NetBIOS domain name of the authenticated user. For example, if the authenticated user logon name is "abc\johnd", the variable is substituted with "abc". Example path: \\myserver\%UserDomain%_%UserName%

    The variables are not case sensitive.

  • For a connector to a root-level SharePoint site, specify the root-level path.

    Example: https://sharepoint.company.com

  • For a connector to a SharePoint site collection:

    Example: https://sharepoint.company.com/site/SiteCollection

  • For connectors to SharePoint 2010 document libraries, specify the URLs (not including path terminators, such as file.aspx or /Forms).
    Examples:
    • https://mycompany.com/sharepoint/
    • https://mycompany.com/sharepoint/sales-team/Shared Documents/
    • https://mycompany.com/sharepoint/sales-team/Shared Documents/Forms/AllItems.aspx

    The default SharePoint 2013 URL (when Minimal Download Strategy is enabled) is in the form: https://sharepoint.company.com/_layouts/15/start.aspx#/Shared%20Documents/.
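
The allowed-then-denied evaluation described above can be modelled in a few lines to check a planned pair of lists before saving them. This is an added example, not the product's implementation; the function name is hypothetical, and it assumes a case-insensitive prefix match on whole path segments, which the page does not specify.

```powershell
# Model of the documented order: Allowed Paths first, then Denied Paths.
# Assumption (not confirmed by the page): matching is a case-insensitive
# prefix match on whole path segments.
function Test-ConnectorPath {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $AllowedPaths = '*',          # documented default
        [string] $DeniedPaths  = '',
        [hashtable] $Variables = @{}           # e.g. @{ UserName = 'johnd' }
    )

    # Split a comma-separated list and expand %Variable% tokens (not case sensitive).
    function Expand-List([string] $List) {
        foreach ($entry in ($List -split ',')) {
            $e = $entry.Trim()
            if (-not $e) { continue }
            foreach ($name in $Variables.Keys) {
                $value = ([string] $Variables[$name]).Replace('$', '$$')
                $e = $e -ireplace [regex]::Escape("%$name%"), $value
            }
            $e.TrimEnd([char[]] '\/')
        }
    }

    # True when $Candidate is $Root itself or lies below it.
    function Test-Under([string] $Candidate, [string] $Root) {
        $c = $Candidate.TrimEnd([char[]] '\/')
        $c.Equals($Root, [StringComparison]::OrdinalIgnoreCase) -or
            $c.StartsWith($Root + '\', [StringComparison]::OrdinalIgnoreCase) -or
            $c.StartsWith($Root + '/', [StringComparison]::OrdinalIgnoreCase)
    }

    $allowed = @(Expand-List $AllowedPaths)
    $denied  = @(Expand-List $DeniedPaths)
    if ($denied -contains '*') { throw 'The value * is not valid for Denied Paths.' }

    $isAllowed = ($allowed -contains '*') -or
        [bool] ($allowed | Where-Object { Test-Under $Path $_ })
    if (-not $isAllowed) { return 'Denied: not under any allowed path' }

    $hit = $denied | Where-Object { Test-Under $Path $_ } | Select-Object -First 1
    if ($hit) { return "Denied: under denied path $hit" }
    'Allowed'
}

# The page's own example, plus a %UserName% home-directory rule (user 'johnd' is constructed).
$rules = @{
    AllowedPaths = '\\myserver\teamshare, \\myserver\homedirs\%username%'
    DeniedPaths  = '\\myserver\teamshare\restricted'
    Variables    = @{ UserName = 'johnd' }
}
'\\myserver\teamshare\docs', '\\myserver\teamshare\restricted\hr',
'\\myserver\teamshare2', '\\myserver\homedirs\johnd\notes' |
    ForEach-Object { '{0} -> {1}' -f $_, (Test-ConnectorPath -Path $_ @rules) }
```

The \\myserver\teamshare2 case shows why the model matches on segment boundaries: a plain string prefix test would treat it as part of \\myserver\teamshare.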
