Use ShareFile with Citrix Endpoint Management
Citrix Endpoint Management has two options for integrating with ShareFile: Citrix Files and storage zone connectors.
You can configure Citrix Endpoint Management to provide access to your ShareFile account. That configuration:
- Gives mobile users access to the full ShareFile feature set, such as file sharing, file sync, and storage zone connectors.
- Can provide Citrix Files with single sign-on authentication of mobile productivity app users and comprehensive access control policies.
- Provides ShareFile configuration, service level monitoring, and license usage monitoring through the Citrix Endpoint Management console.
For more information about configuring Citrix Endpoint Management for Enterprise accounts, see SAML for single sign-on with Citrix Files.
Storage zone connectors
You can configure Citrix Endpoint Management to provide access only to storage zone connectors that you create through the Citrix Endpoint Management console. That configuration:
- Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares.
- Doesn’t require that you set up a ShareFile subdomain or host Citrix Files data.
- Provides users with mobile access to data through the Citrix mobile productivity apps for Citrix Files for iOS and Android. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
- Complies with security restrictions against leaking user information outside of the corporate network.
- Provides simple setup of storage zone connectors through the Citrix Endpoint Management console. If you later decide to use the full Citrix Files functionality with Citrix Endpoint Management, you can change the configuration in the Citrix Endpoint Management console.
For a Citrix Endpoint Management integration with storage zone connectors only:
- ShareFile uses your single sign-on configuration to Citrix Gateway to authenticate with storage zones controller.
- Citrix Endpoint Management doesn’t authenticate through SAML because the Citrix Files control plane isn’t used.
The following diagram shows the high-level architecture for Citrix Endpoint Management use with storage zone connectors.
- Minimum component versions:
  - ShareFile for iOS (MDX) 5.3
  - ShareFile for Android (MDX) 5.3
  - Storage zones controller 5.11.20
    This article contains instructions for how to configure storage zones controller 5.0
- Ensure that the server to run storage zones controller meets the system requirements. For requirements, see System requirements.
The requirements for storage zones for Citrix Files Data and for Restricted storage zones don’t apply to a Citrix Endpoint Management integration with storage zone connectors only.
Citrix Endpoint Management doesn’t support Documentum connectors.
- To run PowerShell scripts:
  - Run the scripts in the 32-bit (x86) version of PowerShell.
Complete the following tasks, in the order presented, to install and set up storage zones controller. These steps are specific to Citrix Endpoint Management integration with storage zone connectors only. Some of these articles are in the storage zones controller documentation.
You can use Citrix Gateway as a DMZ proxy for storage zones controller.
A storage zones controller that hosts standard zones requires an SSL certificate. A storage zones controller that hosts restricted zones and uses an internal address doesn’t require an SSL certificate.
IIS and ASP.NET setup is required for storage zone connectors.
The storage zones controller console enables you to specify a proxy server for the storage zones controller. You can also specify a proxy server using other methods.
Configure the domain controller to support NTLM or Kerberos authentication on network shares or SharePoint sites.
To configure a storage zone for high availability, connect at least two storage zones controllers to it.
Download and install the storage zones controller software:
From the Citrix Files download page at https://www.citrix.com/downloads/sharefile.html, log on and download the latest storage zones controller installer.
Installing the storage zones controller changes the default website on the server to the installation path of the controller. Enable Anonymous Authentication on the default website.
On the server where you want to install storage zones controller, run StorageCenter.msi.
The storage zones controller setup wizard starts.
Respond to the prompts:
- In the Destination Folder page, if Internet Information Services (IIS) is installed in the default location, leave the defaults. If not, browse to the IIS installation location.
- When installation is complete, clear the checkbox for Launch Storage Zones Controller Configuration Page and then click Finish.
When prompted, restart the storage zones controller.
To test that the installation was successful, navigate to https://localhost/. (If you get a certificate error, consider connecting with HTTP instead.) If the installation is successful, the Citrix Files logo appears.
If the Citrix Files logo does not appear, clear the browser cache and try again.
If you plan to clone the storage zones controller, capture the disk image before you continue with configuring the storage zones controller.
For an integration only with storage zone connectors, you don’t use the storage zones controller administrative console. That interface requires a Citrix Files administrator account, which isn’t necessary for this solution. As a result, you run a PowerShell script to prepare the storage zones controller for use without the Citrix Files control plane. The script does the following:
- Registers the current storage zones controller as a primary storage zones controller. You can later join a secondary storage zones controller to the primary controller.
- Creates a zone and sets the passphrase for it.
From your storage zones controller server, download the PsExec tool: Navigate to Microsoft Windows Sysinternals and then click Download PsTools. Extract the tool to the root of the C drive.
Run the PsExec tool: Open the Command Prompt as the Administrator User and then type the following:
```
cd c:\pstools
PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
```
When prompted, click Agree to run the Sysinternals tool.
A PowerShell window opens.
In the PowerShell window, type the following:
```
Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"
New-Zone -Passphrase passphrase -ExternalAddress https://szcfqdn.com
```
Passphrase: Is the passphrase that you want to assign to the site. Make a note of it. You cannot recover the passphrase from the controller. If you lose the passphrase, you cannot reinstall storage zones, join more storage zones controllers to the storage zone, or recover the storage zone if the server fails.
ExternalAddress: Is the external fully qualified domain name of the storage zones controller server.
Your primary storage zones controller is now ready.
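The preparation steps above as one script, added here as an example and not taken from Citrix: it checks the 32-bit host, the Network Service identity and the module path before it calls New-Zone with a randomly generated passphrase. The 16-byte hex passphrase format is an assumption, and the external address is the article's placeholder.

```powershell
# Added example (not Citrix code): preflight checks, then New-Zone with a
# generated passphrase. The module path and New-Zone parameters are the ones
# shown in this article; the external address is the article's placeholder.
$ErrorActionPreference = 'Stop'
$modulePath      = 'C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll'
$externalAddress = 'https://szcfqdn.com'   # replace with your controller's external FQDN

# 1. The scripts must run in the 32-bit (x86) PowerShell host.
if ([Environment]::Is64BitProcess) {
    throw 'This is a 64-bit host. Start SysWOW64\WindowsPowerShell\v1.0\powershell.exe instead.'
}

# 2. The session must run as Network Service (well-known SID S-1-5-20).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.User.Value -ne 'S-1-5-20') {
    throw "Running as $($identity.Name); start PowerShell through PsExec as NT AUTHORITY\NetworkService."
}

# 3. The SfConfig module must exist where the installer placed it.
if (-not (Test-Path -LiteralPath $modulePath -PathType Leaf)) {
    throw "SfConfig.dll not found at $modulePath. Check the IIS installation path."
}

# 4. The external address must be an absolute https URL.
$uri = $null
if (-not ([Uri]::TryCreate($externalAddress, [UriKind]::Absolute, [ref]$uri)) -or $uri.Scheme -ne 'https') {
    throw "ExternalAddress must be an https URL, got: $externalAddress"
}

# 5. Generate a 128-bit passphrase from the OS CSPRNG, hex-encoded.
#    Assumption: the zone accepts a 32-character alphanumeric passphrase.
$bytes = New-Object byte[] 16
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$passphrase = [BitConverter]::ToString($bytes) -replace '-', ''

# 6. Create the zone, then show the passphrase once so it can be stored in a
#    password vault. It cannot be recovered from the controller afterwards.
Import-Module $modulePath
New-Zone -Passphrase $passphrase -ExternalAddress $externalAddress
Write-Host "Zone passphrase (record it now): $passphrase"
Remove-Variable passphrase, bytes
```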
Before you log in to Citrix Endpoint Management to create storage zone connectors, complete the following configuration, if applicable:
To create storage zone connectors, see Define storage zones controller connections in Citrix Endpoint Management.
To configure a storage zone for high availability, connect at least two storage zones controllers to it. To join a secondary storage zones controller to a zone, install a storage zones controller on a second server. Then join that controller to the zone of the primary controller.
Open a PowerShell window on the storage zones controller server that you want to join to the primary server.
In the PowerShell window, type the following:
```
Join-Zone -Passphrase <passphrase> -PrimaryController <HostnameOrIP>
```
For example:
```
Join-Zone -Passphrase secret123 -PrimaryController 10.10.110.210
```
Before you add storage zone connectors, you configure connection information for each storage zones controller enabled for storage zone connectors. You can define storage zones controllers as described in this section, or when you add a connector.
On your first visit to the Configure > ShareFile page, the page summarizes the differences between using Citrix Endpoint Management for Enterprise accounts and storage zone connectors.
Click Configure Connectors to continue with the configuration steps in this article.
In Configure > ShareFile, click Manage Storage Zones.
In Manage Storage Zones, add the connection information.
- Name: A descriptive name for the storage zone, used to identify the storage zone in Citrix Endpoint Management. Don’t include a space or special characters in the name.
- FQDN and Port: The fully qualified domain name and port number for a storage zones controller that is reachable from the Citrix Endpoint Management server.
- Secure Connection: If you use SSL for connections to storage zones controller, use the default setting, On. If you don’t use SSL for connections, change this setting to Off.
- Administrator user name and Administrator password: An administrator service account user name (in the form domain\admin) and password. Alternatively, a user account with read and write permissions on the storage zones controllers.
To test the connection, verify that the Citrix Endpoint Management server can reach the fully qualified domain name of the storage zones controller on port 443.
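One way to run this connection test, as an added example that is not part of the Citrix documentation: the function `Test-SzcConnection` (a hypothetical name) opens TCP 443, completes a TLS 1.2 handshake with default certificate validation, and reports the certificate subject and expiry. It assumes a Windows host on the same network path as the Citrix Endpoint Management server and a controller that accepts TLS 1.2.

```powershell
# Added example (not Citrix code): TCP and TLS check against a storage zones controller.
function Test-SzcConnection {
    param(
        [Parameter(Mandatory = $true)] [string] $Fqdn,
        [int] $Port = 443
    )
    $result = [ordered]@{
        Fqdn = $Fqdn; Port = $Port; TcpOpen = $false; TlsTrusted = $false
        Subject = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)            # fails on DNS or TCP errors
        $result.TcpOpen = $true
        # No custom validation callback: the handshake throws unless the chain
        # builds to a trusted root and the certificate name matches $Fqdn.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
            # Last argument $false: no revocation lookup, so the check works offline.
            $ssl.AuthenticateAsClient($Fqdn, $null, $tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsTrusted = $true
            $result.Subject    = $cert.Subject
            $result.NotAfter   = $cert.NotAfter
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # Keep the innermost message: DNS failure, refused port, or certificate error.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# 'szcfqdn.com' is the placeholder host name used in this article.
Test-SzcConnection -Fqdn 'szcfqdn.com' | Format-List
```

A result with TcpOpen true and TlsTrusted false points at the certificate (name mismatch, untrusted issuer, or expiry) rather than at routing or firewall rules.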
To define another storage zones controller connection, click the Add button in Manage Storage Zones.
To edit or delete the information for a storage zones controller connection, select the connection name in Manage Storage Zones. Then, click Edit or Delete.
Add a storage zone connector in Citrix Endpoint Management
Go to Configure > ShareFile and then click Add.
On the Connector Info page, configure these settings:
- Connector Name: A name that identifies the storage zone connector in Citrix Endpoint Management.
- Description: Optional notes about this Connector.
- Type: Choose either SharePoint or Network.
- Storage zone: Choose the storage zone associated with the connector. If the storage zone isn’t listed, click Manage Storage Zones to define the storage zones controller.
- Location: For SharePoint, specify the URL of the SharePoint root-level site, site collection, or document library, in the form https://sharepoint.company.com. For a network share, specify the fully qualified domain name of the Uniform Naming Convention (UNC) path, in the form \\server\share.
On the Delivery Group Assignment page, optionally assign the Connector to delivery groups. Alternatively, you can associate connectors to delivery groups using Configure > Delivery Groups.
On the Summary page, you can review the options you configured. To adjust the configuration, click Back.
Click Save to save the connector.
Test the connector:
When you wrap the Citrix Files clients, set the Network access policy to Tunneled - Web SSO.
In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app. MDX then initiates new connections to internal connections on behalf of the user. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.
Add the Citrix Files clients to Citrix Endpoint Management. For details, see To add Citrix Files clients to Citrix Endpoint Management.
From a supported device, verify single sign-on to Citrix Files and connectors.
In the following samples, SharefileDev is the name of a connector.
You can filter the list of storage zone connectors by connector type, assigned delivery groups, and storage zone.
Go to Configure > ShareFile and then click Show filter.
Expand the filter headings to make selections. To save a filter, click Save This View, type the filter name, and click Save.
To rename or delete a filter, click the arrow icon beside the filter name.
After integrating storage zone connectors with Citrix Endpoint Management, you can later switch to the full Enterprise feature set. Citrix Endpoint Management retains your existing storage zone connector integration settings.
Go to Configure > ShareFile, click the Storage Zone Connectors drop-down menu, and then click Configure ShareFile.
For information about configuring Enterprise accounts, see SAML for single sign-on with Citrix Files.