Use Citrix Content Collaboration with Endpoint Management

Integration of Citrix Content Collaboration with Endpoint Management differs depending on whether your site is Workspace-enabled.

  • When using Citrix Workspace and Citrix Workspace app along with the Citrix Content Collaboration service, you deploy Citrix Content Collaboration from Citrix Workspace and your users access Citrix Files from Citrix Workspace. For information, see Deploy and Create or link a Content Collaboration (ShareFile) account to Citrix Cloud.

  • If Endpoint Management isn’t Workspace-enabled, Endpoint Management has two options for integrating with Citrix Content Collaboration: Citrix Files and storage zone connectors.

Citrix Files

You can configure Endpoint Management to provide access to your Content Collaboration account. That configuration:

  • Gives mobile users access to the full Content Collaboration feature set, such as file sharing, file sync, and storage zone connectors.
  • Can provide Citrix Files with single sign-on authentication of mobile productivity app users, AD-based user account provisioning, and comprehensive access control policies.
  • Provides Content Collaboration configuration, service level monitoring, and license usage monitoring through the Endpoint Management console.

For more information about configuring Endpoint Management for Enterprise accounts, see SAML for single sign-on with Citrix Files.

Storage zone connectors

You can configure Endpoint Management to provide access only to storage zone connectors that you create through the Endpoint Management console. That configuration:

  • Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares.
  • Doesn’t require that you set up a Citrix Content Collaboration subdomain, provision users to Citrix Files, or host Citrix Files data.
  • Provides users with mobile access to data through the Citrix mobile productivity apps for Citrix Files for iOS and Android. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
  • Complies with security restrictions against leaking user information outside of the corporate network.
  • Provides simple setup of storage zone connectors through the Endpoint Management console. If you later decide to use the full Citrix Files functionality with Endpoint Management, you can change the configuration in the Endpoint Management console.

For an Endpoint Management integration with storage zone connectors only:

  • Citrix Content Collaboration uses your single sign-on configuration to Citrix Gateway to authenticate with storage zones controller.
  • Endpoint Management doesn’t authenticate through SAML because the Citrix Files control plane isn’t used.

The following diagram shows the high-level architecture for Endpoint Management use with storage zone connectors.

[Diagram: Storage zones controller]

Requirements

  • Minimum component versions:
    • ShareFile for iOS (MDX) 5.3
    • ShareFile for Android (MDX) 5.3
    • Storage zones controller 5.0. This article contains instructions for configuring storage zones controller 5.0.
  • Ensure that the server to run storage zones controller meets the system requirements. For requirements, see System requirements.

The requirements for storage zones for Citrix Files Data and for Restricted storage zones don’t apply to an Endpoint Management integration with storage zone connectors only.

Endpoint Management doesn’t support Documentum connectors.

  • To run PowerShell scripts:
    • Run the scripts in the 32-bit (x86) version of PowerShell.

Installation tasks

Complete the following tasks, in the order presented, to install and set up storage zones controller. These steps are specific to Endpoint Management integration with storage zone connectors only. Some of these articles are in the storage zones controller documentation.

  1. Configure NetScaler for storage zones controller

    You can use Citrix Gateway as a DMZ proxy for storage zones controller.

  2. Install an SSL certificate

    A storage zones controller that hosts standard zones requires an SSL certificate. A storage zones controller that hosts restricted zones and uses an internal address doesn’t require an SSL certificate.

  3. Prepare your server

    IIS and ASP.NET setup is required for storage zone connectors.

  4. Install storage zones controller

  5. Prepare storage zones controller for use with storage zone connectors-only

  6. Specify a proxy server for storage zones

    The storage zones controller console enables you to specify a proxy server for storage zones controller. You can also specify a proxy server using other methods.

  7. Configure the domain controller to trust the storage zones controller for delegation

    Configure the domain controller to support NTLM or Kerberos authentication on network shares or SharePoint sites.

  8. Join a secondary storage zones controller to a storage zone

    To configure a storage zone for high availability, connect at least two storage zones controllers to it.

Install storage zones controller

  1. Download and install the storage zones controller software:

    1. From the Citrix Files download page at https://www.citrix.com/downloads/sharefile.html, log on and download the latest storage zones controller installer.

    2. Installing storage zones controller changes the default website on the server to the installation path of the controller. Enable Anonymous Authentication on the default website.

  2. On the server where you want to install storage zones controller, run StorageCenter.msi.

    The storage zones controller setup wizard starts.

  3. Respond to the prompts:

    • In the Destination Folder page, if Internet Information Services (IIS) is installed in the default location, leave the defaults. If not, browse to the IIS installation location.
    • When installation is complete, clear the check box for Launch Storage Zones Controller Configuration Page and then click Finish.

  4. When prompted, restart the storage zones controller.

  5. To test that the installation was successful, navigate to https://localhost/. (If you get a certificate error, consider connecting with HTTP instead.) If the installation is successful, the Citrix Files logo appears.

    If the Citrix Files logo does not appear, clear the browser cache and try again.

    Important:

    If you plan to clone the storage zones controller, capture the disk image before you proceed with configuring the storage zones controller.

Prepare storage zones controller for use with storage zone connectors-only

For an integration only with storage zone connectors, you don’t use the storage zones controller administrative console. That interface requires a Citrix Files administrator account, which isn’t necessary for this solution. As a result, you run a PowerShell script to prepare the storage zones controller for use without the Citrix Files control plane. The script does the following:

  • Registers the current storage zones controller as a primary storage zones controller. You can later join secondary storage zones controllers to the primary controller.
  • Creates a zone and sets the passphrase for it.

  1. From your storage zones controller server, download the PsExec tool: Navigate to Microsoft Windows Sysinternals and then click Download PsTools. Extract the tool to the root of the C drive.

  2. Run the PsExec tool: Open the Command Prompt as the Administrator User and then type the following:

    ```
    cd c:\pstools
    PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ```
    

  3. When prompted, click Agree to run the Sysinternals tool.

    A PowerShell window opens.

  4. In the PowerShell window, type the following:

    ```
    Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"
    New-Zone -Passphrase passphrase -ExternalAddress https://szcfqdn.com
    ```
    

    Where:

    Passphrase: Is the passphrase you want to assign to the site. Make a note of it. You cannot recover the passphrase from the controller. If you lose the passphrase, you cannot reinstall storage zones, join more storage zones controllers to the storage zone, or recover the storage zone if the server fails.

    ExternalAddress: Is the external fully qualified domain name of the storage zones controller server.

    Your primary storage zones controller is now ready.

    Before you log in to Endpoint Management to create storage zone connectors, complete the following configuration, if applicable:

    • Specify a proxy server for storage zones
    • Configure the domain controller to trust the storage zones controller for delegation
    • Join a secondary storage zones controller to a storage zone

    To create storage zone connectors, see Define storage zones controller connections in Endpoint Management.

Join a secondary storage zones controller to a storage zone

To configure a storage zone for high availability, connect at least two storage zones controllers to it. To join a secondary storage zones controller to a zone, install storage zones controller on a second server. Then join that controller to the zone of the primary controller.

  1. Open a PowerShell window on the storage zones controller server that you want to join to the primary server.

  2. In the PowerShell window, type the following:

    ```
    Join-Zone -Passphrase <passphrase> -PrimaryController <HostnameOrIP>
    ```

    For example:

    ```
    Join-Zone -Passphrase secret123 -PrimaryController 10.10.110.210
    ```

Define storage zones controller connections in Endpoint Management

Before you add storage zone connectors, you configure connection information for each storage zones controller enabled for storage zone connectors. You can define storage zones controllers as described in this section, or when you add a connector.

On your first visit to the Configure > Content Collaboration page, the page summarizes the differences between using Endpoint Management for Enterprise accounts and storage zone connectors.

Click Configure Connectors to continue with the configuration steps in this article.

  1. In Configure > Content Collaboration, click Manage Storage Zones.

  2. In Manage Storage Zones, add the connection information.

    • Name: A descriptive name for the storage zone, used to identify the storage zone in Endpoint Management. Don’t include a space or special characters in the name.
    • FQDN and Port: The fully qualified domain name and port number for a storage zones controller that is reachable from the Endpoint Management server.
    • Secure Connection: If you use SSL for connections to storage zones controller, use the default setting, ON. If you don’t use SSL for connections, change this setting to OFF.
    • Administrator user name and Administrator password: An administrator service account user name (in the form domain\admin) and password. Alternatively, use a user account with read and write permissions on the storage zones controllers.

  3. Click Save.

  4. To test the connection, verify that the Endpoint Management server can reach the fully qualified domain name of the storage zones controller on port 443.

  5. To define another storage zones controller connection, click the Add button in Manage Storage Zones.

    To edit or delete the information for a storage zones controller connection, select the connection name in Manage Storage Zones. Then, click Edit or Delete.
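
The reachability test in step 4, extended to report the TLS protocol and the certificate the controller presents when Secure Connection is ON. This PowerShell function is an added example, not part of the Citrix documentation or tooling. It assumes you run it from a Windows host on the same network path as Endpoint Management; Test-SzcEndpoint is a hypothetical helper name and szcfqdn.com is the placeholder FQDN used earlier in this article.

```powershell
# Added example (not Citrix code). Test-SzcEndpoint is a hypothetical helper;
# szcfqdn.com is the placeholder FQDN from this article.
function Test-SzcEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Fqdn = $Fqdn; Port = $Port; TcpReachable = $false; TlsProtocol = $null
        CertSubject = $null; CertNotAfter = $null; PolicyErrors = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so a filtered port fails fast instead of hanging.
        $pending = $client.BeginConnect($Fqdn, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]$result
        }
        $client.EndConnect($pending)
        $result.TcpReachable = $true

        # Let the handshake finish even with a bad certificate, but record what
        # validation reported so the problem is visible rather than bypassed.
        $seen = @{ Errors = $null }
        $callback = {
            param($s, $certificate, $chain, $errors)
            $seen.Errors = $errors
            $true
        }.GetNewClosure()
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsProtocol  = $ssl.SslProtocol
        $result.CertSubject  = $cert.Subject
        $result.CertNotAfter = $cert.NotAfter
        $result.PolicyErrors = $seen.Errors   # None = chain and name checks passed
    }
    catch { $result.PolicyErrors = "Connection or handshake failed: $($_.Exception.Message)" }
    finally { $client.Close() }
    [pscustomobject]$result
}

Test-SzcEndpoint -Fqdn 'szcfqdn.com' | Format-List
```

A PolicyErrors value other than None (for example RemoteCertificateNameMismatch or RemoteCertificateChainErrors) identifies the certificate to correct on the controller before you rely on the Secure Connection setting.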

Add a storage zone connector in Endpoint Management

  1. Go to Configure > Content Collaboration and then click Add.

  2. On the Connector Info page, configure these settings:

    • Connector Name: A name that identifies the storage zone connector in Endpoint Management.
    • Description: Optional notes about this Connector.
    • Type: Choose either SharePoint or Network.
    • Storage zone: Choose the storage zone associated with the connector. If the storage zone isn’t listed, click Manage Storage Zones to define the storage zones controller.
    • Location: For SharePoint, specify the URL of the SharePoint root-level site, site collection, or document library, in the form https://sharepoint.company.com. For a network share, specify the fully qualified domain name of the Uniform Naming Convention (UNC) path, in the form \\server\share.
  3. On the Delivery Group Assignment page, optionally assign the Connector to delivery groups. Alternatively, you can associate connectors to delivery groups using Configure > Delivery Groups.

  4. On the Summary page, you can review the options you configured. To adjust the configuration, click Back.

  5. Click Save to save the connector.

  6. Test the connector:

    1. When you wrap the Citrix Files clients, set the Network access policy to Tunneled - Web SSO.

      In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app. MDX then initiates new connections to internal connections on behalf of the user. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

    2. Add the Citrix Files clients to Endpoint Management. For details, see To add Citrix Files clients to Endpoint Management.

    3. From a supported device, verify single sign-on to Citrix Files and connectors.

    In the following samples, SharefileDev is the name of a connector.

Filter the storage zone connectors list

You can filter the list of storage zone connectors by connector type, assigned delivery groups, and storage zone.

  1. Go to Configure > Content Collaboration and then click Show filter.

  2. Expand the filter headings to make selections. To save a filter, click Save This View, type the filter name, and click Save.

  3. To rename or delete a filter, click the arrow icon beside the filter name.

Switch to Enterprise account

After integrating storage zone connectors with Endpoint Management, you can later switch to the full Enterprise feature set. Endpoint Management retains your existing storage zone connector integration settings.

Go to Configure > Content Collaboration, click the Storage Zone Connectors drop-down menu, and then click Configure Content Collaboration.

For information about configuring Enterprise accounts, see SAML for single sign-on with Citrix Files.
