ShareFile use with Endpoint Management

Endpoint Management has two options for integrating with ShareFile: ShareFile Enterprise and StorageZone Connectors. Integration with ShareFile Enterprise or StorageZone Connectors requires Endpoint Management Enterprise Edition.

ShareFile Enterprise

If you have Endpoint Management Enterprise Edition, you can configure Endpoint Management to provide access to your ShareFile Enterprise account. That configuration:

  • Gives mobile users access to the full ShareFile feature set, such as file sharing, file sync, and StorageZone Connectors.
  • Can provide ShareFile with single sign-on authentication of mobile productivity app users, AD-based user account provisioning, and comprehensive access control policies.
  • Provides ShareFile configuration, service level monitoring, and license usage monitoring through the Endpoint Management console.

For more information about configuring Endpoint Management for ShareFile Enterprise, see SAML for single sign-on with ShareFile.

StorageZone Connectors

You can configure Endpoint Management to provide access only to StorageZone Connectors that you create through the Endpoint Management console. That configuration:

  • Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares.
  • Doesn’t require that you set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data.
  • Provides users with mobile access to data through the Citrix mobile productivity apps for ShareFile for iOS and Android. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
  • Complies with security restrictions against leaking user information outside of the corporate network.
  • Provides simple setup of StorageZone Connectors through the Endpoint Management console. If you later decide to use the full ShareFile functionality with Endpoint Management, you can change the configuration in the Endpoint Management console.
  • Requires Endpoint Management Enterprise Edition.

For an Endpoint Management integration with StorageZone Connectors only:

  • ShareFile uses your single sign-on configuration to NetScaler Gateway to authenticate with StorageZones Controller.
  • Endpoint Management doesn’t authenticate through SAML because the ShareFile control plane isn’t used.

The following diagram shows the high-level architecture for Endpoint Management use with StorageZone Connectors.

Image of StorageZone Controller

Requirements

  • Minimum component versions:
    • ShareFile for iOS (MDX) 5.3
    • ShareFile for Android (MDX) 5.3
    • ShareFile StorageZones Controller 5.0. This article contains instructions for how to configure ShareFile StorageZones Controller 5.0.
  • Ensure that the server to run StorageZones Controller meets the system requirements. For requirements, see System requirements.

The requirements for StorageZones for ShareFile Data and for Restricted StorageZones don’t apply to an Endpoint Management integration with StorageZone Connectors only.

Endpoint Management doesn’t support Documentum connectors.

  • To run PowerShell scripts:
    • Run the scripts in the 32-bit (x86) version of PowerShell.

Installation tasks

Complete the following tasks, in the order presented, to install and set up StorageZones Controller. These steps are specific to Endpoint Management integration with StorageZone Connectors only. Some of these articles are in the StorageZones Controller documentation.

  1. Configure NetScaler for StorageZones Controller

    You can use NetScaler as a DMZ proxy for StorageZones Controller.

  2. Install an SSL certificate

    A StorageZones Controller that hosts standard zones requires an SSL certificate. A StorageZones Controller that hosts restricted zones and uses an internal address doesn’t require an SSL certificate.

  3. Prepare your server

    IIS and ASP.NET setup is required for StorageZone Connectors.

  4. Install StorageZones Controller

  5. Prepare StorageZones Controller for use with StorageZone Connectors-only

  6. Specify a proxy server for StorageZones

    The StorageZones Controllers console enables you to specify a proxy server for StorageZones Controllers. You can also specify a proxy server using other methods.

  7. Configure the domain controller to trust the StorageZones Controller for delegation

    Configure the domain controller to support NTLM or Kerberos authentication on network shares or SharePoint sites.

  8. Join a secondary StorageZones Controller to a StorageZone

    To configure a StorageZone for high availability, connect at least two StorageZones Controllers to it.

Install StorageZones Controller

  1. Download and install the StorageZones Controller software:

    1. From the ShareFile download page at https://www.citrix.com/downloads/sharefile.html, log on and download the latest StorageZones Controller installer.

    2. Installing StorageZones Controller changes the default website on the server to the installation path of the controller. Enable Anonymous Authentication on the default website.

  2. On the server where you want to install StorageZones Controller, run StorageCenter.msi.

    The ShareFile StorageZones Controller Setup wizard starts.

  3. Respond to the prompts:

    • In the Destination Folder page, if Internet Information Services (IIS) is installed in the default location, leave the defaults. If not, browse to the IIS installation location.
    • When installation is complete, clear the check box for Launch StorageZones Controller Configuration Page and then click Finish.

    Image of setup wizard

  4. When prompted, restart the StorageZones Controller.

  5. To test that the installation was successful, navigate to https://localhost/. (If you get a certificate error, consider connecting with http instead.) If the installation is successful, the ShareFile logo appears.

    If the ShareFile logo does not appear, clear the browser cache and try again.

    Important:

    If you plan to clone the StorageZones Controller, capture the disk image before you proceed with configuring the StorageZones Controller.

Prepare StorageZones Controller for use with StorageZone Connectors-only

For an integration only with StorageZone Connectors, you don’t use the StorageZones Controller administrative console. That interface requires a ShareFile administrator account, which isn’t necessary for this solution. As a result, you run a PowerShell script to prepare the StorageZones Controller for use without the ShareFile control plane. The script does the following:

  • Registers the current StorageZones Controller as a primary StorageZones Controller. You can later join secondary StorageZones Controllers to the primary controller.
  • Creates a zone and sets the passphrase for it.

  1. From your StorageZone Controller server, download the PsExec tool: Navigate to Microsoft Windows Sysinternals and then click Download PsTools. Extract the tool to the root of the C drive.

    Image of PsTool download

  2. Run the PsExec tool: Open the Command Prompt as the Administrator User and then type the following:

    ```
    cd c:\pstools
    PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ```
    

    Image of PsTool command

  3. When prompted, click Agree to run the Sysinternals tool.

    Image of PsTool license agreement

    A PowerShell window opens.

  4. In the PowerShell window, type the following:

    ```
    Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"
    New-Zone -Passphrase passphrase -ExternalAddress https://szcfqdn.com
    ```
    

    Where:

    Passphrase: Is the passphrase you want to assign to the site. Make a note of it. You cannot recover the passphrase from the controller. If you lose the passphrase, you cannot reinstall StorageZones, join more StorageZones Controllers to the StorageZone, or recover the StorageZone if the server fails.

    ExternalAddress: Is the external fully qualified domain name of the StorageZones Controller server.

    Image of powershell commands

    Your primary StorageZones Controller is now ready.

    Before you log in to Endpoint Management to create StorageZone Connectors, complete the following configuration, if applicable:

    Specify a proxy server for StorageZones

    Configure the domain controller to trust the StorageZones Controller for delegation

    Join a secondary StorageZones Controller to a StorageZone

    To create StorageZone Connectors, see Define StorageZones Controller connections in Endpoint Management.
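
The preparation steps above, gathered into a pre-flight script for the PowerShell window that PsExec opens (an added example, not part of the original article and not Citrix-supplied code). The module path, the `New-Zone` parameters and the `https://szcfqdn.com` placeholder are the ones shown in step 4; the checks, the prompts and the `Read-Passphrase` helper are this example's own.

```powershell
# Added example: pre-flight checks before New-Zone (not Citrix-supplied code).
$ErrorActionPreference = 'Stop'
$modulePath      = 'C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll'
$externalAddress = 'https://szcfqdn.com'   # placeholder from step 4; use your FQDN

# The scripts must run in the 32-bit (x86) PowerShell host.
if ([Environment]::Is64BitProcess) {
    throw 'This is a 64-bit PowerShell process; start the SysWOW64 (x86) host instead.'
}

# The session must run as Network Service, the account passed to PsExec -u.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.User.IsWellKnown([Security.Principal.WellKnownSidType]::NetworkServiceSid)) {
    throw "Running as $($identity.Name), not NT AUTHORITY\NetworkService."
}

# ExternalAddress must be an https URL whose host is a fully qualified DNS name.
$uri = [Uri]$externalAddress
if ($uri.Scheme -ne 'https' -or $uri.HostNameType -ne 'Dns' -or $uri.Host -notmatch '\.') {
    throw "ExternalAddress '$externalAddress' is not an https URL with an FQDN."
}

if (-not (Test-Path -LiteralPath $modulePath)) {
    throw "SfConfig module not found at $modulePath. Is StorageZones Controller installed?"
}

# Prompt for the passphrase so it is never typed on a command line, and ask twice:
# the controller cannot show it again later.
# Read-Passphrase is a hypothetical helper defined for this example.
function Read-Passphrase([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    (New-Object Net.NetworkCredential('', $secure)).Password
}
$passphrase = Read-Passphrase 'Zone passphrase'
if ([string]::IsNullOrEmpty($passphrase) -or
    $passphrase -cne (Read-Passphrase 'Confirm passphrase')) {
    throw 'Passphrase is empty or the two entries do not match.'
}

Import-Module $modulePath
New-Zone -Passphrase $passphrase -ExternalAddress $externalAddress
Remove-Variable passphrase
```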

Join a secondary StorageZones Controller to a StorageZone

To configure a StorageZone for high availability, connect at least two StorageZones Controllers to it. To join a secondary StorageZones Controller to a zone, install StorageZones Controller on a second server. Then join that controller to the zone of the primary controller.

  1. Open a PowerShell window on the StorageZones Controller server that you want to join to the primary server.

  2. In the PowerShell window, type the following:

    ```
    Join-Zone -Passphrase <passphrase> -PrimaryController <HostnameOrIP>
    ```

    For example:

    ```
    Join-Zone -Passphrase secret123 -PrimaryController 10.10.110.210
    ```

Define StorageZones Controller connections in Endpoint Management

Before you add StorageZone Connectors, you configure connection information for each StorageZones Controller enabled for StorageZone Connectors. You can define StorageZones Controllers as described in this section, or when you add a connector.

On your first visit to the Configure > ShareFile page, the page summarizes the differences between using Endpoint Management with ShareFile Enterprise and with StorageZone Connectors.

Image of ShareFile configuration

Click Configure Connectors to continue with the configuration steps in this article.

Image of ShareFile configuration

  1. In Configure > ShareFile, click Manage StorageZones.

    Image of ShareFile configuration

  2. In Manage StorageZones, add the connection information.

    Image of ShareFile configuration

    • Name: A descriptive name for the StorageZone, used to identify the StorageZone in Endpoint Management. Don’t include a space or special characters in the name.
    • FQDN and Port: The fully qualified domain name and port number for a StorageZones Controller that is reachable from the Endpoint Management server.
    • Secure Connection: If you use SSL for connections to StorageZones Controller, use the default setting, ON. If you don’t use SSL for connections, change this setting to OFF.
    • Administrator user name and Administrator password: An administrator service account user name (in the form domain\admin) and password. Alternatively, use a user account with read and write permissions on the StorageZones Controllers.
  3. Click Save.

  4. To test the connection, verify that the Endpoint Management server can reach the fully qualified domain name of the StorageZones Controller on port 443.

  5. To define another StorageZones Controller connection, click the Add button in Manage StorageZones.

    To edit or delete the information for a StorageZones Controller connection, select the connection name in Manage StorageZones. Then, click Edit or Delete.

Add a StorageZone Connector in Endpoint Management

  1. Go to Configure > ShareFile and then click Add.

    Image of ShareFile configuration

  2. On the Connector Info page, configure these settings:

    Image of ShareFile configuration

    • Connector Name: A name that identifies the StorageZone Connector in Endpoint Management.
    • Description: Optional notes about this Connector.
    • Type: Choose either SharePoint or Network.
    • StorageZone: Choose the StorageZone associated with the Connector. If the StorageZone isn’t listed, click Manage StorageZones to define the StorageZones Controller.
    • Location: For SharePoint, specify the URL of the SharePoint root-level site, site collection, or document library, in the form https://sharepoint.company.com. For a network share, specify the fully qualified domain name of the Uniform Naming Convention (UNC) path, in the form \\server\share.
  3. On the Delivery Group Assignment page, optionally assign the Connector to delivery groups. Alternatively, you can associate connectors to delivery groups using Configure > Delivery Groups.

Image of ShareFile configuration

  4. On the Summary page, you can review the options you configured. To adjust the configuration, click Back.

  5. Click Save to save the Connector.

  6. Test the connector:

    1. When you wrap the ShareFile clients, do the following:

      • Set the Network access policy to Tunneled to the internal network.

      In this mode of operation, the Endpoint Management MDX framework intercepts all network traffic from the ShareFile client. The traffic redirects through NetScaler Gateway by using an app-specific micro VPN.

      • Set the Preferred VPN mode policy to Secure browse.

      In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app. MDX then initiates new connections to internal connections on behalf of the user. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

    2. Add the ShareFile clients to Endpoint Management. For details, see To add ShareFile clients to Endpoint Management.

    3. From a supported device, verify single sign-on to ShareFile and connectors.

    In the following samples, SharefileDev is the name of a connector.

    Image of ShareFile configuration

    Image of ShareFile configuration

Filter the StorageZone Connectors list

You can filter the list of StorageZone Connectors by Connector type, assigned delivery groups, and StorageZone.

  1. Go to Configure > ShareFile and then click Show filter.

    Image of ShareFile configuration

  2. Expand the filter headings to make selections. To save a filter, click Save This View, type the filter name, and click Save.

    Image of ShareFile configuration

  3. To rename or delete a filter, click the arrow icon beside the filter name.

    Image of ShareFile configuration

Switch to ShareFile Enterprise

After integrating StorageZone Connectors with Endpoint Management, you can later switch to the full ShareFile Enterprise feature set. Use of the ShareFile Enterprise feature set requires Endpoint Management Enterprise Edition. Endpoint Management retains your existing StorageZone Connector integration settings.

Go to Configure > ShareFile, click the StorageZone Connectors drop-down menu, and then click Configure ShareFile Enterprise.

Image of ShareFile configuration

For information about configuring ShareFile Enterprise, see SAML for single sign-on with ShareFile.
