ShareFile use with Endpoint Management
Endpoint Management has two options for integrating with ShareFile: ShareFile Enterprise and StorageZone Connectors. Integration with ShareFile Enterprise or StorageZone Connectors requires Endpoint Management Enterprise Edition.
If you have Endpoint Management Enterprise Edition, you can configure Endpoint Management to provide access to your ShareFile Enterprise account. That configuration:
- Gives mobile users access to the full ShareFile feature set, such as file sharing, file sync, and StorageZone Connectors.
- Can provide ShareFile with single sign-on authentication of mobile productivity app users, AD-based user account provisioning, and comprehensive access control policies.
- Provides ShareFile configuration, service level monitoring, and license usage monitoring through the Endpoint Management console.
For more information about configuring Endpoint Management for ShareFile Enterprise, see SAML for single sign-on with ShareFile.
You can configure Endpoint Management to provide access only to StorageZone Connectors that you create through the Endpoint Management console. That configuration:
- Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares.
- Doesn’t require that you set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data.
- Provides users with mobile access to data through the Citrix mobile productivity apps for ShareFile for iOS and Android. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
- Complies with security restrictions against leaking user information outside of the corporate network.
- Provides simple setup of StorageZone Connectors through the Endpoint Management console. If you later decide to use the full ShareFile functionality with Endpoint Management, you can change the configuration in the Endpoint Management console.
- Requires Endpoint Management Enterprise Edition.
For an Endpoint Management integration with StorageZone Connectors only:
- ShareFile uses your single sign-on configuration to NetScaler Gateway to authenticate with StorageZones Controller.
- Endpoint Management doesn’t authenticate through SAML because the ShareFile control plane isn’t used.
The following diagram shows the high-level architecture for Endpoint Management use with StorageZone Connectors.
- Minimum component versions:
  - ShareFile for iOS (MDX) 5.3
  - ShareFile for Android (MDX) 5.3
  - ShareFile StorageZones Controller 5.0

  This article contains instructions for how to configure ShareFile StorageZones Controller 5.0.
- Ensure that the server to run StorageZones Controller meets the system requirements. For requirements, see System requirements.
The requirements for StorageZones for ShareFile Data and for Restricted StorageZones don’t apply to an Endpoint Management integration with StorageZone Connectors only.
Endpoint Management doesn’t support Documentum connectors.
- To run PowerShell scripts:
- Run the scripts in the 32-bit (x86) version of PowerShell.
Complete the following tasks, in the order presented, to install and set up StorageZones Controller. These steps are specific to Endpoint Management integration with StorageZone Connectors only. Some of these articles are in the StorageZones Controller documentation.
You can use NetScaler as a DMZ proxy for StorageZones Controller.
A StorageZones Controller that hosts standard zones requires an SSL certificate. A StorageZones Controller that hosts restricted zones and uses an internal address doesn’t require an SSL certificate.
IIS and ASP.NET setup is required for StorageZone Connectors.
The StorageZones Controllers console enables you to specify a proxy server for StorageZones Controllers. You can also specify a proxy server using other methods.
Configure the domain controller to support NTLM or Kerberos authentication on network shares or SharePoint sites.
To configure a StorageZone for high availability, connect at least two StorageZones Controllers to it.
Install StorageZones Controller
Download and install the StorageZones Controller software:
From the ShareFile download page at https://www.citrix.com/downloads/sharefile.html, log on and download the latest StorageZones Controller installer.
Installing StorageZones Controller changes the default website on the server to the installation path of the controller. Enable Anonymous Authentication on the default website.
On the server where you want to install StorageZones Controller, run StorageCenter.msi.
The ShareFile StorageZones Controller Setup wizard starts.
Respond to the prompts:
- In the Destination Folder page, if Internet Information Services (IIS) is installed in the default location, leave the defaults. If not, browse to the IIS installation location.
- When installation is complete, clear the check box for Launch StorageZones Controller Configuration Page and then click Finish.
When prompted, restart the StorageZones Controller.
To test that the installation was successful, navigate to https://localhost/. (If you get a certificate error, consider connecting with http instead.) If the installation is successful, the ShareFile logo appears.
If the ShareFile logo does not appear, clear the browser cache and try again.
If you plan to clone the StorageZones Controller, capture the disk image before you proceed with configuring the StorageZones Controller.
Prepare StorageZones Controller for use with StorageZone Connectors-only
For an integration only with StorageZone Connectors, you don’t use the StorageZones Controller administrative console. That interface requires a ShareFile administrator account, which isn’t necessary for this solution. As a result, you run a PowerShell script to prepare the StorageZones Controller for use without the ShareFile control plane. The script does the following:
- Registers the current StorageZones Controller as a primary StorageZones Controller. You can later join secondary StorageZones Controllers to the primary controller.
- Creates a zone and sets the passphrase for it.
From your StorageZone Controller server, download the PsExec tool: Navigate to Microsoft Windows Sysinternals and then click Download PsTools. Extract the tool to the root of the C drive.
Run the PsExec tool: Open the Command Prompt as the Administrator User and then type the following:
```
cd c:\pstools
PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
```
When prompted, click Agree to run the Sysinternals tool.
A PowerShell window opens.
In the PowerShell window, type the following:
```
Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"
New-Zone -Passphrase passphrase -ExternalAddress https://szcfqdn.com
```
Passphrase: Is the passphrase you want to assign to the site. Make a note of it. You cannot recover the passphrase from the controller. If you lose the passphrase, you cannot reinstall StorageZones, join more StorageZones Controllers to the StorageZone, or recover the StorageZone if the server fails.
ExternalAddress: Is the external fully qualified domain name of the StorageZones Controller server.
Your primary StorageZones Controller is now ready.
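A pre-flight check for the zone-creation step above, as an added example that is not part of the Citrix documentation: it confirms that the session is 32-bit and runs as NetworkService, checks the module path and external address, and generates a random passphrase instead of a typed one. The hex passphrase format and the https check on the address are assumptions; the module path and the `New-Zone` parameters are the ones shown in this article.

```powershell
# Added example, not Citrix code. Run it in the PowerShell window that PsExec opened.
$ErrorActionPreference = 'Stop'

$sfConfig        = 'C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll'  # path from this article
$externalAddress = 'https://szcfqdn.com'                                                  # placeholder from this article

# 1. The article requires the 32-bit (x86) PowerShell; pointers are 4 bytes there.
if ([IntPtr]::Size -ne 4) {
    throw 'This is a 64-bit PowerShell session. Start the SysWOW64 powershell.exe instead.'
}

# 2. PsExec should have started the session as NetworkService (well-known SID S-1-5-20).
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($sid -ne 'S-1-5-20') {
    throw "Session runs as SID $sid, not NT AUTHORITY\NetworkService (S-1-5-20)."
}

# 3. The SfConfig module must exist where the controller installer placed it.
if (-not (Test-Path -LiteralPath $sfConfig -PathType Leaf)) {
    throw "SfConfig.dll not found at $sfConfig. Check the StorageZones Controller installation path."
}

# 4. Assumption: the external address should be an absolute https URL.
$uri = $null
if (-not ([Uri]::TryCreate($externalAddress, [UriKind]::Absolute, [ref]$uri)) -or $uri.Scheme -ne 'https') {
    throw "ExternalAddress '$externalAddress' is not an absolute https URL."
}

# 5. Generate a 192-bit random passphrase as 48 hex characters (assumption: the
#    controller accepts a hex string as a passphrase).
$bytes = New-Object byte[] 24
$rng   = [Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$passphrase = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 6. Create the zone with the same two parameters the article uses.
Import-Module $sfConfig
New-Zone -Passphrase $passphrase -ExternalAddress $externalAddress

# 7. The controller cannot return the passphrase later, so record it in your
#    password vault now, then clear it from the session.
Write-Host "Zone passphrase (store in your vault now): $passphrase"
Remove-Variable passphrase, bytes
```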
Before you log in to Endpoint Management to create StorageZone Connectors: Complete the following configuration, if applicable:
To create StorageZone Connectors, see Define StorageZones Controller connections in Endpoint Management.
Join a secondary StorageZones Controller to a StorageZone
To configure a StorageZone for high availability, connect at least two StorageZones Controllers to it. To join a secondary StorageZones Controller to a zone, install StorageZones Controller on a second server. Then join that controller to the zone of the primary controller.
Open a PowerShell window on the StorageZones Controller server that you want to join to the primary server.
In the PowerShell window, type the following:
```
Join-Zone -Passphrase <passphrase> -PrimaryController <HostnameOrIP>
```
For example:
```
Join-Zone -Passphrase secret123 -PrimaryController 10.10.110.210
```
Define StorageZones Controller connections in Endpoint Management
Before you add StorageZone Connectors, you configure connection information for each StorageZones Controller enabled for StorageZone Connectors. You can define StorageZones Controllers as described in this section, or when you add a connector.
On your first visit to the Configure > ShareFile page, the page summarizes the differences between using Endpoint Management with ShareFile Enterprise and with StorageZone Connectors.
Click Configure Connectors to continue with the configuration steps in this article.
In Configure > ShareFile, click Manage StorageZones.
In Manage StorageZones, add the connection information.
- Name: A descriptive name for the StorageZone, used to identify the StorageZone in Endpoint Management. Don’t include a space or special characters in the name.
- FQDN and Port: The fully qualified domain name and port number for a StorageZones Controller that is reachable from the Endpoint Management server.
- Secure Connection: If you use SSL for connections to StorageZones Controller, use the default setting, ON. If you don’t use SSL for connections, change this setting to OFF.
- Administrator user name and Administrator password: An administrator service account user name (in the form domain\admin) and password. Alternatively, a user account with read and write permissions on the StorageZones Controllers.
To test the connection, verify that the Endpoint Management server can reach the fully qualified domain name of the StorageZones Controller on port 443.
To define another StorageZones Controller connection, click the Add button in Manage StorageZones.
To edit or delete the information for a StorageZones Controller connection, select the connection name in Manage StorageZones. Then, click Edit or Delete.
Add a StorageZone Connector in Endpoint Management
Go to Configure > ShareFile and then click Add.
On the Connector Info page, configure these settings:
- Connector Name: A name that identifies the StorageZone Connector in Endpoint Management.
- Description: Optional notes about this Connector.
- Type: Choose either SharePoint or Network.
- StorageZone: Choose the StorageZone associated with the Connector. If the StorageZone isn’t listed, click Manage StorageZones to define the StorageZones Controller.
- Location: For SharePoint, specify the URL of the SharePoint root-level site, site collection, or document library, in the form https://sharepoint.company.com. For a network share, specify the fully qualified domain name of the Uniform Naming Convention (UNC) path, in the form \\server\share.
On the Delivery Group Assignment page, optionally assign the Connector to delivery groups. Alternatively, you can associate connectors to delivery groups using Configure > Delivery Groups.
On the Summary page, you can review the options you configured. To adjust the configuration, click Back.
Click Save to save the Connector.
Test the connector:
When you wrap the ShareFile clients, do the following:
- Set the Network access policy to Tunneled to the internal network.
In this mode of operation, the Endpoint Management MDX framework intercepts all network traffic from the ShareFile client. The traffic redirects through NetScaler Gateway by using an app-specific micro VPN.
- Set the Preferred VPN mode policy to Secure browse.
In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app. MDX then initiates new connections to internal connections on behalf of the user. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.
Add the ShareFile clients to Endpoint Management. For details, see To add ShareFile clients to Endpoint Management.
From a supported device, verify single sign-on to ShareFile and connectors.
In the following samples, SharefileDev is the name of a connector.
Filter the StorageZone Connectors list
You can filter the list of StorageZone Connectors by Connector type, assigned delivery groups, and StorageZone.
Go to Configure > ShareFile and then click Show filter.
Expand the filter headings to make selections. To save a filter, click Save This View, type the filter name, and click Save.
To rename or delete a filter, click the arrow icon beside the filter name.
Switch to ShareFile Enterprise
After integrating StorageZone Connectors with Endpoint Management, you can later switch to the full ShareFile Enterprise feature set. Use of the ShareFile Enterprise feature set requires Endpoint Management Enterprise Edition. Endpoint Management retains your existing StorageZone Connector integration settings.
Go to Configure > ShareFile, click the StorageZone Connectors drop-down menu, and then click Configure ShareFile Enterprise.
For information about configuring ShareFile Enterprise, see SAML for single sign-on with ShareFile.