Storage zones controller 5.x
Storage zones controller information in this documentation applies to both customers using Citrix Workspace and customers using ShareFile.
ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes storage zones controller and the User Management Tool.
Managing your own data storage enables you to meet regulatory compliance requirements and to locate the storage close to users for optimized performance.
You can use the ShareFile-managed cloud storage by itself or in combination with storage that you maintain, called storage zones for ShareFile Data. The storage zones that you maintain can reside in your on-premises single-tenant storage system or in supported third-party cloud storage, such as Amazon S3 or Windows Azure.
Storage zones controller also provides users with secure access to SharePoint sites and network file shares through storage zone connectors. Connected file shares can include the same network home drives used in Citrix Virtual Apps and Desktops environments. Storage zone connectors enable you to provide secure mobile access to data residing behind your corporate firewall without the need to migrate data to the cloud.
Storage zone connectors enable ShareFile client users to browse, upload, or download documents. For documents stored in SharePoint, mobile users can download, check out, edit, and check in Microsoft Office documents and annotate Adobe PDF documents. The mobile content editor integrated with ShareFile provides mobile users with a secure, rich editing experience, even when working offline.
For information about new features, see What’s new.
The components are:
ShareFile control subsystem — Maintained in Citrix Online data centers, the ShareFile control subsystem handles various operations not related to file contents and performs storage zones health checks.
Storage zones controller — Storage zones controller can host a private ShareFile storage subsystem for your data. Storage zones controller has a Web service that handles all HTTPS operations from end users and the ShareFile control subsystem.
Storage zones for ShareFile Data — This feature provides private data storage: You can store data in an on-premises network file share that you manage or in a supported third-party storage system. Either storage option requires a network share for your private data such as encryption keys, queued files, and other temporary items. If you use third-party storage, the network share is used for your private data storage. Each storage zones controller in a storage zone must use the same network share.
ShareFile Enterprise administrators can choose the per-folder storage location, either ShareFile-managed cloud storage or your private data storage. This feature enables you to optimize performance by locating data close to the users. It also enables you to address data sovereignty and compliance requirements.
Storage zone connectors — Storage zone connectors give mobile users secure access to documents on specified network file shares and to SharePoint sites, site collections, and document libraries.
Storage zone connectors are enabled on a storage zones controller and integrates with ShareFile Enterprise subdomains. You can deploy storage zone connectors in the same zone as storage zones for ShareFile Data. However, storage zones for ShareFile Data is not required to use storage zone connectors.
Storage zones controllers do not store any data for storage zone connectors. ShareFile.com stores the encrypted top level path for storage zone connectors.
Storage zone connectors are available to sites using ShareFile Enterprise or Citrix Endpoint Management.
By default, ShareFile stores data in the secure ShareFile-managed cloud storage. Storage zones controller provides private data storage, either an on-premises network share that you manage or a supported third-party storage system. With storage zones controller, you can optimize performance by locating data storage close to users and you control storage for compliance purposes.
High availability requires at least two storage zones controllers per storage zone. A storage zone must use a single file share for all of its storage zones controllers.
Based on your organization’s performance and compliance requirements, consider the number of storage zones you need and where to best locate them. For example, if you have users in Europe, storing the files in a storage zones controller located in Europe provides both performance and compliance benefits. In general, assigning users to the storage zone that is closest to them geographically is the best practice for optimizing performance.
Data storage security considerations
- In an enterprise environment where the network share for a storage zone is already secured by third-party tools, we recommend that you do not encrypt the files on the share. Although this additional security is offered as an option for maximum security when required, encrypting files on the share will make the disk unreadable by third-party tools such as antivirus scanners and filer tools, including data deduplication tools. ShareFile uses a file encryption key to confirm the validity of download requests and encrypt the storage.
- Place the storage zones controllers inside the network, with DMZ tools protecting them.
- For maximum security, use Citrix ADC or Citrix ADC VPX.
- Use SSL-encrypted connections to ensure the security of information transmitted between your users and storage zones. If you are not using DMZ proxy servers, install an SSL certificate on the IIS service of all storage zones controllers. For a DMZ proxy server that terminates the client connection and uses HTTP, install an SSL certificate on the proxy server. Public certificates are required for standard zones.
- To control connections to ShareFile, IP whitelisting is not a recommended security practice because connections originate from a number of servers in the ShareFile-managed cloud storage, as well as from each individual user device. IP blacklisting, however, is an effective network-level control if your site needs additional security.
Security best practices
Your organization may need to meet specific security standards to satisfy regulatory requirements. This topic does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult
http://www.citrix.com/security/, or contact your Citrix representative.
Security best practices:
- Keep all computers in your environment up-to-date with security patches.
- Protect all computers in your environment with antivirus software.
- Protect all computers in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
- Install a personal firewall on all computers in your environment.
- Secure and encrypt all network communications according to your security policy. You can secure all communication between Microsoft Windows computers using IPsec. Refer to your operating system documentation for information.
- Grant users only the capabilities they require.
TLS v1.2 support
As of storage zones controller 4.0, administrators can limit inbound connections to a storage zone controller to TLS v1.2. If protocols earlier than TLS V1.2 are disabled for inbound traffic to the storage zone controller, all client software components that interact with the storage zone must also support TLS v1.2.
The authentication method configured for your ShareFile Enterprise account is used to authenticate users accessing data stored in your storage zones and on network files shares or SharePoint servers made available through storage zone connectors. If a user needs to use different credentials to access connected files, the user must log out of ShareFile and then log on using the alternate credentials.
ShareFile recommends that you integrate your ShareFile account with third-party authentication, such as Active Directory (AD), using one of the following methods.
The following configurations have been tested and are supported for most environments.
|Citrix Endpoint Management||Download|
|ADFS 4.0 (Windows Server 2016)||Download|
|Dual IdP - ADFS and Citrix Endpoint Management||Download|
|NetScaler (version 12)||Download|
|Microsoft Azure AD||Direct Link|
These configurations have been successfully configured and tested by our engineering teams. The below configuration documentation is subject to change due to continued product enhancements and improvements. Therefore, configuration guides for the following are presented as is:
|G Suite for Business||Download|
|PingOne / PingID||Download|
Citrix Ready Partners
Standard storage zone
The following table summarizes the properties of a storage zone.
| Properties | Standard zones |
| — | — |
| Storage zone servers can be managed by… | Citrix or you |
| User authentication is handled by… |
| Files can be shared with… | employees and third party users (that is, anyone with an email address) |
| File and folder metadata stored in the ShareFile control plane is… | stored in clear text, visible to some Citrix employees |
| Email notifications are sent using… | ShareFile mail servers or your SMTP servers |
| An external address for the zone is | required |
In a Citrix-managed zone, the ShareFile cloud performs all operations except for employee authentication, which is handled by storage zones controller.
In the standard zone, website maintenance and updates, client and application updates, file metadata, upload and download authorization, email notifications (SMTP), third-party user authentication, and folder permissions are handled in the cloud. Employee authentication and file storage and encryption are handled by the controller.
The rest of this section describes the workflow in ShareFile-managed and standard storage zones.
ShareFile-managed storage zones
When a ShareFile client interacts with a ShareFile-managed zone, all requests and traffic go through the ShareFile cloud and all of your ShareFile data is stored in the ShareFile cloud.
Standard storage zones
When a ShareFile client interacts with a standard zone, ShareFile handles user log-on requests and then authorization occurs between the ShareFile cloud and storage zones controller. A storage zones controller that hosts standard zones must have an external address and external SSL certificate. The storage zone SSL certificate must be trusted by user devices and ShareFile web servers.
The ShareFile client interacts with storage zones controller during file upload or download operations. The controller stores files in the storage location defined for the zone and sends unencrypted metadata to the ShareFile cloud.
Users can share files that reside in standard zones with anyone who has an email address.
When users share or download files from a standard zone, ShareFile uses ShareFile SMTP servers to send email notifications.