About storage zones controller
ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes storage zones controller and the User Management Tool.
Storage zones controller extends the ShareFile Software as a Service (SaaS) cloud storage by providing your ShareFile account with private data storage, referred to as storage zones for ShareFile Data. Managing your own data storage enables you to meet regulatory compliance requirements and to locate the storage close to users for optimized performance.
You can use the ShareFile-managed cloud storage by itself or in combination with storage that you maintain, called storage zones for ShareFile Data. The storage zones that you maintain can reside in your on-premises single-tenant storage system or in supported third-party cloud storage, such as Amazon S3 or Windows Azure.
Storage zones controller also provides users with secure access to SharePoint sites and network file shares through storage zone connectors. Connected file shares can include the same network home drives used in Citrix Virtual Apps and Desktops environments. Storage zone connectors enable you to provide secure mobile access to data residing behind your corporate firewall without the need to migrate data to the cloud.
Storage zone connectors enable ShareFile client users to browse, upload, or download documents. For documents stored in SharePoint, mobile users can download, check out, edit, and check in Microsoft Office documents and annotate Adobe PDF documents. The mobile content editor integrated with ShareFile provides mobile users with a secure, rich editing experience, even when working offline.
The components are:
ShareFile control subsystem — Maintained in Citrix Online data centers, the ShareFile control subsystem handles various operations not related to file contents and performs storage zones health checks.
Storage zones controller — Storage zones controller can host a private ShareFile storage subsystem for your data. Storage zones controller has a Web service that handles all HTTPS operations from end users and the ShareFile control subsystem.
Storage zones for ShareFile Data — This feature provides private data storage: You can store data in an on-premises network file share that you manage or in a supported third-party storage system. Either storage option requires a network share for your private data such as encryption keys, queued files, and other temporary items. If you use third-party storage, the network share is used for your private data storage. Each storage zones controller in a storage zone must use the same network share.
ShareFile Enterprise administrators can choose the per-folder storage location, either ShareFile-managed cloud storage or your private data storage. This feature enables you to optimize performance by locating data close to the users. It also enables you to address data sovereignty and compliance requirements.
Storage zone connectors — Storage zone connectors give mobile users secure access to documents on specified network file shares and to SharePoint sites, site collections, and document libraries.
Storage zone connectors are enabled on a storage zones controller and integrate with ShareFile Enterprise subdomains. You can deploy storage zone connectors in the same zone as storage zones for ShareFile Data. However, storage zones for ShareFile Data is not required to use storage zone connectors.
Storage zones controllers do not store any data for storage zone connectors. ShareFile.com stores the encrypted top-level path for storage zone connectors.
Storage zone connectors are available to sites using ShareFile Enterprise or Citrix Endpoint Management.
By default, ShareFile stores data in the secure ShareFile-managed cloud storage. Storage zones controller provides private data storage, either an on-premises network share that you manage or a supported third-party storage system. With storage zones controller, you can optimize performance by locating data storage close to users and you control storage for compliance purposes.
High availability requires at least two storage zones controllers per storage zone. A storage zone must use a single file share for all of its storage zones controllers.
Based on your organization’s performance and compliance requirements, consider the number of storage zones you need and where to best locate them. For example, if you have users in Europe, storing the files in a storage zones controller located in Europe provides both performance and compliance benefits. In general, assigning users to the storage zone that is closest to them geographically is the best practice for optimizing performance.
Data storage security considerations
- In an enterprise environment where the network share for a storage zone is already secured by third-party tools, we recommend that you do not encrypt the files on the share. Although this additional security is offered as an option for maximum security when required, encrypting files on the share will make the disk unreadable by third-party tools such as antivirus scanners and filer tools, including data deduplication tools. ShareFile uses a file encryption key to confirm the validity of download requests and encrypt the storage.
- Place the storage zones controllers inside the network, with DMZ tools protecting them.
- For maximum security, use Citrix ADC or Citrix ADC VPX.
- Use SSL-encrypted connections to ensure the security of information transmitted between your users and storage zones. If you are not using DMZ proxy servers, install an SSL certificate on the IIS service of all storage zones controllers. For a DMZ proxy server that terminates the client connection and uses HTTP, install an SSL certificate on the proxy server. Public certificates are required for standard zones or for restricted zones that have an external host name.
- To control connections to ShareFile, IP whitelisting is not a recommended security practice because connections originate from a number of servers in the ShareFile-managed cloud storage, as well as from each individual user device. IP blacklisting, however, is an effective network-level control if your site needs additional security.
Security best practices
Your organization may need to meet specific security standards to satisfy regulatory requirements. This topic does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult http://www.citrix.com/security/, or contact your Citrix representative.
Security best practices:
- Keep all computers in your environment up-to-date with security patches.
- Protect all computers in your environment with antivirus software.
- Protect all computers in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
- Install a personal firewall on all computers in your environment.
- Secure and encrypt all network communications according to your security policy. You can secure all communication between Microsoft Windows computers using IPsec. Refer to your operating system documentation for information.
- Grant users only the capabilities they require.
TLS v1.2 support
As of storage zones controller 4.0, administrators can limit inbound connections to a storage zones controller to TLS v1.2. If protocols earlier than TLS v1.2 are disabled for inbound traffic to the storage zones controller, all client software components that interact with the storage zone must also support TLS v1.2.
The authentication method configured for your ShareFile Enterprise account is used to authenticate users accessing data stored in your storage zones and on network file shares or SharePoint servers made available through storage zone connectors. If a user needs to use different credentials to access connected files, the user must log out of ShareFile and then log on using the alternate credentials.
ShareFile recommends that you integrate your ShareFile account with third-party authentication, such as Active Directory (AD), using one of the following methods.
The following configurations have been tested and are supported for most environments.
|Citrix Endpoint Management||Download|
|ADFS 4.0 (Windows Server 2016)||Download|
|Dual IdP - ADFS and Citrix Endpoint Management||Download|
|NetScaler (version 12)||Download|
|Microsoft Azure AD||Direct Link|
These configurations have been successfully configured and tested by our engineering teams. The configuration documentation below is subject to change due to continued product enhancements and improvements. Therefore, configuration guides for the following are presented as is:
|G Suite for Business||Download|
|PingOne / PingID||Download|
Citrix Ready Partners
Standard and restricted storage zones
You can designate a storage zone as standard or restricted.
- A standard storage zone is intended for non-sensitive data and enables employees to share data with non-employees.
- A restricted storage zone protects sensitive data: Only employees can access the data stored in the zone.
The following table summarizes the differences between standard and restricted zones.
|Properties||Standard zones||Restricted zones|
|Storage zone servers can be managed by…||Citrix or you||you|
|User authentication is handled by…||
||a combination of
|Files can be shared with…||employees and third party users (that is, anyone with an email address)||employees or other users who have a domain account|
|File and folder metadata stored in the ShareFile control plane is…||stored in clear text, visible to some Citrix employees||encrypted with your private keys, which are not available to Citrix|
|Email notifications are sent using…||ShareFile mail servers or your SMTP servers||your SMTP servers|
|An external address for the zone is…||required||not required|
In a Citrix-managed zone, the ShareFile cloud performs all operations except for employee authentication, which is handled by storage zones controller.
In the standard zone, website maintenance and updates, client and application updates, file metadata, upload and download authorization, email notifications (SMTP), third-party user authentication, and folder permissions are handled in the cloud. Employee authentication and file storage and encryption are handled by the controller.
In the restricted zone, website maintenance and updates, client and application updates, and folder permissions are handled in the cloud. Employee authentication, file storage and encryption, file metadata, upload and download authorization, and email notifications (SMTP) are handled by the controller. Third-party user authentication is not supported in the restricted zone.
ShareFile supports a mix of standard and restricted zones within an account. You can create multiple restricted zones, each with its own unique authentication requirements. For example, if users in Domain A should not be allowed to share files with users in Domain B, install a separate restricted zone for each domain.
The rest of this section describes the workflow in ShareFile-managed, standard, and restricted zones.
ShareFile-managed storage zones
When a ShareFile client interacts with a ShareFile-managed zone, all requests and traffic go through the ShareFile cloud and all of your ShareFile data is stored in the ShareFile cloud.
Standard storage zones
When a ShareFile client interacts with a standard zone, ShareFile handles user log-on requests and then authorization occurs between the ShareFile cloud and storage zones controller. A storage zones controller that hosts standard zones must have an external address and external SSL certificate. The storage zone SSL certificate must be trusted by user devices and ShareFile web servers.
The ShareFile client interacts with storage zones controller during file upload or download operations. The controller stores files in the storage location defined for the zone and sends unencrypted metadata to the ShareFile cloud.
Users can share files that reside in standard zones with anyone who has an email address.
When users share or download files from a standard zone, ShareFile uses ShareFile SMTP servers to send email notifications.
Restricted storage zones
When a ShareFile client interacts with a restricted zone, ShareFile handles user log-on requests. Authorization occurs between the storage zones controller and ShareFile client instead of between storage zones controller and the ShareFile cloud.
As a result, a storage zones controller that hosts restricted zones can reside behind your firewall and does not require an external address or external SSL certificate. The SSL certificate on the storage zones controller must be trusted by user devices. When storage zones controller is configured with an internal address, users must connect to your company network or a VPN to access documents in a restricted zone.
Access to data stored in a restricted zone has these authentication requirements:
In addition to logging on to ShareFile, users must authenticate separately to the storage zones controller to access documents stored in a restricted zone. Directory lookup ensures that the same user logs on to ShareFile and the zone.
This extra authentication requirement limits sharing so that documents can only be shared with users who have access to the storage zones controller, who authenticate using enterprise credentials, and who have permission to view the documents. Users cannot anonymously share files that are stored in a restricted zone.
Access to encryption keys and metadata also requires enterprise authentication to storage zones controller.
The controller uses an authenticated proxy service to read and store encrypted data in the ShareFile cloud and to exchange unencrypted metadata with ShareFile clients. Storage zones controller encrypts your metadata with an encryption key that is unique to your organization and not available to Citrix. As a result, no one outside of your organization can see folder or file names in restricted zones.
When users share or download files from a restricted zone, your SMTP servers send the email notifications.
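The deployment rules stated above (two controllers per zone for high availability, one network share per zone, an external address for standard zones, and a public certificate for standard zones or restricted zones with an external host name) can be checked against a deployment inventory before rollout. The following is an added example, not Citrix code; the inventory layout, field names, and host names are hypothetical and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample inventory. Field names are hypothetical, not a ShareFile export format.
ZONES = {
    "eu-standard": {"type": "standard", "external_host": None, "public_cert": False},
    "hr-restricted": {"type": "restricted", "external_host": None, "public_cert": False},
}
CONTROLLERS = [
    {"name": "szc-eu-1", "zone": "eu-standard", "share": r"\\filer-eu\sfdata"},
    {"name": "szc-eu-2", "zone": "eu-standard", "share": r"\\filer-eu\sfdata2"},
    {"name": "szc-hr-1", "zone": "hr-restricted", "share": r"\\filer-hr\sfdata"},
]

def norm_share(path):
    """UNC paths are case-insensitive; ignore case and a trailing backslash."""
    return path.rstrip("\\").lower()

def review(zones, controllers):
    """Return (zone, code, message) findings for the rules stated on this page."""
    members = defaultdict(list)
    for c in controllers:
        members[c["zone"]].append(c)
    findings = []
    # Edge case: a controller assigned to a zone that the inventory never defines.
    for zone in sorted(set(members) - set(zones)):
        findings.append((zone, "unknown-zone", "controllers reference an undefined zone"))
    for zone, cfg in sorted(zones.items()):
        ctrls = members.get(zone, [])
        shares = sorted({norm_share(c["share"]) for c in ctrls})
        if len(ctrls) < 2:
            findings.append((zone, "ha",
                f"{len(ctrls)} controller(s); high availability needs at least two"))
        if len(shares) > 1:
            findings.append((zone, "share",
                "controllers must use one network share, found: " + ", ".join(shares)))
        if cfg["type"] == "standard" and not cfg["external_host"]:
            findings.append((zone, "external-address",
                "standard zones require an external address"))
        # Public certificate: every standard zone, and restricted zones with an external host name.
        if (cfg["type"] == "standard" or cfg["external_host"]) and not cfg["public_cert"]:
            findings.append((zone, "public-cert",
                "a public certificate is required for this zone"))
    return findings

if __name__ == "__main__":
    for zone, code, message in review(ZONES, CONTROLLERS):
        print(f"{zone}: [{code}] {message}")
```

A restricted zone with an internal address and two controllers on the same share produces no findings, which matches the page's statement that such a zone needs neither an external address nor an external certificate.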