Configure Citrix ADC manually

As of version 10.1 build 120.1316, Citrix ADC includes a wizard that configures the settings needed for storage zones controller data and connectors.

The steps in this section describe the Citrix ADC settings needed for storage zones controller. All links are for the NetScaler 10.1 documentation. Similar topics are available for later versions of Citrix ADC.

To check for valid URI signatures on all incoming messages

  1. Create an HTTP callout named sf_callout:
    1. In the Configure HTTP Callout dialog box, click Virtual Server or IP Address and specify the address.

    2. Under Request to send to the server, click Attribute-based and then click Configure Request Attributes.

    3. Select Get Method.

    4. In Host Expression enter the virtual server IP address or the host IP address for any of the storage zone controllers.

    5. In URL Stem Expression, enter:

      "/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h=" + HTTP.REQ.URL.QUERY.VALUE("h")
      
    6. Click OK and then return to the Configure HTTP Callout dialog box.

    7. Under Server Response, choose a Return Type of Bool.

    8. In Expression, to extract data from the response, enter:

      HTTP.RES.STATUS.EQ(200).NOT

    9. Click Create. For more information, see HTTP Callouts.

  2. Follow the preceding steps to configure an HTTP callout named sf_callout_y. Use the same settings except for the expression:
    • In URL Stem Expression, enter:

      "/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="

  3. Configure a responder policy:
    1. In the Configure Responder Policy dialog box: For Action, choose Drop.

    2. In Expression, enter:

      http.REQ.URL.CONTAINS("&h=") && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS("&h=").NOT && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout_y)
      

      For more information, see Responder.

  4. Bind the responder policy to the load balancer virtual server and configure SSL session-based persistence.
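
The following Python model is an added example, not Citrix code. It traces how the two callouts and the responder expression above decide whether a request is dropped. The helper names, the sample URLs and the fake_controller stand-in for validate.ashx are constructed for illustration. HTTP_URL_SAFE is modelled as a no-op and substring matching as case-sensitive, both as assumptions.

```python
import base64

# Constructed stand-in for validate.ashx on the storage zones controller: the
# page does not describe its algorithm, so valid (RequestURI, h) pairs are listed.
VALID = {("/upload.aspx?uploadid=abc123", "deadbeef")}

def before_str(text, marker):
    """BEFORE_STR: text preceding the first occurrence of marker ('' if absent)."""
    i = text.find(marker)
    return text[:i] if i >= 0 else ""

def query_value(url, name):
    """QUERY.VALUE: raw value of the first query parameter called name."""
    for pair in url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""

def b64(text):
    # HTTP_URL_SAFE is modelled as a no-op: the sample URLs need no escaping.
    return base64.b64encode(text.encode()).decode()

def callout_request(url):
    """Return (callout name, URL stem) the responder expression would trigger."""
    if "&h=" in url:
        stem = ("/validate.ashx?RequestURI=" + b64(before_str(url, "&h"))
                + "&h=" + query_value(url, "h"))
        return "sf_callout", stem
    return "sf_callout_y", "/validate.ashx?RequestURI=" + b64(url) + "&h="

def fake_controller(stem):
    """Stand-in controller: 200 for a known-good pair, 403 otherwise."""
    uri_b64 = before_str(stem.partition("RequestURI=")[2], "&h=")
    h = stem.rpartition("&h=")[2]
    return 200 if (base64.b64decode(uri_b64).decode(), h) in VALID else 403

def responder_drops(url, controller=fake_controller):
    """True when the responder policy's Drop action would fire for url."""
    if "/crossdomain.xml" in url or "/validate.ashx?requri" in url:
        return False  # excluded on both branches of the expression
    _, stem = callout_request(url)
    return controller(stem) != 200  # HTTP.RES.STATUS.EQ(200).NOT
```
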

To load balance

  1. Configure token-based load balancing.

    Use the rule expression: http.REQ.URL.QUERY.VALUE("uploadid")

    Token-based load balancing is required for storage zones controllers in a high availability deployment. Round-robin load balancing will result in intermittent download or upload failures because a client request for an upload or download can get directed to a storage zones controller other than the one that received the authorization request from ShareFile.com.

  2. Configure Citrix ADC to terminate SSL connections.

    For information, see Configuring SSL Offloading and its subtopics.

To configure content switching and authentication for connectors

  1. Enable content switching, as described in Enabling Content Switching.

  2. Create a content switching policy for user requests for ShareFile data from your on-premises storage zone:

    1. In the Configure Content Switching Policy dialog box: Enter a name for the content switching policy. These steps use the name Data_Requests.

    2. Enter the expression:

      HTTP.REQ.HOSTNAME.CONTAINS("StorageZonesControllerHostName") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT

    3. Click OK.

      For more information, see Content Switching.

  3. Create a content switching policy for user requests for data accessed from storage zone connectors.

    1. In the Configure Content Switching Policy dialog box: Specify a name for the content switching policy. These steps use the name Connector_Requests.

    2. Enter the expression:

      HTTP.REQ.HOSTNAME.CONTAINS("StorageZonesControllerFQDN") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))

      Be sure to replace “StorageZonesControllerFQDN” with the FQDN of your controller.

    3. Click OK.

  4. Create a content switching virtual server.

  5. Set the content switching policy targets:

    • In the Configure Virtual Server (Content Switching) dialog box: For the Data_Requests policy, specify the load balancer virtual server for storage zones for ShareFile data.

      This load balancer virtual server is the one to which you bound the responder policy in Step 4 of To check for valid URI signatures on all incoming messages and to load balance.

    • For the Connector_Requests policy, specify the load balancer virtual server for storage zone connectors.

  6. Configure the authentication virtual server for storage zone connectors:

    Although authentication to Citrix ADC is optional, it is a recommended best practice.

    1. In the navigation pane, expand Load Balancing, select the name of the load balancer virtual server for storage zone connectors, and then click Open.

    2. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab and then expand Authentication Settings.

    3. Select the check box for 401 Based Authentication and then choose the Authentication virtual server.

    4. Click the Method and Persistence tab.

    5. For Persistence, choose COOKIEINSERT.

    6. For Time-out (min), enter 240.

      A time-out value of 240 minutes is recommended. The minimum value should be greater than 10 minutes.

      For more information, see Configuring the Authentication Virtual Server.

  7. Use the Configure Authentication Server dialog box to create and configure an authentication server.

    In SSO Name Attribute, enter userPrincipalName.

    For more information about other settings, see Authentication Policies.

  8. Configure an authentication policy for the authentication server just created:

    1. In the Configure Authentication Policy dialog box: Enter a Name for the policy and then select the authentication Server configured in the previous step.

    2. Enter the expression:

      ns_true

    For more information, see Configure an authentication policy.

  9. Configure a session profile for single sign-on:

    1. In the Configure Session Profile dialog box, enter a name for the profile.
    2. Select the check box for single sign-on to Web Applications.
    3. For Credential Index, select PRIMARY.
    4. In the single sign-on domain, enter the domain name for your storage zones controller.
    5. Select the Override Global check boxes for each of the preceding three items.

    For more information, see Session Profiles.

  10. Configure a session policy for single sign-on:

    1. In the Configure Session Policy dialog box, enter a name for the policy.

    2. For Request Profile, select the name of the session profile configured in the previous step.

    3. Enter the expression:

      ns_true

    For more information, see Session Policies.

  11. Create an authentication virtual server:

    1. In the Configure Virtual Server (Authentication) dialog box, enter a name and the IP Address for the server.
    2. Click the Authentication tab and for Protocol, select SSL.
    3. Select the check box for Authenticate Users.
    4. Under Authentication Policies, click Primary and then choose the authentication policy you configured in Step 7.
    5. Click the Policies tab, click Session, and then choose the session policy you configured in Step 9.

    For more information, see Configuring the Authentication Virtual Server.