Restricted storage zones

Restricted storage zones are used to protect sensitive data. Only employees can access restricted storage.

Third-party user authentication is not supported in the restricted zone.

Note: Restricted storage zones are End of Maintenance. This lifecycle policy is described in more detail under the Lifecycle Milestones Definitions. The creation of new restricted storage zones is not supported. Existing customers using restricted storage zones will receive further communication about any future product milestones.

Restricted zone features

Zone authentication: In addition to logging on to ShareFile, users must authenticate separately to the storage zones controller to access documents stored in a restricted zone. Directory lookup ensures that the user logging on to ShareFile is the same one authenticating to the zone. This extra authentication requirement limits sharing. Documents can be shared only with others who have access to the storage zones controller and who can authenticate using enterprise credentials. In a restricted zone, files cannot be shared anonymously. Users must be granted permission to view a file and must always log on to receive a shared file.

Metadata encryption: All information about files and folders in the zone is encrypted with your key before being sent to ShareFile. As a result, no one outside of your organization can see folder or file names in restricted zones. Access to encryption keys, decrypted files, and metadata is available only through enterprise authentication to storage zones controller.
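As an added illustration of the metadata encryption property, the following Go program seals an item's name and path under a key that stays with the zone and shows what the control plane is left holding. This is example code written for this page, not ShareFile's or Citrix's implementation: the AES-GCM construction, the key derivation from a customer-held secret, and the `Metadata` and `Envelope` shapes are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Metadata is what the zone knows about an item (constructed sample fields).
type Metadata struct {
	ItemID     string `json:"item_id"`
	Name       string `json:"name"`
	FolderPath string `json:"folder_path"`
	Size       int64  `json:"size"`
}

// Envelope is the record the control plane stores: an opaque item id, a nonce and
// AES-GCM ciphertext. No field carries a file or folder name in the clear.
type Envelope struct {
	ItemID     string
	Nonce      []byte
	Ciphertext []byte
}

// ZoneKey derives a 256-bit metadata key from a customer-held secret (assumed
// derivation; the point is that the key never leaves the on-premises controller).
func ZoneKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMetadata encrypts the metadata before it leaves the zone. The item id is passed
// as additional authenticated data, so a record re-attached to another item id fails
// authentication when the controller reads it back.
func SealMetadata(key []byte, m Metadata) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	plaintext, err := json.Marshal(m)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(m.ItemID))
	return Envelope{ItemID: m.ItemID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenMetadata is the controller's side: decrypt and authenticate a fetched record.
func OpenMetadata(key []byte, e Envelope) (Metadata, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Metadata{}, err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.ItemID))
	if err != nil {
		return Metadata{}, errors.New("metadata failed authentication: wrong key or tampered record")
	}
	var m Metadata
	if err := json.Unmarshal(pt, &m); err != nil {
		return Metadata{}, err
	}
	return m, nil
}

// ControlPlaneView renders the record as someone with database access but no zone key sees it.
func ControlPlaneView(e Envelope) string {
	return fmt.Sprintf("item=%s nonce=%x ciphertext=%d opaque bytes", e.ItemID, e.Nonce, len(e.Ciphertext))
}

// LeaksName reports whether the stored record exposes the given name anywhere.
func LeaksName(e Envelope, name string) bool {
	return strings.Contains(ControlPlaneView(e), name) || strings.Contains(string(e.Ciphertext), name)
}

func main() {
	key := ZoneKey([]byte("constructed customer secret"))
	m := Metadata{ItemID: "fi-0001", Name: "Q3-forecast.xlsx", FolderPath: "/Finance/Board", Size: 48211}
	env, err := SealMetadata(key, m)
	if err != nil {
		panic(err)
	}
	fmt.Println("control plane sees:", ControlPlaneView(env))
	back, _ := OpenMetadata(key, env)
	fmt.Println("controller sees:", back.FolderPath+"/"+back.Name)
	env.ItemID = "fi-0002" // record re-attached to a different item
	_, err = OpenMetadata(key, env)
	fmt.Println("re-attached record:", err)
}
```

The printed control-plane view contains only the item id, the nonce and a byte count, which is the practical meaning of "no one outside of your organization can see folder or file names". What the program does not model is custody of the key inside the controller, which is where the protection actually rests.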

Internal address for storage zones controller: For a restricted zone, authorization occurs between storage zones controller and ShareFile clients instead of between storage zones controller and the ShareFile cloud. As a result, a storage zones controller that hosts restricted zones does not require an external address or external SSL certificate. When storage zones controller is configured with an internal-only address, users must connect to the company network or VPN to access documents in the restricted zone.

Email notifications from your mail server: When users receive email notifications about shared files and folders in a restricted zone, the email is sent from your internal mail server instead of a ShareFile server.

Differences between standard and restricted zones

| Properties | Standard zones | Restricted zones |
|---|---|---|
| Storage zone servers can be managed by… | Citrix or you | you |
| User authentication is handled by… | ShareFile.com or ShareFile.eu | a combination of ShareFile.com or ShareFile.eu plus your on-premises storage zones controller |
| Files can be shared with… | employees and third party users (that is, anyone with an email address) | employees or other users who have a domain account |
| File and folder metadata stored in the ShareFile control plane is… | stored in clear text, visible to some Citrix employees | encrypted with your private keys, which are not available to Citrix |
| Email notifications are sent using… | ShareFile mail servers or your SMTP servers | your SMTP servers |
| An external address for the zone is… | required | not required |

Standard and restricted storage zones

You can designate a storage zone as standard or restricted.

  • A standard storage zone is intended for non-sensitive data and enables employees to share data with non-employees.
  • A restricted storage zone protects sensitive data: Only employees can access the data stored in the zone.

The table under Differences between standard and restricted zones, above, summarizes the differences between the two zone types.

In a Citrix-managed zone, the ShareFile cloud performs all operations except for employee authentication, which is handled by storage zones controller.

In the standard zone, website maintenance and updates, client and application updates, file metadata, upload and download authorization, email notifications (SMTP), third-party user authentication, and folder permissions are handled in the cloud. Employee authentication and file storage and encryption are handled by the controller.

In the restricted zone, website maintenance and updates, client and application updates, and folder permissions are handled in the cloud. Employee authentication, file storage and encryption, file metadata, upload and download authorization, and email notifications (SMTP) are handled by the controller. Third-party user authentication is not supported in the restricted zone.

ShareFile supports a mix of standard and restricted zones within an account. You can create multiple restricted zones, each with its own authentication requirements. For example, if users in Domain A should not be allowed to share files with users in Domain B, install a separate restricted zone for each domain.

The rest of this section describes the workflow in ShareFile-managed, standard, and restricted zones.

Proof-of-concept deployment for restricted storage zones

A storage zones controller configured for restricted zones does not need to accept in-bound connections from the ShareFile cloud: You can configure it with an internal address. The following figure indicates the traffic flow between user devices, the ShareFile cloud, and storage zones controller.

[Figure: Proof-of-concept deployment for restricted zones]

In this scenario, one firewall stands between the Internet and the secure network. Storage zones controller resides inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install an SSL certificate, which can be private, on the IIS service of the storage zones controller.

For restricted zones, storage zones controller sends email notifications from your local SMTP server instead of from ShareFile.

High availability deployment for restricted zones

Storage zones controllers configured for restricted zones do not need to accept in-bound connections from the ShareFile cloud: You can configure each one with an internal address. The following figure shows a high availability deployment for restricted zones.

[Figure: High availability deployment for restricted zones]

In this scenario, one firewall stands between the Internet and the secure network. The storage zones controllers reside inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install an SSL certificate, which can be private, on the IIS service of the storage zones controller.

For restricted zones, storage zones controller sends email notifications from your local SMTP server instead of from ShareFile.

Restricted zones

The following table describes the network connections that occur when a user logs on to ShareFile and then downloads a document from a restricted zone. All connections use HTTPS.

| Step | Source | Destination |
|---|---|---|
| 1. User logon request | Client | company.sharefile.com |
| 2. If using ADFS, redirect to SAML IdP logon | Client | SAML Identity Provider URL |
| 3. File/folder enumeration and download request | Client | szc.company.com |
| 4. File download authorization and get encrypted metadata | szc.company.com | company.sharefile.com |
| 5. File download | Client | szc.company.com |

Deployment for restricted storage zones

The following figure shows a high availability deployment for restricted zones.

[Figure: Storage zones controllers with restricted zones]

For restricted zones, storage zones controller sends email notifications from your local SMTP server instead of from ShareFile.

Network connections for restricted zones

The following diagram and table describe the network connections that occur when a user logs onto ShareFile and then uploads a document to a restricted zone. In this case, the account uses Active Directory Federation Services (ADFS) for SAML logon. Authentication traffic is handled by an ADFS proxy server that communicates with an ADFS server on the trusted network.

[Figure: Network connections for restricted zones]

| Step | Source | Destination | Protocol |
|---|---|---|---|
| 1. ShareFile client or browser opens connection | Client | company.sharefile.com or company.sharefile.eu | HTTPS |
| 2. (Optional) Redirect to SAML IdP logon | Client | SAML Identity Provider URL | HTTPS |
| 3. ShareFile redirects user to storage zones controller | Client | company.sharefile.com or company.sharefile.eu | HTTPS |
| 4. Client submits Windows credentials to storage zones controller | Client | Storage zones controller | HTTPS |
| 5. Storage zones controller verifies credentials and grants client access | Storage zones controller | Domain controller | Kerberos |
| 6. Client uploads a file to storage zones controller | Client | Storage zones controller | HTTPS |
| 7. File is written to the storage repository for the restricted zone | Storage zones controller | Local storage | CIFS |
| 8. Storage zones controller encrypts file metadata and sends it to ShareFile | Storage zones controller | company.sharefile.com or company.sharefile.eu | HTTPS |
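The identity-binding step that both flows depend on (the directory lookup described under Restricted zone features, which sits behind step 3 of the download table and steps 3 to 5 here) can be illustrated with the following Go simulation. It is added example code, not ShareFile's or Citrix's protocol: the HMAC-protected session claim, the secret the control plane is assumed to share with the zone, and the `Directory` map standing in for the domain controller are all assumptions made for the illustration, and the Kerberos credential check of step 5 is taken as already done.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Session stands in for what the client holds after the ShareFile logon (steps 1 to 3):
// an email claim the control plane has bound with an HMAC under a secret it shares with
// the zone. This shape is an assumption for the illustration, not ShareFile's format.
type Session struct {
	Email string
	MAC   string
}

func sessionMAC(secret []byte, email string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(email))
	return h.Sum(nil)
}

// IssueSession is the control plane's side: it vouches for the email it authenticated.
// An empty email models an anonymous share link.
func IssueSession(secret []byte, email string) Session {
	return Session{Email: email, MAC: hex.EncodeToString(sessionMAC(secret, email))}
}

// Directory models the domain controller's answer as a UPN -> mail attribute map.
// Constructed sample data; third-party users simply have no entry.
type Directory map[string]string

// AuthorizeZoneAccess is the controller's decision in steps 4 and 5. windowsUPN is the
// identity whose credentials the controller has already verified against the domain.
// Two successful logons are not enough: both identities must resolve to one user.
func AuthorizeZoneAccess(secret []byte, dir Directory, s Session, windowsUPN string) error {
	got, err := hex.DecodeString(s.MAC)
	if err != nil || !hmac.Equal(got, sessionMAC(secret, s.Email)) {
		return errors.New("session was not issued by ShareFile for this zone")
	}
	if s.Email == "" {
		return errors.New("anonymous link: a restricted zone requires a logged-on user")
	}
	mail, ok := dir[strings.ToLower(windowsUPN)]
	if !ok {
		return fmt.Errorf("%s has no domain account: not an employee of this zone", windowsUPN)
	}
	if !strings.EqualFold(mail, s.Email) {
		return fmt.Errorf("ShareFile user %s is not the zone identity %s", s.Email, mail)
	}
	return nil // the client may now upload (step 6) or download
}

func main() {
	secret := []byte("constructed zone secret")
	dir := Directory{"alice@corp.example": "alice@corp.example", "bob@corp.example": "bob@corp.example"}
	attempts := []struct {
		label string
		s     Session
		upn   string
	}{
		{"same user on both logons", IssueSession(secret, "alice@corp.example"), "alice@corp.example"},
		{"ShareFile user alice, zone credentials bob", IssueSession(secret, "alice@corp.example"), "bob@corp.example"},
		{"anonymous share link", IssueSession(secret, ""), "alice@corp.example"},
		{"third-party user without a domain account", IssueSession(secret, "vendor@partner.example"), "vendor@partner.example"},
		{"session not issued by ShareFile", Session{Email: "alice@corp.example", MAC: "00"}, "alice@corp.example"},
	}
	for _, a := range attempts {
		fmt.Printf("%-44s -> %v\n", a.label, AuthorizeZoneAccess(secret, dir, a.s, a.upn))
	}
}
```

Only the first attempt is granted; the other four are the cases the restricted-zone design is meant to exclude (a mismatch between the two logons, an anonymous link, a user with no domain account, and a session the zone cannot trace back to ShareFile).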

For restricted storage zones:

  • Use an internal or external host name.

  • Enable SSL for communications with ShareFile.

    If you use an internal host name, you can use a private certificate. The certificate must be trusted by user devices.

    If you use an external host name, the SSL certificate on the storage zones controller must be trusted by user devices and ShareFile web servers.

  • Provide outbound HTTP access from storage zones controller to one of the following service bus URIs:

    • ShareFile.com accounts: sf-zk-email-use.servicebus.windows.net
    • ShareFile.eu accounts: sf-zk-email-euw.servicebus.windows.net

    Be sure to arrange network dependencies with your networking team.
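For the SSL requirement above (a private certificate is acceptable on an internal host name, but it must be trusted by user devices), here is an added Go example, not Citrix's or ShareFile's code, that builds a constructed private root CA and a controller certificate for szc.company.com in memory and then performs the same chain and host-name validation a user device's TLS client performs. The CA name, the validity periods and the `DevicePool` helper are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl with parentKey; with a nil parent it produces a self-signed root.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// NewPrivateCA builds a constructed enterprise root, the kind an internal PKI would hold.
func NewPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Corp Private Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issueCert(tmpl, nil, nil)
}

// NewControllerCert issues the certificate the controller's IIS site presents for host.
func NewControllerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issueCert(tmpl, ca, caKey)
	return cert, err
}

// DevicePool models a user device's trust store containing exactly the given roots.
func DevicePool(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// TrustedByDevice runs the chain and host-name checks a TLS client applies at handshake.
// A nil result means the device would connect without a certificate error.
func TrustedByDevice(cert *x509.Certificate, trust *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trust,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := NewPrivateCA()
	if err != nil {
		panic(err)
	}
	leaf, err := NewControllerCert(ca, caKey, "szc.company.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("device with the private CA:", TrustedByDevice(leaf, DevicePool(ca), "szc.company.com"))
	fmt.Println("device without it:", TrustedByDevice(leaf, DevicePool(), "szc.company.com"))
	fmt.Println("right CA, wrong host name:", TrustedByDevice(leaf, DevicePool(ca), "files.company.com"))
}
```

The second and third results are the two failures to plan for when a private certificate is used: a device that has not received the private root, and a certificate whose subject alternative name does not match the host name users actually type or are redirected to.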

Client requirements for restricted storage zones

The ShareFile web application supports restricted storage zones from the following web browsers:

  • Internet Explorer 11

    To enable access from the ShareFile web application to folders and connectors in restricted zones:

    1. Open Internet Explorer, go to Internet Options, click the Security tab, and then click Trusted Sites.
    2. Click Sites and then add your subdomain and the external storage zones controller address.
    3. Click Close and then click Custom Level.
    4. For Miscellaneous > Access data sources across domains, select Enable.
    5. For User Authentication > Logon, select Prompt for user name and password.
  • Chrome

  • Firefox

  • Safari

  • Secure Web

To support restricted storage zones, ShareFile clients must be upgraded to the following versions or later:

  • ShareFile Sync for Windows 3.1
  • ShareFile Outlook Plug-in 3.2.2
  • ShareFile for iOS 3.3
  • ShareFile for Android 3.4
  • ShareFile for Windows Phone 2.3.10

Note: For the latest information about ShareFile client capabilities, see the ShareFile support site or contact your ShareFile support representative.

These ShareFile clients and tools are not supported for use with restricted storage zones as of the publication date of this article:

  • Off-domain use of ShareFile Desktop Sync for Windows 3.1 and ShareFile Outlook Plug-in

    The clients must be on a domain-joined Windows desktop that is in the same Active Directory forest as the storage zones controller server. Clients can use NTLM or Kerberos for silent authentication to a restricted zone.

  • On-Demand Sync for Windows

  • Sync for Mac

  • ShareFile Enterprise Sync Manager

  • Secure Mail for iOS

  • ShareFile Desktop Widget

  • ShareFile for BlackBerry

  • ShareFile mobile website

The following alternative account access methods are not supported for use with restricted storage zones:

  • FTP
  • PowerShell
  • ShareFile Command Line Interface (SFCLI)
  • HTTPS API (V1)
  • WebDav
  • SMTP

Important

ShareFile does not officially support and does not recommend using DFS replication. It has been known to cause locking failures for larger files. If DFS replication must be used, use separate backup solutions during off-peak hours when the zone is not actively in use.

Upgrade Restricted Storage Zone

When you upgrade a storage zones controller to the latest version, that controller continues to use standard zones. You cannot upgrade a standard zone to a restricted zone.

To replace a standard zone with a restricted zone, you must install a new storage zones controller and configure a restricted zone.

To support restricted zones or web access to connectors, you must perform additional Citrix ADC configuration after you complete the wizard. The configuration ensures that ShareFile clients send credentials only when logged on to a trusted ShareFile domain. To support web access to connectors, you also add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.

Additional restricted zones information

Support for restricted storage zones affects all aspects of the ShareFile service. As a result of protocol changes required to support metadata encryption and zone authentication, some ShareFile clients and features are not supported when working with documents in a restricted storage zone.

Contents

  • Clients and tools
  • Browsers
  • Features
  • Sync for Windows
  • Mobile Apps
  • Outlook Plug-in

Clients and tools

| Client or tool | Restricted zone support |
|---|---|
| Sync for Windows | 3.1 and up |
| Plug-in for Microsoft Outlook | 3.2.2 and up |
| On-Demand Sync for Windows | Not supported |
| Drive Mapper | 3.01.171.0 and up |
| ShareFile for iOS | 3.3 – MDX Only |
| ShareFile for Android | 3.4 and up |
| ShareFile for Windows Phone 8 | 2.3.10 and up |
| Sync for Mac | Not supported |
| ShareFile Desktop | Not supported |
| XenMobile WorxMail for iOS | Not supported |
| XenMobile WorxMail for Android | Supported |
| Print to ShareFile | Not supported |
| Mobile website | Not supported |
| Other account access methods | |
| PowerShell | Not supported |
| SFCLI | Not supported |
| REST API (V3) | Supported |
| HTTPS API (V1) | Not supported |
| RSZ Test Coverage | Not supported |
| FTP | Not supported |
| Email files to a folder | Not supported |
| .Net SDK | Supported |

Browsers

| Platform | Supported browsers |
|---|---|
| Windows | Internet Explorer 11, Firefox (latest version), Chrome (latest version) |
| macOS | Safari (latest version), Firefox (latest version), Chrome (latest version) |
| iOS | Safari, Secure Web |
| Android | Secure Web |

Features

End user actions: Working with files:

| Action | Restricted zone support |
|---|---|
| Browse and download files | Supported |
| Upload files (uploader type) | HTML5: Supported; Flash: Not supported; Java: Not supported; Standard HTML form: Not supported |
| Recycle Bin | Supported |
| Bulk download and delete | Supported |
| File Box | View: Supported; Delete: Supported; Upload: Supported; Download: Not supported; Send from Filebox: Not supported |
| File Preview (thumbnails) | Not supported |
| View documents in web browser | Not supported |
| File reupload | Not supported |
| Multiple versions per file | Not supported |
| Search | Restricted Zone items not included in search results |
| Mark a folder as a favorite | Not supported |
| Copy or move files | Not supported |
| Edit Folder Options: Folder expiration date, file retention policy | Supported |
| Shared Folder Bubbling | Not supported |

End user actions: Sharing and collaboration:

| Action | Restricted zone support |
|---|---|
| Send a file: requiring upload, send email using ShareFile, give me a link I can copy, require user to log on, limit number of downloads | Supported |
| Receive and download a shared file | Supported |
| Create a shared folder in a restricted storage zone | Supported |
| Add users to a folder: control permissions for upload and download | Supported |
| Request a file | Supported |
| Request a file with “Require ShareFile Login” enabled | Not supported |
| Email notifications | Supported |
| Inbox: Files sent to me | Supported |
| Inbox: Sent messages | View, expire, resend, edit: supported |
| View activity log | Supported |
| Get signature (via RightSignature) | Not supported |

Administrative actions:

| Action | Restricted zone support |
|---|---|
| Create a user in a restricted zone | Supported |
| Migrate user to a different zone | Not supported |
| Reporting: Access audit, usage report, messaging report, bandwidth report, storage report | HTML viewer: supported; Excel/CSV/PDF viewers: encrypted metadata is shown |
| Zone Administration | |
| Monitor storage usage | Supported |
| Monitor bandwidth usage | Supported |
| Monitor file activity | Supported |
| Recover files | Not supported |
| Reconcile files | Not supported |
| Delete zone | Supported |
| High availability | Supported |

Sync for Windows

Minimum version - 3.1

| Capability | Restricted zone support |
|---|---|
| Authenticate from a domain-joined client - NTLM or Kerberos | Supported |
| Authenticate from a non-domain client - User prompted for password | Supported |
| Sync “My Files and Folders” in a restricted zone | Supported |
| Sync shared folders from a restricted zone | Supported |
| Upload, download, sync | Supported |
| On-demand Sync for XenApp and XenDesktop environments | Not supported |
| View favorite folders | Not available for restricted storage zone folders |
| Right-click > Copy link | Supported |
| Right-click > Email file | Supported |

Mobile apps

See the app-specific tables below:

iOS - Minimum version 3.3

| Capability | Restricted zone support |
|---|---|
| Browse and download files | Supported |
| View content offline | Supported |
| Create a folder | Supported |
| Create or edit a file | Supported |
| Upload photo or video | Supported |
| Authenticate with username/password | Supported |
| Single sign-on with Worx micro VPN | Supported |
| Share: Copy a link | Supported |
| Share: Share by email | Not supported |
| Add or edit folder notes | Not supported |
| Create a note or edit existing notes | Not supported |
| Add people to folder or edit existing folder permissions | Not supported |
| Mark/unmark a folder as a favorite | Not supported |
| Request a file | Not supported |
| Thumbnail previews | Not supported |
| Multi-item delete | Not supported |
| Make folder available offline | Supported except for root-level “Shared with me” folders |
| Share a folder | Supported except for root-level “Shared with me” folders |
| Create a connector in a restricted storage zone | Not supported |

Android - Minimum version 3.4

| Capability | Restricted zone support |
|---|---|
| Browse and download files | Supported |
| View content offline | Supported |
| Send a file | Supported |
| Create a folder | Supported |
| Create or edit a file | Supported |
| Upload files | Supported |
| Authenticate with username/password | Supported |
| Single sign-on with Worx micro VPN | Supported |
| Request a file | Not supported |
| Create a note | Not supported |
| Overwrite existing file after upload | Not supported |

Outlook plug-in

| Capability | Restricted zone support |
|---|---|
| Authenticate from a domain-joined client - NTLM or Kerberos | Supported |
| Authenticate from a non-domain client - User prompted for password | Supported |
| Browse and select files from ShareFile | Supported |
| Browse and select files from ShareFile with “Require recipients to log in” enabled | Not supported |
| Convert attachment to ShareFile link | Supported |
| Convert attachment to ShareFile link with “Require recipients to log in” enabled | Not supported |
| Request a file | Supported |
| Request a file with “Require recipients to log in” enabled | Not supported |