Restricted storage zones

Customers utilizing storage zones controller (version 3 or later) can utilize restricted zones to better control employee access to data.


Not all features and apps may be utilized with data stored on a restricted zone.

Additional restricted zones information

Restricted zone features

Zone authentication: In addition to logging on to ShareFile, users must authenticate separately to the storage zones controller to access documents stored in a restricted zone. Directory lookup ensures that the user logging on to ShareFile is the same one authenticating to the zone. This extra authentication requirement limits sharing. Documents can be shared only with others who have access to the storage zones controller and who can authenticate using enterprise credentials. In a restricted zone, files cannot be shared anonymously. Users must be granted permission to view a file and must always log on to receive a shared file.

Metadata encryption: All information about files and folders in the zone is encrypted with your key before being sent to ShareFile. As a result, no one outside of your organization can see folder or file names in restricted zones. Access to encryption keys, decrypted files, and metadata is available only through enterprise authentication to storage zones controller.

Internal address for storage zones controller: For a restricted zone, authorization occurs between storage zones controller and ShareFile clients instead of between storage zones controller and the ShareFile cloud. As a result, a storage zones controller that hosts restricted zones does not require an external address or external SSL certificate. When storage zones controller is configured with an internal-only address, users must connect to the company network or VPN to access documents in the restricted zone.

Email notifications from your mail server: When users receive email notifications about shared files and folders in a restricted zone, the email is sent from your internal mail server instead of a ShareFile server.

Differences between standard and restricted zones

Properties Standard zones Restricted zones
Storage zone servers can be managed by… Citrix or you you
User authentication is handled by… or a combination of or plus your on-premises storage zones controller
Files can be shared with… employees and third party users (that is, anyone with an email address) employees or other users who have a domain account
File and folder metadata stored in the ShareFile control plane is… stored in clear text, visible to some Citrix employees encrypted with your private keys, which are not available to Citrix
Email notifications are sent using… ShareFile mail servers or your SMTP servers your SMTP servers
An external address for the zone is… required not required