System requirements

Storage zones controller

  • A dedicated physical or virtual machine with 2 CPUs and 4 GB RAM
  • Windows Server 2012 R2 (Datacenter, Standard, or Essentials)
  • Windows Server 2008 R2, 64-bit edition, SP1 (Datacenter, Standard, or Essentials)
  • Windows Server 2016

For standard storage zones:

  • Use a publicly resolvable Internet host name (not an IP address).
  • Enable SSL for communications with ShareFile.
    • The SSL certificate on the storage zones controller must be trusted by user devices and ShareFile web servers. If you use SSL directly with IIS, refer to http://support.microsoft.com/kb/298805 for information about configuring SSL.
  • Allow inbound TCP requests on port 443 through your firewall.
  • Allow outbound TCP requests to the ShareFile control plane on port 443 through your firewall.

For restricted storage zones:

  • Use an internal or external host name.

  • Enable SSL for communications with ShareFile.

    If you use an internal host name, you can use a private certificate. The certificate must be trusted by user devices.

    If you use an external host name, the SSL certificate on the storage zones controller must be trusted by user devices and ShareFile web servers.

  • Provide outbound HTTP access from storage zones controller to one of the following service bus URIs:

    • ShareFile.com accounts: sf-zk-email-use.servicebus.windows.net
    • ShareFile.eu accounts: sf-zk-email-euw.servicebus.windows.net

    Be sure to arrange network dependencies with your networking team.
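The following is an added example, not part of the Citrix documentation: a read-only PowerShell check for the host-name, firewall and certificate requirements listed above for standard and restricted zones. It assumes Windows Server 2012 R2 or later (for the NetSecurity, PKI and WebAdministration modules), an elevated session on the storage zones controller, and placeholder host names that you replace with your own; the service bus host is the one listed above for ShareFile.com accounts.

```powershell
# Added example (not Citrix code): verify zone prerequisites without changing anything.
function Test-SzcZonePrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ControllerHostName,                  # placeholder, e.g. 'szc.example.com'
        [ValidateSet('Standard', 'Restricted')] [string] $ZoneType = 'Standard',
        [string] $ControlPlaneHost = 'subdomain.sharefile.com',               # placeholder: your ShareFile account address
        [string] $ServiceBusHost = 'sf-zk-email-use.servicebus.windows.net'   # restricted zones; use the -euw host for ShareFile.eu
    )

    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }) }

    # 1. The controller address must be a DNS name, not an IP address literal.
    $ip = $null
    $isIp = [System.Net.IPAddress]::TryParse($ControllerHostName, [ref] $ip)
    & $add 'Host name is not an IP address' (-not $isIp) $ControllerHostName

    # 2. The name must resolve. For a standard zone it must resolve publicly, which a
    #    query from inside the network cannot prove; confirm from outside as well.
    try {
        $addrs = ([System.Net.Dns]::GetHostAddresses($ControllerHostName) | ForEach-Object { $_.IPAddressToString }) -join ', '
        & $add 'Host name resolves' $true $addrs
    } catch {
        & $add 'Host name resolves' $false $_.Exception.Message
    }

    # 3. An enabled inbound Windows Firewall rule must allow TCP 443.
    $inbound443 = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '443' -or $_.LocalPort -contains 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    & $add 'Inbound TCP 443 allowed by firewall' ($null -ne $inbound443) (($inbound443 | ForEach-Object { $_.DisplayName }) -join '; ')

    # 4. The IIS HTTPS binding must carry a certificate that matches the host name and
    #    chains to a root this machine trusts. Trust on user devices and on the
    #    ShareFile web servers is a separate question this check cannot answer.
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $binding = Get-WebBinding -Protocol https | Where-Object { $_.bindingInformation -like '*:443:*' } | Select-Object -First 1
        if (-not $binding) { throw 'No HTTPS binding on port 443 in IIS.' }
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
        if (-not $cert) { throw 'Bound certificate not found in LocalMachine\My.' }
        $valid = Test-Certificate -Cert $cert -Policy SSL -DNSName $ControllerHostName -ErrorAction SilentlyContinue
        & $add 'IIS 443 certificate valid for host name and trusted locally' $valid ('{0}, expires {1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter)
    } catch {
        & $add 'IIS 443 certificate valid for host name and trusted locally' $false $_.Exception.Message
    }

    # 5. Outbound TCP 443 to the ShareFile control plane.
    $out443 = Test-NetConnection -ComputerName $ControlPlaneHost -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    & $add 'Outbound TCP 443 to ShareFile control plane' $out443 $ControlPlaneHost

    # 6. Restricted zones additionally need outbound HTTP to the service bus host.
    if ($ZoneType -eq 'Restricted') {
        $out80 = Test-NetConnection -ComputerName $ServiceBusHost -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
        & $add 'Outbound HTTP to service bus host' $out80 $ServiceBusHost
    }

    return $results
}

# Usage with placeholder names: print every check, then warn if any failed.
$report = Test-SzcZonePrerequisites -ControllerHostName 'szc.example.com' -ZoneType Restricted
$report | Format-Table Check, Pass, Detail -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'One or more zone prerequisites are not met.' }
```

The certificate check deliberately uses the local trust store only: a private certificate that this server trusts will pass here yet still be rejected by user devices or by ShareFile web servers, which is exactly the distinction the standard and restricted zone requirements above draw.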

For the server health check used only for storage zones for ShareFile Data:

  • Open port 80 on the localhost.

For a high availability production environment:

  • A minimum of two servers with storage zones controller installed.

  • If you are not using DMZ proxy servers, install an SSL certificate on the IIS service.

    For information about supported certificates, see the certificate requirements for standard and restricted zones above.

For a DMZ proxy deployment:

  • One or more DMZ proxy servers, such as Citrix ADC VPX instances.

  • For a DMZ proxy server that terminates the client connection and uses HTTP, install an SSL certificate on the proxy server.

    If communications between the DMZ proxy server and the storage zones controller are secure, you can use HTTP. However, HTTPS is recommended as a best practice. If you use HTTPS, you can use a private (Enterprise) certificate on the storage zones controller if it is trusted by the DMZ proxy. The external address exposed by the DMZ proxy must use a commercially trusted certificate. For information about supported certificates, see the certificate requirements for standard and restricted zones above.

Other requirements

  • The storage zones controller installer requires administrative privileges.
  • For remote administration of storage zones controller, use a remoting protocol, such as RDP or Citrix ICA, to connect to the server and then open the storage zones controller console.
  • If you use User Management Tool to provision user accounts, User Management Tool 1.7.3 is required for restricted zones.

Supported third-party storage systems

  • Amazon Simple Storage Service (Amazon S3)
  • Microsoft Azure

Supported Data Loss Prevention solutions

  • Storage zones controller integrates with any ICAP-compliant DLP solution, including:
    • Symantec Data Loss Prevention
    • McAfee DLP Prevent
    • Websense TRITON AP-DATA
    • RSA Data Loss Prevention

Storage zones for ShareFile Data

Storage zones for ShareFile Data is an optional feature that you enable on a storage zones controller.

Requirements:

  • ShareFile Enterprise account, with the storage zone feature enabled
  • A ShareFile user account that includes permission to create and manage zones
  • A CIFS share for private data storage

If you plan to store ShareFile files in a supported third-party storage system, the CIFS share is used for temporary files (encryption keys, queued files) and as a temporary storage cache.

Note: Access to a ShareFile account from an FTP client is not compatible with storage zones for ShareFile Data.

Storage zone connector for SharePoint

Storage zone connector for SharePoint is an optional feature that you enable on a storage zones controller.

Requirements:

  • ShareFile Enterprise account, with the storage zone feature enabled, or Citrix Endpoint Management.
  • Only Microsoft SharePoint Server 2010 and newer are supported.
  • The storage zones controller server must be a domain member, in the same forest as the SharePoint server.
  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.
  • SharePoint policies:
    • The default maximum upload file size for a Web application in SharePoint 2013 is 250 MB and in SharePoint 2010 is 50 MB. To change the default: In SharePoint Central Administration, go to the Web Application General Settings page and change the Maximum Upload Size. The upload file size limit for SharePoint is 2 GB.
    • ShareFile clients always attempt to check in a major version (publish) of a file. However, SharePoint policies determine whether a file is checked in as a major or minor version.
    • The SharePoint View-Only permission does not enable a user to download files. To read a file from a ShareFile client, a SharePoint user must have Read permission.
  • User devices: For the latest information about user device support for storage zone connectors, refer to the ShareFile Knowledge Base.

Storage zone connector for SharePoint authentication

After authenticating the user, the storage zones controller server makes connections to the SharePoint server on the authenticated user’s behalf and responds to authentication challenges presented by the SharePoint server. Storage zone connector for SharePoint supports the following authentication methods on the SharePoint server.

  • Basic

    Requires that you add <add key="CacheCredentials" value="1" /> to C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config.

  • Negotiate (Kerberos)

  • Windows Challenge/Response (NTLM)

ShareFile mobile clients use Basic authentication over HTTPS to authenticate to the storage zones controller or DMZ proxy. Single sign-on to SharePoint is governed by the authentication requirements set on the SharePoint server. To use Kerberos or NTLM authentication on the SharePoint server: Configure the domain controller to trust the storage zones controller for delegation.

If your SharePoint server is configured for Kerberos authentication: Configure a service principal name (SPN) for the named user service accounts for the SharePoint server application pool. For more information, see “Configure trust for delegation for Web parts” in http://support.microsoft.com/kb/832769.

For deployments with Citrix ADC, it is possible to terminate basic authentication at the Citrix ADC and then perform other types of authentication to the storage zones controller.

Storage zone connector for Network File Shares

Storage zone connector for Network File Shares is an optional feature that you enable on a storage zones controller.

Requirements:

  • ShareFile Enterprise or Citrix Endpoint Management account.
  • The storage zone connector server must be a domain member, in the same forest as the network file servers.
  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.
  • User devices: For the latest information about user device support for storage zone connectors, see the ShareFile Knowledge Base.

Connector for Network File Shares authentication

After authenticating the user, the storage zones controller server makes connections to the network file server on the authenticated user’s behalf and responds to authentication challenges presented by the file server. Storage zone connector for Network File Shares supports the following authentication methods on the file server.

  • Negotiate (Kerberos)
  • Windows Challenge/Response (NTLM)

To use Kerberos or NTLM authentication on the storage zones controller: Configure the domain controller to trust the storage zones controller for delegation.

For deployments with Citrix ADC: To provide users with a single sign-on experience when Citrix ADC is configured for basic authentication, configure the connector for both Negotiate (Kerberos) and NTLM authentication.
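Both the SharePoint and the Network File Shares connectors above depend on the same Active Directory setup: the controller's computer account trusted for delegation and, for Kerberos to SharePoint, an HTTP service principal name on the application pool account. The following audit is an added example, not part of the Citrix tooling. It assumes the ActiveDirectory module (RSAT) is installed, that `setspn.exe` is on the path, and that the account and host names are placeholders you replace; the config path is the one named in the Basic authentication requirement above.

```powershell
# Added example (not Citrix code): report the delegation and SPN state the connectors rely on.
function Test-SzcDelegationSetup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ControllerComputerName,   # placeholder, e.g. 'SZC01'
        [string] $SharePointAppPoolAccount,                         # placeholder, e.g. 'svc_spapppool'; omit for file-share connectors
        [string] $SharePointHostName,                               # placeholder, e.g. 'sharepoint.corp.example.com'
        [string] $SpConfigPath = 'C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[object]
    $note = { param($Check, $Pass, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }) }

    # 1. The controller's computer account must be trusted for delegation so it can act
    #    on the authenticated user's behalf toward SharePoint or the file server. The
    #    documentation only requires the trust; the audit reports whether it is
    #    unconstrained or scoped to specific services so the scope can be reviewed.
    $computer = Get-ADComputer -Identity $ControllerComputerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $constrained = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $trusted = $computer.TrustedForDelegation -or $constrained.Count -gt 0
    $scope = if ($constrained.Count) { "constrained to: $($constrained -join ', ')" }
             elseif ($computer.TrustedForDelegation) { 'unconstrained (any service)' }
             else { 'not trusted for delegation' }
    & $note 'Controller trusted for delegation' $trusted $scope

    # 2. Kerberos to SharePoint needs HTTP/<host> registered on the app pool account,
    #    and that SPN must be unique in the domain or Kerberos fails silently.
    if ($SharePointAppPoolAccount -and $SharePointHostName) {
        $spns = @((Get-ADUser -Identity $SharePointAppPoolAccount -Properties ServicePrincipalName).ServicePrincipalName)
        $expected = "HTTP/$SharePointHostName"
        & $note "SPN $expected registered on $SharePointAppPoolAccount" ($spns -contains $expected) ($spns -join ', ')
        $dupCheck = & setspn.exe -X 2>&1
        & $note 'No duplicate SPNs in the domain' ([bool]($dupCheck -match 'found 0 group')) (($dupCheck | Select-Object -Last 1))
    }

    # 3. Basic authentication to SharePoint requires CacheCredentials=1 in the connector config.
    if (Test-Path $SpConfigPath) {
        [xml] $cfg = Get-Content -Path $SpConfigPath -Raw
        $entry = $cfg.SelectNodes("//add[@key='CacheCredentials']") | Select-Object -First 1
        & $note 'CacheCredentials=1 set for Basic auth to SharePoint' ($entry.value -eq '1') "value: $($entry.value)"
    }

    return $findings
}

# Usage with placeholder names; for a file-share-only deployment omit the SharePoint parameters.
Test-SzcDelegationSetup -ControllerComputerName 'SZC01' `
    -SharePointAppPoolAccount 'svc_spapppool' -SharePointHostName 'sharepoint.corp.example.com' |
    Format-Table Check, Pass, Detail -AutoSize

# Remediation for check 1 is the step the text above describes (trust the controller for delegation):
#   Set-ADComputer -Identity 'SZC01' -TrustedForDelegation $true
# Remediation for check 2 registers the SPN only if no other account already holds it:
#   setspn.exe -S HTTP/sharepoint.corp.example.com CORP\svc_spapppool
```

A computer account trusted for unconstrained delegation can impersonate any user who authenticates to it toward any service, so the controller deserves the same hardening and monitoring as a domain controller; the audit's scope column is there to make that exposure visible during review.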

PowerShell scripts and commands

The storage zones controller installation includes several PowerShell scripts and commands, located in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\.

  • Run the scripts in the 32-bit (x86) version of PowerShell.

  • For best results, upgrade to PowerShell 4.0, included with Windows Management Framework 4.0.

    PowerShell 2.0 causes significant problems due to compatibility issues with .NET Framework 4.
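The two conditions above are easy to get wrong on a 64-bit server, where the default PowerShell host is the 64-bit one. The launcher below is an added example, not part of the storage zones controller tooling: it refuses PowerShell versions below 4.0 and re-invokes the requested script in the 32-bit host when called from a 64-bit session. The script name is a placeholder; the Tools path is the one named above.

```powershell
# Added example (not Citrix code): run a Tools script under the conditions the documentation requires.
function Invoke-SzcToolsScript {
    param(
        [Parameter(Mandatory)] [string] $ScriptName,                          # placeholder, e.g. 'SomeTool.ps1'
        [string] $ToolsPath = 'C:\inetpub\wwwroot\Citrix\StorageCenter\Tools',
        [string[]] $Arguments = @()
    )
    # Accept a bare file name only, so the call cannot escape the Tools directory.
    if ([IO.Path]::GetFileName($ScriptName) -ne $ScriptName) { throw "ScriptName must be a file name, not a path: $ScriptName" }
    $script = Join-Path $ToolsPath $ScriptName
    if (-not (Test-Path $script)) { throw "Script not found: $script" }

    # PowerShell 2.0 is not usable with the .NET Framework 4 based tools.
    if ($PSVersionTable.PSVersion.Major -lt 4) {
        throw "PowerShell $($PSVersionTable.PSVersion) detected; install Windows Management Framework 4.0 or later first."
    }

    # On 64-bit Windows the x86 host is under SysWOW64. If this session is 64-bit,
    # hand the script to the 32-bit host instead of running it here.
    $x86Host = Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    if ([Environment]::Is64BitProcess) {
        if (-not (Test-Path $x86Host)) { throw "32-bit PowerShell host not found at $x86Host" }
        & $x86Host -NoProfile -File $script @Arguments
        return $LASTEXITCODE
    }

    # Already a 32-bit process (or a 32-bit OS): run in place.
    & $script @Arguments
}

# Usage with a placeholder script name:
# Invoke-SzcToolsScript -ScriptName 'SomeTool.ps1' -Arguments '-Verbose'
```

The launcher inherits the machine's execution policy rather than overriding it, so a signed-scripts policy on the controller keeps applying to the Tools directory.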

Client requirements for restricted storage zones

The ShareFile web application supports restricted storage zones from the following web browsers:

  • Internet Explorer 11

    To enable access from the ShareFile web application to folders and connectors in restricted zones:

    1. Open Internet Explorer, go to Internet Options, click the Security tab, and then click Trusted Sites.
    2. Click Sites and then add your subdomain and the external storage zones controller address.
    3. Click Close and then click Custom Level.
    4. For Miscellaneous > Access data sources across domains, select Enable.
    5. For User Authentication > Logon, select Prompt for user name and password.
  • Chrome

  • Firefox

  • Safari

  • Secure Web
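The five Internet Explorer 11 steps above can be applied without the dialog, which is how they would be pushed to managed desktops with a logon script or Group Policy preference. The function below is an added example, not part of the ShareFile documentation: it writes the per-user registry values that the Trusted Sites dialog and its Custom Level settings edit. The host names are placeholders; the registry locations (ZoneMap\Domains, and values 1406 and 1A00 in the zone key) are the documented Internet Explorer security zone settings, and the two-label domain split assumes a registrable domain such as example.com.

```powershell
# Added example (not Citrix code): apply the IE11 Trusted Sites steps for the current user.
function Set-SzcTrustedSiteSettings {
    param(
        [Parameter(Mandatory)] [string[]] $HostNames   # placeholders: your ShareFile subdomain and the external controller address
    )
    $ieSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $trustedZone = 2    # IE zone numbers: 0 Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted

    # Steps 1 and 2: add each host to Trusted Sites, for the https scheme only.
    # IE stores 'sub.example.com' as ZoneMap\Domains\example.com\sub with a DWORD named
    # after the scheme whose data is the zone number.
    foreach ($h in $HostNames) {
        $labels = $h.ToLower().Split('.')
        if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$h'" }
        $domain = ($labels | Select-Object -Last 2) -join '.'
        $sub    = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
        $key = Join-Path "$ieSettings\ZoneMap\Domains" $domain
        New-Item -Path $key -Force | Out-Null
        if ($sub) {
            $key = Join-Path $key $sub
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'https' -Value $trustedZone -PropertyType DWord -Force | Out-Null
    }

    # Steps 3 to 5, in the Trusted Sites zone's Custom Level settings:
    #   1406 "Access data sources across domains": 0 = Enable (1 = Prompt, 3 = Disable)
    #   1A00 "Logon": 0x10000 = Prompt for user name and password
    #        (0 = Automatic logon with current credentials, 0x20000 = Automatic only in Intranet zone, 0x30000 = Anonymous)
    $zoneKey = "$ieSettings\Zones\$trustedZone"
    New-ItemProperty -Path $zoneKey -Name '1406' -Value 0       -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $zoneKey -Name '1A00' -Value 0x10000 -PropertyType DWord -Force | Out-Null

    # Read back what was written so the caller can confirm the result.
    Get-ItemProperty -Path $zoneKey -Name '1406', '1A00'
}

# Usage with placeholder names:
# Set-SzcTrustedSiteSettings -HostNames 'subdomain.sharefile.com', 'szc.example.com'
```

Two points worth keeping in mind when rolling this out: setting 1406 to Enable relaxes the cross-domain data access restriction for every site in the Trusted Sites zone, not just the ShareFile hosts, so keep that zone's membership short; and the Logon value of Prompt is the conservative choice, because the Automatic options would have IE send the user's Windows credentials to any site in the zone without asking.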

To support restricted storage zones, ShareFile clients must be upgraded to the following versions or later:

  • ShareFile Sync for Windows 3.1
  • ShareFile Outlook Plug-in 3.2.2
  • ShareFile for iOS 3.3
  • ShareFile for Android 3.4
  • ShareFile for Windows Phone 2.3.10

Note: For the latest information about ShareFile client capabilities, see the ShareFile support site or contact your ShareFile support representative.

These ShareFile clients and tools are not supported for use with restricted storage zones as of the publication date of this article:

  • Off-domain use of ShareFile Desktop Sync for Windows 3.1 and ShareFile Outlook Plug-in

    The clients must be on a domain-joined Windows desktop that is in the same Active Directory forest as the storage zones controller server. Clients can use NTLM or Kerberos for silent authentication to a restricted zone.

  • On-Demand Sync for Windows

  • Sync for Mac

  • ShareFile Enterprise Sync Manager

  • Secure Mail for iOS

  • ShareFile Desktop Widget

  • ShareFile for BlackBerry

  • ShareFile mobile website

The following alternative account access methods are not supported for use with restricted storage zones:

  • FTP
  • PowerShell
  • ShareFile Command Line Interface (SFCLI)
  • HTTPS API (V1)
  • WebDav
  • SMTP

Important

ShareFile does not officially support and does not recommend utilizing DFS replication as it has been known to cause locking failures for larger files. If DFS replication must be used, use separate backup solutions during off-peak hours when the zone is not actively in use.