Storage zones controller

System requirements

Important:

Microsoft is ending support for Windows Server 2012 R2 on October 10, 2023. It is important to migrate your server to a newer version before the end of support date.

Storage zones controller

  • A dedicated physical or virtual machine with 2 CPUs and 4 GB RAM
  • Windows Server 2012 R2 (Datacenter, Standard, or Essentials)
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

For standard storage zones:

  • Use a publicly resolvable Internet host name (not an IP address).
  • Enable SSL for communications with ShareFile.
    • The SSL certificate on the storage zones controller must be trusted by user devices and ShareFile web servers. If you use SSL directly with IIS, refer to http://support.microsoft.com/kb/298805 for information about configuring SSL.
  • Allow inbound TCP requests on port 443 through your firewall.
  • Allow outbound TCP requests to the ShareFile control plane on port 443 through your firewall.
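
The first three requirements above can be checked before installation. The following PowerShell function is an added example, not part of the ShareFile tooling; the function name and `zone.example.com` are placeholders, and requesting TLS 1.2 explicitly is an assumption of the example.

```powershell
# Added example (not a ShareFile tool). 'zone.example.com' is a placeholder.
# Run it from outside your network so DNS and trust are evaluated as a user device sees them.
function Test-ZoneExternalAddress {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $result = [ordered]@{
        HostName = $HostName; IsHostName = $false; Resolves = $false
        TlsTrusted = $false; CertSubject = $null; CertExpires = $null; Error = $null
    }

    # Requirement: a host name, not an IP address.
    $ip = $null
    $result.IsHostName = -not [System.Net.IPAddress]::TryParse($HostName, [ref]$ip)

    $tcp = $null
    $ssl = $null
    try {
        # Requirement: the name resolves in DNS (throws if it does not).
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Resolves = $addresses.Length -gt 0

        # Requirement: inbound TCP 443 is reachable and the certificate is trusted.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Default validation: throws on an untrusted chain, an expired
        # certificate, or a name mismatch. Revocation checking is off here.
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsTrusted = $true
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }

    New-Object -TypeName psobject -Property $result
}

# Usage: Test-ZoneExternalAddress -HostName 'zone.example.com'
```

The certificate is validated against the trust store of the machine running the check, so a private (Enterprise) certificate passes on a domain-joined host but fails on an unmanaged device.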

For the server health check used only for storage zones for ShareFile Data:

  • Open port 80 on the localhost.

For a high availability production environment:

  • A minimum of two servers with storage zones controller installed.

  • If you are not using DMZ proxy servers, install an SSL certificate on the IIS service.

    For information about supported certificates, see the certificate requirements for standard zones above.

For a DMZ proxy deployment:

  • One or more DMZ proxy servers, such as Citrix ADC VPX instances.

  • For a DMZ proxy server that terminates the client connection and uses HTTP, install an SSL certificate on the proxy server.

    If communications between the DMZ proxy server and the storage zones controller are secure, you can use HTTP. However, HTTPS is recommended as a best practice. If you use HTTPS, you can use a private (Enterprise) certificate on the storage zones controller if it is trusted by the DMZ proxy. The external address exposed by the DMZ proxy must use a commercially trusted certificate. For information about supported certificates, see the certificate requirements for standard zones above.

Other requirements

Note:

ShareFile does not officially support and does not recommend utilizing DFS replication. It has been known to cause locking failures for larger files. If DFS replication must be used, use separate backup solutions during off-peak hours when the zone is not actively in use.

  • The storage zones controller installer requires administrative privileges.
  • For remote administration of storage zones controller, use a remoting protocol, such as RDP or Citrix ICA, to connect to the server and then open the storage zones controller console.

Supported third-party storage systems

  • Amazon Simple Storage Service (Amazon S3)
  • Microsoft Azure

Supported Data Loss Prevention solutions

  • Storage zones controller integrates with any ICAP-compliant DLP solution, including:
    • Symantec Data Loss Prevention
    • McAfee DLP Prevent
    • Websense TRITON AP-DATA
    • RSA Data Loss Prevention

Storage zones for ShareFile Data

Storage zones for ShareFile Data is an optional feature that you enable on a storage zones controller.

Requirements:

  • ShareFile Enterprise account, with the storage zone feature enabled
  • A ShareFile user account that includes permission to create and manage zones
  • A CIFS share for private data storage

If you plan to store ShareFile files in a supported third-party storage system, the CIFS share is used for temporary files (encryption keys, queued files) and as a temporary storage cache.

Note: Access to a ShareFile account from an FTP client is not compatible with storage zones for ShareFile Data.

Storage zone connector for SharePoint

Storage zone connector for SharePoint is an optional feature that you enable on a storage zones controller.

Requirements:

  • ShareFile Enterprise account, with the storage zone feature enabled, or Citrix Endpoint Management.
  • Only Microsoft SharePoint Server 2010 and newer are supported.
  • The storage zones controller server must be a domain member, in the same forest as the SharePoint server.
  • The Web Server (IIS) role and ASP.NET 4.x. For more information, see Prepare your server for ShareFile data.
  • SharePoint policies:
    • The default maximum upload file size for a Web application in SharePoint 2013 is 250 MB and in SharePoint 2010 is 50 MB. To change the default: In SharePoint Central Administration, go to the Web Application General Settings page and change the Maximum Upload Size. The upload file size limit for SharePoint is 2 GB.
    • ShareFile clients always attempt to check in a major version (publish) of a file. However, SharePoint policies determine whether a file is checked in as a major or minor version.
    • The SharePoint View-Only permission does not enable a user to download files. To read a file from a ShareFile client, a SharePoint user must have Read permission.
  • User devices: For the latest information about user device support for storage zone connectors, refer to the ShareFile Knowledge Base.

Storage zone connector for SharePoint authentication

After authenticating the user, the storage zones controller server makes connections to the SharePoint server on the authenticated user’s behalf and responds to authentication challenges presented by the SharePoint server. Storage zone connector for SharePoint supports the following authentication methods on the SharePoint server.

  • Basic

    Requires that you add <add key="CacheCredentials" value="1" /> to C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config.

  • Negotiate (Kerberos)

  • Windows Challenge/Response (NTLM)

ShareFile mobile clients use Basic authentication over HTTPS to authenticate to the storage zones controller or DMZ proxy. Single sign-on to SharePoint is governed by the authentication requirements set on the SharePoint server. To use Kerberos or NTLM authentication on the SharePoint server: Configure the domain controller to trust the storage zones controller for delegation.

If your SharePoint server is configured for Kerberos authentication: Configure a service principal name (SPN) for the named user service accounts for the SharePoint server application pool. For more information, see “Configure trust for delegation for Web parts” in http://support.microsoft.com/kb/832769.

For deployments with Citrix ADC, it is possible to terminate basic authentication at the Citrix ADC and then perform other types of authentication to the storage zones controller.

Storage zone connector for Network File Shares

Storage zone connector for Network File Shares is an optional feature that you enable on a storage zones controller.

Requirements:

  • ShareFile Enterprise or Citrix Endpoint Management account.
  • The storage zone connector server must be a domain member, in the same forest as the network file servers.
  • The Web Server (IIS) role and ASP.NET 4.x. For more information, see Prepare your server for ShareFile data.
  • User devices: For the latest information about user device support for storage zone connectors, see the ShareFile Knowledge Base.

Connector for Network File Shares authentication

After authenticating the user, the storage zones controller server makes connections to the network file server on the authenticated user’s behalf and responds to authentication challenges presented by the file server. Storage zone connector for Network File Shares supports the following authentication methods on the file server.

  • Negotiate (Kerberos)
  • Windows Challenge/Response (NTLM)

To use Kerberos or NTLM authentication on the storage zones controller: Configure the domain controller to trust the storage zones controller for delegation.

For deployments with Citrix ADC: To provide users with a single sign-on experience when Citrix ADC is configured for basic authentication, configure the connector for both Negotiate (Kerberos) and NTLM authentication.
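
The delegation trust required here, and the delegation trust and SPN required for the SharePoint connector above, can be confirmed with a read-only query against Active Directory. The following is an added example, not part of the ShareFile tooling; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name and the account names in the usage line are placeholders.

```powershell
# Added example (not a ShareFile tool): read-only report of delegation and SPN settings.
# Requires the ActiveDirectory module (RSAT). Account names below are placeholders.
Import-Module ActiveDirectory

function Get-ConnectorDelegationReport {
    param(
        [Parameter(Mandatory = $true)][string]$ControllerName,  # storage zones controller computer account
        [string]$AppPoolAccount                                 # optional: SharePoint app pool service account
    )

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $computer = Get-ADComputer -Identity $ControllerName -Properties $props
    $targets = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Map the directory attributes to the options on the account's Delegation tab.
    $constrained = $targets.Count -gt 0 -and -not $computer.TrustedForDelegation
    if ($computer.TrustedForDelegation) {
        $mode = 'Unconstrained (any service)'
    } elseif ($constrained -and $computer.TrustedToAuthForDelegation) {
        $mode = 'Constrained (any authentication protocol)'
    } elseif ($constrained) {
        $mode = 'Constrained (Kerberos only)'
    } else {
        $mode = 'Not trusted for delegation'
    }

    # SPNs registered on the SharePoint application pool account, if one was given.
    $spns = @()
    if ($AppPoolAccount) {
        $user = Get-ADUser -Identity $AppPoolAccount -Properties ServicePrincipalName
        $spns = @($user.ServicePrincipalName | Where-Object { $_ })
    }

    # With constrained delegation, an SPN missing from the target list cannot be delegated to.
    $missing = @()
    if ($constrained) { $missing = @($spns | Where-Object { $targets -notcontains $_ }) }

    New-Object -TypeName psobject -Property ([ordered]@{
        Controller        = $computer.Name
        DelegationMode    = $mode
        DelegationTargets = $targets
        AppPoolSpns       = $spns
        SpnsNotDelegated  = $missing
    })
}

# Usage: Get-ConnectorDelegationReport -ControllerName 'SZC01' -AppPoolAccount 'svc-sharepoint'
```

An empty `AppPoolSpns` list for a SharePoint server configured for Kerberos means the SPN step has not been completed for that account.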

PowerShell scripts and commands

The storage zones controller installation includes several PowerShell scripts and commands, located in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\.

  • Run the scripts in the 32-bit (x86) version of PowerShell.

  • For best results, upgrade to PowerShell 4.0 or later, included with Windows Management Framework.

    PowerShell 2.0 causes significant problems due to compatibility issues with .NET Framework 4.
