About ShareFile StorageZones Controller
ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes StorageZones Controller and the User Management Tool.
ShareFile StorageZones Controller extends the ShareFile Software as a Service (SaaS) cloud storage by providing your ShareFile account with private data storage, referred to as StorageZones for ShareFile Data. Managing your own data storage enables you to meet regulatory compliance requirements and to locate the storage close to users for optimized performance.
You can use the ShareFile-managed cloud storage by itself or in combination with storage that you maintain, called StorageZones for ShareFile Data. The StorageZones that you maintain can reside in your on-premises single-tenant storage system or in supported third-party cloud storage, such as Amazon S3 or Windows Azure.
StorageZones Controller also provides users with secure access to SharePoint sites and network file shares through StorageZone Connectors. Connected file shares can include the same network home drives used in Citrix XenDesktop or XenApp environments. StorageZone Connectors enable you to provide secure mobile access to data residing behind your corporate firewall without the need to migrate data to the cloud.
StorageZone Connectors enable ShareFile client users to browse, upload, or download documents. For documents stored in SharePoint, mobile users can download, check out, edit, and check in Microsoft Office documents and annotate Adobe PDF documents. The mobile content editor integrated with ShareFile provides mobile users with a secure, rich editing experience, even when working offline.
The following diagram shows the key components in a high-availability deployment.
The components are:
ShareFile control subsystem — Maintained in Citrix Online data centers, the ShareFile control subsystem handles a variety of operations not related to file contents and performs StorageZones health checks.
StorageZones Controller — StorageZones Controller can host a private ShareFile storage subsystem for your data. StorageZones Controller has a Web service that handles all HTTPS operations from end users and the ShareFile control subsystem.
StorageZones for ShareFile Data — This feature provides private data storage: You can store data in an on-premises network file share that you manage or in a supported third-party storage system. Either storage option requires a network share for your private data such as encryption keys, queued files, and other temporary items. If you use third-party storage, the network share is used for your private data storage. Each StorageZones Controller in a StorageZone must use the same network share.
This figure shows the key components when third-party storage is used.
ShareFile Enterprise administrators can choose the per-folder storage location, either ShareFile-managed cloud storage or your private data storage. This feature enables you to optimize performance by locating data close to the users. It also enables you to address data sovereignty and compliance requirements.
StorageZone Connectors — StorageZone Connectors give mobile users secure access to documents on specified network file shares and to SharePoint sites, site collections, and document libraries.
StorageZone Connectors are enabled on a StorageZones Controller and integrate with ShareFile Enterprise subdomains. You can deploy StorageZone Connectors in the same zone as StorageZones for ShareFile Data. However, StorageZones for ShareFile Data is not required to use StorageZone Connectors.
StorageZones Controllers do not store any data for StorageZone Connectors. ShareFile.com stores the encrypted top-level path for StorageZone Connectors.
StorageZone Connectors are available to sites using ShareFile Enterprise or Citrix XenMobile.
By default, ShareFile stores data in the secure ShareFile-managed cloud storage. StorageZones Controller provides private data storage, either an on-premises network share that you manage or a supported third-party storage system. With StorageZones Controller, you can optimize performance by locating data storage close to users and you control storage for compliance purposes.
High availability requires at least two StorageZones Controllers per StorageZone. A StorageZone must use a single file share for all of its StorageZones Controllers.
Based on your organization’s performance and compliance requirements, consider the number of StorageZones you need and where to best locate them. For example, if you have users in Europe, storing the files in a StorageZones Controller located in Europe provides both performance and compliance benefits. In general, assigning users to the StorageZone that is closest to them geographically is the best practice for optimizing performance.
Data storage security considerations
- In an enterprise environment where the network share for a StorageZone is already secured by third-party tools, we recommend that you do not encrypt the files on the share. Although this additional security is offered as an option for maximum security when required, encrypting files on the share will make the disk unreadable by third-party tools such as antivirus scanners and filer tools, including data deduplication tools. ShareFile uses a file encryption key to confirm the validity of download requests and encrypt the storage.
- Place the StorageZones Controllers inside the network, with DMZ tools protecting them.
- For maximum security, use Citrix NetScaler or NetScaler VPX.
- Use SSL-encrypted connections to ensure the security of information transmitted between your users and StorageZones. If you are not using DMZ proxy servers, install an SSL certificate on the IIS service of all StorageZones Controllers. For a DMZ proxy server that terminates the client connection and uses HTTP, install an SSL certificate on the proxy server. Public certificates are required for standard zones or for restricted zones that have an external hostname.
- To control connections to ShareFile, IP whitelisting is not a recommended security practice because connections originate from a number of servers in the ShareFile-managed cloud storage, as well as from each individual user device. IP blacklisting, however, is an effective network-level control if your site needs additional security.
Security best practices
Your organization may need to meet specific security standards to satisfy regulatory requirements. This topic does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult http://www.citrix.com/security/, or contact your Citrix representative.
Security best practices:
- Keep all computers in your environment up to date with security patches.
- Protect all computers in your environment with antivirus software.
- Protect all computers in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
- Install a personal firewall on all computers in your environment.
- Secure and encrypt all network communications according to your security policy. You can secure all communication between Microsoft Windows computers using IPsec. Refer to your operating system documentation for information.
- Grant users only the capabilities they require.
TLS v1.2 Support
As of StorageZones Controller 4.0, administrators can limit inbound connections to a StorageZones Controller to TLS v1.2. If protocols earlier than TLS v1.2 are disabled for inbound traffic to the StorageZones Controller, all client software components that interact with the StorageZone must also support TLS v1.2.
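One way to confirm the inbound TLS v1.2 restriction from a client's point of view, as an added example that is not Citrix code: each probe pins a single protocol version for one handshake against the controller's HTTPS endpoint. The host name given on the command line and port 443 are assumptions.

```python
import socket
import ssl
import sys

# Versions to probe; the first two must be refused under a TLS v1.2-only policy.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
LEGACY = ("TLSv1.0", "TLSv1.1")


def probe(host, port, version, timeout=5.0):
    """True: handshake pinned to `version` succeeded. False: server refused it.
    None: the local OpenSSL build cannot offer that version (inconclusive)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only; certificate trust
    ctx.verify_mode = ssl.CERT_NONE  # is a separate check
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 blocks TLS < 1.2 otherwise
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    # TCP connect errors propagate: an unreachable host must not look compliant.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except ssl.SSLError as exc:
            local = getattr(exc, "reason", None) == "NO_PROTOCOLS_AVAILABLE"
            return None if local else False
        except ConnectionError:  # some servers reset instead of sending an alert
            return False


def assess(results):
    """Grade probe results against the 'TLS v1.2 only' inbound policy."""
    if any(results.get(v) is True for v in LEGACY):
        return "FAIL_LEGACY_ACCEPTED"
    if results.get("TLSv1.2") is not True:
        return "FAIL_TLS12_REFUSED"
    if any(results.get(v) is None for v in LEGACY):
        return "INCONCLUSIVE"  # re-run from a client that can still offer TLS 1.0/1.1
    return "PASS"


if __name__ == "__main__" and len(sys.argv) == 2:
    found = {name: probe(sys.argv[1], 443, v) for name, v in VERSIONS.items()}
    print(found, assess(found))
```

An `INCONCLUSIVE` result means the probing machine itself could not offer an earlier protocol, so it says nothing about the controller.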
The authentication method configured for your ShareFile Enterprise account is used to authenticate users accessing data stored in your StorageZones and on network file shares or SharePoint servers made available through StorageZone Connectors. If a user needs to use different credentials to access connected files, the user must log out of ShareFile and then log on using the alternate credentials.
ShareFile recommends that you integrate your ShareFile account with third-party authentication, such as Active Directory (AD), using one of the following methods.
Supported configurations - these configurations have been tested and are supported for most environments, and configuration guides are provided:
- ADFS 4.0 (Windows Server 2016)
- Dual IDP - ADFS and XenMobile
- NetScaler (version 10.5)
- NetScaler (version 11.1)
- Microsoft Azure AD
Additional configurations - these configurations have been successfully configured and tested by members of our engineering teams, but configuration documentation is subject to change due to continued product enhancements and improvements. Consequently, configuration guides for the following are presented as is:
- XenMobile 9
- NetScaler AAA and Kerberos KCD/NTLM Fallback
- NetScaler AAA and Client Certificate Authentication
- PingOne / PingID
ShareFile also offers a Guided SSO Setup program, in which Implementation Engineers provide setup assistance.
Standard and restricted StorageZones
You can designate a StorageZone as standard or restricted.
- A standard StorageZone is intended for non-sensitive data and enables employees to share data with non-employees.
- A restricted StorageZone protects sensitive data: Only employees can access the data stored in the zone.
The following table summarizes the differences between standard and restricted zones.
|Properties||Standard zones||Restricted zones|
|StorageZone servers can be managed by…||Citrix or you||you|
|User authentication is handled by…||
||a combination of
|Files can be shared with…||employees and third party users (that is, anyone with an email address)||employees or other users who have a domain account|
|File and folder metadata stored in the ShareFile control plane is…||stored in clear text, visible to some Citrix employees||encrypted with your private keys, which are not available to Citrix|
|Email notifications are sent using…||ShareFile mail servers or your SMTP servers||your SMTP servers|
|An external address for the zone is…||required||not required|
In a Citrix-managed zone, the ShareFile cloud performs all operations except for employee authentication, which is handled by StorageZones Controller.
In the standard zone, website maintenance and updates, client and application updates, file metadata, upload and download authorization, email notifications (SMTP), third-party user authentication, and folder permissions are handled in the cloud. Employee authentication and file storage and encryption are handled by the controller.
In the restricted zone, website maintenance and updates, client and application updates, and folder permissions are handled in the cloud. Employee authentication, file storage and encryption, file metadata, upload and download authorization, and email notifications (SMTP) are handled by the controller. Third-party user authentication is not supported in the restricted zone.
ShareFile supports a mix of standard and restricted zones within an account. You can create multiple restricted zones, each with its own unique authentication requirements. For example, if users in Domain A should not be allowed to share files with users in Domain B, install a separate restricted zone for each domain.
The rest of this section describes the workflow in ShareFile-managed, standard, and restricted zones.
When a ShareFile client interacts with a ShareFile-managed zone, all requests and traffic go through the ShareFile cloud and all of your ShareFile data is stored in the ShareFile cloud.
The following diagram summarizes the workflow for ShareFile-managed cloud storage.
When a ShareFile client interacts with a standard zone, ShareFile handles user log on requests and then authorization occurs between the ShareFile cloud and StorageZones Controller. A StorageZones Controller that hosts standard zones must have an external address and external SSL certificate. The StorageZone SSL certificate must be trusted by user devices and ShareFile web servers.
The ShareFile client interacts with StorageZones Controller during file upload or download operations. The controller stores files in the storage location defined for the zone and sends unencrypted metadata to the ShareFile cloud.
Users can share files that reside in standard zones with anyone who has an email address.
When users share or download files from a standard zone, ShareFile uses ShareFile SMTP servers to send email notifications.
The following diagram summarizes the workflow for a standard zone.
When a ShareFile client interacts with a restricted zone, ShareFile handles user log on requests. Authorization occurs between the StorageZones Controller and ShareFile client instead of between StorageZones Controller and the ShareFile cloud.
As a result, a StorageZones Controller that hosts restricted zones can reside behind your firewall and does not require an external address or external SSL certificate. The SSL certificate on the StorageZones Controller must be trusted by user devices. When StorageZones Controller is configured with an internal address, users must connect to your company network or a VPN to access documents in a restricted zone.
Access to data stored in a restricted zone has these authentication requirements:
In addition to logging on to ShareFile, users must authenticate separately to the StorageZones Controller to access documents stored in a restricted zone. Directory lookup ensures that the same user logs on to ShareFile and the zone.
This extra authentication requirement limits sharing so that documents can only be shared with users who have access to the StorageZones Controller, who authenticate using enterprise credentials, and who have permission to view the documents. Users cannot anonymously share files that are stored in a restricted zone.
Access to encryption keys and metadata also requires enterprise authentication to StorageZones Controller.
The controller uses an authenticated proxy service to read and store encrypted data in the ShareFile cloud and to exchange unencrypted metadata with ShareFile clients. StorageZones Controller encrypts your metadata with an encryption key that is unique to your organization and not available to Citrix. As a result, no one outside of your organization can see folder or file names in restricted zones.
When users share or download files from a restricted zone, your SMTP servers send the email notifications.
The following diagram summarizes the workflow for a restricted zone.