Product Documentation

Architecture overview

Apr 25, 2016

This section provides an overview of deploying StorageZones Controller for proof-of-concept evaluations and for high-availability production environments. High-availability deployment is shown both with and without a DMZ proxy such as Citrix NetScaler.

To evaluate a deployment with multiple StorageZones Controllers, follow the guidelines for a high availability deployment.

Each of the deployment scenarios requires a ShareFile Enterprise account. By default, ShareFile stores data in the secure ShareFile-managed cloud. To use private data storage, either an on-premises network share or a supported third-party storage system, configure StorageZones for ShareFile Data.

To securely deliver data to users from network file shares or SharePoint document libraries, configure StorageZone Connectors.

StorageZones Controller proof-of-concept deployment

Caution: A proof-of-concept deployment is intended for evaluation purposes only and should not be used for critical data storage.

A proof-of-concept deployment uses a single StorageZones Controller. The example deployment discussed in this section has both StorageZones for ShareFile Data and StorageZone Connectors enabled.

To evaluate a single StorageZones Controller, you can optionally store data in a folder (such as C:\ZoneFiles) on the hard drive of the StorageZones Controller instead of on a separate network share. All other system requirements apply to an evaluation deployment.

While you can use a mix of standard and restricted zones within your account, you must deploy separate StorageZones Controllers for standard zones (accessible to employees and non-employees) and restricted zones (accessible to employees only). After you configure a StorageZones Controller, you cannot change its zone type.

You can create multiple restricted zones, each with their own authentication requirements. For example, if users in Domain A should not be allowed to share files with users in Domain B, install a separate restricted zone for each domain.

Proof-of-concept deployment for standard StorageZones

A StorageZones Controller configured for standard zones must accept in-bound connections from the ShareFile cloud. To do that, the controller must have a publicly accessible Internet address and SSL enabled for communications with the ShareFile cloud. The following figure indicates the traffic flow between user devices, the ShareFile cloud, and StorageZones Controller.


Proof-of-concept deployment for standard zones

In this scenario, one firewall stands between the Internet and the secure network. StorageZones Controller resides inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install a public SSL certificate on the IIS service of the StorageZones Controller.

Proof-of-concept deployment for restricted StorageZones

A StorageZones Controller configured for restricted zones does not need to accept in-bound connections from the ShareFile cloud: You can configure it with an internal address. The following figure indicates the traffic flow between user devices, the ShareFile cloud, and StorageZones Controller.


Proof-of-concept deployment for restricted zones

In this scenario, one firewall stands between the Internet and the secure network. StorageZones Controller resides inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install an SSL certificate, which can be private, on the IIS service of the StorageZones Controller.

For restricted zones, StorageZones Controller sends email notifications from your local SMTP server instead of from ShareFile.

StorageZones Controller high availability deployment

For a production deployment of ShareFile with high-availability, the recommended best practice is to install at least two StorageZones Controllers. When you install the first controller, you create a StorageZone. When you install the other controllers, you join them to the same zone. StorageZones Controllers that belong to the same zone must use the same file share for storage.

In a high availability deployment the secondary servers are independent, fully functioning StorageZones Controllers. The StorageZones control subsystem randomly chooses a StorageZones Controller for operations. If the primary server goes offline, you can easily promote a secondary server to primary. You can also demote a server from primary to secondary.

While you can use a mix of standard and restricted zones within your account, you must deploy separate StorageZones Controllers for standard zones (accessible to employees and non-employees) and restricted zones (accessible to employees only). After you configure a StorageZones Controller, you cannot change its zone type.

You can create multiple restricted zones, each with their own authentication requirements. For example, if users in Domain A should not be allowed to share files with users in Domain B, install a separate restricted zone for each domain.

High availability deployment for standard zones

StorageZones Controllers configured for standard StorageZones must accept in-bound connections from the ShareFile cloud. To do that each controller must have a publicly accessible internet address and SSL enabled for communications with the ShareFile cloud. You can configure multiple external public addresses, each associated with a different StorageZones Controller. The following figure shows a high availability deployment for standard StorageZones.


High availability deployment for standard StorageZones

In this scenario, one firewall stands between the Internet and the secure network. The StorageZones Controllers reside inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install a public SSL certificate on the IIS service of all StorageZones Controllers.

High availability deployment for restricted zones

StorageZones Controllers configured for restricted zones do not need to accept in-bound connections from the ShareFile cloud: You can configure each one with an internal address. The following figure shows a high availability deployment for restricted zones.


High availability deployment for restricted zones

In this scenario, one firewall stands between the Internet and the secure network. The StorageZones Controllers reside inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install an SSL certificate, which can be private, on the IIS service of all StorageZones Controllers.

For restricted zones, StorageZones Controller sends email notifications from your local SMTP server instead of from ShareFile.

Shared storage configuration

StorageZones Controllers that belong to the same StorageZone must use the same file share for storage. A StorageZones Controller accesses the share using the identity of its IIS application pool. By default, application pools run under the Network Service account, which has limited user rights, and a StorageZones Controller uses that account unless you configure otherwise.

You can use a named user account instead of the Network Service account to access the share. To use a named user account, specify the user name and password on the StorageZones console Configuration page; the share must grant that account only the access the controller needs. Continue to run the IIS application pool and the Citrix ShareFile Services under the Network Service account.

Network connections

Network connections vary based on the type of zone: Citrix-managed, standard, or restricted.

Citrix-managed zones

The following table describes the network connections that occur when a user logs onto ShareFile and then downloads a document from a Citrix-managed zone. All connections use HTTPS.

Step  Action                                        Source   Destination
1     User logon request                            Client   company.sharefile.com:443
2     (Optional) Redirect to SAML IDP logon         Client   SAML Identity Provider URL
3     File/folder enumeration and download request  Client   company.sharefile.com:443
4     File download                                 Client   storage-location.sharefile.com:443

Standard StorageZones

The following table describes the network connections that occur when a user logs onto ShareFile and then downloads a document from a standard StorageZone. All connections use HTTPS.

Step  Action                                             Source                 Destination
1     User logon request                                 Client                 company.sharefile.com
2     (Optional) If using ADFS, redirect to SAML IDP logon  Client              SAML Identity Provider URL
3     File/folder enumeration and download request       Client                 company.sharefile.com
4     File download authorization                        company.sharefile.com  szc.company.com
5     File download                                      Client                 szc.company.com

Restricted zones

The following table describes the network connections that occur when a user logs onto ShareFile and then downloads a document from a restricted zone. All connections use HTTPS.

Step  Action                                                   Source           Destination
1     User logon request                                       Client           company.sharefile.com
2     If using ADFS, redirect to SAML IDP logon                Client           SAML Identity Provider URL
3     File/folder enumeration and download request             Client           szc.company.com
4     File download authorization and get encrypted metadata   szc.company.com  company.sharefile.com
5     File download                                            Client           szc.company.com

StorageZones Controller DMZ proxy deployment

A demilitarized zone (DMZ) provides an extra layer of security for the internal network. A DMZ proxy, such as Citrix NetScaler VPX, is an optional component used to:

  • Ensure all requests to a StorageZones Controller originate from the ShareFile cloud, so that only approved traffic reaches the StorageZones Controllers.

    StorageZones Controller has a validate operation that checks for valid URI signatures for all incoming messages. The DMZ component is responsible for validating signatures before forwarding messages.

  • Load balance requests to StorageZones Controllers using real-time status indicators.

    Operations can be load-balanced to StorageZones Controllers if they all can access the same files.

  • Offload SSL from StorageZones Controllers.
  • Ensure requests for files on SharePoint or network drives are authenticated before passing through the DMZ.
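The signature check described in the first bullet, as an added example that is not Citrix or ShareFile code: a DMZ proxy decides whether to forward a request to a StorageZones Controller based on whether the request URI carries a valid, unexpired signature. Because clients download directly from szc.company.com (step 5 in the standard-zone tables above), the signature, not the source address, is what proves that the ShareFile cloud issued the request. The concrete scheme here (HMAC-SHA256 over the HTTP method, the path and the sorted query parameters, with an "expires" parameter and the signature in a "sig" parameter) and the shared secret are assumptions for illustration; the page does not describe ShareFile's real URI-signature format.

```python
# Added example (not ShareFile/Citrix code): DMZ-proxy style validation of a
# signed request URI before it is forwarded to a StorageZones Controller.
# Scheme, parameter names and secret are assumptions made for this example.
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed secret for the example only; in a deployment this is the secret
# shared by the ShareFile cloud and the zone, never a literal in code.
ZONE_SECRET = b"constructed-zone-secret-for-example-only"
SIG_PARAM = "sig"       # assumed name of the signature parameter
EXP_PARAM = "expires"   # assumed name of the expiry (Unix time) parameter


def _canonical(method, path, params):
    """Canonical string that is signed: method, path, sorted query (minus sig)."""
    return "{}\n{}\n{}".format(method.upper(), path, urlencode(sorted(params))).encode()


def sign_uri(method, uri, secret, ttl_seconds=300, now=None):
    """Return the URI with an expiry and HMAC-SHA256 signature appended
    (what the issuing side, here standing in for the ShareFile cloud, does)."""
    parts = urlsplit(uri)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in (SIG_PARAM, EXP_PARAM)]
    expires = int((now if now is not None else time.time()) + ttl_seconds)
    params.append((EXP_PARAM, str(expires)))
    mac = hmac.new(secret, _canonical(method, parts.path, params), hashlib.sha256).hexdigest()
    params.append((SIG_PARAM, mac))
    return parts._replace(query=urlencode(params)).geturl()


def validate_uri(method, uri, secret, now=None):
    """DMZ check: (True, 'ok') only if the URI has exactly one sig and one
    expires parameter, the expiry is in the future, and the HMAC over the
    method, path and remaining parameters matches. Anything else is refused
    and the reason is returned so the proxy can log it."""
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    exps = [v for k, v in params if k == EXP_PARAM]
    if len(sigs) != 1 or len(exps) != 1:
        return False, "missing or duplicated sig/expires parameter"
    try:
        exp = int(exps[0])
    except ValueError:
        return False, "expires is not an integer"
    if (now if now is not None else time.time()) >= exp:
        return False, "signature expired"
    unsigned = [(k, v) for k, v in params if k != SIG_PARAM]
    expected = hmac.new(secret, _canonical(method, parts.path, unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # characters of a forged signature were right.
    if not hmac.compare_digest(expected, sigs[0]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: a download URI for a standard-zone controller.
    signed = sign_uri("GET", "https://szc.company.com/download/abc123?user=alice", ZONE_SECRET)
    print(signed)
    print(validate_uri("GET", signed, ZONE_SECRET))
    # Tampering with the path (a different file) invalidates the signature.
    print(validate_uri("GET", signed.replace("abc123", "xyz789"), ZONE_SECRET))
```

The path and method are part of the signed string, so a signature issued for one file cannot be replayed against another, and the expiry bounds how long a captured URI stays useful. When the DMZ proxy performs this validation, leaving the controller's own validate operation enabled as well costs little and keeps a misconfigured proxy from silently forwarding unsigned requests.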

You must use separate deployments for standard StorageZones (accessible to employees and non-employees) and restricted StorageZones (accessible to employees only).

NetScaler and StorageZones Controller deployment

Deployment for standard StorageZones

StorageZones Controllers configured for standard zones must accept in-bound connections from the ShareFile cloud. To do that, the NetScaler must have a publicly accessible Internet address and SSL enabled for communications with the ShareFile cloud. The following figure shows a NetScaler and StorageZones Controller deployment for standard zones.


NetScaler and StorageZones Controllers with standard zones

In this scenario, two firewalls stand between the Internet and the secure network. StorageZones Controllers reside in the internal network. User connections to ShareFile must traverse the first firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install a public SSL certificate on the IIS service of the DMZ proxy servers (if they terminate the user connection).

Deployment for restricted StorageZones

The following figure shows a NetScaler and StorageZones Controller deployment for restricted zones.

NetScaler and StorageZones Controllers with restricted zones

For restricted zones, StorageZones Controller sends email notifications from your local SMTP server instead of from ShareFile.

Network connections for standard zones

The following diagram and table describe the network connections that occur when a user logs onto ShareFile and then downloads a document from a standard zone deployed behind NetScaler. In this case, the account uses Active Directory Federation Services (ADFS) for SAML logon.

Authentication traffic is handled in the DMZ by an ADFS proxy server that communicates with an ADFS server on the trusted network. File traffic passes through NetScaler in the DMZ, which terminates SSL, authenticates user requests, and then accesses the StorageZones Controller in the trusted network on behalf of authenticated users. The NetScaler external address for ShareFile is accessed using the Internet FQDN szc.company.com.


Logon and download connections for on-premises StorageZones using NetScaler

Step  Action                                        Source          Destination                          Protocol
1     User logon request                            Client          company.sharefile.com                HTTPS
2     (Optional) Redirect to SAML IDP logon         Client          SAML Identity Provider URL           HTTPS
2a    ADFS logon                                    ADFS proxy      ADFS server                          HTTPS
3     File/folder enumeration and download request  Client          company.sharefile.com                HTTPS
4     File download authorization                   ShareFile       szc.company.com (external address)   HTTP(S)
4a    File download authorization                   NetScaler NSIP  StorageZones Controller              HTTPS
5     File download                                 Client          szc.company.com (external address)   HTTPS
5a    File download                                 NetScaler NSIP  StorageZones Controller              HTTP(S)

The following diagram and table extend the previous scenario to show the network connections for StorageZone Connectors. This scenario includes use of NetScaler in the DMZ to terminate SSL and perform user authentication for Connectors access.


Logon and download connections for StorageZone Connectors using NetScaler

Step  Action                                                Source                   Destination                          Protocol
1     User logon request                                    Client                   company.sharefile.com                HTTPS
2     (Optional) Redirect to SAML IDP logon                 Client                   SAML Identity Provider URL           HTTPS
2a    ADFS logon                                            ADFS proxy               ADFS server                          HTTPS
3     Top-level Connector enumeration                       Client                   company.sharefile.com                HTTPS
4     User logon to StorageZones Controller server          Client                   szc.company.com (external address)   HTTPS
5     User authentication                                   NetScaler NSIP           AD Domain Controller                 LDAP(S)
6     File/folder enumeration and upload/download requests  NetScaler NSIP           StorageZones Controller              HTTP(S)
7     Network share enumeration and upload/download         StorageZones Controller  File server                          CIFS or DFS
7a    SharePoint enumeration and upload/download            StorageZones Controller  SharePoint                           HTTP(S)

The following diagram summarizes the supported combinations of authentication types based on whether the user authenticates at NetScaler.


Supported authentication type combinations

Network connections for restricted zones

The following diagram and table describe the network connections that occur when a user logs onto ShareFile and then uploads a document to a restricted zone. In this case, the account uses Active Directory Federation Services (ADFS) for SAML logon. Authentication traffic is handled by an ADFS proxy server that communicates with an ADFS server on the trusted network.


Network connections for restricted zones

Step  Action                                                                     Source                   Destination                                     Protocol
1     ShareFile client or browser opens connection                               Client                   company.sharefile.com or company.sharefile.eu   HTTPS
2     (Optional) Redirect to SAML IDP logon                                      Client                   SAML Identity Provider URL                      HTTPS
3     ShareFile redirects user to StorageZones Controller                        Client                   company.sharefile.com or company.sharefile.eu   HTTPS
4     Client submits Windows credentials to StorageZones Controller              Client                   StorageZones Controller                         HTTPS
5     StorageZones Controller verifies credentials and grants client access      StorageZones Controller  Domain controller                               Kerberos
6     Client uploads a file to StorageZones Controller                           Client                   StorageZones Controller                         HTTPS
7     File is written to the storage repository for the restricted zone          StorageZones Controller  Local storage                                   CIFS
8     StorageZones Controller encrypts file metadata and sends it to ShareFile   StorageZones Controller  company.sharefile.com or company.sharefile.eu   HTTPS