Storage zones controller

Configure Citrix ADC for storage zones controller

NetScaler, version 10.1 build 120.1316.e and later, includes a wizard that prompts you for basic information about your storage zones controller environment. Then it generates a configuration that:

  • Load balances traffic across storage zones controllers
  • Provides user authentication for storage zone connectors
  • Validates URI signatures for ShareFile uploads and downloads
  • Terminates SSL connections at the Citrix ADC appliance

The diagram shows these Citrix ADC components created by the configuration:

  • Citrix ADC content switching virtual server — Sends user requests for data from ShareFile and from storage zone connectors to the appropriate Citrix ADC load balancing virtual server.
  • Citrix ADC load balancing virtual server — Load balances the traffic for your storage zones controllers and also handles the following:
    • For requests for data from your private data storage, a load balancing virtual server performs hash validation, to ensure valid URI signatures are present on incoming requests.

    • For requests for data from storage zone connectors, a load balancing virtual server can perform user authentication. It stops a user request at the Citrix ADC, authenticates the user, and then performs single sign-on of the user to storage zones controller.

    Note:

    Authentication to storage zone connectors through Citrix ADC is optional. Due to a known issue, if authentication is enabled in Citrix ADC, storage zone connectors in WebApp do not work in Chrome, Chromium, Safari, and Edge browsers. It is compatible with other browsers and desktop/mobile clients.

As of storage zones controller 4.0, administrators can limit inbound connections to the storage zones controllers to TLS v1.2. If protocols earlier than TLS v1.2 are disabled for inbound traffic to the storage zone controller, all client software components that interact with the storage zone must also support TLS v1.2. Click here for additional information and configuration instructions.

Note:

To set up NetScaler versions before 10.1 build 120.1316.e, see Configure Citrix ADC manually.

The setup of Citrix ADC for ShareFile wizard does not handle the configuration required to use Citrix Endpoint Management as a SAML identity provider for ShareFile. For more information, click here.

Prerequisites

  • A working Citrix ADC configuration
  • Security certificate: If one is not already available in Citrix ADC, the wizard enables you to install one on the content switching virtual server.
  • Information about your Active Directory configuration (The Citrix ADC for ShareFile Wizard must be completed with the Citrix NetScaler Enterprise Edition License):
    • IP address and port of your Active Directory server
    • Active Directory domain name
    • LDAP Base DN where users are stored
    • Account name and password for an administrator account that has permissions to communicate with Active Directory

Configure Citrix ADC for storage zones controllers

The following steps describe how to use the Citrix ADC for ShareFile wizard.

  1. Log on to the Citrix ADC appliance and, on the Configuration tab, navigate to Traffic Management.

  2. Under Citrix ShareFile, click Set up Citrix ADC for ShareFile.

    You can also access the wizard as follows: Under Mobility, click Configure Endpoint Management, ShareFile, and Citrix Gateway.

  3. Supply the information requested in the wizard.

Option Description
Name A display name for the content switching virtual server.
IP Address The external (public or DMZ) IP address to be used for the content switching virtual server. If you use a DMZ IP address, you must define a Network Address Translation (NAT) mapping from your external firewall address to this DMZ IP address.
ShareFile Data This option is enabled, indicating that you will use the Citrix ADC connection for storage zones for ShareFile Data.
storage zone connectors for Network File Share/SharePoint If you use connectors and you want to perform user authentication at the Citrix ADC, select the check box.
Certificate Choose a certificate or install one for the content switching virtual server. If you choose to install a certificate, you are prompted to upload the certificate and private key. For standard zones, certificates must be publicly trusted and not self-signed.
storage zones controller IP Address The internal IP addresses for one or more storage zones controller servers. These IP addresses define the storage zones controller servers as entities inside Citrix ADC. If you already added the servers to Citrix ADC, click Add From Existing and select the servers. To use Citrix ADC for load balancing, enter an internal IP address for each storage zones controller server. To use Citrix ADC only for SSL and authentication, enter just one IP address.
Port and Protocol The port and protocol used for communication from the Citrix ADC to storage zones controllers.
The authentication, authorization, and auditing (Citrix ADC AAA) virtual server IP Address An unused internal IP address for the Citrix ADC AAA virtual server. Citrix ADC creates this virtual server for its own use. The server does not require outside access.
LDAP Server IP Address and Port The IP address and port of your Active Directory server. If you already added an LDAP server to Citrix ADC, click the Choose LDAP tab and choose the server.
Time out The maximum number of seconds that the Citrix ADC waits for a response from the LDAP server. Defaults to 3 seconds. The minimum value is 1 second.
Single Sign-on Domain The Active Directory domain name.
Base DN (location of users) The LDAP Base Distinguished Name (DN) where users are stored. Specify the DN using the general form: CN=Users,dc=domain, dc=Net
Administrator Bind DN and Password An administrator account that has permissions to communicate with Active Directory.
Logon Name An LDAP attribute, used by Citrix ADC to determine whether users log on with their user name or email address. Defaults to sAMAccountName, which enables users to log on with their user names. To require users to enter their email address to log on, change this field to userPrincipalName.

Configure Citrix ADC for web access to connectors

To support web access to storage zone connectors, you must perform additional Citrix ADC configuration after you complete the Citrix ADC for ShareFile wizard.

  • Create and configure a third Citrix ADC load-balancing virtual server, used to ensure that ShareFile clients send credentials only when logged on to a trusted ShareFile domain.

    As described in the following steps, you will configure the additional virtual server to allow anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes through to storage zones controller without being authenticated and without HTTPS callouts to validate the signature. The CORS preflight check validates domain trust before sending credentials.

    An understanding of CORS is not needed to perform the configuration. However, for more information about CORS, see http://enable-cors.org/.

  • To support web access to storage zone connectors, add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.

Perform the following steps in Citrix ADC after you complete the Citrix ADC for ShareFile wizard.

  1. Create a third load-balancing virtual server:
    1. Navigate to Traffic Management > Load Balancing > Virtual Servers.

    2. Click Add.

    3. Specify the following values:

      Option Value
      Name A policy name, such as SF_ZONE_OPTIONS
      Protocol SSL
      IP Address Type Non Addressable
    4. Click through to create the virtual server.

    5. To bind the same services to it as the load-balancing virtual servers created by the wizard: In the Load Balancing Virtual Server screen, across from Service, click > and then click Save.

    6. Add a certificate to the virtual server.

  2. Create a policy for the virtual server you just added:
    1. Navigate to Traffic Management > Content Switching > Policies.

    2. In the details pane, click Add and then specify the Name, Target LB Virtual Server, and Expression values. Click Expression Editor and then build this expression. Select HTTP. Select REQ. Select METHOD. Select EQ(String) and type OPTIONS. The expression should read as follows: HTTP.REQ.METHOD.EQ("OPTIONS")

    3. Click Done.

    4. Click Create.

  3. Bind the policy you just created to the new load-balancing virtual server:
    1. Navigate to Traffic Management > Content Switching > Virtual Servers.

    2. In the list, click the virtual server and click Edit.

    3. Navigate to the section of Content Switching Policy Binding and click 2 Content Switching Policies.

    4. Click Add Binding.

    5. Select the new Content Policy and select the Target Load Balancing Virtual Server.

    6. Click Bind.

    7. Click Edit Binding and update the Priority. Change the priority of the new policy so it has the lowest number of the three policies.

      The policy with the lowest value has the highest priority and so is handled first.

  4. Update the policy used for traffic to storage zone connectors (_SF_CIF_SP_CSPOL):
    1. Navigate to Traffic Management > Content Switching > Policies.

    2. Select the _SF_CIF_SP_CSPOL policy.

    3. Add the following to the policy expression:

      || HTTP.REQ.URL.CONTAINS("/ProxyService/")
      <!--NeedCopy-->
      

      The full policy expression should be as follows:

      HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/") ||
      HTTP.REQ.URL.CONTAINS("/ProxyService/")
      <!--NeedCopy-->
      
  5. Update the policy used for traffic to storage zones for ShareFile Data (_SF_SZ_CSPOL):
    1. Navigate to Traffic Management > Content Switching > Policies.

    2. Select the _SF_SZ_CSPOL policy.

    3. Add the following to the policy expression:

      && HTTP.REQ.URL.CONTAINS("/ProxyService/").NOT
      <!--NeedCopy-->
      

      The full policy expression should be as follows:

      HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/“).NOT
      && HTTP.REQ.URL.CONTAINS("/ProxyService/").NOT
      <!--NeedCopy-->
      

Configure Citrix ADC for view-only sharing

To support the view-only sharing, users must be able to access your Microsoft Office Web Apps Server (OWA). If your OWA server is externally accessible on its own address, no additional Citrix ADC configuration should be required for your storage zones controller.

If you want to combine the storage zones controller and Office Web App Server onto a single external address using Citrix ADC content switching policies, you must perform additional Citrix ADC configuration after you complete the Citrix ADC for ShareFile wizard. Citrix ADC configuration is required to ensure that traffic is routed to your externally accessible OWA Server properly.

Once the following Citrix ADC rules are configured, Administrators can reuse the existing External address of their storage zones controller zone, eliminating the need to create an additional external address for OWA.

To create and configure an additional Citrix ADC load-balancing virtual server:

  1. Create an additional load-balancing service.
    • Navigate to Traffic Management > Load Balancing > Services.
    • Click Add.
    • Enter the required information to create a service that corresponds to your OWA server(s). Click OK.
  2. Create an additional load-balancing virtual server:
    • Navigate to Traffic Management > Load Balancing > Virtual Servers.
    • Click Add.
    • Specify the following values:

      Option Value
      Name A policy name, such as SF_OWA_vServer
      Protocol SSL
      IP Address Type Non Addressable
    • Click through to create the virtual server.
    • To bind the virtual server to the OWA service you created in the previous step, click Load Balancing Virtual Service Binding > Select Service. Click the check box beside the service you created in the previous step.
    • Click Select.
    • Click Bind.
  3. Create a new policy used to route traffic to your OWA server.
    • Navigate to Traffic Management > Content Switching > Policies.
    • Select Add.
    • Name the policy.
    • Add the following expression:
      • HTTP.REQ.URL.CONTAINS(“/hosting/discovery”) || HTTP.REQ.URL.CONTAINS("/x/") || HTTP.REQ.URL.CONTAINS("/wv/") || HTTP.REQ.URL.CONTAINS("/p/")

        The full policy expression should be as follows:

        HTTP.REQ.URL.CONTAINS(“/hosting/discovery”) || HTTP.REQ.URL.CONTAINS("/x/") || HTTP.REQ.URL.CONTAINS("/wv/") || HTTP.REQ.URL.CONTAINS("/p/")

  4. Update the priority of the new policy within the load-balancing virtual
    • Navigate to Traffic Management > Content Switching > Virtual Servers.
    • Click the load-balancing virtual server, then select Content Switching Policies.
    • Change the priority of the policies so that the (Example) “_SF_OWA” policy is third in priority.

      Priority Policy Name
      90 SF_ZK_OPTIONS
      95 _SF_CIF_SP_SPOL
      99 _SF_OWA
      100 _SF_SZ_CSPOL
  • Click Close. Click Done

Create a monitor for the storage zones controller service

By default, Citrix ADC pings the storage zones controller server to determine if it is online. However, even if the controller is online, it might not be able to send heartbeat messages to the ShareFile website. In that case, Citrix ADC will send traffic to storage zones controller although it is not communicating with ShareFile.

To verify storage zones controller outbound connectivity to ShareFile, you can create a monitor that checks heartbeat.aspx and bind it to the Citrix ADC service for each storage zones controller.

    add lb monitor SZC_Heartbeat HTTP-ECV -send "GET /heartbeat.aspx" -recv "***ONLINE***” -secure YES
bind service StorageZone_Svc -monitorName SZC_Heartbeat
<!--NeedCopy-->

StorageZone_Svc is the Citrix ADC service that corresponds to a storage zones controller. That service name is automatically created by the Citrix ADC for ShareFile wizard. The service name includes the IP address of the controller, such as SF_SVC_ip-address.

-secure YES is required if the service is listening on port 443.

Verify the Citrix ADC configuration

After you complete the wizard, go to Traffic Management > Load Balancing > Virtual Servers to view the status of the load balancing virtual servers created by the wizard.

View the throughput of ShareFile requests through Citrix ADC

Throughput statistics can be found on the Dashboard menu.

Configure Citrix ADC for storage zones controller