Configure NetScaler for StorageZones Controller

Mar 12, 2018

NetScaler, version 10.1 build 120.1316.e and above, includes a wizard that prompts you for basic information about your StorageZones Controller environment and then generates a configuration that:

  • Load balances traffic across StorageZones Controllers
  • Provides user authentication for StorageZone Connectors
  • Validates URI signatures for ShareFile uploads and downloads
  • Terminates SSL connections at the NetScaler appliance

NetScaler deployment configuration

The diagram shows these NetScaler components created by the configuration:

  • NetScaler content switching virtual server — Sends user requests for data from ShareFile and from StorageZone Connectors to the appropriate NetScaler load balancing virtual server.
  • NetScaler load balancing virtual server — Load balances the traffic for your StorageZones Controllers and also handles the following:
    • For requests for data from your private data storage, a load balancing virtual server performs hash validation to ensure that valid URI signatures are present on incoming requests.
    • For requests for data from StorageZone Connectors, a load balancing virtual server performs user authentication. It stops a user request at the NetScaler, authenticates the user, and then performs single sign-on of the user to StorageZones Controller.

      Although authentication to NetScaler is optional, it is a recommended best practice.

To support restricted zones or web access to Connectors, you must perform additional NetScaler configuration after you complete the wizard. The configuration ensures that ShareFile clients send credentials only when logged on to a trusted ShareFile domain. To support web access to Connectors, you also add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.

As of StorageZones Controller 4.0, administrators can limit inbound connections to a StorageZones Controller to TLS v1.2. If protocols earlier than TLS v1.2 are disabled for inbound traffic to the StorageZones Controller, all client software components that interact with the StorageZone must also support TLS v1.2. Click here for additional information and configuration instructions.

Note: To set up NetScaler versions prior to 10.1 build 120.1316.e, see Configure NetScaler manually.

The Set up NetScaler for ShareFile wizard does not handle the configuration required to use XenMobile as a SAML identity provider for ShareFile. For more information, click here.

Prerequisites

  • A working NetScaler configuration
  • Security certificate: If one is not already available in NetScaler, the wizard enables you to install one on the content switching virtual server.
  • Information about your Active Directory configuration (the NetScaler for ShareFile wizard cannot be completed without a NetScaler Enterprise Edition license):
    • IP address and port of your Active Directory server
    • Active Directory domain name
    • LDAP Base DN where users are stored
    • Account name and password for an administrator account that has permissions to communicate with Active Directory

Configure NetScaler for StorageZones Controllers

The following steps describe how to use the NetScaler for ShareFile wizard.

  1. Log on to the NetScaler appliance and, on the Configuration tab, navigate to Traffic Management.
  2. Under Citrix ShareFile, click Set up NetScaler for ShareFile.

    You can also access the wizard as follows: Under Mobility, click Configure XenMobile, ShareFile, and NetScaler Gateway.

  3. Supply the information requested in the wizard.
    Name: A display name for the content switching virtual server.
    IP Address: The external (public or DMZ) IP address to be used for the content switching virtual server. If you use a DMZ IP address, you must define a Network Address Translation (NAT) mapping from your external firewall address to this DMZ IP address.
    ShareFile Data: This option is enabled, indicating that you will use the NetScaler connection for StorageZones for ShareFile Data.
    StorageZone Connectors for Network File Shares/SharePoint: If you use Connectors and you want to perform user authentication at the NetScaler, select the check box.
    Certificate: Choose a certificate or install one for the content switching virtual server. If you choose to install a certificate, you are prompted to upload the certificate and private key. For standard zones or for restricted zones with an external hostname, certificates must be publicly trusted and not self-signed.
    StorageZones Controller IP Address: The internal IP addresses for one or more StorageZones Controller servers. These IP addresses define the StorageZones Controller servers as entities inside NetScaler. If you already added the servers to NetScaler, click Add From Existing and select the servers.

    To use NetScaler for load balancing, enter an internal IP address for each StorageZones Controller server. To use NetScaler only for SSL and authentication, enter just one IP address.

    Port and Protocol: The port and protocol used for communication from the NetScaler to StorageZones Controllers.
    AAA VServer IP Address: An unused internal IP address for the Authentication, Authorization, and Auditing (AAA) virtual server. NetScaler creates this virtual server for its own use. The server does not require outside access.
    LDAP Server IP Address and Port: The IP address and port of your Active Directory server. If you already added an LDAP server to NetScaler, click the Choose LDAP tab and choose the server.
    Time out: The maximum number of seconds that the NetScaler waits for a response from the LDAP server. Defaults to 3 seconds. The minimum value is 1 second.
    Single Sign-on Domain: The Active Directory domain name.
    Base DN (location of users): The LDAP Base Distinguished Name (DN) where users are stored. Specify the DN using the general form: CN=Users,dc=domain,dc=Net
    Administrator Bind DN and Password: An administrator account that has permissions to communicate with Active Directory.
    Logon Name: An LDAP attribute, used by NetScaler to determine whether users log on with their user name or email address. Defaults to sAMAccountName, which enables users to log on with their user names. To require users to enter their email address to log on, change this field to userPrincipalName.

Configure NetScaler for restricted zones or web access to Connectors

To support restricted zones or web access to StorageZone Connectors, you must perform additional NetScaler configuration after you complete the NetScaler for ShareFile wizard.

  • Create and configure a third NetScaler load-balancing virtual server, used to ensure that ShareFile clients send credentials only when logged on to a trusted ShareFile domain.

    StorageZones Controller uses the Cross-Origin Resource Sharing (CORS) standard to provide the necessary security for requests to restricted zones and from the ShareFile web interface to StorageZone Connectors. CORS uses HTTP headers to allow the client and server to know enough about each other to determine if a request or response should succeed.

    As described in the following steps, you will configure the additional virtual server to allow anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes through to StorageZones Controller without being authenticated and without HTTPS callouts to validate the signature. The CORS preflight check validates domain trust before sending credentials.

    An understanding of CORS is not needed to perform the configuration. However, for more information about CORS, see http://enable-cors.org/.

    Use of Internet Explorer for web access to connectors in restricted zones requires Internet Explorer configuration. For details, see Client requirements for restricted StorageZones.

  • To support web access to StorageZone Connectors, add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.

The additional configuration provides the NetScaler components shown in the following diagram.


NetScaler components for restricted zones

Perform the following steps in NetScaler after you complete the NetScaler for ShareFile wizard.

  1. Create a third load-balancing virtual server:
    1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
    2. Click Add.
    3. Specify the following values:
      Name: A name for the virtual server, such as SF_ZONE_OPTIONS
      Protocol: SSL
      IP Address Type: Non Addressable
    4. Click through to create the virtual server.
    5. To bind the same services to it as the load-balancing virtual servers created by the wizard: In the Load Balancing Virtual Server screen, across from Service, click > and then click Save.
    6. Add a certificate to the virtual server.
  2. Create a policy for the virtual server you just added:
    1. Navigate to Traffic Management > Content Switching > Policies.
    2. In the details pane, click Add and then specify the following values:
      Name: A name for the content switching action, such as OPTIONS
      Target LB Virtual Server: The virtual server added in Step 1
      Expression: Click Expression Editor and build the expression by selecting HTTP, then REQ, then METHOD, then EQ(String), and typing OPTIONS. The expression should read as follows:

      HTTP.REQ.METHOD.EQ("OPTIONS")

    3. Click Done.
    4. Click Create.
  3. Bind the policy you just created to the new load-balancing virtual server:
    1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
    2. In the list, click the new virtual server.
    3. Click Bind.
    4. Select the check box for the policy you just created.
    5. Click Insert.
    6. Change the priority of the new policy so it has the lowest number of the three policies.

      The policy with the lowest value has the highest priority and so is handled first.

  4. Update the policy used for traffic to StorageZone Connectors (_SF_CIF_SP_CSPOL):
    1. Navigate to Traffic Management > Content Switching > Policies.
    2. Select the _SF_CIF_SP_CSPOL policy.
    3. Add the following to the policy expression:

      || HTTP.REQ.URL.CONTAINS("/ProxyService/")

      The full policy expression should be as follows:

      HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/") || HTTP.REQ.URL.CONTAINS("/ProxyService/")

  5. Update the policy used for traffic to StorageZones for ShareFile Data (_SF_SZ_CSPOL):
    1. Navigate to Traffic Management > Content Switching > Policies.
    2. Select the _SF_SZ_CSPOL policy.
    3. Add the following to the policy expression:

      && HTTP.REQ.URL.CONTAINS("/ProxyService/").NOT

      The full policy expression should be as follows:

      HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT && HTTP.REQ.URL.CONTAINS("/ProxyService/").NOT

Configure NetScaler for View-Only Sharing

To support View-Only Sharing, users must be able to access your Microsoft Office Web Apps Server (OWA). If your OWA server is externally accessible on its own address, no additional NetScaler configuration should be required for your StorageZones Controller.

If you wish to combine the StorageZones Controller and Office Web App Server onto a single external address using NetScaler content switching policies, you must perform additional NetScaler configuration after you complete the NetScaler for ShareFile wizard. NetScaler configuration is required to ensure that traffic is routed to your externally accessible OWA Server properly.

Once the following NetScaler rules are configured, Administrators may re-use the existing External address of their StorageZones Controller zone, eliminating the need to create an additional external address for OWA.

To create and configure an additional NetScaler load-balancing virtual server:

  1. Create an additional load-balancing service.
    • Navigate to Traffic Management > Load Balancing > Services.
    • Click Add.
    • Enter the required information to create a service that corresponds to your OWA server(s). Click OK.
  2. Create an additional load-balancing virtual server:
    • Navigate to Traffic Management > Load Balancing > Virtual Servers.
    • Click Add.
    • Specify the following values:
      Name: A name for the virtual server, such as SF_OWA_vServer
      Protocol: SSL
      IP Address Type: Non Addressable
    • Click through to create the virtual server.
    • To bind the virtual server to the OWA service you created in the previous step, click Load Balancing Virtual Service Binding > Select Service. Click the checkbox beside the service you created in the previous step.
    • Click Select.
    • Click Bind.
  3. Create a new policy used to route traffic to your OWA server.
    • Navigate to Traffic Management > Content Switching > Policies.
    • Select Add.
    • Name the policy.
    • Add the following expression:

      HTTP.REQ.URL.CONTAINS("/hosting/discovery") || HTTP.REQ.URL.CONTAINS("/x/") || HTTP.REQ.URL.CONTAINS("/wv/") || HTTP.REQ.URL.CONTAINS("/p/")
  4. Update the priority of the new policy within the load-balancing virtual server:
    • Navigate to Traffic Management > Content Switching > Virtual Servers.
    • Click the load-balancing virtual server, then select Content Switching Policies.
    • Change the priority of the policies so that the new policy (_SF_OWA in this example) is third in priority:
      Priority 90: SF_ZONE_OPTIONS
      Priority 95: _SF_CIF_SP_CSPOL
      Priority 99: _SF_OWA
      Priority 100: _SF_SZ_CSPOL
    • Click Close, and then click Done.
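To check what the policy set described in the two procedures above actually does with a request, the following Python simulation (an added example, not code from the Citrix documentation or from NetScaler itself) evaluates the four content switching policies lowest priority number first, as the NetScaler does, and shows why the OPTIONS policy must be evaluated first and _SF_OWA must sit ahead of _SF_SZ_CSPOL. The names CIFS_SP_LB_VSERVER and SZ_LB_VSERVER are assumed placeholders for the two load-balancing virtual servers the wizard creates.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Request:
    method: str
    url: str

@dataclass(frozen=True)
class CsPolicy:
    name: str
    priority: int                    # lower number = evaluated first, as on the NetScaler
    target: str                      # load-balancing vserver that receives the request
    rule: Callable[[Request], bool]  # the policy expression

def url_contains(*fragments: str) -> Callable[[Request], bool]:
    """HTTP.REQ.URL.CONTAINS(a) || HTTP.REQ.URL.CONTAINS(b) || ..."""
    return lambda r: any(f in r.url for f in fragments)

def url_contains_none(*fragments: str) -> Callable[[Request], bool]:
    """HTTP.REQ.URL.CONTAINS(a).NOT && HTTP.REQ.URL.CONTAINS(b).NOT && ..."""
    return lambda r: not any(f in r.url for f in fragments)

# Priorities as in the document's table; CIFS_SP_LB_VSERVER and SZ_LB_VSERVER are
# assumed placeholder names for the two LB vservers the wizard creates.
POLICIES: List[CsPolicy] = [
    CsPolicy("SF_ZONE_OPTIONS", 90, "SF_ZONE_OPTIONS",       # anonymous CORS preflight
             lambda r: r.method == "OPTIONS"),
    CsPolicy("_SF_CIF_SP_CSPOL", 95, "CIFS_SP_LB_VSERVER",   # authenticated Connectors
             url_contains("/cifs/", "/sp/", "/ProxyService/")),
    CsPolicy("_SF_OWA", 99, "SF_OWA_vServer",                # Office Web Apps
             url_contains("/hosting/discovery", "/x/", "/wv/", "/p/")),
    CsPolicy("_SF_SZ_CSPOL", 100, "SZ_LB_VSERVER",           # signed ShareFile data
             url_contains_none("/cifs/", "/sp/", "/ProxyService/")),
]

def route(req: Request, policies: List[CsPolicy] = POLICIES) -> Optional[str]:
    """Target of the first matching policy in priority order; None if nothing matches."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.rule(req):
            return pol.target
    return None

def with_priority(policies: List[CsPolicy], name: str, priority: int) -> List[CsPolicy]:
    """Copy of the policy list with one policy re-prioritised, for what-if checks."""
    return [CsPolicy(p.name, priority if p.name == name else p.priority, p.target, p.rule)
            for p in policies]

if __name__ == "__main__":
    print(route(Request("OPTIONS", "/ProxyService/cifs/list")))  # preflight: SF_ZONE_OPTIONS
    # _SF_OWA bound behind _SF_SZ_CSPOL never matches: OWA traffic lands on SZ_LB_VSERVER
    print(route(Request("GET", "/x/_layouts/wopi.ashx"), with_priority(POLICIES, "_SF_OWA", 101)))
```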

Create a monitor for the StorageZones Controller service

By default, NetScaler pings the StorageZones Controller server to determine if it is online. However, even if the controller is online, it might not be able to send heartbeat messages to the ShareFile web site. In that case, NetScaler will send traffic to the StorageZones Controller even though it is not communicating with ShareFile.

To verify StorageZones Controller outbound connectivity to ShareFile, you can create a monitor that checks heartbeat.aspx and bind it to the NetScaler service for each StorageZones Controller.

add lb monitor SZC_Heartbeat HTTP-ECV -send "GET /heartbeat.aspx" -recv "***ONLINE***" -secure YES

bind service StorageZone_Svc -monitorName SZC_Heartbeat

StorageZone_Svc is the NetScaler service that corresponds to a StorageZones Controller. That service name is automatically created by the NetScaler for ShareFile wizard. The service name includes the IP address of the controller, such as _SF_SVC_ip-address.

-secure YES is required if the service is listening on port 443.

Verify the NetScaler configuration

After you complete the wizard, go to Traffic Management > Load Balancing > Virtual Servers to view the status of the load balancing virtual servers created by the wizard.

View the throughput of ShareFile requests through NetScaler

Throughput statistics can be found on the Dashboard menu.