Storage zones controller

Configure Citrix ADC manually

As of version 10.1 build 120.1316, NetScaler includes a wizard that configures the settings needed for the storage zone controller data and connectors.

The steps in this section describe the Citrix ADC settings needed for the storage zone controller. All links are for the NetScaler 10.1 documentation. Similar topics are available for later versions of Citrix ADC.

To check for valid URI signatures on all incoming messages

  1. Create an HTTP callout named sf_callout:
    1. In the Configure HTTP Callout dialog box, click Virtual Server or IP Address and specify the address.

    2. Under Request to send to the server, click Attribute-based and then click Configure Request Attributes.

    3. Select Get Method.

    4. In Host Expression enter the virtual server IP address or the host IP address for any of the storage zones controllers.

    5. In the URL Stem Expression, enter:

      "/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE\_STR("\&h").HTTP\_URL\_SAFE.B64ENCODE + "\&h="+ HTTP.REQ.URL.QUERY.VALUE("h")
      <!--NeedCopy-->
      
    6. Click OK and then return to the Configure HTTP Callout dialog box.

    7. Under Server Response, choose a Return Type of Bool.

    8. In the Expression to extract data from the response, enter:

      HTTP.RES.STATUS.EQ(200).NOT

    9. Click Create.

  2. Follow the preceding steps to configure an HTTP callout named sf_callout_y. Use the same settings except for the expression:
    • In the URL Stem Expression, enter:

       "/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP\_URL\_SAFE.B64ENCODE + "\&h="
       <!--NeedCopy-->
      
  3. Configure a responder policy:
    1. In the Configure Responder Policy dialog box: For Action, choose Drop.

    2. Enter the expression:

      http.REQ.URL.CONTAINS("\&h=") && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP\_CALLOUT(sf\_callout) || http.REQ.URL.CONTAINS("\&h=").NOT && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP\_CALLOUT(sf\_callout\_y)
      <!--NeedCopy-->
      

      For more information, see Responder.

  4. Bind the responder policy to the load balancer virtual server and configure SSL session-based persistence.

To load balance

  1. Configure token-based load balancing.

    Use the rule expression: “http.REQ.URL.QUERY.VALUE("uploadid")”

    Token-based load balancing is required for storage zones controllers in a high availability deployment. Round-robin load balancing results in intermittent download or upload failures because a client request for an upload or download can get directed to a storage zone controller other than the one that received the authorization request from ShareFile.com.

  2. Configure Citrix ADC to terminate SSL connections.

    For information, see Configuring SSL Offloading.

To configure content switching and authentication for Connectors

  1. To enable content switching, see Enabling Content Switching.

  2. Create a content switching policy for user requests for ShareFile data from your on-premises storage zones:

    1. In the Configure Content Switching Policy dialog box. enter a name for the content switching policy. These steps use the name Data_Requests.

    2. Enter the expression:

      HTTP.REQ.HOSTNAME.CONTAINS("StorageZonesControllerHostName") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT
      <!--NeedCopy-->
      
    3. Click OK.

      For more information, see Content Switching.

  3. Create a content switching policy for user requests for data accessed from storage zone connectors.

    1. In the Configure Content Switching Policy dialog box, specify a name for the content switching policy. These steps use the name Connector_Requests.

    2. Enter the expression:

      HTTP.REQ.HOSTNAME.CONTAINS("StorageZonesControllerFQDN") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))
      <!--NeedCopy-->
      

      Be sure to replace “StorageZonesControllerFQDN” with the FQDN of your controller.

    3. Click OK.

  4. Create a content switching virtual server.

  5. Set the content switching policy targets:

    • In the Configure Virtual Server (Content Switching) dialog box, for the Data_Requests policy, specify the load balancer virtual server for storage zones for ShareFile data.

      This load balancer virtual server is the one to bound the responder policy in Step 4 to check for valid URI signatures on all incoming messages and to load balance.

    • For the Connector_Requests policy, specify the load balancer virtual server for storage zone connectors.

  6. Configure the authentication virtual server for the storage zone controller:

    Although authentication to Citrix ADC is optional, it is a recommended best practice.

    1. In the navigation pane, expand Load Balancing, select the name of the load balancer virtual server for storage zones connectors, and then click Open.

    2. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab and then expand Authentication Settings.

    3. Select the check box for 401 Based Authentication and then choose the Authentication virtual server.

    4. Click the Method and Persistence tab.

    5. For Persistence, choose COOKIEINSERT.

    6. For Time-out (min), enter 240.

      A time-out value of 240 minutes is recommended. Use a minimum value greater than 10 minutes.

      For more information, see Configuring the Authentication Virtual Server.

  7. Use the Configure Authentication Server dialog box to create and configure an authentication server.

    In SSO Name Attribute, enter userPrincipalName.

    For more information about other settings, seeAuthentication Policies.

  8. Configure an authentication policy for the authentication server:

    1. In the Configure Authentication Policy dialog box: Enter a Name for the policy and then select the authentication Server configured in the previous step.

    2. Enter the expression:

      ns_true

    For more information, see Configure an authentication policy.

  9. Configure a session profile for single sign-on:

    1. In the Configure Session Profile dialog box, enter a name for the profile.
    2. Select the check box for single sign-on to Web Applications.
    3. For Credential Index, select PRIMARY.
    4. In the single sign-on domain, enter the domain name for your storage zones controller.
    5. Select the Override Global check boxes for each of the preceding three items.

    For more information, see Session Profiles.

  10. Configure a session policy for single sign-on:

    1. In the Configure Session Policy dialog box, enter a name for the policy.

    2. For Request Profile, select the name of the session profile configured in the previous step.

    3. Enter the expression:

      ns_true

    For more information, see Session Policies.

  11. Create an authentication virtual server:

    1. In the Configure Virtual Server (Authentication) dialog box, enter a name and the IP Address for the server.
    2. Click the Authentication tab and for Protocol, select SSL.
    3. Select the check box for Authenticate Users.
    4. Under Authentication Policies, click Primary and then choose the authentication policy you configured in Step 7.
    5. Click the Policies tab, click Session, and then choose the session policy you configured in Step 9.

    For more information, see Configuring the Authentication Virtual Server.

Configure Citrix ADC manually