Storage zones controller

Install storage zones controller and create a storage zone

Important:

When you install a storage zones controller, you either create a zone and configure a primary storage zones controller or join secondary storage zones controllers to a zone.

While configuring a primary storage zones controller, you can enable either or both of these features:

  • Storage zones for ShareFile Data, to specify private data storage, either a private network share or a supported third-party storage system.
  • Storage zone connectors, to give users access to documents on SharePoint sites or specified network file shares.

The following steps describe how to install the storage zones controller, configure authentication for the IIS default website, create a zone, and enable features.

  1. Download and install the storage zones controller software:

    Note:

    Installing the storage zones controller changes the Default website on the server to the installation path of the controller.

    Anonymous Authentication should be enabled on the default website.

  2. On the server where you want to install the storage zones controller, run StorageCenter.msi.

    • The ShareFile storage zones controller Setup wizard starts.

    • For multitenancy, run the following command: msiexec /i StorageCenter_5.0.1.msi MULTITENANT=1

    Note:

    In the preceding command, you might need to update the version number (5.0.1 in the example) to match the number of the msi you are trying to install.

    • Respond to the prompts. When installation is complete, clear the check box for Launch storage zones controller Configuration Page and then click Finish.
  3. Restart the storage zones controller.

  4. To test that the installation is successful, navigate to http://localhost/. If the installation is successful, the ShareFile logo appears.

  5. If the ShareFile logo does not appear, clear the browser cache and try again.

    Important:

    If you plan to clone the storage zones controller, capture the disk image before you proceed with configuring the storage zones controller.

  6. To use an S3-compatible storage provider with ShareFile, perform the following steps before creating or configuring a storage zone.

    • Open Windows Registry Editor (Run > regedit.exe).

    • Find the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\StorageCenter registry key.

    • Create a new REG_SZ value under this key:

      • Value name: S3EndpointAddress
      • Value type: REG_SZ
      • Value data: Enter the HTTPS URL that corresponds to your S3-compatible storage endpoint.
    • If the storage provider supports only path-style container access (see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html), create another value under this key.

      • Value name: S3ForcePathStyle
      • Value type: REG_SZ
      • Value data: true
    • Restart the storage zones controller application pool (StorageCenterAppPool).

    • Gather the following information from your S3-compatible storage system:

      • The name of an S3 bucket to use for ShareFile data
      • Access key ID
      • Secret access key
  7. Continue with the following steps to create a new storage zone. Choose Amazon S3 as the persistent storage location. Storage zones controller uses the custom endpoint address you entered instead of the actual Amazon S3 service. When configuring the S3 details, choose the bucket name you created earlier.

  8. Navigate to the storage zones controller console.

  9. Open http://localhost/configservice/login.aspx or start the configuration tool from the Start screen or menu. For information about using the Start screen shortcut in Windows 8, see Manage storage zones controllers.

  10. On the storage zones controller Logon page, enter the email address, password, and full account URL (the FQDN subdomain, such as subdomain.sharefile.com or subdomain.sharefile.eu) for your account. Click Log On.

  11. To set up your primary storage zones controller, click Create new Zone and provide the zone information:

    Option Description
    Zone: A name that appears in the ShareFile Administrator console.
    Primary Zone controller: Defaults to http://localhost/ConfigService. If you use SSL, change HTTP to https. Keep in mind that ShareFile supports only valid, trusted public SSL certificates for standard zones. If you have problems configuring a secondary storage zone host, ensure that you can resolve the ConfigService URL in a local browser on that server, with no SSL errors. localhost resolves to the server IP address. You can specify a server name instead (such as https://servername.subdomain.com/ConfigService). The server name must be resolvable by a secondary storage zones controller server.
    Host name: A unique identifier for your storage zones controller. ShareFile recommends that you use the server host name as the identifier. This should be a friendly name and not the FQDN. This name appears in the ShareFile Administrator console.
    External Address: The FQDN for this storage zones controller. If this storage zones controller will be used for standard zones, the URL must be accessible from the Internet. If you are using a load balancer, enter its address. When you submit the page, ShareFile validates the address.
  12. To specify private data storage, do the following.

    • Select the check box for Enable storage zones for ShareFile Data.

    • To configure a standard zone, clear the check box.

    Note:

    After you configure a storage zones controller, you cannot change its zone type.

    Storage zones controller uses the service account credentials to connect to the trusted Active Directory domain server for email address lookup.

    • Choose a Storage Repository.
  13. If you do not want to enable storage zone connectors, click Register to register storage zones controller with ShareFile and then continue with Step 14.

  14. If you are using S3-compatible storage, create these additional registry entries after the storage zone registers:

    • Open Windows Registry Editor (Run > regedit.exe).

    • Find the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\storage zone\CloudStorageUploaderConfig registry key.

    • Create a new REG_SZ value under this key:

      • Value name: S3EndpointAddress
      • Value type: REG_SZ
      • Value data: Enter the HTTPS URL that corresponds to your S3-compatible storage endpoint.
    • If the storage provider supports only path-style container access (see http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html), create another value under this key.

      • Value name: S3ForcePathStyle
      • Value type: REG_SZ
      • Value data: true
    • Restart the storage zones controller application pool (StorageCenterAppPool).

  15. To enable storage zone connectors:

    Enabling the connectors creates the IIS apps “cifs” (connector for Network File Shares) and “sp” (connector for SharePoint).

    • Select the check box for each connector type you want to use: Enable storage zone connector for Network File Shares and Enable storage zone connector for SharePoint. For information about the connector settings, see Configure storage zone connectors, in this section.

    • Click Register. Your storage zones controller information appears.

    • If you specified Allowed Paths or Denied Paths for storage zone connectors, restart the IIS server.

  16. To configure secondary storage zones controllers, refer to Manage storage zones controllers.
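The registry changes in steps 6 and 14 above, as an added PowerShell example that is not part of the Citrix documentation: the hypothetical function Set-S3CompatibleEndpoint refuses anything but an absolute https:// URL (the steps require an HTTPS endpoint), writes the two REG_SZ values, and recycles StorageCenterAppPool. It assumes an elevated session on the storage zones controller with the WebAdministration module available, and the endpoint URL shown is a constructed placeholder.

```powershell
# Added example (not Citrix code). Applies the S3EndpointAddress / S3ForcePathStyle
# registry values from steps 6 and 14 and restarts the controller's app pool.
function Set-S3CompatibleEndpoint {
    param(
        [Parameter(Mandatory)][string]$KeyPath,      # registry key from step 6 or step 14
        [Parameter(Mandatory)][string]$EndpointUrl,  # endpoint of the S3-compatible store
        [switch]$ForcePathStyle                      # set when the provider is path-style only
    )
    # The steps call for an HTTPS URL; reject anything else so the controller never
    # sends access keys or file data to the endpoint in the clear.
    $uri = $null
    if (-not [System.Uri]::TryCreate($EndpointUrl, [System.UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -ne 'https') {
        throw "S3EndpointAddress must be an absolute https:// URL, got '$EndpointUrl'"
    }
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath (is the storage zones controller installed?)"
    }
    # REG_SZ values exactly as named in the steps; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name 'S3EndpointAddress' -PropertyType String `
        -Value $uri.AbsoluteUri -Force | Out-Null
    if ($ForcePathStyle) {
        New-ItemProperty -Path $KeyPath -Name 'S3ForcePathStyle' -PropertyType String `
            -Value 'true' -Force | Out-Null
    }
    # The controller reads these values at start-up, so recycle StorageCenterAppPool.
    Import-Module WebAdministration
    Restart-WebAppPool -Name 'StorageCenterAppPool'
    Get-ItemProperty -Path $KeyPath | Select-Object S3EndpointAddress, S3ForcePathStyle
}

# Step 6: before the zone is created. 's3.example.internal' is a constructed placeholder.
Set-S3CompatibleEndpoint -KeyPath 'HKLM:\SOFTWARE\Wow6432Node\Citrix\StorageCenter' `
    -EndpointUrl 'https://s3.example.internal' -ForcePathStyle

# Step 14: after the zone registers (key path as given in step 14).
Set-S3CompatibleEndpoint -KeyPath 'HKLM:\SOFTWARE\Wow6432Node\Citrix\storage zone\CloudStorageUploaderConfig' `
    -EndpointUrl 'https://s3.example.internal' -ForcePathStyle
```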

Important:

A storage zones controller is installed on your local site and you are responsible for backing it up. To protect your deployment, you should take a snapshot of the storage zones controller server, back up the storage zones controller configuration, and prepare storage zones controller for disaster recovery.

Configure storage zones for ShareFile Data

Note:

Storage zones for ShareFile Data is available for Citrix Endpoint Management Enterprise Edition and is not available for other Citrix Endpoint Management editions.

You can configure storage zones for ShareFile Data from the storage zones controller wizard when you create a storage zone or from the storage zones controller console. Use the ShareFile Data tab to configure settings for private network shares or supported third-party storage systems.

Network share settings

Option Description
Storage Repository: Choose Local network share. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to third-party storage, you must create a new zone.
Network Share Location: The UNC path to the network share you will use for private data storage and for data such as encryption keys, queued files, and other temporary items. Specify the path in the form \\server\share. Storage zones controllers belonging to the same storage zone must use the same file share for storage. Caution: Storage zones controller will overwrite any data in this path with a proprietary storage format. Never specify a path to a location with file data. Reserve this storage location for storage zones for ShareFile Data only. Storage zones controllers access the network share using the Network Share user name and password supplied on the config page. If no Network Share user name and password are supplied on the config page, the Network Service account is used by default. The Network Service account must have full access to this storage location. Storage zones controller also uses the Network Service account by default for the StorageCenterAppPool. Note that the only supported configuration is to use the Network Service account.
Network Share user name and Network Share Password: The credentials for the UNC path of your network share location. To use a named user account instead of the Network Service account to access the share, specify those credentials. You can continue to run the IIS application pool and the ShareFile Services using the Network Service account.
Enable Encryption: Select the check box only if you want to encrypt the file content stored on your file share. In an enterprise environment where the network share is inside your network and already secured by third-party tools, we recommend that you do not encrypt the files on the share. This setting does not apply to metadata; metadata is not encrypted for standard zones. Although this additional security is offered as an option for maximum security when required, encrypting files on the share makes the disk unreadable by third-party tools such as antivirus scanners and filer tools, including data deduplication tools. ShareFile uses a file encryption key to confirm the validity of download requests and to encrypt the storage.
Passphrase: A phrase used to protect your file encryption key. The passphrase must contain more than six characters. Be sure to archive the passphrase and encryption key in a secure location. You must use the same passphrase for each storage zones controller in a zone. The passphrase is not the same as your account password and cannot be recovered if lost. If you lose the passphrase, you cannot reinstall storage zones, join additional storage zones controllers to the storage zone, or recover the storage zone if the server fails. Note: The encryption key appears in the root of the shared storage path. Losing the encryption key file, SCKeys.txt, immediately breaks access to all storage zone files. Be sure to back up the encryption key file as part of your normal data center procedures.

Shared Cache configuration settings

Option Description
Shared cache location: The path to a network share that will contain your storage cache and data such as encryption keys, queued files, and other temporary items. Specify the path in the form \\server\share. Storage zones controllers belonging to the same storage zone must use the same file share for storage. Caution: Storage zones controller will overwrite any data in this path with a proprietary storage format. Never specify a path to a location with file data. Reserve this storage location for storage zones for ShareFile Data only. The Network Service account (or the account the ShareFile Management Service is configured to run as) must have full access to this storage location.
Shared cache Logon and Shared cache Password: The credentials for the UNC path of your shared cache location.
Enable Encryption: Select the check box to encrypt the files stored in your shared cache.

Windows Azure storage container settings

Option Description
Storage Repository: Choose Azure storage container. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to Azure-based storage, you must create a new zone.
Account Name: The name of your Azure storage account. These names are always lower case.
Access Key: The primary or secondary access key for your Azure storage. Copy the key from the Manage Access Keys screen of the Windows Azure Management Portal.
Validate: Click the button to validate the Azure access key. You cannot proceed with the configuration until the validation is completed and the Container Name menu includes all available containers for the specified account.
Container Name: Select the Azure container to use for all storage zones controllers in this storage zone. This list is empty until your Azure access key is validated.

Amazon S3 storage bucket settings

Option Description
Storage Repository: Choose the Amazon S3 storage bucket. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to Amazon S3 storage, you must create a new zone.
Access Key Id: The access key ID for your Amazon S3 storage.
Secret Access Key: The secret access key for your Amazon S3 storage.
Validate: Click the button to validate the Amazon S3 secret access key. You cannot proceed with the configuration until the validation is completed and the Bucket Name menu includes all available buckets for the specified account.
Bucket Name: Select the Amazon S3 bucket to use for all storage zones controllers in this storage zone. This list is empty until your Amazon S3 secret access key is validated.

SMTP settings

Option Description
SMTP server address and SMTP port number: Your local SMTP server host name and port.
Use SSL: Select the check box to connect to the SMTP server over a secure connection.
User name and Password: The user name and password for your local SMTP server.
Authentication mode: The Default authentication mode uses the most secure method available to connect from the storage zones controller to the SMTP server.
Sender address: The email address that appears in the From field.

Google Cloud platform

Generate an access key and secret from Google Cloud Platform > Settings > Interoperability.

Before running storage zones Configuration, set the S3EndpointAddress registry value to https://storage.googleapis.com and then restart IIS.

Option Description
Storage repository: Choose Amazon S3 storage bucket. After you create the zone, you cannot change the Storage Repository option. For example, to switch from a local network share to Amazon S3 storage, you must create a new zone.
Access Key ID: The Access Key ID from your Google Cloud Platform storage.
Secret Access Key: The Secret from your Google Cloud Platform storage.
Validate: Click the button to validate the Google Cloud Platform secret access key. You cannot proceed with the configuration until the validation is completed and the Bucket Name list includes all available buckets for the specified account.
Bucket Name: Select the correct bucket to use for all storage zones controllers in this storage zone. This list is empty until your Google Cloud Platform secret access key is validated.

Configure storage zone connectors

Storage zone connectors give users access to documents on SharePoint sites or specified network file shares. You do not have to enable storage zones for ShareFile Data to use storage zone connectors.

Note:

Storage zones for ShareFile Data and the storage zones connectors features can share a zone. However, storage zones controller keeps the data and access rules for the two data types separate.

You can configure storage zone connectors when you create a zone using the storage zones controller wizard or from the storage zones controller console.

To control access to particular network file shares or SharePoint document libraries, specify a list of Allowed Paths or Denied Paths. After you save your changes, restart the IIS server.

Inbound connections to storage zone connectors are first checked against the allowed paths. If the connection is allowed, the path is then checked against the denied paths. For example, to provide access to \\myserver\teamshare and all of its subfolders, specify an allowed path of \\myserver\teamshare.

  • All connections are allowed by default, indicated by an Allowed Paths value. The value is not valid for Denied Paths.

  • If the allowed and denied paths conflict with each other, the most restrictive path is enforced.

  • Entries are comma-separated.

  • For connectors to network file shares, specify the allowed UNC paths.

    Example with FQDN: \\fileserver.acme.com\shared

    You can use the following variables in the UNC path:

    • %UserName%

      Redirects to a user’s home directory. Example path: \\myserver\homedirs\%UserName%

    • %HomeDrive%

      Redirects to a user’s home folder path, as defined in the Active Directory property Home-Directory. Example path: %HomeDrive%

    • %TSHomeDrive%

      Redirects to a user’s Terminal Services home directory, as defined in the Active Directory property ms-TS-Home-Directory. The location is used when a user logs on to Windows from a terminal server or Citrix XenApp server. Example path: %TSHomeDrive%

      In the Active Directory Users and Computers snap-in, the ms-TS-Home-Directory value is accessible on the Remote Desktop Services Profile tab when editing a user object.

    • %UserDomain%

      Redirects to the NetBIOS domain name of the authenticated user. For example, if the authenticated user logon name is “abc\johnd”, the variable is substituted with “abc”. Example path: \\myserver\%UserDomain%_%UserName%

    The variables are not case sensitive.

  • For a connector to a root-level SharePoint site, specify the root-level path.

    Example: https://sharepoint.company.com

  • For a connector to a SharePoint site collection:

    Example: https://sharepoint.company.com/site/SiteCollection

  • For connectors to SharePoint 2010 document libraries, specify the URLs (not including path terminators, such as file.aspx or /Forms).

    Examples:

    • https://mycompany.com/sharepoint/
    • https://mycompany.com/sharepoint/sales-team/Shared Documents/
    • https://mycompany.com/sharepoint/sales-team/Shared Documents/Forms/AllItems.aspx

    The default SharePoint 2013 URL (when Minimal Download Strategy is enabled) is in the form: https://sharepoint.company.com/_layouts/15/start.aspx#/Shared%20Documents/.
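A local dry run of the Allowed Paths / Denied Paths evaluation described above, as an added PowerShell example that is not part of the Citrix documentation or the product. It lets you check a candidate rule set against sample requests before saving it and restarting IIS. It assumes (my approximation, not the product's own matcher) that a rule matches a path when it equals it or is a parent of it, that an empty Allowed Paths list stands in for the page's "all connections allowed" default, and that $user carries the AD properties the variables refer to; the function names and sample data are constructed.

```powershell
# Added example (not Citrix code): evaluate connector Allowed/Denied Paths offline.
function Expand-ConnectorPath {
    param([string]$Path, [hashtable]$User)
    # The page's variables are not case sensitive, so each is replaced with IgnoreCase.
    $map = @{ '%UserName%'    = $User.UserName
              '%UserDomain%'  = $User.UserDomain
              '%HomeDrive%'   = $User.HomeDirectory      # AD Home-Directory
              '%TSHomeDrive%' = $User.TSHomeDirectory }  # AD ms-TS-Home-Directory
    foreach ($name in $map.Keys) {
        $Path = [regex]::Replace($Path, [regex]::Escape($name), [string]$map[$name], 'IgnoreCase')
    }
    return $Path
}

function Test-RuleMatch {
    param([string]$Rule, [string]$Target)
    # Match the rule itself or anything below it (\ for UNC paths, / for SharePoint URLs).
    $pattern = '^' + [regex]::Escape($Rule.TrimEnd([char[]]'\/')) + '([\\/]|$)'
    return [regex]::IsMatch($Target, $pattern, 'IgnoreCase')
}

function Test-ConnectorAccess {
    param([string]$Target, [string]$AllowedPaths, [string]$DeniedPaths, [hashtable]$User)
    # Entries are comma-separated, as on the configuration page.
    $allowed = @($AllowedPaths -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $denied  = @($DeniedPaths  -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Stage 1: the request must match an allowed path (none configured = allow all).
    $hit = $allowed | Where-Object { Test-RuleMatch (Expand-ConnectorPath $_ $User) $Target } |
           Select-Object -First 1
    if ($allowed.Count -gt 0 -and -not $hit) {
        return [pscustomobject]@{ Target = $Target; Decision = 'Deny'; Rule = '(no allowed path matched)' }
    }
    # Stage 2: a matching denied path always wins, i.e. the most restrictive rule is enforced.
    $block = $denied | Where-Object { Test-RuleMatch (Expand-ConnectorPath $_ $User) $Target } |
             Select-Object -First 1
    if ($block) { return [pscustomobject]@{ Target = $Target; Decision = 'Deny'; Rule = $block } }
    $why = if ($hit) { $hit } else { '(default: all connections allowed)' }
    return [pscustomobject]@{ Target = $Target; Decision = 'Allow'; Rule = $why }
}

# Constructed sample: user abc\johnd and a rule set in the page's comma-separated form.
$user  = @{ UserName = 'johnd'; UserDomain = 'abc'; HomeDirectory = '\\hq\home\johnd'; TSHomeDirectory = '' }
$allow = '\\fileserver.acme.com\shared, \\myserver\homedirs\%UserName%, %HomeDrive%'
$deny  = '\\fileserver.acme.com\shared\hr'
$requests = @(
    '\\fileserver.acme.com\shared\sales\q1.xlsx'     # Allow: under an allowed path
    '\\FILESERVER.acme.com\SHARED\hr\payroll.xlsx'   # Deny: denied path, matched case-insensitively
    '\\myserver\homedirs\johnd\notes.txt'            # Allow: %UserName% expanded for this user
    '\\myserver\homedirs\alice\notes.txt'            # Deny: another user's home directory
    '\\hq\home\johnd\todo.txt'                       # Allow: %HomeDrive% expanded from AD
)
$requests | ForEach-Object { Test-ConnectorAccess $_ $allow $deny $user } | Format-Table -AutoSize
```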

Security recommendation to remove the server header

IIS/ASP.NET exposes the Server header in HTTP responses by default. The header discloses the server type and, in some cases, the version number, which can help an attacker fingerprint the system. The header is not necessary for production sites and can be disabled.

The storage zones controller installer cannot remove this header automatically, so remove it manually after installation.

For the specific steps, refer to the following article: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
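One way to apply and verify this hardening on the controller, as an added PowerShell example that is neither Citrix code nor the steps from the linked article: it suppresses the Server header through IIS request filtering, removes the related X-Powered-By and X-AspNet-Version headers, recycles StorageCenterAppPool and then fetches http://localhost/ (the check from step 4) to report any of those headers still being sent. It assumes an elevated session on the controller and IIS 10.0 version 1709 or later for removeServerHeader; on older IIS, use the URL Rewrite outbound rule from the linked article instead.

```powershell
# Added example (not Citrix code): remove version-disclosing headers from the controller.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'IIS:\Sites\Default Web Site'   # the controller is installed under the Default website

# 1. Server: ask IIS not to emit the header at all (machine-wide request filtering;
#    the removeServerHeader attribute needs IIS 10.0 version 1709 or later).
Set-WebConfigurationProperty -PSPath $appHost `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# 2. X-Powered-By: ASP.NET adds it as an inherited custom header; remove that entry.
Remove-WebConfigurationProperty -PSPath $appHost `
    -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue

# 3. X-AspNet-Version: disable the ASP.NET version header (written to the site's web.config).
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

Restart-WebAppPool -Name 'StorageCenterAppPool'

# Verify: request the page from step 4 and list any disclosure header that is still present.
function Get-DisclosureHeaders {
    param([string]$Url = 'http://localhost/')
    $watch    = 'Server', 'X-Powered-By', 'X-AspNet-Version'
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing
    foreach ($name in $response.Headers.Keys) {
        if ($watch -contains $name) {   # -contains is case-insensitive for strings
            [pscustomobject]@{ Header = $name; Value = $response.Headers[$name] }
        }
    }
}
Get-DisclosureHeaders   # no output means none of the watched headers are sent
```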
