Restricted StorageZones

Customers running StorageZones Controller (version 3 or later) can use Restricted Zones to better control employee access to data.


Not all features and apps can be used with data stored in a Restricted Zone.

Additional RZ Info

Restricted Zone Features

Zone Authentication: In addition to logging on to ShareFile, users must authenticate separately to the StorageZones Controller to access documents stored in a restricted zone. Directory lookup ensures that the user logging on to ShareFile is the same one authenticating to the zone. This extra authentication requirement limits sharing. Documents can be shared only with others who have access to the StorageZones Controller and who can authenticate using enterprise credentials. In a restricted zone, files cannot be shared anonymously. Users must be granted permission to view a file and must always log on to receive a shared file.

Metadata Encryption: All information about files and folders in the zone is encrypted with your key before being sent to ShareFile. As a result, no one outside of your organization can see folder or file names in restricted zones. Access to encryption keys, decrypted files, and metadata is available only through enterprise authentication to StorageZones Controller.

Internal address for StorageZones Controller: For a restricted zone, authorization occurs between StorageZones Controller and ShareFile clients instead of between StorageZones Controller and the ShareFile cloud. As a result, a StorageZones Controller that hosts restricted zones does not require an external address or external SSL certificate. When StorageZones Controller is configured with an internal-only address, users must connect to the company network or VPN to access documents in the restricted zone.

Email notifications from your mail server: When users receive e-mail notifications about shared files and folders in a restricted zone, the e-mail is sent from your internal mail server instead of a ShareFile server.

Differences between standard and restricted zones

| Properties | Standard zones | Restricted zones |
|---|---|---|
| StorageZone servers can be managed by… | Citrix or you | you |
| User authentication is handled by… | or a combination of | or plus your on-premises StorageZones Controller |
| Files can be shared with… | employees and third party users (that is, anyone with an email address) | employees or other users who have a domain account |
| File and folder metadata stored in the ShareFile control plane is… | stored in clear text, visible to some Citrix employees | encrypted with your private keys, which are not available to Citrix |
| Email notifications are sent using… | ShareFile mail servers or your SMTP servers | your SMTP servers |
| An external address for the zone is… | required | not required |