Use ShareFile with XenMobile
XenMobile has two options for integrating with ShareFile: Citrix Files and storage zone connectors. Integration with Citrix Files or storage zone connectors requires XenMobile Advanced Edition (On-premises) or Citrix Endpoint Management (cloud).
If you have XenMobile Advanced Edition (On-premises) or Citrix Endpoint Management (cloud), you can configure XenMobile to provide access to your Citrix Files account. That configuration:
- Gives mobile users access to the full Enterprise feature set, such as file sharing, file sync, and storage zone connectors.
- Can provide Citrix Files with single sign-on authentication of XenMobile App users and comprehensive access control policies.
- Provides Citrix Files configuration, service level monitoring, and license usage monitoring through the XenMobile console.
For more information about configuring XenMobile for Citrix Files, see SAML for single sign-on with Citrix Files.
Storage zone connectors
You can configure XenMobile to provide access only to storage zone connectors that you create through the XenMobile console. That configuration:
- Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares.
- Doesn’t require that you set up a ShareFile subdomain or host Citrix Files data.
- Provides users with mobile access to data through the Citrix Files mobile productivity apps for iOS and Android. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
- Complies with security restrictions against leaking user information outside of the corporate network.
- Provides simple setup of storage zone connectors through the XenMobile console. If you later decide to use the full Citrix Files functionality with XenMobile, you can change the configuration in the XenMobile console.
- Requires XenMobile Advanced Edition (On-premises) or Citrix Endpoint Management (cloud).
For a XenMobile integration with storage zone connectors only:
- ShareFile uses your single sign-on configuration to Citrix Gateway to authenticate with the storage zones controller.
- XenMobile doesn’t authenticate through SAML because the Citrix Files control plane isn’t used.
The following diagram shows the high-level architecture for XenMobile use with storage zone connectors.
- Minimum component versions:
  - XenMobile Server 10.5 (on-premises)
  - ShareFile for iOS (MDX) 5.3
  - ShareFile for Android (MDX) 5.3
  - Storage zones controller 5.0
This article contains instructions for how to configure storage zones controller 5.0.
- Ensure that the server to run storage zones controller meets the system requirements. For requirements, see System requirements.
The requirements for storage zones for Citrix Files Data and for Restricted storage zones don’t apply to a XenMobile integration with storage zone connectors only.
XenMobile doesn’t support Documentum connectors.
- To run PowerShell scripts:
  - Run the scripts in the 32-bit (x86) version of PowerShell.
Complete the following tasks, in the order presented, to install and set up storage zones controller. These steps are specific to XenMobile integration with storage zone connectors only. Some of these articles are in the storage zones controller documentation.
You can use Citrix ADC as a DMZ proxy for storage zones controller.
A storage zones controller that hosts standard zones requires an SSL certificate. A storage zones controller that hosts restricted zones and uses an internal address doesn’t require an SSL certificate.
IIS and ASP.NET setup is required for storage zone connectors.
The storage zones controllers console enables you to specify a proxy server for storage zones controllers. You can also specify a proxy server using other methods.
Configure the domain controller to support NTLM or Kerberos authentication on network shares or SharePoint sites.
To configure a storage zone for high availability, connect at least two storage zones controllers to it.
Download and install the storage zones controller software:
Go to https://www.citrix.com/downloads. Search for ShareFile and then download the latest storage zones controller installer.
Installing the storage zones controller changes the default website on the server to the installation path of the controller. Enable Anonymous Authentication on the default website.
On the server where you want to install storage zones controller, run StorageCenter.msi.
The storage zones controller Setup wizard starts.
Respond to the prompts:
- In the Destination Folder page, if Internet Information Services (IIS) is installed in the default location, leave the defaults. If not, browse to the IIS installation location.
- When installation is complete, clear the checkbox for Launch Storage Zones Controller Configuration Page and then click Finish.
When prompted, restart the storage zones controller.
To test that the installation was successful, navigate to https://localhost/. If the installation is successful, the Citrix Files logo appears.
If the Citrix Files logo does not appear, clear the browser cache and try again.
If you plan to clone the storage zones controller, capture the disk image before you continue with configuring the storage zones controller.
For an integration only with storage zone connectors, you don’t use the storage zones controller administrative console. That interface requires a Citrix Files administrator account, which isn’t necessary for this solution. As a result, you run a PowerShell script to prepare the storage zones controller for use without the Citrix Files control plane. The script does the following:
- Registers the current storage zones controller as a primary storage zones controller. You can later join secondary storage zones controllers to the primary controller.
- Creates a zone and sets the passphrase for it.
From your storage zone controller server, download the PsExec tool: Navigate to Microsoft Windows Sysinternals and then click Download PsTools. Extract the tool to the root of the C drive.
Run the PsExec tool: Open the Command Prompt as the Administrator User and then type the following:
cd c:\pstools
PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
When prompted, click Agree to run the Sysinternals tool.
A PowerShell window opens.
In the PowerShell window, type the following:
Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"
New-Zone -Passphrase passphrase -ExternalAddress https://szcfqdn.com
Passphrase: Is the passphrase that you want to assign to the site. Make a note of it. You cannot recover the passphrase from the controller. If you lose the passphrase, you cannot reinstall the storage zones controller, join more storage zones controllers to the storage zone, or recover the storage zone if the server fails.
ExternalAddress: Is the external fully qualified domain name of the storage zones controller server.
Your primary storage zones controller is now ready.
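A pre-flight and zone-creation script for the steps above, as an added example that is not Citrix's own code: it checks the 32-bit host and the NetworkService identity the article calls for, then generates a random passphrase and makes the operator confirm it is stored before calling New-Zone. The URL is the article's placeholder, and the 48-character hex passphrase format is an assumption about what the controller accepts.

```powershell
# Added example, not Citrix code. Run it in the PowerShell window that PsExec opened.
$ErrorActionPreference = 'Stop'

# Placeholder from the article; replace with the controller's external FQDN.
$ExternalAddress = 'https://szcfqdn.com'
$ModulePath = 'C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll'

# 1. The article requires the 32-bit (x86) PowerShell host.
if ([System.Environment]::Is64BitProcess) {
    throw 'This is 64-bit PowerShell. Use C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.'
}

# 2. PsExec should have started this shell as NT AUTHORITY\NetworkService,
#    whose well-known SID is S-1-5-20.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($sid -ne 'S-1-5-20') {
    throw "Running as SID $sid, not NetworkService (S-1-5-20). Relaunch through PsExec."
}

# 3. Refuse a non-HTTPS external address before anything is registered.
if (([System.Uri]$ExternalAddress).Scheme -ne 'https') {
    throw "ExternalAddress must be an https:// URL, got '$ExternalAddress'."
}

# 4. Build the passphrase from 24 bytes of OS CSPRNG output (48 hex characters).
#    Assumption: the controller accepts a passphrase of this length and alphabet.
$bytes = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$Passphrase = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 5. The passphrase cannot be recovered from the controller, so make the operator
#    store it and read it back before the zone exists.
Write-Host "Zone passphrase (store it in your password vault now): $Passphrase"
$readBack = Read-Host 'Paste the passphrase back from the vault to confirm'
if ($readBack -cne $Passphrase) {
    throw 'Read-back does not match. No zone was created; run the script again.'
}

# 6. Same two commands as the article, with the generated value.
Import-Module $ModulePath
New-Zone -Passphrase $Passphrase -ExternalAddress $ExternalAddress

# 7. Drop the secret from the session. Close this window afterwards so the
#    passphrase also leaves the console scrollback.
Remove-Variable Passphrase, readBack, bytes
```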
Before you log in to XenMobile to create storage zone connectors, complete the following configuration, if applicable:
To create storage zone connectors, see Define storage zones controller connections in XenMobile.
To configure a storage zone for high availability, connect at least two storage zones controllers to it. To join a secondary storage zones controller to a zone, install a storage zones controller on a second server. Then join that controller to the zone of the primary controller.
Open a PowerShell window on the storage zones controller server that you want to join to the primary server.
In the PowerShell window, type the following:
Join-Zone -Passphrase <passphrase> -PrimaryController <HostnameOrIP>
For example:
Join-Zone -Passphrase secret123 -PrimaryController 10.10.110.210
Before you add storage zone connectors, you configure connection information for each storage zones controller enabled for storage zone connectors. You can define storage zones controllers as described in this section, or when you add a connector.
On your first visit to the Configure > ShareFile page, the page summarizes the differences between using XenMobile for Enterprise accounts and storage zone connectors.
Click Configure Connectors to continue with the configuration steps in this article.
In Configure > ShareFile, click Manage StorageZones.
In Manage StorageZones, add the connection information.
- Name: A descriptive name for the StorageZone, used to identify the StorageZone in XenMobile. Don’t include a space or special characters in the name.
- FQDN and Port: The fully qualified domain name and port number for a storage zones controller that is reachable from the XenMobile Server.
- Secure Connection: If you use SSL for connections to storage zones controller, use the default setting, ON. If you don’t use SSL for connections, change this setting to OFF.
- Administrator user name and Administrator password: An administrator service account user name (in the form domain\admin) and password. Alternatively, a user account with read and write permissions on the storage zones controllers.
To test the connection, verify that XenMobile Server can reach the fully qualified domain name of the storage zones controller on port 443.
To define another storage zones controller connection, click the Add button in Manage StorageZones.
To edit or delete the information for a storage zones controller connection, select the connection name in Manage StorageZones. Then, click Edit or Delete.
Add a storage zone connector in XenMobile
Go to Configure > ShareFile and then click Add.
On the Connector Info page, configure these settings:
- Connector Name: A name that identifies the storage zone connector in XenMobile.
- Description: Optional notes about this Connector.
- Type: Choose either SharePoint or Network.
- StorageZone: Choose the storage zone associated with the Connector. If the storage zone isn’t listed, click Manage StorageZones to define the storage zones controller.
- Location: For SharePoint, specify the URL of the SharePoint root-level site, site collection, or document library, in the form https://sharepoint.company.com. For a network share, specify the fully qualified domain name of the Uniform Naming Convention (UNC) path, in the form \\server\share.
On the Delivery Group Assignment page, optionally assign the Connector to delivery groups. Alternatively, you can associate connectors to delivery groups using Configure > Delivery Groups.
On the Summary page, you can review the options you configured. To adjust the configuration, click Back.
Click Save to save the Connector.
Test the connector:
When you wrap the Citrix Files clients, do the following:
- Set the Network access policy to Tunneled to the internal network.
In this mode of operation, the XenMobile MDX framework intercepts all network traffic from the Citrix Files client. The traffic redirects through Citrix Gateway by using an app-specific micro VPN.
- Set the Preferred VPN mode policy to Tunneled - Web SSO.
In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app. MDX then initiates new connections to internal resources on behalf of the user. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.
Add the Citrix Files clients to XenMobile. For details, see Integrating and delivering Citrix Files for Endpoint Management clients.
From a supported device, verify single sign-on to Citrix Files and connectors.
In the following samples, SharefileDev is the name of a connector.
You can filter the list of storage zone connectors by Connector type, assigned delivery groups, and storage zone.
Go to Configure > ShareFile and then click Show filter.
Expand the filter headings to make selections. To save a filter, click Save This View, type the filter name, and click Save.
To rename or delete a filter, click the arrow icon beside the filter name.
After integrating storage zone connectors with XenMobile, you can later switch to the full Enterprise feature set. Use of the Citrix Files feature set requires XenMobile Advanced Edition (On-premises) or Citrix Endpoint Management (cloud). XenMobile retains your existing storage zone connector integration settings.
Go to Configure > ShareFile, click the StorageZone Connectors drop-down menu, and then click Configure ShareFile Enterprise.
For information about configuring Citrix Files, see SAML for single sign-on with Citrix Files.