ShareFile use with XenMobile

XenMobile has two options for integrating with ShareFile: ShareFile Enterprise and StorageZone Connectors. Integration with ShareFile Enterprise or StorageZone Connectors requires XenMobile Enterprise Edition.

ShareFile Enterprise

If you have XenMobile Enterprise Edition, you can configure XenMobile to provide access to your ShareFile Enterprise account. That configuration:

  • Gives mobile users access to the full ShareFile feature set, such as file sharing, file sync, and StorageZone Connectors.
  • Can provide ShareFile with single sign-on authentication of XenMobile App users, AD-based user account provisioning, and comprehensive access control policies.
  • Provides ShareFile configuration, service level monitoring, and license usage monitoring through the XenMobile console.

For more information about configuring XenMobile for ShareFile Enterprise, see SAML for single sign-on with ShareFile.

StorageZone Connectors

You can configure XenMobile to provide access only to StorageZone Connectors that you create through the XenMobile console. That configuration:

  • Provides secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares.
  • Doesn’t require that you set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data.
  • Provides users with mobile access to data through the ShareFile mobile productivity apps for iOS and Android. Users can edit Microsoft Office documents. Users can also preview and annotate Adobe PDF files from mobile devices.
  • Complies with security restrictions against leaking user information outside of the corporate network.
  • Provides simple setup of StorageZone Connectors through the XenMobile console. If you later decide to use the full ShareFile functionality with XenMobile, you can change the configuration in the XenMobile console.
  • Requires XenMobile Enterprise Edition.

For a XenMobile integration with StorageZone Connectors only:

  • ShareFile uses your single sign-on configuration to NetScaler Gateway to authenticate with StorageZones Controller.
  • XenMobile doesn’t authenticate through SAML because the ShareFile control plane isn’t used.

The following diagram shows the high-level architecture for XenMobile use with StorageZone Connectors.

Image of StorageZone Controller


  • Minimum component versions:
    • XenMobile Server 10.5 (on-premises)
    • ShareFile for iOS (MDX) 5.3
    • ShareFile for Android (MDX) 5.3
    • ShareFile StorageZones Controller 5.0 This article contains instructions for how to configure ShareFile StorageZones Controller 5.0
  • Ensure that the server to run StorageZones Controller meets the system requirements. For requirements, see System requirements.

The requirements for StorageZones for ShareFile Data and for Restricted StorageZones don’t apply to a XenMobile integration with StorageZone Connectors only.

XenMobile doesn’t support Documentum connectors.

  • To run PowerShell scripts:
    • Run the scripts in the 32-bit (x86) version of PowerShell.

Installation tasks

Complete the following tasks, in the order presented, to install and set up StorageZones Controller. These steps are specific to XenMobile integration with StorageZone Connectors only. Some of these articles are in the StorageZones Controller documentation.

  1. Configure NetScaler for StorageZones Controller

    You can use NetScaler as a DMZ proxy for StorageZones Controller.

  2. Install an SSL certificate

    A StorageZones Controller that hosts standard zones requires an SSL certificate. A StorageZones Controller that hosts restricted zones and uses an internal address doesn’t require an SSL certificate.

  3. Prepare your server

    IIS and ASP.NET setup is required for StorageZone Connectors.

  4. Install StorageZones Controller

  5. Prepare StorageZones Controller for use with StorageZone Connectors-only

  6. Specify a proxy server for StorageZones

    The StorageZones Controllers console enables you to specify a proxy server for StorageZones Controllers. You can also specify a proxy server using other methods.

  7. Configure the domain controller to trust the StorageZones Controller for delegation

    Configure the domain controller to support NTLM or Kerberos authentication on network shares or SharePoint sites.

  8. Join a secondary StorageZones Controller to a StorageZone

    To configure a StorageZone for high availability, connect at least two StorageZones Controllers to it.

Install StorageZones Controller

  1. Download and install the StorageZones Controller software:

    1. From the ShareFile download page at, log on and download the latest StorageZones Controller installer.

    2. Installing StorageZones Controller changes the default website on the server to the installation path of the controller. Enable Anonymous Authentication on the default website.

  2. On the server where you want to install StorageZones Controller, run StorageCenter.msi.

    The ShareFile StorageZones Controller Setup wizard starts.

  3. Respond to the prompts:

    • In the Destination Folder page, if Internet Information Services (IIS) is installed in the default location, leave the defaults. If not, browse to the IIS installation location.
    • When installation is complete, clear the check box for Launch StorageZones Controller Configuration Page and then click Finish.

    Image of setup wizard

  4. When prompted, restart the StorageZones Controller.

  5. To test that the installation was successful, navigate to https://localhost/. If the installation is successful, the ShareFile logo appears.

    If the ShareFile logo does not appear, clear the browser cache and try again.


    If you plan to clone the StorageZones Controller, capture the disk image before you proceed with configuring the StorageZones Controller.

Prepare StorageZones Controller for use with StorageZone Connectors-only

For an integration only with StorageZone Connectors, you don’t use the StorageZones Controller administrative console. That interface requires a ShareFile administrator account, which isn’t necessary for this solution. As a result, you run a PowerShell script to prepare the StorageZones Controller for use without the ShareFile control plane. The script does the following:

  • Registers the current StorageZones Controller as a primary StorageZones Controller. You can later join secondary StorageZones Controllers to the primary controller.
  • Creates a zone and sets the passphrase for it.
  1. From your StorageZone Controller server, download the PsExec tool: Navigate to Microsoft Windows Sysinternals and then click Download PsTools. Extract the tool to the root of the C drive.

    Image of PsTool download

  2. Run the PsExec tool: Open the Command Prompt as the Administrator User and then type the following:

    cd c:\pstools
    PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    Image of PsTool command

  3. When prompted, click Agree to run the Sysinternals tool.

    Image of PsTool license agreement

    A PowerShell widow opens.

  4. In the PowerShell window, type the following:

    Import-Module "C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SfConfig\SfConfig.dll"
    New-Zone -Passphrase passphrase -ExternalAddress


    Passphrase: Is the passphrase you want to assign to the site. Make a note of it. You cannot recover the passphrase from the controller. If you lose the passphrase, you cannot reinstall StorageZones, join more StorageZones Controllers to the StorageZone, or recover the StorageZone if the server fails.

    ExternalAddress: Is the external fully qualified domain name of the StorageZones Controller server.

    Image of powershell commands

    Your primary StorageZones Controller is now ready.

    Before you log in to XenMobile to create StorageZone Connectors: Complete the following configuration, if applicable:

    Specify a proxy server for StorageZones

    Configure the domain controller to trust the StorageZones Controller for delegation

    Join a secondary StorageZones Controller to a StorageZone

    To create StorageZone Connectors, see Define StorageZones Controller connections in XenMobile.

Join a secondary StorageZones Controller to a StorageZone

To configure a StorageZone for high availability, connect at least two StorageZones Controllers to it. To join a secondary StorageZones Controller to a zone, install StorageZones Controller on a second server. Then join that controller to the zone of the primary controller.

  1. Open a PowerShell window on the StorageZones Controller server that you want to join to the primary server.

  2. In the PowerShell window, type the following:

    Join-Zone -Passphrase \<passphrase\> -PrimaryController \<HostnameOrIP>

    For example:

    Join-Zone -Passphrase secret123 -PrimaryController

Define StorageZones Controller connections in XenMobile

Before you add StorageZone Connectors, you configure connection information for each StorageZones Controller enabled for StorageZone Connectors. You can define StorageZones Controllers as described in this section, or when you add a connector.

On your first visit to the Configure > ShareFile page, the page summarizes the differences between using XenMobile with ShareFile Enterprise and with StorageZone Connectors.

Image of ShareFile configuration

Click Configure Connectors to continue with the configuration steps in this article.

Image of ShareFile configuration

  1. In Configure > ShareFile, click Manage StorageZones.

    Image of ShareFile configuration

  2. In Manage StorageZones, add the connection information.

    Image of ShareFile configuration

    • Name: A descriptive name for the StorageZone, used to identify the StorageZone in XenMobile. Don’t include a space or special characters in the name.
    • FQDN and Port: The fully qualified domain name and port number for a StorageZones Controller that is reachable from the XenMobile Server.
    • Secure Connection: If you use SSL for connections to StorageZones Controller, use the default setting, ON. If you don’t use SSL for connections, change this setting to OFF.
    • Administrator user name and Administrator password: An administrator service account user name (in the form domain\admin) and password. Alternatively, a user account with read and write permissions on the StorageZones Controllers.
  3. Click Save.

  4. To test the connection, verify that XenMobile Server can reach the fully qualified domain name of the StorageZones Controller on port 443.

  5. To define another StorageZones Controller connection, click the Add button in Manage StorageZones.

    To edit or delete the information for a StorageZones Controller connection, select the connection name in Manage StorageZones. Then, click Edit or Delete.

Add a StorageZone Connector in XenMobile

  1. Go to Configure > ShareFile and then click Add.

    Image of ShareFile configuration

  2. On the Connector Info page, configure these settings:

    Image of ShareFile configuration

    • Connector Name: A name that identifies the StorageZone Connector in XenMobile.
    • Description: Optional notes about this Connector.
    • Type: Choose either SharePoint or Network.
    • StorageZone: Choose the StorageZone associated with the Connector. If the StorageZone isn’t listed, click Manage StorageZones to define the StorageZones Controller.
    • Location: For SharePoint, specify the URL of the SharePoint root-level site, site collection, or document library, in the form For a network share, specify the fully qualified domain name of the Uniform Naming Convention (UNC) path, in the form \\server\share.
  3. On the Delivery Group Assignment page, optionally assign the Connector to delivery groups. Alternatively, you can associate connectors to delivery groups using Configure > Delivery Groups.

Image of ShareFile configuration

  1. On the Summary page, you can review the options you configured. To adjust the configuration, click Back.

  2. Click Save to save the Connector.

  3. Test the connector:

    1. When you wrap the ShareFile clients, do the following:

      • Set the Network access policy to Tunneled to the internal network.

      In this mode of operation, the XenMobile MDX framework intercepts all network traffic from the ShareFile client. The traffic redirects through NetScaler Gateway by using an app-specific micro VPN.

      • Set the Preferred VPN mode policy to Tunneled - Web SSO.

      In this mode of tunneling, the MDX framework terminates SSL/HTTP traffic from an MDX app. MDX then initiates new connections to internal connections on behalf of the user. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

    2. Add the ShareFile clients to XenMobile. For details, see Integrating and delivering Citrix Files Endpoint Management clients.

    3. From a supported device, verify single sign-on to ShareFile and connectors.

    In the following samples, SharefileDev is the name of a connector.

    Image of ShareFile configuration

    Image of ShareFile configuration

Filter the StorageZone Connectors list

You can filter the list of StorageZone Connectors by Connector type, assigned delivery groups, and StorageZone.

  1. Go to Configure > ShareFile and then click Show filter.

    Image of ShareFile configuration

  2. Expand the filter headings to make selections. To save a filter, click Save This View, type the filter name, and click Save.

    Image of ShareFile configuration

  3. To rename or delete a filter, click the arrow icon beside the filter name.

    Image of ShareFile configuration

Switch to ShareFile Enterprise

After integrating StorageZone Connectors with XenMobile, you can later switch to the full ShareFile Enterprise feature set. Use of the ShareFile Enterprise feature set requires XenMobile Enterprise Edition. XenMobile retains your existing StorageZone Connector integration settings.

Go to Configure > ShareFile, click the StorageZone Connectors drop-down menu, and then click Configure ShareFile Enterprise.

Image of ShareFile configuration

For information about configuring ShareFile Enterprise, see SAML for single sign-on with ShareFile.


ShareFile use with XenMobile