
Configure NetScaler manually

Dec 22, 2015
As of version 10.1 build 120.1316, NetScaler includes a wizard that configures the settings needed for StorageZones Controller data and connectors. To configure earlier versions of NetScaler for StorageZones Controller, we recommend that you watch the following video and use the information in this section to supplement the video instructions.
 

The steps in this section describe the NetScaler settings needed for StorageZones Controller. All links are for the NetScaler 10.1 documentation. Similar topics are available for earlier versions of NetScaler.

To check for valid URI signatures on all incoming messages and to load balance

  1. Create an HTTP callout named sf_callout:
    1. In the Configure HTTP Callout dialog box, click Virtual Server or IP Address and specify the address.
    2. Under Request to send to the server, click Attribute-based and then click Configure Request Attributes.
    3. Select Get Method.
    4. In Host Expression enter the virtual server IP address or the host IP address for any of the StorageZone Controllers.
    5. In URL Stem Expression enter:

      "/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h="+ HTTP.REQ.URL.QUERY.VALUE("h")

    6. Click OK and then return to the Configure HTTP Callout dialog box.
    7. Under Server Response, choose a Return Type of Bool.
    8. In Expression to extract data from the response enter:

      HTTP.RES.STATUS.EQ(200).NOT

    9. Click Create.
    For more information, refer to HTTP Callouts in the NetScaler documentation.
  2. Follow the preceding steps to configure an HTTP callout named sf_callout_y. Use the same settings except for the expression:
    • In URL Stem Expression enter:

      "/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="

  3. Configure a responder policy:
    1. In the Configure Responder Policy dialog box: For Action, choose Drop.
    2. In Expression, enter:

      http.REQ.URL.CONTAINS("&h=") && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS("&h=").NOT && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout_y)

      For more information, refer to Responder in the NetScaler documentation.

  4. Bind the responder policy to the load balancer virtual server and configure SSL session-based persistence.
  5. Configure token-based load balancing.

    Use the rule expression:

      http.REQ.URL.QUERY.VALUE("uploadid")

    Token-based load balancing is required for StorageZones Controllers in a high availability deployment. Round-robin load balancing will result in intermittent download or upload failures because a client request for an upload or download can get directed to a StorageZones Controller other than the one that received the authorization request from ShareFile.com.

  6. Configure NetScaler to terminate SSL connections.

    For information, refer to Configuring SSL Offloading and its subtopics in the NetScaler documentation.
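
The request flow that steps 1 through 3 configure, modelled in Python as an added example (not Citrix code): it builds the URL stem each callout sends to /validate.ashx and applies the responder rule. The HTTP_URL_SAFE escaping set, the HMAC-SHA256 check in stub_validate, the key and the /upload.aspx path are assumptions made for the demonstration; the page does not describe how the controller verifies h.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

KEY = b"constructed-demo-key"        # constructed; stands in for the controller's secret
EXEMPT = ("/crossdomain.xml", "/validate.ashx?requri")   # literals from the responder rule

def url_safe_b64(text):
    # HTTP_URL_SAFE.B64ENCODE, approximated (assumption): percent-encode, then Base64
    escaped = quote(text, safe="/?&=:;,+%@!$'()*~")
    return base64.b64encode(escaped.encode()).decode()

def query_value(url, name):
    # HTTP.REQ.URL.QUERY.VALUE(name): raw value of the first matching parameter
    for pair in url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""

def callout_for(url):
    """Return (callout name, URL stem) the responder rule selects, or None if exempt."""
    if any(marker in url for marker in EXEMPT):
        return None
    if "&h=" in url:
        signed_part = url.split("&h", 1)[0]              # BEFORE_STR("&h")
        return ("sf_callout", "/validate.ashx?RequestURI="
                + url_safe_b64(signed_part) + "&h=" + query_value(url, "h"))
    return ("sf_callout_y", "/validate.ashx?RequestURI=" + url_safe_b64(url) + "&h=")

def stub_validate(stem):
    # Stand-in for validate.ashx (assumed scheme): HMAC-SHA256 over the decoded RequestURI
    request_uri = base64.b64decode(query_value(stem, "RequestURI")).decode()
    expected = hmac.new(KEY, request_uri.encode(), hashlib.sha256).hexdigest()
    return 200 if hmac.compare_digest(expected, query_value(stem, "h")) else 401

def responder_drops(url):
    plan = callout_for(url)
    if plan is None:
        return False                         # rule is false: no callout, no Drop
    return stub_validate(plan[1]) != 200     # HTTP.RES.STATUS.EQ(200).NOT -> Drop

def sign(url):
    # Constructed helper: append an h value that stub_validate accepts
    return url + "&h=" + hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()
```

A signed URL passes, the same URL with any signed parameter altered is dropped, and a request with no h parameter goes through sf_callout_y with an empty h and is dropped unless the controller answers 200.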

To configure content switching and authentication for Connectors

  1. Enable content switching, as described in Enabling Content Switching in the NetScaler documentation.
  2. Create a content switching policy for user requests for ShareFile data from your on-premises StorageZone:
    1. In the Configure Content Switching Policy dialog box: Enter a Name for the content switching policy. These steps use the name Data_Requests.
    2. Enter the Expression:

      HTTP.REQ.HOSTNAME.CONTAINS("StorageZonesControllerHostName") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT

    3. Click OK.

      For more information, refer to Content Switching in the NetScaler documentation.

  3. Create a content switching policy for user requests for data accessed from StorageZone Connectors.
    1. In the Configure Content Switching Policy dialog box: Specify a Name for the content switching policy. These steps use the name Connector_Requests.
    2. Enter the Expression:

      HTTP.REQ.HOSTNAME.CONTAINS("StorageZonesControllerHostName") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))

    3. Click OK.
  4. Create a content switching virtual server.
  5. Set the content switching policy targets:
    • In the Configure Virtual Server (Content Switching) dialog box: For the Data_Requests policy, specify the load balancer virtual server for StorageZones for ShareFile data.

      This load balancer virtual server is the one to which you bound the responder policy in Step 4 of "To check for valid URI signatures on all incoming messages and to load balance."

    • For the Connector_Requests policy, specify the load balancer virtual server for StorageZone Connectors.
  6. Configure the authentication virtual server for StorageZone Connectors:

    Although authentication to NetScaler is optional, it is a recommended best practice.

    1. In the navigation pane, expand Load Balancing, select the name of the load balancer virtual server for StorageZone Connectors, and then click Open.
    2. In the Configure Virtual Server (Load Balancing) dialog box, click the Advanced tab and then expand Authentication Settings.
    3. Select the check box for 401 Based Authentication and then choose the Authentication VServer.
    4. Click the Method and Persistence tab.
    5. For Persistence, choose COOKIEINSERT.
    6. For Time-out (min), enter 240.

      A time-out value of 240 minutes is recommended. The minimum value should be greater than 10 minutes.

      For more information, refer to Configuring the Authentication Virtual Server in the NetScaler documentation.

  7. Use the Configure Authentication Server dialog box to create and configure an authentication server.

    In SSO Name Attribute, enter userPrincipalName.

    For more information about other settings, refer to Authentication Policies in the NetScaler documentation.

  8. Configure an authentication policy for the authentication server just created:
    1. In the Configure Authentication Policy dialog box: Enter a Name for the policy and then select the authentication Server configured in the previous step.
    2. Enter the Expression:

      ns_true

    For more information, refer to Configure an authentication policy in the NetScaler documentation.
  9. Configure a session profile for single sign-on:
    1. In the Configure Session Profile dialog box, enter a Name for the profile.
    2. Select the check box for Single Sign-on to Web Applications.
    3. For Credential Index, select PRIMARY.
    4. In Single Sign-on Domain, enter the domain name for your StorageZones Controller.
    5. Select the Override Global check boxes for each of the preceding three items.
    For more information, refer to Session Profiles in the NetScaler documentation.
  10. Configure a session policy for single sign-on:
    1. In the Configure Session Policy dialog box, enter a Name for the policy.
    2. For Request Profile, select the name of the session profile configured in the previous step.
    3. Enter the Expression:

      ns_true

    For more information, refer to Session Policies in the NetScaler documentation.
  11. Create an authentication virtual server:
    1. In the Configure Virtual Server (Authentication) dialog box, enter a Name and the IP Address for the server.
    2. Click the Authentication tab and for Protocol, select SSL.
    3. Select the check box for Authenticate Users.
    4. Under Authentication Policies, click Primary and then choose the authentication policy you configured in Step 7.
    5. Click the Policies tab, click Session, and then choose the session policy you configured in Step 9.
    For more information, refer to Configuring the Authentication Virtual Server in the NetScaler documentation.