ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes StorageZones Controller and the User Management Tool.
ShareFile StorageZones Controller extends the ShareFile Software as a Service (SaaS) cloud storage by providing your ShareFile account with private data storage, referred to as StorageZones for ShareFile Data. Managing your own data storage enables you to meet regulatory compliance requirements and to locate the storage close to users for optimized performance.
You can use the ShareFile-managed cloud storage by itself or in combination with storage that you maintain, called StorageZones for ShareFile Data. The StorageZones that you maintain can reside in your on-premises single-tenant storage system or in supported cloud storage, such as Windows Azure.
StorageZones Controller also provides users with secure access to SharePoint sites and network file shares through StorageZone Connectors. Connected file shares can include the same network home drives used in Citrix XenDesktop or XenApp environments. StorageZone Connectors enable you to provide secure mobile access to data residing behind your corporate firewall without the need to migrate data to the cloud.
StorageZone Connectors enables ShareFile client users to browse, upload, or download documents. For documents stored in SharePoint, mobile users can download, check out, edit, and check in Microsoft Office documents and annotate Adobe PDF documents. The mobile content editor integrated with ShareFile provides mobile users with a secure, rich editing experience, even when working offline.
Quick links to topic sections:
The following diagram shows the key components in a high-availability deployment.
The components are:
ShareFile control subsystem — Maintained in Citrix Online data centers, the ShareFile control subsystem handles a variety of operations not related to file contents, performs StorageZones health checks, and prevents off-line servers from sending requests.
StorageZones Controller — StorageZones Controller can host a private ShareFile storage subsystem for your data. StorageZones Controller has a Web service that handles all HTTPS operations from end users and the ShareFile control subsystem.
StorageZones for ShareFile Data — This feature provides private data storage: You can store data in an on-premises network file share that you manage or in a Windows Azure storage container. Either storage option requires a network share for your private data such as encryption keys, queued files, and other temporary items. If you use Windows Azure storage, the network share also serves as a temporary storage cache. Each StorageZones Controller in a StorageZone must use the same network share.
This figure shows the key components when Windows Azure storage is used.
ShareFile Enterprise administrators can choose the per-folder storage location, either ShareFile-managed cloud storage or your private data storage. This feature enables you to optimize performance by locating data close to the users. It also enables you to address data sovereignty and compliance requirements.
StorageZone Connectors — StorageZone Connectors give mobile users secure access to documents on specified network file shares and to SharePoint sites, site collections, and document libraries.
StorageZone Connectors is enabled on a StorageZones Controller and integrates with ShareFile Enterprise subdomains. You can deploy StorageZone Connectors in the same zone as StorageZones for ShareFile Data. However, StorageZones for ShareFile Data is not required to use StorageZone Connectors.
StorageZones Controllers do not store any data for StorageZone Connectors. ShareFile.com stores the encrypted top level path for StorageZone Connectors.
StorageZone Connectors are available to sites using ShareFile Enterprise or Citrix XenMobile.
By default, ShareFile stores data in the secure ShareFile-managed cloud storage. StorageZones Controller provides private data storage, either an on-premises network share that you manage or a Windows Azure storage container. With StorageZones Controller, you can optimize performance by locating data storage close to users and you control storage for compliance purposes.
High availability requires at least two StorageZones Controllers per StorageZone. A StorageZone must use a single file share for all of its StorageZones Controllers.
Based on your organization’s performance and compliance requirements, consider the number of StorageZones you need and where to best locate them. For example, if you have users in Europe, storing the files in a StorageZones Controller located in Europe provides both performance and compliance benefits. In general, assigning users to the StorageZone that is closest to them geographically is the best practice for optimizing performance.
Your organization may need to meet specific security standards to satisfy regulatory requirements. This topic does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult http://www.citrix.com/security/, or contact your Citrix representative.
Security best practices:
The authentication method configured for your ShareFile Enterprise account is used to authenticate users accessing data stored in your StorageZones and on network files shares or SharePoint servers made available through StorageZone Connectors.
If a user needs to use different credentials to access connected files, the user must log out of ShareFile and then log on using the alternate credentials.
ShareFile recommends that you integrate your ShareFile account with third-party authentication, such as Active Directory (AD), using one of the following methods.
For more information, refer to the XenMobile documentation.
ShareFile supports the following SAML IdPs:
You can designate a StorageZone as standard or restricted.
The following table summarizes the differences between standard and restricted zones.
|Properties||Standard zones||Restricted zones|
|StorageZone servers can be managed by…||Citrix or you||you|
|User authentication is handled by…||ShareFile.com or ShareFile.eu||a combination of ShareFile.com or ShareFile.eu plus your on-premises StorageZones Controller|
|Files can be shared with…||employees and third party users (that is, anyone with an email address)||employees or other users who have a domain account|
|File and folder metadata stored in the ShareFile control plane is…||stored in clear text, visible to some Citrix employees||encrypted with your private keys, which are not available to Citrix|
|Email notifications are sent using…||ShareFile mail servers or your SMTP servers||your SMTP servers|
|An external address for the zone is…||required||not required|
In a Citrix-managed zone, the ShareFile cloud performs all operations except for employee authentication, which is handled by StorageZones Controller. The following table indicates how operations are handled for standard and restricted zones.
|Standard zone||Operation||Restricted zone|
|Website maintenance and updates|
|Client and application updates|
|File storage and encryption|
|Upload and download authorization|
|Email notifications (SMTP)|
|Third-party user authentication||No third-party access|
ShareFile supports a mix of standard and restricted zones within an account. You can create multiple restricted zones, each with their own unique authentication requirements. For example, if users in Domain A should not be allowed to share files with users in Domain B, install a separate restricted zone for each domain.
The rest of this section describes the workflow in ShareFile-managed, standard, and restricted zones.
When a ShareFile client interacts with a ShareFile-managed zone, all requests and traffic go through the ShareFile cloud and all of your ShareFile data is stored in the ShareFile cloud.
The following diagram summarizes the workflow for ShareFile-managed cloud storage.
When a ShareFile client interacts with a standard zone, ShareFile handles user log on requests and then authorization occurs between the ShareFile cloud and StorageZones Controller. A StorageZones Controller that hosts standard zones must have an external address and external SSL certificate. The StorageZone SSL certificate must be trusted by user devices and ShareFile web servers.
The ShareFile client interacts with StorageZones Controller during file operations. The controller stores files in the storage location defined for the zone and sends unencrypted metadata to the ShareFile cloud.
Users can share files that reside in standard zones with anyone who has an email address.
When users share or download files from a standard zone, ShareFile uses ShareFile SMTP servers to send email notifications.
The following diagram summarizes the workflow for a standard zone.
When a ShareFile client interacts with a restricted zone, ShareFile handles user log on requests. Authorization occurs between the StorageZones Controller and ShareFile client instead of between StorageZones Controller and the ShareFile cloud.
As a result, a StorageZones Controller that hosts restricted zones can reside behind your firewall and does not require an external address or external SSL certificate. The SSL certificate on the StorageZones Controller must be trusted by user devices. When StorageZones Controller is configured with an internal address, users must connect to your company network or a VPN to access documents in a restricted zone.
Access to data stored in a restricted zone has these authentication requirements:
This extra authentication requirement limits sharing so that documents can only be shared with users who have access to the StorageZones Controller, who authenticate using enterprise credentials, and who have permission to view the documents. Users cannot anonymously share files that are stored in a restricted zone.
The controller uses an authenticated proxy service to read and store encrypted data in the ShareFile cloud and to exchange unencrypted metadata with ShareFile clients. StorageZones Controller encrypts your metadata with an encryption key that is unique to your organization and not available to Citrix. As a result, no one outside of your organization can see folder or file names in restricted zones.
When users share or download files from a restricted zone, your SMTP servers send the email notifications.
The following diagram summarizes the workflow for a restricted zone.