System requirements

Dec 22, 2015

StorageZones Controller

  • A dedicated physical or virtual machine with 2 CPUs and 4 GB RAM
  • Windows Server 2012 R2 (Datacenter, Standard, or Essentials)

    or

    Windows Server 2008 R2, 64-bit edition, SP1 (Datacenter, Standard, or Essentials)

  • For standard StorageZones:
    • Use a publicly-resolvable Internet hostname (not an IP address).
    • Enable SSL for communications with ShareFile.

      The SSL certificate on the StorageZones Controller must be trusted by user devices and ShareFile web servers.

      If you use SSL directly with IIS, refer to http://support.microsoft.com/kb/298805 for information about configuring SSL.

    • Allow inbound TCP requests on port 443 through the Windows firewall.
    • Allow outbound TCP requests to the ShareFile control plane on port 443 through the Windows firewall.

      ShareFile.com control plane IP range: 173.199.5.0 - 173.199.5.255.

      ShareFile.eu control plane IP range: 78.108.127.0 - 78.108.127.255.

    • Allow outbound TCP requests to *.sf-api.com or *.sf-api.eu on port 443 through the Windows firewall.
  • For restricted StorageZones:
    • Use an internal or external hostname.
    • Enable SSL for communications with ShareFile.

      If you use an internal hostname, you can use a private certificate. The certificate must be trusted by user devices.

      If you use an external hostname, the SSL certificate on the StorageZones Controller must be trusted by user devices and ShareFile web servers.

    • Provide outbound HTTP access from StorageZones Controller to one of the following service bus URIs:
      • ShareFile.com accounts: sf-zk-email-use.servicebus.windows.net
      • ShareFile.eu accounts: sf-zk-email-euw.servicebus.windows.net

      Be sure to arrange network dependencies with your networking team.

  • For the server health check used only for StorageZones for ShareFile Data: Open port 80 on the localhost.
  • For a high availability production environment:
    • A minimum of two servers with StorageZones Controller installed.
    • If you are not using DMZ proxy servers, install an SSL certificate on the IIS service.

      For information about supported certificates, see the certificate requirements for standard and restricted zones above.

  • For a DMZ proxy deployment:
    • One or more DMZ proxy servers, such as Citrix NetScaler VPX instances
    • For a DMZ proxy server that terminates the client connection and uses HTTP, install a public SSL certificate on the proxy server.

      If communications between the DMZ proxy server and the StorageZones Controller are secure, you can use HTTP. However, HTTPS is recommended as a best practice. If you use HTTPS, you can use a private (Enterprise) certificate on the StorageZones Controller if it is trusted by the DMZ proxy. The external address exposed by the DMZ proxy must use a commercially trusted certificate. For information about supported certificates, see the certificate requirements for standard and restricted zones above.
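The firewall requirements for a standard zone, written as Windows Firewall rules. This is an added example, not a script shipped with StorageZones Controller; it assumes Windows Server 2012 R2 (the NetSecurity cmdlets are not available on Windows Server 2008 R2), a ShareFile.com account, and rule display names chosen here for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the controller.
# Rule display names are labels chosen for this example.

# Control plane range from this page (ShareFile.com accounts).
# For ShareFile.eu accounts use '78.108.127.0-78.108.127.255' instead.
$controlPlane = '173.199.5.0-173.199.5.255'

# Inbound HTTPS to the controller.
New-NetFirewallRule -DisplayName 'StorageZones inbound HTTPS' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Outbound HTTPS, limited to the control plane range rather than any address.
New-NetFirewallRule -DisplayName 'StorageZones outbound control plane' `
    -Direction Outbound -Protocol TCP -RemotePort 443 `
    -RemoteAddress $controlPlane -Action Allow | Out-Null

# Outbound allow rules only change behaviour where a profile's default
# outbound action is Block. Windows Firewall rules match addresses, not DNS
# names, so *.sf-api.com / *.sf-api.eu cannot be written as a RemoteAddress;
# check the defaults to see whether that traffic is already permitted.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize

# Read the rules back together with the port and address filters stored for them.
Get-NetFirewallRule -DisplayName 'StorageZones*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        RemoteAddr = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```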
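A way to check the certificate requirements above from the point of view of one machine's trust store. This is an added example, not part of the StorageZones Controller tools; `Test-ZoneCertificate` is a function name chosen here and `zone.example.com` is a placeholder host name.

```powershell
# Added example: report how this machine judges the certificate presented by
# a StorageZones Controller or the DMZ proxy in front of it.
function Test-ZoneCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    # Standard zones must be addressed by host name, not by IP address.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostName, [ref]$ip)) {
        throw "'$HostName' is an IP address; the zone needs a host name."
    }

    # Let the handshake complete whatever the verdict, but record the verdict.
    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # None means: chain trusted by this machine AND name matches $HostName.
            PolicyErrors = $script:policyErrors
            Trusted      = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host name):
#   Test-ZoneCertificate -HostName 'zone.example.com'
```

The result reflects only the trust store of the machine it runs on, so run it from a representative user device; a private certificate on an internal hostname reports as trusted only where the issuing CA has been deployed.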

Other requirements

  • The StorageZones Controller installer requires administrative privileges.
  • For remote administration of StorageZones Controller, use a remoting protocol, such as RDP or Citrix ICA, to connect to the server and then open the StorageZones Controller console.
  • If you use User Management Tool to provision user accounts, User Management Tool 1.7.3 is required for restricted zones.

StorageZones for ShareFile Data

StorageZones for ShareFile Data is an optional feature that you enable on a StorageZones Controller.

Requirements:

  • ShareFile Enterprise account, with the StorageZone feature enabled
  • A ShareFile user account that includes permission to create and manage zones
  • A CIFS share for private data storage

    If you plan to store ShareFile files in a Windows Azure storage container, the CIFS share is used for temporary files (encryption keys, queued files) and as a temporary storage cache.

  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.

Note: Access to a ShareFile account from an FTP client is not compatible with StorageZones for ShareFile Data.

StorageZone Connector for SharePoint

StorageZone Connector for SharePoint is an optional feature that you enable on a StorageZones Controller.

Requirements:

  • ShareFile Enterprise account, with the StorageZone feature enabled, or Citrix XenMobile
  • Microsoft SharePoint Server 2013 or 2010
  • The StorageZones Controller server must be a domain member, in the same forest as the SharePoint server.
  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.
  • SharePoint policies:
    • The default maximum upload file size for a Web application in SharePoint 2013 is 250 MB and in SharePoint 2010 is 50 MB. To change the default: In SharePoint Central Administration, go to the Web Application General Settings page and change the Maximum Upload Size. The upload file size limit for SharePoint is 2 GB.
    • ShareFile clients always attempt to check in a major version (publish) of a file. However, SharePoint policies determine whether a file is checked in as a major or minor version.
    • The SharePoint View-Only permission does not enable a user to download files. To read a file from a ShareFile client, a SharePoint user must have Read permission.
  • User devices: For the latest information about user device support for StorageZone Connectors, refer to the ShareFile Knowledge Base.

StorageZone Connector for SharePoint authentication

After authenticating the user, the StorageZones Controller server makes connections to the SharePoint server on the authenticated user’s behalf and responds to authentication challenges presented by the SharePoint server. StorageZone Connector for SharePoint supports the following authentication methods on the SharePoint server.

  • Basic

    Requires that you add <add key="CacheCredentials" value="1" /> to C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config.

  • Negotiate (Kerberos)
  • Windows Challenge/Response (NTLM)

ShareFile mobile clients use Basic authentication over HTTPS to authenticate to the StorageZones Controller or DMZ proxy. Single sign-on to SharePoint is governed by the authentication requirements set on the SharePoint server. To use Kerberos or NTLM authentication on the SharePoint server: Configure the domain controller to trust the StorageZones Controller for delegation.

If your SharePoint server is configured for Kerberos authentication: Configure a service principal name (SPN) for the named user service accounts for the SharePoint server application pool. For more information, refer to "Configure trust for delegation for Web parts" in http://support.microsoft.com/kb/832769.

For deployments with NetScaler, it is possible to terminate Basic authentication at the NetScaler and then perform other types of authentication to the StorageZones Controller.

The following table indicates the supported scenarios when NetScaler is configured for Basic authentication.

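Rows: authentication method on StorageZones Controller. Columns: authentication method on SharePoint server.

| StorageZones Controller | Basic   | Negotiate (Kerberos) | NTLM |
|-------------------------|---------|----------------------|------|
| Basic                   | Yes (1) | Yes                  | Yes  |
| Negotiate (Kerberos)    | No      | Yes (2)              | No   |
| NTLM                    | No      | Yes                  | No   |
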
(1) Requires that you add <add key="CacheCredentials" value="1" /> to C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config.

(2) To provide users with a single sign-on experience, configure the Connector for NTLM authentication.

The following diagram summarizes the supported combinations of authentication types based on whether the user authenticates at NetScaler.


Diagram of StorageZones Controller authentication options

StorageZone Connector for Network File Shares

StorageZone Connector for Network File Shares is an optional feature that you enable on a StorageZones Controller.

Requirements:

  • ShareFile Enterprise or Citrix XenMobile account
  • The StorageZone Connector server must be a domain member, in the same forest as the network file servers.
  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.
  • User devices: For the latest information about user device support for StorageZone Connectors, refer to the ShareFile Knowledge Base.

Connector for Network File Shares authentication

After authenticating the user, the StorageZones Controller server makes connections to the network file server on the authenticated user’s behalf and responds to authentication challenges presented by the file server. StorageZone Connector for Network File Shares supports the following authentication methods on the file server.

  • Negotiate (Kerberos)
  • Windows Challenge/Response (NTLM)

To use Kerberos or NTLM authentication on the StorageZones Controller: Configure the domain controller to trust the StorageZones Controller for delegation.

For deployments with NetScaler: To provide users with a single sign-on experience when NetScaler is configured for Basic authentication, configure the Connector for both Negotiate (Kerberos) and NTLM authentication.

PowerShell scripts and commands

The StorageZones Controller installation includes several PowerShell scripts and commands, located in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\.

  • Run the scripts in the 32-bit (x86) version of PowerShell.
  • For best results, upgrade to PowerShell 4.0, included with Windows Management Framework 4.0.

    PowerShell 2.0 causes significant problems due to compatibility issues with .NET Framework 4.

Client requirements for restricted StorageZones

The ShareFile web application supports restricted StorageZones from the following web browsers:

  • Internet Explorer 11

    To enable access from the ShareFile web application to folders and connectors in restricted zones:

    1. Open Internet Explorer, go to Internet Options, click the Security tab, and then click Trusted Sites.
    2. Click Sites and then add your subdomain and the external StorageZones Controller address.
    3. Click Close and then click Custom Level.
    4. For Miscellaneous > Access data sources across domains, select Enable.
    5. For User Authentication > Logon, select Prompt for user name and password.
  • Chrome
  • Firefox
  • Safari
  • WorxWeb

To support restricted StorageZones, ShareFile clients must be upgraded to the following versions or later:

  • ShareFile Sync for Windows 3.1
  • ShareFile Outlook Plugin 3.2.2
  • ShareFile for iOS 3.3
  • ShareFile for Android 3.4
  • ShareFile for Windows Phone 2.3.10

Note: For the latest information about ShareFile client capabilities, see the ShareFile support site or contact your ShareFile support representative.

These ShareFile clients and tools are not supported for use with restricted StorageZones as of the publication date of this article:

  • Off-domain use of ShareFile Desktop Sync for Windows 3.1 and ShareFile Outlook Plug-in

    The clients must be on a domain-joined Windows desktop that is in the same Active Directory forest as the StorageZones Controller server. Clients can use NTLM or Kerberos for silent authentication to a restricted zone.

  • On-Demand Sync for Windows
  • Sync for Mac
  • ShareFile Enterprise Sync Manager
  • WorxMail for iOS
  • ShareFile Desktop Widget
  • ShareFile for BlackBerry
  • ShareFile mobile website

The following alternative account access methods are not supported for use with restricted StorageZones:

  • FTP
  • PowerShell
  • ShareFile Command Line Interface (SFCLI)
  • HTTPS API (V1)
  • WebDAV
  • SMTP