Product Documentation

About ShareFile StorageZones Controller

Sep 27, 2015

ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes StorageZones Controller and the User Management Tool.

ShareFile StorageZones Controller extends the ShareFile Software as a Service (SaaS) cloud storage by providing your ShareFile account with private data storage, referred to as StorageZones for ShareFile Data. StorageZones Controller also provides users with secure access to SharePoint sites and network file shares through StorageZone Connectors. The StorageZones for ShareFile Data and StorageZone Connectors features are optional.

Quick links to topic sections:

Components

The following diagram shows the key components in a high-availability deployment.


Diagram of StorageZones Controller components

The components are:

ShareFile control subsystem — Maintained in Citrix Online data centers, the ShareFile control subsystem handles all operations not related to file contents, such as authentication, authorization, file browsing, configuration, metadata handling, sending and requesting files, and load balancing. The control subsystem also performs StorageZones health checks and prevents off-line servers from sending requests.

StorageZones Controller — StorageZones Controller can host a private ShareFile storage subsystem for your data. The ShareFile storage subsystem handles operations related to file contents such as uploads, downloads, and antivirus verification. StorageZones Controller has a Web service that handles all HTTPS operations from end users and the ShareFile control subsystem. A high-availability deployment includes two or more StorageZones Controllers.

StorageZones for ShareFile Data — The StorageZones for ShareFile Data feature provides private data storage: You can store data in an on-premises CIFS share that you manage or in a Windows Azure storage container. Either storage option requires a network share for your private data such as encryption keys, queued files, and other temporary items. Use of Windows Azure storage also uses the network share for a temporary storage cache. Each StorageZones Controller in a zone must use the same CIFS share.

This figure shows the key components when Windows Azure storage is used.


Diagram of StorageZones Controller components with Windows Azure storage

ShareFile Enterprise administrators can choose the per-folder storage location, either ShareFile-managed cloud storage or your private data storage. This feature enables you to optimize performance by locating data close to the users. It also enables you to address data sovereignty and compliance requirements.

StorageZone Connectors — StorageZone Connectors give mobile users secure access to documents on specified network file shares and to SharePoint sites, site collections, and document libraries.

  • StorageZone Connector for Network File Shares enables mobile users to browse, upload, or download documents. Supported ShareFile clients display the documents under Folders > File Shares. Connected file shares can include the same network "home" drives used in Citrix XenDesktop or XenApp environments.

    StorageZones Controllers store file share names only, not file share data or credentials.

  • StorageZone Connector for SharePoint enables mobile users to download, check out, edit, and check in Microsoft Office documents and to annotate Adobe PDF documents. The mobile content editor integrated with ShareFile provides mobile users with a secure, rich editing experience, even when working offline. Supported ShareFile clients display SharePoint resources under Folders > SharePoint.

StorageZone Connectors is enabled on a StorageZones Controller and integrates with ShareFile Enterprise subdomains. You can deploy StorageZone Connectors in the same zone as StorageZones for ShareFile Data. However, StorageZones for ShareFile Data is not required to use StorageZone Connectors.

StorageZone Connectors are available to sites using ShareFile Enterprise or Citrix XenMobile. Permissions for read/write access are determined by the ShareFile plan: ShareFile Enterprise Edition and XenMobile Enterprise Edition support read/write access. XenMobile MDM Edition and XenMobile App Edition support read access only.

Data storage

By default, ShareFile stores data in the secure ShareFile-managed cloud storage. The StorageZones for ShareFile Data feature enables you to use private data storage, either an on-premises CIFS share that you manage or a Windows Azure storage container. StorageZones Controller enables you to optimize performance by locating data storage close to users and enables you to control storage for compliance purposes.

High availability requires at least two StorageZones Controllers per StorageZone. A StorageZone must use a single file share for all of its StorageZones Controllers.

Based on your organization’s performance and compliance requirements, consider the number of StorageZones you need and where to best locate them. For example, if you have users in Europe, storing the files in a StorageZones Controller located in Europe provides both performance and compliance benefits. In general, assigning users to the StorageZone that is closest to them geographically is the best practice for optimizing performance.

ShareFile offers these storage options:

  • ShareFile-managed cloud storage — Citrix maintains a secure public multi-tenant storage system for ShareFile data. You can use ShareFile-managed cloud storage by itself or in combination with StorageZones for ShareFile Data.
    Diagram of ShareFile-managed cloud storage

  • StorageZones for ShareFile Data — You can store ShareFile data in either Windows Azure cloud storage or a private single-tenant storage system that you maintain. You specify a storage option when you configure StorageZones for ShareFile Data.
    Diagram of on-premises data storage

Data storage security considerations

  • In an enterprise environment where the CIFS share for a StorageZone is already secured by third-party tools, we recommend that you do not encrypt the files on the share. Although this additional security is offered as an option for maximum security when required, encrypting files on the share will make the disk unreadable by third-party tools such as antivirus scanners and filer tools, including data deduplication tools. ShareFile uses a file encryption key to confirm the validity of download requests and encrypt the storage.
  • Place the StorageZones Controllers inside the network, with DMZ tools protecting them.
  • For maximum security, use Citrix NetScaler or NetScaler VPX.
  • Use SSL-encrypted connections to ensure the security of information transmitted between your users and StorageZones. If you are not using DMZ proxy servers, install a public SSL certificate on the IIS service of all StorageZones Controllers. For a DMZ proxy server that terminates the client connection and uses HTTP, install a public SSL certificate on the proxy server.
  • To control connections to ShareFile, IP whitelisting is not a recommended security practice because connections originate from a number of servers in the ShareFile-managed cloud storage, as well as from each individual user device. IP blacklisting, however, is an effective network-level control if your site needs additional security.

Security best practices

Your organization may need to meet specific security standards to satisfy regulatory requirements. This topic does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult http://www.citrix.com/security/, or contact your Citrix representative.

Security best practices:

  • Keep all computers in your environment up to date with security patches.
  • Protect all computers in your environment with antivirus software.
  • Protect all computers in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
  • All computers in your environment should be protected by a personal firewall on the computer.
  • All network communications should be appropriately secured and encrypted to match your security policy. You can secure all communication between Microsoft Windows computers using IPsec. Refer to your operating system documentation for information.
  • You should grant users only the capabilities they require.

User authentication

The authentication method configured for your ShareFile Enterprise account is used to authenticate users accessing data stored in your StorageZones and on network files shares or SharePoint servers made available through StorageZone Connectors.

If a user needs to use different credentials to access connected files, the user must log out of ShareFile and then log on using the alternate credentials.

ShareFile recommends that you integrate your ShareFile account with third-party authentication, such as Active Directory (AD), using one of the following methods.

  • Integrate ShareFile with Citrix XenMobile. The recommended best practice is to integrate ShareFile with Citrix XenMobile App Edition or XenMobile Enterprise Edition, a simpler alternative to configuring Security Assertion Markup Language (SAML)-based federation. When ShareFile is used with those XenMobile editions, App Controller provides ShareFile with single sign-on authentication of Worx Mobile App users, AD-based user account provisioning, and comprehensive access control policies. The App Controller Management Console enables you to perform ShareFile configuration and to monitor service levels and license usage.

    For more information, refer to the XenMobile documentation.

  • Configure ShareFile to communicate with a SAML-based federation tool running in your network. This configuration provides ShareFile users with single sign-on authentication when they log on to ShareFile using their AD credentials. User logon requests are redirected to AD. You can use the same SAML Identity Provider (IdP) that you use for other web applications.

    ShareFile supports the following SAML IdPs:

    XenMobile

    Microsoft Active Directory Federation Services (ADFS)

    Ping Federate

    When you use a third-party SAML-based federation tool, you can provision user accounts and create distribution groups from AD with the ShareFile User Management Tool. You install the User Management Tool on-premises.

ShareFile Enterprise and XenMobile

Each edition of Citrix XenMobile includes a different set of ShareFile features.

  • XenMobile MDM Edition includes support for StorageZones Connector for SharePoint and StorageZones Connector for Network File Shares:
    • Mobile users can securely browse and download documents from SharePoint document libraries and network file shares.
    • Administrators and users can create Connectors.
    • All data handled by a Connector is encrypted.
    • Connectors support Active Directory authentication.
  • XenMobile Advanced Edition provides the above features plus the ability to wrap ShareFile in MDX technology. When MDX-wrapped, ShareFile benefits from the MDX micro-VPN, single sign-on with Citrix Worx, and two-factor authentication.
  • XenMobile Enterprise Edition includes all ShareFile Enterprise features. If you have the XenMobile MDM or Advanced Editions and want to use ShareFile Enterprise features, upgrade to XenMobile Enterprise Edition.