System requirements

Sep 27, 2015

StorageZones Controller

  • A dedicated physical or virtual machine with 2 CPUs and 4 GB RAM
  • Windows Server 2012 R2 (Datacenter, Standard, or Essentials)

    or

    Windows Server 2008 R2, 64-bit edition, SP1 (Datacenter, Standard, or Essentials)

  • Use a publicly-resolvable Internet hostname (not an IP address).
  • Enable SSL for communications with ShareFile.

    The SSL certificate on the StorageZones Controller must be trusted by user devices and ShareFile web servers.

    If you use SSL directly with IIS, refer to http://support.microsoft.com/kb/298805 for information about configuring SSL.

  • Allow inbound TCP requests on port 443 through the Windows firewall.
  • For the server health check used only for StorageZones for ShareFile Data: Open port 80 on the localhost.
  • For a high availability production environment:
    • A minimum of two servers with StorageZones Controller installed.
    • If you are not using DMZ proxy servers, install a public SSL certificate on the IIS service.

      Use an SSL certificate that is from a commercially trusted Certificate Authority. ShareFile does not support self-signed or unsigned certificates.

  • For a DMZ proxy deployment:
    • One or more DMZ proxy servers, such as Citrix NetScaler VPX instances
    • For a DMZ proxy server that terminates the client connection and uses HTTP, install a public SSL certificate on the proxy server.

      If communications between the DMZ proxy server and the StorageZones Controller are secure, you can use HTTP. However, HTTPS is recommended as a best practice. If you use HTTPS, you can use a private (Enterprise) certificate on the StorageZones Controller if it is trusted by the DMZ proxy. The external address exposed by the DMZ proxy must use a commercially trusted certificate.
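
A pre-flight check for the hostname and SSL certificate requirements listed above, added here as an example and not part of the Citrix tooling. The function name Test-ZoneEndpoint and the hostname sz.example.com are placeholders, and the check assumes the endpoint offers TLS 1.2.

```powershell
# Added example, not Citrix code. 'sz.example.com' is a placeholder hostname.
# Uses only .NET 4.5 types so it runs on PowerShell 4.0.
function Test-ZoneEndpoint {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)

    $report = [ordered]@{
        HostName = $HostName; IsHostName = $false; Addresses = @()
        TlsTrusted = $false; SelfSigned = $null; Issuer = $null
        NotAfter = $null; Error = $null
    }
    # Requirement: an Internet hostname, not an IP address.
    $ip = $null
    $report.IsHostName = -not [System.Net.IPAddress]::TryParse($HostName, [ref]$ip)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Uses this machine's resolver; run from outside the network to test public DNS.
        $report.Addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
        $client.Connect($HostName, $Port)

        # No validation callback is supplied, so .NET applies its default checks:
        # the chain must end in a root this machine trusts and the name must match.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        # Assumption: TLS 1.2 is offered. The last argument disables revocation checks.
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
        $report.TlsTrusted = $true

        $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
        $cert = New-Object $x509 -ArgumentList $ssl.RemoteCertificate
        # A self-signed certificate passes the check above if it was imported into
        # the local root store, but ShareFile does not support self-signed certificates.
        $report.SelfSigned = ($cert.Subject -eq $cert.Issuer)
        $report.Issuer     = $cert.Issuer
        $report.NotAfter   = $cert.NotAfter
        $ssl.Dispose()
    }
    catch {
        # Covers DNS failure, a closed port 443, and certificate validation failure.
        $report.Error = $_.Exception.GetBaseException().Message
    }
    finally { $client.Close() }

    [pscustomobject]$report
}

Test-ZoneEndpoint -HostName 'sz.example.com'
```

Run it from a machine outside the domain as well: a private (Enterprise) CA is trusted by domain members but not by user devices or ShareFile web servers, so a result of TlsTrusted = True on a domain member alone does not show the external requirement is met.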

Other requirements

  • The StorageZones Controller installer requires administrative privileges.
  • For remote administration of StorageZones Controller, use a remoting protocol, such as RDP or Citrix ICA, to connect to the server and then open the StorageZones Controller console.

StorageZones for ShareFile Data

StorageZones for ShareFile Data is an optional feature that you enable on a StorageZones Controller.

Requirements:

  • ShareFile Enterprise account
  • A ShareFile user account that includes permission to create and manage zones
  • A CIFS share for private data storage

    If you plan to store ShareFile files in a Windows Azure storage container, the CIFS share is used for temporary files (encryption keys, queued files) and as a temporary storage cache.

  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.

Note: Access to a ShareFile account from an FTP client is not compatible with StorageZones for ShareFile Data.

StorageZone Connector for SharePoint

StorageZone Connector for SharePoint is an optional feature that you enable on a StorageZones Controller.

Requirements:

  • ShareFile Enterprise account or Citrix XenMobile
  • Microsoft SharePoint Server 2013 or 2010
  • The StorageZones Controller server must be a domain member, in the same forest as the SharePoint server.
  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.
  • SharePoint policies:
    • The default maximum upload file size for a Web application in SharePoint 2013 is 250 MB and in SharePoint 2010 is 50 MB. To change the default: In SharePoint Central Administration, go to the Web Application General Settings page and change the Maximum Upload Size. The upload file size limit for SharePoint is 2 GB.
    • ShareFile clients always attempt to check in a major version (publish) of a file. However, SharePoint policies determine whether a file is checked in as a major or minor version.
    • The SharePoint View-Only permission does not enable a user to download files. To read a file from a ShareFile client, a SharePoint user must have Read permission.
  • User devices: For the latest information about user device support for StorageZone Connectors, refer to the ShareFile Knowledge Base.

StorageZone Connector for SharePoint authentication

After authenticating the user, the StorageZones Controller server makes connections to the SharePoint server on the authenticated user’s behalf and responds to authentication challenges presented by the SharePoint server. StorageZone Connector for SharePoint supports the following authentication methods on the SharePoint server.

  • Basic

    Requires that you add <add key="CacheCredentials" value="1" /> to C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config.

  • Negotiate (Kerberos)
  • Windows Challenge/Response (NTLM)

ShareFile mobile clients use Basic authentication over HTTPS to authenticate to the StorageZones Controller or DMZ proxy. Single sign-on to SharePoint is governed by the authentication requirements set on the SharePoint server. To use Kerberos or NTLM authentication on the SharePoint server: Configure the domain controller to trust the StorageZones Controller for delegation.

If your SharePoint server is configured for Kerberos authentication: Configure a service principal name (SPN) for the named user service accounts for the SharePoint server application pool. For more information, refer to "Configure trust for delegation for Web parts" in http://support.microsoft.com/kb/832769.

For deployments with NetScaler, it is possible to terminate Basic authentication at the NetScaler and then perform other types of authentication to the StorageZones Controller.

The following table indicates the supported scenarios when NetScaler is configured for Basic authentication.

Authentication method on       Authentication method on SharePoint server
StorageZones Controller        Basic       Negotiate (Kerberos)    NTLM
Basic                          Yes (1)     Yes                     Yes
Negotiate (Kerberos)           No          Yes (2)                 No
NTLM                           No          Yes                     No

(1) Requires that you add <add key="CacheCredentials" value="1" /> to C:\inetpub\wwwroot\Citrix\StorageCenter\sp\AppSettingsRelease.config.

(2) To provide users with a single sign-on experience, configure the Connector for NTLM authentication.

The following diagram summarizes the supported combinations of authentication types based on whether the user authenticates at NetScaler.


Diagram of StorageZones Controller authentication options

StorageZone Connector for Network File Shares

StorageZone Connector for Network File Shares is an optional feature that you enable on a StorageZones Controller.

Requirements:

  • ShareFile Enterprise or Citrix XenMobile account
  • The StorageZone Connector server must be a domain member, in the same forest as the network file servers.
  • The Web Server (IIS) role and ASP.NET 4.5. For more information, see Prepare your server for ShareFile data.
  • User devices: For the latest information about user device support for StorageZone Connectors, refer to the ShareFile Knowledge Base.

Connector for Network File Shares authentication

After authenticating the user, the StorageZones Controller server makes connections to the network file server on the authenticated user’s behalf and responds to authentication challenges presented by the file server. StorageZone Connector for Network File Shares supports the following authentication methods on the file server.

  • Negotiate (Kerberos)
  • Windows Challenge/Response (NTLM)

To use Kerberos or NTLM authentication on the StorageZones Controller: Configure the domain controller to trust the StorageZones Controller for delegation.

For deployments with NetScaler: To provide users with a single sign-on experience when NetScaler is configured for Basic authentication, configure the Connector for both Negotiate (Kerberos) and NTLM authentication.
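
One way to audit the delegation trust and SPN settings that the SharePoint and Network File Shares connector sections call for, added here as an example and not part of the Citrix tooling. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name Get-DelegationReport and the account names SZC01 and svc-sharepoint are placeholders.

```powershell
# Added example, not Citrix code. Requires the ActiveDirectory module (RSAT).
# 'SZC01' and 'svc-sharepoint' are placeholder account names.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param([Parameter(Mandatory=$true)][string]$ControllerName,
          [string]$AppPoolAccount)

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo'
    $c = Get-ADComputer -Identity $ControllerName -Properties $props
    # SPNs the controller may delegate to (empty unless delegation is constrained).
    $targets = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    if ($c.TrustedForDelegation)  { $mode = 'Unconstrained' }
    elseif ($targets.Count -gt 0) { $mode = 'Constrained' }
    else                          { $mode = 'None' }

    # SPNs registered on the SharePoint application pool service account,
    # needed when the SharePoint server uses Kerberos.
    $spns = @()
    if ($AppPoolAccount) {
        $u = Get-ADUser -Identity $AppPoolAccount -Properties ServicePrincipalName
        $spns = @($u.ServicePrincipalName | Where-Object { $_ })
    }

    [pscustomobject]@{
        Controller         = $c.Name
        # 'Unconstrained' lets the controller impersonate users to any service;
        # review whether delegation limited to the SharePoint or file server
        # SPNs is sufficient for your deployment.
        DelegationMode     = $mode
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        DelegationTargets  = $targets
        AppPoolSpns        = $spns
    }
}

Get-DelegationReport -ControllerName 'SZC01' -AppPoolAccount 'svc-sharepoint'
```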

PowerShell scripts and commands

The StorageZones Controller installation includes several PowerShell scripts and commands, located in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\.

  • Run the scripts in the 32-bit (x86) version of PowerShell.
  • For best results, upgrade to PowerShell 4.0, included with Windows Management Framework 4.0.

    PowerShell 2.0 causes significant problems due to compatibility issues with .NET Framework 4.