
ShareConnect

Jun 22, 2016
With ShareConnect, users can securely connect to their computers through iPads, Android tablets, and Android phones to access their files and applications. Users can work on files that reside on both their computers and on connected and networked drives.
When ShareConnect is running, the applications on the users' computers run within ShareConnect. Thus, ShareConnect enables you to provide mobile app access to users, without the need to wrap other Worx apps.
ShareConnect is optimized for mobile access to physical or virtual computers. You can also run ShareConnect on XenDesktop for mobile-optimized access to your XenDesktop.

The following video demonstrates ShareConnect features.

Architecture Overview

ShareConnect components include the Citrix-owned ShareConnect Broker and the ShareConnect Communication Servers, as shown in the following figure. The ShareConnect Broker is an application server and database that maps users to computers and lets users know whether their host computer is online or offline. ShareConnect Communication Servers are used to exchange data between host and client computers. That data can flow through a secure micro VPN tunnel between the host and client computers based on XenMobile settings.

WorxDesktop architecture

In addition, ShareFile can provide user authentication through single sign-on (SSO) with a SAML Identity Provider (IdP), such as XenMobile or Active Directory Federation Services (ADFS). Access to resources outside of the network is provided through NetScaler Gateway in a deployment with XenMobile.

How Connections Work in ShareConnect

ShareConnect establishes either direct or indirect connections:

  • Direct connections. ShareConnect establishes a direct connection between the client computer and host computer if the computers are on the same LAN or WiFi network. In this scenario, data flows directly between the host computer and the client computer or mobile device used to access it. Data does not flow through the ShareConnect Communication Servers, resulting in optimal performance. For direct connections, XenMobile uses NetScaler Gateway to provide secure access to resources outside of the local network.
  • Indirect connections. ShareConnect establishes an indirect connection between the client computer and host computer if the computers are not directly reachable. In this scenario, data flows through the ShareConnect Communication Servers.

The following figure shows the connections used when users access a host computer from a computer or mobile device running ShareConnect using direct connections. Connection steps are described after the figure.

① In this scenario, XenMobile is configured to act as a SAML IdP for ShareFile, to provide SSO from Worx Home. ShareConnect requests a SAML token from Worx Home, which in turn passes the request to XenMobile through NetScaler Gateway. XenMobile then sends the SAML token to ShareConnect.

② ShareConnect sends the SAML token to ShareFile for validation and to exchange the SAML token for an OAuth token.

③ ShareConnect sends the OAuth token to the ShareConnect broker, which then sends a session token to ShareConnect.

④ ShareConnect gets a list of host computers from the ShareConnect Broker and prompts for host computer credentials. ShareConnect then establishes a direct connection with the ShareConnect Communication Server. After the host computer validates the credentials, ShareConnect gets a list of files and apps from the host computer. After the user opens a file or app, a direct connection occurs between ShareConnect and the host computer.

⑤ The ShareConnect agent on the host computer sends status messages to the ShareConnect Poll Server to indicate whether it’s online or offline.

⑥ The ShareConnect Poll Server sends load-balanced requests from the ShareConnect agent to the ShareConnect Broker and sends host status updates to the ShareConnect Broker.

ShareConnect and Security

ShareConnect uses built-in 128-bit AES encryption so that all data sent between the ShareConnect client and a host computer running the ShareConnect agent is fully encrypted end to end. The encryption key is unique for each connection. Even the most sophisticated devices cannot intercept the data necessary to decode the encryption.

You typically configure ShareConnect so that data is routed directly between the ShareConnect client and a host computer. Data is not routed through the ShareConnect Communication Servers unless you configure the Network access policy for unrestricted access. For policy details, see To add ShareConnect to XenMobile in this article.

For direct or indirect connections, encrypted metadata, such as the IP addresses and ports needed to establish connections, is sent to ShareConnect servers.

In addition, MDX wrapping of ShareConnect provides data encryption through the MDX Vault, which encrypts MDX-wrapped apps and associated stored data on both iOS (pre-iOS 9) and Android devices using FIPS-certified cryptographic modules provided by OpenSSL. For details about data encryption on iOS 9 devices, see Advisory: iOS 9 and XenMobile.

Host Computer Security Features

  • By default, the screen of a connected host computer is blank and the mouse and keyboard are locked. This ensures that no one can see the host computer screen or use its mouse or keyboard when you are connected to it. The ShareConnect Viewer enables you to change those preferences.

Note: Hardware limitations with your video card can prevent screen blanking on multiple monitors.

  • After one hour of no keyboard or mouse activity on a host computer, the session automatically times out.
  • While connected to a host computer, if the ShareConnect app is killed, the session with the host computer ends in five minutes.
  • When the ShareConnect app is put in the background:  
    • After five minutes of inactivity, the app disconnects from the host computer and the user is re-directed to the My Computers screen.
    • After 15 minutes of inactivity, the app disconnects completely and the user is directed to the Sign In screen, where they must enter their user credentials again to use the app, based on SSO settings.
  • A host computer allows only one ShareConnect app session at a time. If a second client, registered to the same ShareConnect account, attempts to connect to a host computer that has an active ShareConnect session, the original session is disconnected.

System Requirements for ShareConnect

  • Host computer operating systems: Windows 7 (minimum version)
  • Supported iOS devices: iPad 2 – iPad Air 2 with iOS versions 7.0 – 9.0
  • Supported Android devices:
    • Any tablet with a screen 7 inches or larger running Android versions 4.1.x, 4.4.x, 5.x, and 6.x
    • Any phone using Android version 4.1.x, 4.4.x, 5.x, and 6.x
    • Android 4.1.x is supported in MDM mode only.
    • Android 4.2 and 4.3 are not supported.

Important

Apps wrapped with MDX Toolkit 10.0.x will not run on iOS 9. Users must upgrade to apps wrapped with MDX Toolkit 10.2 before upgrading to iOS 9. If users try to open older wrapped apps with iOS 9, they will not be able to upgrade those apps and must reinstall a version wrapped with MDX Toolkit 10.2 before upgrading to iOS 9.

Port Requirements for ShareConnect

You must open the following ports to allow ShareConnect communications. The port requirements differ depending on the type of connection, either direct connections (if the computers are on the same LAN or WiFi network) or indirect connections (if the client and host computers cannot directly reach each other).
 
For direct connections

| TCP port | Description | Source | Destination |
| --- | --- | --- | --- |
| 80 | Used for outbound connections from NetScaler Gateway to app.shareconnect.com. | NetScaler Gateway | app.shareconnect.com |
| 80 / 443 / 8200 | At least one of these ports is required for outbound connections from NetScaler Gateway to the ShareConnect Communication Server. For more information, see http://www.citrixonline.com/iprange. | NetScaler Gateway | ShareConnect Communication Servers |
| 80 / 443 / 8200 | Used for outbound connections from ShareConnect host computers to Citrix servers. | ShareConnect host computers | poll.shareconnect.com; ShareConnect Communication Servers |
| 443 | Used for outbound connections from NetScaler Gateway to required sites. | NetScaler Gateway | crashlytics.com; secure.sharefile.com; ShareFile_sub-domain.sharefile.com |
| 53000 - 53010 | Used for outbound connections from NetScaler Gateway to ShareConnect host computers. | NetScaler Gateway | LAN-based ShareConnect host computers |
| 53000 - 53010 | Used for inbound connections from NetScaler Gateway to ShareConnect host computers. | NetScaler Gateway | LAN-based ShareConnect host computers |

For indirect connections

| TCP port | Description | Source | Destination |
| --- | --- | --- | --- |
| 80 | Used for outbound connections from the ShareConnect agent to app.shareconnect.com. | ShareConnect agent | app.shareconnect.com |
| 80 / 443 / 8200 | At least one of these ports is required for outbound connections from the ShareConnect agent to the ShareConnect Communication Server. For more information, see http://www.citrixonline.com/iprange. | ShareConnect agent | ShareConnect Communication Servers |
| 80 / 443 / 8200 | Used for outbound connections from ShareConnect host computers to Citrix servers. | ShareConnect host computers | poll.shareconnect.com; ShareConnect Communication Servers |
| 443 | Used for outbound connections from the ShareConnect agent to required sites. | ShareConnect agent | crashlytics.com; secure.sharefile.com; ShareFile_sub-domain.sharefile.com |
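
The outbound rows listed for the ShareConnect agent and host computers under indirect connections can be checked from a host computer before the agent is rolled out. The following Python script is an added example, not Citrix code: the names agent_requirements, evaluate, blocked and https_only_egress and the subdomain placeholder are assumptions, and the Communication Server addresses (published at the IP-range URL in the table) are left out. It treats each row as met when at least one listed port is reachable, and it runs against a constructed firewall that allows only outbound 443.

```python
import socket
from typing import Callable, NamedTuple

class Requirement(NamedTuple):
    destination: str
    ports: tuple  # the row is met when at least one listed port is reachable

def agent_requirements(sharefile_subdomain: str) -> list:
    """Outbound rows for indirect connections, taken from the port table.
    Communication Server addresses are omitted (see the published IP range)."""
    return [
        Requirement("app.shareconnect.com", (80,)),
        Requirement("poll.shareconnect.com", (80, 443, 8200)),
        Requirement("crashlytics.com", (443,)),
        Requirement("secure.sharefile.com", (443,)),
        Requirement(f"{sharefile_subdomain}.sharefile.com", (443,)),
    ]

def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or DNS failure
        return False

def evaluate(requirements, probe: Callable[[str, int], bool] = tcp_probe) -> dict:
    """Map each destination to the listed ports that were reachable."""
    return {r.destination: [p for p in r.ports if probe(r.destination, p)]
            for r in requirements}

def blocked(requirements, reachable: dict) -> list:
    """Rows with no reachable port, formatted as 'host:port/port'."""
    return [f"{r.destination}:{'/'.join(map(str, r.ports))}"
            for r in requirements if not reachable[r.destination]]

def https_only_egress(host: str, port: int) -> bool:
    """Constructed stand-in for a firewall that allows only outbound TCP 443."""
    return port == 443

if __name__ == "__main__":
    reqs = agent_requirements("your-subdomain")  # placeholder account subdomain
    # Offline demonstration against the constructed firewall; drop the probe
    # argument to test the real network from a host computer.
    reachable = evaluate(reqs, probe=https_only_egress)
    for dest, ports in reachable.items():
        print(f"{dest:40} reachable on {ports or 'none'}")
    print("Blocked rows:", blocked(reqs, reachable) or "none")
```

With the constructed 443-only firewall, poll.shareconnect.com is still reachable because any one of its three ports is enough, while the port 80 row for app.shareconnect.com is reported as blocked.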

What's New in ShareConnect

  • Android M compatibility. 

Integrating and Delivering ShareConnect

To integrate and deliver ShareConnect with XenMobile, follow these general steps:

  1. You can optionally enable SSO from Worx Home. To do that, you configure ShareFile account information in XenMobile to enable XenMobile as a SAML IdP for ShareFile.

    Configuring the ShareFile account information in XenMobile is a one-time setup used for all Worx clients, ShareFile Worx clients, and non-MDX ShareFile clients. For details, see To configure ShareFile account information in XenMobile for SSO.

  2. Download (http://www.citrix.com/downloads/xenmobile/product-software.html) and wrap ShareConnect. For details, see About the MDX Toolkit.
  3. Add ShareConnect to XenMobile and configure MDX policies. For details, see To add ShareConnect to XenMobile, in this article.
  4. Install the ShareConnect agent on host computers. The ShareConnect agent is an MSI package, so you can use your existing software deployment methods to distribute and install the agent. Users must then register the host computer by signing on to the Agent using their ShareFile credentials within one hour of installation.

    Alternatively, users can install the ShareConnect agent on the computer they will connect to with ShareConnect. For details, see To install the ShareConnect agent on a computer, in this article.

To add ShareConnect to XenMobile

You add ShareConnect to XenMobile using the same steps as for other MDX apps. For details, see To add an MDX app to XenMobile. When adding ShareConnect, configure the MDX policies for it as shown in the following table.

| Policy | Value | Results |
| --- | --- | --- |
| Network access | Tunneled to the internal network or Unrestricted | Tunneled to the internal network uses a per-application VPN tunnel back to the internal network for all network access. This configuration provides direct connection between ShareConnect and a host computer. Unrestricted uses Citrix-owned Communication Servers to route encrypted data between a host computer and ShareConnect. Be sure to test your setup with unrestricted access to ensure everything works, even if you plan to use Tunneled to the internal network for network access. |
| Preferred VPN mode | Secure browse | Sets the initial connection mode appropriately for connections that require SSO. |
| Enable encryption | On | Encrypts the data stored on the tablet. For details about data encryption and iOS 9, see Advisory: iOS 9 and XenMobile. |
| Cut and copy | Unrestricted | Enables cut and copy operations for ShareConnect. |
| Paste | Unrestricted | Enables paste operations for ShareConnect. |
| Document Exchange (Open In) | Unrestricted | Permits users to open any file on the connected computer or a connected network drive from ShareConnect. |
| Save Password | Off | Requires users to enter the user name and password for their computer each time they sign on to ShareConnect. |


For details, see About MDX Policies for Worx Apps.

To install the ShareConnect agent on a computer

The following steps describe how a user installs the ShareConnect agent on each physical or virtual computer they want to connect to from a supported mobile device.

Before performing these steps, the user must first install Worx Home and follow the prompts to allow the Worx apps to install on the supported mobile device.

  1. Sign on to Worx Home on the tablet.
  2. Open ShareConnect.
  3. Tap Email download link.

    Citrix sends an email to you from no-reply@shareconnect.com.

  4. From the host computer that you want to access from ShareConnect, open the email.
  5. In the email, click Set up this computer.
  6. Double-click ShareConnect_Installer.exe to begin the installation.

    The ShareConnect agent installs on your host computer. During the installation, ShareConnect prompts for an email address (if ShareFile SSO is configured) or for ShareFile credentials (if ShareFile SSO is not configured).

  7. Follow the instructions provided in the ShareConnect and Get Started wizards.

The ShareConnect agent then registers the host computer. A ShareConnect client can connect to the host computer provided that the host computer is powered on and can reach poll.shareconnect.com on at least one published port (80, 443, or 8200).

ShareConnect Features

  • Add host computers. Users can add and connect to remote host computers from supported mobile devices using ShareConnect.
  • Access files. Users can view a list of recent files and browse and search for files on their host computer and connected drives.
  • Edit files. From tablets, users can access desktop applications on their host computers to edit files. Users can work with the applications in full screen.
  • Screen share. Instead of viewing a single file or app, users can use the screen-sharing feature to view their host computer’s desktop.
  • ShareFile integration. Users can move or share files between the host computer and ShareFile.
  • Keyboard and mouse. ShareConnect supports the simultaneous use of a Bluetooth keyboard and the Citrix XI Prototype Mouse.
  • Restricted ports. ShareConnect uses ports 53000 to 53010 only.
  • Forced passwords for each sign-on. For enhanced security, you can configure this option to require users to enter their computer passwords every time they sign on to ShareConnect. When the Save password policy is turned off, as shown in the following figure, users are forced to enter their sign-on credentials for every connection.

  • Add or delete apps. Users can add or delete apps from their app tray in ShareConnect by toggling the switch beside each app to select or deselect it.

  • Cache previewed files. ShareConnect caches already-accessed files so that the files don't download again if users preview other files and then come back to the earlier ones. This feature improves load times when users subsequently access files.

Troubleshooting ShareConnect

ShareConnect Agent Installation Issues

| Issue | Description and resolution |
| --- | --- |
| If a user downloads the ShareConnect agent and waits an hour or more to start the installation, the user must enter their ShareFile account name and password to register the ShareConnect agent. | The ShareConnect agent installer includes a token that expires one hour after download. If a user doesn't start the installation before the token expires, the user must sign on to their ShareFile account twice, first to register the ShareConnect agent and then to sign on to the agent after the installation completes. If users download and install the ShareConnect agent within an hour, they are prompted to sign on only once. |
| During registration of the ShareConnect agent, the agent does not connect and an error message such as "Please check your connection and try again." appears. | Verify that the port to poll.shareconnect.com is not blocked. For details, see the System Requirements earlier in this article. |

ShareConnect Connection Issues

Important

As described in To add ShareConnect to XenMobile earlier in this article, Citrix recommends that, to test ShareConnect, you set the Network Access policy to Unrestricted to rule out issues with ports and network settings. Unrestricted access forces ShareConnect to connect through the ShareConnect Communication Servers, which typically enable you to test the connection if the ShareConnect mobile device and host computer have Internet access.

| Issue | Description and resolution |
| --- | --- |
| ShareConnect starts, but does not connect to the host computer and does not prompt for credentials. | Verify that your setup meets the port requirements detailed earlier in this article under System Requirements. |
| Users are unable to sign on to ShareConnect using their ShareFile account credentials. | SSO to ShareConnect requires that your ShareFile account is configured with a SAML IdP. For details about using XenMobile as a SAML IdP, see To configure ShareFile account information in XenMobile for SSO. For details about configuring other IdPs, see ShareFile Single Sign-On. If SSO is not configured for your account, ShareConnect for iOS prompts for the user’s ShareFile username and password. |
| After users sign on to ShareConnect, ShareConnect cannot connect to the host computer. | When ShareConnect is configured for direct connections (that is, the Network access policy is set to Tunneled to the internal network), connection failures can occur if network settings restrict the connection, for example a firewall that blocks it or a configured proxy server. |