Citrix ShareFile Storage Zones, NetScaler Unified Gateway and ADFS

I have been meaning to get round to posting about Citrix ShareFile for some time now.  Citrix ShareFile is an enterprise file-sharing tool from Citrix that can use both on-premises and cloud-based storage repositories and, more importantly, lets you validate and control where your company data lives and who has access to it.

The idea of this post is: “by following this article you can take a standard cloud-based ShareFile account and provide secure access to on-premises storage, using your existing company identity management platform and credentials as an authentication method, and present it all from a single NetScaler Unified Gateway”

This post will cover the following areas:

  • External DNS
  • Citrix NetScaler Configuration
  • Citrix ShareFile Storage Zone Installation and Configuration
  • ADFS Configuration for ShareFile
  • Citrix ShareFile SAML and SSO Configuration

First, as always, there are some assumptions about what you have in place prior to implementing this.

  • A working Unified Gateway – This can be wizard built or manually built but we will be using the content switching capability of the Unified Gateway to provide access to our ShareFile data
  • A working ADFS Implementation – We will be adding ShareFile as a Relying Party to ADFS so you will need this up and running
  • An internal Server to act as a StorageZone Connector
  • A file share to hold your on-premises data

So, let's get started.

External DNS

Before we start let's get our external DNS sorted.  We are going to need a new FQDN that points external users at the existing Unified Gateway.  I run ug.bretty.me.uk as my Unified Gateway and will create sharefile.bretty.me.uk pointing to the same external public IP address (or no-ip DNS name in my case).

NetScaler Unified Gateway

Once all ShareFile traffic is hitting the public IP address of your Unified Gateway you need to configure the NetScaler to handle it.

First, lets run through an overview of what you will be creating.

NOTE: This can all be done using the wizard on the NetScaler itself, but personally I like to build things manually and understand what's being linked to what.  It makes troubleshooting a lot easier further down the line should something go wrong.

  • 2 HTTP Callout policies – ask the StorageZones Controller to validate the URI signature on each incoming connection
  • A Responder Policy – bound to the ShareFile Data load balancer; drops any request the controller does not validate
  • 2 Load Balanced vServers – one for ShareFile Data and one for ShareFile Connectors
  • Service Groups and Monitors for the Load Balanced vServers
  • 2 Content Switching Policies – one for ShareFile Data and one for ShareFile Connectors
  • 1 AAA vServer – used to authenticate ShareFile Connector traffic
  • 1 Session Policy – ShareFile Connector SSO

HTTP Callout

Navigate to AppExpert – HTTP Callouts

sf_callout Policy

Click Add to add a new policy and name it sf_callout.  Enter the IP address of your StorageZones Controller server and port 443.  Select Attribute-Based as the request type and GET as the method.  Enter your StorageZones Controller server IP as the host expression, then enter

"/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h="+ HTTP.REQ.URL.QUERY.VALUE("h")

as the URL Stem Expression.  Scroll down and set the Scheme to http, the Return Type to BOOL and the Return Expression to

HTTP.RES.STATUS.EQ(200).NOT

then click OK.

What this buys you: the NetScaler hands the requested URL (base64-encoded, with the h signature parameter split out) to validate.ashx on the controller, and the callout evaluates to TRUE whenever the controller answers anything other than 200.  It is that TRUE result the responder policy below turns into a DROP, so a request with a missing or tampered signature never reaches the storage zone.  Make sure the scheme and port you pick match how IIS on the controller is actually listening (http on 80, or https on 443); the callout only shows UP when the two agree.

 

sf_callout_y Policy

Add another policy named sf_callout_y with exactly the same settings except for the URL Stem Expression.  This one handles requests that carry no h parameter at all, so it sends an empty h= and lets the controller decide.  For the URL Stem Expression enter

"/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="

Throughout this post I will be showing you the GUI method for configuring the NetScaler as well as the CLI method.  I will tag all CLI methods “CLI Code”.

CLI Code

add policy httpCallout sf_callout -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add policy httpCallout sf_callout_y -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"

Once done you should see your 2 HTTP Callout policies listed and showing UP

Responder Policy

Next we will move on to creating the Responder Policy that we will bind to the ShareFile Data load balanced vServer.

Navigate to AppExpert – Responder – Policies

Click to add a new policy and give it a meaningful name (in this case I am using res_pol_sharefile), select DROP as the action and enter the following expression

http.REQ.URL.CONTAINS("&h=") && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS("&h=").NOT && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout_y)

Read it as two alternatives: a request carrying an &h= parameter is checked by sf_callout, a request without one by sf_callout_y, and in both branches /crossdomain.xml and the validate endpoint itself are exempt.  Because each callout evaluates to TRUE when the controller answers anything other than 200, the DROP fires exactly when signature validation fails, so the NetScaler fails closed rather than passing an unvalidated request through to the storage zone.

Click OK and you will see your new policy listed.

CLI Code

add responder policy res_pol_sharefile "http.REQ.URL.CONTAINS(\"&h=\") && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS(\"&h=\").NOT && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout_y)" DROP

Load Balanced vServers (including Service Group and Servers)

Moving on we will create 2 Load Balanced vServers to handle the Data and Connector traffic coming in from ShareFile.

Navigate to Traffic Management – Load Balancing – Servers

Add a new entry for your server(s) that you will be using for ShareFile StorageZone Connectors

Navigate to Traffic Management – Load Balancing – Service Groups

Add a new Service Group and give it a meaningful name (I will use svc_grp_citrix_sharefile_443), select your new server(s) as service group members and bind either an HTTP or HTTPS monitor to the service group depending on whether you are offloading HTTPS to HTTP at the NetScaler.  The CLI below uses an HTTP service group on port 80, i.e. TLS is terminated on the NetScaler and the hop to the controller is plain HTTP across the internal network; if that hop crosses anything you do not trust, use an SSL service group and an HTTPS monitor instead.

Navigate to Traffic Management – Load Balancing – Virtual Servers

Data Load Balancer

Add a new load balanced vServer and give it a meaningful name (I will use vsvr_citrix_sharefile_data_443), pick SSL as the traffic type and select Non Addressable: this vServer is only ever reached via the Content Switch in front of the Unified Gateway, so it needs no IP address of its own.  Select the ShareFile service group you created earlier and bind a certificate that is valid for your ShareFile FQDN (in my case sharefile.bretty.me.uk).

Set the load balancing method to TOKEN and enter the following as the expression

http.REQ.URL.QUERY.VALUE("uploadid")

Select SSLSESSION as a persistence method and set the timeout to 2 minutes

Finally bind your Responder Policy with a priority of 100.

Click OK and then click to add a new load balanced vServer for the Connector.  Give it a meaningful name (I will use vsvr_citrix_sharefile_connector_443), select SSL as the traffic type and Non Addressable as before, add your service group and bind your certificate to the vServer.

Click on OK – we will re-visit this vServer later in the post to set the authentication and persistence methods.

You should now see 2 vServers listed and showing as UP

CLI Code

add server SERVER_FQDN SERVER_IP
add serviceGroup svc_grp_citrix_sharefile_443 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svc_grp_citrix_sharefile_443 SERVER_FQDN 80
bind serviceGroup svc_grp_citrix_sharefile_443 -monitorName http
add lb vserver vsvr_citrix_sharefile_data_443 SSL 0.0.0.0 0 -persistenceType SSLSESSION -lbMethod TOKEN -rule "http.REQ.URL.QUERY.VALUE(\"uploadid\")" -cltTimeout 180
add lb vserver vsvr_citrix_sharefile_connector_443 SSL 0.0.0.0 0
bind lb vserver vsvr_citrix_sharefile_data_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_connector_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_data_443 -policyName res_pol_sharefile -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver vsvr_citrix_sharefile_data_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_connector_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_521
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_521

Content Switching Policies

Next we are going to move onto the Content Switching policies to direct traffic correctly when incoming requests happen from the ShareFile Control Plane

Navigate to Traffic Management – Content Switching – Policies

Click to add a new policy for ShareFile Data and give it a meaningful name (I will use cs_pol_citrix_sharefile_data_443).

Enter the following expression, changing the FQDN to the external ShareFile domain name that points at your Unified Gateway (CONTAINS is a substring match on the Host header; an exact-match hostname test is tighter if your naming allows it)

HTTP.REQ.HOSTNAME.CONTAINS("sharefile.bretty.me.uk") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT

Click OK, then click to add a second Content Switching policy for ShareFile Connector traffic.  Give it a meaningful name (I will use cs_pol_citrix_sharefile_connector_443) and enter the following expression, again changing the FQDN to your external ShareFile domain name

HTTP.REQ.HOSTNAME.CONTAINS("sharefile.bretty.me.uk") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))

Once you have your 2 policies defined you will need to bind them to your Unified Gateway and set the vServer you want to direct traffic to.

Navigate to Traffic Management – Content Switching – Virtual Servers

Open up your Unified Gateway Virtual Server

NOTE: The certificate bound to this vServer MUST be valid for both your Unified Gateway FQDN AND your ShareFile FQDN (a wildcard or SAN certificate); otherwise the TLS handshake for the ShareFile name fails before content switching ever sees the request.

Click on Content Switching Policies and bind your ShareFile Connector policy with a priority number lower than any policy already bound (lower numbers are evaluated first), selecting your Connector vServer as the target.

Next bind the ShareFile Data policy with a priority 10 higher than the Connector policy and select the ShareFile Data vServer as the target.  The Data policy already excludes /cifs/ and /sp/, so the ordering is belt and braces, but it guarantees connector traffic is never sent to the vServer that has no authentication bound.

Once done your Unified Gateway will now know how to direct incoming traffic requests from ShareFile

CLI Code

add cs policy cs_pol_citrix_sharefile_data_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT"
add cs policy cs_pol_citrix_sharefile_connector_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && (HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\"))"
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_connector_443 -targetLBVserver vsvr_citrix_sharefile_connector_443 -priority 80
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_data_443 -targetLBVserver vsvr_citrix_sharefile_data_443 -priority 90
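
To make the request path built above concrete, here is a small model of it in Python: the two content switching policies, the URL stems the two HTTP callouts send to validate.ashx, and the responder DROP decision on the data vServer. This is an added example for this post, not code from the post, from Citrix or from the NetScaler. The controller's real validate.ashx hash check is not shown on the page, so a constructed HMAC stand-in (DEMO_SECRET, demo_validate, demo_sign) is used purely so that the valid, tampered and unsigned paths can all be exercised; the HTTP_URL_SAFE encoding is approximated with a percent-encoder, which is an assumption about the exact character set NetScaler escapes.

```python
"""Model of the NetScaler request path built in this section: content
switching on the Unified Gateway, the two HTTP callouts' URL stems and
the responder DROP decision on the data vServer.

Added example for this post; it is not code from the post, from Citrix
or from the NetScaler. The StorageZones Controller's real validate.ashx
hash check is not shown on the page, so a constructed HMAC stand-in is
used here purely so the valid and tampered paths can both be exercised.
"""
import base64
import hashlib
import hmac
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

SHAREFILE_FQDN = "sharefile.bretty.me.uk"      # the post's example FQDN
CONNECTOR_PATHS = ("/cifs/", "/sp/")           # from the two CS policies
DATA_VSERVER = "vsvr_citrix_sharefile_data_443"
CONNECTOR_VSERVER = "vsvr_citrix_sharefile_connector_443"
DEMO_SECRET = b"constructed-demo-secret"       # stand-in, not a ShareFile key


def http_url_safe_b64(text: str) -> str:
    """Approximation of HTTP_URL_SAFE followed by B64ENCODE (assumption:
    HTTP_URL_SAFE percent-encodes everything outside the unreserved set
    and the URL delimiters / ? = &)."""
    return base64.b64encode(quote(text, safe="/?=&").encode()).decode()


def callout_stem(url: str) -> Tuple[str, str]:
    """Which callout the responder expression picks for this URL and the
    URL stem that callout sends to the controller."""
    if "&h=" in url:                                          # sf_callout branch
        before_h = url.split("&h", 1)[0]                      # HTTP.REQ.URL.BEFORE_STR("&h")
        h = parse_qs(urlsplit(url).query).get("h", [""])[0]  # HTTP.REQ.URL.QUERY.VALUE("h")
        return "sf_callout", f"/validate.ashx?RequestURI={http_url_safe_b64(before_h)}&h={h}"
    return "sf_callout_y", f"/validate.ashx?RequestURI={http_url_safe_b64(url)}&h="


def responder_drops(url: str, validate: Callable[[str], int]) -> bool:
    """res_pol_sharefile: DROP when the chosen callout returns TRUE, and the
    callouts return TRUE whenever validate.ashx answers anything but 200.
    crossdomain.xml and the validate endpoint itself are exempt."""
    if "/crossdomain.xml" in url or "/validate.ashx?requri" in url:
        return False
    _name, stem = callout_stem(url)
    return validate(stem) != 200                              # HTTP.RES.STATUS.EQ(200).NOT


def content_switch(host: str, url: str) -> Optional[str]:
    """The two CS policies bound to the Unified Gateway (connector at
    priority 80, data at 90). None means neither matched."""
    if SHAREFILE_FQDN not in host:
        return None
    if any(p in url for p in CONNECTOR_PATHS):
        return CONNECTOR_VSERVER
    return DATA_VSERVER


def demo_validate(stem: str) -> int:
    """Constructed stand-in for validate.ashx on the controller: recompute
    an HMAC over the RequestURI parameter and compare it with h."""
    params = dict(p.split("=", 1) for p in stem.split("?", 1)[1].split("&"))
    expected = hmac.new(DEMO_SECRET, params["RequestURI"].encode(), hashlib.sha256).hexdigest()
    return 200 if hmac.compare_digest(expected, params.get("h", "")) else 403


def demo_sign(url_without_h: str) -> str:
    """Append a signature the stand-in validator will accept."""
    h = hmac.new(DEMO_SECRET, http_url_safe_b64(url_without_h).encode(), hashlib.sha256).hexdigest()
    return f"{url_without_h}&h={h}"


def handle_request(host: str, url: str, validate: Callable[[str], int] = demo_validate) -> str:
    """End-to-end decision for one request arriving at the Unified Gateway."""
    target = content_switch(host, url)
    if target is None:
        return "PASS:unified-gateway"                         # other UG policies decide
    if target == CONNECTOR_VSERVER:
        return f"AUTH_401:{target}"                           # -authn401 ON, AAA vServer challenges first
    return "DROP" if responder_drops(url, validate) else f"FORWARD:{target}"


if __name__ == "__main__":
    good = demo_sign("/download.ashx?id=fi123&uploadid=u1")
    tampered = good.replace("fi123", "fi999")                 # keep h, change what it signs
    for host, url in [(SHAREFILE_FQDN, good), (SHAREFILE_FQDN, tampered),
                      (SHAREFILE_FQDN, "/download.ashx?id=fi123"),
                      (SHAREFILE_FQDN, "/cifs/v3/Items"),
                      ("ug.bretty.me.uk", "/vpn/index.html")]:
        print(f"{host}{url[:44]:<46} -> {handle_request(host, url)}")
```

The point to take from running it is the fail-closed shape: a data request is forwarded only when the controller answers 200 for its signature, a request with no signature at all goes through sf_callout_y and is still dropped unless the controller vouches for it, and connector paths never reach the responder because content switching sends them to the vServer that challenges for credentials first.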

AAA vServer

Next you will need an AAA vServer to act as the authentication server for the ShareFile Connectors.

Navigate to Security – AAA Application Traffic – Virtual Servers 

Click to add a new AAA vServer and give it a meaningful name (I will use vsvr_aaa_sharefile_443), give it a free internal IP address and select port 443.  Bind the certificate that is valid for your ShareFile FQDN to the AAA vServer.

Scroll down and bind the authentication policy you want to use for this vServer.  I will use the same LDAP policy that I have bound to my Unified Gateway (ensure that userPrincipalName is the attribute used for authentication).

Scroll down until you see the 401 Based Virtual Servers and click to add and bind one, then select your vServer for ShareFile Connector

Click OK to save the AAA vServer

CLI Code

add authentication vserver vsvr_aaa_sharefile_443 SSL AAA_IP_ADDRESS 443
bind authentication vserver vsvr_aaa_sharefile_443 -policy pol_ldaps_dc.bretty.me.uk -priority 100
bind ssl vserver vsvr_aaa_sharefile_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_256
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_384
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_224
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_521

Session Policy

Next we need to create a Session Policy to handle the authentication on the AAA vServer.

Navigate to Security – AAA Application Traffic – Policies – Session

Click to add a new Session Policy and give it a meaningful name (I will use ses_pol_sharefile_connector), add ns_true as the expression and click the plus to add a new request profile.

Give the profile a meaningful name (I will use ses_pro_sharefile_connector), enable Single Sign-on to Web Applications, set the Credential Index to PRIMARY and enter your Single Sign-on Domain.

click OK and OK again to save the Session Policy

Next re-open your AAA vServer and bind your new Session Policy to the vServer

Finally, to check that this has been applied correctly, open the load balancing vServer for the ShareFile Connector and ensure that your AAA vServer is listed under Authentication (401-based).  Also set Persistence to COOKIEINSERT with a timeout of 240 minutes.  In the full build script at the end of the post this is the -authn401 ON -authnVsName vsvr_aaa_sharefile_443 and -persistenceType COOKIEINSERT -timeout 240 part of the add lb vserver line for the connector vServer.

CLI Code

add tm sessionAction ses_pro_sharefile_connector -SSO ON -ssoCredential PRIMARY -ssoDomain YOUR_DOMAIN
add tm sessionPolicy ses_pol_sharefile_connector ns_true ses_pro_sharefile_connector
bind authentication vserver vsvr_aaa_sharefile_443 -policy ses_pol_sharefile_connector -priority 100

NetScaler Build Code

Below is the entire build script for the NetScaler part of this guide.  Replace the following placeholders before running it

  • YOUR_SF_CONNECTOR_SERVER_IP – IP Address of your Primary ShareFile StorageZone Connector Server
  • SERVER_FQDN – FQDN for the Primary ShareFile StorageZone Connector Server
  • SERVER_IP – IP Address for the Primary ShareFile StorageZone Connector Server
  • WILDCARD_CERT_NAME – Wildcard or SAN Certificate Name
  • YOUR_SHAREFILE_FQDN – Your external ShareFile FQDN, e.g. sharefile.bretty.me.uk
  • UNIFIED_GATEWAY_NAME – Unified Gateway Content Switch Name
  • AAA_IP_ADDRESS – AAA vServer IP Address
  • LDAPS_POLICY – LDAP Policy Name
  • YOUR_DOMAIN – Your SSO Domain Name

CLI Code

add policy httpCallout sf_callout -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add policy httpCallout sf_callout_y -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add responder policy res_pol_sharefile "http.REQ.URL.CONTAINS(\"&h=\") && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS(\"&h=\").NOT && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout_y)" DROP
add server SERVER_FQDN SERVER_IP
add serviceGroup svc_grp_citrix_sharefile_443 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svc_grp_citrix_sharefile_443 SERVER_FQDN 80
bind serviceGroup svc_grp_citrix_sharefile_443 -monitorName http
add authentication vserver vsvr_aaa_sharefile_443 SSL AAA_IP_ADDRESS 443
bind authentication vserver vsvr_aaa_sharefile_443 -policy LDAPS_POLICY -priority 100
bind ssl vserver vsvr_aaa_sharefile_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_256
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_384
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_224
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_521
add tm sessionAction ses_pro_sharefile_connector -SSO ON -ssoCredential PRIMARY -ssoDomain YOUR_DOMAIN
add tm sessionPolicy ses_pol_sharefile_connector ns_true ses_pro_sharefile_connector
bind authentication vserver vsvr_aaa_sharefile_443 -policy ses_pol_sharefile_connector -priority 100
add lb vserver vsvr_citrix_sharefile_data_443 SSL 0.0.0.0 0 -persistenceType SSLSESSION -lbMethod TOKEN -rule "http.REQ.URL.QUERY.VALUE(\"uploadid\")" -cltTimeout 180
add lb vserver vsvr_citrix_sharefile_connector_443 SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 240 -cltTimeout 180 -authn401 ON -authnVsName vsvr_aaa_sharefile_443
bind lb vserver vsvr_citrix_sharefile_data_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_connector_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_data_443 -policyName res_pol_sharefile -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver vsvr_citrix_sharefile_data_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_connector_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_521
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_521
add cs policy cs_pol_citrix_sharefile_data_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT"
add cs policy cs_pol_citrix_sharefile_connector_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && (HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\"))"
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_connector_443 -targetLBVserver vsvr_citrix_sharefile_connector_443 -priority 80
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_data_443 -targetLBVserver vsvr_citrix_sharefile_data_443 -priority 90

Citrix ShareFile Storage Zone Installation and Configuration

So, let's move on to getting the ShareFile StorageZones Controller server built and configured.

I am using a Windows Server 2016 server, domain joined, with an empty local file share created called ShareFile.  There is a service account with FULL rights to this share (svc_sharefile).

Begin by installing the latest version of the ShareFile StorageZones Controller software.  I am not going to provide screen shots of this as it is just following the defaults and then rebooting the server.

I have also installed the User Management Tool onto the same server so that I can easily migrate my on-Premises users into ShareFile for use with the platform.

As you can see I have installed v4.3 of the software

Once installed, open up the local Configuration Service for the StorageZones Controller by opening Internet Explorer and going to the following URL

http://localhost/configservice/login.aspx

Log in with your Administrator Credentials

Click to create a new Zone rather than add this Controller to an existing Zone.  If this was the second controller you could add it to an already defined zone.

Give the zone a name, enter the hostname for the server (this will be shown in the zone health data) and put in the external FQDN for access to this StorageZones Controller.  This was the FQDN you defined earlier.

Click to enable StorageZones for ShareFile Data and select local network share as the zone type.  Enter the network path to your share and enter the credentials for the service account with access to that share

You can enable or disable encryption, DLP, AV integration and Web App Previews.

Next you can enable Connector for Network File Shares and Sharepoint (or both) and set allowed and denied paths

Enter your passphrase and click on Save – you should see the success prompt

Once done you can check that the zone has been created correctly by clicking on the Monitoring tab.  You should see the below

Or if you log into your ShareFile account as an administrator you will see the new zone by clicking on Admin Settings then Storage Zones

Finally if you log into your server that hosts the share for the zone you will see it initialised as below

ADFS Configuration for ShareFile

Next we will set up ADFS to Accept requests from ShareFile as a relying party.

Open up your ADFS Management Tool and navigate to Relying Party Trusts.  Click Add Relying Party Trust and select Claims Aware

Click next and fill out the web path to your metadata for your subdomain in ShareFile

Click next all the way through accepting the defaults and un-tick the open claims window.

Right-click your new Relying Party and select Properties.  On the Advanced tab change the Secure Hash Algorithm to SHA-1.  This is a downgrade from the ADFS default of SHA-256; do it only if ShareFile rejects SHA-256-signed assertions for your account, and revert to SHA-256 as soon as it accepts them.

Click OK, then right-click the Relying Party again and select Edit Claim Issuance Policy.  Click Add Rule, give it a name, select Active Directory as the attribute store and map the E-Mail-Addresses LDAP attribute to UPN as the outgoing claim.

Click to add another rule and select Transform an Incoming Claim

Click next and give the rule a name.  Set the incoming Claim to UPN and the Outgoing as Name ID in the format Email

Click OK and you should see your 2 claims listed

Citrix ShareFile SAML and SSO Configuration

Finally we need to set up ShareFile to use ADFS as a logon point.  Log into your ShareFile control plane with your admin account and navigate to Admin Settings – Security – Login and Security Policy.

Under Basic Settings click to enable SAML.  Fill out the ShareFile Issuer / Entity ID as your subdomain URL and the IDP Issuer as the same with /saml/info appended.  Set the Login URL to the external login URL of your ADFS proxy service (in this case also hosted on my Unified Gateway).  Whatever ends up in the IDP Issuer field has to match, character for character, the Issuer value ADFS writes into its assertions; if logins fail right after the redirect back from ADFS, compare those two before changing anything else.

Click on Save.
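When the ADFS hand-off fails it is usually one of three things: the assertion issuer does not match the IDP Issuer field, the Name ID is not the e-mail-format value the two claim rules above are meant to produce, or the signature algorithm is not what the relying party was set to. The Python below is an added troubleshooting check for exactly those three points, not ShareFile's or ADFS's own code. The SAML response in it is constructed for illustration (adfs.example.com and user@example.com are placeholders, and the assertion is shaped like ADFS output but carries no real signature); the check inspects the signature method, it does not cryptographically verify anything, which ShareFile does itself.

```python
"""Sanity check of a SAML response ADFS hands to ShareFile: the assertion
issuer must equal the IDP Issuer configured in ShareFile, the NameID must
use the e-mail format and look like an e-mail address (the UPN -> Name ID
transform rule), and the signature method should not be RSA-SHA1.

Added example for this post, not ShareFile's or ADFS's own code. The
response below is constructed (example.com placeholders, no real
signature); the signature is only inspected, never verified here.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EXPECTED_IDP_ISSUER = "http://adfs.example.com/adfs/services/trust"   # placeholder

# Constructed response, shaped like what ADFS emits after the claim rules above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text: str, expected_idp_issuer: str) -> List[str]:
    """Return findings as 'code: detail' strings; an empty list means the
    assertion carries what the ShareFile SAML settings above expect."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no-assertion: response carries no Assertion element"]

    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_idp_issuer:
        findings.append(f"issuer-mismatch: assertion issuer {issuer!r} != IDP Issuer {expected_idp_issuer!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("nameid-missing: no NameID, check the UPN -> Name ID transform rule")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append(f"nameid-format: {name_id.get('Format')!r} is not the Email format")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            findings.append(f"nameid-not-email: {name_id.text!r} will not match a ShareFile user e-mail")

    sig = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        findings.append("unsigned: assertion carries no Signature element")
    elif sig.get("Algorithm") == RSA_SHA1:
        findings.append("sig-sha1: assertion signed with RSA-SHA1 (the ADFS default is SHA-256)")
    return findings


def finding_codes(xml_text: str, expected_idp_issuer: str = EXPECTED_IDP_ISSUER) -> List[str]:
    """Just the short codes, handy for scripting a pass/fail."""
    return [f.split(":", 1)[0] for f in check_assertion(xml_text, expected_idp_issuer)]


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_RESPONSE, EXPECTED_IDP_ISSUER) or ["ok"]:
        print(line)
```

Feed it a real response captured from the browser (the SAMLResponse form field, base64-decoded) and your own IDP Issuer value; the one finding the constructed sample raises is the SHA-1 signature, which is the downgrade the relying party properties step above introduces.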

Finally – and just as a nice to have I am going to set up some connectors to local file shares to test that all inbound traffic is working.

Click on Connectors and add a connector pointing to a local file share.

As you can see I have a connector configured pointing to the local root of my DFS share.

So, lets test it all and make sure it works.

First ensure that you have a corporate user added to ShareFile and the StorageZone for that user set to the on-premises Zone

Use the ShareFile User Management Tool to import your users into ShareFile

Open a browser and navigate to https://yoursubdomain.sharefile.com

As you can see I now have the option to log in using Employee Details

Click on the Employee Details link and you are handed off to ADFS to log in

Once logged in you can see that I am using my corporate e-mail address

If I then upload a file to my ShareFile account

Then check the local file share to check that it has been passed through to my on-premises storage location

So, lets check with the mobile app and with ShareFile Connectors

I will connect to the bottom account, my corporate email address

Click on Login with Employee Credentials

As you can see ShareFile is handing me off to ADFS for authentication

Once logged in you can see my file presented thats on my on-premises storage

If I navigate to Connectors you can see 2 I have defined in there

Open up Shared and you can see the Root of my DFS file share that is also hosted on-premises

That's it: how to install and configure Citrix ShareFile StorageZones Controllers and connectors and present it all from a NetScaler Unified Gateway with ADFS authentication.

Laters,

b@m
