I have been meaning to get round to posting about Citrix ShareFile for some time now. Citrix ShareFile is an enterprise file sharing tool from Citrix that can use both on-premises and cloud based storage repositories and, more importantly, lets you validate and control where your company data lives and who has access to it.
The idea of this post is: “by following this article you can take a standard cloud based ShareFile account and provide secure access to on-premises storage, using your existing company identity management platform and credentials as the authentication method, and present it all from a single NetScaler Unified Gateway”.
This post will cover the following areas:
- External DNS
- Citrix NetScaler Configuration
- Citrix ShareFile Storage Zone Installation and Configuration
- ADFS Configuration for ShareFile
- Citrix ShareFile SAML and SSO Configuration
First, as always, there are some assumptions about what you have in place before implementing this.
- A working Unified Gateway – This can be wizard built or manually built but we will be using the content switching capability of the Unified Gateway to provide access to our ShareFile data
- A working ADFS Implementation – We will be adding ShareFile as a Relying Party to ADFS so you will need this up and running
- An internal Server to act as a StorageZone Connector
- A file share to hold your on-premises data
So, let's get started.
External DNS
Before we start let's get our external DNS sorted. We are going to need a new FQDN that points our external users at the existing Unified Gateway. I run ug.bretty.me.uk as my Unified Gateway and will create sharefile.bretty.me.uk to point to the same external public IP address (or no-ip DNS name in my case).
NetScaler Unified Gateway
Once all ShareFile traffic is hitting the public IP address of your Unified Gateway, you will need to configure the NetScaler to handle that incoming traffic.
First, let's run through an overview of what you will be creating.
NOTE: This can all be done using the wizard on the NetScaler itself, but personally I like to build things manually and understand what's being linked to what. It makes troubleshooting a lot easier further down the line should something go wrong.
- 2 HTTP Callout policies – check for valid URI signatures on incoming connections
- A Responder Policy – bind to the ShareFile Data Load Balancer
- 2 Load Balanced vServers – one for ShareFile Data and one for ShareFile Connectors
- Service Groups and Monitors for the Load Balanced vServers
- 2 Content Switching Policies – one for ShareFile Data and one for ShareFile Connectors
- 1 AAA vServer – used for ShareFile Connectors
- 1 Session Policy – ShareFile Connector SSO
HTTP Callout
Navigate to AppExpert – HTTP Callouts
sf_callout Policy
Click Add to add a new policy and name it sf_callout. Enter the IP address of your StorageZone Controller server and port 443. Select Attribute-Based as the Request Type and GET as the method. Enter your StorageZone Connector server IP as the host expression, then enter
"/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h="+ HTTP.REQ.URL.QUERY.VALUE("h")
as the URL Stem Expression. Scroll down, set the Scheme to http, the Return Type to BOOL and the Return Expression to
HTTP.RES.STATUS.EQ(200).NOT
then click OK. A 200 from validate.ashx means the StorageZone Controller accepted the signature, so the callout returns TRUE only when validation fails.
sf_callout_y Policy
Add another policy, name it sf_callout_y, and use exactly the same settings with the exception of the URL Stem Expression. For that enter
"/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="
Throughout this post I will be showing you the GUI method for configuring the NetScaler as well as the CLI method. I will tag all CLI methods “CLI Code”.
CLI Code
add policy httpCallout sf_callout -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add policy httpCallout sf_callout_y -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
Once done you should see your 2 HTTP Callout policies listed and showing UP.
Responder Policy
Next we will create the Responder Policy that we will bind to the ShareFile Data load balanced vServer.
Navigate to AppExpert – Responder – Policies
Click to add a new policy and give it a meaningful name (in this case I am using res_pol_sharefile), select DROP as the Action and enter the following as the expression
http.REQ.URL.CONTAINS("&h=") && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS("&h=").NOT && http.req.url.contains("/crossdomain.xml").not && http.req.url.contains("/validate.ashx?requri").not && SYS.HTTP_CALLOUT(sf_callout_y)
Click OK and you will see your new policy listed. Note that && binds tighter than ||, so the expression is two complete AND chains: requests carrying &h= are checked by sf_callout and everything else by sf_callout_y, with crossdomain.xml and the validate.ashx call itself excluded from both.
CLI Code
add responder policy res_pol_sharefile "http.REQ.URL.CONTAINS(\"&h=\") && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS(\"&h=\").NOT && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout_y)" DROP
Load Balanced vServers (inc Service Group and Servers)
Moving on, we will create 2 load balanced vServers to handle the Data and Connector traffic coming in from ShareFile.
Navigate to Traffic Management – Load Balancing – Servers
Add a new entry for the server(s) you will be using as ShareFile StorageZone Connectors.
Navigate to Traffic Management – Load Balancing – Service Groups
Add a new Service Group and give it a meaningful name (I will use svc_grp_citrix_sharefile_443), select your new server(s) as service group members and bind either an HTTP or HTTPS monitor to the service group, depending on whether you are offloading HTTPS to HTTP.
Navigate to Traffic Management – Load Balancing – Virtual Servers
Data Load Balancer
Add a new load balanced vServer and give it a meaningful name (I will use vsvr_citrix_sharefile_data_443), pick SSL as the traffic type and select non-addressable: this vServer will only be referenced via the Content Switch in front of Unified Gateway, so there is no need to give it its own IP address. Select the ShareFile Service Group you created earlier and assign a certificate that is valid for your ShareFile FQDN (in my case sharefile.bretty.me.uk).
Set the load balancing method to TOKEN (so that every chunk of a given upload is sent to the same StorageZone Controller) and enter the following as the expression
http.REQ.URL.QUERY.VALUE("uploadid")
Select SSLSESSION as the persistence method and set the timeout to 2 minutes.
Finally, bind your Responder Policy with a priority of 100.
Click OK and then click to add a new load balanced vServer for the Connector. Give it a meaningful name (I will use vsvr_citrix_sharefile_connector_443), select SSL as the traffic type and, as before, non-addressable; add your Service Group and bind your certificate to the vServer.
Click OK – we will revisit this vServer later in the post to set the authentication and persistence methods.
You should now see 2 vServers listed and showing as UP.
CLI Code
add server SERVER_FQDN SERVER_IP
add serviceGroup svc_grp_citrix_sharefile_443 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svc_grp_citrix_sharefile_443 SERVER_FQDN 80
bind serviceGroup svc_grp_citrix_sharefile_443 -monitorName http
add lb vserver vsvr_citrix_sharefile_data_443 SSL 0.0.0.0 0 -persistenceType SSLSESSION -lbMethod TOKEN -rule "http.REQ.URL.QUERY.VALUE(\"uploadid\")" -cltTimeout 180
add lb vserver vsvr_citrix_sharefile_connector_443 SSL 0.0.0.0 0
bind lb vserver vsvr_citrix_sharefile_data_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_connector_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_data_443 -policyName res_pol_sharefile -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver vsvr_citrix_sharefile_data_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_connector_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_521
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_521
Content Switching Policies
Next we move on to the Content Switching policies that direct traffic correctly when incoming requests arrive from the ShareFile control plane.
Navigate to Traffic Management – Content Switching – Policies
Click to add a new policy for ShareFile Data and give it a meaningful name (I will use cs_pol_citrix_sharefile_data_443).
Enter the following as the expression – just change the FQDN to the external ShareFile domain name pointing at your Unified Gateway
HTTP.REQ.HOSTNAME.CONTAINS("sharefile.bretty.me.uk") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT
Click OK, then click to add a second Content Switching policy for ShareFile Connector traffic. Give it a meaningful name (I will use cs_pol_citrix_sharefile_connector_443) and enter the following as the expression – again, just change the FQDN to your external ShareFile domain name pointing at your Unified Gateway
HTTP.REQ.HOSTNAME.CONTAINS("sharefile.bretty.me.uk") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))
Once you have your 2 policies defined you will need to bind them to your Unified Gateway and set the vServer you want each one to direct traffic to.
Navigate to Traffic Management – Content Switching – Virtual Servers
Open up your Unified Gateway Virtual Server
NOTE: The certificate bound to this vServer MUST be valid for both your Unified Gateway FQDN AND your ShareFile FQDN.
Click on Content Switching Policies and bind your ShareFile Connector policy with a priority lower than any other existing policies bound (a lower number is evaluated first), selecting your Connector vServer as the destination.
Next bind the policy for ShareFile Data with a priority 10 higher than the Connector policy and select the ShareFile Data vServer as the destination.
Once done your Unified Gateway will know how to direct incoming traffic requests from ShareFile.
CLI Code
add cs policy cs_pol_citrix_sharefile_data_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT"
add cs policy cs_pol_citrix_sharefile_connector_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && (HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\"))"
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_connector_443 -targetLBVserver vsvr_citrix_sharefile_connector_443 -priority 80
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_data_443 -targetLBVserver vsvr_citrix_sharefile_data_443 -priority 90
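The request path assembled in the HTTP Callout, Responder Policy and Content Switching sections, modelled end to end as an added Python example (this is not code from the post, from Citrix or from the NetScaler itself). It assumes HTTP_URL_SAFE.B64ENCODE behaves like RFC 4648 URL-safe base64, replaces validate.ashx with a constructed stub that checks a demo HMAC (the post does not describe the real StorageZones signature scheme, so STUB_SECRET and sign_url exist only to drive the stub), and uses constructed request URLs; the vServer and policy names are the ones used in the post.

```python
"""Model of the ShareFile request path built on the NetScaler in this post:
content switching -> data/connector vServer -> responder policy backed by
the two HTTP callouts. Added example, not code from the post or from Citrix.
validate.ashx is replaced by a constructed stub with a demo HMAC check; the
real StorageZones Controller signature scheme is not described in the post."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SHAREFILE_FQDN = "sharefile.bretty.me.uk"                  # from the post
DATA_VSERVER = "vsvr_citrix_sharefile_data_443"            # from the post
CONNECTOR_VSERVER = "vsvr_citrix_sharefile_connector_443"  # from the post
STUB_SECRET = b"constructed-demo-secret"  # assumption: stands in for the zone's signing key


def content_switch(hostname, url):
    """cs_pol_citrix_sharefile_connector_443 (priority 80) is evaluated before
    cs_pol_citrix_sharefile_data_443 (priority 90): the lower number wins."""
    if SHAREFILE_FQDN not in hostname:
        return None  # not ShareFile traffic; the Unified Gateway handles it itself
    if "/cifs/" in url or "/sp/" in url:
        return CONNECTOR_VSERVER
    return DATA_VSERVER


def url_safe_b64(text):
    # assumption: HTTP_URL_SAFE.B64ENCODE behaves like RFC 4648 URL-safe base64
    return base64.urlsafe_b64encode(text.encode()).decode()


def query_value(url, name):
    """HTTP.REQ.URL.QUERY.VALUE(name): first value of that query parameter, or ''."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def callout_stem(url):
    """Build the URL stem exactly as sf_callout / sf_callout_y build it."""
    if "&h=" in url:  # sf_callout: everything before "&h", then the h value itself
        before = url.split("&h", 1)[0]  # HTTP.REQ.URL.BEFORE_STR("&h")
        stem = "/validate.ashx?RequestURI=" + url_safe_b64(before) + "&h=" + query_value(url, "h")
        return "sf_callout", stem
    # sf_callout_y: the whole URL, with an empty h
    return "sf_callout_y", "/validate.ashx?RequestURI=" + url_safe_b64(url) + "&h="


def stub_validate(stem):
    """Constructed stand-in for the controller's validate.ashx. Returns 200 only
    when h is the demo HMAC over the RequestURI value; a missing h is rejected."""
    request_uri = query_value(stem, "RequestURI")
    h = query_value(stem, "h")
    expected = hmac.new(STUB_SECRET, request_uri.encode(), hashlib.sha256).hexdigest()
    return 200 if h and hmac.compare_digest(h, expected) else 403


def sign_url(url):
    """Constructed helper: append a demo signature that the stub will accept."""
    h = hmac.new(STUB_SECRET, url_safe_b64(url).encode(), hashlib.sha256).hexdigest()
    return url + "&h=" + h


def responder_drops(url):
    """res_pol_sharefile with action DROP. && binds tighter than ||, so the
    expression is two complete AND chains; crossdomain.xml and validate.ashx
    are exempt on both, and the callout result is HTTP.RES.STATUS.EQ(200).NOT."""
    if "/crossdomain.xml" in url or "/validate.ashx?requri" in url:
        return False
    _, stem = callout_stem(url)
    return stub_validate(stem) != 200


def upload_token(url):
    """TOKEN load balancing on http.REQ.URL.QUERY.VALUE("uploadid") keeps every
    chunk of one upload on the same StorageZones Controller."""
    return query_value(url, "uploadid")


def handle(hostname, url):
    """Return (target vServer, outcome) for one request hitting the Unified Gateway."""
    target = content_switch(hostname, url)
    if target is None:
        return None, "GATEWAY"
    if target == DATA_VSERVER and responder_drops(url):
        return target, "DROP"
    return target, "FORWARD"


if __name__ == "__main__":
    good = sign_url("/upload.aspx?uploadid=abc123&zoneid=z1")  # constructed request
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")    # signature no longer matches
    for host, url in [
        (SHAREFILE_FQDN, good),
        (SHAREFILE_FQDN, tampered),
        (SHAREFILE_FQDN, "/upload.aspx?uploadid=abc123"),       # no signature at all
        (SHAREFILE_FQDN, "/cifs/v3/Items"),
        ("ug.bretty.me.uk", "/vpn/index.html"),
    ]:
        print(host, url[:40], "->", handle(host, url))
```

Running it shows why the two callouts and the exemptions matter: a request whose h no longer matches its URL, or that carries no h at all, is dropped before it reaches the StorageZones Controller, while crossdomain.xml and the validate.ashx call itself bypass the check so the controller stays reachable for validation. If uploads only work with the responder policy unbound, the DROP branch is firing, so the callout's host, port and scheme and the controller's validate.ashx response are the first things to check.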
AAA vServer
Next you will need an AAA vServer to act as the authentication server for the ShareFile Connectors.
Navigate to Security – AAA Application Traffic – Virtual Servers
Click to add a new AAA vServer and give it a meaningful name (I will use vsvr_aaa_sharefile_443), give it a free internal IP address and select port 443. Bind the certificate that is valid for your ShareFile FQDN to the AAA vServer.
Scroll down and bind the authentication method you want to use for this vServer. I will use the same LDAP policy that I have bound to my Unified Gateway (ensure that userPrincipalName is used as the authentication attribute).
Scroll down until you see 401 Based Virtual Servers, click to add and bind one, then select your vServer for ShareFile Connector.
Click OK to save the AAA vServer.
CLI Code
add authentication vserver vsvr_aaa_sharefile_443 SSL AAA_IP_ADDRESS 443
bind authentication vserver vsvr_aaa_sharefile_443 -policy pol_ldaps_dc.bretty.me.uk -priority 100
bind ssl vserver vsvr_aaa_sharefile_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_256
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_384
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_224
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_521
Session Policy
Next we need to create a Session Policy to handle the authentication on the AAA vServer.
Navigate to Security – AAA Application Traffic – Policies – Session
Click to add a new Session Policy and give it a meaningful name (I will use ses_pol_sharefile_connector), enter ns_true as the expression and click the plus to add a new request profile.
Give the profile a meaningful name (I will use ses_pro_sharefile_connector) and set Single Sign-on to Web Applications, Credential Index and Single Sign-on Domain.
Click OK and OK again to save the Session Policy.
Next re-open your AAA vServer and bind your new Session Policy to it.
Finally, to check that this has been applied correctly, open the load balancing vServer for ShareFile Connector and ensure that your AAA vServer is listed under Authentication. Also, under Persistence select COOKIEINSERT and set the timeout to 240 minutes.
CLI Code
add tm sessionAction ses_pro_sharefile_connector -SSO ON -ssoCredential PRIMARY -ssoDomain YOUR_DOMAIN
add tm sessionPolicy ses_pol_sharefile_connector ns_true ses_pro_sharefile_connector
bind authentication vserver vsvr_aaa_sharefile_443 -policy ses_pol_sharefile_connector -priority 100
NetScaler Build Code
Below is the entire build script for the NetScaler part of this guide. Replace the following placeholders:
- YOUR_SF_CONNECTOR_SERVER_IP – IP Address of your Primary ShareFile StorageZone Connector Server
- SERVER_FQDN – FQDN for the Primary ShareFile StorageZone Connector Server
- SERVER_IP – IP Address for the Primary ShareFile StorageZone Connector Server
- WILDCARD_CERT_NAME – Wildcard or SAN Certificate Name
- YOUR_SHAREFILE_FQDN – Your ShareFile Local FQDN – e.g. sharefile.bretty.me.uk
- UNIFIED_GATEWAY_NAME – Unified Gateway Content Switch Name
- AAA_IP_ADDRESS – AAA vServer IP Address
- LDAPS_POLICY – LDAP Policy Name
- YOUR_DOMAIN – Your SSO Domain Name
CLI Code
add policy httpCallout sf_callout -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add policy httpCallout sf_callout_y -IPAddress YOUR_SF_CONNECTOR_SERVER_IP -port 443 -returnType BOOL -hostExpr YOUR_SF_CONNECTOR_SERVER_IP -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add responder policy res_pol_sharefile "http.REQ.URL.CONTAINS(\"&h=\") && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout) || http.REQ.URL.CONTAINS(\"&h=\").NOT && http.req.url.contains(\"/crossdomain.xml\").not && http.req.url.contains(\"/validate.ashx?requri\").not && SYS.HTTP_CALLOUT(sf_callout_y)" DROP
add server SERVER_FQDN SERVER_IP
add serviceGroup svc_grp_citrix_sharefile_443 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind serviceGroup svc_grp_citrix_sharefile_443 SERVER_FQDN 80
bind serviceGroup svc_grp_citrix_sharefile_443 -monitorName http
add authentication vserver vsvr_aaa_sharefile_443 SSL AAA_IP_ADDRESS 443
bind authentication vserver vsvr_aaa_sharefile_443 -policy LDAPS_POLICY -priority 100
bind ssl vserver vsvr_aaa_sharefile_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_256
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_384
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_224
bind ssl vserver vsvr_aaa_sharefile_443 -eccCurveName P_521
add tm sessionAction ses_pro_sharefile_connector -SSO ON -ssoCredential PRIMARY -ssoDomain YOUR_DOMAIN
add tm sessionPolicy ses_pol_sharefile_connector ns_true ses_pro_sharefile_connector
bind authentication vserver vsvr_aaa_sharefile_443 -policy ses_pol_sharefile_connector -priority 100
add lb vserver vsvr_citrix_sharefile_data_443 SSL 0.0.0.0 0 -persistenceType SSLSESSION -lbMethod TOKEN -rule "http.REQ.URL.QUERY.VALUE(\"uploadid\")" -cltTimeout 180
add lb vserver vsvr_citrix_sharefile_connector_443 SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 240 -cltTimeout 180 -authn401 ON -authnVsName vsvr_aaa_sharefile_443
bind lb vserver vsvr_citrix_sharefile_data_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_connector_443 svc_grp_citrix_sharefile_443
bind lb vserver vsvr_citrix_sharefile_data_443 -policyName res_pol_sharefile -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver vsvr_citrix_sharefile_data_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_connector_443 -certkeyName WILDCARD_CERT_NAME
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_data_443 -eccCurveName P_521
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_256
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_384
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_224
bind ssl vserver vsvr_citrix_sharefile_connector_443 -eccCurveName P_521
add cs policy cs_pol_citrix_sharefile_data_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT"
add cs policy cs_pol_citrix_sharefile_connector_443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"YOUR_SHAREFILE_FQDN\") && (HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\"))"
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_connector_443 -targetLBVserver vsvr_citrix_sharefile_connector_443 -priority 80
bind cs vserver UNIFIED_GATEWAY_NAME -policyName cs_pol_citrix_sharefile_data_443 -targetLBVserver vsvr_citrix_sharefile_data_443 -priority 90
Citrix ShareFile Storage Zone Installation and Configuration
So, let's move on to getting the ShareFile StorageZone Connector server built and configured.
I am using a Windows Server 2016 server, domain joined, with an empty local file share created called ShareFile. There is a service account (svc_sharefile) with FULL rights to this share.
Begin by installing the latest version of the ShareFile StorageZones Controller software. I am not going to provide screenshots of this as it is just a case of following the defaults and then rebooting the server.
I have also installed the User Management Tool onto the same server so that I can easily migrate my on-premises users into ShareFile for use with the platform.
As you can see I have installed v4.3 of the software.
Once installed, open up the local Configuration Service for the StorageZones Controller by opening Internet Explorer and going to the following URL
http://localhost/configservice/login.aspx
Log in with your administrator credentials.
Click to create a new Zone rather than add this Controller to an existing Zone. If this were the second controller you would add it to an already defined zone.
Give the zone a name, enter the hostname of the server (this is shown in the zone health data) and put in the external FQDN for access to this StorageZones Controller. This is the FQDN you defined earlier.
Click to enable StorageZones for ShareFile Data and select local network share as the zone type. Enter the network path to your share and the credentials for the service account with access to that share.
You can enable or disable encryption, DLP, AV integration and Web App Previews.
Next you can enable Connector for Network File Shares and/or SharePoint and set allowed and denied paths.
Enter your passphrase and click Save – you should see the success prompt.
Once done you can check that the zone has been created correctly by clicking on the Monitoring tab. You should see the below.
Or, if you log into your ShareFile account as an administrator, you will see the new zone by clicking on Admin Settings then Storage Zones.
Finally, if you log into the server that hosts the share for the zone you will see it initialised as below.
ADFS Configuration for ShareFile
Next we will set up ADFS to accept requests from ShareFile as a relying party.
Open up your ADFS Management Tool and navigate to Relying Party Trusts. Click Add Relying Party Trust and select Claims Aware.
Click Next and fill out the web path to the federation metadata for your ShareFile subdomain.
Click Next all the way through accepting the defaults and un-tick the open claims window.
Right-click your new Relying Party and select Properties. Then select the Advanced tab and change the Secure Hash Algorithm to SHA-1.
Click OK, then right-click and select Edit Claim Issuance Policy. Click to add a new rule, give it a name, select Active Directory as the Attribute Store and select E-Mail-Addresses as the LDAP Attribute and UPN as the Outgoing Claim Type.
Click to add another rule and select Transform an Incoming Claim.
Click Next and give the rule a name. Set the Incoming claim type to UPN and the Outgoing claim type to Name ID with the format Email.
Click OK and you should see your 2 claim rules listed.
Citrix ShareFile SAML and SSO Configuration
Finally we need to set up ShareFile to use ADFS as a logon point. Log into your ShareFile control plane as your admin account and navigate to Admin Settings – Security – Login and Security Policy.
Under Basic Settings click to enable SAML. Fill out the ShareFile Issuer / Entity ID as your subdomain URL and the IDP Issuer as the same but with /saml/info appended. Set the Login URL to the external login URL for your ADFS Proxy service (in this case also hosted on my Unified Gateway).
Click on Save.
Finally – and just as a nice to have – I am going to set up some connectors to local file shares to test that all inbound traffic is working.
Click on Connectors and add a connector pointing to a local file share.
As you can see I have a connector configured pointing to the local root of my DFS share.
So, let's test it all and make sure it works.
First ensure that you have a corporate user added to ShareFile and the StorageZone for that user set to the on-premises Zone.
Use the ShareFile User Management Tool to import your users into ShareFile
Open a browser and navigate to https://yoursubdomain.sharefile.com
As you can see I now have the option to log in using Employee Details
Click on the Employee Details link and you are handed off to ADFS to log in
Once logged in you can see that I am using my corporate e-mail address
If I then upload a file to my ShareFile account
Then check the local file share to check that it has been passed through to my on-premises storage location
So, let's check with the mobile app and with ShareFile Connectors.
I will connect to the bottom account, my corporate email address
Click on Login with Employee Credentials
As you can see ShareFile is handing me off to ADFS for authentication
Once logged in you can see my file, which lives on my on-premises storage, presented in the app
If I navigate to Connectors you can see the 2 I have defined in there
Open up Shared and you can see the Root of my DFS file share that is also hosted on-premises
That's it: how to install and configure Citrix ShareFile StorageZones Connectors and present it all from a NetScaler Unified Gateway with ADFS authentication.
If you want to find out more about ShareFile then you can do so by following this link https://www.sharefile.com/
Laters,
b@m
Thank you for these detailed setup steps. We have set up ShareFile SSO with NetScaler SAML IDP. Everything goes quite well on SSO; however, we just cannot upload the files to the on-premises folder and also cannot create ShareFile Connectors. I have followed all the steps from what you have described except the ADFS part. Could you please advise what we have done wrong or where I should look into the problem. The error message which I got when I tried to upload the file is as follows.
{“code”:”InternalServerError”,”message”:{“lang”:”en-US”,”value”:”System error”},”reason”:”Unspecified”} SmartBrowser Overview_EN.pdf 841 KB
When I tried to create ShareFile connectors I got the error message “Unable to Create Connector: Invalid UNC path or URL”
What about the logout URL? I’ve noticed many people don’t include this and even the Citrix documentation doesn’t include it. When you leave it out it will log you out of ShareFile but not ADFS which results in them clicking the login button again and it taking them straight into ShareFile without actually having to login again. That is no good.
Good point well made. I will update it with the relevant logout url.
Thank you for the tutorial..
We’ve set up the configuration as mentioned in your article... But the files won’t upload to the restricted zone when we bind the responder to the LB virtual server... However, if we unbind the responder, uploading files works fine. Any idea about this?