Sharefile, Xenmobile with on prem storage

Sharefile is a big part of our Xenmobile deployment. Users can use it from their computers or mobile devices and I can store the data in my Datacenter. Setting it up can be a bit convoluted if you have never played with it before. I am hoping this write up will help. In our setup we want to enable AD users to be able to use Sharefile. We want the storage Sharefile is using to be local on premises. Because we have Xenmobile 8.6 running we can use the App Controller and Netscaler to work with sharefile.com and provision/authenticate the end user. For our deployment we use a standard Netscaler DMZ approach. This image was taken from the Citrix eDocs and is the architecture I am using for my deployment (Note: I currently only have one StorageZone controller in my deployment).

sf-storage-dmz-proxy-deploy

Basically what we are going to do is:

1. Setup a CIFS Share for ShareFile to use.
2. Setup a StorageZones Controller 2.2 Server.
3. Configure the Netscaler (allow ShareFile and your StorageZone controller to talk through the Netscaler).
4. Configure your StorageZones (connect sharefile.com, SZ controller and the storage).
5. Set the default Storage for users to your on prem storage.
6. Setup Netscaler and App Controller v2.9 as the SAML ID provider for Sharefile (provision/authenticate users).

In order to do this you need the following:

– A Windows server (I’m using 2008 R2 SP1)
– IIS installed/enabled
– ASP.NET 4.5 needs to be installed
– 3rd Party SSL cert installed and bound to the IIS site on port 443
– Allow 443 inbound on the server’s firewall
– Sharefile Enterprise Account
– Working Netscaler 10.1 build 120.1316.e with a Gateway
– Working deployment of Xenmobile 8.6 Enterprise (App Controller 2.9)
– External URL that’s going to resolve to a reserved Netscaler DMZ VIP

Setup a CIFS share for ShareFile to use
1. Create a CIFS share to use for Sharefile. In this deployment I used storage on my NetApp Filer. I created a QTree on a volume then created a CIFS share to share out said QTree. If you are using a NetApp I’m going to assume you know how to handle provisioning storage for a CIFS share.

2. Setup a ShareFile service account in AD. Set both the share permissions and the NTFS security permissions so that the service account has “full control” (directly or via a group – I use groups).

Setup a StorageZones Controller 2.2
Next you’ll need to setup the Windows server so you can install the StorageZones Controller.

1. Spin up a 2008 R2 Windows server

2. Open your Server Manager and in the Add Roles Wizard, click “Next” and then select the Web Services (IIS) check box.
Screenshot 2013-11-29 17.04.06

3. Click “Next” twice and then select the ASP.NET check box.
Screenshot 2013-11-29 17.05.27

4. Click “Add Required Role Services”.
Screenshot 2013-11-29 17.06.27

5. Expand Security and then select the “Basic Authentication” check box.
Screenshot 2013-11-29 17.08.01

6. Click “Next” and then click “Install”.
Screenshot 2013-11-29 17.08.31

7. When the installation completes, click “Close” and then restart the server.

Next, we need to install .NET 4.5 and Configure IIS.

8. Download and install the ASP.NET installer from the Microsoft Download Center. When finished, restart the server.

9. Open the IIS Manager console, click the primary IIS site, and then click ISAPI and CGI Restrictions. Set each ASP.NET v4.03319 entry to Allowed.
Screenshot 2013-11-27 15.22.49

Now we need to Install your SSL Cert and bind it to port 443.

10. In the IIS management console click “Server Certificates” and import your SSL Cert
Screenshot 2013-11-27 15.23.31

11. Bind it to port 443: In the IIS Manager console, click Default Web Site and then click Bindings on the far right pane. Click Add and configure the site binding. Type is https, IP address is All Unassigned, Port is 443, SSL certificate is your installed certificate.
Screenshot 2013-11-27 15.56.44

Screenshot 2013-11-27 15.57.03

Note: you can test the web server by going to http://localhost/ and to https://localhost/. If the connection is successful you’ll see the IIS logo. As expected, https will display a warning about the certificate name not matching the “localhost” name in the URL (that is normal, since the cert was issued for the server’s public name).

12. Optional: Take a Snap shot of your VM before installing the StorageZones Controller 2.2 Software

13. We now need to install the StorageZones Controller 2.2 software from Citrix. Download the controller software from Citrix and run the MSI to install it.

14. Uncheck the config box on the final screen and reboot the server.
screenshot-2013-11-27-16-00-41

15. Give the ShareFile service account you created earlier full control to the IIS install directory (default is c:\inetpub\wwwroot). Navigate to the folder and right-click on the Citrix folder, choose Properties, and then click the Security tab.
Screenshot 2013-11-27 16.03.41

Click Edit, click Add, and then enter the ShareFile service account name.
Screenshot 2013-11-27 16.03.57

Click OK, select Full Control, click Apply, and then click OK.

NOTE: In order to test that the installation was successful, navigate to http://localhost/ on the StorageZones Controller server. If the installation is successful, the ShareFile logo appears.
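The server preparation above is all clicked through in Server Manager and IIS Manager. As an added example (not from the original post or from Citrix), here is the same sequence scripted in PowerShell for Windows Server 2008 R2. The service account name, PFX path and folder path are placeholders, and the final permissions step assumes the StorageZones Controller MSI from steps 13 and 14 has already been run.

```powershell
# Added example, not from the original post: PowerShell equivalent of the server
# prep in steps 2-11 and 15 above, written for Windows Server 2008 R2 / PowerShell 2.0.
# Assumptions (placeholders to replace): the service account name and the PFX path.
# Run from an elevated PowerShell prompt; the last step expects the StorageZones
# Controller MSI (steps 13-14) to have created the Citrix folder already.
$ServiceAccount = 'CORP\svc-sharefile'            # placeholder: AD service account from the CIFS section
$PfxPath        = 'C:\certs\szc.pfx'              # placeholder: 3rd-party cert exported with its private key
$SzcFolder      = 'C:\inetpub\wwwroot\Citrix'     # folder created by the StorageZones Controller installer

# Steps 2-6: Web Server (IIS) with ASP.NET, ISAPI support and Basic Authentication
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Asp-Net, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Basic-Auth, Web-Mgmt-Console

# Step 9: set every ASP.NET v4 entry under "ISAPI and CGI Restrictions" to Allowed
Import-Module WebAdministration
Get-WebConfiguration '/system.webServer/security/isapiCgiRestriction/add' |
    Where-Object { $_.description -like 'ASP.NET v4*' } |
    ForEach-Object {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter "/system.webServer/security/isapiCgiRestriction/add[@path='$($_.path)']" `
            -Name allowed -Value $true
    }

# Step 10: import the certificate into the machine Personal store.
# MachineKeySet + PersistKeySet (and no Exportable flag) keeps the private key on this box.
$PfxPassword = Read-Host 'PFX password' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($PfxPath, $PfxPassword, 'MachineKeySet,PersistKeySet')
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

# Step 11: https binding on All Unassigned, port 443, using that certificate
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)" |
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Prerequisite from the list at the top: open only TCP 443 inbound on the host firewall
netsh advfirewall firewall add rule name='ShareFile StorageZones HTTPS' dir=in action=allow protocol=TCP localport=443

# Step 15: the service account gets Full Control (inherited by files and subfolders) on the Citrix folder
icacls $SzcFolder /grant "${ServiceAccount}:(OI)(CI)F" /T

# Checks that mirror the two NOTEs above: the https binding exists and http://localhost/ answers
Get-WebBinding -Name 'Default Web Site' -Protocol https
netsh http show sslcert ipport=0.0.0.0:443
$html = (New-Object System.Net.WebClient).DownloadString('http://localhost/')   # throws if the site is down
"http://localhost/ returned $($html.Length) bytes"
```

The https check is left to the browser as the post describes: a scripted request to https://localhost/ would fail on the hostname mismatch, and the fix for that is not to turn certificate validation off in the script but to test against the real server name once DNS and the Netscaler are in place.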

Configure the Netscaler for Sharefile
We now need to setup the Netscaler to work with Sharefile.com and our StorageZone Controller. This diagram taken from the Citrix eDocs shows the setup the new wizard will create for us. Please note, the scope of this write up does not cover the additional connectors for SharePoint or other Network File Shares. We will be dealing with the upper Load Balancing virtual Server for URI request validation but the wizard will setup both.

sf-deploy-netscaler

Log into your Netscaler and navigate to Traffic Management > Load Balancing. On the right main pane, under Citrix ShareFile, click “Set up NetScaler for ShareFile”. Supply the information requested in the wizard.

screenshot-2013-11-29-14-55-36

Here is a list of what it asks for:

Name: the name you wish to use – can be anything descriptive.

IP Address: DMZ IP address you’ll be using for the content switching virtual server. NOTE: Because we are using a DMZ you need to set up your outside firewall to forward all requests on port 443 from whatever your public IP address is to this DMZ address.

ShareFile Data: Enable this, it’s kind of the point of what we are doing.

StorageZone Connectors for NFS/SharePoint: Leave unchecked (This is what you want if you are setting up connectors for SharePoint or other Network Shares)

screenshot-2013-11-29-15-30-53

Certificate: Use the correct SSL Cert (You will need a cert installed on the Netscaler; use the same one you used for the StorageZones Controller Server).

screenshot-2013-11-29-15-31-11

StorageZones Controller IP: The IP of your StorageZones Controller 2.2

Port/Protocol: 443 (HTTPS)

Screenshot 2013-11-29 15.31.41

When finished you can look at “Traffic Management > Load Balancing > Virtual Servers”. You should see a new virtual server that has a state of “UP”. You should also see a new service that points to your StorageZones Controller IP Address and a new Content Switching Virtual Server (under Traffic Management > Content Switching > Virtual Servers). That DMZ IP is what you want to have your outside firewall pass traffic on port 443 to. If you want to dig deeper there are also new policies created under the Content Switching section. Make sure to save your Netscaler Config.

Screenshot 2013-11-29 15.35.43

Configure your StorageZones
Now we need to setup our StorageZones Controller to talk with sharefile.com. You can access the configuration tool from http://localhost/configservice/login.aspx or by clicking the configuration tool from the start menu on the SZ Controller.

1. Log into the SZ Controller by using your ShareFile.com Enterprise account credentials. Your email address is the username; you also supply the password and your subdomain (mysubdomain.sharefile.com).

Screenshot 2013-11-29 15.52.02

2. Click “Create new Zone” fill out a name for the zone and provide your zone info:

HOSTNAME: the friendly name of your SZ Controller Server, this should NOT be the FQDN.

External Address: The external URL you are using. This is pointed to the Content Switching Virtual Server IP on your Netscaler. Because we are setting this up on a Netscaler in a DMZ this is the DNS name for whatever the IP of your outside firewall address is that gets forwarded to your Netscaler’s content switching virtual server IP.

Enable StorageZones for ShareFile Data: Check this and select “Local network share” as we want to use Local Network Storage for our Sharefile Data Repository.

Network Share Location: UNC path to your share.

Network Share Username: Use the service account you created for ShareFile.

Network Share Password: Password for the account.

Enable Encryption: If you want the files stored on the share encrypted, check this. I’m not using this as my file share is already secured by other tools. If you choose to encrypt files – other software might/will break. For example, you can’t virus scan encrypted files.

StorageZone Connectors: Leave these unchecked. This is for SharePoint integration, which is beyond the scope of this guide.

Passphrase: Required, but only matters if you choose to encrypt the files on the storage. It’s the phrase used to protect your file encryption key.

Screenshot 2013-11-29 16.09.01

Once you save the config you will get a message at the top showing it’s configured. You can verify this by going to your sharefile site, login with your admin account. Click “Admin” on the top bar, then click StorageZones on the left. It should list your storage you just setup.
Screenshot 2013-12-03 13.31.02

If you click on the Storage it will pull up stats for it.
Screenshot 2013-12-03 13.31.47

Set the default Storage for users to use on prem storage zone
Before you set up your App Controller to talk with Sharefile we need to make sure all new users that get pulled from AD use the on prem storage as the default zone. By default, when a new user is pulled in via App Controller the default storage zone will be the Citrix-hosted cloud. If you want to change this so new users that get created use our on prem storage then you need to call ShareFile Support and let them know. Currently I have not found a way to set this setting myself. Calling ShareFile Support resulted in one of their level 1 techs changing it on their end. Their support number is 1-800-441-3453 in the US.

Setup XenMobile as the SAML ID provider for Sharefile
Now that you have hooked up your storage to ShareFile we need to setup App Controller v2.9 (XenMobile) and the Netscaler Gateway to handle the redirected user auth requests. This will allow us to use Active Directory users/groups to setup ShareFile users and authenticate them using their AD username and passwords.

We are going to be using the XenMobile App Controller (v2.9) and the Netscaler Gateway to function as the identity provider for ShareFile. This allows the user to login to a ShareFile client. That login request gets redirected to the Netscaler for authentication. When you configure ShareFile in App Controller, you configure settings to connect to the ShareFile account and administrator service account for user account management. Then, you can connect to ShareFile from the App Controller management console to configure administrator settings.

1. Create a Role in App Controller 2.9 for ShareFile Users
You should NOT use the “AllUsers” role when setting up ShareFile in the App Controller. Instead create a role on your App Controller for ShareFile Users. Login to your App Controller, click on the “Roles” tab on the top and click “Add role” on the bottom left pane. Create your Role name and description. You won’t see any Storage Zones yet so just leave this “unassigned”. We’ll go back and change it once we hook up the App Controller and ShareFile.
Screenshot 2013-12-03 12.45.29

Click Next and select the AD groups of the users that you are going to pull into ShareFile.
Screenshot 2013-12-03 12.50.16

2. Hook up App Controller v2.9 to ShareFile.
Click the “Apps & Docs” tab in App Controller. On the left pane under Docs, click “ShareFile”. Edit this configuration. Put your sharefile FQDN in the Domain box and select the Role you just created for the Assigned role field. Enter your Sharefile Admin account information. The SAML config will just show “Your Issuer” until you save the config. Once you do it will show up with the default SAML cert, which was installed on your App Controller by default when you installed it (AppController.example.com).
screenshot-2013-12-03-12-47-45

3. Edit your role you created in step 1 and select the correct storage zone. The Storage Zone you created before should now show up as an option.
Screenshot 2013-12-03 11.20.46

4. Create the ShareFile Web App on the App Controller
Go to the “Apps & Docs” tab, then on the left click “Web & SaaS”. Click the green “+” icon to add a new App. Select “ShareFile_SAML_SP” from the flyout.

5. In the Configure App screen fill out the “Cookies Domain” and the “URL”. Cookies Domain should be the FQDN of your sharefile site and the URL should be the actual URL to the SAML login page on your ShareFile site. Under assigned role select the role you created in Step 1.
Screenshot 2013-12-03 13.00.09

Click “Next” and enter your ShareFile Admin account information.
screenshot-2013-12-03-13-01-06

Click “Next” 3 times and just leave the default values.
Screenshot 2013-12-03 13.02.28

Click “Save”
Screenshot 2013-12-03 13.03.37

You can now see users will start to show up in ShareFile. If you go to your ShareFile site and log in you can select “Manage Users” along the top and then click “Browse Employees”. You should see a list of all the users in the AD groups you selected when you setup the Web App in the above steps.
Screenshot 2013-12-03 13.27.33

If you want your users to be able to use their AD credentials we have to do some tweaking on the Gateway. I’m going to assume you already have a working Gateway that is being used for Xenmobile or XenDesktop on your Netscaler. We need to make a few changes to the gateway.

6. Disable home page redirection
We need to turn off the default redirection for requests that use the /cginfra path. We want to retain the original requested internal URL and not have it redirect to the default configured home page. The easiest way to do this is by the command line. SSH to your Netscaler and issue the following command from the prompt. Note: Change “GatewayName” to whatever the name of your gateway is named on the Netscaler.

set vpn vserver GatewayName -cginfraHomePageRedirect DISABLED

7. Create a ShareFile session policy and profile. Log into your Netscaler’s web interface and navigate to Netscaler Gateway > Policies > Session.

Create a new session policy – on the Policies tab, click Add. Give your policy a name. I used ShareFile_POL to keep it simple.
Screenshot 2013-12-03 14.45.37

Now click on the “New” button on the request profile line to create the new profile. In the “Create NetScaler Gateway Session Profile” window enter a Name for your profile. I used ShareFile_PROFILE. On the “Client Experience” tab set the following:

Home Page: none
Session Time-Out: 1
Single Sign-on to Web Applications: Checked
Credential Index: Primary
Screenshot 2013-12-03 14.49.25

On the Published Applications tab set as follows:

ICA Proxy: ON
Web Interface Address: The URL for app controller
Single Sign-On Domain: your AD Domain name
Screenshot 2013-12-03 14.54.03

Click Create to create the profile.

Add the expression for the policy. The expression is: “REQ.HTTP.HEADER Cookie CONTAINS NSC_FSRD” This can be set in the window by clicking the “Add” button and filling it out as follows in the screenshot below:
Screenshot 2013-12-03 14.59.29

Click OK, Click Create and then Close. The Policy should look like the screenshot below:
Screenshot 2013-12-03 15.00.22

Now we need to attach the policy we just created to the Gateway. In the Netscaler web interface under Netscaler Gateway > Virtual Servers open the Gateway and select the “Policies” tab. Click “Insert Policy” and insert the ShareFile_POL that was created earlier. Set this policy to the lowest number so it has the highest priority compared to the other policies.
Screenshot 2013-12-03 15.56.28

Now click the “Advanced” tab on the Gateway and enter a ShareFile URL. This URL should be the internal name of the App Controller followed by the port (443). This authenticates requests to the specified URL through the /cginfra path.
Screenshot 2013-12-03 15.59.13

Click “OK” and then save the Netscaler Configuration.

8. Config ShareFile Account
When you setup your App Controller with all your ShareFile details, ShareFile setup the SSO settings. You need to edit those settings to add some other features like web authentication.

Login to your ShareFile site with your admin account. Click on “Admin” on the top row and then click “Configure Single Sign-On” on the left side.

Under “Optional Settings” Check the “Enable Web Authentication” box.

Now look up under Basic Settings and look at the field for “Login URL” – it’s going to already be populated from your App Controller setup but it needs to be tweaked to point at the Netscaler Gateway. Below is the example of my URL

URL that was populated from the App Controller config/integration:
https://apc.bmctotalcare.com/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1

It needs to be changed to include the FQDN of the Gateway and appended with a specific path as follows:
https://mobile.bmctotalcare.com/cginfra/https/apc.bmctotalcare.com/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP4&reqtype=1&nssso=true

In my case the DNS FQDN of my Netscaler Gateway is mobile.bmctotalcare.com. We then add /cginfra/https/ to that, followed by the original App Controller URL. Finally at the end we append &nssso=true.
Screenshot 2013-12-03 16.12.39

Important Note: The final URL in my example has “app=ShareFile_SAML_SP4”. The reason for this is that the internal name of the App is actually “ShareFile_SAML_SP4” even though the name of the App on the App Controller is “ShareFile_SAML_SP”. The name you use has to be the same as the internal name of the App on the App Controller. You can find it by just clicking on the App in App Controller.
Screenshot 2013-12-03 16.50.03

Click Save to save the changes. Go back in and verify the login URL was saved correctly. I’ve seen it mess up the &’s in the URL string after saving. If that happens no one will be able to login and you will get an error that says SSO Requires Application Name back from the app controller after the Netscaler has done the Authentication.
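The URL rewrite in this step (insert the gateway FQDN and /cginfra/https/, swap the app name for the App Controller’s internal name, append &nssso=true) and the post-save check are mechanical enough to script. The following is an added example, not part of the original post: it builds the login URL from the value App Controller populated and then reports what is wrong with a URL copied back out of the ShareFile admin page. The host names and ShareFile_SAML_SP4 are the post’s own examples standing in for yours; the assumption that a mangled save shows up as “&amp;” or “%26” in the string is mine.

```powershell
# Added example, not from the original post. Builds the ShareFile "Login URL" that
# routes SAML sign-on through the NetScaler Gateway's /cginfra path, and checks a
# URL pasted back from the ShareFile admin page for the problems described above.
# Host names and the internal app name below are the post's examples (placeholders).
Add-Type -AssemblyName System.Web

function New-ShareFileGatewayLoginUrl {
    param(
        [Parameter(Mandatory=$true)][string]$AppControllerLoginUrl,  # URL App Controller populated
        [Parameter(Mandatory=$true)][string]$GatewayFqdn,            # NetScaler Gateway DNS name
        [Parameter(Mandatory=$true)][string]$InternalAppName         # e.g. ShareFile_SAML_SP4
    )
    $src = [System.Uri]$AppControllerLoginUrl
    if ($src.Scheme -ne 'https') { throw 'App Controller URL must be https' }

    # Rebuild the query: replace app= with the internal app name and append nssso=true
    $q = [System.Web.HttpUtility]::ParseQueryString($src.Query)
    $q['app']   = $InternalAppName
    $q['nssso'] = 'true'
    $pairs = foreach ($k in $q.AllKeys) { "$k=$([System.Uri]::EscapeDataString($q[$k]))" }

    # Gateway form: https://<gateway>/cginfra/https/<app controller host><original path>?<query>
    return "https://$GatewayFqdn/cginfra/https/$($src.Host)$($src.AbsolutePath)?" + ($pairs -join '&')
}

function Test-ShareFileGatewayLoginUrl {
    # Returns a list of problems; an empty result means the saved URL is what you configured.
    param(
        [Parameter(Mandatory=$true)][string]$SavedUrl,   # copied back out of Admin > Configure Single Sign-On
        [Parameter(Mandatory=$true)][string]$GatewayFqdn,
        [Parameter(Mandatory=$true)][string]$InternalAppName
    )
    $problems = @()
    $u = $null
    if (-not [System.Uri]::TryCreate($SavedUrl, [System.UriKind]::Absolute, [ref]$u)) {
        return @('URL does not parse')
    }
    if ($u.Scheme -ne 'https')    { $problems += 'scheme is not https' }
    if ($u.Host -ne $GatewayFqdn) { $problems += "host is '$($u.Host)', expected the gateway '$GatewayFqdn'" }
    if ($u.AbsolutePath -notmatch '^/cginfra/https/') { $problems += 'path does not go through /cginfra/https/' }
    # Assumption: a save that "messes up the &'s" leaves HTML- or URL-encoded separators behind
    if ($SavedUrl -match '&amp;|%26') { $problems += 'query separators were encoded on save; re-enter the URL' }

    $q = [System.Web.HttpUtility]::ParseQueryString($u.Query)
    if ($q['action'] -ne 'authenticateUser') { $problems += 'action is not authenticateUser' }
    if ($q['app'] -ne $InternalAppName)      { $problems += "app is '$($q['app'])', expected internal name '$InternalAppName'" }
    if ($q['reqtype'] -ne '1')               { $problems += 'reqtype is not 1' }
    if ($q['nssso'] -ne 'true')              { $problems += 'nssso=true is missing, so the gateway logon will not be used' }
    return $problems
}

# Worked example using the post's values
$populated = 'https://apc.bmctotalcare.com/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1'
$loginUrl  = New-ShareFileGatewayLoginUrl -AppControllerLoginUrl $populated `
                 -GatewayFqdn 'mobile.bmctotalcare.com' -InternalAppName 'ShareFile_SAML_SP4'
$loginUrl   # https://mobile.bmctotalcare.com/cginfra/https/apc.bmctotalcare.com/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP4&reqtype=1&nssso=true

# Clean save: returns nothing. Mangled save (constructed here by encoding the separators): lists the damage.
Test-ShareFileGatewayLoginUrl -SavedUrl $loginUrl -GatewayFqdn 'mobile.bmctotalcare.com' -InternalAppName 'ShareFile_SAML_SP4'
Test-ShareFileGatewayLoginUrl -SavedUrl ($loginUrl -replace '&', '&amp;') -GatewayFqdn 'mobile.bmctotalcare.com' -InternalAppName 'ShareFile_SAML_SP4'
```

Run the check after every save of the Single Sign-On page: it catches the encoded-ampersand case behind the “SSO Requires Application Name” error, a login URL that still points straight at the App Controller instead of the gateway, and an app= value that is the display name rather than the internal name.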

9. Verify the configuration
Point your browser to your sharefile URL (https://subdomainname.sharefile.com/saml/login) it should redirect you to your Netscaler Gateway logon form.

Login with a valid user using your AD account credentials.

10. Now you can MDX Wrap the mobile versions of the ShareFile Application. You can download it from the Citrix Website. I did a write up and covered how to do the application wrapping in my XenMobile 8.6 upgrade guide Part 2


2 thoughts on “Sharefile, Xenmobile with on prem storage”

  1. Hi Allen,

    Great Article. I am currently working on ShareFile on premise. With this setup is it possible to do SSO on ShareFile app?

    • Yep – We install the ShareFile client on our XenDesktop VDI’s and it will use SSO. It maps the AD account and the sharefile account (username is the user’s email).
