hands-on lab exercise guidedocs.citrixvirtualclassroom.com/events/syn2015/syn-617.pdf · store...

SF 617: Delivering an End-to-End Encrypted File Sync and Sharing Solution with ShareFile Enterprise Hands-on Lab Exercise Guide Mark Howell May 2015


Page 1: Hands-on Lab Exercise Guidedocs.citrixvirtualclassroom.com/events/syn2015/SYN-617.pdf · store extremely confidential information so all file and folder metadata ... you finish the

SF 617: Delivering an End-to-End Encrypted File Sync and Sharing Solution with ShareFile Enterprise

Hands-on Lab Exercise Guide

Mark Howell

May 2015

Table of Contents

Overview
Scenario
Exercise 1
Part 1: Configuring NetScaler
Part 2: Configuring NetScaler for Restricted Zones
Part 3: Configuring NetScaler Gateway
Exercise 2: Configuring On-Premise Storage Zones
Exercise 3: Configuring ShareFile User Management Tool
Exercise 4: Configuring ShareFile Enterprise
Exercise 5: Configuring XenMobile Server
Exercise 6: Configuring ShareFile Account for SAML SSO
Exercise 7: Testing the Solution – (Optional)


Overview

Hands-on Training Module

Objective

Provide hands-on experience with configuring Citrix ShareFile, StorageZone Connectors, NetScaler for High Availability, and On-Demand Sync

Prerequisites

Working knowledge of NetScaler and XenMobile Server is helpful. An iPad or Android tablet is optional.

Audience

Citrix employees, customers, and partners.

Lab Environment Details

Describe the lab environment. The system diagram of the lab is shown below:

The Student Desktop VM is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop VM.


Lab Guide Conventions

This symbol indicates particular attention must be paid to this step

Special note to offer advice or background information

reboot Text the student enters or an item they select is printed like this

VMDemo Filename mentioned in text or lines added to files during editing

Start Bold text indicates reference to a button or object

Focuses attention on a particular part of the screen

Shows where to click or select an item on a screen shot

List of Virtual Machines Used

VM Name          IP Address      Description / OS
Router (hidden)  192.168.10.1    Lab Router / Vyatta
AD.training.lab  192.168.10.11   Active Directory
Exchange         192.168.10.15   Exchange server used for SMTP
SZC1             192.168.10.30   ShareFile StorageZone Controller 1
NS1              192.168.10.40   NetScaler VPX
XMS              192.168.10.50   XenMobile Server
Win7             192.168.10.61   Windows 7 utility machine
License          192.168.10.60   Used for XenMobile Server license

Required Lab Credentials

The credentials required to connect to the environment and complete the lab exercises.

VM Name  IP Address      Username       Password
AD       192.168.10.11   administrator  Citrix123
SZC1     192.168.10.30   administrator  Citrix123
NS1      192.168.10.40   nsroot         nsroot
XMS      192.168.10.50   administrator  Citrix123
Win7     192.168.10.61   administrator  Citrix123


Scenario

You are the system administrator at Synergy Training Solutions. The CEO wants to enable a cloud-based file sharing solution, so all employees are able to access all their data, any time and from any device, and share that data with their contacts at business partners and customers. The CIO does have some additional requirements, as she has to make sure the company security policies are followed and the solution is compliant with the compliance regulations for their industry.

Additional requirements from the CTO:

• Data can be stored inside the cloud as well as on-premise. The on-premise StorageZone will store extremely confidential information so all file and folder metadata stored in ShareFile’s application tier needs to be encrypted and can only be decrypted by employees of Synergy Training Solutions.

• The solution needs to be highly available, the CEO demands 100% uptime.

• The company wants to easily provision users into their ShareFile account using the ShareFile User Management Tool.

• The organization has recently purchased XenMobile Enterprise edition and the CIO wants to incorporate SAML SSO for all tier-1 ShareFile apps using the XenMobile Server as the identity provider (IDP).

With these requirements in mind, you start implementing a solution based on Citrix ShareFile. To fulfill all the requirements from the CTO, you use ShareFile StorageZones with an on premise Restricted StorageZone. You make the environment highly available by front-ending the solution with NetScaler and you need to configure the NetScaler, Citrix XenMobile Server and ShareFile to enable SAML SSO. Finally you install and configure the ShareFile User Management Tool to set up a rule that provisions users from Synergy Training Solutions AD into ShareFile.


Exercise 1

Part 1: Configuring NetScaler

Overview

Exercise 1 consists of 3 parts.

Part 1 consists of configuring the NetScaler VPX with Load Balancing rules to ensure StorageZones Controller high availability and creating Content Switching for both ShareFile Data (including HTTP Callouts and Responder Policies) as well as ShareFile Connector traffic (including AAA Authentication).

To accomplish this you will use the new Setup NetScaler for ShareFile wizard introduced in v10.1x.e; however, this lab is running NetScaler v10.5.x.

The wizard is designed to create and configure everything needed to successfully implement NetScaler for ShareFile. I will highlight everything that was done at the end of Part 1.

Step by step guidance

Estimated time to complete this lab: 10 minutes.

Step Action

1. From the student desktop VM Open Google Chrome.

Navigate to http://192.168.10.40

Enter the credentials listed below and click Login.

User Name: nsroot

Password: nsroot


2. Navigate to Traffic Management and click Setup NetScaler for ShareFile.


3. Enter the IP Address 192.168.10.32 (this IP address is NAT’ed to the internet and used for communication with ShareFile.com).

Leave the Name set to ShareFile.

Check the StorageZones Connector for Network File Shares/SharePoint box.

Click Continue.

4. Use the drop down menu to add the MCTWildcard certificate.

Click Continue.


5. Click Add New StorageZone Controller.

6. Enter the IP Address of the first StorageZone Controller server 192.168.10.30

Click the + sign next to the IP Address.

7. Normally you would add a 2nd StorageZone Controller IP address here for High Availability; however, to save time and ensure you finish the lab, you will only be configuring 1 StorageZones Controller server.

8. This is what it should look like when finished.

Click Done.


9. An LDAP Authentication Settings window will open.

Enter the following information into the LDAP Authentication Settings.

AAAVServer IP Address: 192.168.10.33

LDAP Server IP Address: 192.168.10.11

Single Sign-On Domain: training

Base DN (location of users): dc=training, dc=lab

Administrator Bind DN: [email protected]

Password: Citrix123

Click Continue.

10. What you are doing here is configuring the AAA authentication that the ShareFile connector and Restricted Storage Zone traffic will use to authenticate the user at the NetScaler and then pass those credentials back to the appropriate virtual connector directory on the StorageZones Controller servers.


11. Checkpoint: This is what you should see when you are done.

Click Done.

12. You will be taken back to the Traffic Management window.

Below you will see the seven components that the wizard created and configured. The Content Switching vServer is the “front door” for all incoming StorageZones traffic. The type of traffic, ShareFile data or Connector, determines its traffic flow pattern, depicted in images 2 and 3. The wizard is a very powerful tool that is not only effective but also efficient.

Here is a graphical representation of the communication flow and what the wizard configured:


Requests for ShareFile data from on-premise data storage

A load balancing virtual server performs hash validation, to ensure valid URI signatures are present on incoming requests.

Requests for data from StorageZones Connectors

A load balancing virtual server performs user authentication. It stops a user request at the NetScaler, authenticates the user, and then performs single sign-on of the user to the StorageZones Controller.


Part 2: Configuring NetScaler for Restricted Zones

Overview

Part 2 consists of additional configuration to enable restricted StorageZones.

To support restricted zones you must perform additional NetScaler configuration after you complete the NetScaler for ShareFile wizard.

Create and configure a third NetScaler load-balancing virtual server, used to ensure that ShareFile clients send credentials only when logged on to a trusted ShareFile domain.

StorageZones Controller uses the Cross-Origin Resource Sharing (CORS) standard to provide the necessary security for requests to restricted zones. CORS uses HTTP headers to allow the client and server to know enough about each other to determine if a request or response should succeed.

As described in the following steps, you will configure the additional virtual server to allow anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes through to the StorageZones Controller without being authenticated and without HTTPS callouts to validate the signature. The CORS preflight check validates domain trust before sending credentials.

An understanding of CORS is not needed to perform the configuration. However, for more information about CORS, including browser support, see http://enable-cors.org/.

Step by step guidance

Estimated time to complete this lab: 15 minutes.

Step Action

1. Navigate to Load Balancing | Virtual Servers and click Add.


2. Enter a Name: _SF_SZ_OPTIONS

Change the Protocol to SSL.

Change the IP Address Type to Non-Addressable.

Click OK.

3. Select the No Load Balancing Virtual Service Binding option.

4. Click to Select in the Select Service field.


5. Check the boxes next to the service and click OK.

6. Click Bind.

7. This is what you should see. Click OK.


8. Click the No Server Certificate option.

9. Click to Select in the Select Server Certificate field.


10. Bullet the MCTWildcard certificate and select OK.

11. Click Bind.


12. This is what you should see. Click OK.

13. This is what you should see. Click Done.


14. Click the Refresh icon.

15. This is what you should see when finished.


16. Navigate to Traffic Management | Content Switching | Policies and click Add.

17. Enter a Name: _SF_SZ_OPTIONS_CSPOL. Next to the Action field click the + icon.


18. Enter a Name: OPTIONS In the Target Load Balancing Virtual Server field use the pull down and select the _SF_SZ_OPTIONS virtual server just created. Click Create.

19. Click Expression Editor.


20. In the first drop down menu select HTTP.

21. In the 2nd drop down menu select REQ.


22. In the 3rd drop down menu select METHOD.

23. In the 4th drop down menu select EQ(String).


24. Enter OPTIONS in the field next to EQ(String). Click Done.

25. This is what you will see when finished. Click Create.


26. You will be brought back to the Content Switching Policies window.

27. Select the _SF_CIF_SP_CSPOL policy and click Edit.


28. Place the cursor after (“/sp/”) followed by a space and select the Operators pull down menu. Select the || operator.

29. The Expression should look like the below expression.

Enter another space after the || operator.

Click Expression Editor.


30. Similar to the way you accomplished steps 20-24, use the drop down menus to enter the information exactly as it is below. When finished click Done.

31. This is what it should look like when finished. Click OK.


32. You will be brought back to the Content Switching Policies window.

33. Navigate to Traffic Management | Content Switching | Virtual Servers and highlight the _SF_CS_ShareFIle virtual server. Click Edit.


34. Under CS Policy Binding select the 2 Content Switching Policies option.

35. Click Add Binding.


36. Click to Select in the Select Policy field.

37. Bullet the _SF_SZ_OPTIONS_CSPOL policy and click OK.


38. Change the Priority to 10. This policy needs to have the highest priority which means it will have the lowest number of all content switching policies. Click Bind.

39. Highlight the _SF_CIF_SP_CSPOL and using the Edit dropdown menu select Edit Binding.


40. Change the Priority to 20.

In the Goto Expression field use the dropdown menu to select END.

Click Bind.

41. This is what it should look like when finished. The priorities of these bindings are essential for traffic flow.

Click Close.


42. Click Done.

43. Click the Save icon.

44.

45. That concludes this part of the configuration.


In Part 2 you added the necessary components to enable Restricted StorageZones.

• You added a 3rd, non-addressable load-balanced vServer configured to accept traffic from the content switching policy you created, named _sf_sz_options_cspol. This policy needs the highest priority of the 3 policies to ensure proper traffic flow.

• Secondly, you extended the _sf_cifs_sp_cspol policy to include traffic that contains the term “proxyservice” in the URL header. This service is used to authenticate users to the Restricted StorageZone and subsequently decrypt the file and folder metadata.

• Finally, you edited the Content Switching policy priorities to ensure that incoming ShareFile data is directed to the appropriate places.
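The binding order set in steps 38 to 41 can be verified against a saved configuration. The audit below is an added example, not part of the lab guide or of any Citrix tooling; it assumes standard NetScaler CLI syntax as stored in ns.conf. The sample configuration is constructed: DATA_CSPOL_PLACEHOLDER, the LB_*_PLACEHOLDER names and the full rule text of the two non-OPTIONS policies are assumptions.

```python
import shlex

# Constructed sample in ns.conf syntax. Policy and vserver names marked
# PLACEHOLDER and the rule text of the 2nd and 3rd policies are assumptions;
# the other names are the ones used in the lab steps.
SAMPLE_CONF = r'''
add cs action OPTIONS -targetLBVserver _SF_SZ_OPTIONS
add cs policy _SF_SZ_OPTIONS_CSPOL -rule "HTTP.REQ.METHOD.EQ(\"OPTIONS\")" -action OPTIONS
add cs policy _SF_CIF_SP_CSPOL -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\") || HTTP.REQ.URL.CONTAINS(\"/ProxyService/\")"
add cs policy DATA_CSPOL_PLACEHOLDER -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT"
bind cs vserver _SF_CS_ShareFIle -policyName _SF_SZ_OPTIONS_CSPOL -priority 10
bind cs vserver _SF_CS_ShareFIle -policyName _SF_CIF_SP_CSPOL -targetLBVserver LB_CONNECTOR_PLACEHOLDER -priority 20 -gotoPriorityExpression END
bind cs vserver _SF_CS_ShareFIle -policyName DATA_CSPOL_PLACEHOLDER -targetLBVserver LB_DATA_PLACEHOLDER -priority 30
'''

# Same configuration with the OPTIONS policy bound last (the failure case).
MISORDERED_CONF = SAMPLE_CONF.replace("-priority 10", "-priority 40")


def _opts(tokens):
    """Turn ['-priority', '10', ...] into {'priority': '10', ...}."""
    return {tokens[i].lstrip("-").lower(): tokens[i + 1]
            for i in range(0, len(tokens) - 1, 2)}


def _norm(rule):
    """Upper-case a policy rule and drop whitespace for comparison."""
    return "".join(rule.split()).upper()


def parse_conf(text):
    """Collect content switching policies and their vserver bindings."""
    policies, bindings = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        verb, name, opts = [t.lower() for t in tok[:3]], tok[3], _opts(tok[4:])
        if verb == ["add", "cs", "policy"]:
            policies[name] = opts.get("rule", "")
        elif verb == ["bind", "cs", "vserver"] and "policyname" in opts:
            bindings.setdefault(name, []).append({
                "policy": opts["policyname"],
                "priority": int(opts.get("priority", "0")),
                "goto": opts.get("gotopriorityexpression", ""),
            })
    return policies, bindings


def audit(text):
    """Return a list of findings; an empty list means the layout matches Part 2."""
    policies, bindings = parse_conf(text)
    findings = []
    options_pols = {n for n, r in policies.items()
                    if 'HTTP.REQ.METHOD.EQ("OPTIONS")' in _norm(r)}
    connector_pols = {n for n, r in policies.items() if '"/SP/"' in _norm(r)}

    if not options_pols:
        findings.append("no content switching policy matches the OPTIONS method")
    for name in sorted(connector_pols):
        if "PROXYSERVICE" not in _norm(policies[name]):
            findings.append(f"{name}: rule does not match proxyservice URLs")

    for vserver, binds in bindings.items():
        ordered = sorted(binds, key=lambda b: b["priority"])
        first = ordered[0]
        if not any(b["policy"] in options_pols for b in ordered):
            findings.append(f"{vserver}: no OPTIONS policy bound")
        elif first["policy"] not in options_pols:
            # Lowest priority number is evaluated first, so a preflight request
            # would be handled by this policy instead of the OPTIONS vserver.
            findings.append(f"{vserver}: {first['policy']} (priority "
                            f"{first['priority']}) is evaluated before the OPTIONS policy")
        for b in ordered:
            if b["policy"] in connector_pols and b["goto"].upper() != "END":
                findings.append(f"{vserver}: {b['policy']} binding lacks Goto Expression END")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("misordered", MISORDERED_CONF)):
        print(label, audit(conf) or "OK")
```

Run it against an exported configuration by passing the file contents to audit(); a non-empty result lists each binding that would send CORS preflight requests to a vserver other than the one created in step 2.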


Part 3: Configuring NetScaler Gateway

Overview

Part 3 consists of creating a NetScaler Gateway policy and profile, as well as making all configurations needed to enable SAML SSO to the XenMobile Server.

Step by step guidance

Estimated time to complete this lab: 10 minutes.

Section 1: Creating NetScaler Gateway Session Policy and Profile.

Step Action

1. Navigate to NetScaler Gateway | Policies | Session and click Add.

2. Enter a Name: SF_SAML_SSO_POLICY

3. Click + next to Action.


4. Enter a Name: SF_SAML_SSO_PROFILE

5. Select the Client Experience tab and Check the Override Global boxes of the three sections highlighted above.

6. Home Page uncheck the Display Home Page box and verify that the word ‘none’ populates the field.

7. Session Time-Out (mins) set to 1

8. Check the Single Sign-On to Web Applications box


9. Select the Security tab.

10. Click the Override Global box and the Default Authorization Action will change to ALLOW.


11. Select the Published Applications tab and Check the Override Global boxes of the four sections highlighted below.

12. Set the ICA Proxy to On

13. Set the Web Interface Address to https://xms.training.lab:8443

14. Set the Web Interface Address Type to IPV4

15. Set the Web Interface Portal Mode to Normal

16. Set the Single Sign-On Domain to training

17. Click Create.


18. The newly created Profile should be listed in the Action field.

19. Click Expression Editor.

20. An Add Expression window opens.

21. Change the Qualifier to HEADER.

22. Change the Operator to CONTAINS.

23. Enter NSC_FSRD as the Value.

24. Enter Cookie as the Header Name.


25. Click Done.

26. This is what the Policy should look like.

27. Click Create.

28. CheckPoint - This is what you should see.

29. Save the running configuration.

In this section you created the SAML SSO policy and profile required by the NetScaler to provide SAML SSO communication to the XenMobile Server.


Section 2: Editing the NetScaler Gateway Virtual Server.

Step Action

1. Navigate to NetScaler Gateway | Virtual Servers. Select the NetScaler_Gateway virtual server and click Edit.

2. Click + in the Policies section.


3. In the Choose Policy window verify that Session is selected (it should default to this) and in the Choose Type window Request is selected.

4. Click Continue.

5. Click to Select in the Select Policy field.

6. Bullet the SF_SAML_SSO_POLICY just created.

7. Click OK.


8. Change the Priority to 10 and click Bind.

9. Checkpoint – This is what you should see.


10. In the Advanced section on the right hand side click + in the Published Applications section.

11. Click the Right Arrow in the ‘No STA Server’ section.


12. Type https://xms.training.lab in the Secure Ticket Authority Server window and select IPV4 from the Secure Ticket Authority Server Address Type drop down.

13. Click Bind.

14. From this window select the 1 STA Server section in Published Applications.


15. This is what you should see.

16. Click Close.

17. From the Advanced section on the right hand side click + in Other Settings.


18. Uncheck Redirect to Home Page.

19. In the ShareFile field type xms.training.lab:8443

In the AppController field type https://xms.training.lab:8443

20. Click OK.


21. Checkpoint: This is what you should see.

22. Click Done.

23. Click the Disk icon at the top right to save the running configuration.


24. Click Yes.

25. Click Logout and close the browser.

In section 2 you configured the NetScaler Gateway to allow for SAML SSO to the XenMobile Server. This solution uses the NetScaler Gateway to redirect traffic coming from the ShareFile clients to the XenMobile Server for Active Directory authentication via SAML.

Exercise Summary

In Part 1 students learned how to use the NetScaler for ShareFile Wizard which created traditional Load Balancing rules to ensure StorageZone Controller high availability, as well as Content Switching for both ShareFile Data (including HTTP Callouts and Responder Policies) and ShareFile Connector traffic (including AAA Authentication).

In Part 2 students configured an additional load-balanced vServer and content switching policy enabling Restricted StorageZones.

In Part 3 students configured the NetScaler Gateway with the information necessary to enable it to provide SAML single sign-on authentication with the XenMobile Server.

Key takeaways include:

• You created the session policy and profile necessary for the configuration. The NetScaler Gateway already had the authentication policy and SSL certificate bound to it.

• You configured the NetScaler Gateway virtual server.

• You added the XenMobile Server as an STA; in the options section you disabled the cginfra home page redirection, which is necessary for forms-based SAML; and under ShareFile URL you added the internal server name and port of your XenMobile Server. This configuration authorizes requests to the specified URL through the /cginfra path.


Exercise 2

Configuring On-Premise Storage Zones

Overview

For this exercise, you will create an on premise storage zone that allows users to store files on premise in a CIFS file share instead of in the ShareFile cloud. An empty file share has been created for you at \\szc1.training.lab\sharefiledata.

Note: When installing On-premise StorageZones without a NetScaler in front of the solution a server with a public Internet address and a trusted SSL certificate is required. Because this lab has a NetScaler configured this is not required as the NetScaler will handle the SSL communications on behalf of the StorageZones Controller servers.

Step by step guidance

Estimated time to complete this lab: 15 minutes.

Section 1: Configuring StorageZones Controller Software on SZC1

Step Action

1. From the student desktop VM navigate to Start | Run and enter mstsc and click OK.

Click OK.


2. Enter SZC1 into the computer name.

Click Connect.

3. You will be prompted to enter credentials to make an RDP connection.

Log in with the administrator's credentials. Click OK.

User name: training\administrator

Password: Citrix123


4. Click on the IIS Manager icon in the taskbar and navigate to the Default Web Site.

Select Browse localhost on: 80 (http).

5. Verify that Citrix ShareFile is displayed.

6. Close web browser and close IIS Manager.

7. Open Internet Explorer and enter the following in the URL window. (You can use the pulldown arrow).

http://localhost/configservice/login.aspx


8. Enter the details for your ShareFile lab account and click Log In.

Email: [email protected]

Password: citrix123

Subdomain: <student account>.sharefile.com

9. Select the Create New Zone option and enter a name.

10. Enter the External Address which is the IP1 FQDN address from your lab documentation

in the form listed above.


11. Check the 2 boxes to Enable StorageZone Connectors.

12. Check the box next to Enable StorageZone for ShareFile Data.

Check the box next to Create a Restricted Zone.

Complete the Local Network Share Configuration fields using the following information:

Network Share Location: \\szc1.training.lab\sharefiledata

Network Share Username: training\administrator

Network Share Password: Citrix123


13. Enter a Passphrase (Citrix123 as an example), confirm it by entering it again, and click Register.

14. Once completed you will see the following message.

Click Go there now.


15. Enter the following information:

SMTP server address: exchange.training.lab

SMTP port number: 25

Sender address: [email protected]

Send sample email to: [email protected]

Click Send Test email.


16. Click Apply.


17. This is the message you will see.

18. Click Log Out.

19. Navigate to Start (Windows Icon) | Run, type Drivers, and click OK.


20. Open the etc folder.

21. Open the Hosts file.

22. You will be prompted How do you want to open this file?

Select Notepad.


23. Enter the information similar to below.

On the left side enter 192.168.10.30 (the IP address of the SZC server).

On the right side enter the FQDN of YOUR IP1 address from the Lab website.

24. Click File | Save.

25. Close all windows and close the RDP session.

26. Normally this is where you would configure the 2nd StorageZones Controller server and link it to the primary server. The configuration is redundant, so it has been removed to ensure you finish the entire lab.

Exercise Summary

In this exercise students learned how to configure a StorageZones Controller server for Restricted StorageZones, including the SMTP service needed for e-mail communication from ShareFile.


Exercise 3

Configuring ShareFile User Management Tool

Overview

In this exercise students will configure and use the ShareFile User Management Tool (UMT) to add

users to their ShareFile training account. The UMT is considered the best practice for provisioning

users into ShareFile as it provides the most configurable options through the user interface.

Step by step guidance

Estimated time to complete this lab: 10 minutes.

Section 1: Exploring StorageZones

Step Action

1. From the student desktop VM navigate to Start | Run, enter mstsc, and click OK.

2. Enter win7 into the computer name.

Click Connect.


3. You will be prompted to enter credentials to make an RDP connection.

Log in with the administrator's credentials. Click OK.

User name: training\administrator

Password: Citrix123

4. From the desktop launch the ShareFile User Management Tool.

5. Log in using your ShareFile training account and administrator credentials.


6. Enter the domain information in the Connect to Domain window.

Domain: training.lab

UserName: administrator

Password: Citrix123

Click Connect.


7. From the Dashboard tab select the Users icon.

8. Select the ShareFile OU and click Add Rule.


9. You will be prompted with the Edit Users Rule window.

10. Change How will your employees log in? to AD-Integrated

11. Change StorageZone to ShareFile US East

12. Change Default Company Name to Training

13. Check the box next to Add to Shared Address Book

14. Click Save and then click Close.


15. Select the Rules tab and click Refresh.

16. Click Commit Now


17. Click OK.

18. This is what you should see when finished.

Close the UMT tool and close the Win7 RDP session.


Exercise Summary

In this exercise students configured the ShareFile User Management Tool (UMT) which is primarily

used by our enterprise customers for ShareFile account provisioning from Active Directory.

You configured a rule to sync users in the ShareFile Users OU into your ShareFile student lab

account and you could have set a schedule so that the sync would run at specific times of the day.

When configured this way any changes to the ShareFile Users OU would be synced at the next

time interval keeping the 2 systems in sync.


Exercise 4

Configuring ShareFile Enterprise

Overview

In this exercise students will explore StorageZones within ShareFile.com. You will create a folder

that uses the on-premise Restricted StorageZone you created in Exercise 2 and you will upload

some files in it to demonstrate the Restricted StorageZone authentication requirements and file

structure. Finally you will use the Win7 virtual machine to check the e-mail for user1.

Step by step guidance

Estimated time to complete this lab: 20 minutes.

Section 1: Exploring StorageZones

Step Action

1. From your student laptop, open a browser and go to the URL of your ShareFile account

and login using the Client Login with the following credentials:

URL: https://student-x.sharefile.com

Email Address: [email protected]

Password: citrix123


2. After logging in click on Admin in the menu bar.

3. Click StorageZones in the left-hand column.


4. Select the name of the StorageZone you just created.

5. Statistics on each StorageZone Controller, as well as any users or folders that are using

that StorageZone are presented on this page.


6. Now you’ll create a new ShareFile folder that uses your Restricted StorageZone for file

storage.

Click Home in the menu bar followed by the Shared Folders tab to reach a top level

folder in the ShareFile account.

7. Click Create Folder.

8. Name the folder RESTRICTED and select your Restricted StorageZone name from the

drop-down list of StorageZones.

In Add Users, select Add From Shared Address Book.

Click Create Folder.


9. Check the boxes next to both users and click Add Selected Users.

10. Check all boxes under Configure custom permissions and click Add Users.


11. Click Save Changes.

12. You will be prompted to enter AD credentials.

Enter the following:

User Name: user1

Password: Citrix123

Click Log In.


13. Once authenticated you will be taken into the RESTRICTED folder.

14. Logout of your ShareFile account and completely close the browser.

15. Download some sample files from https://mhowell.sharefile.com/d/s121a13afbf34841b and unzip the downloaded file. Store the files on the student laptop.


16. From your student laptop, open a browser and go to the URL of your ShareFile account

and login using the Client Login with the following credentials:

URL: https://student-x.sharefile.com

Email Address: [email protected]

Password: citrix123

17. Navigate to the Shared Folder tab and open the RESTRICTED shared folder just created.

18. You will be prompted to authenticate to Active Directory.

Enter the following:

User Name: user1

Password: Citrix123

Click Log In.


19. Select Upload Files.

20. Select Choose Files or drag and drop files


21. Navigate to the location where you stored the test documents. Select a couple of

documents and click Open.

22. Click Upload Files.


23. This is what you should see when finished.

24. Click Log Out and close the browser.

25. From the student desktop VM you can view the file objects as they are added to the

folder structure beneath \\SZC1\sharefiledata\persistentstorage\...

When prompted for credentials use:

Username: training\administrator

Password: Citrix123

26. From the student desktop VM navigate to Start | Run and type mstsc.

27. Log in to the Win7 VM.

Click Connect.


28. Enter Citrix123 for the Password. Click OK.

29. From the Win7 VM desktop launch the Chrome – Outlook Web Access shortcut.

Select the This is a private computer option.

Password: Citrix123

Click Sign In


30. Verify that an email was sent to [email protected] notifying that user that files were

uploaded to the RESTRICTED shared folder.

31. You will also see the test e-mail sent when you initially configured the SMTP service on

the StorageZones Controller server.

32. Close Outlook and close the Win7 RDP session.

Exercise Summary

In this exercise students learned how to configure a shared folder in ShareFile to use a customer-

managed StorageZone. They uploaded some files to that folder and verified that the SMTP server

configured in Exercise 2 is functioning properly.


Exercise 5

Configuring XenMobile Server

Overview

In this exercise students will learn how to configure the XenMobile Server as the IDP to allow for

SAML Single Sign-On.

Step by step guidance

Estimated time to complete this lab: 15 minutes.

Section 1: Adding a ShareFile Users Delivery Group to XenMobile Server.

Step Action

1. From the student desktop VM open Google Chrome and navigate to https://192.168.10.50:4443. You will be prompted with a “Your connection is not private” message.

2. Click Advanced.


3. Click Proceed to 192.168.10.50 (unsafe).

4. Log on using the following credentials:

Username: administrator

Password: Citrix123


5. Select the Configure tab.

6. Select Delivery Groups and click Add.


7. Enter a Name: ShareFile Users and Description (optional).

8. Click Next.

9. Type the word ShareFile into the Include User Groups field and click Search.


10. Check the box next to the training.lab\ShareFile Users security group.

11. Click Next.

12. Don’t make any changes. Click Next.


13. Don’t make any changes. Click Next.

14. Don’t make any changes. Click Next.


15. Click Save.

16. This is what you will see when finished.

In section 1 you added a ShareFile Users Delivery Group to the XenMobile Server. This is

important for user provisioning because using the default ‘All Users’ group would allow provisioning

of all users into your ShareFile account which is typically not what customers want to do. In this lab

there are 2 users in the ShareFile Users security group, user1 and user2.


Section 2: Configuring ShareFile integration.

Step Action

1. Select the Configure tab and select Settings and More.

2. Under the ShareFile section, select ShareFile.


3.

4. Enter the Domain which is the test ShareFile account assigned to you.

5. Check the box next to the ShareFile Users Delivery Group.

6. Use the following credentials for the ShareFile Administrator Account Login:

User name: [email protected]

Password: citrix123

7. Click Save.


8. This is what you will see when Save is complete.

9. Click Sync.


10. Click OK


11. Click Cancel.

12. This completes this exercise. Keep this window open.

This section configures the ShareFile communications from the XenMobile Server to the ShareFile

account. In your lab you will be assigned a student account (student-x.sharefile.com); this will be

the account information entered above. This configuration is used for 2 things in ShareFile, account

provisioning and SAML communications.


Section 3: Configuring XenMobile Server to Communicate with NetScaler

Step Action

1. Select the Configure tab and select Settings and More.

2. Select NetScaler Gateway.

3. Click the Add button.


4. Enter a Name: NS01

5. Enter an Alias: NetScaler_Gateway

6. The External URL is the IP2 FQDN address provided when the lab was provisioned. Enter the External URL in the form https://<IP2 FQDN.mycitrixtraining.net> (https://75-126-165-68.mycitrixtraining.net as an example)

7. Select the Set as Default switch.

8. Click Save.


9. This is what you should see.

Authentication should have switched to On. If it didn’t, switch it to On.

10. Click Save.

11. Click OK.


12. Click Log Out.

13. Close the browser.

Exercise Summary

In this exercise students integrated the XenMobile Server with ShareFile and NetScaler making the

necessary configurations to allow it to serve as the IDP for ShareFile SAML Single sign-on.

Key takeaways include:

Configuring a Delivery Group that limits the overall Active Directory environment to a specific

set of users designed to use ShareFile.

Integrating the ShareFile account with the XenMobile Server and in doing so adding SSO

configurations to ShareFile enterprise specific to the XenMobile Server.

Configuring the NetScaler deployment allowing the XenMobile Server to communicate to

NetScaler.


Exercise 6

Configuring ShareFile Account for SAML SSO

Overview

In this exercise students will learn how to configure the ShareFile account for SAML SSO using the

XenMobile Server as the IDP.

Step by step guidance

Estimated time to complete this lab: 5 minutes

Section 1: Configuring ShareFile Account for SAML SSO

Step Action

1. From your Student Laptop open a browser and navigate to your ShareFile training

account. (student-x.sharefile.com)

Log in to the Client Login with the following credentials:

Email Address: [email protected]

Password: citrix123


2. Navigate to Admin | Configure Single Sign-On.


3.

4. Change the Login URL to the following:

https://<IP2FQDN>.mycitrixtraining.net/cginfra/https/xms.training.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true

Note: Do not try to cut and paste this expression; it will not work. Manually type the information into the Login URL.

Make sure the Login URL in ShareFile matches this exactly. If it does not, SAML SSO will NOT work.

5. Check the Enable Web Authentication box.

6. Change the SP-Initiated Auth Context to Username and Password

7. Click Save

8. Logout of ShareFile.

Exercise Summary

In this final configuration exercise students finished up the SAML SSO configuration by adding the

necessary information to the Login URL which ShareFile will use when redirecting login requests

that will use SAML single sign-on, changing the authentication model to forms-based using User

Name and Password as the authentication context.
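
The exact-match requirement on the Login URL in step 4 can be checked mechanically before saving. The Python below is an added example, not part of the original lab guide or of any Citrix tool; the function names and the ip2_label parameter are assumptions, and the host label 75-126-165-68 is the guide's own example value.

```python
from urllib.parse import urlsplit, parse_qsl

# Fixed parts of the Login URL, taken from step 4 of this exercise.
GATEWAY_SUFFIX = ".mycitrixtraining.net"
EXPECTED_PATH = "/cginfra/https/xms.training.lab:8443/samlsp/websso.do"
EXPECTED_QUERY = [
    ("action", "authenticateUser"),
    ("app", "ShareFile_SAML"),
    ("reqtype", "1"),
    ("nssso", "true"),
]


def expected_login_url(ip2_label):
    """Build the Login URL for one IP2 host label (hypothetical parameter)."""
    query = "&".join(f"{key}={value}" for key, value in EXPECTED_QUERY)
    return f"https://{ip2_label}{GATEWAY_SUFFIX}{EXPECTED_PATH}?{query}"


def check_login_url(typed, ip2_label):
    """Return a list of differences; an empty list means an exact match."""
    if typed == expected_login_url(ip2_label):
        return []
    problems = []

    # Spaces, line breaks and non-ASCII characters never belong in this URL.
    bad = sorted({ch for ch in typed if not "!" <= ch <= "~"})
    if bad:
        problems.append("unexpected characters: " + ", ".join(map(repr, bad)))
    cleaned = "".join(ch for ch in typed if "!" <= ch <= "~")

    if not cleaned.startswith("https://"):
        problems.append("URL must start with https://")
    try:
        parts = urlsplit(cleaned)
    except ValueError as exc:
        return problems + [f"not a parseable URL: {exc}"]

    want_host = ip2_label + GATEWAY_SUFFIX
    if parts.netloc != want_host:
        problems.append(f"host is {parts.netloc!r}, expected {want_host!r}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path is {parts.path!r}, expected {EXPECTED_PATH!r}")

    # Compare each query parameter by name and exact (case-sensitive) value.
    got = parse_qsl(parts.query, keep_blank_values=True)
    got_map = dict(got)
    for key, value in EXPECTED_QUERY:
        if key not in got_map:
            problems.append(f"missing query parameter {key!r}")
        elif got_map[key] != value:
            problems.append(f"{key} is {got_map[key]!r}, expected {value!r}")
    known = {key for key, _ in EXPECTED_QUERY}
    for key, _ in got:
        if key not in known:
            problems.append(f"unexpected query parameter {key!r}")
    if parts.fragment:
        problems.append(f"unexpected fragment {parts.fragment!r}")

    # Every component matched, yet the strings differ.
    if not problems:
        problems.append("same components, different text: check letter case, "
                        "parameter order and encoding")
    return problems


if __name__ == "__main__":
    label = "75-126-165-68"  # the guide's own example host label
    # Constructed input: a space left where a wrapped line was joined.
    typed = expected_login_url(label).replace("reqtype", "reqtyp e")
    for problem in check_login_url(typed, label):
        print(problem)
```
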


Exercise 7

Testing the Solution – (Optional)

Overview

In this exercise students will test the solution that they’ve just built. Testing is limited to using the

browser to log into ShareFile using SAML as instructed.

Step by step guidance

Estimated time to complete this lab: 5 minutes

Section 1: Testing SAML via a Browser

Step Action

1. From your Student Laptop open a browser and navigate to your ShareFile training

account. (student-x.sharefile.com)

Log in to the Employee Login by clicking the LogIn button.

2. You will be redirected to a NetScaler Gateway authentication page.


3. Enter the credentials: Username: user1

Password: Citrix123

Click Log On.

4. You’ll be logged in to ShareFile with a Welcome message, click Close Tour.

5. Navigate to Shared Folders.

6. Open the Restricted folder.


7. Enter the AD credentials for user1 and click Log In.

User Name: user1

Password: Citrix123

8. When you enter the domain credentials to get into the Restricted StorageZone folder, you are authenticating to the StorageZone Proxy Service, which in turn decrypts the file metadata, allowing you to see and understand the file names inside the folder.

9. The Restricted folder will open.

This concludes the lab. To quickly recap what you’ve done:


First you used the Setup ShareFile for NetScaler wizard to configure NetScaler to provide

HA and secure communications to the ShareFile StorageZones Controller server.

You then configured the NetScaler to allow for Restricted StorageZones.

Next you configured NetScaler Gateway with the necessary information to allow SAML

authentication to the XenMobile Server.

In exercise 2 you configured the StorageZone Controller server for a customer-managed

Restricted StorageZone and configured an SMTP server for Restricted StorageZone e-

mails.

In the 3rd exercise students configured the ShareFile User Management Tool (UMT) which

is primarily used by our enterprise customers for ShareFile account provisioning from

Active Directory.

In the 4th exercise you configured the ShareFile account with a shared folder that uses the

customer-managed Restricted StorageZone and uploaded files to that shared folder.

In exercise 5 you configured the XenMobile Server with a delivery group specific to

ShareFile. You configured the ShareFile integration to the ShareFile account, using the

delivery group you previously created and finally you integrated the NetScaler Gateway to

the XenMobile Server.

Finally in exercise 6 you entered the final pieces of information into the ‘Configure Single

Sign-On’ section of the ShareFile web application to complete the solution.

What you’ve accomplished is building the most secure ShareFile Enterprise deployment. Users

will be authenticated to ShareFile using their Active Directory credentials, so no need for

additional usernames/passwords and authentication happens in the customer datacenter and

not in the cloud. Additionally, all ShareFile traffic destined to the customer-managed Restricted

StorageZone will be stopped and authenticated in the DMZ using the NetScaler, allowing only

valid, authenticated traffic into the datacenter, thus achieving all of the CEO and CTO

requirements as defined in the opening scenario.


Revision: Change Description Updated By Date

1.0 Original Version Mark Howell May 2015

About Citrix

Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to

work and collaborate from anywhere, securely accessing apps and data on any of the latest

devices, as easily as they would in their own office. Citrix solutions help IT and service providers

build clouds, leveraging virtualization and networking technologies to deliver high-performance,

elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop

virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations

of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world.

Citrix products are in use at more than 330,000 organizations and by over 100 million users

globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.
