In my first Sharefile post I showed how to install and prepare the internal systems for use with a Citrix Sharefile Storage Zone (on premise). In this post we will look at publishing these services via Netscaler and authenticating users through an on-premise ADFS service.

Architecture

[Figure adfs-p2-001: architecture diagram]

Requirements on the Sharefile Control Plane

Create a custom logon page as described in: http://support.citrixonline.com/en_US/sharefile/all_files/SF090016

You will need to edit the login.htm file to replace the default SAML url with your account’s SAML login url. Please replace https://subdomain.sharefile.com/saml/login with https://demo.sharefile.eu/saml/login (where demo is your subdomain).

You will also need to change the password reset request URL from https://subdomain.sharefile.com/resetpasswordrequest.aspx to https://demo.sharefile.eu/resetpasswordrequest.aspx.

You can test this page at the URL https://demo.sharefile.eu/customlogon.aspx

To activate the custom logon page, you have to open a support request with Sharefile support.


Publishing ADFS Services

As described, we will publish an SSL load balancer for access to the ADFS services.

[adfs-p2-002] Add the ADFS server and a service for ADFS.
[adfs-p2-003] Create a load balancer.
[adfs-p2-004] Bind the ADFS service.
[adfs-p2-005] Bind your certificate.
[adfs-p2-006] Add a responder to ensure only ADFS URLs are available for access.
[adfs-p2-007] Enable your NAT on the firewall and check whether the start page of your ADFS service is reachable.
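The same six steps as NetScaler CLI commands, added here as an example and not taken from the original post. The server and vserver names, the IP addresses and the certificate key pair name (wildcard_cert) are assumptions; the path prefixes /adfs/ and /FederationMetadata/ are the standard AD FS endpoint locations and should be checked against your farm. The comment lines are for the reader and are not NetScaler CLI syntax; strip them before pasting.

```netscaler
# Step 1: server object and SSL service for the ADFS host (placeholder IP)
add server srv_adfs01 10.0.0.11
add service svc_adfs01 srv_adfs01 SSL 443

# Steps 2-4: SSL load balancing vserver (placeholder VIP), bind service and certificate
add lb vserver LB_ADFS SSL 192.0.2.10 443
bind lb vserver LB_ADFS svc_adfs01
bind ssl vserver LB_ADFS -certkeyName wildcard_cert

# Step 5: responder policy that drops every request whose path is not an AD FS endpoint.
# DROP is a built-in responder action. String matching is case-sensitive by default,
# so IGNORECASE is set explicitly on the path before comparing.
add responder policy RSP_ADFS_ONLY "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/adfs/\").NOT && HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/FederationMetadata/\").NOT" DROP
bind lb vserver LB_ADFS -policyName RSP_ADFS_ONLY -priority 100 -gotoPriorityExpression END -type REQUEST

# Step 6 (after the firewall NAT is in place): confirm the vserver is UP and the policy is bound
show lb vserver LB_ADFS
show responder policy RSP_ADFS_ONLY
```

The responder policy is an allow-list, so anything a crawler or browser requests outside the two AD FS prefixes is silently dropped rather than forwarded to the federation server; the hit counter shown by `show responder policy` is a quick way to see whether legitimate traffic is being caught by it.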


Publishing Sharefile Storage Zone

Now we are ready to create the Sharefile Storage Zone vServer:

[adfs-p2-008] Add the Sharefile Storage Zone controller.

By default, NetScaler pings the StorageZones Controller server to determine if it is online.

To verify StorageZones Controller outbound connectivity to ShareFile, you can create a secure HTTP-ECV monitor that requests heartbeat.aspx and looks for the content "***online***", and bind it to the NetScaler service of each StorageZones Controller.
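The heartbeat monitor as NetScaler CLI commands, added here as an example and not taken from the original post. The monitor, server and service names and the IP address are assumptions; the expected response string is the one the post names, so compare it against what your controller actually returns (the match is literal). Comment lines are for the reader, not CLI syntax.

```netscaler
# HTTP-ECV monitor over SSL: send a GET for heartbeat.aspx and require the
# "***online***" marker in the body. Without it the service is marked DOWN
# even if TCP/443 still answers, which is what a plain ping would miss.
add lb monitor mon_sf_heartbeat HTTP-ECV -send "GET /heartbeat.aspx" -recv "***online***" -secure YES

# StorageZones Controller as server object and SSL service (placeholder IP)
add server srv_szc01 10.0.0.21
add service svc_szc01 srv_szc01 SSL 443

# Bind the monitor to the service (repeat for each additional controller)
bind service svc_szc01 -monitorName mon_sf_heartbeat

# Verify: the service should report UP and the monitor should show no failures
show service svc_szc01
```

If the service stays DOWN while the controller is reachable in a browser, the usual causes are the controller's outbound connection to ShareFile (the heartbeat page reports that state) or a mismatch between the `-recv` string and the real page content.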

[adfs-p2-009] Create a data load balancer.
[adfs-p2-010] Bind the Sharefile service.
[adfs-p2-011] Bind the correct certificate.
[adfs-p2-012] Change the persistence settings.
[adfs-p2-013] Create a second vServer as controller load balancer.
[adfs-p2-014] Bind the Sharefile service.
[adfs-p2-015] Bind your certificate.
[adfs-p2-016] Create a Content Switch vServer.
[adfs-p2-017] Create a policy for the data requests.
[adfs-p2-018] Create a policy for the connector requests, e.g. SMB or Sharepoint.
[adfs-p2-019] Bind the controller policy to the CS vServer. The target lb vServer is LB_SF_controller.
[adfs-p2-020] Bind the data policy to the CS vServer and bind the connector policy. The target lb vServer is LB_SF_data.
[adfs-p2-021] Enable your NAT on the firewall and check whether the start page of the Sharefile Storage Zone service is reachable.


Configuring Control Plane

Now the last step brings the three components together:

[Screenshot adfs-p2-022]

[Screenshot adfs-p2-023]

Log in to your Sharefile control plane with your admin account and navigate to Admin -> Configure Single Sign-on.
[adfs-p2-024] Configure the fields as shown in the screenshot with your URLs.
[adfs-p2-025] For testing, navigate with a second browser to your custom logon page: https://demo.sharefile.eu/customlogin.aspx

Depending on your customizations you should see a similar page. The left side represents the employee logon, i.e. the logon path for everybody who owns an Active Directory account in your domain.

[adfs-p2-026] If you click on "Single-Sign-on", a redirect to your ADFS service site occurs. In the URL you can see the SAML request.

Now, when a user logs on correctly, a second redirect to his/her Sharefile filebox occurs.

[adfs-p2-027] And now the user has access to Sharefile.
[adfs-p2-028] The same redirect mechanism initiates the user logout. If a user clicks on the logout button at the top, a redirect to the ADFS service occurs to invalidate the SAML logon.


Securing Access to local Storage Zone

Restrict access to the Sharefile storage with HTTP callouts, so that only HTTP requests validated by Sharefile are accepted by the Netscaler appliance. All other requests, made by browsers or crawlers, are dropped.

[adfs-p2-029] Create a new HTTP callout, pointed to the Sharefile data lb vServer, with the following URL stem expression:

"/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="


[adfs-p2-030] We want to extract the response code from the backend, so the result expression is:

HTTP.RES.STATUS.EQ(200).NOT

[adfs-p2-031] Now create a second callout with the following URL stem expression:

"/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h=" + HTTP.REQ.URL.QUERY.VALUE("h")

[adfs-p2-032] Again we have to check the response code, with the same result expression as for the first callout.
[adfs-p2-033] Last but not least, we have to create a responder policy that works with these callouts and also tests the structure of the request. If one of these checks does not give the desired result, the request is dropped.

Now bind the responder policy to LB_SF_data. The rule is:

HTTP.REQ.URL.CONTAINS("&h=") && HTTP.REQ.URL.CONTAINS("/crossdomain.xml").NOT && HTTP.REQ.URL.CONTAINS("/validate.ashx?requri").NOT && SYS.HTTP_CALLOUT(SF_LB_CALLOUT) || HTTP.REQ.URL.CONTAINS("&h=").NOT && HTTP.REQ.URL.CONTAINS("/crossdomain.xml").NOT && HTTP.REQ.URL.CONTAINS("/validate.ashx?requri").NOT && SYS.HTTP_CALLOUT(SF_LB_CALLOUT_y)

If you see problems with uploads or downloads to your storage zone, try to unbind the responder policy and make sure that there is no typo or misconfiguration in it.
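The two callouts and the responder policy as NetScaler CLI commands, added here as an example and not taken from the original post. The post does not say which callout carries which name, so the mapping is an assumption: SF_LB_CALLOUT is the callout whose stem extracts the h parameter (used for requests that carry &h=), SF_LB_CALLOUT_y the one without it (used for requests that do not). The policy name RSP_SF_VALIDATE, the Host expression and the undef action are also assumptions. The exclusion string in the rule is spelled here to match the callout's own URL stem exactly, because CONTAINS is case-sensitive and the exclusion is what stops the callout request (which is sent to the same vserver the policy is bound to) from being evaluated by the policy again. Comment lines are for the reader, not CLI syntax.

```netscaler
# Callout for requests that carry an h parameter: strip "&h..." from the URL before
# base64-encoding it and pass h separately. returnType BOOL + resultExpr means the
# callout returns TRUE when the controller did NOT answer 200, i.e. "not validated".
add policy httpCallout SF_LB_CALLOUT -vServer LB_SF_data -scheme https -httpMethod GET -returnType BOOL -hostExpr "HTTP.REQ.HEADER(\"Host\")" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\" + HTTP.REQ.URL.QUERY.VALUE(\"h\")" -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"

# Callout for requests without an h parameter: encode the whole URL, empty h.
add policy httpCallout SF_LB_CALLOUT_y -vServer LB_SF_data -scheme https -httpMethod GET -returnType BOOL -hostExpr "HTTP.REQ.HEADER(\"Host\")" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"

# Responder policy: DROP when the matching callout reports "not validated".
# crossdomain.xml and the callout's own validate.ashx request are excluded from the
# check. -undefAction DROP makes the policy fail closed if the callout itself fails
# (controller unreachable, timeout) instead of letting the request through.
add responder policy RSP_SF_VALIDATE "(HTTP.REQ.URL.CONTAINS(\"&h=\") && HTTP.REQ.URL.CONTAINS(\"/crossdomain.xml\").NOT && HTTP.REQ.URL.CONTAINS(\"/validate.ashx?RequestURI=\").NOT && SYS.HTTP_CALLOUT(SF_LB_CALLOUT)) || (HTTP.REQ.URL.CONTAINS(\"&h=\").NOT && HTTP.REQ.URL.CONTAINS(\"/crossdomain.xml\").NOT && HTTP.REQ.URL.CONTAINS(\"/validate.ashx?RequestURI=\").NOT && SYS.HTTP_CALLOUT(SF_LB_CALLOUT_y))" DROP -undefAction DROP

# Bind to the data vserver at request time
bind lb vserver LB_SF_data -policyName RSP_SF_VALIDATE -priority 100 -gotoPriorityExpression END -type REQUEST

# Troubleshooting: hit counters for the policy and the callouts show whether
# legitimate transfers are being dropped or whether the callout never fires
show responder policy RSP_SF_VALIDATE
show policy httpCallout SF_LB_CALLOUT
show policy httpCallout SF_LB_CALLOUT_y
```

The parentheses only make the existing precedence explicit (&& binds tighter than ||), so the rule is the same one the post gives. When debugging upload or download failures, compare the hit counter of the policy with the hit counters of the two callouts: a rising policy counter with idle callouts points at the structural checks, a rising callout counter at the controller's validation answer.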
