In my first Sharefile post I showed how to install and prepare the internal systems for use with Citrix Sharefile storage Zone (on premise). In this post we will have a look on publishing these services via Netscaler to authenticate users through a on-premise ADFS service.





Requirements on the Sharefile Control Plane

Create a custom logon page as descripted in:

You will need to edit the login.htm file to replace the default SAML url with your account’s SAML login url. Please replace with (where demo is your subdomain).

You will also need to change the password reset request url from to .

You can test this site by the URL

To activate the custom logon page, you have to open a support request with Sharefile support.


Publishing ADFS Services

As described we will publish a SSL load balancer for access to the ADFS Services.

 adfs-p2-002 Add the ADFS server and service for ADFS
 adfs-p2-003 Create a load balancer.
 adfs-p2-004 Bind the ADFS service.
 adfs-p2-005 Bind you certificate.
adfs-p2-006 Add a responder to ensure only ADFS urls are available for access.
adfs-p2-007 Enable your NAT on the firewall and check if the startsite of your ADFS service is available.


Publishing Sharefile Storage Zone

Now we are ready to create the Sharefile Storage Zone vServer:

adfs-p2-008 Add the Sharefile Storage Zone controller.

By default, NetScaler pings the StorageZones Controller server to determine if it is online.

To verify StorageZones Controller outbound connectivity to ShareFile, you can create a secure HTTP-ECV monitor that checks heartbeat.aspx and looks for „***online***“ content, bind it to the NetScaler service for each StorageZones Controller.

adfs-p2-009 Create a data load balancer.
adfs-p2-010 Bind the Sharfile service.
adfs-p2-011  Bind the correct certificate.
adfs-p2-012 Change the persistence settings.
adfs-p2-013 Create a second vserver as controller load balancer.
adfs-p2-014 Bind the Sharefile service.
adfs-p2-015 Bind your certificate.
adfs-p2-016 Create a Content Switch vServer.
adfs-p2-017 Create a policy for the data request.
adfs-p2-018 Create a policy for the connector request, ex. SMB or Sharepoint.
adfs-p2-019 Bind the controller policy to the CS vServer. The target lb server is LB_SF_controller.
adfs-p2-020 Bind the data policy to the CS vServer and bin the connector policy. The target lb server is LB_SF_data.
adfs-p2-021 Enable your NAT on the firewall and check if the startsite of sharefile storage zone service is available.



Configuring Control Plane

No the last step brings the three components together:





Login to your sharefile control plane with your admin account and navigate to Admin -> Configure Single Sign on
adfs-p2-024 Configure the fields like described on the screenshot with your URLs.
adfs-p2-025 For testing navigate with a second browser to your custom logon page:

Depending on your customizations you should see a similar page. The left side represents your employee logon or a logon path for everybody how owns an active directory account in your domain.

adfs-p2-026 If you click on the „Single-Sign-on“ a redirect to your ADFS Service site occurs. In the URL you can notice the SAML request.

Now when a user logon on correctly, a second redirect to his/her Sharefile filebox occurs.

adfs-p2-027 And now the user has access to Sharefile.
adfs-p2-028 The same redirect mechanism will initiate the user logout. If a user clicks on the logout button on the top, a redirect to the ADFS service will occur to invalidate the SAML logon.


Securing Access to local Storage Zone

Restrict Access to Sharefile Storage with HTTP Callouts, so only are by Sharefile validated HTTP request are accepted by the Netscaler applicance. All other request, done by browsers or crawler are dropped

adfs-p2-029 Create a new HTTP callout, pointed to the Sharefile data lb vServer.

„/validate.ashx?RequestURI=“ + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + „&h=“


adfs-p2-030 We want to extract the response code from the backend:


adfs-p2-031 Now create a second callout with the following URL steam expression:

„/validate.ashx?RequestURI=“ + HTTP.REQ.URL.BEFORE_STR(„&h“).HTTP_URL_SAFE.B64ENCODE + „&h=“ + HTTP.REQ.URL.QUERY.VALUE(„h“)

adfs-p2-032 Again we have to look for the URL response code.
adfs-p2-033 Last but not least we have to create a responder policy that will work with these callouts and also tests the structure of the request. If one of these things is not like desired, the request will be dropped.

Now bind the reponder to the LB_SF_data

HTTP.REQ.URL.CONTAINS(„&h=“) && HTTP.REQ.URL.CONTAINS(„/crossdomain.xml“).NOT&& HTTP.REQ.URL.CONTAINS(„/validate.ashx?requri“).NOT&& SYS.HTTP_CALLOUT(SF_LB_CALLOUT) || HTTP.REQ.URL.CONTAINS(„&h=“).NOT && HTTP.REQ.URL.CONTAINS(„/crossdomain.xml“).NOT&& HTTP.REQ.URL.CONTAINS(„/validate.ashx?requri“).NOT&& SYS.HTTP_CALLOUT(SF_LB_CALLOUT_y) If you see problems with up- or downloads to your storage zone, try to unbind the responder policy and make sure that there is no typo or mis config in it.


Leave a Comment

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.