SF 617: Delivering an End-to-End Encrypted File Sync and Sharing Solution with ShareFile Enterprise
Hands-on Lab Exercise Guide
Mark Howell
May 2015

Table of Contents

Overview ... 2
Scenario ... 4
Exercise 1 ... 5
   Part 1: Configuring NetScaler ... 5
   Part 2: Configuring NetScaler for Restricted Zones ... 12
   Part 3: Configuring NetScaler Gateway ... 34
Exercise 2: Configuring On-Premise Storage Zones ... 49
Exercise 3: Configuring ShareFile User Management Tool ... 60
Exercise 4: Configuring ShareFile Enterprise ... 68
Exercise 5: Configuring XenMobile Server ... 81
Exercise 6: Configuring ShareFile Account for SAML SSO ... 97
Exercise 7: Testing the Solution (Optional) ... 100

Overview

Hands-on Training Module

Objective
Provide hands-on experience with configuring Citrix ShareFile, StorageZone Connectors, NetScaler for High Availability, and On-Demand Sync.

Prerequisites
Working knowledge of NetScaler and XenMobile Server is helpful. An iPad or Android tablet is optional.

Audience
Citrix employees, customers, and partners.

Lab Environment Details
(System diagram of the lab: not reproduced here.) The Student Desktop VM is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop VM.

Lab Guide Conventions
• Attention symbol: particular attention must be paid to this step.
• Note symbol: special note to offer advice or background information.
• reboot: text the student enters, or an item they select, is printed like this.
• VMDemo: a filename mentioned in text, or lines added to files during editing.
• Start: bold text indicates a reference to a button or object.
• Highlight: focuses attention on a particular part of the screen.
• Arrow: shows where to click or select an item on a screenshot.

List of Virtual Machines Used

VM Name            IP Address      Description / OS
Router (hidden)    192.168.10.1    Lab Router / Vyatta
AD.training.lab    192.168.10.11   Active Directory
Exchange           192.168.10.15   Exchange server used for SMTP
SZC1               192.168.10.30   ShareFile StorageZone Controller 1
NS1                192.168.10.40   NetScaler VPX
XMS                192.168.10.50   XenMobile Server
Win7               192.168.10.61   Windows 7 utility machine
License            192.168.10.60   Used for XenMobile Server license

Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises.

VM Name   IP Address      Username        Password
AD        192.168.10.11   administrator   Citrix123
SZC1      192.168.10.30   administrator   Citrix123
NS1       192.168.10.40   nsroot          nsroot
XMS       192.168.10.50   administrator   Citrix123
Win7      192.168.10.61   administrator   Citrix123

Scenario

You are the system administrator at Synergy Training Solutions.
The CEO wants to enable a cloud-based file sharing solution, so that all employees can access all their data at any time and from any device, and share that data with their contacts at business partners and customers. The CIO has some additional requirements, as she has to make sure the company security policies are followed and the solution complies with the regulations for their industry.

Additional requirements from the CTO:
• Data can be stored in the cloud as well as on-premise. The on-premise StorageZone will store extremely confidential information, so all file and folder metadata stored in ShareFile's application tier must be encrypted and must only be decryptable by employees of Synergy Training Solutions.
• The solution needs to be highly available; the CEO demands 100% uptime.
• The company wants to easily provision users into their ShareFile account using the ShareFile User Management Tool.
• The organization has recently purchased XenMobile Enterprise edition, and the CIO wants to incorporate SAML SSO for all tier-1 ShareFile apps using the XenMobile Server as the identity provider (IDP).

With these requirements in mind, you start implementing a solution based on Citrix ShareFile. To fulfill all the requirements from the CTO, you use ShareFile StorageZones with an on-premise Restricted StorageZone. You make the environment highly available by front-ending the solution with NetScaler, and you configure the NetScaler, Citrix XenMobile Server and ShareFile to enable SAML SSO. Finally, you install and configure the ShareFile User Management Tool to set up a rule that provisions users from the Synergy Training Solutions AD into ShareFile.

Exercise 1

Part 1: Configuring NetScaler

Overview
Exercise 1 consists of 3 parts.
Part 1 consists of configuring the NetScaler VPX with Load Balancing rules to ensure StorageZones Controller high availability, and creating Content Switching for both ShareFile Data traffic (including HTTP Callouts and Responder Policies) and ShareFile Connector traffic (including AAA Authentication). To accomplish this you will use the Setup NetScaler for ShareFile wizard, introduced in v10.1x.e; this lab is running NetScaler v10.5.x. The wizard is designed to create and configure everything needed to successfully implement NetScaler for ShareFile. Everything the wizard did is highlighted at the end of Part 1.

Step by step guidance
Estimated time to complete this lab: 10 minutes.

1. From the student desktop VM, open Google Chrome. Navigate to http://192.168.10.40. Enter the credentials listed below and click Login.
   User Name: nsroot
   Password: nsroot
2. Navigate to Traffic Management and click Setup NetScaler for ShareFile.
3. Enter the IP Address 192.168.10.32 (this IP address is NAT'ed to the Internet and is used for communication with ShareFile.com). Leave the Name set to ShareFile. Check the StorageZones Connector for Network File Shares/SharePoint box. Click Continue.
4. Use the drop down menu to add the MCTWildcard certificate. Click Continue.
5. Click Add New StorageZone Controller.
6. Enter the IP Address of the first StorageZone Controller server, 192.168.10.30. Click the + sign next to the IP Address.
7. Normally you would add a 2nd StorageZone Controller IP address here for High Availability; however, to save time and ensure you finish the lab, you will only configure 1 StorageZones Controller server.
8. This is what it should look like when finished. Click Done.
9. An LDAP Authentication Settings window will open. Enter the following information into the LDAP Authentication Settings.
   AAA vServer IP Address: 192.168.10.33
   LDAP Server IP Address: 192.168.10.11
   Single Sign-On Domain: training
   Base DN (location of users): dc=training, dc=lab
   Administrator Bind DN: [email protected]
   Password: Citrix123
   Click Continue.
10. (screenshot only)
   Note: What you are doing here is configuring the AAA authentication that the ShareFile connector and Restricted StorageZone traffic will use to authenticate the user at the NetScaler, which then passes those credentials on to the appropriate virtual connector directory on the StorageZones Controller servers.
11. Checkpoint: This is what you should see when you are done. Click Done.
12. You will be taken back to the Traffic Management window, where you will see the seven components that the wizard created and configured. The Content Switching vServer is the "front door" for all incoming StorageZones traffic. The type of traffic, ShareFile data or Connector, determines its flow, as described in the two flows below. The wizard is a very powerful tool that is not only effective but also efficient.

Here is a representation of the communication flow and what the wizard configured:
• Requests for ShareFile data from on-premise data storage: a load balancing virtual server performs hash validation, to ensure valid URI signatures are present on incoming requests.
• Requests for data from StorageZones Connectors: a load balancing virtual server performs user authentication. It stops a user request at the NetScaler, authenticates the user, and then performs single sign-on of the user to the StorageZones Controller.

Part 2: Configuring NetScaler for Restricted Zones

Overview
Part 2 consists of additional configuration to enable restricted StorageZones. To support restricted zones you must perform additional NetScaler configuration after you complete the NetScaler for ShareFile wizard.
Create and configure a third NetScaler load-balancing virtual server, used to ensure that ShareFile clients send credentials only when logged on to a trusted ShareFile domain. The StorageZones Controller uses the Cross-Origin Resource Sharing (CORS) standard to provide the necessary security for requests to restricted zones. CORS uses HTTP headers to let the client and server learn enough about each other to determine whether a request or response should succeed. As described in the following steps, you will configure the additional virtual server to allow anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes through to the StorageZones Controller without being authenticated and without HTTP callouts to validate the signature; this is safe because the CORS preflight carries no credentials, and it is the preflight that validates domain trust before the client sends any. An understanding of CORS is not needed to perform the configuration. For more information about CORS, including browser support, see http://enable-cors.org/.

Step by step guidance
Estimated time to complete this lab: 15 minutes.

1. Navigate to Load Balancing | Virtual Servers and click Add.
2. Enter a Name: _SF_SZ_OPTIONS. Change the Protocol to SSL. Change the IP Address Type to Non-Addressable. Click OK.
3. Select the No Load Balancing Virtual Service Binding option.
4. Click to Select in the Select Service field.
5. Check the boxes next to the service and click OK.
6. Click Bind.
7. This is what you should see. Click OK.
8. Click the No Server Certificate option.
9. Click to Select in the Select Server Certificate field.
10. Bullet the MCTWildcard certificate and select OK.
11. Click Bind.
12. This is what you should see. Click OK.
13. This is what you should see. Click Done.
14. Click the Refresh icon.
15. This is what you should see when finished.
16. Navigate to Traffic Management | Content Switching | Policies and click Add.
17. Enter a Name: _SF_SZ_OPTIONS_CSPOL. Next to the Action field click the + icon.
18. Enter a Name: OPTIONS. In the Target Load Balancing Virtual Server field use the pull down and select the _SF_SZ_OPTIONS virtual server just created. Click Create.
19. Click Expression Editor.
20. In the first drop down menu select HTTP.
21. In the 2nd drop down menu select REQ.
22. In the 3rd drop down menu select METHOD.
23. In the 4th drop down menu select EQ(String).
24. Enter OPTIONS in the field next to EQ(String). Click Done.
25. This is what you will see when finished. Click Create.
26. You will be brought back to the Content Switching Policies window.
27. Select the _SF_CIF_SP_CSPOL policy and click Edit.
28. Place the cursor after ("/sp/"), followed by a space, and select the Operators pull down menu. Select the || operator.
29. The Expression should look like the expression shown. Enter another space after the || operator. Click Expression Editor.
30. Similar to the way you accomplished steps 20-24, use the drop down menus to enter the information exactly as shown (the added term matches requests whose URL contains "proxyservice"; see the summary of Part 2 below). When finished click Done.
31. This is what it should look like when finished. Click OK.
32. You will be brought back to the Content Switching Policies window.
33. Navigate to Traffic Management | Content Switching | Virtual Servers and highlight the _SF_CS_ShareFile virtual server. Click Edit.
34. Under CS Policy Binding select the 2 Content Switching Policies option.
35. Click Add Binding.
36. Click to Select in the Select Policy field.
37. Bullet the _SF_SZ_OPTIONS_CSPOL policy and click OK.
38. Change the Priority to 10. This policy needs to have the highest priority, which means it has the lowest number of all content switching policies. Click Bind.
39. Highlight the _SF_CIF_SP_CSPOL and, using the Edit dropdown menu, select Edit Binding.
40. Change the Priority to 20. In the Goto Expression field use the dropdown menu to select END. Click Bind.
41. This is what it should look like when finished. The priorities of these bindings are essential for traffic flow. Click Close.
42. Click Done.
43. Click the Save icon.
44. (screenshot only)
45. (screenshot only)

That concludes this part of the configuration. In Part 2 you added the necessary components to enable Restricted StorageZones:
• You added a 3rd, non-addressable load-balanced vServer, configured to accept traffic from the content switching policy you created, named _sf_sz_options_cspol. This policy needs the highest priority of the 3 policies to ensure proper traffic flow.
• Secondly, you extended _sf_cifs_sp_cspol to include traffic whose URL contains the term "proxyservice". This service is used to authenticate users to the Restricted StorageZone and subsequently decrypt the file and folder metadata.
• Finally, you edited the priorities of the Content Switching policy bindings to ensure that incoming ShareFile data is directed to the appropriate places.

Part 3: Configuring NetScaler Gateway

Overview
Part 3 consists of creating a NetScaler Gateway session policy and profile, and making all the configuration changes needed to enable SAML SSO to the XenMobile Server.

Step by step guidance
Estimated time to complete this lab: 10 minutes.

Section 1: Creating NetScaler Gateway Session Policy and Profile

1. Navigate to NetScaler Gateway | Policies | Session and click Add.
2. Enter a Name: SF_SAML_SSO_POLICY
3. Click + next to Action.
4. Enter a Name: SF_SAML_SSO_PROFILE
5. Select the Client Experience tab and check the Override Global boxes of the three sections listed in steps 6-8.
6. Home Page: uncheck the Display Home Page box and verify that the word 'none' populates the field.
7. Session Time-Out (mins): set to 1.
8. Check the Single Sign-On to Web Applications box.
9. Select the Security tab.
10. Click the Override Global box; the Default Authorization Action will change to ALLOW.
11. Select the Published Applications tab and check the Override Global boxes of the four sections listed in steps 12-16.
12. Set ICA Proxy to On.
13. Set the Web Interface Address to https://xms.training.lab:8443
14. Set the Web Interface Address Type to IPV4.
15. Set the Web Interface Portal Mode to Normal.
16. Set the Single Sign-On Domain to training.
17. Click Create.
18. The newly created Profile should be listed in the Action field.
19. Click Expression Editor.
20. An Add Expression window opens.
21. Change the Qualifier to HEADER.
22. Change the Operator to CONTAINS.
23. Enter NSC_FSRD as the Value.
24. Enter Cookie as the Header Name.
25. Click Done.
26. This is what the Policy should look like.
27. Click Create.
28. Checkpoint: This is what you should see.
29. Save the running configuration.

In this section you created the SAML SSO policy and profile required by the NetScaler to provide SAML SSO communication to the XenMobile Server.

Section 2: Editing the NetScaler Gateway Virtual Server

1. Navigate to NetScaler Gateway | Virtual Servers. Select the NetScaler_Gateway virtual server and click Edit.
2. Click + in the Policies section.
3. In the Choose Policy window verify that Session is selected (it should default to this) and that in the Choose Type window Request is selected.
4. Click Continue.
5. Click to Select in the Select Policy field.
6. Bullet the SF_SAML_SSO_POLICY just created.
7. Click OK.
8. Change the Priority to 10 and click Bind.
9. Checkpoint: This is what you should see.
10. In the Advanced section on the right hand side, click + in the Published Applications section.
11. Click the Right Arrow in the 'No STA Server' section.
12. Type https://xms.training.lab in the Secure Ticket Authority Server window and select IPV4 from the Secure Ticket Authority Server Address Type drop down.
13. Click Bind.
14. From this window select the 1 STA Server section in Published Applications.
15. This is what you should see.
16. Click Close.
17. From the Advanced section on the right hand side, click + in Other Settings.
18. Uncheck Redirect to Home Page.
19. In the ShareFile field type xms.training.lab:8443. In the AppController field type https://xms.training.lab:8443
20. Click OK.
21. Checkpoint: This is what you should see.
22. Click Done.
23. Click the Disk icon at the top right to save the running configuration.
24. Click Yes.
25. Click Logout and close the browser.

In section 2 you configured the NetScaler Gateway to allow for SAML SSO to the XenMobile Server. This solution uses the NetScaler Gateway to redirect traffic coming from the ShareFile clients to the XenMobile Server for Active Directory authentication via SAML.

Exercise Summary
In Part 1 students learned how to use the NetScaler for ShareFile wizard, which created traditional Load Balancing rules to ensure StorageZone Controller high availability, as well as Content Switching for both ShareFile Data (including HTTP Callouts and Responder Policies) and ShareFile Connector traffic (including AAA Authentication). In Part 2 students configured an additional load-balanced vServer and content switching policy, enabling Restricted StorageZones. In Part 3 students configured the NetScaler Gateway with the information necessary to enable it to provide SAML single sign-on authentication with the XenMobile Server.
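The routing order that Parts 1 and 2 build up, and the session-policy match from Part 3, modelled as an added example (Python written for this write-up; it is not Citrix code and not the lab's NetScaler configuration). The policy expressions are the ones the steps have you type. The names of the wizard's data and connector load-balancing vservers, the exact spelling of the "proxyservice" term, the goto semantics and the sample requests are assumptions or constructed, and are marked as such in the comments:

```python
"""Added example (not Citrix code, not the lab's exported configuration):
a Python model of the content-switching and session-policy evaluation that
Exercise 1 configures, so the effect of the binding priorities can be checked
offline.  Policy expressions are the ones the guide has you type; the names
of the data and connector load-balancing vservers are assumptions (the guide
only shows _SF_CS_ShareFile, _SF_CIF_SP_CSPOL and _SF_SZ_OPTIONS by name).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    method: str
    url: str                       # path + query as the NetScaler sees it
    headers: Dict[str, str] = field(default_factory=dict)


# Content-switching policy expressions (NetScaler default syntax in the docstrings).
def options_method(req: Request) -> bool:
    """HTTP.REQ.METHOD.EQ("OPTIONS")  -- _SF_SZ_OPTIONS_CSPOL"""
    return req.method.upper() == "OPTIONS"


def connector_or_proxyservice(req: Request) -> bool:
    """HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/") ||
    HTTP.REQ.URL.CONTAINS("/ProxyService/")  -- _SF_CIF_SP_CSPOL after Part 2.
    The spelling of the third term is an assumption; the guide only says the
    URL must contain "proxyservice", so the match here is case-insensitive."""
    url = req.url.lower()
    return any(tok in url for tok in ("/cifs/", "/sp/", "/proxyservice/"))


@dataclass
class CsPolicyBinding:
    name: str
    priority: int                   # lower number = evaluated first
    expression: Callable[[Request], bool]
    target: str                     # lb vserver the policy's action points at
    goto_end: bool = True           # Goto Expression END (stop) vs NEXT (continue)


# Targets.  _SF_SZ_OPTIONS is the vserver built in Part 2; the other two names are
# placeholders for the wizard-created data and connector vservers.
OPTIONS_VSERVER = "_SF_SZ_OPTIONS"            # no AAA, no hash callout
CONNECTOR_VSERVER = "CONNECTOR_LB (assumed)"  # AAA authentication, SSO to SZC
DATA_VSERVER = "DATA_LB (assumed)"            # default: URI signature hash validation

BINDINGS: List[CsPolicyBinding] = [
    CsPolicyBinding("_SF_SZ_OPTIONS_CSPOL", 10, options_method, OPTIONS_VSERVER),
    CsPolicyBinding("_SF_CIF_SP_CSPOL", 20, connector_or_proxyservice, CONNECTOR_VSERVER),
]


def route(req: Request, bindings: List[CsPolicyBinding] = BINDINGS) -> str:
    """Evaluate bindings in priority order.  A policy that evaluates TRUE selects
    its target; with Goto END evaluation stops, with NEXT it continues and a later
    TRUE policy overrides (this is the model's assumed reading of NetScaler goto
    handling).  No match falls through to the content switch's default vserver."""
    target = DATA_VSERVER
    for b in sorted(bindings, key=lambda b: b.priority):
        if b.expression(req):
            target = b.target
            if b.goto_end:
                break
    return target


def reversed_priorities() -> List[CsPolicyBinding]:
    """The same two policies with the priorities swapped, to show why the OPTIONS
    policy must carry the lowest number (step 38)."""
    return [
        CsPolicyBinding("_SF_SZ_OPTIONS_CSPOL", 20, options_method, OPTIONS_VSERVER),
        CsPolicyBinding("_SF_CIF_SP_CSPOL", 10, connector_or_proxyservice, CONNECTOR_VSERVER),
    ]


# NetScaler Gateway session policy from Part 3, Section 1:
# HTTP.REQ.HEADER("Cookie").CONTAINS("NSC_FSRD") -> SF_SAML_SSO_PROFILE
def gateway_session_profile(req: Request) -> Optional[str]:
    cookie = req.headers.get("Cookie", "")
    return "SF_SAML_SSO_PROFILE" if "NSC_FSRD" in cookie else None


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    preflight = Request("OPTIONS", "/cifs/folder/list")
    connector = Request("GET", "/cifs/folder/list")
    restricted = Request("POST", "/ProxyService/decrypt")
    data = Request("GET", "/download.ashx?h=signature")
    for r in (preflight, connector, restricted, data):
        print(r.method, r.url, "->", route(r))
    print("swapped priorities:", preflight.method, preflight.url,
          "->", route(preflight, reversed_priorities()))
```

Running the block shows that an OPTIONS preflight to a /cifs/ URL reaches _SF_SZ_OPTIONS only while _SF_SZ_OPTIONS_CSPOL has the lower priority number; with the priorities swapped, _SF_CIF_SP_CSPOL matches first and the unauthenticated preflight is sent to the AAA vserver instead, which is why step 38 insists on priority 10.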
Key takeaways include:
• You created the session policy and profile necessary for the configuration. The NetScaler Gateway already had the authentication policy and SSL certificate bound to it.
• You configured the NetScaler Gateway virtual server. You added the XenMobile Server as an STA, and in the Other Settings section you disabled the cginfra home page redirection (necessary for forms-based SAML) and under ShareFile you added the internal server name and port of your XenMobile Server; this configuration authorizes requests to the specified URL through the /cginfra path.

Exercise 2

Configuring On-Premise Storage Zones

Overview
For this exercise, you will create an on-premise storage zone that allows users to store files on premise, in a CIFS file share, instead of in the ShareFile cloud. An empty file share has been created for you at \\szc1.training.lab\sharefiledata.

Note: When installing on-premise StorageZones without a NetScaler in front of the solution, a server with a public Internet address and a trusted SSL certificate is required. Because this lab has a NetScaler configured, this is not required, as the NetScaler handles the SSL communications on behalf of the StorageZones Controller servers.

Step by step guidance
Estimated time to complete this lab: 15 minutes.

Section 1: Configuring StorageZones Controller Software on SZC1

1. From the student desktop VM navigate to Start | Run, enter mstsc and click OK.
2. Enter SZC1 as the computer name. Click Connect.
3. You will be prompted to enter credentials to make an RDP connection. Log in with the administrator credentials. Click OK.
   User name: training\administrator
   Password: Citrix123
4. Click on the IIS Manager icon in the taskbar and navigate to the Default Web Site. Select Browse localhost on: 80 (http).
5. Verify that Citrix ShareFile is displayed.
6. Close the web browser and close IIS Manager.
7. Open Internet Explorer and enter the following in the URL window (you can use the pulldown arrow):
   http://localhost/configservice/login.aspx
8. Enter the details for your ShareFile lab account and click Log In.
   Email: [email protected]
   Password: citrix123
   Subdomain: <student account>.sharefile.com
9. Bullet Create New Zone and enter a name.
10. Enter the External Address, which is the IP1 FQDN address from your lab documentation, in the form shown.
11. Check the 2 boxes to Enable StorageZone Connectors.
12. Check the box next to Enable StorageZone for ShareFile Data. Check the box next to Create a Restricted Zone. Complete the Local Network Share Configuration fields using the following information:
   Network Share Location: \\szc1.training.lab\sharefiledata
   Network Share Username: training\administrator
   Network Share Password: Citrix123
13. Enter a Passphrase (Citrix123 as an example), confirm it by entering it again, and click Register.
14. Once completed you will see the following message. Click Go there now.
15. Enter the following information:
   SMTP server address: exchange.training.lab
   SMTP port number: 25
   Sender address: [email protected]
   Send sample email to: [email protected]
   Click Send Test email.
16. Click Apply.
17. This is the message you will see.
18. Click Log Out.
19. Navigate to Start (Windows Icon) | Run, type Drivers and click OK.
20. Open the etc folder.
21. Open the Hosts file.
22. You will be prompted "How do you want to open this file?". Select Notepad.
23. Enter the information similar to the example shown. On the left side enter 192.168.10.30 (the IP address of the SZC server). On the right side enter the FQDN of YOUR IP1 address from the Lab website.
24. Click File | Save.
25. Close all windows and close the RDP session.
26. Normally this is where you would configure the 2nd StorageZones Controller server and link it to the primary server. The configuration is redundant, so to ensure you finish the entire lab it has been removed.

Exercise Summary
In this exercise students learned how to configure a StorageZones Controller server for Restricted StorageZones, including the SMTP service needed for e-mail communication from ShareFile.

Exercise 3

Configuring ShareFile User Management Tool

Overview
In this exercise students will configure and use the ShareFile User Management Tool (UMT) to add users to their ShareFile training account. The UMT is considered the best practice for provisioning users into ShareFile, as it provides the most configurable options through the user interface.

Step by step guidance
Estimated time to complete this lab: 10 minutes.

Section 1: Exploring StorageZones

1. From the student desktop VM navigate to Start | Run, enter mstsc and click OK.
2. Enter win7 as the computer name. Click Connect.
3. You will be prompted to enter credentials to make an RDP connection. Log in with the administrator credentials. Click OK.
   User name: training\administrator
   Password: Citrix123
4. From the desktop launch the ShareFile User Management Tool.
5. Log in using your ShareFile training account and administrator credentials.
6. Enter the domain information in the Connect to Domain window.
   Domain: training.lab
   UserName: administrator
   Password: Citrix123
   Click Connect.
7. From the Dashboard tab select the Users icon.
8. Select the ShareFile OU and click Add Rule.
9. You will be prompted with the Edit Users Rule window.
10. Change How will your employees log in? to AD-Integrated.
11. Change StorageZone to ShareFile US East.
12. Change Default Company Name to Training.
13. Check the box next to Add to Shared Address Book.
14. Click Save and then click Close.
15. Select the Rules tab and click Refresh.
16. Click Commit Now.
17. Click OK.
18. This is what you should see when finished. Close the UMT tool and close the Win7 RDP session.

Exercise Summary
In this exercise students configured the ShareFile User Management Tool (UMT), which is primarily used by our enterprise customers for ShareFile account provisioning from Active Directory. You configured a rule to sync users in the ShareFile Users OU into your ShareFile student lab account; you could also have set a schedule so that the sync runs at specific times of the day. When configured this way, any changes to the ShareFile Users OU are synced at the next interval, keeping the 2 systems in sync.

Exercise 4

Configuring ShareFile Enterprise

Overview
In this exercise students will explore StorageZones within ShareFile.com. You will create a folder that uses the on-premise Restricted StorageZone you created in Exercise 2, and you will upload some files into it to demonstrate the Restricted StorageZone authentication requirements and file structure. Finally, you will use the Win7 virtual machine to check the e-mail for user1.

Step by step guidance
Estimated time to complete this lab: 20 minutes.

Section 1: Exploring StorageZones

1. From your student laptop, open a browser and go to the URL of your ShareFile account. Log in using the Client Login with the following credentials:
   URL: https://student-x.sharefile.com
   Email Address: [email protected]
   Password: citrix123
2. After logging in, click on Admin in the menu bar.
3. Click StorageZones in the left-hand column.
4. Select the name of the StorageZone you just created.
5. Statistics on each StorageZone Controller, as well as any users or folders that are using that StorageZone, are presented on this page.
6. Now you'll create a new ShareFile folder that uses your Restricted StorageZone for file storage.
Click Home in the menu bar followed by the Shared Folders tab to reach a top level folder in the ShareFile account. 7. Click Create Folder. 8. Name the folder RESTRICTED and select your Restricted StorageZone name from the drop-down list of StorageZones. In the Add Users select Add From Shared Address Book Click Create Folder. | 71 | Step Action | 72 | 9. Check the boxes next to both users and click Add Selected Users. 10. Check all boxes under Configure custom permissions and click Add Users. Step Action 11. Click Save Changes. 12. You will be prompted to enter AD credentials. Enter the following: User Name: user1 Password: Citrix123 Click Log In. | 73 | Step Action | 74 | 13. Once authenticated you will be taken into the RESTRICTED folder. 14. Logout of your ShareFile account and completely close the browser. 15. Download some sample files from https://mhowell.sharefile.com/d/s121a13afbf34841b unzip the downloaded file and store on the student laptop. Step Action 16. From your student laptop, open a browser and go to the URL of your ShareFile account and login using the Client Login with the following credentials: URL: https://student-x.sharefile.com Email Address: [email protected] Password: citrix123 17. Navigate to the Shared Folder tab and open the RESTRICTED shared folder just created. 18. You will be prompted to authenticate to Active Directory. Enter the following: User Name: user1 Password: Citrix123 Click Log In. | 75 | Step Action | 76 | 19. Select Upload Files. 20. Select Choose Files or drag and drop files Step Action | 77 | 21. Navigate to the location where you stored the test documents. Select a couple of documents and click Open. 22. Click Upload Files. Step Action 23. This is what you should see when finished. 24. Click Log Out and close the browser. 25. From the student desktop VM you can view the file objects as they are added to the folder structure beneath \\SZC1\sharefiledata\persistentstorage\... 
When prompted for credentials use: Username: training\administrator Password: Citrix123 26. From the student desktop VM navigate to Start | Run and type mstsc. 27. Log in to the Win7 VM. Click Connect. | 78 | Step Action 28. Enter Citrix123 for the Password. Click OK. 29. From the Win7 VM desktop launch the Chrome – Outlook Web Access shortcut. Bullet This is a private computer. Password: Citrix123 Click Sign In | 79 | Step Action 30. Verify that an email was sent to [email protected] notifying that user that files were uploaded to the RESTRICTED shared folder. 31. You will also see the test e-mail sent when you initially configured the SMTP service on the StorageZones Controller server. 32. Close Outlook and close the Win7 RDP session. Exercise Summary In this exercise students learned how to configure a shared folder in ShareFile to use a customermanaged StorageZone. They uploaded some files to that folder and verified that the SMTP server configured in Exercise 2 is functioning properly. | 80 | Exercise 5 Configuring XenMobile Server Overview In this exercise students will learn how to configure the XenMobile Server as the IDP to allow for SAML Single Sign-On. Step by step guidance Estimated time to complete this lab: 15 minutes. Section 1: Adding a ShareFile Users Delivery Group to XenMobile Server. Step | 81 | Action 1. From the student desktop VM open Google Chrome and navigate to https://192.168.10.50:4443 you will be prompted with a “Your connection is not private” message. 2. Click Advanced. Step Action 3. Click Proceed to 192.168.10.50 (unsafe). 4. Log on using the following credentials: Username: administrator Password: Citrix123 | 82 | Step | 83 | Action 5. Select the Configure tab. 6. Select Delivery Groups and click Add. Step | 84 | Action 7. Enter a Name: ShareFile Users and Description (optional). 8. sClick Next. 9. Type the word ShareFile into the Include User Groups field and click Search. Step | 85 | Action 10. 
Check the box next to the training.lab\ShareFile Users security group. 11. Click Next. 12. Don’t make any changes. Click Next. Step | 86 | Action 13. Don’t make any changes. Click Next. 14. Don’t make any changes. Click Next. Step Action 15. Click Save. 16. This is what you will see when finished. In section 1 you added a ShareFile user’s Delivery Group to the XenMobile Server. This is important for user provisioning because using the default ‘All Users’ group would allow provisioning of all users into your ShareFile account which is typically not what customers want to do. In this lab there are 2 users in the ShareFile Users security group, user1 and user2. | 87 | Section 2: Configuring ShareFile integration. Step | 88 | Action 1. Select the Configure tab and select Settings and More. 2. Under the ShareFile section, select ShareFile. Step Action 3. | 89 | 4. Enter the Domain which is the test ShareFile account assigned to you. 5. Check the box next to the ShareFile Users Delivery Group. 6. UUse the following credentials for the ShareFile Administrator Account Login: s User name: [email protected] Password: citrix123 7. Click Save. Step | 90 | Action 8. This is what you will see when Save is complete. 9. Click Sync. Step 10. | 91 | Action Click OK Step Action 11. Click Cancel. 12. This completes this exercise. Keep this window open. This section configures the ShareFile communications from the XenMobile Server to the ShareFile account. In your lab you will be assigned a student account (student-x.sharefile.com), this will be the account information entered above. This configuration is used for 2 things in ShareFile, account provisioning and SAML communications. | 92 | Section 3: Configuring XenMobile Server to Communicate with NetScaler Step | 93 | Action 1. Select the Configure tab and select Settings and More. 2. Select NetScaler Gateway. 3. Click the Add button. Step Action 4. Enter a Name: NS01 5. Enter an Alias: NetScaler_Gateway 6. 
The External URL is the IP2 FQDN provided when the lab was provisioned. Enter the External URL in the form https://<IP2 FQDN> (for example https://75-126-165-68.mycitrixtraining.net).
7. Select the Set as Default switch.
8. Click Save.
9. The gateway is now listed. Authentication should have switched to On; if it did not, switch it to On.
10. Click Save.
11. Click OK.
12. Click Log Out.
13. Close the browser.
Exercise Summary
In this exercise students integrated the XenMobile Server with ShareFile and NetScaler, making the configurations necessary for it to serve as the IdP for ShareFile SAML Single Sign-On. Key takeaways include:
Configuring a Delivery Group that limits the overall Active Directory environment to the specific set of users who are meant to use ShareFile.
Integrating the ShareFile account with the XenMobile Server, which adds SSO configuration specific to the XenMobile Server to ShareFile Enterprise.
Configuring the NetScaler Gateway entry that allows the XenMobile Server to communicate with NetScaler.
Exercise 6: Configuring ShareFile Account for SAML SSO
Overview
In this exercise students will learn how to configure the ShareFile account for SAML SSO using the XenMobile Server as the IdP.
Step by step guidance
Estimated time to complete this lab: 5 minutes.
Section 1: Configuring ShareFile Account for SAML SSO
1. From your Student Laptop open a browser and navigate to your ShareFile training account (student-x.sharefile.com). Log in to the Client Login with the following credentials:
Email Address: [email protected]
Password: citrix123
2. Navigate to Admin | Configure Single Sign-On.
3. The Single Sign-On configuration page opens.
4.
Change the Login URL to the following:
https://<IP2 FQDN>/cginfra/https/xms.training.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true
Do not try to cut and paste this expression; it will not work. Manually type the information into the Login URL field. Make sure the Login URL in ShareFile matches this exactly, including the query string; if it does not, SAML SSO will NOT work. The /cginfra/https/xms.training.lab:8443/ portion tells the NetScaler Gateway which back-end server to forward the request to (the XenMobile Server’s SAML endpoint on port 8443), which is why both the gateway FQDN and the XenMobile Server name appear in one URL.
5. Check the Enable Web Authentication box.
6. Change the SP-Initiated Auth Context to Username and Password.
7. Click Save.
8. Log out of ShareFile.
Exercise Summary
In this final configuration exercise students finished the SAML SSO configuration by entering the Login URL that ShareFile will use when redirecting login requests to the IdP, and by changing the authentication model to forms-based, with Username and Password as the authentication context.
Exercise 7: Testing the Solution – (Optional)
Overview
In this exercise students will test the solution that they have just built. Testing is limited to using the browser to log in to ShareFile using SAML as instructed.
Step by step guidance
Estimated time to complete this lab: 5 minutes.
Section 1: Testing SAML via a Browser
1. From your Student Laptop open a browser and navigate to your ShareFile training account (student-x.sharefile.com). Log in to the Employee Login by clicking the LogIn button.
2. You will be redirected to a NetScaler Gateway authentication page.
3. Enter the credentials:
Username: user1
Password: Citrix123
Click Log On.
4. You will be logged in to ShareFile with a Welcome message; click Close Tour.
5. Navigate to Shared Folders.
6. Open the Restricted folder.
7. Enter the AD credentials for user1 and click Log In.
User Name: user1
Password: Citrix123
8.
When you enter the domain credentials to get into the Restricted StorageZone folder, you are authenticating to the StorageZone Proxy Service, which in turn decrypts the file metadata so that you can see and understand the file names inside the folder. The file names in a Restricted StorageZone are therefore only readable after this second, datacenter-side authentication, independent of the ShareFile logon itself.
9. The Restricted folder will open.
This concludes the lab. To quickly recap what you have done:
First you used the Setup ShareFile for NetScaler wizard to configure NetScaler to provide HA and secure communications to the ShareFile StorageZones Controller server. You then configured the NetScaler to allow for Restricted StorageZones. Next you configured NetScaler Gateway with the information needed to allow SAML authentication to the XenMobile Server.
In Exercise 2 you configured the StorageZones Controller server for a customer-managed Restricted StorageZone and configured an SMTP server for Restricted StorageZone e-mails.
In Exercise 3 you configured the ShareFile User Management Tool (UMT), which is primarily used by enterprise customers for ShareFile account provisioning from Active Directory.
In Exercise 4 you configured the ShareFile account with a shared folder that uses the customer-managed Restricted StorageZone and uploaded files to that shared folder.
In Exercise 5 you configured the XenMobile Server with a Delivery Group specific to ShareFile, configured the integration to the ShareFile account using that Delivery Group, and finally integrated the NetScaler Gateway with the XenMobile Server.
Finally, in Exercise 6 you entered the final pieces of information into the ‘Configure Single Sign-On’ section of the ShareFile web application to complete the solution.
What you have accomplished is building the most secure ShareFile Enterprise deployment pattern.
Users will be authenticated to ShareFile using their Active Directory credentials, so there is no need for additional usernames and passwords, and authentication happens in the customer datacenter rather than in the cloud. Additionally, all ShareFile traffic destined for the customer-managed Restricted StorageZone is intercepted and authenticated in the DMZ by the NetScaler, allowing only valid, authenticated traffic into the datacenter, thus achieving all of the CEO and CTO requirements defined in the opening scenario.
Revision: 1.0
Change Description: Original Version
Updated By: Mark Howell
Date: May 2015
About Citrix
Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, securely accessing apps and data on any of the latest devices, as easily as they would in their own office. Citrix solutions help IT and service providers build clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 330,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.
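Returning to the Login URL from Exercise 6: the guide requires it to match the expected form exactly and warns against pasting it, which makes a typo the most likely reason SAML SSO fails in Exercise 7. The following is an added example, not part of the Citrix lab guide: a small Python helper that builds the expected Login URL for a given NetScaler Gateway FQDN and compares a typed URL against it component by component (scheme, gateway host, cginfra back-end, SAML path, query parameters), reporting what differs instead of a bare yes/no. The gateway FQDN in the demo is the guide's own example value; the mistyped URL is constructed here for illustration.

```python
"""Check the ShareFile SAML Login URL from Exercise 6 before saving it.

Added example, not part of the Citrix lab guide. The gateway FQDN used in the
demo is the guide's own example value; the mistyped URL is constructed here.
"""
from urllib.parse import urlsplit, parse_qs

# Fixed parts of the Login URL from Exercise 6: the XenMobile Server SAML
# endpoint, reached through the NetScaler Gateway "/cginfra/" path.
XMS_BACKEND = "xms.training.lab:8443"
SAML_PATH = "/samlsp/websso.do"
REQUIRED_QUERY = {
    "action": "authenticateUser",
    "app": "ShareFile_SAML",
    "reqtype": "1",
    "nssso": "true",
}


def expected_login_url(gateway_fqdn):
    """Return the exact Login URL the guide expects for this gateway FQDN."""
    query = "&".join(f"{k}={v}" for k, v in REQUIRED_QUERY.items())
    return f"https://{gateway_fqdn}/cginfra/https/{XMS_BACKEND}{SAML_PATH}?{query}"


def check_login_url(entered, gateway_fqdn):
    """Compare a typed Login URL with the expected one, part by part.

    Returns a list of human-readable mismatches; an empty list means the URL
    matches exactly, which is what the guide requires for SAML SSO to work.
    """
    problems = []
    parts = urlsplit(entered.strip())
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    # DNS names are case-insensitive, so compare the gateway host that way.
    if parts.netloc.lower() != gateway_fqdn.lower():
        problems.append(f"host is {parts.netloc!r}, expected {gateway_fqdn!r}")
    # The cginfra path carries the back-end scheme, host:port and path.
    prefix = "/cginfra/https/"
    if not parts.path.startswith(prefix):
        problems.append(f"path {parts.path!r} does not start with {prefix!r}")
    else:
        backend, _, rest = parts.path[len(prefix):].partition("/")
        if backend != XMS_BACKEND:
            problems.append(f"back-end is {backend!r}, expected {XMS_BACKEND!r}")
        if "/" + rest != SAML_PATH:
            problems.append(f"back-end path is {'/' + rest!r}, expected {SAML_PATH!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    for key, value in REQUIRED_QUERY.items():
        if query.get(key) != [value]:
            problems.append(f"query parameter {key!r} is {query.get(key)}, expected [{value!r}]")
    extra = sorted(set(query) - set(REQUIRED_QUERY))
    if extra:
        problems.append(f"unexpected query parameters: {extra}")
    if parts.fragment:
        problems.append(f"unexpected fragment {parts.fragment!r}")
    return problems


if __name__ == "__main__":
    gateway = "75-126-165-68.mycitrixtraining.net"  # example FQDN from the guide
    good = expected_login_url(gateway)
    # Constructed mistake: the "reqtype" parameter name split by a stray space,
    # the kind of error the guide warns about when the URL is typed by hand.
    typo = good.replace("reqtype=1", "reqtyp e=1")
    for url in (good, typo):
        print(url)
        for line in check_login_url(url, gateway) or ["OK: matches exactly"]:
            print("  ", line)
```

Run it with your own gateway FQDN substituted for the example value and paste the URL you intend to type into the check before saving it in ShareFile; any reported mismatch is a reason SAML SSO would fail at the redirect in Exercise 7.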
© Copyright 2024