ShareFile StorageZones

ShareFile Technical Overview
<presenter name>
<presentation month/year>
Agenda
• Introduction to ShareFile Enterprise
• High-Level Architecture
• Availability and Redundancy
• StorageZones
• Security
• Authentication
• Follow-me-data with Citrix CloudGateway & Receiver
• Wrap-up
ShareFile Introduction
• Enables file sharing with anyone
• Syncs data across all devices
• Online file sharing spaces for virtual teams
• Selective offline access on mobile devices
• Data protection
ᵒ Encryption
ᵒ Device lock
ᵒ Remote wipe
ᵒ Poison-pill
Why ShareFile?
• Enable workforce mobility & BYOD
• Address the “Dropbox-Problem”
• Simple and secure data sharing
ᵒ Fellow employees
ᵒ Team collaboration
ᵒ Clients, 3rd party collaboration
• Enhanced productivity
Broad Device, Workflow and Protocol Support
[Diagram: Mobile Apps (iPhone, Android, BlackBerry, Windows 7 Phone, iPad, Android Tablet); Mobile Site; Desktop Apps (Outlook Plug-in, Browser, Mac OS Sync, Windows Sync); Automation (Command Line Interface*); Alternative Protocol (Cloud SZ)]
ShareFile High-level Architecture
ShareFile – with Citrix managed StorageZones
[Diagram: Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB): account info, brokering, reporting, access control. Client ↔ StorageZones: Storage Centers (EC2), backend storage (S3), various locations worldwide.]
ShareFile – Current Architecture
With Citrix managed StorageZones
[Diagram: ShareFile Control Plane in a DMZ: load-balanced webservers (“main app”) and API webservers holding no client files, only file metadata and account data; SQL cluster with replication to a DR datacenter; TLS/SSL in transit, AES-256 encryption at rest.]
[Diagram: ShareFile StorageZones: FTP servers (FTP/FTPS); utility servers for anti-virus & thumbnailing, full text index and backup; Storage Centers on EC2 with an Elastic Block Storage (EBS) cache for file processing, committing files to S3 (99.99% availability, 99.999999999% durability); TLS/SSL in transit, AES-256 encryption at rest; encrypted backup to a 3rd-party datacenter.]
ShareFile StorageZones - Download
[Diagram: Client downloads over TLS/SSL (or FTP/FTPS via the FTP servers) from Storage Centers on EC2, backed by Elastic Block Storage (EBS) and S3 with AES-256 encryption.]
Availability and Redundancy
Availability Information
• Real-time backup to Citrix data center
• Automatic failover (if necessary)
• Lazy file deletion to support file recovery
ShareFile StorageZones
• Now available for all ShareFile Enterprise accounts
• Store files in customer-managed StorageZones, in Citrix-managed StorageZones or both
• Technology proven in the Cloud
• Seamless user experience
Why StorageZones?
• Compliance: meet unique compliance and data sovereignty requirements by storing data On-Prem
• Performance: optimize end user performance by placing files and folders in close proximity
ShareFile - Citrix managed StorageZones
[Diagram: Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB): account info, brokering, reporting, access control. Client ↔ StorageZones: Storage Centers (EC2), backend storage (S3), various locations worldwide.]
Citrix managed and On-Prem StorageZones
[Diagram: Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB): account info, brokering, reporting, access control. Client ↔ StorageZones: Storage Center (Windows IIS) in the customer datacenter backed by CIFS, and Storage Center (EC2) backed by S3. Backend storage lives in the customer datacenter(s), or hybrid with cloud.]
[Diagram: Control Plane brokering between Citrix managed StorageZones and customer managed StorageZones.]
ShareFile European Control Plane
• https://<subdomain>.sharefile.eu
• Enterprise Accounts available in Q4
• High Performance
• User Proximity
• Government Compliance
• In Citrix Online datacenter in Germany
Using StorageZones
• StorageZones can be set on
ᵒ User-level
ᵒ Root Folder-level
On-Prem Deployment Models
Proof of Concept Deployment
[Diagram: Client → https → Public Internet IP → Firewall (10.0.0.1) → https → Storage Center (10.0.0.20)]
HA Deployment
[Diagram: Client → https → Public Internet IP 1 and Public Internet IP 2 → Firewall (10.0.0.1) → https → two Storage Centers (10.0.0.20, 10.0.0.21) sharing one Storage backend]
Secure DMZ Deployment
[Diagram: Client → https → Public Internet IP → outer Firewall (10.0.0.1) → https → DMZ → inner Firewall → http or https → two Storage Centers (10.0.0.20, 10.0.0.21) sharing one Storage backend]
StorageZones Setup
On-premise StorageZones Requirements
• Windows 2008 Server R2
• IIS Web Services role with ASP.NET
• Microsoft .NET 4.0
• A publicly resolvable internet hostname
• An SSL certificate for the above
ᵒ Public, Windows-accepted Certificate Authority
ᵒ Self-signed or unsigned certificates are not supported
IIS Configuration
• Install SSL certificate and bind certificate to https port 443
ᵒ Not needed when using DMZ proxy
• ISAPI and CGI Restrictions
ᵒ ASP.NET v4.0.x needs to be set to “Allowed”
Storage Center Installation
Storage Center Configuration
Shared Storage Configuration
• CIFS Share Access
• Storage Centers will access the Share using the StorageCenterAppPool user
• Application Pools → StorageCenterAppPool → Advanced Setting → Identity
• Additional permission settings documented in eDocs
Troubleshooting StorageZones
Basic Troubleshooting
• Ensure you type <external address> without port or https & check for typos on the Configuration Page
• Ensure the account is an Enterprise account with StorageZones enabled
• Make sure the user account has StorageZones admin permissions
• Check if the Storage Center URL is accessible from outside
• Check the file share for creation of directories
• Check if SCKeys.txt is created in the root of the file share
• Logs!
ShareFile Security
Security Information
• SSAE 16 audited data centers
• SSL Encryption in transit
• AES 256-bit encryption at rest
• All uploaded files scanned for viruses
• Daily scans for McAfee SECURE accreditation
• All ShareFile servers protected by dedicated firewalls
Standard Download Security
[Diagram: Client, Main App/API servers (Control Plane, DB) and Storage Center (StorageZones, Storage); Control Plane and Storage Center share a Shared Secret (trust)]
1 Client requests a file
2 Prepare message sent to Storage Center
3 HMAC is validated
4 Storage Center confirms validity
5 Client receives download URL with HMAC
6 Client requests download
7 HMAC is validated
8 Storage Center gets file from storage
9 Download starts
Trust & Encryption – On-Premise StorageZones
[Diagram: Control Plane (*.sharefile.com, *.sf-api.com, DB) ↔ Storage Center ↔ Storage, with a Shared Secret (trust) between Control Plane and Storage Center]
• Shared Key created when StorageZone is created
• Storage encryption key created when StorageZone is created
• Encryption Key is encrypted by Passphrase when Storage Center is configured
Download Security with On-Prem StorageZones
• Security Best Practice
ᵒ Connections with bad requests will not enter the internal network
• Documented in admin guide on eDocs
• NetScaler can handle incoming HMACs
[Diagram: Client → NetScaler (DMZ) → Storage Center (StorageZone)]
1 NetScaler strips HMAC from URI
2 NetScaler sends URI & HMAC to Storage Center
3 HMAC is validated by Storage Center
4 Storage Center sends confirmation to NS
5 Process completes
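The two HMAC checks above (the Storage Center validating the HMAC on a download URL, and the NetScaler flow that strips the HMAC from the URI and forwards URI and HMAC separately) as an added Python example; this is not ShareFile's or Citrix's code, and the URL path, parameter names, expiry field, SHA-256 and the secret value are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret standing in for the per-StorageZone shared key that the
# control plane and the Storage Center establish when the zone is created.
SHARED_SECRET = b"constructed-shared-secret-for-demo"

def _message(path: str, params: dict) -> bytes:
    """Canonical string the HMAC covers: path plus every parameter except the HMAC."""
    items = sorted((k, v) for k, v in params.items() if k != "h")
    return (path + "?" + urlencode(items)).encode()

def _params(query: str) -> dict:
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def sign_download_url(base: str, file_id: str, ttl: int, now: int) -> str:
    """Control-plane side: issue a download URL carrying an expiry and an HMAC
    (assumed path and parameter names)."""
    path = "/download.ashx"
    params = {"id": file_id, "expires": str(now + ttl)}
    params["h"] = hmac.new(SHARED_SECRET, _message(path, params), hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode(params)}"

def strip_hmac(url: str) -> tuple:
    """Proxy side (the NetScaler step on the page): separate the HMAC from the URI."""
    parts = urlsplit(url)
    params = _params(parts.query)
    presented = params.pop("h", "")
    return parts.path + "?" + urlencode(params), presented

def validate_uri_and_hmac(uri: str, presented: str, now: int) -> tuple:
    """Storage-Center side: recompute the HMAC over the HMAC-less URI, compare in
    constant time, then enforce the expiry; a failure is rejected before storage is touched."""
    parts = urlsplit(uri)
    params = _params(parts.query)
    expected = hmac.new(SHARED_SECRET, _message(parts.path, params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return False, "bad hmac"
    expires = params.get("expires", "")
    if not expires.isdigit() or now > int(expires):
        return False, "expired"
    return True, "ok"

def validate_download_url(url: str, now: int) -> tuple:
    """Whole-URL check, as when the Storage Center is reached directly (no proxy)."""
    uri, presented = strip_hmac(url)
    return validate_uri_and_hmac(uri, presented, now)
```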
ShareFile Authentication
ShareFile Authentication Options
• Built-in Authentication
ᵒ Uses combination of email address and password
ᵒ Passwords are stored hashed in database
• SAML Support
ᵒ Broad Identity Provider Support, including ADFS
• CloudGateway
ᵒ Offers user provisioning functionality
ᵒ Receiver integration
ᵒ Recommended, especially for existing Citrix customers
Enterprise Active Directory Options
SAML 2.0 Support
• Requires customer provided and configured SAML provider
• Unified storefront for all applications, data and services
• Microsoft ADFS Support
• Instant user provisioning and deprovisioning
• Also supports popular Identity Providers such as:
ᵒ OneLogin
ᵒ CA SiteMinder
ᵒ PingIdentity PingFederate
ᵒ SalesForce
• Fully integrated with Receiver
• Real-time SaaS application monitoring
• Comprehensive access control policies
SAML Authentication
• User account is still required in ShareFile
ᵒ Folder Access Control
ᵒ Licensing
• Users will be matched by email address
• Identity Provider password will never be sent to the Control Plane
• Password reset can be disabled
• Requires tools to be ‘SAML-aware’
ᵒ ShareFile web site and iPad app are today, with other tool support coming
SAML
How it works
[Diagram: Client (user agent), Service Provider (sharefile.com) and Identity Provider (e.g. CloudGateway, ADFS)]
1 Client requests ShareFile SSO login URL
2 Client discovers identity provider
3 Client redirected to identity provider
4 Client requests identity provider URL
5 Identity Provider identifies the user
6 User is authenticated and is redirected to Assertion Consumer Service URL with SAML response
7 User agent requests ACS URL
8 ACS validates SAML response and redirects user agent to ShareFile URL
9 User agent requests ShareFile URL
User has access
ShareFile Account Creation
• User creation can be done manually
ᵒ One-by-one
ᵒ Import from Excel spreadsheet
• User is provisioned through CloudGateway
• User Management Tool
User Management Tool
• Creates ShareFile user accounts and distribution lists based on AD users and groups
• Option to notify users of account creation
• Ability to select default StorageZone for users
• Easy process for keeping AD and SF in sync
Citrix CloudGateway & Receiver
Follow-me-data
[Diagram: PC, Mac, Smartphone, Tablet and Thin Client reaching Access Gateway services, StoreFront™ services and Content Controllers]
Technology Preview
ShareFile StorageZone Connectors
ShareFile StorageZone Connectors for Network Shares
[Diagram: ShareFile Personal Folder, ShareFile Team Folders and an Existing Network Share exposed through a StorageZone Connector]
#CitrixSynergy
Citrix Confidential - Do Not Distribute
Wrap Up
Citrix ShareFile
• Robust file-sharing technology designed for the Enterprise
• SaaS model with Cloud and On-premise options
• Secure
• AD Authentication options
• CloudGateway Integration available soon
Work better. Live better.