ShareFile Technical Overview
<presenter name>
<presentation month/year>

Agenda
• Introduction to ShareFile Enterprise
• High-Level Architecture
• Availability and Redundancy
• StorageZones
• Security
• Authentication
• Follow-me-data with Citrix CloudGateway & Receiver
• Wrap-up

ShareFile Introduction
• Enables file sharing with anyone
• Syncs data across all devices
• Online file sharing spaces for virtual teams
• Selective offline access on mobile devices
• Data protection
ᵒ Encryption
ᵒ Device lock
ᵒ Remote wipe
ᵒ Poison pill

Why ShareFile?
• Enable workforce mobility & BYOD
• Address the "Dropbox problem"
• Simple and secure data sharing
ᵒ Fellow employees
ᵒ Team collaboration
ᵒ Clients, 3rd-party collaboration
• Enhanced productivity

Broad Device, Workflow and Protocol Support
• Mobile apps: iPhone, iPad, Android, Android tablet, BlackBerry, Windows 7 Phone
• Mobile site
• Desktop apps: Outlook plug-in, browser, Mac OS Sync, Windows Sync
• Automation: Command Line Interface*, alternative protocol (Cloud StorageZones only)

ShareFile High-level Architecture
ShareFile – with Citrix managed StorageZones
(diagram: the client talks to the Control Plane (*.sharefile.com, *.sf-api.com: account info, brokering, reporting, access control, DB) and to the StorageZones, which consist of Storage Centers on EC2 and backend storage on S3 in various locations worldwide)

ShareFile – Current Architecture with Citrix managed StorageZones
(diagram: Control Plane = load-balanced DMZ webservers ("main app") and API webservers in front of a SQL cluster that holds file metadata and account data but no client files, with replication to a DR datacenter. StorageZones = FTP/FTPS servers, Storage Centers on EC2 with an EBS cache, utility servers (anti-virus & thumbnailing, full text index, backup), file processing, and S3 backend storage (99.99% availability, 99.999999999% durability) with encrypted backup to a 3rd-party datacenter. Client connections use TLS/SSL; EBS and S3 data at rest is AES-256 encrypted; Storage Centers commit files to S3.)

ShareFile StorageZones – Download
(diagram: download path from the client over TLS/SSL to a Storage Center (EC2, EBS cache) and from there to S3; data at rest AES-256 encrypted; FTP/FTPS servers alongside)

Availability and Redundancy
Availability Information
• Real-time backup to Citrix data center
• Automatic failover (if necessary)
• Lazy file deletion to support file recovery

ShareFile StorageZones
• Now available for all ShareFile Enterprise accounts
• Store files in customer-managed StorageZones, in Citrix-managed StorageZones, or both
• Technology proven in the cloud
• Seamless user experience

Why StorageZones?
• Compliance: meet unique compliance and data sovereignty requirements by storing data on-prem
• Performance: optimize end-user performance by placing files and folders in close proximity to the users

Citrix managed and On-Prem StorageZones
(diagram: the Control Plane (*.sharefile.com, *.sf-api.com: account info, brokering, reporting, access control, DB) brokers the client to either Citrix managed StorageZones (Storage Centers on EC2, backed by S3) or customer managed StorageZones (Storage Centers on Windows IIS in the customer datacenter(s), backed by CIFS storage); the two can be combined as a hybrid with the cloud)

ShareFile European Control Plane
• https://<subdomain>.sharefile.eu
• Enterprise accounts available in Q4
• High performance
• User proximity
• Government compliance
• Hosted in the Citrix Online datacenter in Germany

Using StorageZones
• StorageZones can be set at
ᵒ User level
ᵒ Root folder level

On-Prem Deployment Models
Proof of Concept Deployment
(diagram: public internet → https → firewall with public IP (10.0.0.1) → https → Storage Center 10.0.0.20 → storage)
HA Deployment
(diagram: two public IPs → https → firewall (10.0.0.1) → https → Storage Centers 10.0.0.20 and 10.0.0.21, both attached to the same storage)
Secure DMZ Deployment
(diagram: public internet → https → outer firewall with public IP → https into the DMZ → inner firewall (10.0.0.1) → http or https → Storage Centers 10.0.0.20 and 10.0.0.21 → storage; the Storage Centers are never exposed directly)

StorageZones Setup
On-premise StorageZones Requirements
• Windows Server 2008 R2
• IIS Web Server role with ASP.NET
• Microsoft .NET 4.0
• A publicly resolvable internet hostname
• An SSL certificate for that hostname
ᵒ From a public certificate authority that Windows accepts
ᵒ Self-signed or unsigned certificates are not supported

IIS Configuration
• Install the SSL certificate and bind it to https port 443
ᵒ Not needed when using a DMZ proxy (the hop from the proxy to the Storage Center is then http or https, as in the Secure DMZ deployment)
• ISAPI and CGI Restrictions
ᵒ ASP.NET v4.0.x needs to be set to "Allowed"

Storage Center Installation
Storage Center Configuration
Shared Storage Configuration
• CIFS share access
• Storage Centers access the share using the StorageCenterAppPool user
ᵒ Application Pools → StorageCenterAppPool → Advanced Settings → Identity
• Additional permission settings are documented in eDocs

Troubleshooting StorageZones
Basic Troubleshooting
• Ensure you enter <external address> without port or https, and check for typos on the Configuration page
• Ensure the account is an Enterprise account with StorageZones
• Make sure the user account has StorageZones admin permissions
• Check that the Storage Center URL is accessible from outside
• Check the file share for creation of directories
• Check that SCKeys.txt has been created in the root of the file share
• Logs!
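The troubleshooting checklist above as a preflight script. This is an added example, not a Citrix tool: it assumes the external address is entered as a bare hostname, that the Storage Center answers on 443 with a certificate from a publicly trusted CA (so a self-signed certificate fails the TLS check, as the requirements slide says it must), and that the CIFS share is reachable at a local path. The hostname, share path and the names of the functions are hypothetical.

```python
"""Preflight for an on-premise Storage Center, following the deck's troubleshooting list.

Added example, not a Citrix tool. Assumptions: the external address is a bare hostname
(no scheme, port or path); the Storage Center listens on 443 with a publicly trusted
certificate; the CIFS share is accessible at a local path. Names below are hypothetical.
"""
import os
import re
import socket
import ssl

# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing '-', at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def check_external_address(value):
    """Return (hostname, problems): rejects 'https://', ':443', trailing paths and bad labels."""
    problems = []
    v = value.strip()
    if "://" in v:
        problems.append("scheme present: enter the hostname only, without https://")
        v = v.split("://", 1)[1]
    if "/" in v:
        problems.append("path present: enter the hostname only")
        v = v.split("/", 1)[0]
    if ":" in v:
        problems.append("port present: the Storage Center is addressed on 443 implicitly")
        v = v.split(":", 1)[0]
    if "." not in v:
        problems.append("single label: not a publicly resolvable internet hostname")
    elif not HOSTNAME_RE.match(v):
        problems.append("not a valid DNS hostname (typo?)")
    return v.lower(), problems


def check_dns(hostname):
    """The Control Plane must resolve the name from outside; here we check it resolves at all."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443)}), None
    except socket.gaierror as e:
        return [], "does not resolve: %s" % e


def check_tls(hostname, timeout=5):
    """Full chain + hostname verification, exactly as a client would do it.
    A self-signed or untrusted certificate fails here, which is what the
    requirements slide means by 'not supported'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert().get("subject"), None
    except ssl.SSLCertVerificationError as e:
        return None, "certificate rejected: %s" % e.verify_message
    except (OSError, ssl.SSLError) as e:
        return None, "TLS connection failed: %s" % e


def check_share(share_path):
    """SCKeys.txt in the share root shows the Storage Center could write to the
    share under the StorageCenterAppPool identity."""
    if not os.path.isdir(share_path):
        return False, "share path not accessible"
    if not os.path.isfile(os.path.join(share_path, "SCKeys.txt")):
        return False, "SCKeys.txt missing: check app pool identity and share permissions"
    return True, "ok"


if __name__ == "__main__":
    import sys
    host, problems = check_external_address(sys.argv[1] if len(sys.argv) > 1 else "sz.example.com")
    for p in problems:
        print("address:", p)
    addrs, err = check_dns(host)
    print("dns:", err or addrs)
    subject, err = check_tls(host)
    print("tls:", err or subject)
    # hypothetical UNC path of the CIFS share
    print("share:", check_share(sys.argv[2] if len(sys.argv) > 2 else r"\\fileserver\sharefile"))
```

Run it from outside the network (or from a host that sees the public IP) so that the DNS and TLS checks exercise the same path the Control Plane uses; the address and share checks are local.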
ShareFile Security
Security Information
• SSAE 16 audited data centers
• SSL encryption in transit
• AES 256-bit encryption at rest
• All uploaded files scanned for viruses
• Daily scans for McAfee SECURE accreditation
• All ShareFile servers protected by dedicated firewalls

Standard Download Security
(diagram: Client; Main App/API servers and DB in the Control Plane; Storage Center and storage in the StorageZone; a shared secret between Control Plane and Storage Center establishes the trust)
1 Client requests a file
2 Control Plane sends a prepare message to the Storage Center
3 HMAC is validated
4 Storage Center confirms validity
5 Client receives a download URL carrying an HMAC
6 Client requests the download from the Storage Center
7 HMAC is validated
8 Storage Center gets the file from storage
9 Download starts

Trust & Encryption – On-Premise StorageZones
(diagram: Storage Center and DB in the StorageZone, *.sf-api.com and *.sharefile.com in the Control Plane, storage behind the Storage Center)
• Shared key (trust) between Control Plane and Storage Center, created when the StorageZone is created
• Storage encryption key, also created when the StorageZone is created
• The encryption key is encrypted by a passphrase when the Storage Center is configured

Download Security with On-Prem StorageZones
• Security best practice, documented in the admin guide on eDocs
• NetScaler can handle incoming HMACs
ᵒ Connections with bad requests will not enter the internal network
(diagram: Client → NetScaler in the DMZ → Storage Center in the StorageZone)
1 NetScaler strips the HMAC from the URI
2 NetScaler sends the URI & HMAC to the Storage Center
3 HMAC is validated by the Storage Center
4 Storage Center sends confirmation to NetScaler
5 Process completes

ShareFile Authentication
ShareFile Authentication Options
• Built-in authentication
ᵒ Uses a combination of email address and password
ᵒ Passwords are stored hashed in the database
• SAML support
ᵒ Broad Identity Provider support, including ADFS
• CloudGateway
ᵒ Offers user provisioning functionality
ᵒ Receiver integration
ᵒ Recommended, especially for existing Citrix customers

Enterprise Active Directory Options
SAML 2.0 Support
• Requires a customer-provided and configured SAML provider
• Microsoft ADFS support
• Also supports popular Identity Providers such as:
ᵒ OneLogin
ᵒ CA SiteMinder
ᵒ PingIdentity PingFederate
ᵒ SalesForce
CloudGateway
• Unified storefront for all applications, data and services
• Instant user provisioning and deprovisioning
• Fully integrated with Receiver
• Real-time SaaS application monitoring
• Comprehensive access control policies

SAML Authentication
• A user account is still required in ShareFile
ᵒ Folder access control
ᵒ Licensing
• Users are matched by email address
• The Identity Provider password is never sent to the Control Plane
• Password reset can be disabled
• Requires tools to be "SAML-aware"
ᵒ The ShareFile web site and iPad app are today, with support in other tools coming

SAML – How it works
(diagram: Client / user agent, Service Provider (sharefile.com), Identity Provider (e.g. CloudGateway, ADFS))
1 Client requests the ShareFile SSO login URL
2 Client discovers the identity provider
3 Client is redirected to the identity provider
4 Client requests the identity provider URL
5 Identity Provider identifies the user
6 User is authenticated and redirected to the Assertion Consumer Service URL with the SAML response
7 User agent requests the ACS URL
8 ACS validates the SAML response and redirects the user agent to the ShareFile URL
9 User agent requests the ShareFile URL; user has access

ShareFile Account Creation
• User creation can be done manually
ᵒ One by one
ᵒ Import from an Excel spreadsheet
• Users are provisioned through CloudGateway
• User Management Tool

User Management Tool
• Creates ShareFile user accounts and distribution lists based on AD users and groups
• Option to notify users of account creation
• Ability to select the default StorageZone for users
• Easy process for keeping AD and ShareFile in sync

Citrix CloudGateway & Receiver
Follow-me-data
(diagram: PC, Mac, smartphone, tablet and thin client → Access Gateway services → StoreFront™ services → Content Controllers)

Technology Preview: ShareFile StorageZone Connectors
ShareFile StorageZone Connectors for Network Shares
(diagram: ShareFile personal folder and team folders shown alongside an existing network share exposed through a connector)
#CitrixSynergy Citrix Confidential - Do Not Distribute

Wrap Up
Citrix ShareFile
• Robust file-sharing technology designed for the enterprise
• SaaS model with cloud and on-premise options
• Secure
• AD authentication options
• CloudGateway integration available soon

Work better. Live better.
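The HMAC exchange from the Standard Download Security and Download Security with On-Prem StorageZones slides, as an added worked example. This is not ShareFile code: it assumes the per-zone shared secret is a random key held by both the Control Plane and the Storage Center, that the HMAC covers the request path plus every query parameter except the HMAC itself, and that an expiry timestamp is part of the signed URL. The parameter names (id, exp, h), path and host are hypothetical.

```python
"""Signed download URLs between a control plane and a Storage Center.

Added example (not ShareFile code). Assumptions: the shared secret is a per-zone
random key known to both sides; the HMAC covers the path plus all query parameters
except the HMAC itself; 'exp' is a Unix timestamp. Parameter names are hypothetical.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIG_PARAM = "h"  # hypothetical name of the HMAC query parameter


def canonical_string(path, params):
    """Deterministic string to sign: path plus sorted query, minus the signature."""
    items = sorted((k, v) for k, v in params if k != SIG_PARAM)
    return path + "?" + urlencode(items)


def sign(secret, path, params):
    return hmac.new(secret, canonical_string(path, params).encode(), hashlib.sha256).hexdigest()


def issue_download_url(secret, base, file_id, ttl_seconds, now):
    """Control plane side (step 5): broker the download and hand the client a URL
    that only the Storage Center holding the same shared secret will accept."""
    path = "/download"
    params = [("id", file_id), ("exp", str(now + ttl_seconds))]
    params.append((SIG_PARAM, sign(secret, path, params)))
    return base.rstrip("/") + path + "?" + urlencode(params)


def split_signature(url):
    """Edge side (DMZ step 1): separate the HMAC from the URI it is to be checked against."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sig = next((v for k, v in params if k == SIG_PARAM), None)
    return parts.path, [(k, v) for k, v in params if k != SIG_PARAM], sig


def validate(secret, path, params, sig, now):
    """Storage Center side (step 7 / DMZ step 3): return (ok, reason_or_file_id).
    Only a request that passes here goes on to touch the file share."""
    if not sig:
        return False, "missing signature"
    expected = sign(secret, path, params)
    if not hmac.compare_digest(expected, sig):  # constant-time; sig is attacker-controlled
        return False, "bad signature"
    q = dict(params)
    # exp is inside the signed data, so it is checked only after the HMAC holds
    if not q.get("exp", "").isdigit() or int(q["exp"]) < now:
        return False, "expired"
    return True, q["id"]


def validate_url(secret, url, now):
    """Convenience for the non-proxied case: the Storage Center checks the whole URL."""
    path, params, sig = split_signature(url)
    return validate(secret, path, params, sig, now)


if __name__ == "__main__":
    zone_secret = b"per-zone-shared-secret"       # constructed; real one is random
    url = issue_download_url(zone_secret, "https://sz.example.com", "fi-123", 300, 1_000_000)
    print(url)
    print(validate_url(zone_secret, url, 1_000_100))                           # (True, 'fi-123')
    print(validate_url(zone_secret, url.replace("fi-123", "fi-999"), 1_000_100))  # tampered id
    print(validate_url(zone_secret, url, 1_000_301))                           # past exp
```

Because the file id and expiry are both under the HMAC, a client can neither point the URL at another file nor extend its lifetime, and the edge-proxy split (`split_signature` plus `validate`) is what lets a NetScaler in the DMZ reject bad requests before they reach the internal network. A short TTL limits what a leaked URL is worth; stopping reuse of a valid URL within its TTL would additionally need server-side bookkeeping, which this example does not do.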
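Step 8 of the SAML flow ("ACS validates SAML response") as an added worked example. This is not ShareFile code and shows only the checks after the XML signature has been verified against the IdP certificate with an XML-DSig library (that step is assumed, not shown): status, destination, InResponseTo (replay), validity window with clock skew, audience, subject confirmation, and then matching the NameID email to an existing ShareFile account, since the deck says an account is still required and users are matched by email. The SP entity ID, ACS URL, user table and the sample response are constructed for the example.

```python
"""ACS-side checks on a SAML 2.0 Response (step 8 of the SAML flow).

Added example, not ShareFile code. Assumes the XML signature has already been
verified against the IdP certificate with an XML-DSig library (not shown).
Entity ID, ACS URL, the user table and the response are constructed here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://acme.sharefile.example/saml/metadata"  # hypothetical SP entity ID
ACS_URL = "https://acme.sharefile.example/saml/acs"            # hypothetical ACS URL
CLOCK_SKEW = timedelta(minutes=3)
# Constructed user table: a ShareFile account must still exist; matching is by email.
USERS = {"alice@acme.example": {"id": 17, "zone": "on-prem-de"}}


def _ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text, outstanding_ids, now):
    """Return (user, reason). outstanding_ids holds AuthnRequest IDs this SP issued;
    a consumed ID is removed, so replaying the same Response fails."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "status not Success"
    if root.get("Destination") != ACS_URL:
        return None, "destination mismatch"
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_ids:
        return None, "unsolicited or replayed response"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no plaintext assertion"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "missing validity window"
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")) or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        return None, "assertion outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None, "audience mismatch"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id:
        return None, "subject confirmation not for this ACS/request"
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        return None, "subject confirmation expired"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip().lower() if name_id is not None else ""
    user = USERS.get(email)
    if user is None:
        return None, "no ShareFile account for " + email
    outstanding_ids.discard(req_id)  # one-shot: the request ID cannot be reused
    return user, "ok"


# Constructed sample Response (signature element omitted; see module docstring).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
  Destination="https://acme.sharefile.example/saml/acs" IssueInstant="2012-10-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://adfs.acme.example/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2012-10-01T12:00:00Z" Version="2.0">
    <saml:Issuer>https://adfs.acme.example/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2012-10-01T12:05:00Z"
          Recipient="https://acme.sharefile.example/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-10-01T11:59:00Z" NotOnOrAfter="2012-10-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://acme.sharefile.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2012, 10, 1, 12, 1, 0, tzinfo=timezone.utc)


def demo():
    """Happy path, then replay, late delivery and a response meant for another SP."""
    ids = {"_req42"}
    user, ok = consume_response(SAMPLE_RESPONSE, ids, SAMPLE_NOW)
    replay = consume_response(SAMPLE_RESPONSE, ids, SAMPLE_NOW)[1]
    late = consume_response(SAMPLE_RESPONSE, {"_req42"}, SAMPLE_NOW + timedelta(minutes=10))[1]
    other_sp = consume_response(SAMPLE_RESPONSE.replace("/saml/metadata", "/saml/other"), {"_req42"}, SAMPLE_NOW)[1]
    return {"user": user, "ok": ok, "replay": replay, "late": late, "other_sp": other_sp}


if __name__ == "__main__":
    print(demo())
```

The order matters: a response is only trusted after its signature holds, and the request-ID bookkeeping is what turns a stolen but valid response into a one-time token. Note that nothing here ever sees the IdP password, which is the property the SAML Authentication slide calls out.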