Citrix Day 2012: ShareFile
Page 1: Citrix Day 2012: ShareFile

Citrix Systems International GmbH

ShareFile Enterprise

Roger Bösch

Page 2: Citrix Day 2012: ShareFile

ShareFile Introduction

Page 3: Citrix Day 2012: ShareFile

Sync · Share · Store

• Enables file sharing with anyone
• Syncs data across all devices
• Online file sharing spaces for virtual teams
• Selective offline access on mobile devices
• Data protection
  ᵒ Encryption
  ᵒ Device lock
  ᵒ Remote wipe
  ᵒ Poison-pill

Page 4: Citrix Day 2012: ShareFile

Why ShareFile?

• Enable workforce mobility & BYOD
• Address the “Dropbox-Problem”
• Simple and secure data sharing
  ᵒ Fellow employees
  ᵒ Team collaboration
  ᵒ Clients, 3rd party collaboration
• Enhanced productivity

Page 5: Citrix Day 2012: ShareFile

Broad Device, Workflow and Protocol Support

Mobile Apps: Mobile Site, iPhone, Android, BlackBerry, Windows 7 Phone, iPad, Android Tablet

Desktop Apps: Outlook Plug-in, Desktop Sync, Desktop Widget, Enterprise Sync

Alternative Protocol / Automation: Command Line Interface, Drive Mapping

Page 6: Citrix Day 2012: ShareFile

ShareFile High-level Architecture

Page 7: Citrix Day 2012: ShareFile

ShareFile – with Citrix managed StorageZones

Diagram: Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB) ↔ StorageZones (Storage Center on EC2, S3)

Control Plane
• Account info
• Brokering
• Reporting
• Access Control

StorageZones
• Storage Centers
• Backend Storage
• Various Locations WW

Page 8: Citrix Day 2012: ShareFile

ShareFile – Current Architecture (with Citrix managed StorageZones)

Page 9: Citrix Day 2012: ShareFile

ShareFile Control Plane

Diagram: Client → TLS/SSL → Load balancing → Webservers “main app” and API Webservers (in the DMZ, no client files) → Load balancing → SQL Cluster (File Metadata, Account Data; AES-256 Encryption) → Replication to DR Datacenter

Page 10: Citrix Day 2012: ShareFile

ShareFile StorageZones

Diagram: Client → TLS/SSL → Storage Centers (EC2) → Storage (EBS → S3 Commit); FTP Servers (FTP/FTPS) as an alternative entry point

• Storage Centers: TLS/SSL, AES-256 Encryption
• Utility Servers: Cache, File Processing, Anti Virus & Thumbnailing, Full Text Index, Backup (AES-256 Encryption)
• Storage: Elastic Block Storage, S3 Commit, AES-256 Encryption
• Backup: Encrypted Backup to 3rd Party Datacenter
• S3: 99.99% availability and 99.999999999% durability

Page 11: Citrix Day 2012: ShareFile

ShareFile StorageZones - Download

Diagram: Client ← TLS/SSL ← Storage Centers (EC2) ← Storage (Elastic Block Storage, S3; AES-256 Encryption); FTP Servers (FTP/FTPS) as an alternative path

Page 12: Citrix Day 2012: ShareFile

Availability and Redundancy

Page 13: Citrix Day 2012: ShareFile

Availability Information

• Real-time backup to Citrix data center

• Automatic failover (if necessary)

• Lazy file deletion to support file recovery

Page 14: Citrix Day 2012: ShareFile

ShareFile StorageZones

Page 15: Citrix Day 2012: ShareFile

ShareFile StorageZones

• Store files in customer managed StorageZones and/or in the Citrix managed StorageZones
• Modified On-Prem version of existing Storage Plane software
• Same user experience
• Technology Preview available

Page 16: Citrix Day 2012: ShareFile

Why StorageZones?

Compliance: Meet unique compliance and data sovereignty requirements by storing data On-Prem

Performance: Optimize end user performance by placing files and folders in close proximity

Page 17: Citrix Day 2012: ShareFile

ShareFile - Citrix managed StorageZones

Diagram (same as Page 7): Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB) ↔ StorageZones (Storage Center on EC2, S3)

Control Plane
• Account info
• Brokering
• Reporting
• Access Control

StorageZones
• Storage Centers
• Backend Storage
• Various Locations WW

Page 18: Citrix Day 2012: ShareFile

Citrix managed and On-Prem StorageZones

Diagram: Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB) ↔ StorageZones, either Citrix managed (Storage Center on EC2, S3) or in the Customer Datacenter (Storage Center on Windows IIS, NAS / CIFS)

Control Plane
• Account info
• Brokering
• Reporting
• Access Control

StorageZones
• Storage Centers
• Backend Storage
• In customer Datacenter(s)
• Hybrid with cloud

Page 19: Citrix Day 2012: ShareFile

Map: Citrix managed StorageZones, Control Planes and Customer-managed StorageZones

NEW: Control Plane in Germany / Frankfurt

Page 20: Citrix Day 2012: ShareFile

Using StorageZones

Page 21: Citrix Day 2012: ShareFile

Using StorageZones

• StorageZones can be set on
  ᵒ User-level
  ᵒ Root Folder-level

Page 22: Citrix Day 2012: ShareFile

Using StorageZones

Page 23: Citrix Day 2012: ShareFile

On-Prem Deployment Models

Page 24: Citrix Day 2012: ShareFile

Proof of Concept Deployment

Diagram: Public Internet IP → Firewall (10.0.0.1) → https → Storage Center (10.0.0.20)

Page 25: Citrix Day 2012: ShareFile

HA Deployment

Diagram: Public Internet IP 1 and Public Internet IP 2 → Firewall (10.0.0.1) → https → Storage Center (10.0.0.20) and Storage Center (10.0.0.21) → shared Storage

Page 26: Citrix Day 2012: ShareFile

Secure DMZ Deployment

Diagram: Public Internet IP → outer Firewall → https → host in the DMZ (10.0.0.1) → inner Firewall → http or https → Storage Center (10.0.0.20) and Storage Center (10.0.0.21) → Storage

Page 27: Citrix Day 2012: ShareFile

StorageZones Setup

Page 28: Citrix Day 2012: ShareFile

On-premise StorageZones Requirements

• Windows 2008 Server R2
• IIS Web Services role with ASP.NET
• Microsoft .NET 4.0
• A publicly resolvable internet hostname
• An SSL certificate for the above
  ᵒ Public, Windows accepted Certificate Authority
  ᵒ Self-signed or unsigned certificates are not supported at this time

Page 29: Citrix Day 2012: ShareFile

IIS Configuration

• Install SSL certificate and bind certificate to https port 443
  ᵒ Not needed when using DMZ proxy
• ISAPI and CGI Restrictions
  ᵒ ASP.NET v4.0.x needs to be set to “Allowed”

Page 30: Citrix Day 2012: ShareFile

Storage Center Installation

Page 31: Citrix Day 2012: ShareFile

Storage Center Configuration

Page 32: Citrix Day 2012: ShareFile

Shared Storage Configuration

• Tech Preview can use CIFS (UNC) or local or mapped drive/directory
• Storage Centers will access the Share using the StorageCenterAppPool user
  ᵒ Default NetworkService
  ᵒ Can be changed: Application Pools → StorageCenterAppPool → Advanced Setting → Identity

Page 33: Citrix Day 2012: ShareFile

ShareFile Security

Page 34: Citrix Day 2012: ShareFile

Security Information

• SSAE 16 audited data centers

• SSL Encryption in transit

• AES 256-bit encryption at rest

• All uploaded files scanned for viruses

• Daily scans for McAfee SECURE accreditation

• All ShareFile servers protected by dedicated firewalls

Page 35: Citrix Day 2012: ShareFile

Standard Download Security

Diagram: Client ↔ Control Plane (Main App / API servers, DB) ↔ StorageZones (Storage Center, EBS, S3); Control Plane and Storage Center hold a Shared Secret (trust)

1 Client requests a file
2 Prepare message sent to Storage Center
3 HMAC is validated
4 Storage Center confirms validity
5 Client receives download URL with HMAC
6 Client requests download
7 HMAC is validated
8 Storage Center gets file from storage
9 Download starts

Page 36: Citrix Day 2012: ShareFile

Trust & Encryption – On-Premise StorageZones

Diagram: Control Plane (*.sharefile.com, *.sf-api.com, DB) ↔ Shared Secret (trust) ↔ StorageZones (Storage Center → Storage)

• Shared Key created when StorageZone is created
• Storage encryption based on Passphrase entered during Storage Center configuration

Page 37: Citrix Day 2012: ShareFile

Download Security with On-Prem StorageZones

• NetScaler can handle incoming HMACs
• Can also work with other 3rd Party products
• HMAC part of URI: &h=…
• Shared key not required on NetScaler

Diagram: Client → NetScaler (DMZ) → Storage Center (StorageZone)

1 NetScaler strips HMAC from URI
2 NetScaler sends URI & HMAC to Storage Center
3 HMAC is validated by Storage Center
4 Storage Center sends confirmation to NS
5 Process Completes
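The HMAC handling on this slide and on the standard download slide (Page 35), as an added Python example that is not ShareFile's or Citrix's code: the Control Plane signs a prepared download URL with the shared secret, the NetScaler strips the h= parameter and forwards URI and HMAC, and the Storage Center recomputes and compares the HMAC. The hash (HMAC-SHA256), the canonical form of the signed URI, the secret and the sample URL are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo secret standing in for the shared key created with the
# StorageZone; it lives on the Control Plane and Storage Center, not on NetScaler.
SHARED_SECRET = b"constructed-demo-secret"

def _canonical(parts, query):
    """Rebuild the URI without h=; this is the string that gets signed (assumed form)."""
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))

def sign_download_url(url, secret=SHARED_SECRET):
    """Control Plane: append &h=<HMAC> to a prepared download URL (step 5, Page 35)."""
    parts = urlsplit(url)
    query = [kv for kv in parse_qsl(parts.query, keep_blank_values=True) if kv[0] != "h"]
    tag = hmac.new(secret, _canonical(parts, query).encode(), hashlib.sha256).hexdigest()
    return _canonical(parts, query + [("h", tag)])

def split_hmac(url):
    """NetScaler step 1: strip h= from the URI and return (uri, hmac).
    A missing or duplicated h= yields None so it is rejected, not guessed at."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for k, v in query if k == "h"]
    rest = [kv for kv in query if kv[0] != "h"]
    return _canonical(parts, rest), (tags[0] if len(tags) == 1 else None)

def storage_center_validates(uri, tag, secret=SHARED_SECRET):
    """Storage Center (step 3 here, steps 3 and 7 on Page 35): recompute the HMAC
    over the stripped URI and compare in constant time."""
    if not tag:
        return False
    expected = hmac.new(secret, uri.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def demo():
    """Run the flow once on a constructed URL and return each validation outcome."""
    url = "https://sz.example.com/download.ashx?id=fi1234&name=Q4+report.pdf"
    uri, tag = split_hmac(sign_download_url(url))
    return {
        "genuine": storage_center_validates(uri, tag),
        # file id edited in the URI: recomputed HMAC no longer matches the tag
        "tampered_uri": storage_center_validates(uri.replace("fi1234", "fi9999"), tag),
        # tag minted under a different key is rejected
        "wrong_key": storage_center_validates(uri, tag, secret=b"other-key"),
        # URL that never carried an h= parameter
        "missing_hmac": storage_center_validates(*split_hmac(url)),
    }
```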

Page 38: Citrix Day 2012: ShareFile

NetScaler Configuration

• For Validation checks, you will need to configure http callouts and a responder policy

• http://support.citrix.com/article/CTX133417

• Future version of NetScaler will have pre-configured policies

Page 39: Citrix Day 2012: ShareFile

ShareFile Authentication

Page 40: Citrix Day 2012: ShareFile

ShareFile Authentication Options

• Built-in Authentication
  ᵒ Uses combination of email address and password
  ᵒ Passwords are stored hashed in database
• SAML Support
  ᵒ Broad Identity Provider Support, including ADFS
• CloudGateway
  ᵒ Offers user provisioning functionality
  ᵒ Receiver integration
  ᵒ Recommended, especially for existing Citrix customers

Page 41: Citrix Day 2012: ShareFile

Enterprise Active Directory Options

• Requires customer provided and configured SAML provider
• Microsoft ADFS Support
• Also supports popular Identity Providers such as:
  ᵒ OneLogin
  ᵒ CA SiteMinder
  ᵒ PingIdentity PingFederate
  ᵒ SalesForce

SAML 2.0 Support

• Unified storefront for all applications, data and services
• Instant user provisioning and de-provisioning
• Fully integrated with Receiver
• Real-time SaaS application monitoring
• Comprehensive access control policies

Page 42: Citrix Day 2012: ShareFile

SAML Authentication

• User account is still required in ShareFile
  ᵒ Folder Access Control
  ᵒ Licensing
• Users will be matched by email address
• Identity Provider password will never be sent to Control Plane
• Password reset can be disabled
• Requires tools to be ‘SAML-aware’
  ᵒ ShareFile web site and iPad app are today, with other tool support coming

Page 43: Citrix Day 2012: ShareFile

SAML – How it works

Diagram: Client ↔ Service Provider (sharefile.com) ↔ Identity Provider (e.g. CloudGateway, ADFS)

1 Client requests ShareFile SSO login URL
2 Client discovers identity provider
3 Client redirected to identity provider
4 Client requests identity provider URL
5 Identity Provider identifies the user
6 User is authenticated and is redirected to Assertion Consumer Service URL with SAML response
7 User agent requests ACS URL
8 ACS validates SAML response and redirects user agent to ShareFile URL
9 User agent requests ShareFile URL
User has access
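The ACS-side validation in steps 7 and 8, as an added Python example that is not ShareFile's or Citrix's code: after the IdP's XML signature has been verified (assumed done by a SAML library, not shown), it checks InResponseTo, status, the validity window and the audience, then matches the NameID email against a local account table, since the previous slide says a ShareFile account is still required and users are matched by email. The SP entity ID, the sample response and the user table are constructed.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://example.sharefile.com"  # assumed SP entity ID (constructed)

# Constructed account table: the IdP only identifies the user; folder ACLs,
# licence and StorageZone still come from the ShareFile account on this side.
SHAREFILE_USERS = {"alice@example.com": {"zone": "Frankfurt", "licensed": True}}

# Constructed, unsigned sample. A real ACS verifies the IdP signature first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>Alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-11-01T10:00:00Z" NotOnOrAfter="2012-11-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example.sharefile.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def consume_saml_response(xml_text, expected_request_id, now_iso, users=SHAREFILE_USERS):
    """Steps 7-8: return (email, 'ok') on success, else (None, reason)."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo does not match the request this SP issued"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "IdP did not report Success"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return None, "assertion or its Conditions missing"
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window (replay or clock skew)"
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        return None, "assertion issued for another audience"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip().lower() if name_id is not None else ""
    if email not in users or not users[email]["licensed"]:
        return None, "no licensed ShareFile account matches this email"
    return email, "ok"
```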

Page 44: Citrix Day 2012: ShareFile

ShareFile Account Creation

• User creation can be done manually
  ᵒ One-by-one
  ᵒ Import from Excel spreadsheet
• User is provisioned through CloudGateway
• Employee Creation Tool

Page 45: Citrix Day 2012: ShareFile

Employee Creation Tool

• Creates ShareFile user accounts and distribution lists based on AD users and groups
• Option to notify users of account creation
• Built-in log
• Ability to select default StorageZone for users
• Users added with the ECT should also be removed with the ECT

Page 46: Citrix Day 2012: ShareFile

Employee Creation Tool Options

• Pre-defined user account settings
  ᵒ Enabled:
    • Personal File Box
    • Manage Client Users
    • My Settings link available
    • User is added to Company Address Book
  ᵒ Disabled:
    • Selection of StorageZones for root-level folders
    • Ability to change password
    • Edit Shared Address Book
    • Root folder creation and email notification through UI
• EmployeeCreationTool.exe.config

Page 47: Citrix Day 2012: ShareFile

Citrix CloudGateway & Receiver – Follow-me-data

Page 48: Citrix Day 2012: ShareFile

Diagram: devices (PC, Mac, Smartphone, Tablet, Thin Client) and CloudGateway components (StoreFront™ services, Content Controllers, Access Gateway services)

Page 49: Citrix Day 2012: ShareFile
Page 50: Citrix Day 2012: ShareFile
Page 51: Citrix Day 2012: ShareFile

Deployment Option & Features

Features                                            ShareFile   Receiver + ShareFile + CloudGateway

Access + Security
  Multi-device/platform access                      √           √
  Desktop synch                                     √           √
  Offline Access                                    √           √
  AD + SAML Support                                 √           √
  Remote wipe of data                               √           √

Collaboration
  Shared Folders with permissions                   √           √
  Outlook plug-in                                   √           √
  Simple link sharing                               √           √

Enterprise Control + Unified Delivery
  Remote Wipe of apps and data                                  √
  SSO across Apps and Data with 2-factor support                √
  AD based Roles and Provisioning/De-provisioning               √
  XenApp Integration                                            √
  Apps and Data via Single UI (Receiver)                        √
  Unified Admin console for apps and data                       √
  Policy based access*                                          √
  Data Encryption with shredding*                               √

Page 52: Citrix Day 2012: ShareFile

What’s Next

Page 53: Citrix Day 2012: ShareFile

ShareFile StorageZones Connect Tech Preview

Diagram: Client ↔ Control Plane (*.sharefile.com, *.sf-api.com, DB) ↔ StorageZone in the Customer Datacenter (Storage Center on Windows IIS → NAS / CIFS Share)

Control Plane
• Web application
• Brokering
• Reporting
• Access Control

• Provide mobile access to files in existing CIFS shares

Page 54: Citrix Day 2012: ShareFile

ShareFile StorageZones Connect Tech Preview

ShareFile Personal Folder

ShareFile Team Folder

ShareFile Team Folder

Existing Network Share

Page 55: Citrix Day 2012: ShareFile

Work better. Live better.