Citrix Day 2012: ShareFile


  1. ShareFile Enterprise
     Roger Bösch, Citrix Systems International GmbH
  2. ShareFile Introduction
  3. ShareFile Introduction (diagram labels: Store, Sync, Share)
     • Enables file sharing with anyone
     • Syncs data across all devices
     • Online file sharing spaces for virtual teams
     • Selective offline access on mobile devices
     • Data protection
       ᵒ Encryption
       ᵒ Device lock
       ᵒ Remote wipe
       ᵒ Poison-pill
  4. Why ShareFile?
     • Enable workforce mobility & BYOD
     • Address the “Dropbox-Problem”
     • Simple and secure data sharing
       ᵒ Fellow employees
       ᵒ Team collaboration
       ᵒ Clients, 3rd party collaboration
     • Enhanced productivity
  5. Broad Device, Workflow and Protocol Support (diagram)
     • Desktop Apps: Outlook Plug-in, Desktop Widget, Desktop Sync, Enterprise Sync
     • Alternative Protocol / Automation: Command Line Interface, Drive Mapping
     • Mobile Apps: Mobile Site, Windows 7 Phone, Android, iPhone, Android Tablet, BlackBerry, iPad
  6. ShareFile High-level Architecture
  7. ShareFile – with Citrix managed StorageZones (diagram)
     • Control Plane (*.sharefile.com, *.sf-api.com): Account info, Brokering, Reporting, Access Control, DB
     • StorageZones: Storage Centers (EC2), Backend Storage (S3), Various Locations WW
     • Client
  8. ShareFile – Current Architecture with Citrix managed StorageZones
  9. ShareFile Control Plane (diagram)
     Labels: DMZ; No Client Files; File Metadata; Account Data; Webservers (“main app”); API Webservers; Load balancing; Client; SQL Cluster; TLS/SSL; AES-256 Encryption; Replication to DR Datacenter
  10. ShareFile StorageZones (diagram)
     Labels: S3 (99.99% availability and 99.999999999% durability); FTP/FTPS; FTP Servers; Utility Servers (Anti Virus & Thumbnailing, Full Text Index); Client; Storage Centers; Backup Storage; Encrypted Backup to 3rd Party Datacenter; S3 Commit; TLS/SSL; AES-256 Encryption; File Processing Cache; EBS (Elastic Block Storage, AES-256 Encryption); EC2; S3
  11. ShareFile StorageZones – Download (diagram)
     Labels: FTP/FTPS; FTP Servers; Client; Storage Centers; Storage; TLS/SSL; AES-256 Encryption; EBS (Elastic Block Storage); EC2; S3
  12. Availability and Redundancy
  13. Availability Information
     • Real-time backup to Citrix data center
     • Automatic failover (if necessary)
     • Lazy file deletion to support file recovery
  14. ShareFile StorageZones
  15. ShareFile StorageZones
     • Store files in customer managed StorageZones and/or in the Citrix managed StorageZones
     • Modified On-Prem version of existing Storage Plane software
     • Same user experience
     • Technology Preview available
  16. Why StorageZones?
     • Compliance: Meet unique compliance and data sovereignty requirements by storing data On-Prem
     • Performance: Optimize end user performance by placing files and folders in close proximity
  17. ShareFile – Citrix managed StorageZones (diagram)
     • Control Plane (*.sharefile.com, *.sf-api.com): Account info, Brokering, Reporting, Access Control, DB
     • StorageZones: Storage Centers (EC2), Backend Storage (S3), Various Locations WW
     • Client
  18. Citrix managed and On-Prem StorageZones (diagram)
     • Control Plane (*.sharefile.com, *.sf-api.com): Account info, Brokering, Reporting, Access Control, DB
     • StorageZones: Storage Centers, Backend Storage, In customer Datacenter(s), Hybrid with cloud
       ᵒ Storage Center (Windows IIS) with NAS / CIFS in the Customer Datacenter
       ᵒ Storage Center (EC2) with S3
     • Client
  19. NEW: Control Plane in Germany / Frankfurt (diagram)
     Labels: Citrix managed StorageZones; Control Planes; Customer-managed StorageZones
  20. Using StorageZones
  21. Using StorageZones
     • StorageZones can be set on
       ᵒ User-level
       ᵒ Root Folder-level
  22. Using StorageZones
  23. On-Prem Deployment Models
  24. Proof of Concept Deployment (diagram)
     Public Internet IP → https → Firewall → https → Storage Center 10.0.0.20 (10.0.0.1 also shown)
  25. HA Deployment (diagram)
     Public Internet IP 1 and Public Internet IP 2 → https → Firewall → https → Storage Center 10.0.0.20 and Storage Center 10.0.0.21, both attached to shared Storage (10.0.0.1 also shown)
  26. Secure DMZ Deployment (diagram)
     Public Internet IP → https → Firewall → http or https → Firewall → http or https → Storage Center 10.0.0.20 and Storage Center 10.0.0.21, both attached to shared Storage (10.0.0.1 also shown)
  27. StorageZones Setup
  28. On-premise StorageZones Requirements
     • Windows 2008 Server R2
     • IIS Web Services role with ASP.NET
     • Microsoft .NET 4.0
     • A publicly resolvable internet hostname
     • An SSL certificate for the above
       ᵒ Public, Windows-accepted Certificate Authority
       ᵒ Self-signed or unsigned certificates are not supported at this time
  29. IIS Configuration
     • Install SSL certificate and bind certificate to https port 443
       ᵒ Not needed when using DMZ proxy
     • ISAPI and CGI Restrictions
       ᵒ ASP.NET v4.0.x needs to be set to “Allowed”
  30. Storage Center Installation
  31. Storage Center Configuration
  32. Shared Storage Configuration
     • Tech Preview can use CIFS (UNC) or local or mapped drive/directory
     • Storage Centers will access the Share using the StorageCenterAppPool user
       ᵒ Default NetworkService
       ᵒ Can be changed
     • Application Pools → StorageCenterAppPool → Advanced Settings → Identity
  33. ShareFile Security
  34. Security Information
     • SSAE 16 audited data centers
     • SSL Encryption in transit
     • AES 256-bit encryption at rest
     • All uploaded files scanned for viruses
     • Daily scans for McAfee SECURE accreditation
     • All ShareFile servers protected by dedicated firewalls
  35. Standard Download Security (diagram)
     Participants: Client; Control Plane (Main App / API servers, DB); StorageZones (Storage Center, EBS, S3); Shared Secret (trust) between Control Plane and Storage Center
     1. Client requests a file
     2. Prepare message sent to Storage Center
     3. HMAC is validated
     4. Storage Center confirms validity
     5. Client receives download URL with HMAC
     6. Client requests download
     7. HMAC is validated
     8. Storage Center gets file from storage
     9. Download starts
  36. Trust & Encryption – On-Premise StorageZones (diagram)
     • Shared Secret (trust) between the Control Plane (*.sharefile.com, *.sf-api.com, DB) and the Storage Center; the Shared Key is created when the StorageZone is created
     • Storage encryption is based on the Passphrase entered during Storage Center configuration
  37. Download Security with On-Prem StorageZones (diagram: DMZ, NetScaler, StorageZone Storage Center)
     • NetScaler can handle incoming HMACs
     • Can also work with other 3rd Party products
     • HMAC part of URI: &h=…
     • Shared key not required on NetScaler
     1. NetScaler strips HMAC from URI
     2. NetScaler sends URI & HMAC to Storage Center
     3. HMAC is validated by Storage Center
     4. Storage Center sends confirmation to NS
     5. Process completes
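The HMAC-protected download URL of slides 35 and 37 (the Control Plane issues a URL carrying an HMAC computed with the secret it shares with the Storage Center; the validator strips the &h= value from the URI, recomputes the HMAC and compares) as an added illustration, not Citrix's code. HMAC-SHA256, the fileid/exp parameters, the expiry check and the hostname are assumptions; the deck only states that an HMAC travels in &h=.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed demo value standing in for the "Shared Secret (trust)" that the
# Control Plane and the Storage Center hold; a real deployment provisions its own.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"


def _mac(secret: bytes, uri: str) -> str:
    # HMAC-SHA256 over the URI with the h= parameter removed (algorithm assumed).
    return hmac.new(secret, uri.encode("utf-8"), hashlib.sha256).hexdigest()


def strip_hmac(url: str):
    # What the deck describes as "NetScaler strips HMAC from URI": return the
    # URI without h= (parameter order preserved) and the h value, or None.
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    h = next((v for k, v in pairs if k == "h"), None)
    kept = [(k, v) for k, v in pairs if k != "h"]
    uri = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return uri, h


def issue_download_url(secret: bytes, storage_center: str, file_id: str, expires: int) -> str:
    # Control Plane side (step 5): hand the client a download URL carrying the HMAC.
    # fileid/exp parameter names are assumptions; exp is a Unix time (assumed).
    uri = f"{storage_center}/download?{urlencode({'fileid': file_id, 'exp': expires})}"
    return f"{uri}&h={_mac(secret, uri)}"


def validate_download_url(secret: bytes, url: str, now: int) -> bool:
    # Storage Center side (step 7): reject a missing, expired or tampered URL.
    uri, h = strip_hmac(url)
    if h is None:
        return False
    try:
        expires = int(dict(parse_qsl(urlsplit(uri).query)).get("exp", ""))
    except ValueError:
        return False
    if now > expires:
        return False
    # Constant-time comparison so a valid HMAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(secret, uri), h)
```

Because the HMAC covers the whole URI, changing the file id or the expiry invalidates it, and the NetScaler only needs to forward URI and HMAC, never the shared key.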
  38. NetScaler Configuration
     • For validation checks, you will need to configure HTTP callouts and a responder policy
     • http://support.citrix.com/article/CTX133417
     • Future version of NetScaler will have pre-configured policies
  39. ShareFile Authentication
  40. ShareFile Authentication Options
     • Built-in Authentication
       ᵒ Uses combination of email address and password
       ᵒ Passwords are stored hashed in database
     • SAML Support
       ᵒ Broad Identity Provider support, including ADFS
     • CloudGateway
       ᵒ Offers user provisioning functionality
       ᵒ Receiver integration
       ᵒ Recommended, especially for existing Citrix customers
  41. Enterprise Active Directory Options
     • SAML 2.0 Support
       ᵒ Requires customer provided and configured SAML provider
       ᵒ Microsoft ADFS Support
       ᵒ Also supports popular Identity Providers such as: OneLogin, CA SiteMinder, PingIdentity PingFederate, SalesForce
     • Unified storefront for all applications, data and services
     • Instant user provisioning and de-provisioning
     • Fully integrated with Receiver
     • Real-time SaaS application monitoring
     • Comprehensive access control policies
  42. SAML Authentication
     • User account is still required in ShareFile
       ᵒ Folder Access Control
       ᵒ Licensing
     • Users will be matched by email address
     • Identity Provider password will never be sent to Control Plane
     • Password reset can be disabled
     • Requires tools to be ‘SAML-aware’
       ᵒ ShareFile web site and iPad app are today, with other tool support coming
  43. SAML – How it works (diagram)
     Participants: Client (user agent); Service Provider (sharefile.com); Identity Provider (e.g. CloudGateway, ADFS)
     1. Client requests ShareFile SSO login URL
     2. Client discovers identity provider
     3. Client redirected to identity provider
     4. Client requests identity provider URL
     5. Identity Provider identifies the user
     6. User is authenticated and is redirected to Assertion Consumer Service URL with SAML response
     7. User agent requests ACS URL
     8. ACS validates SAML response and redirects user agent to ShareFile URL
     9. User agent requests ShareFile URL
     User has access
  44. ShareFile Account Creation
     • User creation can be done manually
       ᵒ One-by-one
       ᵒ Import from Excel spreadsheet
     • User is provisioned through CloudGateway
     • Employee Creation Tool
  45. Employee Creation Tool
     • Creates ShareFile user accounts and distribution lists based on AD users and groups
     • Option to notify users of account creation
     • Built-in log
     • Ability to select default StorageZone for users
     • Users added with the ECT should also be removed with the ECT
  46. Employee Creation Tool Options
     • Pre-defined user account settings
       ᵒ Enabled:
         • Personal File Box
         • Manage Client Users
         • My Settings link available
         • User is added to Company Address Book
       ᵒ Disabled:
         • Selection of StorageZones for root-level folders
         • Ability to change password
         • Edit Shared Address Book
     • Root folder creation and email notification through UI
     • EmployeeCreationTool.exe.config
  47. Citrix CloudGateway & Receiver: Follow-me-data
  48. Access Gateway services, StoreFront™ services, Content Controllers (diagram)
     Devices shown: PC, Mac, Smartphone, Tablet, Thin Client
  49. Deployment Option & Features
     Features                                          ShareFile   Receiver + ShareFile + CloudGateway
     Access + Security
     Multi-device/platform access                      √           √
     Desktop synch                                     √           √
     Offline Access                                    √           √
     AD + SAML Support                                 √           √
     Remote wipe of data                               √           √
     Collaboration
     Shared Folders with permissions                   √           √
     Outlook plug-in                                   √           √
     Simple link sharing                               √           √
     Enterprise Control + Unified Delivery
     Remote Wipe of apps and data                                  √
     SSO across Apps and Data with 2-factor support                √
     AD based Roles and Provisioning/De-provisioning               √
     XenApp Integration                                            √
     Apps and Data via Single UI (Receiver)                        √
     Unified Admin console for apps and data                       √
     Policy based access*                                          √
     Data Encryption with shredding*                               √
  50. What’s Next
  51. ShareFile StorageZones Connect Tech Preview (diagram)
     • Control Plane (*.sharefile.com, *.sf-api.com): Web application, Brokering, Reporting, Access Control, DB
     • StorageZone: Storage Center (Windows IIS) in the Customer Datacenter, providing mobile access to files in existing CIFS shares (CIFS NAS Share)
     • Client
  52. ShareFile StorageZones Connect Tech Preview (screenshot)
     Labels: ShareFile Personal Folder; ShareFile Team Folder; ShareFile Team Folder; Existing Network Share
  53. Work better. Live better.
