ShareFile SSO to Connectors with XenMobile 10
Network File Shares and SharePoint 2010/2013

Summary of Requirements

XenMobile

• XenMobile version 10
• ShareFile MDX application policy set to Secure Browse and Tunnelled to the internal network

NetScaler

• NetScaler must be configured to access sharefile.com/eu through customer Firewalls
• Content Switch created for ShareFile StorageZones (ShareFile NS wizard)
• (Optional) NetScaler AAA authentication (Enterprise License required)

ShareFile

• ShareFile StorageZone Controller authentication – Basic Authentication Enabled
• StorageZone FQDN to resolve to an internal IP (for PoC directly to the StorageZone Controller, or to a Content Switch/LBVIP with an internal IP on the NS)

Configuration steps

XenMobile server changes
1. Log onto the XenMobile 10 server https://<XenMobile server>:4443/zdm.
2. Click Configure, then click on Apps.  Highlight the ShareFile MDX application, then click on Edit.
3. Change the Network Access policy to Tunnelled to the internal network.
4. Change the Initial VPN Mode to Secure Browse.
5. Click Next then Save.

NetScaler

1. Run the ShareFile Wizard for StorageZones (Setup NetScaler for ShareFile)

2. If using AAA authentication on the NetScaler, check that the AAA LBVIP is configured and status is UP.  Browse to Security/AAA-Application Traffic/Virtual Servers, usually named _SF_AUTHSERVER.

3. Browse to Traffic Management/Load Balancing/Virtual Servers, check that the Connector LBVIP is UP, usually named _SF_CIF_SP_LB.

4. To check whether the AAA auth server is bound, Open the Connector LBVIP (usually named_SF_CIF_SP_LB).

5. Edit the Authentication option, ensure the 401 Based Authentication is enabled, and the appropriate AAA auth server is present (usually named _SF_AUTHSERVER).

ShareFile StorageZone Controller

1. Log onto the ShareFile StorageZone Controller
2. Expand the Default Website and highlight the cifs directory
3. Select the Authentication option in the right pane
4. Ensure the Basic Authentication is Enabled
5. Repeat this for the sp directory
Note: For configurations using DOMAIN\USER (SAM-Account-Name) and not USER@DOMAIN.COM (UserPrincinpalName), further configuration may be required within IIS for the StorageZone Controller as below.
6. Right-Click on the Basic Authentication setting and click Edit

7. Enter the details of your own Default domain (this example has citrix.lab)

domain

8. Click OK, then test.
Test

  • Enrol the mobile device onto XenMobile
  • Download ShareFile from the WorxStore
  • Log in, select a Network Connector, this should not prompt for credentials

Possible Errors

1. Connector prompts for credentials on first login
  • check that all steps have been carried out precisely
2. 504 Gateway Timeout

Note: internal devices could be resolving to the external IP address of the StorageZone FQDN (i.e. storagezone.company.com), traffic can usually blocked on the customer firewalls, therefore not reaching the StorageZone.

a. Ping the ShareFile StorageZone FQDN from an internal desktop/device

  • Resolves to the Public IP of the StorageZone

Check that you are able to access the SZC FQDN (i.e. storagezone.company.com) from the internal infrastructure (telnet fqdn 443).

  • Resolves to an internal IP of the StorageZone

Check DNS to see what this IP belongs to for storagezone.company.com internally, during a PoC this can go directly to the StorageZone Controller but for production this needs to go to a Load Balancer. See section b. below.

b. NetScaler Content Switch IP for the StorageZone resolves to Public IP or a NAT IP.

  • Public

If your NetScaler is using Public IPs, you can create another Content Switch for the StorageZone (identical to the existing one) with an internal IP to create a split DNS configuration.
Then create an internal DNS entry for your StorageZone FQDN in ActiveDirectory (i.e. storagezone.company.com) to point to that new Content switch with the internal IP.

  • NAT

If your NetScaler is using NAT addresses (internally reachable), create an internal DNS entry for your StorageZone FQDN (in ActiveDirectory to your storagezone.company.com) to point to that existing Content switch with the internal IP.