ShareFile Technical Overview. <presenter name>. <presentation month/year>.

  1. ShareFile Technical Overview <presenter name> <presentation month/year>

  2. Agenda

  3. Agenda
  • Introduction to ShareFile Enterprise
  • High-Level Architecture
  • Availability and Redundancy
  • StorageZones
  • Security
  • Authentication
  • Follow-me-data with Citrix CloudGateway & Receiver
  • Wrap-up

  4. ShareFile Introduction

  5. ShareFile
  • Enables file sharing with anyone
  • Syncs data across all devices
  • Online file sharing spaces for virtual teams
  • Selective offline access on mobile devices
  • Data protection: encryption, device lock, remote wipe, poison-pill

  6. Why ShareFile?
  • Enable workforce mobility & BYOD
  • Address the “Dropbox problem”
  • Simple and secure data sharing: with fellow employees, for team collaboration, and with clients and 3rd parties
  • Enhanced productivity

  7. Broad Device, Workflow and Protocol Support
  • Mobile apps: iPhone, iPad, Android, Android tablet, BlackBerry, Windows Phone 7, mobile site
  • Desktop apps: Windows Sync, Mac OS Sync, Outlook plug-in, browser
  • Automation: API, command line interface*
  • Alternative protocols (Citrix-managed cloud StorageZones only): FTP/S, SMTP

  8. ShareFile High-level Architecture

  9. ShareFile – with Citrix managed StorageZones (architecture diagram)
  • Control Plane (*.sharefile.com, *.sf-api.com): account info, brokering, reporting, access control, database
  • StorageZones: Storage Centers (EC2) with S3 backend storage, in various locations worldwide
  • The client talks to both: the control plane for account data and brokering, the Storage Center for file data

  10. ShareFile – Current Architecture With Citrix managed StorageZones

  11. ShareFile Control Plane (diagram)
  • Holds no client files; stores file metadata and account data only
  • DMZ: load-balanced web servers (“main app”) and load-balanced API web servers
  • Internal: SQL cluster, replicated to the DR datacenter
  • TLS/SSL towards the client; AES-256 encryption at rest

  12. ShareFile StorageZones – Upload and File Processing (diagram, Citrix-managed zone)
  • Client → Storage Centers (EC2) over TLS/SSL; files land in an EBS cache (Elastic Block Storage, AES-256 encrypted)
  • Commit from the EBS cache to S3 (AES-256 encrypted); S3 offers 99.99% availability and 99.999999999% durability
  • FTP/FTPS servers provide the alternative-protocol upload path
  • Utility servers: anti-virus and thumbnailing, full-text index, file processing
  • Encrypted backup to a 3rd-party datacenter

  13. ShareFile StorageZones – Download (diagram)
  • The Storage Center (EC2) fetches the file from S3 into its EBS cache and serves it to the client over TLS/SSL; EBS and S3 are AES-256 encrypted
  • FTP/FTPS servers serve the same path for FTP clients

  14. Availability and Redundancy

  15. Availability Information
  • Real-time backup to Citrix data center
  • Automatic failover (if necessary)
  • Lazy file deletion to support file recovery

  16. ShareFile StorageZones

  17. ShareFile StorageZones
  • Now available for all ShareFile Enterprise accounts
  • Store files in customer-managed StorageZones, in Citrix-managed StorageZones, or both
  • Technology proven in the cloud
  • Seamless user experience

  18. Why StorageZones?
  • Compliance: meet unique compliance and data sovereignty requirements by storing data on-prem
  • Performance: optimize end-user performance by placing files and folders in close proximity to the users

  19. ShareFile – Citrix managed StorageZones (same architecture diagram as slide 9: control plane at *.sharefile.com / *.sf-api.com with account info, brokering, reporting, access control and database; Storage Centers on EC2 with S3 backend storage in various locations worldwide)

  20. Citrix managed and On-Prem StorageZones (diagram)
  • Control Plane (*.sharefile.com, *.sf-api.com): account info, brokering, reporting, access control, database
  • Citrix-managed zone: Storage Center (EC2) with S3 backend storage
  • Customer datacenter(s): Storage Center (Windows IIS) with CIFS backend storage; can be run hybrid with the cloud zone
  • The client reaches the control plane and whichever Storage Center holds the data

  21. Citrix managed StorageZones Control Plane Customer managed StorageZones

  22. ShareFile European Control Plane
  • https://<subdomain>.sharefile.eu
  • Enterprise accounts available in Q4
  • High performance, user proximity
  • Government compliance
  • Hosted in the Citrix Online datacenter in Germany

  23. Using StorageZones

  24. Using StorageZones
  • StorageZones can be set at user level or at root-folder level

  25. Using StorageZones

  26. On-Prem Deployment Models

  27. Proof of Concept Deployment (diagram)
  • A single Storage Center (10.0.0.20) behind a firewall (public Internet IP outside, 10.0.0.1 inside)
  • https from the Internet to the firewall and https from the firewall to the Storage Center

  28. HA Deployment (diagram)
  • Two Storage Centers (10.0.0.20 and 10.0.0.21) sharing the same backend storage
  • Two public Internet IPs on the firewall (10.0.0.1 inside), https end to end

  29. Secure DMZ Deployment (diagram)
  • Two firewalls: the outer one takes https from the public Internet IP into the DMZ
  • From the DMZ to the Storage Centers (10.0.0.20 and 10.0.0.21, shared storage, behind the inner firewall at 10.0.0.1) the diagram allows http or https
  • Caveat: with http on the inner leg, file contents cross the internal segment unencrypted; use https there too unless that segment is fully trusted

  30. StorageZones Setup

  31. On-premises StorageZones Requirements
  • Windows Server 2008 R2
  • Web Server (IIS) role with ASP.NET
  • Microsoft .NET 4.0
  • A publicly resolvable Internet hostname
  • An SSL certificate for that hostname, issued by a public Certificate Authority that Windows trusts; self-signed or unsigned certificates are not supported

  32. IIS Configuration
  • Install the SSL certificate and bind it to https port 443 (not needed when a DMZ proxy terminates SSL in front of the Storage Center)
  • ISAPI and CGI Restrictions: set ASP.NET v4.0.x to “Allowed”

  33. Storage Center Installation

  34. Storage Center Configuration

  35. Shared Storage Configuration
  • CIFS share access: the Storage Centers access the share as the StorageCenterAppPool identity
  • Set that identity under Application Pools → StorageCenterAppPool → Advanced Settings → Identity
  • Additional permission settings are documented in eDocs

  36. Troubleshooting StorageZones

  37. Basic Troubleshooting
  • Enter the <external address> on the configuration page without a port or https://, and check for typos
  • Make sure the account is an Enterprise account with StorageZones enabled
  • Make sure the user account has StorageZones admin permissions
  • Check that the Storage Center URL is reachable from outside
  • Check the file share for the creation of directories
  • Check that SCKeys.txt has been created in the root of the file share
  • Logs!
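The checklist on slide 37 can be run as a preflight script before opening the configuration page. The following is an added example, not a ShareFile tool; the hostname rules (bare FQDN, no scheme, port or path), the use of a throwaway directory in place of the CIFS share and the placeholder SCKeys.txt content are assumptions, and the DNS resolver is injectable so the checks run offline.

```python
"""Preflight checks for an on-premises Storage Center, following the checklist on
slide 37. Added example, not a ShareFile tool: the DNS resolver and the share path
are injectable so the checks can run offline against constructed inputs."""
import ipaddress
import os
import socket
import tempfile
from urllib.parse import urlsplit


def normalize_external_address(value):
    """The configuration page wants the bare hostname: no scheme, port or path.
    Returns (hostname, list of problems found)."""
    raw = value.strip()
    parsed = urlsplit(raw if "//" in raw else "//" + raw)
    problems = []
    if parsed.scheme:
        problems.append("remove the scheme '%s://'" % parsed.scheme)
    try:
        if parsed.port is not None:
            problems.append("remove the port :%d" % parsed.port)
    except ValueError:
        problems.append("port is not numeric")
    if parsed.path not in ("", "/"):
        problems.append("remove the path '%s'" % parsed.path)
    host = (parsed.hostname or "").lower()
    if "." not in host:
        problems.append("hostname is not a fully qualified name")
    return host, problems


def check_public_resolution(host, resolver=socket.gethostbyname):
    """Slide 31 requires a publicly resolvable Internet hostname: it must resolve,
    and not to a private, loopback or link-local address."""
    try:
        ip = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return ["%s does not resolve" % host]
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return ["%s resolves to %s, which is not a public address" % (host, ip)]
    return []


def check_share(share_root):
    """The Storage Center must be able to create directories in the share, and
    SCKeys.txt appears in the share root once configuration has succeeded."""
    if not os.path.isdir(share_root):
        return ["share root %s is not reachable" % share_root]
    problems = []
    probe = os.path.join(share_root, ".sz-preflight-probe")
    try:
        os.mkdir(probe)
        os.rmdir(probe)
    except OSError as exc:
        problems.append("cannot create directories in the share: %s" % exc)
    if not os.path.isfile(os.path.join(share_root, "SCKeys.txt")):
        problems.append("SCKeys.txt missing: Storage Center configuration has not completed")
    return problems


def preflight(external_address, share_root, resolver=socket.gethostbyname):
    """Run all checks and return the list of problems (empty means ready)."""
    host, problems = normalize_external_address(external_address)
    if host:
        problems += check_public_resolution(host, resolver)
    return problems + check_share(share_root)


def constructed_share(configured):
    """Create a throwaway directory standing in for the CIFS share (sample data,
    not a real share); SCKeys.txt content is a placeholder."""
    root = tempfile.mkdtemp(prefix="sz-share-")
    if configured:
        with open(os.path.join(root, "SCKeys.txt"), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    # Constructed run: typo-style input and a resolver that returns a private IP.
    share = constructed_share(configured=False)
    for problem in preflight("https://sc.example.com:443/", share,
                             resolver=lambda h: "10.0.0.20"):
        print("-", problem)
```

Against a real deployment, call `preflight("<external address>", r"\\fileserver\sharefile")` with the default resolver; every line it prints maps to one item on slide 37.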

  38. ShareFile Security

  39. Security Information
  • SSAE 16 audited data centers
  • SSL encryption in transit
  • AES 256-bit encryption at rest
  • All uploaded files scanned for viruses
  • Daily scans for McAfee SECURE accreditation
  • All ShareFile servers protected by dedicated firewalls

  40. Standard Download Security (sequence diagram; the control plane and the StorageZone hold a shared secret that establishes trust)
  (1) Client requests a file from the main app / API servers
  (2) Control plane prepares a message and sends it to the Storage Center
  (3) Storage Center validates the HMAC
  (4) Storage Center confirms validity to the control plane
  (5) Client receives a download URL carrying an HMAC
  (6) Client requests the download from the Storage Center
  (7) Storage Center validates the HMAC on the URL
  (8) Storage Center gets the file from storage
  (9) Download starts

  41. Trust & Encryption – On-Premises StorageZones
  • A shared key (secret) between the control plane (*.sharefile.com, *.sf-api.com) and the StorageZone is created when the StorageZone is created; it is the trust used to validate HMACs
  • A storage encryption key is also created when the StorageZone is created
  • That encryption key is encrypted with a passphrase when the Storage Center is configured

  42. Download Security with On-Prem StorageZones (DMZ NetScaler in front of the Storage Center)
  (1) NetScaler strips the HMAC from the URI
  (2) NetScaler sends the URI and the HMAC to the Storage Center
  (3) Storage Center validates the HMAC
  (4) Storage Center sends confirmation to NetScaler
  (5) Process completes
  • NetScaler can handle incoming HMACs; this is the security best practice, because connections with bad requests never enter the internal network
  • Documented in the admin guide on eDocs
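The download-URL protection described on slides 40 and 42, modelled end to end as an added example (this is not ShareFile code and not its wire format): the path layout `/download/<zone>`, the query parameter names `f`, `u`, `exp` and `h`, HMAC-SHA256, the five-minute lifetime and the host names are all assumptions. The control plane issues a signed URL with the zone's shared secret, the Storage Center recomputes the HMAC and checks expiry before serving, and the DMZ front door (the NetScaler role) splits the HMAC off, has the Storage Center confirm it, and only then forwards the stripped URI inward.

```python
"""Model of the HMAC-protected download URL from slides 40 and 42.
Added example, not ShareFile code: the path layout (/download/<zone>), the query
parameter names (f, u, exp, h), HMAC-SHA256 and the lifetime are assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

HMAC_PARAM = "h"  # assumed name of the query parameter carrying the HMAC


def create_zone_secret():
    """Slide 41: a shared secret is created when the StorageZone is created."""
    return secrets.token_bytes(32)


def _canonical(path, params):
    """Bytes under the HMAC: path plus sorted query, excluding the HMAC itself."""
    items = sorted((k, v) for k, v in params.items() if k != HMAC_PARAM)
    return (path + "?" + urlencode(items)).encode()


def _params(query):
    """Flatten a query string to a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


class ControlPlane:
    """Knows every zone's secret and issues download URLs (slide 40, steps 1-5)."""

    def __init__(self, zone_secrets):
        self.zone_secrets = zone_secrets  # zone id -> shared secret

    def issue_download_url(self, zone, host, file_id, user_id, ttl=300, now=None):
        now = int(time.time()) if now is None else now
        path = "/download/" + zone
        params = {"f": file_id, "u": user_id, "exp": str(now + ttl)}
        mac = hmac.new(self.zone_secrets[zone], _canonical(path, params),
                       hashlib.sha256).hexdigest()
        params[HMAC_PARAM] = mac
        return urlunsplit(("https", host, path, urlencode(sorted(params.items())), ""))


class StorageCenter:
    """Holds only its own zone's secret and validates before serving (steps 6-9)."""

    def __init__(self, zone, secret):
        self.zone, self.secret = zone, secret

    def validate(self, path, params, now=None):
        """Recompute the HMAC, compare in constant time, then check the expiry."""
        now = int(time.time()) if now is None else now
        if path != "/download/" + self.zone:
            return False, "wrong zone"
        expected = hmac.new(self.secret, _canonical(path, params),
                            hashlib.sha256).hexdigest()
        presented = params.get(HMAC_PARAM, "")
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return False, "bad hmac"
        try:
            expires = int(params["exp"])
        except (KeyError, ValueError):
            return False, "missing expiry"
        if now > expires:
            return False, "expired"
        return True, "ok"

    def serve(self, url, now=None):
        parts = urlsplit(url)
        ok, reason = self.validate(parts.path, _params(parts.query), now)
        return "download starts" if ok else "denied: " + reason


def dmz_front_door(url, storage_center, now=None):
    """NetScaler role from slide 42: split the HMAC off the URI, have the Storage
    Center confirm it, and only then forward the stripped URI inward. The front
    door never holds the zone secret, so a bad request is refused at the DMZ."""
    parts = urlsplit(url)
    params = _params(parts.query)
    mac = params.pop(HMAC_PARAM, None)
    if mac is None:
        return 400, "no hmac"
    with_mac = dict(params)
    with_mac[HMAC_PARAM] = mac
    ok, reason = storage_center.validate(parts.path, with_mac, now)
    if not ok:
        return 403, reason
    # assumed internal host name; the inner leg carries the URI without the HMAC
    stripped = urlunsplit(("http", "storage-center.internal", parts.path,
                           urlencode(sorted(params.items())), ""))
    return 200, stripped


if __name__ == "__main__":
    secret = create_zone_secret()
    cp = ControlPlane({"zone1": secret})
    sc = StorageCenter("zone1", secret)
    url = cp.issue_download_url("zone1", "sc.example.com", "file-123", "user-9")
    print(url)
    print(sc.serve(url))
    print(dmz_front_door(url.replace("file-123", "file-999"), sc))
```

Two design points worth noting: the HMAC covers the path and every query parameter except the HMAC itself, so changing the file id, the user or the expiry invalidates the URL, and the expiry is checked only after the HMAC matches, so an attacker cannot learn anything from the order of failures.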

  43. ShareFile Authentication

  44. ShareFile Authentication Options
  • Built-in authentication: combination of email address and password; passwords are stored hashed in the database
  • SAML support: broad identity provider support, including ADFS
  • CloudGateway: offers user provisioning and Receiver integration; recommended, especially for existing Citrix customers

  45. Enterprise Active Directory Options
  SAML 2.0 support:
  • Requires a customer-provided and configured SAML identity provider
  • Microsoft ADFS supported
  • Also supports popular identity providers such as OneLogin, CA SiteMinder, Ping Identity PingFederate and Salesforce
  Further features:
  • Unified storefront for all applications, data and services
  • Instant user provisioning and de-provisioning
  • Fully integrated with Receiver
  • Real-time SaaS application monitoring
  • Comprehensive access control policies

  46. SAML Authentication
  • A user account is still required in ShareFile, for folder access control and licensing
  • Users are matched by email address
  • The identity provider password is never sent to the control plane
  • Password reset can be disabled
  • Requires the tools to be ‘SAML-aware’: the ShareFile web site and iPad app are today, with support in other tools coming

  47. SAML – How it works (service provider: sharefile.com; identity provider: e.g. CloudGateway, ADFS)
  (1) Client requests the ShareFile SSO login URL
  (2) Client discovers the identity provider
  (3) Client is redirected to the identity provider
  (4) Client requests the identity provider URL
  (5) Identity provider identifies the user
  (6) User is authenticated and redirected to the Assertion Consumer Service (ACS) URL with the SAML response
  (7) User agent requests the ACS URL
  (8) ACS validates the SAML response and redirects the user agent to the ShareFile URL
  (9) User agent requests the ShareFile URL; the user has access

  48. ShareFile Account Creation
  • Manually: one by one, or imported from an Excel spreadsheet
  • Provisioned through CloudGateway
  • User Management Tool

  49. User Management Tool
  • Creates ShareFile user accounts and distribution lists based on AD users and groups
  • Option to notify users of account creation
  • Ability to select the default StorageZone for users
  • Easy process for keeping AD and ShareFile in sync

  50. Citrix CloudGateway & Receiver Follow-me-data
