Hands-on Lab Exercise Guide
SF 617: Delivering an End-to-End Encrypted File Sync and Sharing Solution with ShareFile Enterprise
Mark Howell
May 2015
Table of Contents
Overview
Scenario
Exercise 1
  Part 1: Configuring NetScaler
  Part 2: Configuring NetScaler for Restricted Zones
  Part 3: Configuring NetScaler Gateway
Exercise 2: Configuring On-Premise Storage Zones
Exercise 3: Configuring ShareFile User Management Tool
Exercise 4: Configuring ShareFile Enterprise
Exercise 5: Configuring XenMobile Server
Exercise 6: Configuring ShareFile Account for SAML SSO
Exercise 7: Testing the Solution (Optional)
Overview
Hands-on Training Module
Objective
Provide hands-on experience with configuring Citrix ShareFile, StorageZone Connectors, NetScaler
for High Availability, and On-Demand Sync
Prerequisites
Working knowledge of NetScaler and XenMobile Server is helpful. An iPad or Android tablet is
optional.
Audience
Citrix employees, customers, and partners.
Lab Environment Details
The system diagram of the lab is shown below:
The Student Desktop VM is accessed remotely using Citrix Receiver running on your laptop. All
Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed
from the Student Desktop VM.
Lab Guide Conventions
• This symbol indicates particular attention must be paid to this step.
• Special note to offer advice or background information.
• reboot: text the student enters or an item they select is printed like this.
• VMDemo: filename mentioned in text or lines added to files during editing.
• Start: bold text indicates a reference to a button or object.
• Focuses attention on a particular part of the screen.
• Shows where to click or select an item on a screen shot.
List of Virtual Machines Used
VM Name          IP Address     Description / OS
Router (hidden)  192.168.10.1   Lab Router / Vyatta
AD.training.lab  192.168.10.11  Active Directory
Exchange         192.168.10.15  Exchange server used for SMTP
SZC1             192.168.10.30  ShareFile StorageZone Controller 1
NS1              192.168.10.40  NetScaler VPX
XMS              192.168.10.50  XenMobile Server
Win7             192.168.10.61  Windows 7 utility machine
License          192.168.10.60  Used for XenMobile Server license
Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises.
VM Name  IP Address     Username       Password
AD       192.168.10.11  administrator  Citrix123
SZC1     192.168.10.30  administrator  Citrix123
NS1      192.168.10.40  nsroot         nsroot
XMS      192.168.10.50  administrator  Citrix123
Win7     192.168.10.61  administrator  Citrix123
Scenario
You are the system administrator at Synergy Training Solutions. The CEO wants to enable a cloud-based
file sharing solution, so that all employees are able to access all their data, any time and from any
device, and share that data with their contacts at business partners and customers. The CIO does
have some additional requirements, as she has to make sure the company security policies are
followed and the solution is compliant with the regulations for their industry.
Additional requirements from the CTO:
• Data can be stored inside the cloud as well as on-premise. The on-premise StorageZone will
  store extremely confidential information, so all file and folder metadata stored in ShareFile’s
  application tier needs to be encrypted and can only be decrypted by employees of Synergy
  Training Solutions.
• The solution needs to be highly available; the CEO demands 100% uptime.
• The company wants to easily provision users into their ShareFile account using the ShareFile
  User Management Tool.
• The organization has recently purchased XenMobile Enterprise edition and the CIO wants to
  incorporate SAML SSO for all tier-1 ShareFile apps using the XenMobile Server as the identity
  provider (IDP).
With these requirements in mind, you start implementing a solution based on Citrix ShareFile. To
fulfill all the requirements from the CTO, you use ShareFile StorageZones with an on-premise
Restricted StorageZone. You make the environment highly available by front-ending the solution
with NetScaler, and you configure the NetScaler, Citrix XenMobile Server and ShareFile to
enable SAML SSO. Finally, you install and configure the ShareFile User Management Tool to set up
a rule that provisions users from Synergy Training Solutions AD into ShareFile.
Exercise 1
Part 1: Configuring NetScaler
Overview
Exercise 1 consists of 3 parts.
Part 1 consists of configuring the NetScaler VPX with Load Balancing rules to ensure StorageZones
Controller high availability, and creating Content Switching for both ShareFile Data (including HTTP
Callouts and Responder Policies) and ShareFile Connector traffic (including AAA Authentication).
To accomplish this you will use the new Setup NetScaler for ShareFile wizard introduced in
v10.1x.e; this lab, however, is running NetScaler v10.5.x.
The wizard is designed to create and configure everything needed to successfully implement
NetScaler for ShareFile. I will highlight everything that was done at the end of Part 1.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
1. From the student desktop VM, open Google Chrome.
   Navigate to http://192.168.10.40
   Enter the credentials listed below and click Login.
   User Name: nsroot
   Password: nsroot
2. Navigate to Traffic Management and click Setup NetScaler for ShareFile.
3. Enter the IP Address 192.168.10.32 (this IP address is NAT’ed to the Internet and is used for
   communication to ShareFile.com).
   Leave the Name set to ShareFile.
   Check the StorageZones Connector for Network File Shares/SharePoint box.
   Click Continue.
4. Use the drop-down menu to add the MCTWildcard certificate.
   Click Continue.
5. Click Add New StorageZone Controller.
6. Enter the IP Address of the first StorageZone Controller server, 192.168.10.30.
   Click the + sign next to the IP Address.
7. Normally you would add a 2nd StorageZone Controller IP address here for High
   Availability; however, to save time and ensure you finish the lab, you will only be
   configuring 1 StorageZones Controller server.
8. This is what it should look like when finished.
   Click Done.
9. An LDAP Authentication Settings window will open.
   Enter the following information into the LDAP Authentication Settings.
   AAA VServer IP Address: 192.168.10.33
   LDAP Server IP Address: 192.168.10.11
   Single Sign-On Domain: training
   Base DN (location of users): dc=training, dc=lab
   Administrator Bind DN: [email protected]
   Password: Citrix123
   Click Continue.
10. What you are doing here is configuring the AAA authentication that the ShareFile
    connector and Restricted StorageZone traffic will use to authenticate the user at the
    NetScaler and then pass those credentials to the appropriate virtual connector
    directory on the StorageZones Controller servers.
11. Checkpoint: This is what you should see when you are done.
    Click Done.
12. You will be taken back to the Traffic Management window.
Below you will see the seven components that the wizard created and configured. The Content
Switching vServer is the “front-door” for all incoming StorageZones traffic. The type of traffic,
ShareFile data or Connector, determines its traffic flow pattern, depicted in images 2 and 3. The
wizard is a very powerful tool that is not only effective but also efficient.
Here is a graphical representation of the communication flow and what the wizard configured:
Requests for ShareFile data from on-premise data storage:
A load balancing virtual server performs hash validation, to ensure valid URI signatures are present
on incoming requests.
Requests for data from StorageZones Connectors:
A load balancing virtual server performs user authentication. It stops a user request at the
NetScaler, authenticates the user, and then performs single sign-on of the user to the
StorageZones Controller.
Part 2: Configuring NetScaler for Restricted Zones
Overview
Part 2 consists of additional configuration to enable restricted StorageZones.
To support restricted zones you must perform additional NetScaler configuration after you complete
the NetScaler for ShareFile wizard:
• Create and configure a third NetScaler load-balancing virtual server, used to ensure that
  ShareFile clients send credentials only when logged on to a trusted ShareFile domain.
StorageZones Controller uses the Cross-Origin Resource Sharing (CORS) standard to provide the
necessary security for requests to restricted zones. CORS uses HTTP headers to allow the client
and server to know enough about each other to determine whether a request or response should succeed.
As described in the following steps, you will configure the additional virtual server to allow
anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes
through to the StorageZones Controller without being authenticated and without HTTP callouts to
validate the signature. The CORS preflight check validates domain trust before credentials are sent.
An understanding of CORS is not needed to perform the configuration. However, for more
information about CORS, including browser support, see http://enable-cors.org/.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
1. Navigate to Load Balancing | Virtual Servers and click Add.
2. Enter a Name: _SF_SZ_OPTIONS
   Change the Protocol to SSL.
   Change the IP Address Type to Non-Addressable.
   Click OK.
3. Select the No Load Balancing Virtual Service Binding option.
4. Click to Select in the Select Service field.
5. Check the boxes next to the service and click OK.
6. Click Bind.
7. This is what you should see. Click OK.
8. Click the No Server Certificate option.
9. Click to Select in the Select Server Certificate field.
10. Bullet the MCTWildcard certificate and select OK.
11. Click Bind.
12. This is what you should see. Click OK.
13. This is what you should see. Click Done.
14. Click the Refresh icon.
15. This is what you should see when finished.
16. Navigate to Traffic Management | Content Switching | Policies and click Add.
17. Enter a Name: _SF_SZ_OPTIONS_CSPOL
    Next to the Action field click the + icon.
18. Enter a Name: OPTIONS
    In the Target Load Balancing Virtual Server field use the pull-down and select the
    _SF_SZ_OPTIONS virtual server just created.
    Click Create.
19. Click Expression Editor.
20. In the first drop-down menu select HTTP.
21. In the 2nd drop-down menu select REQ.
22. In the 3rd drop-down menu select METHOD.
23. In the 4th drop-down menu select EQ(String).
24. Enter OPTIONS in the field next to EQ(String).
    Click Done.
25. This is what you will see when finished.
    Click Create.
26. You will be brought back to the Content Switching Policies window.
27. Select the _SF_CIF_SP_CSPOL policy and click Edit.
28. Place the cursor after (“/sp/”), followed by a space, and select the Operators pull-down menu.
    Select the || operator.
29. The Expression should look like the expression below.
    Enter another space after the || operator.
    Click Expression Editor.
30. Similar to the way you accomplished steps 20-24, use the drop-down menus to enter the
    information exactly as it is below.
    When finished click Done.
31. This is what it should look like when finished.
    Click OK.
32. You will be brought back to the Content Switching Policies window.
33. Navigate to Traffic Management | Content Switching | Virtual Servers and highlight the
    _SF_CS_ShareFile virtual server.
    Click Edit.
34. Under CS Policy Binding select the 2 Content Switching Policies option.
35. Click Add Binding.
36. Click to Select in the Select Policy field.
37. Bullet the _SF_SZ_OPTIONS_CSPOL policy and click OK.
38. Change the Priority to 10.
    This policy needs to have the highest priority, which means it will have the lowest number of
    all content switching policies.
    Click Bind.
39. Highlight the _SF_CIF_SP_CSPOL policy and, using the Edit drop-down menu, select Edit
    Binding.
40. Change the Priority to 20.
    In the Goto Expression field use the drop-down menu to select END.
    Click Bind.
41. This is what it should look like when finished. The priorities of these bindings are essential for
    traffic flow.
    Click Close.
42. Click Done.
43. Click the Save icon.
That concludes this part of the configuration.
In Part 2 you added the necessary components to enable Restricted StorageZones.
• You added a 3rd, non-addressable load-balanced vServer configured to accept traffic from
  the content switching policy you created, named _SF_SZ_OPTIONS_CSPOL. This policy needs the
  highest priority of the 3 policies to ensure proper traffic flow.
• Secondly, you extended the _SF_CIF_SP_CSPOL policy to include traffic that contains the term
  “proxyservice” in the URL. This service is used to authenticate users to the
  Restricted StorageZone and subsequently decrypt the file and folder metadata.
• Finally, you edited the Content Switching policies’ priorities to ensure that incoming ShareFile
  data was directed to the appropriate places.
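The Part 2 overview and the summary above describe three traffic paths through the _SF_CS_ShareFile front door: OPTIONS preflights (priority 10, no AAA and no signature callout), connector paths such as /cifs/, /sp/ and /proxyservice/ (priority 20, AAA authentication, Goto END), and everything else (ShareFile data with URI signature validation). The following Python model of that decision is an added example, not code from the lab guide or from Citrix; the zone secret, the trusted-origin list, the "sig" query parameter and the vserver names other than those named in the lab are assumptions.

```python
"""Model of the Part 2 content-switching and CORS preflight behaviour on the
ShareFile front-door vserver (_SF_CS_ShareFile).  Added example, not code from
the lab guide or from Citrix.  Assumptions (labelled below): vserver names other
than _SF_CS_ShareFile / _SF_SZ_OPTIONS / _SF_CIF_SP_CSPOL are placeholders; the
zone secret, trusted-origin list and "sig" query parameter are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ZONE_SECRET = b"constructed-zone-secret"              # stand-in for the zone key
TRUSTED_ORIGINS = {"https://student-x.sharefile.com"}  # constructed trust list


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


# Bindings on _SF_CS_ShareFile after steps 38-41: lowest priority number first.
# Priority 10 catches every OPTIONS request; priority 20 catches connector paths
# and carries Goto Expression END, so no later policy is consulted once it matches.
CS_BINDINGS: List[Tuple[int, str, Callable[[Request], bool], str]] = [
    (10, "_SF_SZ_OPTIONS_CSPOL", lambda r: r.method == "OPTIONS", "_SF_SZ_OPTIONS"),
    (20, "_SF_CIF_SP_CSPOL",
     lambda r: any(t in r.path for t in ("/cifs/", "/sp/", "/proxyservice/")),
     "SZ_CONNECTOR_AAA_LB"),        # placeholder name for the AAA connector vserver
]
DATA_LB = "SZ_DATA_LB"              # placeholder name for the ShareFile data vserver


def select_vserver(req: Request) -> Tuple[str, str]:
    """Return (matching policy, target vserver); unmatched traffic takes the default."""
    for _prio, policy, rule, target in sorted(CS_BINDINGS, key=lambda b: b[0]):
        if rule(req):
            return policy, target
    return "default", DATA_LB


def sign_path(path: str) -> str:
    """Constructed URI signature: HMAC-SHA256 of the path under the zone secret."""
    return hmac.new(ZONE_SECRET, path.encode(), hashlib.sha256).hexdigest()


def handle_options(req: Request) -> Tuple[int, Dict[str, str]]:
    """_SF_SZ_OPTIONS: no AAA and no HTTP callout.  The preflight is answered from
    the Origin header alone; a browser only sends credentials on the follow-up
    request if the allow headers come back for its origin."""
    origin = req.headers.get("Origin", "")
    if origin in TRUSTED_ORIGINS:
        return 200, {"Access-Control-Allow-Origin": origin,
                     "Access-Control-Allow-Credentials": "true"}
    return 403, {}  # untrusted domain: no allow headers, so no credentials follow


def handle_connector(req: Request) -> Tuple[int, Dict[str, str]]:
    """Connector vserver: AAA stops the request unless credentials are present."""
    if not req.headers.get("Authorization"):
        return 401, {"WWW-Authenticate": "Basic"}
    return 200, {}


def handle_data(req: Request) -> Tuple[int, Dict[str, str]]:
    """Data vserver: the HTTP callout validates the URI signature before forwarding."""
    presented = req.query.get("sig", "")
    if hmac.compare_digest(presented, sign_path(req.path)):
        return 200, {}
    return 403, {}


HANDLERS = {"_SF_SZ_OPTIONS": handle_options,
            "SZ_CONNECTOR_AAA_LB": handle_connector,
            DATA_LB: handle_data}


def front_door(req: Request) -> Tuple[str, int]:
    """Run a request through _SF_CS_ShareFile and the vserver it selects."""
    policy, target = select_vserver(req)
    status, _headers = HANDLERS[target](req)
    return policy, status


if __name__ == "__main__":
    preflight = Request("OPTIONS", "/cifs/v3/Items",
                        {"Origin": "https://student-x.sharefile.com"})
    print(front_door(preflight))                                # ('_SF_SZ_OPTIONS_CSPOL', 200)
    print(front_door(Request("GET", "/proxyservice/v1/Items")))  # ('_SF_CIF_SP_CSPOL', 401)
```

Swapping the two priorities in CS_BINDINGS sends a connector-path OPTIONS preflight through AAA, which is the misrouting the lab's priority 10 / priority 20 ordering prevents.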
Part 3: Configuring NetScaler Gateway
Overview
Part 3 consists of creating a NetScaler Gateway policy and profile, as well as making all configurations
needed to enable SAML SSO to the XenMobile Server.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Section 1: Creating NetScaler Gateway Session Policy and Profile.
1. Navigate to NetScaler Gateway | Policies | Session and click Add.
2. Enter a Name: SF_SAML_SSO_POLICY
3. Click + next to Action.
4. Enter a Name: SF_SAML_SSO_PROFILE
5. Select the Client Experience tab and check the Override Global boxes of the three
   sections highlighted above.
6. Under Home Page, uncheck the Display Home Page box and verify that the word ‘none’
   populates the field.
7. Set Session Time-Out (mins) to 1.
8. Check the Single Sign-On to Web Applications box.
9. Select the Security tab.
10. Click the Override Global box; the Default Authorization Action will change to ALLOW.
11. Select the Published Applications tab and check the Override Global boxes of the four
    sections highlighted below.
12. Set the ICA Proxy to On.
13. Set the Web Interface Address to https://xms.training.lab:8443
14. Set the Web Interface Address Type to IPV4.
15. Set the Web Interface Portal Mode to Normal.
16. Set the Single Sign-On Domain to training.
17. Click Create.
18. The newly created Profile should be listed in the Action field.
19. Click Expression Editor.
20. An Add Expression window opens.
21. Change the Qualifier to HEADER.
22. Change the Operator to CONTAINS.
23. Enter NSC_FSRD as the Value.
24. Enter Cookie as the Header Name.
25. Click Done.
26. This is what the Policy should look like.
27. Click Create.
28. Checkpoint: This is what you should see.
29. Save the running configuration.
In this section you created the SAML SSO policy and profile required by the NetScaler to provide
SAML SSO communication to the XenMobile Server.
Section 2: Editing the NetScaler Gateway Virtual Server.
1. Navigate to NetScaler Gateway | Virtual Servers. Select the NetScaler_Gateway virtual
   server and click Edit.
2. Click + in the Policies section.
3. In the Choose Policy window verify that Session is selected (it should default to this) and
   that in the Choose Type window Request is selected.
4. Click Continue.
5. Click to Select in the Select Policy field.
6. Bullet the SF_SAML_SSO_POLICY just created.
7. Click OK.
8. Change the Priority to 10 and click Bind.
9. Checkpoint: This is what you should see.
10. In the Advanced section on the right-hand side click + in the Published Applications
    section.
11. Click the Right Arrow in the ‘No STA Server’ section.
12. Type https://xms.training.lab in the Secure Ticket Authority Server window and
    select IPV4 from the Secure Ticket Authority Server Address Type drop-down.
13. Click Bind.
14. From this window select the 1 STA Server section in Published Applications.
15. This is what you should see.
16. Click Close.
17. From the Advanced section on the right-hand side click + in Other Settings.
18. Uncheck Redirect to Home Page.
19. In the ShareFile field type xms.training.lab:8443
    In the AppController field type https://xms.training.lab:8443
20. Click OK.
21. Checkpoint: This is what you should see.
22. Click Done.
23. Click the Disk icon at the top right to save the running configuration.
24. Click Yes.
25. Click Logout and close the browser.
In section 2 you configured the NetScaler Gateway to allow for SAML SSO to the XenMobile
Server. In this solution, traffic from the ShareFile clients passes through the NetScaler Gateway and is
redirected to the XenMobile Server for Active Directory authentication via SAML.
Exercise Summary
In Part 1 students learned how to use the NetScaler for ShareFile Wizard which created traditional
Load Balancing rules to ensure StorageZone Controller high availability, as well as Content
Switching for both ShareFile Data (including HTTP Callouts and Responder Policies) and ShareFile
Connector traffic (including AAA Authentication).
In Part 2 students configured an additional load-balanced vServer and content switching policy
enabling Restricted StorageZones.
In Part 3 students configured the NetScaler Gateway with the information necessary to enable it to
provide SAML single sign-on authentication with the XenMobile Server.
Key takeaways include:
• You created the session policy and profile necessary for the configuration. The NetScaler
  Gateway already had the authentication policy and SSL certificate bound to it.
• You configured the NetScaler Gateway virtual server.
• You added the XenMobile Server as an STA and in the options section you disabled the
  cginfra home page redirection, necessary for forms-based SAML, and under ShareFile URL
  you added the internal server name and port of your XenMobile Server; this configuration
  authorizes requests to the specified URL through the /cginfra path.
Exercise 2
Configuring On-Premise Storage Zones
Overview
For this exercise, you will create an on-premise storage zone that allows users to store files on
premise in a CIFS file share instead of in the ShareFile cloud. An empty file share has been created
for you at \\szc1.training.lab\sharefiledata.
Note: When installing on-premise StorageZones without a NetScaler in front of the solution, a
server with a public Internet address and a trusted SSL certificate is required. Because this lab has
a NetScaler configured, this is not required, as the NetScaler will handle the SSL communications on
behalf of the StorageZones Controller servers.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
Section 1: Configuring StorageZones Controller Software on SZC1
1. From the student desktop VM navigate to Start | Run, enter mstsc and click OK.
2. Enter SZC1 into the computer name.
   Click Connect.
3. You will be prompted to enter credentials to make an RDP connection.
   Log in with the administrator’s credentials. Click OK.
   User name: training\administrator
   Password: Citrix123
4. Click on the IIS Manager icon in the taskbar and navigate to the Default Web Site.
   Select Browse localhost on: 80 (http).
5. Verify that Citrix ShareFile is displayed.
6. Close the web browser and close IIS Manager.
7. Open Internet Explorer and enter the following in the URL window (you can use the
   pull-down arrow).
   http://localhost/configservice/login.aspx
8. Enter the details for your ShareFile lab account and click Log In.
   Email: [email protected]
   Password: citrix123
   Subdomain: <student account>.sharefile.com
9. Bullet Create New Zone and enter a name.
10. Enter the External Address, which is the IP1 FQDN address from your lab documentation,
    in the form listed above.
11. Check the 2 boxes to Enable StorageZone Connectors.
12. Check the box next to Enable StorageZone for ShareFile Data.
    Check the box next to Create a Restricted Zone.
    Complete the Local Network Share Configuration fields using the following information:
    Network Share Location: \\szc1.training.lab\sharefiledata
    Network Share Username: training\administrator
    Network Share Password: Citrix123
13. Enter a Passphrase (Citrix123 as an example), confirm it by entering it again and
    click Register.
14. Once completed you will see the following message.
    Click Go there now.
15. Enter the following information:
    SMTP server address: exchange.training.lab
    SMTP port number: 25
    Sender address: [email protected]
    Send sample email to: [email protected]
    Click Send Test email.
16. Click Apply.
17. This is the message you will see.
18. Click Log Out.
19. Navigate to Start (Windows icon) | Run, type Drivers and click OK.
20. Open the etc folder.
21. Open the Hosts file.
22. You will be prompted How do you want to open this file?
    Select Notepad.
23. Enter the information similar to below.
    On the left side enter 192.168.10.30 (the IP address of the SZC server).
    On the right side enter the FQDN of YOUR IP1 address from the Lab website.
24. Click File | Save.
25. Close all windows and close the RDP session.
26. Normally this is where you would configure the 2nd StorageZones Controller server
    and link it to the primary server. The configuration is redundant, so to ensure you
    finish the entire lab it has been removed.
Exercise Summary
In this exercise students learned how to configure a StorageZones Controller server for Restricted
StorageZones, including the SMTP service needed for e-mail communication from ShareFile.
Exercise 3
Configuring ShareFile User Management Tool
Overview
In this exercise students will configure and use the ShareFile User Management Tool (UMT) to add
users to their ShareFile training account. The UMT is considered the best practice for provisioning
users into ShareFile as it provides the most configurable options through the user interface.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Section 1: Exploring StorageZones
1. From the student desktop VM navigate to Start | Run, enter mstsc and click OK.
2. Enter win7 into the computer name.
   Click Connect.
3. You will be prompted to enter credentials to make an RDP connection.
   Log in with the administrator’s credentials. Click OK.
   User name: training\administrator
   Password: Citrix123
4. From the desktop launch the ShareFile User Management Tool.
5. Log in using your ShareFile training account and administrator credentials.
6. Enter the domain information in the Connect to Domain window.
   Domain: training.lab
   UserName: administrator
   Password: Citrix123
   Click Connect.
7. From the Dashboard tab select the Users icon.
8. Select the ShareFile OU and click Add Rule.
9. You will be prompted with the Edit Users Rule window.
10. Change How will your employees log in? to AD-Integrated.
11. Change StorageZone to ShareFile US East.
12. Change Default Company Name to Training.
13. Check the box next to Add to Shared Address Book.
14. Click Save and then click Close.
15. Select the Rules tab and click Refresh.
16. Click Commit Now.
17. Click OK.
18. This is what you should see when finished.
    Close the UMT tool and close the Win7 RDP session.
Exercise Summary
In this exercise students configured the ShareFile User Management Tool (UMT) which is primarily
used by our enterprise customers for ShareFile account provisioning from Active Directory.
You configured a rule to sync users in the ShareFile Users OU into your ShareFile student lab
account and you could have set a schedule so that the sync would run at specific times of the day.
When configured this way any changes to the ShareFile Users OU would be synced at the next
time interval keeping the 2 systems in sync.
Exercise 4
Configuring ShareFile Enterprise
Overview
In this exercise students will explore StorageZones within ShareFile.com. You will create a folder
that uses the on-premise Restricted StorageZone you created in Exercise 2 and you will upload
some files in it to demonstrate the Restricted StorageZone authentication requirements and file
structure. Finally you will use the Win7 virtual machine to check the e-mail for user1.
Step by step guidance
Estimated time to complete this lab: 20 minutes.
Section 1: Exploring StorageZones
1. From your student laptop, open a browser, go to the URL of your ShareFile account
   and log in using the Client Login with the following credentials:
   URL: https://student-x.sharefile.com
   Email Address: [email protected]
   Password: citrix123
2. After logging in click on Admin in the menu bar.
3. Click StorageZones in the left-hand column.
4. Select the name of the StorageZone you just created.
5. Statistics on each StorageZone Controller, as well as any users or folders that are using
   that StorageZone, are presented on this page.
6. Now you’ll create a new ShareFile folder that uses your Restricted StorageZone for file
   storage.
   Click Home in the menu bar followed by the Shared Folders tab to reach a top-level
   folder in the ShareFile account.
7. Click Create Folder.
8. Name the folder RESTRICTED and select your Restricted StorageZone name from the
   drop-down list of StorageZones.
   In the Add Users section select Add From Shared Address Book.
   Click Create Folder.
9. Check the boxes next to both users and click Add Selected Users.
10. Check all boxes under Configure custom permissions and click Add Users.
11. Click Save Changes.
12. You will be prompted to enter AD credentials.
    Enter the following:
    User Name: user1
    Password: Citrix123
    Click Log In.
13. Once authenticated you will be taken into the RESTRICTED folder.
14. Log out of your ShareFile account and completely close the browser.
15. Download some sample files from https://mhowell.sharefile.com/d/s121a13afbf34841b,
    unzip the downloaded file and store it on the student laptop.
16. From your student laptop, open a browser, go to the URL of your ShareFile account
    and log in using the Client Login with the following credentials:
    URL: https://student-x.sharefile.com
    Email Address: [email protected]
    Password: citrix123
17. Navigate to the Shared Folders tab and open the RESTRICTED shared folder just created.
18. You will be prompted to authenticate to Active Directory.
    Enter the following:
    User Name: user1
    Password: Citrix123
    Click Log In.
19. Select Upload Files.
20. Select Choose Files or drag and drop files.
21. Navigate to the location where you stored the test documents. Select a couple of
    documents and click Open.
22. Click Upload Files.
23. This is what you should see when finished.
24. Click Log Out and close the browser.
25. From the student desktop VM you can view the file objects as they are added to the
    folder structure beneath \\SZC1\sharefiledata\persistentstorage\...
    When prompted for credentials use:
    Username: training\administrator
    Password: Citrix123
26. From the student desktop VM navigate to Start | Run and type mstsc.
27. Log in to the Win7 VM.
    Click Connect.
28. Enter Citrix123 for the Password. Click OK.
29. From the Win7 VM desktop launch the Chrome – Outlook Web Access shortcut.
    Bullet This is a private computer.
    Password: Citrix123
    Click Sign In.
30. Verify that an email was sent to [email protected] notifying that user that files were
    uploaded to the RESTRICTED shared folder.
31. You will also see the test e-mail sent when you initially configured the SMTP service on
    the StorageZones Controller server.
32. Close Outlook and close the Win7 RDP session.
Exercise Summary
In this exercise students learned how to configure a shared folder in ShareFile to use a customer-managed
StorageZone. They uploaded some files to that folder and verified that the SMTP server
configured in Exercise 2 is functioning properly.
Exercise 5
Configuring XenMobile Server
Overview
In this exercise students will learn how to configure the XenMobile Server as the IDP to allow for
SAML Single Sign-On.
Step by step guidance
Estimated time to complete this lab: 15 minutes.
Section 1: Adding a ShareFile Users Delivery Group to XenMobile Server.
1. From the student desktop VM open Google Chrome and navigate to
   https://192.168.10.50:4443. You will be prompted with a “Your connection is not
   private” message.
2. Click Advanced.
3. Click Proceed to 192.168.10.50 (unsafe).
4. Log on using the following credentials:
   Username: administrator
   Password: Citrix123
5. Select the Configure tab.
6. Select Delivery Groups and click Add.
7. Enter a Name: ShareFile Users and a Description (optional).
8. Click Next.
9. Type the word ShareFile into the Include User Groups field and click Search.
10. Check the box next to the training.lab\ShareFile Users security group.
11. Click Next.
12. Don’t make any changes. Click Next.
13. Don’t make any changes. Click Next.
14. Don’t make any changes. Click Next.
15. Click Save.
16. This is what you will see when finished.
In section 1 you added a ShareFile Users Delivery Group to the XenMobile Server. This is
important for user provisioning because using the default ‘All Users’ group would allow provisioning
of all users into your ShareFile account, which is typically not what customers want to do. In this lab
there are 2 users in the ShareFile Users security group, user1 and user2.
Section 2: Configuring ShareFile integration.
1. Select the Configure tab and select Settings and More.
2. Under the ShareFile section, select ShareFile.
4. Enter the Domain, which is the test ShareFile account assigned to you.
5. Check the box next to the ShareFile Users Delivery Group.
6. Use the following credentials for the ShareFile Administrator Account Login:
   User name: [email protected]
   Password: citrix123
7. Click Save.
8. This is what you will see when Save is complete.
9. Click Sync.
10. Click OK.
11. Click Cancel.
12. This completes this exercise. Keep this window open.
This section configures the ShareFile communications from the XenMobile Server to the ShareFile
account. In your lab you will be assigned a student account (student-x.sharefile.com); this is
the account information entered above. This configuration is used for 2 things in ShareFile: account
provisioning and SAML communications.
Section 3: Configuring XenMobile Server to Communicate with NetScaler
1. Select the Configure tab and select Settings and More.
2. Select NetScaler Gateway.
3. Click the Add button.
4. Enter a Name: NS01
5. Enter an Alias: NetScaler_Gateway
6. The External URL is the IP2 FQDN address provided when the lab was provisioned. Enter the External URL in the form https://<IP2 FQDN.mycitrixtraining.net> (https://75-126-165-68.mycitrixtraining.net as an example).
7. Select the Set as Default switch.
8. Click Save.
9. This is what you should see. Authentication should have switched to On. If it didn’t, switch it to On.
10. Click Save.
11. Click OK.
12. Click Log Out.
13. Close the browser.
Exercise Summary
In this exercise students integrated the XenMobile Server with ShareFile and NetScaler, making the necessary configurations to allow it to serve as the IDP for ShareFile SAML Single Sign-On.
Key takeaways include:
• Configuring a Delivery Group that limits the overall Active Directory environment to a specific set of users designed to use ShareFile.
• Integrating the ShareFile account with the XenMobile Server and, in doing so, adding SSO configurations to ShareFile Enterprise specific to the XenMobile Server.
• Configuring the NetScaler deployment, allowing the XenMobile Server to communicate with NetScaler.
Exercise 6
Configuring ShareFile Account for SAML SSO
Overview
In this exercise students will learn how to configure the ShareFile account for SAML SSO using the XenMobile Server as the IDP.
Step by step guidance
Estimated time to complete this lab: 5 minutes
Section 1: Configuring ShareFile Account for SAML SSO
1. From your Student Laptop open a browser and navigate to your ShareFile training account (student-x.sharefile.com). Log in to the Client Login with the following credentials:
   Email Address: [email protected]
   Password: citrix123
2. Navigate to Admin | Configure Single Sign-On.
3.
4. Change the Login URL to the following:
   https://<IP2FQDN>.mycitrixtraining.net/cginfra/https/xms.training.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true
   **Do not try to cut and paste this expression, it will not work; manually type the information into the Login URL.
   Make sure the Login URL in ShareFile matches this exactly. If not, SAML SSO will NOT work.
5. Check the Enable Web Authentication box.
6. Change the SP-Initiated Auth Context to Username and Password.
7. Click Save.
8. Log out of ShareFile.
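Because the lab warns that the Login URL must match exactly and must be typed by hand, here is an added check (not part of the original lab guide): it builds the expected Login URL from the IP2 FQDN and compares a typed URL against it component by component. The FQDN 75-126-165-68.mycitrixtraining.net is the guide's own example value; the function names are assumptions of this example.

```python
from urllib.parse import urlparse, parse_qsl

# Constructed example value; in the lab this is the IP2 FQDN assigned at provisioning.
IP2_FQDN = "75-126-165-68.mycitrixtraining.net"

# Path on the XenMobile Server, reached through the NetScaler Gateway cginfra relay.
XMS_SAML_PATH = "/cginfra/https/xms.training.lab:8443/samlsp/websso.do"

# Query parameters the lab requires, exactly as printed in step 4.
EXPECTED_QUERY = {
    "action": "authenticateUser",
    "app": "ShareFile_SAML",
    "reqtype": "1",
    "nssso": "true",
}


def build_login_url(ip2_fqdn: str) -> str:
    """Assemble the ShareFile SAML Login URL for a given NetScaler Gateway FQDN."""
    query = "&".join(f"{k}={v}" for k, v in EXPECTED_QUERY.items())
    return f"https://{ip2_fqdn}{XMS_SAML_PATH}?{query}"


def check_login_url(url: str, ip2_fqdn: str) -> list:
    """Return the list of mismatches; an empty list means the URL matches the lab exactly."""
    problems = []
    parts = urlparse(url.strip())
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.netloc != ip2_fqdn:
        problems.append(f"host is {parts.netloc!r}, expected {ip2_fqdn!r}")
    if parts.path != XMS_SAML_PATH:
        problems.append(f"path is {parts.path!r}, expected {XMS_SAML_PATH!r}")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for key, value in EXPECTED_QUERY.items():
        if key not in query:
            problems.append(f"missing query parameter {key}")
        elif query[key] != value:
            problems.append(f"query parameter {key}={query[key]!r}, expected {value!r}")
    for key in query:
        if key not in EXPECTED_QUERY:
            problems.append(f"unexpected query parameter {key}")
    return problems


if __name__ == "__main__":
    good = build_login_url(IP2_FQDN)
    print(good, check_login_url(good, IP2_FQDN))
    # A typical hand-typing slip: a space where the URL wraps on the printed page.
    print(check_login_url(good.replace("training.lab", "training.la b"), IP2_FQDN))
```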
Exercise Summary
In this final configuration exercise students finished the SAML SSO configuration by entering the Login URL that ShareFile will use when redirecting login requests to SAML single sign-on, and by changing the authentication model to forms-based, using User Name and Password as the authentication context.
Exercise 7
Testing the Solution – (Optional)
Overview
In this exercise students will test the solution that they’ve just built. Testing is limited to using the browser to log into ShareFile using SAML as instructed.
Step by step guidance
Estimated time to complete this lab: 5 minutes
Section 1: Testing SAML via a Browser
1. From your Student Laptop open a browser and navigate to your ShareFile training account (student-x.sharefile.com). Log in to the Employee Login by clicking the LogIn button.
2. You will be redirected to a NetScaler Gateway authentication page.
3. Enter the credentials:
   Username: user1
   Password: Citrix123
   Click Log On.
4. You’ll be logged in to ShareFile with a Welcome message; click Close Tour.
5. Navigate to Shared Folders.
6. Open the Restricted folder.
7. Enter the AD credentials for user1 and click Log In.
   User Name: user1
   Password: Citrix123
8. When you enter the domain credentials to get into the Restricted StorageZone folder, what you are doing is authenticating to the StorageZone Proxy Service, which in turn decrypts the file metadata, allowing you to see and understand the file names inside the folder.
9. The Restricted folder will open.
This concludes the lab. To quickly recap what you’ve done:
• First you used the Setup ShareFile for NetScaler wizard to configure NetScaler to provide HA and secure communications to the ShareFile StorageZones Controller server.
• You then configured the NetScaler to allow for Restricted StorageZones.
• Next you configured NetScaler Gateway with the necessary information to allow SAML authentication to the XenMobile Server.
• In exercise 2 you configured the StorageZone Controller server for a customer-managed Restricted StorageZone and configured an SMTP server for Restricted StorageZone emails.
• In the 3rd exercise students configured the ShareFile User Management Tool (UMT), which is primarily used by our enterprise customers for ShareFile account provisioning from Active Directory.
• In the 4th exercise you configured the ShareFile account with a shared folder that uses the customer-managed Restricted StorageZone and uploaded files to that shared folder.
• In exercise 5 you configured the XenMobile Server with a delivery group specific to ShareFile. You configured the ShareFile integration to the ShareFile account, using the delivery group you previously created, and finally you integrated the NetScaler Gateway with the XenMobile Server.
• Finally, in exercise 6 you entered the final pieces of information into the ‘Configure Single Sign-On’ section of the ShareFile web application to complete the solution.
What you’ve accomplished is building the most secure ShareFile Enterprise deployment. Users will be authenticated to ShareFile using their Active Directory credentials, so there is no need for additional usernames/passwords, and authentication happens in the customer datacenter and not in the cloud. Additionally, all ShareFile traffic destined for the customer-managed Restricted StorageZone will be stopped and authenticated in the DMZ using the NetScaler, allowing only valid, authenticated traffic into the datacenter, thus achieving all of the CEO and CTO requirements as defined in the opening scenario.
Revision: 1.0
Change Description: Original Version
Updated By: Mark Howell
Date: May 2015
About Citrix
Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, securely accessing apps and data on any of the latest devices, as easily as they would in their own office. Citrix solutions help IT and service providers build clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 330,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.