After being involved in several small an midsize Sharefile environments I recently migrated a Enterprise customer to ShareFile. They had a great vision in terms of flexible working, which was really nice, but very challenging from a technical perspective. Beside the number of users, this customer didn’t start with ShareFile as a greenfield environment, but decided to migrate all data into ShareFile. The customer didn’t want to use CIFS or ShareFile connectors, all data had to be placed into on premise Storage Zones.
Data would be accessible only through ShareFile, no other file services would be offered
Clients
Although Citrix ShareFile offers a client for almost every platform, the different clients don’t have the same functionality. For example the Windows and Mac OSX Client are not able to display the ShareFile CIFS connector. We were told Citrix has a different vision/idea about a classic Windows/Mac OSX client, on these clients users are supposed to use a classic drive mapping. From a user perspective I hope ShareFile will add this functionality in a upcoming release of the Windows and MAC OSx clients, one interface for all data across all clients is much simpler and transparent for end users!
The “Sync for Windows” & “Sync for Mac” client don’t support CIFS Share integration
For Mac OSX and mobile devices the client to choose is evident. There is only one choice. For Windows it is a different ball game. Windows has several options available:
In our case we have chosen to use the “Sync for Windows” client on all Windows devices in the environment. An environment which exists of desktops, laptops and a Citrix XenDesktop farm. For desktop and laptops the installation was pretty straight forward and we didn’t need to customize much. With the ShareFile preferences GUI, users are able to determine which folders need to be available for them, after which the selected files are cached offline. For a desktop or laptop I don’t mind the files being cached offline, for my Citrix XenDesktop server however I don’t want all users caching all files locally. Lucky the Sync for Windows client is RDS aware and behaves different, in this case on-demand sync is used! Because of the on-demand sync, we wanted to present all files and folder a user was authorized for. This could easily be achieved by using the ShareFileOn-demand.admx to configure the Sync for Windows client on an RDS server. We added all root RemoteFolderId’s to the On-demandFolderIds part of the policy. Users are presented a full list of files and folders to which they have access and are only synchronized when accessed.
ShareFile On-Demand Sync is designed for integration with hosted desktops and applications running in XenApp and XenDesktop environments. Unfortunately the on-demand sync options is not available on desktops or laptops, in my opinion this would be a nice addition
XenMobile
Companies who purchase XenMobile Enterprise are entitled to use Citrix ShareFile as well. The integration of ShareFile and XenMobile creates whole new challenges, which I won’t discuss in the article. I’m currently writing a separate blog about the XenMobile / ShareFile integration.
XenMobile Enterprise are entitled to use Citrix ShareFile as well
Shared Folders
Every shared folder within ShareFile may contain other authorizations, which makes it very flexible as collaboration platform. Granting users access to folders however can be a very time consuming process and painful process. The most obvious method would be through the ShareFile website (Control Plane), but in our case it took up to 3 minutes to add a single user or distribution group to a folder. This was mainly caused by the large amount of distribution groups we initially used. With the default management tools it’s a real nightmare when 800+ folders have to be modified, lucky we were able to create a more efficient method. Later on I will explain how we were able to automate and speed-up several ShareFile tasks.
Limit the number of distribution groups in your ShareFile account to prevent the control plane from a decreased performance
Distribution Groups
To simplify the folder authorisation process ShareFile offers “Distribution Groups” which are similar to active directory groups. When distribution groups are being added to shared folder users only have to be member of the corresponding groups to get access to shared folders. Creating and maintaining Distribution Groups via the ShareFile website (Control Plane) can be done for small environments but is very labor intensive for enterprise accounts when the enterprise environment needs a lot of distribution groups and has a lot of users! In an enterprise environment I want the “Distribution Groups” to be in sync with linked active directory groups. For this, and several other tasks Citrix Sharefile offers a User Management Tools (UMT) which can be used to automatically synchronize those groups. In our case we used a different method which I will discuss later on.
Make use of UMT to synchronize ShareFile distribution groups with Active Directory groups!
User Management Tool (UMT)
As just discussed the User Management Tool (UMT) can be used to simplify some ShareFile administration tasks. UMT can be used to provision new ShareFile user accounts, create distribution groups, link distribution groups to AD groups and accordingly update group membership of distribution groups. Unfortunately we experienced some issues with the User Management Tool 1.7 and initially weren’t able to make use of it. Despite the fact that all groups were visible in the logs files, several AD groups were not visible in the GUI, without this we weren’t able to create new rules for those. UMT Rules are used to create and maintain membership of distribution groups, according the linked AD groups. The UMT Rules which were in place, didn’t update the groups membership correctly in several cases.
Finally we discovered why several AD Groups were not being displayed in the UMT GUI. UMT uses the group displayname when it’s available, in our case we had several active directory groups with a different displayname (Previously someone renamed them renamed incorrectly). Second thing we found out was that UMT can only manage distribution groups and sharefile users which were created by UMT itself.
Using UMT to manage distribution groups without also creating and updating ShareFile users is a non-supported option for the tool.
Don’t worry if you are currently running in à mixed mode were accounts are created by both thé App Controller and UMT. The missing UMT attribute in the ShareFile user account (within the Control Plane) can be updated afterwards by running a created new user account rule. Existing accounts won’t be overwritten or created twice, but the existing account will be updated and will be manageable from UMT afterwards.
UMT versus AppC Auto Provisioning
So here we have a dilemma, we are using the XenMobile AppController for ShareFile SSON and auto provisioning, but in fact we should be using the UMT tool. What will happen with ShareFile SSON within XenMobile if were are switching over to UMT? This raises some challenges, how where we going to manage this enterprise account?
Disable AppC Auto Provisioning
ShareFile Support informed us of a non official workaround which would disable the XenMobile Appcontroller auto provisioning.
- Create a ShareFile user account with limited permission. The required admin priviliges are “Modify account-wide policies” and “Configure single sign-on settings
- Within the AppController create a Roles, for example “APP-XAM-ShareFile” and add the AD Group containing all ShareFile users.
- Within the AppController on the Apps & Docs tab configure ShareFile. Assign the previously created ShareFile user and Role.
- Check the SSON url within the ShareFile control plane, update ShareFile settings in the AppController causes SSON url reset !
The way the App Controller is designed, AppC will still try to provision the users in ShareFile. Checking at the backend logs from the AppC database, it can be seen that the AppC is under the impression that it has successfully provisioned the users in SF and get a success status. However, because of the way the PseudoSuperUser permissions are configured, it actually fails at the ShareFile end based on user permissions. This achieves the purpose of stopping provisioning.
Be aware updating the ShareFile configuration in the AppController will reset the Login URL on the control plane!
If user are not able to logon through SAML and receives a error message “ShareFile SAML is no longer accessible to you” check the users group membership assigned in bullet 3.
Update Mirror List
Independently of the tool used to provision new ShareFile users, u are dependent of mirror list to get updated by the ShareFile Control Plane The mirror list is updated once a day at 02:00! This schedule can not be adjusted of forced manually. So even though the provisioning of a new ShareFile user can be triggered manually, SAML users won’t be able to logon until 02:00 the next morning. We were told the ShareFile team is working on a global update, which would increase the frequency of the mirror list sync jobs, unfortunately they didn’t gave us an ETA
The ShareFile_SAM_SP mirror list is only update once a day at 02:00 and cannot be forced manually!
At first we configured our ShareFile / XenMobile setup according to Citrix documentation Configure ShareFile Single Sign-On with XenMobile. In this case we are dependant of the 02:00 Control Plane synchronization which prevents new ShareFile users from using their account right away. However if you forget this and configure it exactly as we described in the section “Disable AppS Auto Provisioning” you are not affected by the 02:00 sync! In this case you are only making use of the ShareFile SAML mirror list within the App Controller, which can be synchronized manually. Provisioning a new ShareFile SAML user can be done in minutes !
- Add new active directory user to corresponding active directory ShareFile group
- Refresh and Commit changes in UMT (Manually in GUI, or through scheduled task)
- Sync ShareFile Configuration in AppController
- Just to be sure check if user exists on ShareFile_SAML mirror list and user is good to go!
For completeness the App Controller mirror list can be accessed through https:/AppCFQDN:4443/admin/
Make it easy on yourself, don’t use the ShareFile_SAML_SP application for SSON in a XenMobile / ShareFile setup!
Reconcile-User
Despite a active directory user is member of the correct ShareFile group, and a ShareFile account is provisioned in the Control Plane a user sometimes still isn’t able to logon through SAML. Depending of the ShareFIle client being used all kind of weird error messages are being reported. After the obvious causes have been checked which are:
- Does a ShareFile account exists in the Control Plane;
- Has the AD user object a similar email and UPN name;
- Is the AD user member of the correct AD ShareFile security group
Most likely something is wrong with the “Active Directory” of “ShareFile” mirror list within the App Controller. Logon to the admin console https:/AppCFQDN:4443/admin/ and check both mirror lists. Even do everything looks correct, sometime you need to reconcile the user from both mirror lists to get it working again.
Upload Data
From a user perspective ShareFile did a great jobs to facilitate users with a easy way to migrate their data. In our situation the case was slightly different, the IT department was supposed to migrate all existing shared and personal data into ShareFile. After examining the various methods we decided the ShareFile Sync for PowerShell would be our best option. Unfortunately there is not that many information on this, Helge Klein wrote a nice blog about this. Only challenge with this is the RemoteFolderName which needs to be extracted, folder by folder, not something you would like to manually. Lucky we were able to automate this, which I will discuss later.
RemoteFolderName My Files & Folders
Just like the ‘shared folders’ the ‘my files and folder’ (personal folder) also contains a RemoteFoldersName. You will need this RemoteFolderName to upload all personal userdata into ShareFile. The personal folder is being created soon as the users logs on the first time, not when the account is being provisioned. So therefore, you (the migration team), have to logon with all ShareFile user accounts just to get the personal folder created. To our knowledge there currently is no other option, so again we had to think of another trick.
The My Files & Folder is created on first user access! Every ShareFile user needs to logon once before data can be uploaded
MaxDirSize Netapp
When we started the project we used a CIFS share hosted on a NetApp. After a while ShareFile suddenly stopped adding new files. Files were being upload to the temp folder, but not moved to the persistentstorage folder anymore, even tho we had plenty of storage available. It took us a while to figure out what was causing the issue. Fortunately ShareFile support came with the answer it probably had to do with the default MaxDirSize value of the NetApp. After uploading ShareFile moves all data into one single folder, in our case that folder contained 500.000 + files, which exceeded the maximum default number of files on a NetApp. After we increased this limit we were good to go again.
The log files were misleading, and first we misinterpreted those.
ERROR in MoveLocalFileToCache NetAppShare$filesul-api-xxxx to s3sf-eu-1xx
System.ApplicationException: Failure moving file ‘NetAppShare$filesul-api-xxxx’ to cache location ‘NetAppShare$persistentstoragesf-eu-1xxxx’! —> System.IO.IOException: There is not enough space on the disk.
No changes to the file system are required since NTFS supports more than 4 billion files in one folder. In practice, according to ShareFile support, one customers had an issue on NTFS because of the 8.3 file names. There is an article that provides some recommendations for Windows file servers: http://blogs.technet.com/b/josebda/archive/2012/11/13/windows-server-2012-file-server-tip-disable-8-3-naming-and-strip-those-short-names-too.aspx . Unfortunately, ShareFile support do not have much real-life data on that and cannot verify if the change is required/useful. ShareFile support noticed a performance decrease on Windows Server 2008 with 1.5M files, although this caused no zone corruption.
ShareFile stores all data into one folder called persistentstorage, make sure that it can contain (very)many files
Limited Access
Somewhere during the project we noticed several settings were suddenly grayed out and couldn’t be changed anymore. For example we were not able to change a user’s default StorageZone. After some investigation we noticed the StorageZones were not healthy, which was normal because the secondary on premise storagezone controller where offline for maintenance. Soon as the Storage Zone were reporting healthy again, all grayed out fields were editable again
Check your StorageZone health status if access to ShareFile administrative settings are limited
Spinning Icon
After we migrated several users from the public to the on premise storage zone, ShareFile was reporting “File operation in progress” for ever, even with completely empty accounts.
After consulting the detailed information, we noticed all migrations seemed to be stuck at 100%. Hitting the cancel button stopped “File operation in progress”, but somehow this didn’t felt ok. We contacted ShareFile support and were told this currently is a know issue, for which a solution would be available shortly
FINRA Archiving
ShareFile is FINRA compliant, but only in case cloud storage is being used, the cannot be used with on-premise storage. There currently is no way for Citrix to enable Archiving since they do not control the data that is stored in your private zone. Archiving is used for compliance on ShareFile Financial accounts and that option is not available on this Enterprise account.
Data Backup and Restore
To backup all ShareFile data we daily backup the persistancestorage folder to an offsite location. This way we are able to meet the customer’s requirement to restore files 7 years back in time. Files deleted in ShareFile remain in the persistent storage 7 days, before really removed. The file meta data, which exists in the ShareFile control plane is kept for 2 years by Citrix. This can be a challenge because without the metadata we don’t know which file we need. We asked ShareFile support if we are able to backup the metadata our self, or if ShareFile is able to keep the meta data for at least 7 years, but until now we are still awaiting the answer. More information regarding ShareFile backups can be found within the eDocs.
http://support.citrix.com/proddocs/topic/sharefile-storagezones-22/sf-storage-center-recovery.html
http://support.citrix.com/proddocs/topic/sharefile-storagezones-22/sf-manage-recover.html
Enterprise Ready Toolkit
Going this blog articles I very often wrote I would reveal our automated tips and tricks later on, well now that time has come! While discussing our ShareFile challenges with a community member Daniel Nikolic, we realised there was a gab between services ShareFile offered out-of-the-box and Enterprise requirements. I’m able to indicate what I would like, in terms of functionality but unfortunately my programming skills are quite limited. Luckily visual studio is a piece of cake for Daniel. Daniel has invested a considerable amount of free time to write a application, which was our lifesaver. With the use of this application, which makes use of the ShareFile API we were able to automate and speed up several challenges we were facing. Our Enterprise Ready Toolkit currently is capable of:
- Automatically logon with all ShareFile accounts, so the personal folder is being created.
- Extract all RemoteFolderNames from shared and personal folders
- Extract all distribution groups
- Extract all shared folders (name / path)
- Automatically add distribution groups to shared folder, with the required authorizations (Excel Sheet)
- Automatically add ShareFile account to distribution groups (Excel Sheet)
- Automatically change settings like the default storage zone on multiple users, located in several OU’s
We are planning to release this freeware toolkit somewhere around our E2EVC 2014 Barcelona ShareFile presentation, presented by Martijn Hulsman and Esther Barthel.
Success Manager Program
Citrix offers a ShareFile success manager program for customers with + 1000 users. The purpose of the program is a single point of contact within Citrix ShareFile. Responsible for overseeing all phases of implementation and overall account management. Making use of this program makes your life much easier! Quickstart Program Details
Summary
Despite the technical challenges we faced during this project I really like ShareFile, it certainly increase my ability to access my data from any device, from any place, in a secure way. By using our Enterprise Ready Toolkit upcoming ShareFile migrations will be going much smoother and we’ll be able to serve our customers much better. I do hope several needed features will be added to upcoming releases of the User Management Tool, so everyone can profit those. Finally I would like to thank all Citrix ShareFile Support members and Success Managers who have accompanied us to make this project a success! And do not forget Daniel Nikolic for the time he invested in the Enterprise Ready Toolkit !
Useful links
I’m not going into detail on the next subjects, but these articles were very helpful to me
- Custom Login Screen
- ShareFile Support 1-800-441-3453 (US), (0800) 680-0621 (UK)
- [email protected]
- Knowledge Base: https://www.sharefile.com/support
- Citrix eDocs: http://support.citrix.com/proddocs/topic/sharefile/sf-landing-page.html
- Tools and Software downloads: http://www.citrix.com/downloads/sharefile/
- ShareFile System Status http://status.sharefile.com/
Versions
At the time written these versions were used:
- StorageZone Controller 2.2.2
- User Management Tool 1.7.12
- Sync for Windows 2.12.108.1