Restricted storage zones
Restricted storage zones are used to protect sensitive data: only employees can access data in a restricted zone.
Third-party user authentication is not supported in a restricted zone, so files in it cannot be shared with anyone who lacks a domain account.
Note:
Restricted storage zones are End of Maintenance. This lifecycle policy is described in more detail under the Lifecycle Milestones Definitions. The creation of new restricted storage zones is not supported. Existing customers utilizing restricted storage zones will receive further communication about any future product milestones.
Restricted zone features
Zone authentication: In addition to logging on to ShareFile, users must authenticate separately to the storage zones controller to access documents stored in a restricted zone. Directory lookup ensures that the user logging on to ShareFile is the same one authenticating to the zone. This extra authentication requirement limits sharing. Documents can be shared only with others who have access to the storage zones controller and who can authenticate using enterprise credentials. In a restricted zone, files cannot be shared anonymously. Users must be granted permission to view a file and must always log on to receive a shared file.
Metadata encryption: All information about files and folders in the zone is encrypted with your key before being sent to ShareFile. As a result, no one outside of your organization can see folder or file names in restricted zones. Access to encryption keys, decrypted files, and metadata is available only through enterprise authentication to storage zones controller.
Internal address for storage zones controller: For a restricted zone, authorization occurs between storage zones controller and ShareFile clients instead of between storage zones controller and the ShareFile cloud. As a result, a storage zones controller that hosts restricted zones does not require an external address or external SSL certificate. When the storage zones controller is configured with an internal-only address, users must connect to the company network or VPN to access documents in the restricted zone.
Email notifications from your mail server: When users receive email notifications about shared files and folders in a restricted zone, the email is sent from your internal mail server instead of a ShareFile server.
Differences between standard and restricted zones
Property | Standard zones | Restricted zones |
---|---|---|
Storage zone servers can be managed by… | Citrix or account administrator | account administrator |
User authentication is handled by… | ShareFile.com or ShareFile.eu | a combination of ShareFile.com or ShareFile.eu plus your on-premises storage zones controller |
Files can be shared with… | employees and third party users (that is, anyone with an email address) | employees or other users who have a domain account |
File and folder metadata stored in the ShareFile control plane is… | stored in clear text, visible to some Citrix employees | encrypted with your private keys, which are not available to Citrix |
Email notifications are sent using… | ShareFile mail servers or your SMTP servers | your SMTP servers |
An external address for the zone is… | required | not required |
Standard and restricted storage zones
You can designate a storage zone as standard or restricted.
- A standard storage zone is intended for non-sensitive data and enables employees to share data with non-employees.
- A restricted storage zone protects sensitive data: Only employees can access the data stored in the zone.
The differences between standard and restricted zones are summarized in the table under Differences between standard and restricted zones, above.
In a Citrix-managed zone, the ShareFile cloud performs all operations except for employee authentication, which is handled by storage zones controller.
In the standard zone, website maintenance and updates, client and application updates, file metadata, upload and download authorization, email notifications (SMTP), third-party user authentication, and folder permissions are handled in the cloud. Employee authentication and file storage and encryption are handled by the controller.
In the restricted zone, website maintenance and updates, client and application updates, and folder permissions are handled in the cloud. Employee authentication, file storage and encryption, file metadata, upload and download authorization, and email notifications (SMTP) are handled by the controller. Third-party user authentication is not supported in the restricted zone.
ShareFile supports a mix of standard and restricted zones within an account. You can create multiple restricted zones, each with its own authentication requirements. For example, if users in Domain A must not be able to share files with users in Domain B, install a separate restricted zone for each domain.
The rest of this section describes the workflow in ShareFile-managed, standard, and restricted zones.
Proof-of-concept deployment for restricted storage zones
A storage zones controller configured for restricted zones does not need to accept in-bound connections from the ShareFile cloud: You can configure it with an internal address. The following figure indicates the traffic flow between user devices, the ShareFile cloud, and storage zones controller.
In this scenario, one firewall stands between the Internet and the secure network. Storage zones controller resides inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install an SSL certificate, which can be private, on the IIS service of the storage zones controller.
For restricted zones, storage zones controller sends email notifications from your local SMTP server instead of from ShareFile.
High availability deployment for restricted zones
Storage zones controllers configured for restricted zones do not need to accept in-bound connections from the ShareFile cloud: You can configure each one with an internal address. The following figure shows a high availability deployment for restricted zones.
In this scenario, one firewall stands between the Internet and the secure network. The storage zones controllers reside inside the firewall to control access. User connections to ShareFile must traverse the firewall and use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall and install an SSL certificate, which can be private, on the IIS service of the storage zones controller.
For restricted zones, storage zones controller sends email notifications from your local SMTP server instead of from ShareFile.
Restricted zones
The following table describes the network connections that occur when a user logs on to ShareFile and then downloads a document from a restricted zone. All connections use HTTPS.
Step | Source | Destination |
---|---|---|
1 | Client | company.sharefile.com |
2 | Client | SAML Identity Provider URL |
3 | Client | szc.company.com |
4 | szc.company.com | company.sharefile.com |
5 | Client | szc.company.com |
Network connections for restricted zones
The following diagram and table describe the network connections that occur when a user logs on to ShareFile and then uploads a document to a restricted zone. In this case, the account uses Active Directory Federation Services (ADFS) for SAML logon. Authentication traffic is handled by an ADFS proxy server that communicates with an ADFS server on the trusted network.
Step | Source | Destination | Protocol |
---|---|---|---|
1 | Client | company.sharefile.com or company.sharefile.eu | HTTPS |
2 | Client | SAML Identity Provider URL | HTTPS |
3 | Client | company.sharefile.com or company.sharefile.eu | HTTPS |
4 | Client | Storage zones controller | HTTPS |
5 | Storage zones controller | Domain controller | Kerberos |
6 | Client | Storage zones controller | HTTPS |
7 | Storage zones controller | Local storage | CIFS |
8 | Storage zones controller | company.sharefile.com or company.sharefile.eu | HTTPS |
For restricted storage zones:
- Use an internal or external host name.
- Enable SSL for communications with ShareFile. If you use an internal host name, you can use a private certificate; the certificate must be trusted by user devices. If you use an external host name, the SSL certificate on the storage zones controller must be trusted by user devices and by the ShareFile web servers.
- Provide outbound HTTP access from storage zones controller to one of the following service bus URIs:
  - ShareFile.com accounts: sf-zk-email-use.servicebus.windows.net
  - ShareFile.eu accounts: sf-zk-email-euw.servicebus.windows.net
Be sure to arrange network dependencies with your networking team.
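The connection tables and the host name and certificate requirements above translate into a short pre-flight check. The following PowerShell script is an added example, not Citrix or ShareFile tooling: run with -Role Client on a user device it checks the client-to-cloud and client-to-controller legs and whether the controller's certificate chains to a root the device trusts (the private-certificate caveat above); run with -Role Controller on the storage zones controller it checks the Kerberos, CIFS, ShareFile callback, service bus and SMTP legs. The step labels follow the row order of the upload table. Every host name, and the assumption that the service bus and SMTP relay listen on 443 and 25, is a placeholder to replace.

```powershell
<#
  Added example, not part of the Citrix/ShareFile documentation or product.
  Pre-flight connectivity and certificate check for restricted storage zones.
  All host names and ports below are assumptions; replace them with your own.
#>
param(
    [ValidateSet('Client', 'Controller')] [string]$Role = 'Client',
    [string]$ShareFileHost = 'company.sharefile.com',   # assumed account subdomain (.eu for EU accounts)
    [string]$SzcHost       = 'szc.company.com',         # assumed storage zones controller address
    [string]$DomainCtrl    = 'dc01.corp.example',       # assumed domain controller (Kerberos)
    [string]$StorageHost   = 'fs01.corp.example',       # assumed file server holding the zone (CIFS)
    [string]$SmtpHost      = 'smtp.corp.example',       # assumed internal SMTP relay for notifications
    [string]$ServiceBus    = 'sf-zk-email-use.servicebus.windows.net'  # .eu: sf-zk-email-euw.servicebus.windows.net
)

function Test-Port {
    # TCP reachability only; a firewall that drops the connection shows up as Reachable = False.
    param([string]$Target, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Purpose = $Purpose; Target = "${Target}:$Port"; Reachable = $r.TcpTestSucceeded }
}

function Test-TlsTrust {
    # Completes a TLS handshake and reports whether the server certificate chains to a root this
    # device trusts. A private SZC certificate that was never deployed to clients fails here.
    param([string]$Target, [int]$Port = 443)
    $state    = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = { param($sender, $cert, $chain, $policyErrors)
                  $state.PolicyErrors = $policyErrors; $true }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Target)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Target       = $Target
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Trusted      = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors = $state.PolicyErrors.ToString()
        }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

$checks = switch ($Role) {
    'Client' {
        Test-Port $ShareFileHost 443 'Steps 1 and 3: logon and metadata via the ShareFile cloud'
        Test-Port $SzcHost       443 'Steps 4 and 6: zone authentication and file transfer'
        Test-TlsTrust $SzcHost           # certificate must be trusted by this device
    }
    'Controller' {
        Test-Port $DomainCtrl    88  'Step 5: Kerberos to the domain controller'
        Test-Port $StorageHost   445 'Step 7: CIFS to zone storage'
        Test-Port $ShareFileHost 443 'Step 8: authorization callback to ShareFile'
        Test-Port $ServiceBus    443 'Outbound to the email service bus (assumed port 443)'
        Test-Port $SmtpHost      25  'Notifications from your SMTP server (assumed port 25)'
    }
}
$checks | Format-Table -AutoSize
```

Run it twice, once from a VPN-connected user device and once on the controller, because the two vantage points cross different firewall rules. A Trusted = False result on the client check is the symptom of a private controller certificate that has not been pushed to user devices; it will not be fixed by opening ports.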
Client requirements for restricted storage zones
The ShareFile web application supports restricted storage zones from the following web browsers:
- Internet Explorer 11. To enable access from the ShareFile web application to folders and connectors in restricted zones:
  - Open Internet Explorer, go to Internet Options, click the Security tab, and then click Trusted Sites.
  - Click Sites and then add your subdomain and the external storage zones controller address.
  - Click Close and then click Custom Level.
  - For Miscellaneous > Access data sources across domains, select Enable.
  - For User Authentication > Logon, select Prompt for user name and password.
- Chrome
- Firefox
- Safari
- Secure Web
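The Internet Explorer 11 steps above are per-user GUI settings; on a managed fleet they are normally written to the registry instead. The following PowerShell script is an added example, not ShareFile's own tooling: it adds the https scheme of both hosts to the Trusted sites zone (ZoneMap) and sets the two Custom Level values the steps name, using the IE policy IDs 1406 (Access data sources across domains) and 1A00 (Logon). The host names are assumptions; replace them with your ShareFile subdomain and external storage zones controller address.

```powershell
<#
  Added example, not ShareFile's own tooling: applies the Internet Explorer 11 settings
  listed above for the current user through the registry, so they can be scripted or
  delivered by Group Policy preferences instead of clicked through.
  Host names are assumptions; replace them with your own.
#>
param(
    [string]$ShareFileHost = 'company.sharefile.com',   # assumed ShareFile subdomain
    [string]$SzcHost       = 'szc.company.com'          # assumed external SZC address
)

$IeSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$TrustedZone = 2   # IE URL security zone 2 = Trusted sites

function Add-TrustedSite {
    # ZoneMap stores each site as Domains\<registrable domain>\<remaining labels>, with a
    # value named after the URL scheme whose data is the zone number.
    param([string]$FqdnHost)
    $labels = $FqdnHost.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$FqdnHost'" }
    $domain = $labels[-2..-1] -join '.'
    $key    = Join-Path $IeSettings "ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    # Only https is trusted: the zone requires SSL to the controller, so no http entry is added.
    New-ItemProperty -Path $key -Name 'https' -Value $TrustedZone -PropertyType DWord -Force | Out-Null
    return $key
}

function Set-TrustedZonePolicy {
    # Per-zone Custom Level settings live under Zones\<n>; value names are the IE policy IDs.
    $zoneKey = Join-Path $IeSettings "Zones\$TrustedZone"
    # 1406 = Miscellaneous > Access data sources across domains: 0 = Enable, 1 = Prompt, 3 = Disable
    Set-ItemProperty -Path $zoneKey -Name '1406' -Value 0 -Type DWord
    # 1A00 = User Authentication > Logon: 0x10000 = Prompt for user name and password
    Set-ItemProperty -Path $zoneKey -Name '1A00' -Value 0x10000 -Type DWord
    # Read back what is now in effect for the zone.
    Get-ItemProperty -Path $zoneKey |
        Select-Object @{ n = 'AccessDataSourcesAcrossDomains'; e = { $_.'1406' } },
                      @{ n = 'Logon';                          e = { '0x{0:X}' -f $_.'1A00' } }
}

$ShareFileHost, $SzcHost | ForEach-Object { "Trusted (https): $(Add-TrustedSite $_)" }
Set-TrustedZonePolicy
```

Two cautions. Enabling 1406 relaxes cross-domain data access for every site in the Trusted sites zone, so keep that zone limited to the two hosts the page calls for rather than broad wildcards. If IE zones are managed by Group Policy, the HKLM policy keys take precedence and the HKCU values written here are ignored; push the same values through the policy instead.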
To support restricted storage zones, ShareFile clients must be upgraded to the following versions or later:
- ShareFile Sync for Windows 3.1
- ShareFile Outlook Plug-in 3.2.2
- ShareFile for iOS 3.3
- ShareFile for Android 3.4
- ShareFile for Windows Phone 2.3.10
These ShareFile clients and tools are not supported for use with restricted storage zones as of the publication date of this article:
- Off-domain use of ShareFile Desktop Sync for Windows 3.1 and the ShareFile Outlook Plug-in. These clients must run on a domain-joined Windows desktop in the same Active Directory forest as the storage zones controller server; they can then use NTLM or Kerberos for silent authentication to a restricted zone.
- On-Demand Sync for Windows
- Sync for Mac
- ShareFile Enterprise Sync Manager
- Secure Mail for iOS
- ShareFile Desktop Widget
- ShareFile for BlackBerry
- ShareFile mobile website
Note: For the latest information about ShareFile client capabilities, see the ShareFile support site or contact your ShareFile support representative.
The following alternative account access methods are not supported for use with restricted storage zones:
- FTP
- PowerShell
- ShareFile Command Line Interface (SFCLI)
- HTTPS API (V1)
- WebDav
- SMTP
Important
ShareFile does not officially support and does not recommend utilizing DFS replication. It has been known to cause locking failures for larger files. If DFS replication must be used, use separate backup solutions during off-peak hours when the zone is not actively in use.
Upgrade Restricted Storage Zone
When you upgrade a storage zones controller to the latest version, that controller continues to use standard zones. You cannot upgrade a standard zone to a restricted zone.
To replace a standard zone with a restricted zone, you must install a new storage zones controller and configure a restricted zone.
To support restricted zones or web access to connectors, you must perform additional Citrix ADC configuration after you complete the wizard. The configuration ensures that ShareFile clients send credentials only when logged on to a trusted ShareFile domain. To support web access to connectors, you also add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.
Additional restricted zones information
Support for restricted storage zones affects all aspects of the ShareFile service. As a result of protocol changes required to support metadata encryption and zone authentication, some ShareFile clients and features are not supported when working with documents in a restricted storage zone.
Contents
- Clients and tools
- Browsers
- Features
- Sync for Windows
- Mobile Apps
- Outlook Plug-in
Clients and tools
Client or tool | Restricted zone support |
---|---|
Sync for Windows | 3.1 and up |
Plug-in for Microsoft Outlook | 3.2.2 and up |
On-Demand Sync for Windows | Not supported |
Drive Mapper | 3.01.171.0 and up |
ShareFile for iOS | 3.3 – MDX only |
ShareFile for Android | 3.4 and up |
ShareFile for Windows Phone 8 | 2.3.10 and up |
Sync for Mac | Not supported |
ShareFile Desktop | Not supported |
XenMobile WorxMail for iOS | Not supported |
XenMobile WorxMail for Android | Supported |
Print to ShareFile | Not supported |
Mobile website | Not supported |
Other account access methods | |
PowerShell | Not supported |
SFCLI | Not supported |
REST API (V3) | Supported |
HTTPS API (V1) | Not supported |
FTP | Not supported |
Email files to a folder | Not supported |
.NET SDK | Supported |
Browsers
Platform | Supported browsers |
---|---|
Windows | Internet Explorer 11, Firefox (latest version), Chrome (latest version) |
macOS | Safari (latest version), Firefox (latest version), Chrome (latest version) |
iOS | Safari, Secure Web |
Android | Secure Web |
Features
End user actions: Working with files:
Action | Restricted zone support |
---|---|
Browse and download files | Supported |
Upload files (uploader type) | HTML5: Supported; Flash: Not supported; Java: Not supported; Standard HTML form: Not supported |
Recycle Bin | Supported |
Bulk download and delete | Supported |
File Box | View: Supported; Delete: Supported; Upload: Supported; Download: Not supported; Send from File Box: Not supported |
File Preview (thumbnails) | Not supported |
View documents in web browser | Not supported |
File reupload | Not supported |
Multiple versions per file | Not supported |
Search | Restricted zone items are not included in search results |
Mark a folder as a favorite | Not supported |
Copy or move files | Not supported |
Edit Folder Options: Folder expiration date, file retention policy | Supported |
Shared Folder Bubbling | Not supported |
End user actions: Sharing and collaboration:
Action | Restricted zone support |
---|---|
Send a file: requiring upload, send email using ShareFile, give me a link I can copy, require user to log on, limit number of downloads | Supported |
Receive and download a shared file | Supported |
Create a shared folder in a restricted storage zone | Supported |
Add users to a folder: control permissions for upload and download | Supported |
Request a file | Supported |
Request a file with “Require ShareFile Login” enabled | Not supported |
Email notifications | Supported |
Inbox: Files sent to me | Supported |
Inbox: Sent messages | View, expire, resend, edit: Supported |
View activity log | Supported |
Get signature (via RightSignature) | Not supported |
Administrative actions:
Action | Restricted zone support |
---|---|
Create a user in a restricted zone | Supported |
Migrate user to a different zone | Not supported |
Reporting: Access audit, usage report, messaging report, bandwidth report, storage report | HTML viewer: Supported; Excel/CSV/PDF viewers: encrypted metadata is shown |
Zone administration | |
Monitor storage usage | Supported |
Monitor bandwidth usage | Supported |
Monitor file activity | Supported |
Recover files | Not supported |
Reconcile files | Not supported |
Delete zone | Supported |
High availability | Supported |
Sync for Windows
Minimum version - 3.1
Action | Restricted zone support |
---|---|
Authenticate from a domain-joined client (NTLM or Kerberos) | Supported |
Authenticate from a non-domain client (user prompted for password) | Supported |
Sync “My Files and Folders” in a restricted zone | Supported |
Sync shared folders from a restricted zone | Supported |
Upload, download, sync | Supported |
On-demand Sync for XenApp and XenDesktop environments | Not supported |
View favorite folders | Not available for restricted storage zone folders |
Right-click > Copy link | Supported |
Right-click > Email file | Supported |
Mobile apps
See the app-specific tables below:
iOS - Minimum version 3.3
Action | Restricted zone support |
---|---|
Browse and download files | Supported |
View content offline | Supported |
Create a folder | Supported |
Create or edit a file | Supported |
Upload photo or video | Supported |
Authenticate with username/password | Supported |
Single sign-on with Worx micro VPN | Supported |
Share: Copy a link | Supported |
Share: Share by email | Not supported |
Add or edit folder notes | Not supported |
Create a note or edit existing notes | Not supported |
Add people to folder or edit existing folder permissions | Not supported |
Mark/unmark a folder as a favorite | Not supported |
Request a file | Not supported |
Thumbnail previews | Not supported |
Multi-item delete | Not supported |
Make folder available offline | Supported except for root-level “Shared with me” folders |
Share a folder | Supported except for root-level “Shared with me” folders |
Create a connector in a restricted storage zone | Not supported |
Android - Minimum version 3.4
Action | Restricted zone support |
---|---|
Browse and download files | Supported |
View content offline | Supported |
Send a file | Supported |
Create a folder | Supported |
Create or edit a file | Supported |
Upload files | Supported |
Authenticate with username/password | Supported |
Single sign-on with Worx micro VPN | Supported |
Request a file | Not supported |
Create a note | Not supported |
Overwrite existing file after upload | Not supported |
Outlook plug-in
Action | Restricted zone support |
---|---|
Authenticate from a domain-joined client (NTLM or Kerberos) | Supported |
Authenticate from a non-domain client (user prompted for password) | Supported |
Browse and select files from ShareFile | Supported |
Browse and select files from ShareFile with “Require recipients to log in” enabled | Not supported |
Convert attachment to ShareFile link | Supported |
Convert attachment to ShareFile link with “Require recipients to log in” enabled | Not supported |
Request a file | Supported |
Request a file with “Require recipients to log in” enabled | Not supported |