Configure Citrix ADC for storage zones controller

NetScaler, version 10.1 build 120.1316.e and later, includes a wizard that prompts you for basic information about your storage zones controller environment. Then it generates a configuration that:

  • Load balances traffic across storage zones controllers
  • Provides user authentication for storage zone connectors
  • Validates URI signatures for ShareFile uploads and downloads
  • Terminates SSL connections at the Citrix ADC appliance

The diagram shows these Citrix ADC components created by the configuration:

  • Citrix ADC content switching virtual server — Sends user requests for data from ShareFile and from storage zone connectors to the appropriate Citrix ADC load balancing virtual server.
  • Citrix ADC load balancing virtual server — Load balances the traffic for your storage zones controllers and also handles the following:
    • For requests for data from your private data storage, a load balancing virtual server performs hash validation, to ensure valid URI signatures are present on incoming requests.

    • For requests for data from storage zone connectors, a load balancing virtual server can perform user authentication. It stops a user request at the Citrix ADC, authenticates the user, and then performs single sign-on of the user to storage zones controller.

    Note:

    Authentication to storage zone connectors through Citrix ADC is optional. Due to a known issue, if authentication is enabled in Citrix ADC, storage zone connectors in WebApp do not work in Chrome, Chromium, Safari, and Edge browsers. It is compatible with other browsers and desktop/mobile clients.

As of storage zones controller 4.0, administrators can limit inbound connections to the storage zones controllers to TLS v1.2. If protocols earlier than TLS v1.2 are disabled for inbound traffic to the storage zone controller, all client software components that interact with the storage zone must also support TLS v1.2. Click here for additional information and configuration instructions.

Note:

To set up NetScaler versions before 10.1 build 120.1316.e, see Configure Citrix ADC manually.

The setup of Citrix ADC for ShareFile wizard does not handle the configuration required to use Citrix Endpoint Management as a SAML identity provider for ShareFile. For more information, click here.

Prerequisites

  • A working Citrix ADC configuration
  • Security certificate: If one is not already available in Citrix ADC, the wizard enables you to install one on the content switching virtual server.
  • Information about your Active Directory configuration (the Citrix ADC for ShareFile wizard requires a Citrix NetScaler Enterprise Edition license):
    • IP address and port of your Active Directory server
    • Active Directory domain name
    • LDAP Base DN where users are stored
    • Account name and password for an administrator account that has permissions to communicate with Active Directory

Configure Citrix ADC for storage zones controllers

The following steps describe how to use the Citrix ADC for ShareFile wizard.

  1. Log on to the Citrix ADC appliance and, on the Configuration tab, navigate to Traffic Management.

  2. Under Citrix ShareFile, click Set up Citrix ADC for ShareFile.

    You can also access the wizard as follows: Under Mobility, click Configure Endpoint Management, ShareFile, and Citrix Gateway.

  3. Supply the information requested in the wizard.

  • Name: A display name for the content switching virtual server.
  • IP Address: The external (public or DMZ) IP address to be used for the content switching virtual server. If you use a DMZ IP address, you must define a Network Address Translation (NAT) mapping from your external firewall address to this DMZ IP address.
  • ShareFile Data: This option is enabled, indicating that you will use the Citrix ADC connection for storage zones for ShareFile Data.
  • Storage zone connectors for Network File Share/SharePoint: If you use connectors and you want to perform user authentication at the Citrix ADC, select the check box.
  • Certificate: Choose a certificate or install one for the content switching virtual server. If you choose to install a certificate, you are prompted to upload the certificate and private key. For standard zones, certificates must be publicly trusted and not self-signed.
  • Storage zones controller IP Address: The internal IP addresses for one or more storage zones controller servers. These IP addresses define the storage zones controller servers as entities inside Citrix ADC. If you already added the servers to Citrix ADC, click Add From Existing and select the servers. To use Citrix ADC for load balancing, enter an internal IP address for each storage zones controller server. To use Citrix ADC only for SSL and authentication, enter just one IP address.
  • Port and Protocol: The port and protocol used for communication from the Citrix ADC to storage zones controllers.
  • Authentication, authorization, and auditing (Citrix ADC AAA) virtual server IP Address: An unused internal IP address for the Citrix ADC AAA virtual server. Citrix ADC creates this virtual server for its own use. The server does not require outside access.
  • LDAP Server IP Address and Port: The IP address and port of your Active Directory server. If you already added an LDAP server to Citrix ADC, click the Choose LDAP tab and choose the server.
  • Time out: The maximum number of seconds that the Citrix ADC waits for a response from the LDAP server. Defaults to 3 seconds. The minimum value is 1 second.
  • Single Sign-on Domain: The Active Directory domain name.
  • Base DN (location of users): The LDAP Base Distinguished Name (DN) where users are stored. Specify the DN using the general form: CN=Users,dc=domain,dc=Net
  • Administrator Bind DN and Password: An administrator account that has permissions to communicate with Active Directory.
  • Logon Name: An LDAP attribute, used by Citrix ADC to determine whether users log on with their user name or email address. Defaults to sAMAccountName, which enables users to log on with their user names. To require users to enter their email address to log on, change this field to userPrincipalName.

Configure Citrix ADC for web access to connectors

To support web access to storage zone connectors, you must perform additional Citrix ADC configuration after you complete the Citrix ADC for ShareFile wizard.

  • Create and configure a third Citrix ADC load-balancing virtual server, used to ensure that ShareFile clients send credentials only when logged on to a trusted ShareFile domain.

    As described in the following steps, you will configure the additional virtual server to allow anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes through to storage zones controller without being authenticated and without HTTPS callouts to validate the signature. The CORS preflight check validates domain trust before sending credentials.

    An understanding of CORS is not needed to perform the configuration. However, for more information about CORS, see http://enable-cors.org/.

  • To support web access to storage zone connectors, add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.

Perform the following steps in Citrix ADC after you complete the Citrix ADC for ShareFile wizard.

  1. Create a third load-balancing virtual server:
    1. Navigate to Traffic Management > Load Balancing > Virtual Servers.

    2. Click Add.

    3. Specify the following values:

      • Name: A policy name, such as SF_ZONE_OPTIONS
      • Protocol: SSL
      • IP Address Type: Non Addressable
    4. Click through to create the virtual server.

    5. To bind the same services to it as the load-balancing virtual servers created by the wizard: In the Load Balancing Virtual Server screen, across from Service, click > and then click Save.

    6. Add a certificate to the virtual server.

  2. Create a policy for the virtual server you just added:
    1. Navigate to Traffic Management > Content Switching > Policies.

    2. In the details pane, click Add and then specify the Name, Target LB Virtual Server, and Expression values. Click Expression Editor and then build this expression. Select HTTP. Select REQ. Select METHOD. Select EQ(String) and type OPTIONS. The expression should read as follows: HTTP.REQ.METHOD.EQ("OPTIONS")

    3. Click Done.

    4. Click Create.

  3. Bind the policy you just created to the new load-balancing virtual server:
    1. Navigate to Traffic Management > Content Switching > Virtual Servers.

    2. In the list, click the virtual server and click Edit.

    3. Navigate to the section of Content Switching Policy Binding and click 2 Content Switching Policies.

    4. Click Add Binding.

    5. Select the new Content Policy and select the Target Load Balancing Virtual Server.

    6. Click Bind.

    7. Click Edit Binding and update the Priority. Change the priority of the new policy so it has the lowest number of the three policies.

      The policy with the lowest value has the highest priority and so is handled first.

  4. Update the policy used for traffic to storage zone connectors (_SF_CIF_SP_CSPOL):
    1. Navigate to Traffic Management > Content Switching > Policies.

    2. Select the _SF_CIF_SP_CSPOL policy.

    3. Add the following to the policy expression:

      || HTTP.REQ.URL.CONTAINS("/ProxyService/")
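The same post-wizard configuration expressed at the Citrix ADC command line, as an added example that is not part of the original page or of the wizard's generated output. Assumed placeholder names: SF_CSVS (the content switching virtual server the wizard created), SZC_SVC_1 and SZC_SVC_2 (the storage zones controller services the wizard bound), SF_CERT (an existing certificate-key pair) and the priority value 10; only SF_ZONE_OPTIONS and _SF_CIF_SP_CSPOL come from the page, and the /cifs and /sp terms in the final rule are an assumed form of the wizard's existing expression.

```nscli
# Added example; comment lines are explanatory and are not part of the page.

# 1. Third load-balancing virtual server: SSL, non-addressable (IP 0.0.0.0, port 0),
#    bound to the same storage zones controller services as the wizard's servers.
add lb vserver SF_ZONE_OPTIONS SSL 0.0.0.0 0
bind lb vserver SF_ZONE_OPTIONS SZC_SVC_1
bind lb vserver SF_ZONE_OPTIONS SZC_SVC_2
bind ssl vserver SF_ZONE_OPTIONS -certkeyName SF_CERT

# 2. Content switching policy that matches only the CORS preflight verb.
#    Quotes inside the rule are backslash-escaped, as in ns.conf.
add cs policy SF_ZONE_OPTIONS_CSPOL -rule "HTTP.REQ.METHOD.EQ(\"OPTIONS\")"

# 3. Bind it to the wizard's content switching vserver with the lowest priority
#    number of the three policies, so OPTIONS preflights are switched to the
#    unauthenticated vserver before the connector (AAA) and data (URI signature)
#    policies are evaluated. Only the OPTIONS verb bypasses authentication.
bind cs vserver SF_CSVS -policyName SF_ZONE_OPTIONS_CSPOL -targetLBVserver SF_ZONE_OPTIONS -priority 10

# 4. Extend the connector policy so /ProxyService/ requests also reach the
#    authenticated connector vserver (assumed existing /cifs and /sp terms).
set cs policy _SF_CIF_SP_CSPOL -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\") || HTTP.REQ.URL.CONTAINS(\"/ProxyService/\")"

# Check the resulting policy order on the content switching vserver, then persist.
show cs vserver SF_CSVS
save ns config
```

After applying, confirm in the show output that SF_ZONE_OPTIONS_CSPOL carries the lowest priority number; a higher number would let an OPTIONS request fall through to the authenticated policy and break the preflight.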
