Configure Citrix ADC for storage zones controller 编辑
NetScaler, version 10.1 build 120.1316.e and later, includes a wizard that prompts you for basic information about your storage zones controller environment. Then it generates a configuration that:
- Load balances traffic across storage zones controllers
- Provides user authentication for storage zone connectors
- Validates URI signatures for ShareFile uploads and downloads
- Terminates SSL connections at the Citrix ADC appliance
The diagram shows these Citrix ADC components created by the configuration:
- Citrix ADC content switching virtual server — Sends user requests for data from ShareFile and from storage zone connectors to the appropriate Citrix ADC load balancing virtual server.
- Citrix ADC load balancing virtual server — Load balances the traffic for your storage zones controllers and also handles the following:
For requests for data from your private data storage, a load balancing virtual server performs hash validation, to ensure valid URI signatures are present on incoming requests.
For requests for data from storage zone connectors, a load balancing virtual server can perform user authentication. It stops a user request at the Citrix ADC, authenticates the user, and then performs single sign-on of the user to storage zones controller.
Note:
Authentication to storage zone connectors through Citrix ADC is optional. Due to a known issue, if authentication is enabled in Citrix ADC, storage zone connectors in WebApp do not work in Chrome, Chromium, Safari, and Edge browsers. It is compatible with other browsers and desktop/mobile clients.
As of storage zones controller 4.0, administrators can limit inbound connections to the storage zones controllers to TLS v1.2. If protocols earlier than TLS v1.2 are disabled for inbound traffic to the storage zone controller, all client software components that interact with the storage zone must also support TLS v1.2. Click here for additional information and configuration instructions.
Note:
To set up NetScaler versions before 10.1 build 120.1316.e, see Configure Citrix ADC manually.
The setup of Citrix ADC for ShareFile wizard does not handle the configuration required to use Citrix Endpoint Management as a SAML identity provider for ShareFile. For more information, click here.
Prerequisites
- A working Citrix ADC configuration
- Security certificate: If one is not already available in Citrix ADC, the wizard enables you to install one on the content switching virtual server.
- Information about your Active Directory configuration (The Citrix ADC for ShareFile Wizard must be completed with the Citrix NetScaler Enterprise Edition License):
- IP address and port of your Active Directory server
- Active Directory domain name
- LDAP Base DN where users are stored
- Account name and password for an administrator account that has permissions to communicate with Active Directory
Configure Citrix ADC for storage zones controllers
The following steps describe how to use the Citrix ADC for ShareFile wizard.
Log on to the Citrix ADC appliance and, on the Configuration tab, navigate to Traffic Management.
Under Citrix ShareFile, click Set up Citrix ADC for ShareFile.
You can also access the wizard as follows: Under Mobility, click Configure Endpoint Management, ShareFile, and Citrix Gateway.
Supply the information requested in the wizard.
Option | Description |
---|---|
Name | A display name for the content switching virtual server. |
IP Address | The external (public or DMZ) IP address to be used for the content switching virtual server. If you use a DMZ IP address, you must define a Network Address Translation (NAT) mapping from your external firewall address to this DMZ IP address. |
ShareFile Data | This option is enabled, indicating that you will use the Citrix ADC connection for storage zones for ShareFile Data. |
storage zone connectors for Network File Share/SharePoint | If you use connectors and you want to perform user authentication at the Citrix ADC, select the check box. |
Certificate | Choose a certificate or install one for the content switching virtual server. If you choose to install a certificate, you are prompted to upload the certificate and private key. For standard zones, certificates must be publicly trusted and not self-signed. |
storage zones controller IP Address | The internal IP addresses for one or more storage zones controller servers. These IP addresses define the storage zones controller servers as entities inside Citrix ADC. If you already added the servers to Citrix ADC, click Add From Existing and select the servers. To use Citrix ADC for load balancing, enter an internal IP address for each storage zones controller server. To use Citrix ADC only for SSL and authentication, enter just one IP address. |
Port and Protocol | The port and protocol used for communication from the Citrix ADC to storage zones controllers. |
The authentication, authorization, and auditing (Citrix ADC AAA) virtual server IP Address | An unused internal IP address for the Citrix ADC AAA virtual server. Citrix ADC creates this virtual server for its own use. The server does not require outside access. |
LDAP Server IP Address and Port | The IP address and port of your Active Directory server. If you already added an LDAP server to Citrix ADC, click the Choose LDAP tab and choose the server. |
Time out | The maximum number of seconds that the Citrix ADC waits for a response from the LDAP server. Defaults to 3 seconds. The minimum value is 1 second. |
Single Sign-on Domain | The Active Directory domain name. |
Base DN (location of users) | The LDAP Base Distinguished Name (DN) where users are stored. Specify the DN using the general form: CN=Users,dc=domain, dc=Net |
Administrator Bind DN and Password | An administrator account that has permissions to communicate with Active Directory. |
Logon Name | An LDAP attribute, used by Citrix ADC to determine whether users log on with their user name or email address. Defaults to sAMAccountName, which enables users to log on with their user names. To require users to enter their email address to log on, change this field to userPrincipalName. |
Configure Citrix ADC for web access to connectors
To support web access to storage zone connectors, you must perform additional Citrix ADC configuration after you complete the Citrix ADC for ShareFile wizard.
Create and configure a third Citrix ADC load-balancing virtual server, used to ensure that ShareFile clients send credentials only when logged on to a trusted ShareFile domain.
As described in the following steps, you will configure the additional virtual server to allow anonymous access from clients for the HTTP OPTIONS verb. The OPTIONS request passes through to storage zones controller without being authenticated and without HTTPS callouts to validate the signature. The CORS preflight check validates domain trust before sending credentials.
An understanding of CORS is not needed to perform the configuration. However, for more information about CORS, see http://enable-cors.org/.
To support web access to storage zone connectors, add a path (/ProxyService) to the content switching policy used for traffic to /cifs and /sp.
Perform the following steps in Citrix ADC after you complete the Citrix ADC for ShareFile wizard.
- Create a third load-balancing virtual server:
Navigate to Traffic Management > Load Balancing > Virtual Servers.
Click Add.
Specify the following values:
Option Value Name A policy name, such as SF_ZONE_OPTIONS Protocol SSL IP Address Type Non Addressable Click through to create the virtual server.
To bind the same services to it as the load-balancing virtual servers created by the wizard: In the Load Balancing Virtual Server screen, across from Service, click > and then click Save.
Add a certificate to the virtual server.
- Create a policy for the virtual server you just added:
Navigate to Traffic Management > Content Switching > Policies.
In the details pane, click Add and then specify the Name, Target LB Virtual Server, and Expression values. Click Expression Editor and then build this expression. Select HTTP. Select REQ. Select METHOD. Select EQ(String) and type OPTIONS. The expression should read as follows:
HTTP.REQ.METHOD.EQ("OPTIONS")
Click Done.
Click Create.
- Bind the policy you just created to the new load-balancing virtual server:
Navigate to Traffic Management > Content Switching > Virtual Servers.
In the list, click the virtual server and click Edit.
Navigate to the section of Content Switching Policy Binding and click 2 Content Switching Policies.
Click Add Binding.
Select the new Content Policy and select the Target Load Balancing Virtual Server.
Click Bind.
Click Edit Binding and update the Priority. Change the priority of the new policy so it has the lowest number of the three policies.
The policy with the lowest value has the highest priority and so is handled first.
- Update the policy used for traffic to storage zone connectors (_SF_CIF_SP_CSPOL):
Navigate to Traffic Management > Content Switching > Policies.
Select the _SF_CIF_SP_CSPOL policy.
Add the following to the policy expression:
|| HTTP.REQ.URL.CONTAINS("/ProxyService/") <!--NeedCopy-->
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论