Resources – they can be tough to come by; or even easy to come by, but expensive and/or difficult to maintain. Luckily, Citrix has an answer. I know there are a number of resources (no pun intended) out there for leveraging NetScaler Unified Gateway for various purposes. Today, I plan to explain how to leverage your NetScaler to minimize resource utilization when working with ShareFile.
That’s right, with Unified Gateway, Citrix customers can put multiple resources behind a single IP. Let’s talk about how we do it:
First, let’s look at a traditional configuration for ShareFile. I have written about configuring ShareFile within NetScaler (here); and even configuring Microsoft Office Online Server to create/edit on-prem documents from ShareFile StorageZones (here). However, with Unified Gateway, we can now take those two resources, and combine them into one!
With previous setup guides for ShareFile (and my previous posts), we have leveraged a dedicated resource for each piece of the puzzle – if you do the math here, and we’re only talking one IP for each resource (no HA), that’s at least three IPs that need to be obtained – one for the NetScaler IP, one for the ShareFile FQDN and the third for the Office Online Server (not required). AND, if we want Single Sign-on, that ups it to FOUR!
With Unified Gateway, we can minimize the resources needed down to TWO (including the NSIP).
But… But, how?
Well, ladies and gentlemen, I give you: Content Switching Policies.
Rather than point each piece to its own IP resource, we can leverage Gateway’s content switch to redirect traffic based on the incoming request. So, from the above diagram, we can go to the following:
For now, I am only inserting the information on configuring this setup via the GUI – I will update this post in the future to include the CLI commands.
Please note, this post assumes:
- You already have a ShareFile Enterprise Account with administrator permissions to manage Single Sign-On settings
- You have Enterprise NetScaler Entitlements with Content Switching, Load Balancing and the Unified Gateway features enabled
- The aforementioned ShareFile account already has a StorageZone successfully configured with content switching polices and load balancing configured within a NetScaler
Configuring ShareFile SAML Settings:
Navigate to your ShareFile account at “https://<subdomain>.sharefile.com” and authenticate using administrator credentials.
Open the Admin Settings page, drop down the “Security” section and select the “Login & Security Policy”
Scroll down to the “Basic Settings” under “Single Sign-On / SAML 2.0 Configuration”.
The ShareFile Issuer/Entity ID will be the ACS URL: “https://<subdomain>.sharefile.com/saml/acs”.
Your IDP Issuer ID should read “https://<subdomain.sharefile.com”.
For the x509 certificate, copy and paste the body of the SSL certificate used to secure the Gateway vServers. To do this, open the certificate with an application like Notepad and copy & paste the text (including the —begin— and —end—) into the ShareFile pane.
The Login URL will be “https://sharefile.company.com/saml/login”.
The Logout URL will be “https://sharefile.company.com/cgi/tmlogout”.
Continue to the Optional Settings of the SAML configuration.
If you so choose, configure the “Require SSO” and “SSO IP range”, we will not be using those in this example.
SP-Initiated SSO Certificate needs to be “HTTP Post (2048 bit certificate)”.
Leave “Force the SP-Initiated SSO Certificate to Regenerate” at “No”.
Enable Web Authentication should be set to “Yes”.
SP-Initiated Auth Context should be set to “Unspecified” and “Minimum”.
Click “Save” and scroll back down to the Optional Settings.
Select to “View” the SP-Initiated SSO Certificate.
Copy the certificate data from the SP-Initiated SSO certificate and paste it into a new Notepad document.
Save the certificate as “ShareFile_SAML.cer” and head back to the NetScaler UI.
Navigate to Traffic Management -> SSL -> Certificates -> CA Certificates and click “Install”.
Name the Cert-Key Pair “ShareFile_SAML”.
Click the drop-down menu to select “Choose File” from “Local”.
Select the newly created “ShareFile_SAML.cer”.
Configuring NetScaler Unified Gateway:
Luckily, if you already have ShareFile configured in your NetScaler, most of the work is done for you – all we need to do is reassign a few policies and configure our Gateway for authentication into ShareFile.
Let’s start with configuring our Gateway using the wizard:
To start, we’ll navigate to the quick-access for Unified Gateway under “Integrate with Citrix Products” and select “Get Started”.
Note: if you already have an existing Gateway, we’ll select “Create New Gateway” from the top-right (just above any existing Gateways).
We’ll be brought to a splash page to get started – continue by clicking “Continue”
Here, we’ll give our Gateway a friendly name and allocate an IP address – we can come back to edit the IP later to from the existing ShareFile configuration, so let’s just use 18.104.22.168 in this example.
Once we select to continue, we’ll be brought into the Gateway configuration where we will select our server certificate. Use the same one that is currently used with the ShareFile configuration – whether it is a wildcard or not, we will be repurposing our ShareFile FQDN to be used as our gateway.
After we bind our certificate/certificate chain, we’ll be prompted to add an authentication method and server – again, we can select the existing LDAP policy that was created with our previous ShareFile configuration:
For now, we’ll use the default portal theme for our gateway. This can be edited at a later date. If you’re looking for info on customizing your portal login experience, check out this post by my colleague, Kim Marroquin!
Lastly, we will bind our applications to our gateway.
Select the plus (+) button in the top right of the “Applications” pane to add a service.
Select “Web Application” to configure ShareFile for this example.
Give your application a friendly name (I recommend something simple, such as “ShareFile”). Change the application type to “SaaS”.
Configure the URL to be your ShareFile account (“https://<subdomain>.sharefile.com”).
Check “Enable SAML based single sign-on to your application.”
Once the checkbox is enabled for SAML authentication, we’ll need to either configure a SAML SSO Profile.
Click the plus (+) button to create a new SAML SSO Profile:
Give the profile a friendly name – in this example, we use “ShareFile_SSO_profile”.
Add the Assertion Consumer Service URL as “https://<subdomain>.sharefile.com/saml/acs”.
Set the Relay State Expression to “HTTP.REQ.URL.Contains(“saml”)”.
The Signing Certificate Name should match the SSL cert bound to the gateway.
For SP Certificate Name, select the “ShareFile_SAML” CA certificate that we installed previously.
Leave “Encrypt Assertion” and “Send Password” at their default settings: unchecked and “ON”, respectively.
For Issuer Name, enter the ShareFile FQDN that was previously used for ShareFile configuration: “https://sharefile.company.com”.
Signature Algorithm and Digest Method should remain as “RSA-SHA1” and “SHA1”, respectively.
Our audience will be our ShareFile account, so let’s set it to: “https://<subdomain>.sharefile.com”.
Skew Time can remain at “5” minutes.
Sign Assertion should be “Assertion”.
Name ID Format should be set to “Transient” with the Name ID Expression set to: “HTTP.REQ.USER.ATTRIBUTE(1)”.
Once all of this is set, click “OK” to be redirected back to the gateway configuration. If the profile isn’t selected for you already, select our newly created SSO profile for the ShareFile application. You are welcome to add an icon for users to see upon login to gateway.
The (semi-) finished product should look something like this:
You may notice that, in creating this Gateway, we are creating a content switching vIP and a NetScaler Gateway vIP. To get the most out of our NetScaler/ShareFile integration, we’ll use the content switch to redirect ShareFile traffic to the proper load balancing resources and to direct traffic to the NSG for authentication using our SAML profile.
Configuring the NetScaler Gateway Content Switch
First things first, let’s focus on the ShareFile configuration:
Navigate to the newly-created Content Switch vIP and click to bind a new “Content Switching Policy” to the vServer. There should be one bound by default – click the “1 Content Switching Policy” window to open the bindings.
Because of the nature of ShareFile’s requests and this configuration, we’ll first need to create a content switching policy for ShareFile Connector access via web:
Select “Add Binding” from the bindings page and create a policy labeled “_sf_options_pol”.
Set the Expression to equal: “HTTP.REQ.HOSTNAME.CONTAINS(“sharefile.company.com”) && HTTP.REQ.METHOD.EQ(“OPTIONS”)”
Click “OK” to configure the binding.
Set Priority to 90 and continue to the Target Load Balancing Virtual Server section.
Click the plus (+) button to add a new load balancing vIP.
Name the vServer “_sf_options_lb”.
Set Protocol to “SSL”.
IP Address Type should be set to “NonAddressable”.
Click “OK” to continue.
From here, bind the virtual service created by the ShareFile wizard: “_sf_szc_svc”
Select “Bind” and “Continue”.
Bind the SSL cert to the vServer, click “Continue” and then “Done” to be returned to the policy binding page.
Select the new Target Load Balancing Virtual Server (if not already selected) and click “Bind” to complete.
Next, bind the additional ShareFile policies:
Select “Add Binding”.
Select the “_sf_data_pol” for the Policy.
Set Priority to 100.
Select the Target Load Balancing Virtual Server as the “_sf_data_lb” that was previously configured by the wizard.
Again, select “Add Binding”.
Select the “_sf_cif_sp_pol” for the Policy.
Set Priority to 110.
Select the Target Load Balancing Virtual Server as the “_sf_cif_sp_lb” that was previously configured by the wizard.
Optional for those hosting a Microsoft Office Online Server
Lastly, we’ll add a policy for those using Microsoft Office Online to enable users to co-author and edit documents live in the web from an on-prem StorageZone.
Select “Add Binding”
Click “Add” to create a new content switching policy.
Name the policy “_sf_oos_cs_pol”.
Set the Expression to “HTTP.REQ.HOSTNAME.CONTAINS(“oos.company.com”)”.
Create the policy and return to the binding page.
Set the priority to any unused priority as priority will not matter for this policy – I use 140 in this example.
Select the Target Load Balancing Virtual Server as the “_oos_lb” that you created while configuring Office Online with this post!
Once completed, you should have a total of five (5) content switching policies bound to this vServer.
Before we are finished and able to change the IP of the Content Switch, we need to finish configuring our Single Sign-on settings.
Navigate to the NetScaler Gateway vServer that was created when the wizard was run earlier.
The vServer should have the LDAP policy bound under Basic Authentication.
Continue to Advanced Authentication and click to add a SAML IdP Policy.
Click the plus (+) button to add a new policy.
Name the policy “ShareFile_SSO_pol”.
For the Action, set the “ShareFile_SSO_pro” that was created earlier.
Skip down to expression and set the expression as: “HTTP.REQ.URL.CONTAINS(“saml”)”.
Scroll to the bottom of the page and select “Done”.
All that’s left is to head back to the Content Switching vServers and re-IP the new vServer with the IP address from the ShareFile FQDN. To do this, mark the ShareFile Content Switch as “Disabled”, open the new Gateway content switch, click the pencil under the “Basic Settings”, set the IP address and click “OK”, then “Done” at the bottom of the page.
Save your running configuration and test it out!
Open a new, private/incognito browser window.
Navigate to your ShareFile account: https://<subdomain>.sharefile.com
Select the “Sign In” option on the left side of the screen:
You will be redirected to your NetScaler Gateway for authentication:
Enter username (UPN, unless configured otherwise) and password for the desired users – please note that, in order for Single Sign-on to work with ShareFile, a user’s email address must match in the ShareFile user profile and the AD user profile.
Your user should be redirected to their Dashboard in ShareFile!
You can test the rest of what was configured by accessing Connectors and previewing/editing files that are in a folder within an on-prem StorageZone.