Skip to content

To help you set up NetScaler for ShareFile with on-premises storage zone controllers, an easy-to-use wizard is included in the GUI. The wizard prompts you for basic information about your StorageZones Controller environment and then generates a configuration that:

  • Load balances traffic across StorageZones Controllers
  • Provides user authentication for StorageZone Connectors
  • Validates URI signatures for ShareFile uploads and downloads
  • Terminates SSL connections at the NetScaler appliance

The diagram (courtesy of © Citrix Systems) shows these Netscaler components created by the configuration:

After running the built-in Setup Citrix ADC for ShareFile wizard, users starting complaining that they cannot access their network shares anymore. Those network shares have been provided via the integrated ShareFile Connector's funcionality and has been up and running very smoothly prior to adding Netscaler to the equation.

As soon as users tried to access a network share via a StorageZone Connector they received an error indicating "Failed to load folder -The folder you are looking for could not be found":

As per Citrix, you may see following error while accessing Network Shares on ShareFile Web App:

The folder you are looking for could not be found. This can occur if the link you used is incorrect, or if it points to a folder that has been deleted or to which you do not have access.

Mind that this happened with the ShareFile Web App only while accessing network shares, i.e. using within a browser, whereas accessing the exact same network share via Citrix Files for iOS worked like a charm. After having consulted our change management documentation, it quickly became clear that only one culprit could remain, as there has been no change in user passwords, permissions, group memberships, UNC paths regarding the underlying network shares, et al. All users have required permissions. The root cause could only be traced back to the changes in the Netscaler configuration a couple of days earlier. So I started investigating the details of the Setup Citrix ADC for ShareFile wizard, its configuration changes and effects on my setup by reading ShareFile On-prem and NetScaler: A Comprehensive Configuration Guide & Deep Dive, amongst others:

In case you messed up with your ShareFile Configuration: you can try to remove it with Remove ShareFile Configuration

With having a better understanding of all things Netscaler & Sharefile, I did a little research and found a Citrix Discussion dealing with my issue and it turned out that the Setup Citrix ADC for ShareFile wizard (to the contrary) does not handle all the configuration required to access network shares via a StorageZone connector. Further configuration as to be done manually to make it work (again), as can be read here:

To support restricted zones or web access to StorageZone Connectors, you must perform additional NetScaler configuration after you complete the NetScaler for ShareFile wizard.

The additional configuration provides the Netscaler components shown in the following diagram:

The description of the additional configuration of Netscaler in Citrix Docs is - to say the least - not very accurate. Without appropriate formatting of the corresponding text passages and additional depictions illustrating every single configuration step, manual adjustments are difficult to comprehend for non-Netscaler-aficionados. Therefore I'd like to expand on Citrix Docs and provide a more elaborate description of the configuration steps required. So, what do we need to add to the existing Netscaler configuration:

  1. a third NetScaler load-balancing virtual server
  2. a third CS policy to allow anonymous access from clients for the HTTP OPTIONS verb
  3. update the existing CS policy used for traffic to StorageZone Connectors (by default: _SF_CIF_SP_CSPOL)
  4. update the existing CS policy used for traffic to StorageZones for ShareFile Data (by default: _SF_SZ_CSPOL)
  5. create a heartbeat monitor for the StorageZones Controller service and bind it to the CS virtual server for ShareFile
  6. verify the ShareFile Load Balancing configuration

First, add a new Load Balancing vServer as follows:

add lb vserver vsrv_SF_ZONE_OPTION SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180	
bind lb vserver vsrv_SF_ZONE_OPTION 	
set ssl vserver vsrv_SF_ZONE_OPTION -sslProfile ns_default_ssl_profile_frontend	
bind ssl vserver vsrv_SF_ZONE_OPTION -certkeyName 	
add cs policy _SF_ZONE_OPTIONS_CSPOL -rule "HTTP.REQ.METHOD.EQ(\"OPTIONS\")"
Load Balancing vServer settings
bind the corresponding Sharefile Service and certificate

The full policy expression for the newly created CS policy (by default: _SF_ZONE_OPTIONS_CSPOL) should be as follows:

HTTP.REQ.METHOD.EQ("OPTIONS")

Adjust the existing _SF_CIF_SP_CSPOL policy in terms of Expression. The full policy expression for an existing _SF_CIF_SP_CSPOL should be as follows:

HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/") || HTTP.REQ.URL.CONTAINS("/ProxyService/")
_SF_CIF_SP_CSPOL Policy Expression

Adjust the existing _SF_SZ_CSPOL policy in terms of Expression. The full policy expression for an existing _SF_SZ_CSPOL should be as follows:

HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/“).NOT && HTTP.REQ.URL.CONTAINS("/ProxyService/").NOT
_SF_SZ_CSPOL Policy Expression

In the end your CS policies should look like this (in terms of Expressions):

final CS policies and corresponding Expressions

Now adjust the existing CS vServer for Sharefile (in my case vsrv_SF_CS_ShareFile) regarding its Policy Bindings in that you add the newly created CS Policy (in my case _SF_ZONE_OPTIONS_CSPOL) as the third CS policy with a Priority of 90 and set the Target Load Balancing Virtual Server to the newly created LB vServer (in my case vsrv_SF_ZONE_OPTION):

The StorageZone Hearbeat Monitor can be added using CLI by running the following commands:

add lb monitor SZC_Heartbeat HTTP-ECV -send "GET /heartbeat.aspx" -recv "***ONLINE***” -secure YES
bind service <Name of your LB service i.e. internal SF server> -monitorName SZC_Heartbeat

The newly added StorageZone Heartbeat Monitor should look as follows:

StorageZone Heartbeat Monitor Configuration

The complete CLI command list would look like this, whereas the following values need replacement according to your environment:

  • CertDisplayName (server certificate name you want to bind to your vServer)
  • NameOfYourSFServer (i.e. the Sharefile Server you've added to your NetScaler configuration)
  • NameOfYourSFCSvServer (i.e. the Sharefile Content Switching vServer)
add lb vserver vsrv_SF_ZONE_OPTION SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180	
bind lb vserver vsrv_SF_ZONE_OPTION 	
set ssl vserver vsrv_SF_ZONE_OPTION -sslProfile ns_default_ssl_profile_frontend	
bind ssl vserver vsrv_SF_ZONE_OPTION -certkeyName 	
add cs policy _SF_ZONE_OPTIONS_CSPOL -rule "HTTP.REQ.METHOD.EQ(\"OPTIONS\")"	
add cs policy _SF_SZ_CSPOL -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT && HTTP.REQ.URL.CONTAINS(\"/ProxyService/\").NOT"
add cs policy _SF_CIF_SP_CSPOL -rule "HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\") || HTTP.REQ.URL.CONTAINS(\"/ProxyService/\")"
bind cs vserver  -policyName _SF_ZONE_OPTIONS_CSPOL -targetLBVserver vsrv_SF_ZONE_OPTION -priority 90

Finally, go to Traffic Management > Load Balancing > Virtual Servers to view the status of the load balancing virtual servers created for ShareFile. It may look similar to my configuration:

Virtual Servers configured for ShareFile Load Balancing

While testing your new configuration and accessing network shares via ShareFile connectors you should see an increasing hit number in the Hits column of your corresponding CS policies:

Increasing hit number in the Hits column

Update
You have to consider network restrictions as well, as Security can mess with ShareFile traffic and network flow, especially when Firewall settings do not allow corresponding (read: whitelisted) traffic to ShareFile domains, endpoints, and IPs, i.e. the ShareFile Control Plane IP ranges. Have a look at CTX208318 and CTX234446.

In another case, if you attempt to access the ShareFile network share and it prompts for users credentials, the ShareFile Web App credentials may not work. Have a look at CTX233739 as well:

Solution
Authentication settings of an IIS CIFS server on StorageZone Controller needs correction. Please follow the steps to resolve the issue:

1. Log onto the StorageZone Controller(s) and open IIS.
2. Expand Default web site
3. Click on the CIFS virtual directory, then on Authentication.
4. Ensure Anonymous is Enabled
5. ASP .NET Impersonation is Disabled
6. Basic Authentication is Enabled
7. Forms Authentication is Disabled
8. Windows Authentication is Disabled

Reference: The Authentication settings of an IIS CIFS server

Further reading:

Citrix NetScaler - Firmware Upgrade using CLI

Upgrade methodology

  1. Download latest firmware from Citrix Homepage
  2. Backup existing NetScaler config
  3. Copy firmware to Netscaler
  4. Upgrade firmware via CLI
  5. Reboot NetScaler
  6. Verify configuration and functionality

Requirements

  1. Latest NetScaler firmware tar file
  2. Windows Client or Server
  3. Putty Client
  4. WinSCP Client
  5. NetScaler being accessible via SSH (Port 22)

As per Citrix:

Warning! Any customization within NetScaler or NetScaler Gateway might cause unexpected behavior during and after the upgrade or the downgrade process, and possible configuration loss. Any sort of customization within NetScaler or NetScaler Gateway should be backed up and removed before the upgrade or the downgrade process.

How to backup a existing NetScaler configuration

See my other blog entry on automated NetScaler backups:

  1. with GUI
  2. with CLI
  3. with Nitro/Powershell

Upgrade firmware via CLI

Before you run the install script, the files must be extracted and placed on the appliance. Use the following command to uncompress the bundle located, for instance, in /var/nsinstall/build-11.0-64.34_nc/:

tar -zxvf <archive_filename>.tgz

ns_install_01

The run the following command to initiate the upgrade process:

./installns

ns_install_02

root@ns# ./installns
installns: [78217]: BEGIN_TIME 1444030959 Mon Oct  5 09:42:39 2015
installns: [78217]: VERSION ns-11.0-62.10.gz
installns: [78217]: VARIANT v
installns: [78217]: No options

installns version (11.0-62.10) kernel (ns-11.0-62.10.gz)

installns: [78217]: installns version (11.0-62.10) kernel (ns-11.0-62.10.gz)

The Netscaler version 11.0-62.10 checksum file is located on
http://www.mycitrix.com under Support > Downloads > Citrix NetScaler.
Select the Release 11.0-62.10 link and expand the "Show Documentation" link
to view the SHA2 checksum file for build 11.0-62.10.

There may be a pause of up to 3 minutes while data is written to the flash.
Do not interrupt the installation process once it has begun.

Installation will proceed in 5 seconds, CTRL-C to abort
Installation is starting ...
installns: [78217]: Installation is starting ...
installns: [78217]: detected  Version >= NS6.0
installns: [78217]: Installation path for kernel is /flash

CallHome feature is currently disabled. Enabling this feature lets this
NetScaler device/instance automatically alert Citrix support on detecting
critical errors and/or potential failures, before it impacts your network.
You can also configure this feature anytime using the command line interface
("enable feature callhome") or the configuration utility.  Please see the
documentation for further details.
Do you want to enable it NOW? [Y/N] N

installns: [78336]: Size of kernel ns-11.0-62.10.gz is 130936 kilobytes
installns: [78336]: Available space on /flash/ filesystem is 842440 kilobytes
installns: [78336]: Available space on /var is 7626642 kilobytes
installns: [78336]: Checking directories ...
installns: [78336]: Checksumming ns-11.0-62.10.gz  ...
installns: [78336]: Checksum ok.
Copying ns-11.0-62.10.gz to /flash/ns-11.0-62.10.gz ...
installns: [78336]: Copying ns-11.0-62.10.gz to /flash/ns-11.0-62.10.gz ...
installns: [78336]: BEGIN KERNEL_COPY
................
installns: [78336]: END KERNEL_COPY
installns: [78336]: Changing /flash/boot/loader.conf for ns-11.0-62.10 ...

Installing XML API documentation...
installns: [78336]: Installing XML API documentation...
Installing NSConfig.wsdl...
installns: [78336]: Installing NSConfig.wsdl...
Installing NSStat.wsdl...
installns: [78336]: Installing NSStat.wsdl...
Installing online help...
installns: [78336]: Installing online help...
Installing Cisco online help...
installns: [78336]: Installing Cisco online help...
Installing Logon Point ...
installns: [78336]: Installing Logon Point ...
Couldnt execute eula_upgrade.pl error: 6400
installns: [78336]: Couldnt execute eula_upgrade.pl error: 6400
Installing Login Schema files ...
installns: [78336]: Installing Login Schema files ...
Installing SCOM Management Pack...
installns: [78336]: Installing SCOM Management Pack...
Installing LoadBalancer Pack...
installns: [78336]: Installing LoadBalancer Pack...
Installing GUI...
installns: [78336]: Installing GUI...
Installing EPA Package ...
installns: [78336]: Installing EPA Package ...
Installing Mac EPA and Mac EPA version file...
Installing Linux EPA and Linux EPA version file...

installns: [78336]: Installing Linux EPA and Linux EPA version file...

Installing NITRO...
installns: [78336]: Installing NITRO...
Installing Debian, RPM packages ...
installns: [78336]: Installing Debian, RPM packages ...
Installing Jazz certificate ...
installns: [78336]: Installing Jazz certificate ...
Installing Call Home certificate ...
installns: [78336]: Installing Call Home certificate ...
Installing Upload server certificate ...
installns: [78336]: Installing Upload server certificate ...
/var/opt/nfast directory exists. Extracting hardserver files.
installns: [78336]: /var/opt/nfast directory exists. Extracting hardserver files.
Creating before PE start upgrade script ...
installns: [78336]: Creating before PE start upgrade script ...
Creating after upgrade script ...
installns: [78336]: Creating after upgrade script ...
installns: [78336]: prompting for reboot
installns: [78336]: END_TIME 1444031171 Mon Oct  5 09:46:11 2015

Installation has completed.

Reboot NOW? [Y/N] Y

ns_install_03

After the upgrade has been successfully completed simply reboot your NetScaler by entering Y and pressing <Enter>. After abouot 90 seconds the NetScaler will be back online and accessible through your browser. Log back in and verify whether the upgrade has been completed successfully by checking your firmware version and license status:

netscaler_upgrade_13

netscaler_upgrade_14

In case you get bogged by the newly added feature called CUXIP (Citrix User Experience Improvement Program), you're free to chose whether you want to enable it or not.

ns_install_04

After that verify the NetScaler Gateway's functionality by logging in to your vServer's public Gateway and launching any published resources.

Further reading:

If you want to use your NetScaler for all things that need to be accessible from the outside, over a single IP address, that poses an issue. As is usually a problem with small to medium sized businesses which only have one public IP address at their disposal, and need to implement features like a fully functional RDS environment (with RD Web Access, RD Gateway, etc), a XenApp/XenDesktop evnironment with StoreFront, and even AD FS, say, for Office365. Generally all these services require port 443 (https) to be fully functional, and you can only set up one distinctive IP address on your NetScaler providing this service, pointing it to your internal resources via Firewall rules, thus leaving you with only one option: NetScaler's Unified Gateway and Content Switching features. 

...continue reading "Citrix NetScaler v11 – How to setup your NetScaler as an RDS RD Gateway"

This short blog describes how to enable NetScaler 11's Content Switching feature to proxy your AD FS infrastructure thus getting rid of a dedicated AD FS Proxy server.

...continue reading "Citrix NetScaler v11 – How to setup your NetScaler as an AD FS proxy"

As I'm always thankful for any tool that might come in handy during troubleshooting sessions I thought that this might be interesting for you NetScaler/XenMobile guys as well. Just recently I stumbled upon this neat little article: CTX141060 - Citrix Cerebro - XenMobile Troubleshooting Tool and the tool it provides: Citrix Cerebro (what kind of name is that actually?):

cerebro_1

This quite comprehensive article explains the tool's core functionality pretty well, so there's not much to add right now. Therefore I simply share my experience here while using this tool in order to troubleshoot some XenMobile issues I had just recently: Access to your company network is not currently available while setting up WorxMail.

...continue reading "How to use Citrix Cerebro – XenMobile Troubleshooting Tool"

During implementing quite some XenMobile 10.x solutions in the last couple of months I came across some issues that caused quite some headaches. Therefore I'd like to document and share my lessons learned in this new blog.

As all my implementations were with existing NetScaler 10.x configurations already in place, I was not able to follow all those XenMobile 10.x installation and configuration guides out there by the book. All of those blogs and guides have one thing in common: they assume your start from scratch with both XenMobile 10.x and NetScaler 10.x and thus miss the point in merging XenMobile 10.x requirements with NetScaler 10.x, i.e. adding all those nasty MDM/MAM LB VIPs, DNS records, firewall rules, certificates, Session Policies and Profiles, et al.

I'm trying to shed some light on how to add a new XenMobile 10.x installation to an already existing NetScaler Gateway configuration.

...continue reading "XenMobile 10.x and NetScaler 10.x – A Comprehensive HowTo Guide"

Almost everybody has struggled with the now infamous Error 1030 (The connection to "ApplicationName" failed with status (1030)) when connecting with Citrix Receiver for Windows to XenDesktop through NetScaler and StoreFront. There even is an whole armada of articles available out there, totally dedicating their content to troubleshooting this quite generic network error indicating that the connection has failed. Just google it!

error_1030_4

The solution to this error? Well, it depends...

...continue reading "Citrix Receiver for Windows – The connection to “ApplicationName” failed with status (1030) – Updated"

After upgrading my existing and fully functional NetScaler v10.5 Build 57.7 to the latest v11.0 Build 55.23 and implementing Unified Gateway for XenMobile and XenDesktop, my users were unable to SAML authenticate with ShareFile, i.e.

  • by using their MDX wrapped ShareFile app on iOS devices and locking it into an endless authentication loop without any errors:

Photo_20150714_081802

  • by using their ShareFile Outlook Plugin in order to send Download and/or Upload links as they received an error stating Authentication Error - http/1.1 Service Unavailable while trying to utilize the Browser Login included with the ShareFile Outlook Plugin Configuration Wizard:

sharefile_saml_6

  • by authenticating to our company's custom ShareFile SAML Login page via Browser:

sharefile_saml_11

...continue reading "Citrix ShareFile – SAML Authentication Error after upgrading to NetScaler v11 and Unified Gateway – http/1.1 Service Unavailable"

When trying to connect to a XenDesktop 7.x and StoreFront 2.x based environment through NetScaler from an external Windows computer you could receive the following error upon finishing the Citrix Receiver initial wizard: Your account cannot be added using this server address:

receiver_error_1

...continue reading "Citrix Receiver 4.x – Your account cannot be added using this server address – Updated!"