ShareFile Technical FAQ

CITRIX 1
General ShareFile
Q: What is Citrix ShareFile?
A: Citrix ShareFile is an enterprise follow-me data solution that enables IT to deliver
a robust data sharing and sync service that meets the mobility and collaboration
needs of users and the data security requirements of the enterprise. By making
follow-me data a seamless and intuitive part of every users day, ShareFile enables
optimal productivity for todays highly mobile, anywhere and for any-device
workforce.

Q: Does ShareFile differentiate between internal employee users and external
client users?
A: Yes, within ShareFile you can set up your internal employees (employees that
work for your company with a company email domain) as employees in ShareFile.
You can also set up external clients (your clients, external from the company email
domain) as clients in ShareFile. For more information, click here.

Q: What types of provisioning options are available for both employees and
external clients?
A: There are four ways you can provision users:
Manual provision (Employee and Clients)
Bulk Import using Excel
Use the User Management Tool
Use the ShareFile API

Q: Which web browsers does ShareFile support?
A: ShareFile supports the following web browsers:
Internet Explorer versions 6.0 and newer.
Mozilla Firefox versions 3.5 and newer
Safari versions 4.x and newer.
Google Chrome versions 6.x and newer.
Q: Where to find the latest information regarding ShareFile?
A: You can find the latest information in the following sites:
Website
Forums
Documentation
Knowledge Base
Facebook
Twitter

CITRIX 2
LinkedIn
Authentication
Q: How to log into ShareFile?
A: You can log in with a ShareFile integrated user name and password or with your
Active Directory credentials.

Q: Can the internal employee users use their current Active Directory (AD)
credentials to log into ShareFile?
A: Yes. ShareFile supports SAML 2.0 authentication and can work with Identity
Providers (IdPs) such as Microsoft Active Directory Federation Service (ADFS 2.0),
Ping Federate, CA SiteMinder, and Citrix XenMobile App Controller which can be
used to authenticate against an Active Directory.

Q: What SAML authentication methods are supported with ShareFile?
A: ShareFile supports Basic, Windows Integrated Authentication and Forms Based
Authentication..

Q: Does ShareFile support LDAP?
A: Not directly. ShareFile supports SAML 2.0 and if the Identity Provider of your
choice supports LDAP to your AD but SAML 2.0 to ShareFile then yes.

Q: What are the pre-requisites for using SAML authentication with ShareFile?
A: ShareFile supports ADFS 2.0, Ping Federate, CA SiteMinder and Citrix XenMobile
AppController.

Q: Is there documentation on how to configure SAML 2.0 IdP with ShareFile?
A: Yes. For more information on configuring the SAML 2.0 IdP with ShareFile, click
here.

Q: What attribute in Active Directory determines the ShareFile user identity?
A: The SAML response from IdP must contain the users email address that matches
the users email address in ShareFile. Typically this is the email address field in
Active Directory.

Q: Will ShareFile store a users Active Directory credentials?
A: When configuring ShareFile to use your IdP, the only piece of information that
has to be provided to ShareFile is the employees email address. When an employee

CITRIX 3
logs in to a ShareFile native tool, there is an option for the user to save their
credentials in the tool for convenience. Administrators can disable this functionality
through policy.

Q: What SAML bindings are supported by ShareFile?
A: ShareFile uses HTTP Redirect (GET) by default and HTTP (POST) if Request
Signature is enabled.

Q: Does the ShareFile SAML authentication support IdP redirects (HTTP 302)?
A: Yes.

Q: Does ShareFile support IdP-Initiated or SP-Initiated Login?
A: Yes, ShareFile supports both SP-Initiated and IdP-Initiated Login from the WebUI.
Citrix only supports SP-Initiated in the tools.

Q: Can employee users and client user log into the ShareFile web UI from a
single interface?
A: Yes. You can create a split login screen with both SAML login and ShareFile
integrated (E-mail) login on the same screen.

Q: When I enable SAML login on the ShareFile customer account, can users still
login using their ShareFile integrated email address?
A: Yes, but only with the web UI. This can be disabled through policies. All other
ShareFile clients will automatically accept SAML based authentication.

Q: Can we restrict employee users to login with only their AD credentials?
A: Yes, you can restrict employees to have to login with their AD user name and
password. It is also possible to restrict this login to a certain IP range.

Q: Where to find the SAML Metadata information for my ShareFile customer
account?
A: Go to https://<accountname>.sharefile.com/saml/metadata.





CITRIX 4
Employee Provisioning
User Management Tool
Q: What does the User Management Tool do?
A: The User Management Tool (UMT) enables you to provision employee user
accounts and ShareFile distribution groups from your Active Directory.

Q: Where to download the tool?
A: You can download the tool from citrix.com by logging in with your Citrix ID.

Q: What operating systems does the tool work with?
A: The UMT works with Windows 7, 8, Windows Server 2008, and Windows Server
2012.

Q: Is there documentation on how to use the tool?
A: Yes. For more information, click here. Video to get started, click here

Q: Can we use User Management Tool (UMT) with multiple domains?
A: Yes, you can use the UMT with multiple domains.

Q: Can we set up the tool to auto synchronize updates to our AD users and
groups with ShareFile?
A: Yes, you can use Windows Task Scheduler with the UMT.

Q: When I synchronize a group through the User Management Tool, how does it
appear in ShareFile?
A: AD groups synced with ShareFile through the UMT will sync as a distribution
group in ShareFile.

Q: I set up a group to synchronize with ShareFile and I see that group as a
Distribution group. However when I click in the group, all the employees are
not available. Why?
A: If the employee user is not in ShareFile, then they will not appear in the
Distribution group you created using the UMT.


CITRIX 5
Desktop tools and Deployment Options
Outlook Plugin
Q: Where to find the Outlook Plug-in for Enterprises?
A: You can download the ShareFile Outlook Plug-in from within your ShareFile
customer account in the Apps tab.

Q: What versions of Outlook are supported for the ShareFile Outlook Plug-in?
A: You can run the ShareFile Outlook plug-in on 64-bit and 32-bit Outlook 2007,
2010, and 2013.

Q: Does the ShareFile Plug-in work with Outlook Web Access (OWA) or Outlook
for Mac?
A: No. OWA and Outlook for Mac do not currently support plugins.

Q: Is there a plug-in for Lotus Notes?
A: No

Q: Can we deploy the plug-in with our published version of Outlook in XenApp?
A: Yes. For more information, click here.

Q: Can we control the Outlook Plug-in settings, such as attachment policy, link
options, and so on; and not let our employees change these settings?
A: Yes, you can accomplish this with a custom MSI package and with the assistance
of ShareFile support. For more information on the MSI package, click here.

Q: What authentication methods are available for the ShareFile Outlook Plug-
in?
A: ShareFile Integrated and SAML 2.0 Authentication. You can find out more by click
here.

Q: What customizations are available with the Outlook Plug-in link insertion
text?
A: You can customize the wording of the banner text. You must email
support@sharefile.com with the text you require.


CITRIX 6
Sync for Windows
Q: Which versions of Windows are supported with Sync?
A: ShareFile Sync for Windows supports the following operating systems (for 32-bit
and 64-bit versions):
Windows Server 2008 R2
Windows 8
Windows 7
Windows Vista
Windows XP

Q: Are there GPO settings that can be set when deploying Sync for Windows?
A: Yes. For more information, click here.

Q: Is there an MSI installer of Sync for Windows?
A: Yes, to download the MSI installer, click here.

Q: Does the MSI installer support both 32-bit and 64-bit formats?
A: Yes.

Q: Does Sync for Windows support standard actions through command line
interface (install, repair, and so on.)
A: Yes, using the MSI installer, users are redirected to an .exe installer that detects
pre-requisites and automatically installs either the 32-bit or 64-bit installer as
needed.

Q: Where are the settings saved for Sync for Windows?
A: The settings are stored in AppData\Roaming\ShareFile\SyncEngine, C:\Program
Files\Citrix\ShareFile\Sync,
[HKEY_CURRENT_USER\Software\Policies\Citrix\ShareFile\EnterpriseSync].
Caution! Using Registry Editor incorrectly can cause serious problems that might
require you to reinstall your operating system. Citrix cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Be sure to back up the registry before you edit it.


CITRIX 7
Q: If Single Sign On is enabled for our ShareFile customer account, can an
employee still log into the sync tool with their ShareFile Integrated credentials?
A: Yes, if you specify the need for ShareFile Integrated credentials within the
registry policy.

Q: What Folders can you sync down to your local machine using sync?
A: Your Home Folder/Personal Folder syncs down by default but you have the
option to sync shared folders that you have been granted access to.

Q: Does the sync tool cache the data locally?
A: Yes, Sync for Windows can be configured for offline access to your files on your
local machine.

Q: Is the data encrypted locally?
A: No, ShareFile does not encrypt local on Mac and Windows; however, it works
with third party whole disk encryption tools like BitLocker and TrueCrypt.

Q: Does Sync for Windows currently support incremental or block level sync?
A: No. With ShareFile, each file is saved as a separate file with different IDs.

Q: Can certain file types be excluded from sync?
A: Yes, you can accomplish this using the configuration file of the sync tool. For more
information, click here.

Q: Can Sync be deployed on a terminal server?
A: Yes, Sync is fully supported on a terminal server by configuring On-Demand Sync.
For more information, see CTX136078 ShareFile On-Demand Sync Configuration.

Q: Can we use sync to point to existing data on file shares?
A: No, the file location must be local.

Sync for Mac
Q: What operating systems are required for Sync for Mac?
A: Sync for Mac supports Mac OS X 10.7.x, 10.8.x, and 10.9.


CITRIX 8
Q: If Single Sign On is enabled for our ShareFile customer account, can an
employee still log into the sync tool with their ShareFile Integrated credentials?
A: No, if SSO is enabled for your ShareFile customer account, then the sync tool will
accept the employees AD credentials only.

Q: What Folders can you sync down to your local machine using sync?
A: The Home Folder/Personal Folder syncs down by default. However, you have
the option to sync shared folders that you have been granted access to.

Q: Does the sync client cache the data locally?
A: Yes, Sync for Mac can be configured for offline access to your files on your local
machine.

Q: Is the data encrypted locally?
A: No, ShareFile does not encrypt local on Mac and Windows, however it works with
third party whole disk encryption tools like FileVault and TrueCrypt.

Q: Does Sync currently support Incremental or Block Level Sync?
A: No. With ShareFile, each file is saved as separately with different IDs.
Mobile and XenMobile Integration
Mobile Tools
Q: What mobile operating systems does ShareFile support?
A: Citrix has a native ShareFile application for iOS (4.3.x and above), Android
(2.1and above), Windows (7.x and above), Blackberry (5, 6, 7) and ShareFile can be
accessed through the mobile website.

Q: What account functionalities are available for a user using the native
application?
A: You can perform core ShareFile functions such as creating of folders, uploading of
files, adding users to a folder, send a file, download file for offline use (currently iOS
and Android device only), and so on.

Q: Does the application support remote wipe?
A: Yes, you have the option to wipe an employees specific ShareFile sandbox and
cached information from within the Main UI.


CITRIX 9
Q: What is a poison pill?
A: A poison pill allows you to set a predefined time that if an employee does not log
into the ShareFile native app, then the users files will be wiped from the users
mobile device. You can set up a poison pill (File Self Destruct) in the Admin tab
> Configure Device Security within the Main UI. The poison pill feature works only
on iOS and Android devices.

Q: Are the files located on the individuals mobile device encrypted?
A: The files are encrypted on iOS and Android when the device encryption is
enabled.

Q: Can we prohibit users from caching their login credentials and downloading
files for offline use on their device?
A: Yes, this can be configured using the Main UI in Admin > Configure Device
Security.

Q: Is ShareFile able to restrict Jail broken or modified devices?
A: Yes, this can be configured using the Main UI in Admin > Configure Device
Security.

Q: Can I edit documents from within the ShareFile mobile application?
A: You can edit Office documents (Word, Excel and PowerPoint) and annotate PDFs
within the iOS ShareFile mobile application.

XenMobile Integration
Q: What are the ShareFile integration options within XenMobile?
A: ShareFile can be deployed as a MDX wrapped application through XenMobile
AppController and you can also access the ShareFile account through WorxMail for
secured attachments.

Q: If we deploy the ShareFile MDX wrapped app through XenMobile, can we
use AppController for AD authentication/SSO?
A: Yes, if you deploy the ShareFile MDX wrapped app, you can use AppController for
AD authentication/SSO.


CITRIX 10
Q: Can we control what devices can access ShareFile?
A: You can control the devices that connect to ShareFile by utilizing the XenMobile +
ShareFile integration. Turn off the traditional clients and allow only the enterprise
distributions.

Q: Is it possible to set application level policies, including policies such as
deciding when a user can access ShareFile based on the network they are on,
when deploying ShareFile through XenMobile?
A: Yes, this advanced app level policies can be achieved through deploying the MDX
wrapped ShareFile application through XenMobile.
StorageZones Controller, Control Plane, ShareFile Data and
StorageZones Connectors
Q: What is Citrix ShareFile StorageZones?
A: Citrix ShareFile StorageZones provides IT the flexibility to choose between
customer-managed StorageZones to leverage on-premises storage within their
private cloud or Citrix-managed secure cloud storage options in multiple worldwide
locations.
Q: What is the terminology associated with ShareFile StorageZones?
A: The following product names are associated with StorageZones:
Citrix-Managed StorageZones (using Citrix managed cloud storage utilizing
Amazon or Microsoft Azure).
Customer-managed StorageZones (Using your own storage as the backend
storage of ShareFile. This requires a dedicated CIFS share for ShareFile).
ShareFile StorageZone Controller (previously known as Storage Center: the
ShareFile software installed on premises). One or more StorageZone
Controllers make up a StorageZone.
StorageZones for ShareFile Data (native StorageZones cloud-optimized
storage technology) can be either Citrix-managed or Customer-managed and
offers the full ShareFile feature set (sync, send/share, retention, versioning,
and so on).
StorageZones Connector for Network Shares utilizes an on-premise ShareFile
StorageZone Controller to connect to existing network shares).
StorageZones Connector for SharePoint (utilizes an on-premise ShareFile
StorageZone Controller to connect to existing SharePoint document libraries).





CITRIX 11
Citrix Managed StorageZones
Q: Who hosts the servers that are used for file storage with Citrix managed
StorageZones?
A: Citrix uses SSAE-16 compliant Amazon Web Services (AWS) and Microsoft Azure
servers.
Q: Can we use more than one AWS or Azure region on the same ShareFile
customer account?
A: No, the ShareFile customer account will be associated only with one AWS or
Azure region.
Q: Are the files encrypted at rest?
A: Yes, Citrix uses AES-256 bit encryption on files at rest.
Q: Do you perform regular backups of the data?
A: Yes, the files are stored redundantly within the cloud regions. Citrix also back up
all US based customer files daily to a Windstream Hosted Solutions datacenter in
Charlotte, NC.
Q: Do you periodically test backup media to ensure data completeness,
consistency, and data restoration within a defined timeframe?
A: Yes. Citrix implements hash based integrity and disk based online backups so we
can switch over from Amazon Web Services on demand.
Q: Will Client data be co-mingled with data from other clients in AWS?
A: Your files will co-exist within Amazon S3 with files other clients upload and
transfer using ShareFile. Access controls are enforced logically. Citrix maintains the
databases that do not store client files and maintains only the file
attributes/metadata including file ownership, privileges, and authentication data.
Essentially, anyone who wants to upload, download, or transfer a file must have the
appropriate privileges within the database. For more information, review the
Amazon Web Services "Overview of Security Processes" document, specifically.
Q: Does Citrix employ encryption technologies or other controls to protect
client data while stored on the Citrix information systems?
A: Yes, all client files are encrypted using AES 256-bit symmetric key encryption.
File integrity is confirmed using an MD5 hashing algorithm. Each 1 MB sector of a
client file is encrypted with a unique AES 256-bit encryption key generated using
the XTS-AES NIST standard and 512 bits of key data (the XTS-AES key) for that file.
Each files 512-bit XTS-AES key is derived using a per-file portion of the key and is
stored physically within the control plane (SQL Server) separately from the system-
wide HMAC key which is stored on the Storage Center server that receives and
processes the file. The file is stored within an Amazon Web Services Simple Storage
Service (S3) bucket. The Microsoft data protection API (DP API) protects the
confidentiality of the system-wide Storage Center HMAC key. Only select senior

CITRIX 12
team members within ShareFile have access either to the production SQL Servers,
which contain the per-file portion of the key or the production Storage Center
servers that contain the master HMAC key.
StorageZones Controller with ShareFile Data
Q: Are there specific requirements needed to install a customer-managed
StorageZones?
A: Yes, requirements include a ShareFile Enterprise customer account, the
customer-managed StorageZones software (Storage Center), Windows Server 2008
R2, CIFS based network share, IIS, .Net 4.5, publicly-resolvable Internet hostname
and a public SSL certificate. For more information on the requirements, click here.
Q: Does Citrix ShareFile recognize non-English versions of Windows Servers
2008 R2?
A: Yes, you can install the English version of StorageZone controller on the following
operating system versions: French, German, Japanese, Simplified Chinese and
Spanish. More information found here.
Q: Can we use a Windows Server 2012?
A: No, currently the Storage Center can be installed on Windows Server 2008 R2.
Q: Which storage systems are supported (NetApp, EMC, and so on)?
A: For StorageZone with ShareFile Data, any CIFS compatible storage system can be
used.
Q: Should I have a dedicated machine for StorageZones Controller?
A: Yes, because of potential load, StorageZone Controller should run on a dedicated
windows server. This may be either a physical or virtual machine.
Q: How to size the server?
A: For 5,000 users, Citrix recommends two midrange machines each running 2 CPUs
and 4 GBs of RAM.
Q: Can I have two StorageZone Controllers for high availability?
A: Yes, it would be ideal to have at least two separate StorageZone Controllers for
redundancy and performance connected to a single CIFS share. For more
information, click here.
Q: Can I install more than one StorageZone Controller on the same server?
A: No, only one instance of the StorageZone Controller can be installed per server.
Q: Should the StorageZone Controller be installed within my DMZ?
A: The preferred deployment is to install StorageZone Controller on your internal
network and then have a NetScaler or other load balancer in your DMZ. For more
information, click here. It is possible (for a proof of concept, for example) to install
Storage Center, along with its storage, in the DMZ if required.

CITRIX 13
Q: When installing the StorageZone Controller is it best practice to use the
service account for the UNC access in the configuration wizard?
A: There is no preference, however, it is very common and often regarded as a best
practice to use a service account.
Q: Does the service account information get stored in the Control Plane?
A: No, the information is strictly saved in the configuration on the StorageZone
Controller server.
Q: Is the StorageZone data encrypted?
A: Yes, if you choose to check the box for encryption in the configuration wizard
then the files will be encrypted with 128 RC4 encryption. Most of our customers
choose to leave encryption disabled for customer-managed StorageZones, just as
most internal network shares are stored unencrypted. Of course, any disk-level
encryption you might employ in your data center would be transparent to our
solution.
Q: Should I enter a passphrase while going through the StorageZone
configuration wizard?
A: Yes, the passphrase is used to protect your file encryption key. Ensure to archive
the passphrase because it will be required if you choose to add more StorageZone
Controllers in a zone. If lost, you cannot reinstall StorageZone Controllers, join
additional StorageZone Controllers to the StorageZone or recover the StorageZone if
the server fails.
Q: Can the files saved in a customer-managed StorageZone be altered
afterwards from the server side?
A: No, the files are saved as immutable objects and are not intended to be modified
by administrators or tools.
Q: Are the stored files in a customer-managed StorageZone deployment in
readable format?
A: No, they are binary files with obscured filenames and are not in readable format.
The file name and folder structure of StorageZones continues to be stored in the
ShareFile.com control plane.
Q: What protocol is being used by the StorageZone Controller when it initiates
with UNC?
A: ShareFile does not interface directly with the CIFS share. ShareFile uses Windows
File APIs referencing the UNC as a path. Windows will negotiate the actual protocol
for ShareFile.
Q: Can we house the entire service, files, and application in house?
A: No, as a SaaS product Citrix is keeping the Control Plane (that houses the
application, account information, brokering, reporting, access control, and so on) on
our servers so that Citrix can push updates to you, your employees and your clients.

CITRIX 14
Q: Is any file information stored in the Control Plane?
A: Yes, currently there is metadata (file and folders names, records and
permissions) stored in our data centers.
Q: How is backup and recovery enabled for customer managed StorageZones?
A: Information on setting up the recovery queues and how to perform a recovery is
found within the install package:
C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\Disaster Recovery. Three years
of metadata for your StorageZone account is archived at ShareFile.com starting on
February 15, 2013.
ShareFile StorageZone Connectors for Network Shares and
SharePoint
Q: What is ShareFile StorageZone Connectors?
A: ShareFile StorageZone Connectors allows you to provide instant mobile access to
data on existing network file shares and in existing SharePoint site data repositories
to your employees.
Q: Are there requirements or software for StorageZone Connectors to work?
A: Yes, you must install the StorageZone Controller. To find list of all the
requirements, click here.
Q: What client devices does StorageZone Connectors support?
A: Currently StorageZone Connectors works on iOS and Android devices.
Q: Can we make changes to the files on an iOS device?
A: Yes, you can read and write to both network shares and SharePoint Site data
repositories.
Note: With Connectors for SharePoint you can also check-in/check-out files.
Editing is available only for Office files and annotation is available for PDFs.
Q: How are the permissions set for the Windows file shares that the employees
have access to?
A: ShareFile StorageZone Connectors will take into account the users NTFS
permissions.
Q: What is the user experience when accessing existing Network Shares or
SharePoint document libraries?
A: When an end user opens the ShareFile application on their iOS or Android device,
they will first authenticate to their ShareFile account. If the administrator has
configured access to Network Shares or SharePoint document libraries, they will
select the required document library and be prompted to authenticate with their
Active Directory credentials. The end user will then have access to documents using

CITRIX 15
their existing NTFS permissions. These include the ability to upload, download,
check in, and check out (SharePoint), edit and delete.
Note: If a user only has the ability to read files, they cannot alter the document on
the Network Share.
Q: How does the authentication occur from mobile device to SharePoint or
Network Shares?
A: If you have a NetScaler in the environment, then the user would authenticate
against the NetScaler using Basic Authentication. The user will then be
authenticated to the StorageZone Controller server and finally to either SharePoint
or Network Shares based on that location's authentication requirements (Basic,
NTLM or Kerberos).
If there is no NetScaler in the environment, then the user will be authenticated to
the StorageZone Controller server using Basic authentication and then authenticate
to either SharePoint or Network Shares based on that location's authentication
requirements (Basic, NTLM or Kerberos).
API
Q: Does ShareFile have a public API?
A: Yes, you can access information on our API and some of the API calls. For more
information, click here.
Q: What type of API does ShareFile provide?
A: ShareFile has an REST API that is accessible through a variety of programming
languages.
FTP
Q: Does ShareFile support file transferring over FTP?
A: Yes, ShareFile does support file transferring over FTP as long as the file is located
in a Citrix Managed StorageZone (Cloud storage).
Q: Does ShareFile support FTPS?
A: Yes, ShareFile does support file transferring over FTPS (SSL) as long as the file is
located in a Citrix Manage StorageZone (Cloud storage).
Q: Does ShareFile support SFTP?
A: No, ShareFile only supports FTPS.
Q: Can you connect to your ShareFile StorageZone, housed on-premises,
through any FTP method?
A: No, ShareFile only supports access to your files through FTP when the files are
stored in a Citrix Managed StorageZone (Cloud storage).