Implementing ShareFile On-Demand Sync - ShareFile

Find an Answer

Search ShareFile articles, videos and user guides   Your search term must have 2 or more characters.

Implementing ShareFile On-Demand Sync

ShareFile On-Demand Sync is designed for integration with hosted desktops and applications running in XenApp and XenDesktop environments.

This document is intended to provide implementation details for configuring ShareFile Sync in such environments, which includes installation, configuration, best practices, and troubleshooting tips. To download a full PDF version of this installation and troubleshooting guide, please click here.

Architectural overview

On-Demand Sync is required to make ShareFile Windows Sync compatible with XenApp and XenDesktop environments. In these environments end-users are using virtual desktops or applications which are running remotely in a XenApp or XenDesktop farm of servers. The way it works is seamless for end users. When they use Windows Explorer or click File…Open in applications like Microsoft Word they see all their data just like they expect. When they access a document, it is downloaded and cached locally from the ShareFile cloud or from ShareFile on-premise storage. For admins, this is a huge improvement as only a few kilobytes of metadata are synchronized and the file is only pulled into the session when the users are directly accessing the file.

ShareFile On-Demand Sync achieves this via a file system filter driver and Windows reparse point files (NTFS feature). A reparse point file is like a mockup file: when an application tries to access it the access is temporarily put on hold, the download of the real file is triggered and the access is resumed when the file download is competed and the reparse point has been replaced by the real file.

The following diagram shows a high level overview of the On-Demand Sync architecture.

Architecture

Process Details

SyncService.exe

  • Windows service running as local system.
  • This process will not run unless group policies are applied to enable On-Demand Sync.
  • It is responsible for uploading and downloading of files to the cloud storage provider.
  • SyncService will load the file system filter driver and will create and modify NTFS reparse points.
  • It will monitor local file system operations in the user's ShareFile directory.

SyncSessionAgent.exe

  • This process will persist within the user's session and will communicate with the SyncService for notifications.

ShareFileSyncConfig.exe

  • This process is for intial configuration to allow users to enter credentials or if users are required to re-authenticate.

ShareFileSyncMonitor.exe

  • This process runs during the session launch and checks for migration and group policy configurations. The process will exit and not continue running within the session.

SyncUpdateService.exe

  • By default the SyncUpdateService does nothing for On-Demand Sync due to change control policies put in place by IT administrators.

ShareFile Sync Directory Location

The default location for ShareFile Sync will be under %userprofile%\ShareFile. Citrix does not recommend changing this to a location outside the user profile. The ShareFile directory must reside on the local file system, therefore a network drive such as a redirected home folder cannot be used.

For any roaming profile solution, the local ShareFile Sync directory should be excluded. This is done to prevent duplicate data, profile bloat, and reduce the chance of any potential conficts.

In virtual environments, if users log on to multiple machines, you want to make sure that the Sync key within the HKEY_CURRENT_USER hive roams with the user.

  • HKEY_CURRENT_USER\Software\Citrix\ShareFile\Sync

Installation

ShareFile On-Demand Sync can be installed via EXE or MSI. Both installation types can be downloaded from http://www.citrix.com/downloads/sharefile.

  • EXE - Used for per-machine installation which will detect and install pre-requisites
  • MSI - For administrators to perform a push install

Installation Steps

  1. Apply the On-Demand Sync computer policies and user policies via GPO
  2. Ensure all sessions have been logged off from the XenApp or XenDesktop machines
  3. Log on to XenApp or XenDesktop machines as an Administrator
  4. Install the ShareFile Sync for Windows client
  5. Reboot the XenApp or XenDesktop machines
  6. Configure profile management solution to exclude the "ShareFile" directory from the user's profile

The ShareFile Sync service by default will be set to manual startup. This service will start from the Sync Session Agent process when a valid ShareFile sync user logs into the system.

Verification of Successful Installation

Once ShareFile Sync has been installed and configured via Group Policy you can verify that the installation was successful by doing the following:

  1. Log on to StoreFront and launch the hosted application or desktop that you've configured for your users.
  2. Depending on the authentication type that you've configured for ShareFile Sync, you may or may not be prompted for credentials.
  • ShareFile Authentication - You will be prompted to enter your ShareFile username and password.

  • SAML Web Forms Authentication - You will be prompted for your email address and then you will be asked to authenticate against your Identity Provider (IDP).

  • SAML Integrated Authentication (aka Single Sign-On using AD Credentials) - You will not be prompted for credentials. The current logged on user's credentials will be passed to your IDP.

Once you've successfully authenticated to ShareFile Sync, you will be able to access the ShareFile directory.

Directory

Environment Configurations

ShareFile On-Demand sync is currently tested in the following environments and operating systems.

  1. XenApp 6.5 (Windows Server 2008R2)
  2. XenDesktop 7.1 (Windows Server 2008R2, Windows Server 2012R2, Windows 7 SP1 {x86/x64}, Windows 8.1 {x86/x64})
  3. Citrix Profile Managment 4.x
  4. Citrix Profile Management 5.x

Roaming Profiles

For any roaming profile solution, the local ShareFile Sync directory should be excluded. This is done to prevent duplicate data, profile bloat, and reduce the chance of any potential conflicts.

In virtual environments, if users log on to multiple machines, you want to make sure that the Sync key within the HKEY_CURRENT_USER hive roams with the user. By default the HKCU registry hive is saved for roaming profiles, but some profile management solutions offer options for exclusions.

 

Group Policy Configuration

On-Demand Sync ADMX Template

As of the Windows Sync 2.10 release, the On-Demand Sync ADMX and ADML are included as part of the installation.

The ADMX and ADML files can be found in the following locations after installing Windows Sync:

  • %ProgramFiles%\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions\ShareFileOn-demand.admx
  • %ProgramFiles%\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions\en-US\ShareFileOn-demand.adml

How to Add ADMX File to Group Policy Management

  1. Logon to the machine from which you run the Group Policy Management console
  2. Copy the ADMX file to %WinDir%\PolicyDefinitions directory
  3. Copy the ADML file to the %WinDir%\PolicyDefinitions\en-US directory

Group Policy Settings

Policy

Location in Group Policy Snap-In

Description

Account

User Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

Lets you specify the ShareFile account to use e.g. acme.sharefile.com

 

Required:

Enabled - ShareFile account must be specified

 

AuthenticationType

User Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

Lets you specify the authentication type used by the ShareFile account:

 

  • ShareFile Authentication
  • SAML Integrated
  • SAML Forms

 

Required:

Enabled –Must match the authentication settings configured in ShareFile account

 

LocalSyncFolder

User Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

 

This policy specifies the path to the local Sync folder.

 

If this policy is not configured, the default location of the ShareFile folder is in the user profile. e.g. %userprofile%\ShareFile

 

The folder path specified here must be on the same volume as On-demand Sync disk volume if On-demand sync is configured.

This setting cannot be set to the root of the drive.

 

Recommendation: Not configured

 

On-demandFolderIds

User Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

This policy configures additional ShareFile folders to sync using On-demand Sync.

The folder Ids can be retrieved from the account web page's Get Direct Link action of the folder.

 

The folder id consists of alpha-numerical characters that begins with 'fo'.

 

Sample Folder Id: fof8e4ee-ee90-127e-849f-88a3263323eb

If the folder id maps to a Shared folder that has also been marked as a Favorite, the folder will appear only within Favorite Folders.

 

Recommendation: Not configured

 

On-demandPersonalFolder

User Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

This policy enables On-Demand Sync for the user

 

Required: Enabled – Sync Personal Folder checkbox must be selected

 

On-demandSyncDiskVolume

Computer Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

This policy enables On-Demand Sync. The volume letter selected in this policy will be monitored by On-Demand Sync.

 

Required: Enabled – Set volume to C:\

 

On-demandSyncFolderReparse

Computer Configuration\Policies\Administrative Templates\ShareFile\Enterprise Sync

This policy settings can enable or disable folder reparse points when using On-demand Sync v2.6 or greater.

 

Citrix User Profile Management 4.x and earlier may have issues deleting reparse point folders to clean up user's profile. Disabling folder reparse points in On-demand sync will resolve this issue.

 

If this setting is enabled and On-demand Sync Reparse Folder is checked, reparse point folder is enabled.

 

If this setting is enabled and On-demand Sync Reparse Folder is unchecked, reparse point folder is disabled.

 

If this setting is disabled, reparse point folder is disabled.

 

If this setting is not configured, reparse point folder is enabled.

 

Recommendation: If using Citrix Profile Management 4.x, set the policy to Disabled

 

Without this setting configured it is possible that the Folder reparse cannot be deleted and the profile could be left in an inconsistent state, possibly leading to profile related issues.

 

Citrix Profile Manager 5.x does not require this setting.

 

If using Citrix Profile Management 5.x, set the policy to Not Configured

Citrix Profile Management Group Policy Settings

Policy

Location in Group Policy Snap-in

Description

Exclusion list - directories

Computer Configuration\Policies\Administrative Templates\Citrix\Profile Management\File System

 

List of directories that are ignored during synchronization.

 

Folder names should be specified as paths relative to the user profile.

 

The ShareFile folder should be added to the Exclusion list. e.g. ShareFile

 

Required: Enabled – ShareFile added to list of exclusions

SAML Forms Authentication

As of Windows Sync 2.10, SAML Forms authentication is now supported in On-Demand Sync configurations. At this time, XenMobile is the officially supported Identity Provider for SAML Forms authentication and On-Demand Sync.

As a requirement for SAML Forms, Internet Explorer must be configured with the appropriate URLs in the trusted zone.

Adding Sites to Trusted Zone

Method 1 – Internet Explorer

Within your desktop session and if you have access to Internet Explorer, you can manually add the required URLs to the Trusted Sites zone via Internet Options > Security.

  1. Launch Internet Explorer within your desktop session
  2. Go to Tools > Internet Options > Security tab
  3. Within the Trusted Sites zone, click on the Sites button
  4. Add XenMobile URL that ShareFile will redirect to in order to authenticate
  5. In most cases, this will be the URL that leads to your NetScaler. For example, https://netscaler.acme.com
  6. Add https://*.sharefile.com or https://*.sharefile.eu

Method 2 – Registry and Group Policy

Add the Trusted Sites to your users by configuring the registry via Group Policy Object.

1. Configure the Group Policy to add *.sharefile.com to the Trusted Sites.

  • Action: Update
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sharefile.com\*
  • Value name: https
  • Value type: REG_DWORD
  • Implementing Citrix ShareFile On-Demand Sync
  • Value data: 00000002

2. Configure the Group Policy to add *.sharefile.com to the Trusted Sites.

  • Action: Update
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\sharefile.com\*
  • Value name: https
  • Value type: REG_DWORD
  • Value data: 00000002

3. Configure the Group Policy to add your XenMobile URL (e.g. https://netscaler.acme.com) to the Trusted Sites.

  • Action: Update
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\acme.com\netscaler
  • Value name: https
  • Value type: REG_DWORD
  • Value data: 00000002

4. Configure the Group Policy to add your XenMobile URL (e.g. https://netscaler.acme.com) to the Trusted Sites.

  • Action: Update
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\acme.com\netscaler
  • Value name: https
  • Value type: REG_DWORD
  • Value data: 00000002

SAML Forms Configuration

The following steps must be taken in order to configure On-Demand Sync to use SAML Forms authentication:

1. Within the On-Demand Sync group policy that is applied to the users, set the Authentication type to SAML Web Forms

Auth Type 1

2. Ensure *.sharefile.com and the XenMobile URL have been added to the trusted sites for the users who are logging on to XenApp or XenDesktop sessions as shown in section 8.1.

3. Logon to XenApp or XenDesktop session and verify that user is prompted to enter their e-mail address and is then able to click on the Begin browser Login button to be redirected to the XenMobile environment for authentication

Please note the e-mail is required in order to validate the ShareFile account against the Active Directory credentials submitted to the Identity Provider.

Auth Type 2

4. Click the Begin browser Login button to bring the user to the XenMobile logon screen

Auth Type 3

Proxy Configuration

As of Windows Sync 2.10, proxy auto detection is disabled by default. This is the recommended configuration unless a proxy is required for your environment. Proxy can be enabled by configuring one of the following:

Per Machine Proxy Settings

To set proxy configuration on a per-machine basis, you must manually modify the Windows registry under HKEY_LOCAL_MACHINE\Software\Citrix\ShareFile\ProxyConfig.

See Proxy Registry Settings section below.

Per User Proxy Settings

Per-user configuration can be enabled from the Control Panel option under System and Security for ShareFile Sync.

Control Panel

Proxy Settings

If the user does not have access to the control panel, you must manually modify the Windows registry under HKEY_CURRENT_USER\Software\Citrix\ShareFile\ProxyConfig

If using Group Policy to deploy the proxy settings, ShareFile On-Demand Sync will also read the settings under HKEY_CURRENT_USER\Software\Policies\Citrix\ShareFile\ProxyConfig

Proxy Registry Settings

Name

Type

Data

Description

AutoDetectProxy

REG_DWORD

0 – Disabled

1 – Enabled

Automatically detect proxy settings  

Note: May cause performance degradation

 

LocalAddressBypass

RED_DWORD

0 – Disabled

1 – Enabled

Bypass proxy for addresses specified in ProxyBypassList

Note: You must enable UseProxyServer

 

ProxyBypassList

REG_MULTI_SZ

 

Addesses can be specified in IP or hostname format

 

ProxyConfigurationScriptUrl

REG_SZ

 

URL that points to the proxy auto configuration script

 

Note: You must enable UseAutoConfigurationScript

 

ProxyServerUrl

REG_SZ

 

Specify the proxy URL to be used by ShareFile Sync

 

UseAutoConfigurationScript

REG_DWORD

0 – Disabled

1 – Enabled

Use a proxy auto configuration script

Note: You must specify ProxyConfigurationScriptUrl

 

UseCurrentLoggedInUser

REG_DWORD

0 – Disabled

1 – Enabled

Use the current logged in user to authenticate against the proxy server

 

UseIESettings

REG_DWORD

0 – Disabled

1 – Enabled

Use proxy settings specified in IE

 

UseProxyServer

REG_DWORD

0 – Disabled

1 – Enabled

Use a proxy server for ShareFile Sync

 

Troubleshooting

Force Logoff Screen

Scenario: User will be shown a Force Logoff screen if they attempt to log off a session while Sync is uploading data.

Cause: On-Demand Sync will cancel the logoff to prevent data loss if there are uploads in progress. Once the uploading is complete, the logoff will resume. If the user forces the logoff, they could lose data.

Force Logoff

Spontaneous File Downloads

Scenario: Files are downloaded prior to user attempting to access them.

Cause: The Windows Explorer thumbnails preview feature can cause the spontaneous download of image and executable files in ShareFile On-Demand Sync.

Solution: Complete details can be found at here.

Log Files

Log files are the typical means of troubleshooting On-Demand Sync.

Sync Service Logs

The SyncService process (Windows service) logs files are located in the Windows temp directory (as defined by the TEMP system environment variable) in the ShareFile subdirectory. Typically the corresponding path is C:\Windows\Temp – but may be different based on environment configuration. The SyncUpdateService log file names are in the format:SyncService2_<timestamp>.log.

Session Logs

The user configuration logs (such as group policy settings) can be found in the user TEMP directory, which is definied by the user environment variables. Typically the corresponding path is %userprofile%\appdata\local\temp.

 

Related

Desktop Apps

Did this article answer your question?
Yes
No
Why?