Monthly Archives: May 2013

ShareFile Storage Center 1.1

The following content is a brief and unofficial prerequisites guide to setting up Citrix ShareFile Storage Center (On-Prem StorageZone, StorageZone Connector) by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
SHAREFILE – sf
STORAGEZONE – sz
STORAGEZONECONNECTOR – szc
FULLY QUALIFIED DOMAIN NAME – fqdn
ON-PREMISE – on-prem

Certificates
1: You’ll need a publicly signed SSL certificate DO NOT use an Enterprise CA as the ShareFile storage center server connects externally to the ShareFile control plane via HTTPS and ShareFile checks to ensure that your SSL certificate is publiclly signed otherwise communicates between the Control Plane and SZ will fail.
2: Remember the higher the certificate encryption strength means you may need to consider adjusting the computing power resources applied to the VM hosted and delivering the ShareFile On-Prem service.

ShareFile Storage Center 1.1
1: Ensure that you have a ShareFile Enterprise account with StorageZones enabled.
2: You need to create and test your external FQDN records and open up port 443 in/out over TCP for your FQDN e.g sharefile.yourcompany.co.uk and once you’ve installed the IIS role + ASP.NET + .NET Framework 4.0 and bound the publicly SSL cert to your Windows Server 2008 R2 you should be able to navigate to the FQDN on HTTPS and see the default IIS landing page . NOTE: The SSL cert should match the FQDN otherwise your receive mismatch errors.
3: Navigate to http://www.sharefile.com with your super-admin credentials once your logged in select the “Admin” tab and select the “” option from the menu on the right hand-side and create a sub-domain. ShareFile offers a maximum of 3 per organisation.
4: Install the ShareFile storage center 1.1 software and follow the on-screen instructions.
5: Open up IIS Manager under the server’s ISAPI and CGI Restrictions, set the ASP.NET 4.0 Restrictionsh value to Allow.
6: Provision a CIFS share either locally on the ShareFile storage center on the C drive or attach another drive e.g and apply the appropriate permissions or ensure access over the necessary VLAN’s+ports to your organisations CIFS share on a NAS or SAN.
7: Launch the configuration page on the server locally and sign in with the ShareFile super-admin credentials now follow the on-screen instructions to complete the ShareFile storage center configuration.

Users
1: You can manually create users in control plane or upload a *.csv file to provision users
2: Download the ShareFile UMT Bit.ly link to http://www.sharefile.com and follow the on-screen installation instructions.
3: You can provide users with SAML based access via ADFS 2.0 for the Citrix XenMobile AppController Bit.ly link to http://axendatacentre.com/blog/?p=7

Troubleshooting Tips
1: The control plane www.sharefile.com will NOT accept SSL certificates that ARE NOT signed by a public CA installed on the Storage Center server offering up your On-Prem SZ to the Control Plane.

XenMobile AppController 2.6

The following content is a brief and unofficial prerequisites guide to setup, configure and test AppController 2.6 (Previously Cloud Gateway) part of the Mobile Solutions Bundle prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
FULLY QUALIFIED DOMAIN NAME – fqdn
ACTIVE DIRECTORY – ad
STOREFRONT SERVER – sfs
HIGHLY-AVAILABLE – h/a
XENAPP – xa
XENDESKTOP -xd
NETSCALER GATEWAY – nsg
SOFTWARE-AS-A-SERVICE – SaaS
REMOTE ACCESS – r/a

Apple iOS Developer Account
1: Register for an Apple Enterprise iOS Developer Account and NOT Standard – bit.ly link to https://developer.apple.com/programs/ios/enterprise/. Why your probably asking? The enterprise account is designed to allow you to deliver your digitally signed wrapped apps e.g Worx Home, WorxWeb and WorxMail to an unlimited number of iOS devices from your enterprise app store e.g XAC. The standard account is designed for you to develop and then test your app to a fair number of iOS devices (iPad mini, iPhone) and then publish your app to the iTune’s AppStore.
2: Download the Citrix App Preparation Tool for iOS – http://www.citrix.com/downloads/
3: Prior to continuing please review review the following Citrix eDocs article – http://support.citrix.com/proddocs/topic/cloudgateway/clg-appwrap-landing-page-con.html
4: Following the instructions for digitally signing your iOS app using the Citrix App Preparation Tool for iOS

Certificates
1: By default the following two types of self-assigned certificates are issued to your XenMobile AppController upon initial deployment which are a Server, SAML certificates issued to the FQDN AppController.example.com.
2: It is safe to perform the initial xac with the default certificates thereafter I would recommend generating a CSR and signing with your Enterprise CA vs. self-assigned to the host name.

Uploading & Configuring Wrapped iOS Apps
1: Once the app has been digitally signed with your iOS Enterprise developer account please navigate to your AppControllers Mgmt. FQDN e.g yourdomain.co.uk:4443 and login with your administrative credentials.
2: Navigate to Apps & Docs tab select iOS then upload and locate the signed iOS app and follow the onscreen instructions – http://support.citrix.com/proddocs/topic/appcontroller-26/clg-appc-mobile-apps-wrapper-d-con.html.
3: To configure any of the MDX policies i.e MDX Access, InterApp, Vault for your iOS app – http://support.citrix.com/proddocs/topic/appcontroller-26/clg-appc-mobile-apps-policies-d-con.html
4: The iOS app is now available and ready to be selected and downloaded onto the users end-point mobile device via StoreFront.

Deployment Modes
1: There are two types of deployment modes for the XenMobile AppController which is either direct or integrated. It is important to understand that this is NOT h/a.
2: Direct mode is where users connect directly to the XenMobile AppController bypassing StoreFront. In this deployment scenario the xac can only service and deliver Mobile apps, SaaS and web links to users. If you would like to test this mode deploy and configure your xac with mobile apps, web links within your environment and connect to the xac’s https://FQDN/ either internal or external using a internet browser on an iOS device as an example and it will redirect you to https://FQDN/Citrix/StoreWeb where you will be able to login using your AD credentials thereafter you’ll be able to select and launch a web link or click and install a Mobile app.
4: Integrated mode is where all the requests for mobile apps, SaaS, web links are aggregated through to the sfs over a HTTPS connection. ( xac <-- HTTPS 443 -->sfs ). The xac is setup as a delivery controller within StoreFront must the same a XA, XD. TIP: Prior to setting this configuration connect to the xac admin console from the sfs to ensure there is no SSL mismatch issues or errors with the certificate (Using IE you’ll receive a blue bar + background around the lock icon). If you would like to test this mode deploy and configure your xac with mobile apps, web links and configure the trust setting to point to your sfs e.g. https://sfs.local/ from the xac. Now attempt to connect to the xac’s https://FQDN/ either internal or external using a internet browser on an iOS device as an example and it will redirect you to https://FQDN/Citrix/StoreWeb but you will NOT be able to complete the request! Why? The xac disables its local StoreWeb as another trust setting has been configured i.e https://sfs.local. Now connect to your sfs FQDN and login using your AD credentials thereafter you’ll be able to select and launch a web link, published windows application e.g Notepad, Windows 7 desktop and select and click to install a Mobile app. How? As long as you have a setup the following delivery controllers servers in StoreFront xac, xa, xd and published the resources you can tap to select and launch any of the described resources. TIP: Allows ensure that if you have configured your delivery controllers to use HTTPS (443) there are no SSL mismatch errors with the FQDN as this is the most common error causing SysAdmins alot of headaches in troubleshooting where the issue lies.

Users
1: Users are provisioned using your organisations AD but first ensure that all users you attempt to provision have a first, last name and email fields populated even if you don’t have a mail server within your domain populate the e-mail address field as are a mandatory requirement for the xac.

Troubleshooting Tips
1: Setup a reoccurring calendar invite using your support ticketing system or group exchange invite to renew your iOS Enterprise Developer Account which expires annually and needs to be renewed.
2: Use a Enterprise CA to sign your CSR’s for your xac, sfs instead of using self-assigned certificates but use a publicly signed SSL certificate for R/A using a NetScaler Gateway.
3: Read through the Citrix Reference Architecture for MDM and MAM.

XenMobile Device Manger 8.0.1

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 8.0.1 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – ldap

Apple APNS
1: Generate a CSR on the intended XDM server via IIS
2: Create an Apple ID – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId?localang=en_US
3: Login with your newly created Apple ID to Apple APNS Portal – https://identity.apple.com/pushcert/
4: Upload your signed CSR from Citrix which then be generated into an *.pem certificate file.
5: Import your *.pem certificate file from APNS into IIS using complete certificate request then export from IIS filling in the password fields.

XenMobile Device Manager Version 8.0.1
1: You’ll need a license file which can be downloaded from www.citrix.com.
2: APNS *.pem certificate file converted into a *.pfx12 certificate file.
3: External FQDN e.g xdm.yourdomain.co.uk or devicemanager.yourdomain.co.za
4: Server requirements check out – http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-sys-reqs-con.html
5: Test that your external FQDN resolves to the intended xdm server using a trace or ping then apply the following changes to your f/w to allow the following networking ports access – http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-sys-reqs-other-prereqs-con.html
6: Install XDM using the default postgres DB for 100x users or less alternatively then utilise the documented best practises for alternatively SQL DB engines.
7: Once installed navigate to http://xdm.yourdomain.co.uk/zdm to access the console. Note you can also access the following resources aswell after the FQDN of the xdm server /zdm/enroll which provides links to the current enrolment agents for xdm.

User Provisioning
1: You can optionally create users manually within the xdm console this approach is time consuming and a manual task for a SysAdmin.
2: You can upload a *.csv file containing all the required user information to provision users this approach is far more favourable but its a manual approach to user provisioning.
3: Provision users using your organisations AD environment is the best approach and less time consuming for SysAdmins. The xdm supports LDAP and LDAPS* and performs a real-time query to your AD server instead of caching a local dataset copy and then periodically updating this cache at a predefined intervals.

* LDAPS is a secure connection of LDAP between the xdm server and your organisations AD server.

Troubleshooting Tips
1: Setup a reoccurring calendar invite using your support ticketing system or group exchange invite to renew your APNS certificate which expires annually and needs to be renewed and uploaded to the xdm server otherwise iOS devices will become unresponsive as they reply on the APNS network.
2: Always deploy the xdm server using a FQDN over a Static IP as it is easier to adjust DNS records if and when moving your xdm server is needs be to another IP address range e.g changing ISPs. It is also easier to remember a FQDN over a IP address.
3: OS harden the server no matter if the xdm server is placed in the DMZ or a TRUSTED network it prevents and limits exposing the xdm server to network related threats or attacks.
4: Place the xdm server behind a networking appliance e.g NetScaler to load-balance the HTTP, HTTPS traffic, scale-out more xdm servers.
5: Read through the Citrix Reference Architecture for MDM and MAM.

Troubleshooting & Resources

The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Citrix
1: http://edocs.citrix.com provides a great fundamental knowledge base to install, configure and deploy Citrix products standalone or in a H/A pair configuration.
2: http://support.citrix.com provides a variety or supporting documentation surrounding Citrix’s product stacks that include best practises, guides and much more.
3: http://blogs.citrix.com is an absolutely great resource for past, present and future Citrix product knowledge i.e master class webinars, best practises articles, announcements and much more.
4: http://www.citrix.com/tv provides video based delivery of Citrix’s technologies.
5: http://community.citrix.com/p/success-kits requires the appropriate www.citrix.com access privileges.
6: https://www.citrix.com/buy/licensing/agreements.html Citrix Product EULA, EUSA.
7: https://www.citrix.com/buy/licensing.html Licensing Basic’s.
8: https://www.citrix.com/support/product-lifecycle/product-matrix.html Citrix Product Life Cycle Matrix.
9: https://www.citrix.com/downloads.html Citrix Software Package and Virtual Appliance Downloads area.
10: https://taas.citrix.com/AutoSupport/ the link explains it what this service is all about.
11: http://store.citrix.com purchase select Citrix licensing online e.g XenServer, NetScaler VPX.

Microsoft
1: http://technet.microsoft.com/en-us/ provides a wealth of good technical resources.
2: http://msdn.microsoft.com/en-us/ is a great developer network.

Apple
1: http://www.apple.com/certificateauthority/ useful for downloading and installing the certs, crl’s onto the IIS to resolve any APNS chaining issues. Learn more about APNS workflow, security and more at – https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW3.
2: https://developer.apple.com/programs/ios/enterprise/ & https://developer.apple.com/support/ios/enterprise.html – which is required in order to obtain an Apple iOS distribution profile and certificate to digitally sign and wrap your *.IPA file to become an *.MDX file using the Citrix AppPreparation Tool + XCode.
3: https://developer.apple.com/xcode/ is used with the Citrix AppPreparation Tool.
4: http://www.apple.com/uk/support/appleid/basics/ explains the different processes for creating an Apple ID with and without a credit card. Also visit http://support.apple.com/kb/HT5622 which provides general FAQ surrounding an Apple ID.