Category Archives: XenMobile Service

Did you know that Slack is interoperable with Citrix #SecureMail?

This is paramount to my productivity, as I can get context externally from Citrix customers/partners and internally switch an email thread to a Slack conversation(s) that is far more memorable and collaborative, and if I or the other person is misunderstood in any way we can switch to a #SlackCall at the tap or click of a button and, if necessary, I can share my local vs. #virtualdesktop screen or view theirs to get 360-degree feedback on a presentation, proposal etc. Check out https://slack.com/apps/AAGN5FH9C-citrix-secure-mail to learn more today.

This micro blog post was originally posted at – https://www.linkedin.com/feed/update/urn:li:activity:6543957667881205762.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Workspace app is released Hello World

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Introduction
What is Citrix Workspace app? It brings together all your LOB tools, which in today's modern world consist of (virtual/micro/installed/mobile) apps, SaaS, desktops & content. I've embedded a sample of what this actually looks like below.

Overview
The new Citrix Workspace app is way more than purely an upgrade of Citrix Receiver, e.g. grey to blue icon and a skin change; this NEW Citrix client app release is simply extraordinary. Working for Citrix I can be considered biased, however once you actually begin to consume the Citrix Workspace app you'll understand exactly what I mean. Citrix Workspace app is for me all about an experience, and that experience is extraordinarily AWESOME! As I begin consuming my LOB (Line of Business) tools wherever I am + want and in a setting/context that suits me (home, Paddington vs. partner offices, trains, taxi etc.), the context in which the chosen LOB tool is delivered can change dependent upon criteria (I won't be covering this today) or how IT (say YES!) has chosen to deliver the LOB tool through Citrix Access Control Service – https://docs.citrix.com/en-us/citrix-cloud/access-control/get-started.html.

I now have all my content available in the same AWESOME app, thank you Citrix Content & Collaboration aka ShareFile. I can upload, download and even favourite particular content, e.g. "L-J's H1/2 Citrix Partner Tech Super Deck", which is then available directly from the home view/tab. In the example below I am uploading the LeasePlan Citrix SD-WAN case study – https://www.citrix.co.uk/customers/leaseplan-en.html and the actual video is available at – https://www.youtube.com/watch?v=4Hq-yryxfS0; take a look and remember to listen to the outcomes Citrix SD-WAN provides LeasePlan.

How do I get started today?
Firstly, I will do a more detailed blog post on getting it all up and running with use cases, time dependent of course.

1. Start by navigating to https://docs.citrix.com/en-us/citrix-workspace-app.html, then go to Citrix.com and log in with your access details, next navigate to https://www.citrix.com/downloads/workspace-app/ and download Citrix Workspace app for your chosen end-point. If you are running a TP of the Citrix Workspace app code base please UNINSTALL it prior to installing the GA production code base, as a few community individuals I know had issues upgrading from the TP code base. I would like to state for the record I upgraded from PRODUCTION Citrix Receiver to the Citrix Workspace app for Mac 1808 on my Mac without ANY issues, see below tweet.

2. Please carefully read the System Requirements for your chosen platform; here is the link for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/system-requirements.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/system-requirements.html.

3. Review the installation guidance for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/install-configure.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html.

4. Please carefully read the configuration of Workspace app for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/configure.html
and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html etc. for other platforms. If you are looking for multi-monitor support, for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/improve-user-experience.html#using-multiple-monitors and for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/improve.html#multi-monitor-support. For securing communications between Workspace app and your StoreFront, for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/secure-communications.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication.html (pay attention to the deprecated cipher suites section). Finally, if you are a Smart Card user pay attention to the requirements at the bottom of both docs, for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/requirements-for-smartcard-authentication.html and for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication/config-smart-card.html, and for WIF 5.4 (yes I know, really, however some of you still may need it while you're upgrading to the XAD 7.x platform) https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication/config-smart-card–for-web-interface.html.

5. Sign up vs. log in to Citrix Cloud today and trial vs. acquire a Citrix Cloud service, e.g. the ShareFile Service or the XAD Service, and if you want to aggregate on-premises LOB apps into the new Citrix Workspace experience then set up "Site Aggregation" today. To learn how, please read this CTXS blog post and watch the embedded YouTube video which provides a how-to overview at – https://www.citrix.com/blogs/2018/08/03/site-aggregation-for-citrix-workspace-is-now-ga/.

That's all folks for now on the technical overview; it's brief, I know, so I will follow up in future with a more detailed overview + how-to etc. either here or on the https://www.mycugc.org website in the experts area.

Upgrading to Citrix Workspace from Citrix Receiver for smart devices

In Closing
I work for Citrix, I have been a Citrix + IaaS advocate for well over a decade (now SD-WAN as well) so I am most likely biased you'll think, however Citrix Workspace app is truly AWESOME and way more than what you see at a glance. I encourage you all to begin consuming it today to see for yourself just what I am talking about and why I personally say it's "AWESOME".

Citrix Innovation Award Finalists for #CitrixSynergy 2018

It's that time of the year where you, Citrix customers and partners, can vote for your favourite Citrix Innovation Award Finalist.

This year sees a great mixture of customers in different markets all leveraging Citrix technologies as the enabler for transformation within their organisations to embrace a new way of working, or #ThisIsHowTheFutureWorks, powered by Citrix Networking, Workspace and Security & Platform Analytics from https://www.cloud.com/.

I would encourage you to watch all three videos describing their journey before casting your vote, as there is some really great innovation happening within these Citrix customers, and if you want to get started visit https://www.citrix.com or https://www.cloud.com/ today.

Beazley from the UK – Insurance

Quote “A new mindset to work wherever I am, because I have the tools that Citrix provides and Beazley…” – @dalesteggles

Health Choice Network, US – Healthcare

WAGO, Germany – Engineering

All the very best to this year's Finalists.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to set up, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment, by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or leading best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER – ns
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
XENMOBILE MAIL MANAGER – xmm
WINDOWS – win
MOBILE DEVICE EXPERIENCE – mdx
REAL-TIME – r-t
MICRO VIRTUAL PRIVATE NETWORK – mvpn
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
APPLE PUSH NOTIFICATION SERVICE – apns
UNIFIED ENDPOINT MANAGEMENT – uem
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE CONTENT MANAGEMENT – mcm
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
ACTIVE DIRECTORY – ad
TRUSTED NETWORK – tru
FIRST TIME USER EXPERIENCE – FTU

Author Note
Please be aware that I published this article today, 19/02/2018, but it should be considered evergreen until I remove this section. Thank you.

Introduction
This is going to be one of the longest posts that I am about to write, so come back from the moment it's published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how to deploy the current Citrix XenMobile on-premises server, which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – https://citrix.cloud.com/ in due course.

What is XenMobile?
XenMobile is a complete UEM, or MEM (via https://twitter.com/JJVLebon), mobility solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies and automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline, enabling them to work on their own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. It's Feb 2018 and it's still equally a tough exam to pass even though the XDM + XAC were merged into a virtual appliance now called the XenMobile Server (XMS).

Whether you have not deployed a mobility solution in the past or you're an expert, you'll most likely agree that mobility or UEM/MEM is complex and is constantly changing, with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push APIs vs. MDM platform + vendor signing of certificates and finally, oh yes, all those MDM ports that you need configured correctly throughout your organisation's Wi-Fi network, and so the list continues on and on....

In principle, when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount importance to be successful. Below is a list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes, we at Citrix are cloud first and I live IaaS, so I'll be writing another post on deploying a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf. This will provide great insight into XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX-enabled apps behaves and so much more; it is definitely worth your time!
– Configure the XMS with a publicly routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi, and if you're enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for PoCs (up to 100 devices), however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you'll most likely want to have your XMS v/a in a cluster for high availability. NOTE: Do not pre-create an MS SQL database; allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for PoCs, but again for PROD utilise a remote Citrix licensing server, which is 100% required to support an XMS cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You'll need to activate your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push APIs like Firebase.
– Deciding where to generate all of the CSRs for all of your mobility + XMS + NS certs is quite important, not just for the initial PoC but thinking 12 months out when the certs begin to expire: where did I generate those certs from, to begin the re-signing process now, hmmm....??? I prefer in my home lab to generate and renew all my certs on WDC but many SEs I know will use NetScaler for this; the point I am making is that it does not matter BUT centralise and document the process, passwords etc.
– Set up a calendar invite vs. trigger in your chosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs, otherwise you'll break your MDM deployment, e.g. no devices under mgmt anymore. This applies to ANY MDM vendor, to be 100% clear!
– Don't assume that one individual should be deploying the XenMobile (any mobility) PoC themselves, unless in my experience you're 100% comfortable with networking, ACLs, SQL DBs and gateways. To be honest, most often it's 3 people from within the IT team, and for high security organisations it's double, I find. Typically the 3 people are the Citrix Admin, who will require help & support from a networking (f/w dude:-)) or NetScaler admin, and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against their use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmz <-> tru).
– DO NOT USE A PROD NetScaler; deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premises vs. your chosen resource location.
– If you are intending to MDX wrap or enlighten your iOS – https://developer.apple.com/programs/enterprise/ and Android mobile apps then I'd suggest that you sign up for the required developer accounts well in advance, as some customers & partners have experienced delays of up to 1-8 weeks. You have been warned, and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios, you don't want a lawsuit!), or if you're not bothered and you would like to test this capability then I'd suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally, my own personal leading best practice is to set up RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment, e.g. via GoToMeeting, so if you make a mistake you can review the recording to understand what you misconfigured and, most importantly, where on the NetScaler vs. XMS etc. it was that the mistake occurred.
– If you're not going to utilise public CA-signed certificates (strongly preferred) as you're deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s), and remember those MDM ports: you'll need to make sure they are available over your corporate Wi-Fi, including the over-the-air enrolment port, especially for Apple iOS devices, otherwise your MDM enrolment will fail and you'll be defaulted to only being able to enrol your device for MAM only, e.g. Secure MDX enlightened mobile apps.
– The XMS mgmt. Web UI for administration is restricted from the internet, as the mgmt. web UI is only accessible over https://XMS:4443, which is not part of the XM 10 wizard as of e.g. NSG 10.5-55.8+ for security hardening purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler, when in fact most likely you're connecting on https://XMS-vip:4443 via the VIP owned by the NetScaler; if you connect directly to the XMS's configured IP addr via https://XMS-direct:4443 you'll be able to access the XMS Admin Web UI.
– Suggested personal tip: utilise Mozilla Firefox for configuring and managing your XMS v/a, for me it works the best!
– Ensure that all users/admins have the first name, last name & e-mail addr fields populated in AD prior to any enrolment, otherwise they will receive an error, e.g. "Invalid user for SSO", when users attempt to sign on.

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n, which is where these system requirements have been obtained from, dated Feb 2018 – https://docs.citrix.com/en-us/xenmobile/server/system-requirements.html.

Trial Licensing for On-Premises Only
Citrix Customer Evaluation licenses can be obtained at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700. If you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices
https://docs.citrix.com/en-us/xenmobile/server/system-requirements/supported-device-platforms.html

Certificates
– APNs see below
– SSL Listener used for HTTPS traffic communication, e.g. like securing your web server with https

AD/LDAP
– Open up 389 between the XMS v/a(s) and your AD server in your trusted network; you can optionally configure secure AD/LDAP on 636 but you will require extra certs for this configuration, and it's well documented in Citrix eDocs, obviously, I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2 vCPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account: I'd advise against the default, which is nsroot:nsroot; slightly obvious, but I see this time and again, can you believe it!!!!
– AD/LDAP service account that is utilised to validate and authenticate users against your organisation's AD/LDAP.
– IP addressing (Please, please, please pay attention)

1x private static IP addr that is used for the NetScalers IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to as the NetScaler's Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g uem.axendatacentre.com with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g mam.axendatacentre.com with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler, one for direct NAT and the other for *L/B of the MAM traffic.

Internet                              DMZ (NetScaler)                      TRU (XMS)
nug01 (NetScaler v/a)                 NSIP 10.1.0.5
                                      SNIP 10.1.0.100
uem.axendatacentre.com <-> 81.x.x.1   10.1.0.20                <->          UEM listener on XMS
mam.axendatacentre.com <-> 81.x.x.2   10.1.0.21 + *10.1.0.22   <->          MAM listener on XMS
uem.axendatacentre.com (XMS v/a)                                            10.1.0.99

SUMMARY
Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FCM) with Android for Mobile Notification Service Capabilities

Apple
Apple's APNs Certificates portal is accessible at – https://identity.apple.com/pushcert. If you'd like a technical overview of how APNs works, check out Apple's developer documentation on the subject at – https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1; it's quite extensive and in-depth.

1. Create an organisation Apple ID at – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId
2. Generate a CSR on NetScaler – https://support.citrix.com/article/CTX211887 or on a Windows Server, e.g. WDC, using e.g. IIS. NOTE: Please use a 2048-bit key for the cert.
3. Navigate to https://xenmobiletools.citrix.com/ and sign in where prompted with your Citrix.com partner access details.
4. Follow the onscreen process for signing your XenMobile APNs CSR, which will return a *.plist file.
5. Log in to and upload your CSR to the APNs portal at – https://identity.apple.com/pushcert/ by following the onscreen process.
6. Download the generated *.pem file from the APNs portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using "Complete Certificate Request" and specify a friendly name. NOTE: Optionally import Apple's certificates (*.cer, *.crl) from – http://www.apple.com/certificateauthority/, also see http://support.apple.com/kb/ht5012
8. Export the imported certificate as a *.pfx, specifying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration in the Web UI, remember to enter your chosen password, import it as a keystore in PFX format and select APNs as the cert type.

Citrix provides a more detailed how-to and overview at – https://docs.citrix.com/en-us/xenmobile/server/authentication/apns.html.

Firebase Cloud Messaging (FCM)
Google or Firebase Cloud Messaging (GCM or FCM) enables push capabilities for Android; alternatively, implement during enrolment an "Active poll period policy" for the Android handset to check back into the XMS to receive new policies, apps, check compliance etc. Finally, note that if you do any research, FCM https://firebase.google.com/docs/cloud-messaging/ is the natural evolution of the GCM platform, so think Firebase first for Android :-).

1. Create an organisation Google Developer account at – https://console.firebase.google.com/?pli=1. If you're keen to understand how it works, visit the XenMobile eDocs web page for Firebase at – https://docs.citrix.com/en-us/xenmobile/server/provision-devices/google-cloud-messaging.html.
2. The process to create the push capabilities is in my personal view way easier than APNs, as all you need to do is generate an "API Key" and "Sender ID" which is then stored on the XMS at "Settings -> Google Cloud Messaging". Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link, which includes the following Firebase ports: 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important? Well, these ports will need to be made available from the corporate network outbound, like APNs, to enable enrolment from within the corporate enterprise or high security environments; otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.
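
The preparation list above and the Firebase ports in this section boil down to a handful of checks that are worth scripting before the PoC starts. The following is an added example written for this post, not a script from the post or from Citrix: it encodes the post's own rules of thumb (public FQDN, not an IP or short name, for the XenMobile hostname; FCM 5228-5230 outbound; LDAP 389 from the XMS to AD; port 80 between cluster members; the 4443 admin Web UI never reachable from the internet) and runs them against a constructed firewall rule list. The zone names and the rule set are assumptions drawn from the text, not an official Citrix port list.

```python
"""Offline preflight checks for an on-premises XMS PoC plan (added example)."""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Set, Tuple

# A rule is (source zone, destination zone, TCP port). The zone names are an
# assumption that mirrors the post's "internet <-> edge <-> dmz <-> tru" chain.
Rule = Tuple[str, str, int]

# Constructed from the post's text; not an official Citrix port list.
REQUIRED_RULES: Set[Rule] = {
    ("tru", "internet", 5228),  # FCM push for enrolled Android handsets
    ("tru", "internet", 5229),  # FCM push
    ("tru", "internet", 5230),  # FCM push
    ("xms", "ad", 389),         # AD/LDAP bind from the XMS v/a
    ("xms", "xms", 80),         # real-time comms between XMS cluster members
    ("internet", "dmz", 443),   # UEM/MAM listeners behind the NetScaler VIPs
}

XMS_ADMIN_PORT = 4443  # admin Web UI; the NetScaler VIP deliberately does not pass it

# Suffixes that are never internet-routable (assumption: .local per RFC 6762,
# .localhost per RFC 6761, .internal reserved for private use). A hostname
# ending in one cannot be resolved from outside, so external enrolment fails.
PRIVATE_SUFFIXES = {"local", "localhost", "internal"}


def check_hostname(hostname: str) -> List[str]:
    """Return the problems with a planned 'XenMobile hostname' value."""
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass
    else:
        return ["is an IP address, not an FQDN"]
    labels = [label for label in hostname.rstrip(".").split(".") if label]
    if len(labels) < 2:
        return ["is a short name, not fully qualified"]
    if labels[-1].lower() in PRIVATE_SUFFIXES:
        return ["ends in a suffix that is not internet-routable"]
    return []


def missing_rules(acl: Set[Rule]) -> Set[Rule]:
    """Required rules that the submitted firewall ACL does not contain."""
    return REQUIRED_RULES - acl


def admin_ui_exposed(acl: Set[Rule]) -> List[Rule]:
    """Rules that would let internet sources reach the 4443 admin Web UI."""
    return sorted(r for r in acl if r[0] == "internet" and r[2] == XMS_ADMIN_PORT)


def preflight(hostname: str, acl: Set[Rule]) -> Dict[str, object]:
    """Run every check and report whether the plan is ready to deploy."""
    hostname_problems = check_hostname(hostname)
    missing = missing_rules(acl)
    exposed = admin_ui_exposed(acl)
    return {
        "hostname_problems": hostname_problems,
        "missing_rules": missing,
        "admin_ui_exposed": exposed,
        "ok": not (hostname_problems or missing or exposed),
    }


# Constructed sample ACL with the typical PoC mistakes: one FCM port and the
# intra-cluster port 80 are missing, and 4443 has been opened from the internet.
CONSTRUCTED_ACL: Set[Rule] = {
    ("tru", "internet", 5228),
    ("tru", "internet", 5229),
    ("xms", "ad", 389),
    ("internet", "dmz", 443),
    ("internet", "dmz", 4443),
}

if __name__ == "__main__":
    # The three hostname values the post contrasts: the right one and two wrong ones.
    for host in ("uem.axendatacentre.com", "xms01", "10.1.0.99"):
        result = preflight(host, CONSTRUCTED_ACL)
        print(host, "OK" if result["ok"] else "NOT READY")
        for key in ("hostname_problems", "missing_rules", "admin_ui_exposed"):
            if result[key]:
                print(f"  {key}: {sorted(result[key])}")
```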

Deploying the XMS v/a
Before you even attempt to begin, I'd strongly advise you to read and/or print out the following webpage via Citrix eDocs – *https://docs.citrix.com/en-us/xenmobile/server/install-configure.html, which contains a Preinstallation checklist and deployment flowchart. My goal in this section is to provide some context on some of the deployment options during the initial configuration of the XMS v/a; you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from – https://www.citrix.com/downloads/.
2. Unzip the v/a and upload it to e.g. Citrix XenServer 7.1 LTSR via XenCenter, or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded, check that your v/a has the minimum required compute resources, 2-4 vCPU and 4-8GB of RAM, assigned (increase to MAX if 10 or more users are in the PoC, as it's all about the experience, but for home lab purposes I utilise 2 vCPU and 4GB of RAM as I only have 3 devices connected).
3. Start the XMS v/a via XenCenter; it will take longer to boot up if you have assigned the bare minimum compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started, decide if you are intending to create an XMS h/a cluster; this is so that you select the correct options during the FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter a strong, suitable passwd.
6. Next you are prompted for network settings; the IP addr will be e.g. 10.1.0.99 as per my text diagram above.
7. Next you're asked about an "Encrypting Phrase"; most people select "y" to randomise it, however you'll never know what it is, nor can you obtain a file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select "n" and create their own "encryption passphrase".
8. I currently will not provide any context on FIPS, so I will defer to https://docs.citrix.com/en-us/xenmobile/server/install-configure/fips.html#par_anchortitle_8dcb for configuration options, otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next you're asked about configuring a database for the v/a to store configuration information. The "l – Local" option will enable PostgreSQL, which is now only supported for customer PoCs; historically, prior to Citrix acquiring ZenPrise, it was a supported configuration, but that was 5+ years ago under XDM, so to be 100% clear PostgreSQL is for PoCs ONLY with an XMS v/a! It is also NOT supported with XMS clusters, as the v/a's are stateless, relying on the SQL database for configuration information, e.g. users, policies, delivery groups etc., so you require an "r – Remote" SQL database.

TIP:

9.1 – Let the first XMS v/a that you configure as part of your XMS cluster create the required XM database itself; DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL, and do this BEFORE performing a clone to create your XMS cluster. Also, in high security environments remember to include in your submitted ACL a rule to allow the XMS v/a's to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is: what do I type in for the "XenMobile hostname"? Please type in the fully qualified and internet routable FQDN, e.g. uem.axendatacentre.com. What does this mean? It means that if you were to type in uem.axendatacentre.com on the device that you are reading this blog post on, inside the corporate firewall or at home, it is reachable. Please do not type in e.g. xms01 and then enter internal vs. external DNS entries for uem.axendatacentre.com pointing to xms01; this will NOT work properly and devices will NOT enrol, you have been warned! If you do this you will need to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements, i.e. the ports the v/a uses to communicate with the users (SHP) and devices (UEM or MDM/MAM), it is perfectly fine to accept the default ports here unless you are a high security organisation, e.g. a Bank, Government agency etc., and want to further harden yourself. However, remember that the more complexity you add, e.g. changing ports here, the more you will need to adjust the auto-defined ports on the NetScaler if you run the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version, as it's a PoC.
13. Next we get to the Public Key Infrastructure (PKI), where I'd prefer to configure all the certs with the same passwd or passphrase, or you can define a different passwd or passphrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL cert for your connectors +). Finally, you'll require the eXaCt passwd(s) for each XMS v/a within your h/a cluster.
14. Finally, now create a passwd for the default "administrator" account. I would personally, as my own leading best practice, make the CLI admin vs. Web UI administrator passwords different for security purposes, as one member of the team may be the hypervisor admin who does all the CLI stuff as well, while the Mobility admin handles all the logical configuration via the Web UI administrator account.

TIP:

14.1 – Make both admin and administrator passwords random and securely store them, BUT separately from one another. Set up and assign the AD domain admins security group as FULL Administrators of the XMS v/a via RBAC – https://docs.citrix.com/en-us/xenmobile/server/users/rbac-roles-and-permissions.html.

15. Once you select "Return" on the above, the initial configuration is stored and you are prompted to upgrade from a previous release; please select "n", which is also the default! The XMS v/a will stop and start the app, and once it's completed you'll see a URL, e.g. https://10.1.0.99:4443/; this indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependent upon how much vCPU and RAM you assigned to the v/a, and if you're on SSD vs. HDD storage this will naturally speed up the process.
16. The biggest mistake Mobility/Citrix Admins make with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for uem.axendatacentre.com <-> 81.x.x.1 <-> 10.1.0.20, when they should be accessing the direct IP addr of the XMS v/a <-> 10.1.0.99. Most individuals do this to test their NetScaler setup; please DO NOT set up the NetScaler, do it after you have set up the XMS v/a. Finally, the reason you can't connect to the Web Admin UI via the NS VIP, e.g. https://uem.axendatacentre.com:4443, either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet, so you'll need to connect to the direct XMS v/a <-> 10.1.0.99 IP addr on https://10.1.0.99:4443. Once you're at the login prompt of the Web UI, type username "administrator" and your chosen passwd and "Sign-in"; the "Get Started page" appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options. For a PoC, or if it's your first time using XenMobile, then I'd suggest that you utilise the built-in 30 day evaluation license to give you time to better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy an XMS h/a cluster then, like the XMS database, you'll need to set up or make use of your existing remote v6 Citrix licensing server; however, IMPORTANT, make sure that this lic server version meets the minimum release requirement of 11.12 for the 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license server on XMS and now wish to use a REMOTE lic server then please refer to https://docs.citrix.com/en-us/xenmobile/server/system-requirements/licensing.html. I would also suggest testing from each XMS v/a within your cluster that you can successfully connect to the remote v6 lic server, which is available under the Wrench icon -> Licensing.
18. Next it's cert mgmt., and a word of caution as this catches everyone out: after uploading any certs, a reboot of the XMS v/a(s) is required in order for the new certs to be bound to the SSL listener interfaces and the existing ones to be unbound! At this point you'll need your APNs and SSL certs, e.g. for uem.axendatacentre.com, to upload to the XMS v/a; when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on cert types and how-tos for XenMobile check out – https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html which includes guides on configuring PKI Entities, certificate-based authentication for Secure Mail and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL: https://mam.axendatacentre.com
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download a config bundle to upload to the NUG to configure it for XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN used to verify that the request originated from NetScaler Gateway, BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: 10.1.0.21 (See text diagram above in HTML table format)

^ These settings are optional.

20. Next you’re prompted to set up your AD binding. I always prefer using an FQDN vs. an IP addr here, as IP addresses can change whereas FQDNs typically don’t (otherwise a lot of things in your environment will break).

AD Binding
FQDN: ldap.axendatacentre.com
Port: 389 (leave the default unless changed within high security environments)
Domain name: axendatacentre.com
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users container here; configure this to match the default OU location of users in your organisation’s AD)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g xms@axendatacentre.com
Password: *****
Domain Alias: axendatacentre.com (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)
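Before saving the AD binding above I like to prove the values work from a domain-joined Windows box. The PowerShell below is an added example of mine, not anything shipped with XMS or taken from Citrix: it binds with the XMS service account against the same FQDN, port and User Base DN, then looks one user up by userPrincipalName and reports whether the AD e-mail field is populated (step 21’s notifications depend on it). The test user UPN is an assumption; the other values are the sample ones from the list above. Note that with “Use secure connection” off, the simple bind on 389 sends the service account password in clear text, which is exactly what that toggle exists to prevent.

```powershell
# Added example, not from the post or from Citrix: pre-flight check of the AD binding
# values from step 20, run from a domain-joined Windows host that can reach the LDAP server.
# It binds as the XMS service account, then looks one user up by userPrincipalName under
# the User Base DN and reports whether the AD e-mail attribute is populated.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapFqdn            = 'ldap.axendatacentre.com'        # sample value from the post
$UseSecureConnection = $false                            # mirrors the XMS "Use secure connection" toggle
$Port                = if ($UseSecureConnection) { 636 } else { 389 }
$UserBaseDn          = 'ou=Users,dc=axendatacentre,dc=com'
$ServiceAccountUpn   = 'xms@axendatacentre.com'
$TestUserUpn         = 'jdoe@axendatacentre.com'         # hypothetical user to look up
$ServiceAccountPwd   = Read-Host -Prompt "Password for $ServiceAccountUpn" -AsSecureString

function Test-XmsLdapBinding {
    param(
        [string]$Server, [int]$Port, [bool]$Secure,
        [string]$BindUpn, [System.Security.SecureString]$BindPassword,
        [string]$BaseDn, [string]$LookupUpn
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindUpn, $BindPassword)
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic
    # Simple bind, exactly what XMS does with the service account. Without $Secure the
    # password crosses the wire in clear text on 389, so LDAPS (636) is the safer choice.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, $auth)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Secure) { $conn.SessionOptions.SecureSocketLayer = $true }
    try {
        $conn.Bind()                                   # wrong password or locked-out account fails here
        $attrs = [string[]]@('userPrincipalName', 'mail', 'memberOf')
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, "(userPrincipalName=$LookupUpn)", $scope, $attrs)
        $res   = $conn.SendRequest($req)
        if ($res.Entries.Count -eq 0) {
            return "Bind OK, but $LookupUpn was not found under $BaseDn: check the User Base DN"
        }
        $entry  = $res.Entries[0]
        $mail   = if ($entry.Attributes['mail']) { $entry.Attributes['mail'].GetValues([string])[0] } else { '<missing: XMS notifications need this populated>' }
        $groups = if ($entry.Attributes['memberOf']) { $entry.Attributes['memberOf'].Count } else { 0 }
        return "Bind OK: $($entry.DistinguishedName); mail=$mail; memberOf=$groups groups"
    } catch {
        return "LDAP check FAILED against ${Server}:${Port}: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

Test-XmsLdapBinding -Server $LdapFqdn -Port $Port -Secure $UseSecureConnection `
    -BindUpn $ServiceAccountUpn -BindPassword $ServiceAccountPwd `
    -BaseDn $UserBaseDn -LookupUpn $TestUserUpn
```

Run it once with `$UseSecureConnection = $true` as well: if that bind fails while 389 works, the domain controller has no usable LDAPS certificate yet, and the XMS “Use secure connection” toggle will fail for the same reason.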

21. The final configuration step is to set up XMS notifications – https://docs.citrix.com/en-us/xenmobile/server/users/notifications.html which are required for things like bulk enrolment (each user’s e-mail addr must be populated in the AD e-mail field), communicating with users when automated actions are configured, and when users have violated your organisation’s UEM strategy.
22. Now please log out of the Web Admin UI, log back into the XMS CLI via your chosen hypervisor console and follow the instructions below to reboot your XMS v/a:

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart. Once it has successfully rebooted, navigate to the XMS v/a direct FQDN https://uem.axendatacentre.com or IP addr and check the HTTPS cert status in your internet browser to ensure that it is no longer the self-signed cert generated by the XMS v/a but matches your uploaded SSL cert bound to the SSL Listener.
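Checking the padlock in a browser is fine for one appliance, but it is easy to be fooled by a cached session or by landing on the NetScaler VIP instead of the appliance. The PowerShell below is an added example of mine, not part of the post or a Citrix tool: it reads the certificate the SSL Listener presents on the direct XMS address, compares its thumbprint with the .p12 uploaded in step 18, and then confirms the step 16 behaviour that 4443 is closed through the VIP but open on the direct IP. The .p12 path is hypothetical; the host name and IPs are the post’s sample values.

```powershell
# Added example, not from the post or from Citrix: post-reboot verification for step 22.
# It reads the certificate the SSL Listener presents on the direct XMS address, compares it
# with the .p12 uploaded in step 18, and checks that the 4443 admin port is closed through the
# NetScaler VIP but open on the direct IP, as described in step 16. The .p12 path is hypothetical.
$Fqdn     = 'uem.axendatacentre.com'          # public name, resolves to the NetScaler VIP
$DirectIp = '10.1.0.99'                       # XMS v/a direct address from the post
$P12Path  = 'C:\certs\uem-listener.p12'       # hypothetical path to the uploaded keystore
$P12Pwd   = Read-Host -Prompt 'Keystore password' -AsSecureString

function Get-PresentedCertificate {
    # Opens a TLS session to $ConnectTo with SNI $SniName and returns the leaf cert presented.
    param([string]$ConnectTo, [string]$SniName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    # Accept whatever is presented: the point is to read it, not to trust it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($SniName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Dispose() }
}

function Test-TcpPort {
    # True when a TCP handshake to $HostName:$Port completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Dispose() }
}

$uploaded  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($P12Path, $P12Pwd)
$presented = Get-PresentedCertificate -ConnectTo $DirectIp -SniName $Fqdn

"Listener presents: $($presented.Subject) issued by $($presented.Issuer), expires $($presented.NotAfter)"
if ($presented.Subject -eq $presented.Issuer) {
    Write-Warning 'Still a self-signed certificate: the upload did not bind, re-upload and reboot again'
} elseif ($presented.Thumbprint -ne $uploaded.Thumbprint) {
    Write-Warning "Thumbprint mismatch: listener=$($presented.Thumbprint) uploaded=$($uploaded.Thumbprint)"
} else {
    'Listener presents the uploaded certificate'
}

# Hardening check from step 16: the admin UI must be reachable directly, never through the VIP
$viaVip = Test-TcpPort -HostName $Fqdn -Port 4443
$direct = Test-TcpPort -HostName $DirectIp -Port 4443
"4443 via VIP ($Fqdn): $(if ($viaVip) { 'OPEN, unexpected' } else { 'closed, as expected' })"
"4443 direct ($DirectIp): $(if ($direct) { 'open, as expected' } else { 'CLOSED, check the XMS v/a' })"
```

In a cluster run the certificate part once per node IP, because the reboot requirement applies to every XMS v/a and a node that was skipped will keep presenting the old or self-signed certificate behind the load balancer.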

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with https://docs.citrix.com/en-us/xenmobile/server/authentication/netscaler-gateway-and-xenmobile.html.

Troubleshooting & Leading Best Practices
1. Citrix provides a XenMobile tools platform available at – https://xenmobiletools.citrix.com; also be sure to refer to the XenMobile compatibility documentation – https://docs.citrix.com/en-us/xenmobile/server/system-requirements/compatibility.html for compatibility of devices vs. MDX apps and release versions.
2. Users receive “Profile Installation Failed – The server certificate for https://XM-FQDN:8443 is invalid” when enrolling an iOS device against XenMobile. I personally have not seen this issue occur for quite some time but I thought it worth including in case it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full-chain SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – https://www.digicert.com/util/ on the originating Windows server that you generated the CSR on for your XMS v/a SSL Listener (HTTPS) cert. Next follow the guide available from DigiCert at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to help you find and export your XMS v/a HTTPS cert correctly (I advise using the TEST button before export), re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) whenever you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices, BUT I would strongly advise removing any MDM certs via Settings in iOS and then deleting Secure Hub and re-downloading it; the enrolment error messages should then no longer appear to your users while enrolling their iOS devices.
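Both the cert upload in step 18 and the enrolment failure above come down to what is actually inside the .p12 before it reaches the appliance, so I check the file on the exporting Windows server rather than discovering the problem from an iPhone. The PowerShell below is an added example of mine, not from the post, DigiCert or Citrix: it loads the keystore, confirms a private key is attached to the leaf certificate, builds the chain from the certificates shipped in the file and warns about any chain element that is not in it, and verifies the subject or SAN covers the listener FQDN. The file path is hypothetical and the FQDN is the post’s sample value.

```powershell
# Added example, not from the post or from Citrix: inspect a .p12/.pfx before uploading it
# in step 18, to catch the export problem behind troubleshooting item 2 (a Windows export
# without the private key or without the full chain). Path and FQDN are assumptions.
$P12Path = 'C:\certs\uem-listener.p12'     # hypothetical export path
$Fqdn    = 'uem.axendatacentre.com'        # listener FQDN from the post
$Pwd     = Read-Host -Prompt 'Keystore password' -AsSecureString

function Test-XmsKeystore {
    param([string]$Path, [System.Security.SecureString]$Password, [string]$ExpectedFqdn)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($Path, $plain, $flags)

    $findings = @()
    # The leaf is the one certificate that carries the private key; no key means a bad export.
    $leaf = $coll | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) {
        return @('FAIL: no certificate in the file carries a private key; export again with the key included')
    }

    # Build the chain using only the certificates shipped in the file as extra trust material,
    # then flag any element the chain needed that is not actually in the file.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $extras = @($coll | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })
    if ($extras.Count -gt 0) {
        $chain.ChainPolicy.ExtraStore.AddRange([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$extras)
    }
    $null   = $chain.Build($leaf)
    $inFile = @($coll | ForEach-Object { $_.Thumbprint })
    foreach ($el in $chain.ChainElements) {
        if ($inFile -notcontains $el.Certificate.Thumbprint) {
            $findings += "WARN: chain element '$($el.Certificate.Subject)' is not in the file; include the issuing certs"
        }
    }
    foreach ($s in $chain.ChainStatus) {
        $findings += "WARN: chain status $($s.Status): $($s.StatusInformation.Trim())"
    }

    # Name check: the listener FQDN must appear in the Subject CN or in the SAN extension.
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names  = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $needle = [regex]::Escape($ExpectedFqdn)
    if ($leaf.Subject -notmatch $needle -and $names -notmatch $needle) {
        $findings += "FAIL: neither Subject nor SAN contains $ExpectedFqdn"
    }
    if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "WARN: certificate expires $($leaf.NotAfter)"
    }
    if ($findings.Count -eq 0) {
        $findings += "OK: $($leaf.Subject), private key present, $($chain.ChainElements.Count) certs in chain, valid to $($leaf.NotAfter)"
    }
    return $findings
}

Test-XmsKeystore -Path $P12Path -Password $Pwd -ExpectedFqdn $Fqdn
```

A chain-element warning about the root is worth acting on: XMS has to present the intermediates itself, so an export that only contains the leaf is the classic cause of a device rejecting the 8443 certificate even though a desktop browser, which fetches missing intermediates on its own, shows it as valid.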

My 30 Days of Citrix SecureNotes

The views expressed here are my own and do not necessarily reflect the views of Citrix.

The past 30 days I thought I’d try a XenMobile secure app I’d honestly never really used before, as I store my notes within a secure app which is only accessible from my Citrite Windows 7-10 virtual desktop. This blog is a summary of my views about using Citrix Secure Notes and why I am now going to switch to Secure Notes from my primary note taking app, and it’s NOT a traditional note taking app at all! It is also worth mentioning, before I begin discussing Secure Notes, that I personally have never really found a note taking app that meets my personal requirements vs. DEMANDS; maybe that is because I have been doing personal/business web development with languages such as PHP, HTML(5), CSS and Javascript in my personal time since I was a teenager, so perhaps I’m looking for something that looks vs. feels like something I’d develop one day? Who knows! For now I’ll leave this thought as it stands and back to Secure Notes!

I thought I’d first start off with a tour of Secure Notes, followed by my personal views and thoughts on using Citrix’s Secure Notes thereafter.

Tour of Secure Notes

1. You can log in from a web browser at http://securenotes.citrix.com and if you want to sign in via your organisation’s IdP select “Log in with my company credentials”.
2. Enter your organisation’s ShareFile subdomain e.g. MyOrgName.
3. It will redirect you to your organisation’s IdP login where you will be prompted for a username + password and potentially another form of authentication like receiving a telephone call, a virtual token or being asked to verify yourself using biometric authentication.
4. Once you are signed in you can begin creating a note (secure website version of Secure Notes) by giving it a heading and then typing your notes in the body text or dragging and dropping pictures, tagging your notes and assigning them to a notebook (a collection of notes, perhaps by project vs. organisation vs. team meetings etc.), deleting unwanted or irrelevant notes, setting a reminder against a note, favouriting the note or searching the other notes that you’ve created.
5. Now you can see in this image that I have been using it for some time now (still less than 30 days), but I’m using notebooks to organise my notes by partner, customer vs. major events, and I’ve tagged selected notes that require a follow-up and then I remove the tags once it’s completed.
6. I have switched to the Notebooks view from the All Notes view, which organises your notes based upon your created notebooks, in my case by customer, partner & events; I then assign my notes to these notebooks so I can easily navigate notes, for example by partner, or just use the search filter (whatever is right vs. relevant to you).
7. All your notes are stored securely within your ShareFile personal folder, and if you’re using Drive Mapper with your Citrix virtual apps & desktops the path to see your notes is – “S:\Personal Folders\WorxNotes.root”. It does not matter whether you’re creating your notes using the website version of Secure Notes at – http://securenotes.citrix.com or using the secure XenMobile-enabled app called “Secure Notes”, which is available from the public app store for iOS – https://itunes.apple.com/us/app/citrix-secure-notes/id1157570015?mt=8 and Android – https://play.google.com/store/apps/details?id=com.citrix.note.droid&hl=en_GB and controlled by XenMobile MDX technology to stop cut, copy and paste. You can learn more about MDX by reading the XenMobile security white paper available at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf.
8. If I now switch to a mobile world, and I mean using a smart phone or tablet, and for convenience’s sake I’ll be using the Secure Notes app, I can see that I have similar capabilities and functionality vs. the secure website version.
9. I can insert a picture, tag it, favourite it, set a reminder etc. but now I can also record audio.
10. I can create my notes offline and when you’re back online it will sync your note(s) back up to ShareFile and you’ll notice the red cloud icon disappear.
11. Send your notes as an embedded message within the Secure Mail body vs. a PDF file attachment by selecting your preferred choice.

My Personal Views
Coming….

Lite Tech Overview of Secure Notes
Review all the features and caveat at – https://docs.citrix.com/en-us/xenmobile-apps/10/secure-notes.html

1. Currently only iOS 9-10 and Android 5-8 phones, BUT it’s not supported on tablets!*
2. Selecting a storage location for your notes: upon setting up the app you’re asked whether you prefer to store your notes in Microsoft Exchange Server or within a ShareFile StorageZone. You can provide users with a choice of both during on-boarding within the Secure Notes app.
3. Once users have been set up, the XenMobile Secure Hub agent can handle SSO or push the app to users who have enrolled into XenMobile’s MDM.
4. Supported file formats include – *.M4A, *.JPEG, *.PNG, *.BMP, *.GIF, *.WebP for a rich editing experience.

2017 UKI #CitrixPartnerLove Challenge #6 Traffic Flows

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://lnkd.in/dN74-97 to print.

Understanding the Citrix Cloud, its Services, Architecture & Connectors (Draft)

The following content is a brief and unofficial prerequisites guide, by the author of this entry, to better understand Citrix Cloud, Connector technology and the overall architecture required to set up, configure and test delivering virtual apps and desktops powered by the XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX CLOUD CONNECTOR – connector

The Three Primary Cloud Types (Draft Section)
Firstly I’d like to provide my definition of public, private vs. hybrid cloud; in my personal view things like SaaS and PaaS have naturally been spun out of IaaS e.g. Public Cloud.

Public Cloud is whereby an ISP provides you with SPLA licensing (OS, Application, Service), compute, storage and network capabilities, which in turn enables you to create your very own VM instances running in a virtual datacentre on the ISP’s h/w; example providers include AWS, Azure, Google Cloud Platform etc.

Private Cloud is where you, the organisation, own your own OS, Application or Service licenses as well as the physical hardware that allows you to create your own VM instances within your virtual datacentre. In this scenario the h/w could (a) be purely colocated at an ISP, with or without managed services over and above the colocation (example providers could include Rackspace, Qubems, Peer1), or (b) be hosted within your own custom and purpose-built data centre facility or comms room, dependent upon the organisation’s size and IT/Technology requirements.

Hybrid Cloud is when public and private clouds are connected securely over an IPsec R/A, L2L or SSL VPN connection.

What is and how Citrix Cloud works
Citrix Cloud is an evergreen, managed control plane from Citrix that provides the traditional Citrix management technologies to deliver e.g. Virtual Apps & Desktops as services, thereby reducing the overhead of management updates & upgrades. This means that Citrix is responsible for the availability of your Citrix management infrastructure in their control plane, including ensuring that it is on the latest, up-to-date production version of e.g. XAD to deliver DaaS and/or virtual apps. Citrix customers and partners are responsible for what is known as a resource location, which is where your apps, network and data reside and can exist in a public, private or hybrid cloud deployment scenario; each resource location is securely connected to the control plane using the Citrix Cloud Connector, which initiates an outbound HTTPS connection, so you’re completely in control of your apps, network & data within your resource location(s) at all times.

If I have not technically explained what is and how Citrix Cloud works successfully then please feel free to watch the below embedded YouTUBE video.

Please note that Citrix Workspace Cloud is now known as Citrix Cloud.

Citrix Cloud Services as of Jan 2017
The following is my own technical spin/view of each of the Citrix services; you can review the official Citrix view of each service at – https://www.citrix.com/products/citrix-cloud/services.html.

XenApp and XenDesktop Service – HDX virtual app & desktop delivery from any supported resource location running server/workstation VDA(s) while all the XenApp/XenDesktop mgmt infrastructure (Studio/Director) resides in your tenant/account at https://citrix.cloud.com.

XenMobile Service – Deploy Secure Apps (MAM) and MDM to control your organisation’s devices with no need to deploy the XenMobile v/a, even at your resource location; all you need is either an IPsec VPN tunnel or the Connector to enumerate users in AD to be assigned to delivery groups.

ShareFile Service – Follow-me data now controlled within one WebUI.

NetScaler Gateway Service – Provides a simple and easy deployment method to gain external remote access to virtual apps & desktops from your resource location(s) via the Citrix Cloud Connector.

Smart Tools Service previously Lifecycle Management – Design, build, automate, auto check & update your resource locations with Citrix validated blue prints.

Secure Browser Service – Provides a secure remote virtual browser(s) to access web (internal vs. external), SaaS apps from the Citrix Cloud with zero configuration, with only a link to access your published web apps via the HTML5 Receiver.

Citrix Cloud Labs – My personal favourite as this area of Citrix Cloud allows you get to test out some of the latest Citrix Innovations from our Labs team as services e.g AppDNA Express; Citrix Provisioning for Microsoft Office 365; IoT Automation; Citrix Launch for Microsoft Access; XenMobile MDX Service and Session Manager

Connector Architecture & Security
The following diagram depicts the H/A deployment of the Citrix Cloud Connector for use with the XenApp and XenDesktop Service from Citrix Cloud. Please note that this is a simple architectural diagram that does not include a NetScaler in the resource location, so the assumption is that your users will connect to their virtual apps and desktops either from within the actual resource location or via the NetScaler Gateway service hosted and managed by Citrix Cloud. My personal preference is to leverage a NetScaler physical or virtual appliance within your resource location, as the benefits of a NetScaler far exceed those of a simple ICA Proxy gateway for XenApp/XenDesktop. Perhaps a follow-up blog article on why I prefer a NetScaler in the resource location (from my personal viewpoint only), or I may decide to update this blog article.

To better understand how to best secure or harden your Citrix Cloud implementation and its services please refer to – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for leading best practices, processes & procedures and configuration requirements.

Citrix Cloud Connector
The following is a deep-dive overview of Citrix Cloud Connector technology for all the services, with the exception of the Smart Tools service, which leverages its own connector used to check your Citrix workloads, scale up/down and even build or tear down workloads in resource location(s) via blueprints.

Installation & Troubleshooting
You must download and install the Citrix Cloud Connector for your resource location only from “Identity and Access Management”, selecting the entry that matches your domain forest; don’t mix and match these! The installation is fairly straightforward and simple, as described and outlined at http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html; once the installation completes, wait for the connectivity test to pop up and complete successfully prior to navigating back to Citrix Cloud to validate that the Connector has successfully registered with Citrix Cloud+.

You can also perform an automated installation leveraging the following command line arguments when installing the Connector: “CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true”.

Although the Connector communicates outbound on HTTPS 443 it may also require additional ports, outbound only, as described at – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for one or more of the Citrix Cloud Services, so please consult the documentation for each Service carefully in high security environments to ensure that the organisation’s firewall ACLs for the PoC are correctly configured.

You can install hypervisor tools and anti-virus software (tested as of 26/10/2016++: McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8) on your VM instances that have the Citrix Cloud Connector technology installed; however it is not recommended to install any other software or unnecessary system services, nor should you allow any domain users access unless they are a Domain or System administrator of the Citrix environment. In summary, treat these Connectors as you would your XAD Controller (Broker).

The installation logs are available at “%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup” and post installation they are consolidated to the following location: “%ProgramData%\Citrix\WorkspaceCloud\InstallLogs”.

Understanding Credential Handling
Coming…http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Monitoring your Citrix Cloud Services
1. http://status.cloud.com/ is your friend and will provide you with vital up-to-date information about the Citrix Cloud platform (control plane or SaaS tier) and each of its Services e.g. XenApp and XenDesktop Service or Smart Tools.
2. Monitor the Connector services described below ++
3. The leading best practice is for the Citrix Cloud Connectors to not be offline longer than two weeks, as the connectors are regularly updated from Citrix Cloud with the latest updates (evergreen), which is why each resource location requires at a bare minimum 2x or a pair of Connectors.

Connectivity & High-Availability
The Citrix Cloud Connector should always be implemented in pairs at a minimum within any resource location and installed onto Windows Server 2012 R2 or 2016 AD-joined VM instances. The connectors are stateless: brokering requests are load-balanced by Citrix Cloud to the connectors within your resource location(s), and if a connector does not respond the queued tasks are redistributed to the remaining connector(s). Being stateless also means that they do not store any mgmt configuration for Citrix workloads at the resource location, as this is held within Citrix Cloud by the Service that you are utilising e.g. XenApp and XenDesktop Service.

+If you set up a PoC with a single Connector it will probably display as amber for a period of time prior to turning green, as you have only configured 1x Connector for your resource location. You can check the Connector status for your resource locations by navigating from https://citrix.cloud.com/ to https://citrix.cloud.com/identity; under “Domains” select your domain forest(s), expand it and you can review your Connector’s name e.g. servername.domain e.g. connector1.x1co.eu and its status (red, amber or green).

The leading best practice for h/a at your resource location is for your Citrix Cloud Connectors to be implemented as N+1 for redundancy – https://en.wikipedia.org/wiki/N%2B1_redundancy.

Logs & Services++ of the Connector
The Connector logs are stored at “C:\ProgramData\Citrix\WorkspaceCloud\Logs” (or use %ProgramData%\Citrix\WorkspaceCloud\Logs) for verifying ongoing communication and helping with troubleshooting. Once the log size exceeds a certain threshold the logs are deleted, BUT Administrators are able to control the log retention size by adjusting the following entry in the Windows registry, “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes”, to meet your organisation’s logging/auditing requirements.

The core four primary functions/roles of the Connector are Authentication, Proxy, Provisioning and Identity which are powered by the following Citrix Cloud services listed below (as of Jan 2017). You can view a detailed architecture technical diagram of the Connector under the XenApp and XenDesktop Service online documentation at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html.

Connector Functions/Roles
For a more accurate diagram please check out – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Connector functions: Authentication | Proxy | Provisioning | Identity

Resource location components the Connector talks to:
– NetScaler Unified Gateway / StoreFront (Optional)
– Hypervisor
– Server VDA (Server 2012 R2, 2016)
– Desktop VDA (Windows 10)
– Active Directory, DNS

I’ll update this section with what each of the Connector services actually does

Citrix Cloud AD Provider
Citrix Cloud Agent Logger
Citrix Cloud System
Citrix Cloud WatchDog
Citrix Cloud Credential Provider
Citrix Cloud WebRelay Provider
Citrix Cloud Config Synchronizer Service
Citrix Cloud High Availability Service
Citrix Cloud NetScaler Cloud Gateway
Citrix Cloud Remote Broker Provider
Citrix Cloud Remote HCL Server
Citrix Cloud Session Manager Proxy
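To cover item 2 under “Monitoring your Citrix Cloud Services” I run a small PowerShell health check like the one below on each Connector. It is my own added example, not a Citrix tool or anything from the post: it walks the service display names listed above, reads the MaximumLogSpaceMegabytes value from the registry key named in the logs section, and flags a log folder that has gone quiet, which is an early sign of a Connector that has dropped offline and is heading towards the two-week limit. The 24-hour staleness threshold and the non-zero exit code are my assumptions.

```powershell
# Added example, not from the post or from Citrix: health check for one Citrix Cloud Connector
# host. It checks the Connector services listed on this page, reads the log retention value
# from the registry key the post names, and flags a log folder that has stopped being written.
$ConnectorServices = @(
    'Citrix Cloud AD Provider', 'Citrix Cloud Agent Logger', 'Citrix Cloud System',
    'Citrix Cloud WatchDog', 'Citrix Cloud Credential Provider', 'Citrix Cloud WebRelay Provider',
    'Citrix Cloud Config Synchronizer Service', 'Citrix Cloud High Availability Service',
    'Citrix Cloud NetScaler Cloud Gateway', 'Citrix Cloud Remote Broker Provider',
    'Citrix Cloud Remote HCL Server', 'Citrix Cloud Session Manager Proxy'
)
$RegPath = 'HKLM:\SOFTWARE\Citrix\CloudServices\AgentAdministration'    # from the post
$LogDir  = Join-Path $env:ProgramData 'Citrix\WorkspaceCloud\Logs'       # from the post
$StaleAfterHours = 24                                                     # assumption

function Get-ConnectorHealth {
    param([string[]]$DisplayNames, [string]$RegistryPath, [string]$LogPath, [int]$StaleHours)
    $report = [ordered]@{ Host = $env:COMPUTERNAME; NotRunning = @(); Missing = @() }

    foreach ($name in $DisplayNames) {
        # The post lists display names, so match on -DisplayName rather than the short service name
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { $report.Missing += $name; continue }
        if ($svc.Status -ne 'Running') { $report.NotRunning += "$name ($($svc.Status))" }
    }

    # Log retention: the value is absent until an administrator sets it, which the report shows as empty
    $reg = Get-ItemProperty -Path $RegistryPath -Name MaximumLogSpaceMegabytes -ErrorAction SilentlyContinue
    $report.MaxLogSpaceMB = if ($reg) { $reg.MaximumLogSpaceMegabytes } else { $null }

    # A Connector that has lost its outbound 443 path stops writing logs; treat a quiet folder as stale
    $report.LogStale = $true
    if (Test-Path $LogPath) {
        $newest = Get-ChildItem $LogPath -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($newest) {
            $report.NewestLog = "$($newest.Name) at $($newest.LastWriteTime)"
            $report.LogStale  = $newest.LastWriteTime -lt (Get-Date).AddHours(-$StaleHours)
        }
    }
    return [pscustomobject]$report
}

$health = Get-ConnectorHealth -DisplayNames $ConnectorServices -RegistryPath $RegPath `
    -LogPath $LogDir -StaleHours $StaleAfterHours
$health | Format-List
# Non-zero exit so a scheduled task or monitoring agent can alert on it
if ($health.NotRunning.Count -gt 0 -or $health.Missing.Count -gt 0 -or $health.LogStale) { exit 1 }
```

Run it against both Connectors of the pair, not just one: with N+1 the point of the check is to catch the first failure while the other Connector is still carrying the brokering load and the domain still shows green in Citrix Cloud.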

Citrix Cloud PoC Guide for the XenApp and XenDesktop Service
I have written a fairly detailed blog article describing how to deploy the XenApp and XenDesktop Service here.

Deploying a Citrix Cloud – XenApp and XenDesktop Service PoC

The following content is a brief and unofficial overview of how to front your virtual apps & desktops powered by the Citrix Cloud XenApp & XenDesktop Service and the NetScaler Gateway Service using an Azure (IaaS) resource location. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
THINWIRE COMPATIBLE MODE – tcm also known as ecm or thinwire+
SELF-SERVICE PASSWORD RESET – sspr
VIRTUAL GPU – vgpu
PROOF OF CONCEPT – poc
XENAPP AND XENDESKTOP SERVICE – xad service
CITRIX CLOUD CONNECTOR – CC Connector
ACCESS CONTROL LISTS – acl
FIREWALL – f/w

What is Citrix Cloud?
Firstly, this blog post will be updated throughout Nov and Dec 2016 as I still have a few minor additions and adjustments to make, but in principle this blog post should help you stand up a Citrix Cloud – XAD Service PoC successfully with your chosen resource location.

Citrix Cloud provides a control plane that includes Citrix technologies as services e.g. the XenApp and XenDesktop Service, which allows Citrix SysAdmins to set up, configure and deliver virtual apps & desktops to users on any device, anytime and from any location, from your chosen resource location. That resource location could be hosts running in a data centre on XenServer, Hyper-V, Acropolis*, vSphere vs. hyper-converged appliances (Nutanix*, Atlantis), or it could be running in an IaaS or public cloud provider e.g. Azure or AWS etc.

Your resource location of choice is connected to the Citrix Cloud control plane through something called the Citrix Cloud Connector, which is installed in pairs onto supported, domain-joined Windows Server OSes and runs services that communicate with the control plane outbound on HTTPS/443, which also has the added benefit of NOT requiring any type of VPN (SSL, R/A or IPsec GRE tunnel)!

Adopting Citrix Cloud introduces an evergreen or SaaS-style update approach to the Citrix infrastructure components. As an example, within the XenApp and XenDesktop Service the controller, licensing server and StoreFront are hosted and managed by Citrix and auto-updated (evergreen), thus reducing infrastructure updates and upgrades so IT can focus on other workspace projects, e.g. implementing Skype for Business – http://axendatacentre.com/blog/2016/04/25/deploying-skype4b-2015-offloaded-from-a-citrix-hdx-virtual-app-or-desktop/ or daily tasks and activities. This reduces System Administration time, which equates to cost savings, or shifts more IT time onto providing the very best near-local delivery and user experience.

The Goal of this PoC
In this blog post I will describe how to set up and deploy the “Citrix Cloud – XenApp and XenDesktop Service” using Microsoft Azure as my resource location of choice for this PoC to deliver (server-based) virtual apps & desktops, including enabling remote access in its simplest form using the NetScaler Gateway Service, which enables secure remote access to virtual apps & desktops from anywhere with an internet connection using Citrix Receiver or the HTML5 Receiver, all without having to deploy a NetScaler in your resource location – https://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html; and accessing a published Skype for Business 2015 HDX-optimised virtual app powered by the HDX Optimisation Pack 2.x.n – http://docs.citrix.com/en-us/hdx-optimization/2-1.html published from a Windows Server 2012 R2 OS server into a virtual desktop powered by Windows Server 2016.

Traffic Flows, Metadata & Credential Handling
The following provides insight into the traffic flows when/how users connect to their virtual apps & desktops when using the Citrix Cloud – XenApp and XenDesktop Service.

NetScaler Gateway Service
http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html

XAD Service
http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Comparing services and pricing is available at – https://www.citrix.com/products/citrix-cloud/subscriptions.html

Pre-requisites & System Requirements
0. Trial Checklist – http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/apps-desktops-trial-checklist.pdf which is linked from the XAD Service eDoc root at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service.html.
1. An Azure subscription with sufficient credits and compute resources for your own PoC requirements. You’ll also need to understand the concepts of Azure, so I’d suggest you begin by reviewing the online documentation available at – https://azure.microsoft.com/ or visit the VMFocus blog at https://vmfocus.com/2016/11/07/70-533-implementing-microsoft-azure-infrastructure-solutions-prep-exam-experience/ and scroll to the preparation text in bold.
2. A Citrix Cloud account with access to the XAD Service; check out – https://www.citrix.com/products/citrix-cloud/ for details and information about a trial.
3. The Citrix Cloud Connector downloaded from your XAD Service to your Azure resource location onto a shared folder e.g. a network share on your Windows domain controller or file server. For the basics of how to download and install, check out the installation overview at – http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html.
4. Download the VDAs from https://apps.cloud.com/downloads, which is only accessible once you have successfully authenticated at https://citrix.cloud.com/.
5. A Windows Server 2012 R2 VM running at a minimum “Active Directory”, “DNS” and the “Citrix Cloud Connector”, and optionally (skip it only if you want to keep costs down; preferred, to match a real-world scenario) a second Windows Server 2012 R2 VM running the “Citrix Cloud Connector” so that you have a pair of connectors talking to Citrix Cloud.
6. A pair of Windows Server 2012 R2 VMs, one to be used as a +hosted shared server virtual desktop and the other to deliver virtual apps e.g. Skype for Business 2015-16 HDX Optimised; docs – http://docs.citrix.com/en-us/hdx-optimization/2-1/hdx-realtime-optimization-pack-overview.html, video overview at – https://www.youtube.com/watch?v=IpOSi_FkA7c.
7. A Windows Server 2016 VM to be your second +hosted shared server virtual desktop (preferred choice for me :-)) so you can demonstrate publishing virtual apps into both +virtual desktops and demonstrate Windows Server 2016 as a DaaS VD, or just as a show and tell back to your organisation’s management to begin thinking about moving to Windows Server 2016 from 2008 R2 or 2012 R2.

Deploying your Citrix Cloud Connectors
1. Prior to starting your installation please be sure to switch “Enhanced Security Configuration (ESC)” off during the installation.
2. Right-click on the CC Connector installer and run as Administrator.
3. Enter your Citrix Cloud Administrator access details and you’ll receive a list of available customer accounts; in your case you should only have one, so select it and continue.
4. The installation will install the required software components and prior to finishing it will perform a “connectivity test”; this will take up to 60 seconds.
5. Make some coffee or tea if you’re British (or British-South African born) while the Citrix Cloud Connector communicates with the Citrix Cloud control plane and successfully registers.
6. Navigate to Citrix Cloud, select “Identity & Access Management” from the menu in the top left-hand corner and on the “Domains” tab you should now see your domain with a status of “Ready”; if you see amber anywhere this is because one of your connectors is not in a ready state or you only have 1x connector in your chosen resource location.
7. Don’t proceed until your connector(s) are in a Ready state in Citrix Cloud; this is very important!

Deploy your Virtual Apps & Desktops
1. At https://citrix.cloud.com/, under “Services List”, next to the “XenApp and XenDesktop Service”, click on the blue “Manage” button. Note that you can also get to the management consoles by clicking the menu icon in the top left-hand corner and selecting from the list the service that you wish to administer, e.g. the XAD Service.
2. You’ll now be redirected to https://apps.cloud.com/. Scroll to the bottom of the webpage to identify what your cloud-hosted StoreFront server address is, e.g. https://tttemea10.xendesktop.net/Citrix/StoreWeb/, then right-click it and open it in a new tab.
3. Now click on the downwards arrow on “Manage” and you’ll see two options, “Service Creation” and “Service Delivery”. Click on Service Delivery, which should take you to https://apps.cloud.com/delivery, where you’ll see the available options shown below. Simply toggle to select your preferred delivery options for your virtual apps & desktops, choosing in this case to utilise the Citrix Cloud – XAD Service cloud-hosted StoreFront and/or NetScaler Gateway Service. I will follow up with another blog post in the future covering deploying this PoC using StoreFront and NetScaler (Unified) Gateway in your chosen “resource location”, BUT for now I am keeping it clean and simple. Please verify that your toggles match what you see in the below image prior to proceeding (also see the 3rd tip!!!). If you want to use StoreFront – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/setting-up-storefront.html – and NetScaler – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/getting-started.html#par_anchortitle_1403 – in your resource location, then read the provided links.


TIP/HINT 1: You can choose to toggle off “Session Reliability”.
TIP/HINT 2: Where you configure the XAD Controller point this to the Citrix Cloud Connector.
TIP/HINT 3: The NetScaler Gateway Service is sold separately from the XAD Service as of 2017 Q1 ref – https://www.citrix.com/products/citrix-cloud/subscriptions.html

4. Now click on the downwards arrow on “Manage” and click on Service Creation, which should take you to https://apps.cloud.com/manage. You’ll notice a spinning icon in the middle of your screen for a few seconds, and then your securely hardened Studio console will be available to you, published using the latest HTML5 Receiver, which includes dynamic auto screen resizing (change the browser window size :-)) and copy and paste.
5. Create your “Machine Catalog(s)” as per normal; if you’re unsure then follow the steps outlined at http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/install-configure/machine-catalogs-create.html, then return to the Citrix Cloud published Studio. Create three machine catalogs if following the blog post: 1x machine catalog for virtual apps powered by Win Srv 2012 R2, and 2x for virtual desktops, one powered by Win Server 2012 R2 and one by 2016. Once you have created your machine catalogs, check that the VMs within each “Machine Catalog(s)” have a successful Registered state; if the VM(s) in a catalog don’t register, then review my quick troubleshooting guidance at the end of this blog article.
6. Next create a “Delivery Group”, almost like normal; once again, if you are unsure, the how-to is available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/install-configure/delivery-groups-create.html. Remember again, if following this blog post: 1x delivery group for virtual apps powered by Win Srv 2012 R2 and 2x delivery groups for virtual desktops powered by Win Server 2012 R2 and 2016, BUT there is one very important exception, which is that once you select the machines and get to the user section, be very sure to select “Leave user management to Citrix Cloud. This makes the Delivery Group available as an offering when configuring your Citrix Cloud Workspaces.” – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/creating-and-publishing-a-workspace.html.



7. Now that you have created a Machine Catalog and a Delivery Group, you need to assign users to these resources, so click the menu icon in the top left-hand corner and select “Workspaces“. You’ll see “My First Workspace”; just ignore it for now and select the “+ Workspaces” icon (it’s large, you just cannot miss it!). Note that workspaces are now referred to as service offerings, which you assign to users from your Library – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/assigning-users-to-offerings-using-library.html.
8. Enter a name for your workspace, e.g. PoC Workspace.
9. Select “✎ Manage” under your Workspace name and, from the available “Citrix Cloud Services” list, select the “XenApp and XenDesktop Service”. On the right-hand side you’ll see your delivery group(s) (depending on whether you completely followed this blog post), so simply select the virtual apps and virtual desktops that you wish to publish to this workspace. It’s your choice, but in this PoC we’ll be selecting all available delivery groups to deliver virtual apps & desktops. Once selected, click the blue “Update Workspace” button above.
10. Your workspace now contains virtual apps & desktops that can be consumed by subscribers, e.g. users.
11. Now that you have created your first Workspace, e.g. PoC Workspace, in Citrix Cloud using the XenApp & XenDesktop Service, all that is left to do is to add users, BUT in a Citrix Cloud world they are known as “subscribers“!
12. Select your PoC Workspace once more and click on the “Subscribers” tab. You’ll see a domain list on your left-hand side, so select your “domain”; to your right you’ll see an input field, so type in your subscriber’s username, e.g. lynd, which will securely query your AD via the Citrix Cloud Connector and return your user(s), e.g. lyndon-jon@x1co.eu. Once listed, select the user(s) from your query and they will be added to the list below. Now repeat the process to add all other test/PoC subscribers or AD test/PoC security groups to your PoC Workspace, and then click the blue “Update Workspace” button above to save the subscribers to this workspace.


TIP/HINT: You can also select AD Security Groups not just AD users.

Initial Test
Your users/subscribers should now be able to login to the Cloud hosted StoreFront available at e.g https://YOURCUSTOMERNAME.xendesktop.net using an HTML5 internet browser or Citrix Receiver.

HDX Policies
Please assign your policies as you prefer to users, delivery groups, etc. You’ll also notice that I have not applied an FPS limit to every policy, only to the balanced ones, as these most often need to be adjusted to be fit for purpose for standard office workers, enabling user density gains on the backend and bandwidth savings while maintaining a decent and good UX. My personal preference is “HDX Adaptive Display v2“.

HDX Adaptive Display v2 (my personal preferred choice)
1. “Use video codec for compression” then select “For actively changing regions”.

HDX Adaptive Display v2 (Balanced)
1. “Use video codec for compression” then select “For actively changing regions”.
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.

Thinwire Compatible Mode
1. “Use video codec for compression” then select “Do not use video codec”.

Thinwire Compatible Mode (Balanced)
1. “Use video codec for compression” then select “Do not use video codec”.
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.
3. “Frames Per Second” then enter a value of “25-30“.

H.264
1. “Use video codec for compression” then select “For the entire screen”.
2. “Frames Per Second” then enter a value of “30” (Optional).

My personal preferred choice is HDX Adaptive Display v2; my 2nd personal preferred choice is one of the other policies listed above.

Advanced Remote Access using a NetScaler in your Resource Location with(out) StoreFront
The following has been tested using the latest NS firmware 11.1 available in the Azure marketplace as of 05/03/2017.

1. Log in to the NetScaler admin WebUI using the following firmware: 11.1.x.n
2. Check that your appliance is correctly licensed.
3. Select the “Unified Gateway” wizard.
4. Enter in your assigned VIP (private IP addr or in Azure NSIP:8443) and enter in a vServer friendly name e.g myUG
5. Select “Install Cert” and install a valid public CA signed cert, either *.pfx or *.pem.
6. Configure LDAP: either use an existing server or add a new server for LDAP auth, and choose the “Server Logon Name Attribute” as userPrincipalName.
7. Select “Portal Theme” and select “RfWebUI”
8. Now under “Applications” select and add “XenApp/XenDesktop”, then enter your resource location or Cloud-Hosted StoreFront “FQDN” and select “Test Connection”, which should retrieve and auto-configure the required settings; a green bar will appear if successful. If not, then configure manually based upon the following guidance below.

– Enter in “Site Path” e.g /Citrix/StoreWeb/
– Enter in your Single Sign-on Domain e.g x1co.eu
– Enter in “Store Name” e.g Store
– Enter in “Secure Ticket Authority (STA) Server” which will be the Citrix Cloud Connector IP addr
– StoreFront server IP Addr:

Option 1 – If using the cloud-hosted StoreFront FQDN e.g https://*.xendesktop.net then please use the IP addr of the Citrix Cloud Connector in your resource location.
Option 2 – If using a StoreFront server in the resource location please use its IP addr.

9. Do not configure a “Xen Farm”; just select “Continue” and complete the remaining steps to finish the Wizard.
10. The dashboard overview of “Unified Gateway” should indicate all up and green.

Remote PowerShell SDK for the XenApp and XenDesktop Service
Coming, but have a read of – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/remote-powershell-sdk.html in the interim.

Troubleshooting Guidance
VDA Registration Issue
1. Make sure that forward and reverse DNS is set up correctly for the VDAs and the CC Connectors.
2. Check that the following Citrix Cloud services, “Citrix Remote Broker Provider” and “Citrix Cloud Agent System, Logger & WatchDog“, are successfully started on your Citrix Cloud Connector(s) VM instances.
3. Ensure that HTTPS/443 outbound is NOT disabled on any of your CC Connectors, either via the Windows Firewall or your hardware or virtual firewall ACLs.
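As an added example that is not part of the original post, the following read-only PowerShell check covers the three points above when run on a Citrix Cloud Connector VM. The hostnames are constructed placeholders, the service display-name patterns are an assumption based on the names given in the post, and citrix.cloud.com is used only to prove outbound HTTPS/443 is open.

```powershell
# Added example, not from the original post: read-only VDA-registration health check
# for a Citrix Cloud Connector VM. Hostnames are constructed placeholders and the
# service display-name patterns are an assumption; adjust both for your environment.
function Test-CloudConnectorHealth {
    param(
        # Constructed placeholder FQDNs for the two VDAs and the Connector.
        [string[]]$Hosts = @('vda-2012r2.x1co.eu', 'vda-2016.x1co.eu', 'cc-connector01.x1co.eu'),
        # Public endpoint named in the post; used only to test outbound TCP/443.
        [string]$CloudEndpoint = 'citrix.cloud.com'
    )

    # 1. Forward and reverse DNS for each VDA and Connector must agree.
    foreach ($h in $Hosts) {
        try {
            $records = Resolve-DnsName -Name $h -Type A -ErrorAction Stop | Where-Object IPAddress
            foreach ($r in $records) {
                $ptr   = Resolve-DnsName -Name $r.IPAddress -Type PTR -ErrorAction Stop
                # PTR names may carry a trailing dot; -contains compares case-insensitively.
                $match = ($ptr.NameHost -replace '\.$', '') -contains $h
                [pscustomobject]@{ Check = 'DNS'; Target = $h; Detail = $r.IPAddress; Pass = $match }
            }
        } catch {
            [pscustomobject]@{ Check = 'DNS'; Target = $h; Detail = $_.Exception.Message; Pass = $false }
        }
    }

    # 2. Connector services named in the post must be running (display-name patterns assumed).
    $patterns = 'Citrix Remote Broker Provider', 'Citrix Cloud Agent System',
                'Citrix Cloud Agent Logger', 'Citrix Cloud Agent WatchDog'
    foreach ($p in $patterns) {
        $svc    = Get-Service -DisplayName "$p*" -ErrorAction SilentlyContinue
        $detail = if ($svc) { $svc.Status -join ',' } else { 'not installed' }
        [pscustomobject]@{
            Check = 'Service'; Target = $p; Detail = $detail
            Pass  = [bool]($svc -and ($svc.Status -notcontains 'Stopped'))
        }
    }

    # 3. Outbound HTTPS/443 must not be blocked by the Windows Firewall or an upstream ACL.
    $tcp = Test-NetConnection -ComputerName $CloudEndpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'TCP443'; Target = $CloudEndpoint; Detail = $tcp.RemoteAddress; Pass = $tcp.TcpTestSucceeded }
}

# Any row with Pass = False points at the matching item in the guidance above.
Test-CloudConnectorHealth | Format-Table -AutoSize
```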