
How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

Author Note
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.

This is going to be one of the longest posts that I am about to write so come back from the moment it’s published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – in due course.

What is XenMobile?
XenMobile is a complete UEM or MEM via (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on their own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. It’s Feb 2018 and it’s still equally a tough exam to pass even though the XDM + XAC were merged into a virtual appliance now called the XenMobile Server (XMS).

If you have not deployed a mobility solution in the past or you’re an expert you’ll agree most likely that mobility or UEM/MEM is complex and is constantly changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly throughout your organisation’s Wi-Fi network and so the list continues on and on….

In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount importance to be successful. Below is a list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploying a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaves and so much more, that is definitely worth your time!
– Configure the XMS with a public routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if you’re enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC (up to 100 devices), however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high availability. NOTE: Do not pre-create an MS SQL database; allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You’ll need to activate your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of the CSRs for all of your mobility + XMS + NS certs is quite important, not just for the initial PoC but thinking 12 months out when the certs begin to expire: where did I generate those certs from, now that I need to begin the re-signing process, hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this, and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your chosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore, this applies to ANY MDM vendor to be 100% clear!
– Don’t assume that one individual should be deploying the XenMobile (any mobility) PoC themselves, as in my experience unless you’re 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often it’s 3 people from within the IT team, for high security organisations it’s double I find. Typically the 3 people are the Citrix Admin who will require help & support from a networking (f/w dude:-)) or NetScaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against their use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmz <-> tru).
– DO NOT USE A PROD NetScaler; deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premises vs. your chosen resource location.
– If you are intending to MDX wrap or enlighten your iOS – and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if you’re not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c it was that the mistake occurred.
– If you’re not going to utilise public CA signed certificates (Strongly Preferred) as you’re deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports, you’ll need to make sure they are available over your corporate Wi-Fi including the over-the-air enrolment port especially for Apple iOS devices, otherwise your MDM enrolment will fail so you’ll be defaulted to only being able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security hardening purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it is most likely that you are connecting on https://XMS-vip:4443 via the VIP owned by the NetScaler, but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g “Invalid user for SSO” when users attempt to sign-on.
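A pre-enrolment check for the last point above, as an added example that is not part of the original post: it parses an LDIF export of your users (e.g. from ldifde or ldapsearch) and lists the accounts missing givenName, sn or mail, the AD attributes behind the first name, last name and e-mail fields. The sample LDIF, account names and the example.test domain are constructed.

```python
import base64

# AD attributes behind the first name, last name and e-mail fields.
REQUIRED = ("givenName", "sn", "mail")

# Constructed sample export, not real directory data.
SAMPLE_LDIF = """\
# Constructed sample for illustration only.
dn: CN=Alice Admin,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: aadmin
givenName: Alice
sn: Admin
mail: alice.admin@example.test

dn: CN=svc-xms,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: svc-xms
givenName: XMS

dn: CN=Zoe Field,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: zfield
givenName:: Wm/Dqw==
sn: Field
mail: zoe.field@exam
 ple.test

dn: CN=Bob Blank,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bblank
givenName: Bob
sn: Blank
mail:

dn: CN=LAB-PC01,CN=Computers,DC=example,DC=test
objectClass: user
objectClass: computer
sAMAccountName: LAB-PC01$
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute (lowercase): [values]} dicts."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue                      # comment or separator line
        if rest.startswith(":"):          # 'attr:: <base64>' (non-ASCII values)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):        # 'attr:< <url>' reference, not followed
            continue
        else:
            value = rest.strip()
        key = name.split(";")[0].strip().lower()
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_fields(entry):
    """Return the required attributes that are absent or blank in one entry."""
    return [a for a in REQUIRED
            if not any(v.strip() for v in entry.get(a.lower(), []))]


def audit(text):
    """Map sAMAccountName (or dn) -> missing attributes, for user accounts only."""
    report = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        # Computer accounts also carry objectClass 'user'; they never enrol.
        if "user" not in classes or "computer" in classes:
            continue
        gaps = missing_fields(entry)
        if gaps:
            ident = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
            report[ident] = gaps
    return report


if __name__ == "__main__":
    for account, gaps in audit(SAMPLE_LDIF).items():
        print(f"{account}: missing {', '.join(gaps)}")
```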

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n which is where these system requirements have been obtained from dated Feb 2018 –

Trial Licensing for On-Premises Only
Citrix Customer Evaluation licenses can be obtained at – if you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices

– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https

– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will require extra certs for this configuration and it’s well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)

1x private static IP addr that is used for the NetScaler’s IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to as the NetScaler’s Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.

Internet DMZ – NetScaler + XMS TRU
nug01 (NetScaler V/A) <-> NSIP
SNIP <-> 81.x.x.1 <-> UEM Listener on XMS <-> 81.x.x.2 + * <-> MAM Listener on XMS (XMS V/A) <->

Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FCM) with Android for Mobile Notification Service Capabilities

Apple’s APNs Certificates portal is accessible at –, if you like a technical overview of how APNs works check out Apple’s developer documentation on the subject at – it’s quite extensive and in-depth.

1. Create an organisation Apple ID at –
2. Generate a CSR on NetScaler – or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to and sign in where prompted with your partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specify a friendly name. NOTE: Optional Import Apple’s Certificates (*.cer, *.crl) from – also see
8. Export the imported certificate as a *.pfx, specifying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI remember to enter your chosen password and import it as a keystore -> pfx format and select APNs as the cert type.

Citrix provides a more detailed how-to and overview at –

Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM is the natural evolution of GCM platform, so think FireBase first for Android :-).

1. Create an organisation Google Developer account at –, if you’re keen to understand how it works visit the XenMobile eDocs web page for Firebase at –
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important? Well, these ports will need to be made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments, otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.

Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – * which contains a Preinstallation checklist and deployment flowchart. My goal in this section is to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from –
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required compute requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as it’s all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected).
3. Start the XMS v/a via XenCenter, it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster, this is so that you select the correct options during the FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter in a strong suitable passwd
6. Next you are prompted for network settings, the IP addr will be e.g as per my text diagram above.
7. Next you’re asked about an “Encrypting Phrase”, most people select “y” to randomise it however you’ll never know what it is, nor can you obtain a file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create their own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will defer to for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next you’re asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise it was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.


9.1 – Let the first XMS v/a that you configure as part of your XMS cluster create the required XM database itself, DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g, what does this mean? It means that if you were to type in on the device that you’re reading this blog post on, inside the corporate file or at home, it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for to xms01, this will NOT work properly and devices will NOT enrol, you have been warned! If you do this you will need to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfectly fine to accept the default ports here unless you’re a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself, however remember the more complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as it’s a PoC
13. Next we get to the Public Key Infrastructure (PKI) where I’d prefer to configure all the certs with the same passwd or pass phrase, or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +). Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team may be the hypervisor admin who does all the CLI stuff as well while the Mobility admin handles all the logical configuration via the Web UI administrator account.


14.1 – Make both admin, administrator passwords random and securely store them BUT separately from one another. Setup and assign AD domain admins security group as FULL Administrators of the XMS v/a via RBAC –

15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release, please select “n” which is also the default! The XMS v/a will stop and start the app and once it’s completed you see a FQDN e.g this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependent upon how much vCPU, RAM that you assigned to the v/a and if you’re on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins make with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for <-> 81.x.x.1 <-> when they should be accessing the direct IP addr of the XMS v/a <-> Most individuals do this to test their NetScaler setup, please DO NOT setup the NetScaler, do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> IP addr on Once you’re at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if it’s your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time to better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to I would also suggest to test from each XMS v/a(s) within your cluster that you can successfully connect to the remote v6 lic server which is available under the Wrench icon -> Licensing.
18. Next it’s cert mgmt. and a word of caution, as this catches everyone out: after uploading any certs a reboot of the XMS v/a(s) is required in order for the new certs to be bound to the SSL listener interfaces and the existing ones to be unbound! You’ll need at this point your APNs and SSL certs for e.g to upload to the XMS v/a, when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on Cert types and how-to’s for XenMobile check out – which includes guides on configuring PKI Entities, certificate-based authentication for SecureMail and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL:
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: (See text diagram above in HTML table format)

^ These settings are optional.

20. Next you’re prompted to setup your AD binding, I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t, otherwise a lot of things in your environment will break.

AD Binding
Port: 389 (Leave defaults unless changed within high security environments)
Domain name:
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g
Password: *****
Domain Alias: (yours may be different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)

21. Final configuration you’ll need to do is to setup XMS notifications – which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart and once it has successfully rebooted navigate to the XMS v/a direct FQDN or IP addr and check the HTTPS cert status in your internet browser to ensure that it is no longer self-signed by the XMS v/a but matches your uploaded SSL cert bound to the SSL Listener.
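A pre-flight check for the port expectations stated in this guide, as an added example that is not part of the original post: the admin Web UI on 4443 should answer on the XMS directly but not through the NetScaler VIP, 389 and 3268 should reach AD, and the Firebase ports 5228 to 5230 should be open outbound. The hostnames are placeholders, running it from an admin workstation on the corporate network is an assumption, and 8443 for enrolment is taken from the enrolment URL quoted in the troubleshooting section.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    label: str
    host: str
    port: int
    should_be_open: bool


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable or unresolvable
        return False


def build_matrix(xms_direct, xms_vip, ad_server, fcm_host):
    """Port expectations from this guide, as seen from the corporate network."""
    rows = [
        # Admin Web UI: reachable on the appliance itself, blocked on the VIP.
        Expectation("XMS admin UI (direct)", xms_direct, 4443, True),
        Expectation("XMS admin UI via NetScaler VIP", xms_vip, 4443, False),
        # Enrolment URL quoted in the troubleshooting section uses 8443.
        Expectation("Device enrolment", xms_vip, 8443, True),
        # AD binding defaults: LDAP 389 and global catalog 3268.
        Expectation("AD/LDAP", ad_server, 389, True),
        Expectation("AD global catalog", ad_server, 3268, True),
    ]
    # Firebase ports that must be allowed outbound for on-network enrolment.
    rows += [Expectation(f"FCM outbound {p}", fcm_host, p, True)
             for p in (5228, 5229, 5230)]
    return rows


def evaluate(matrix, probe=tcp_open):
    """Probe every row and return findings for the rows that deviate."""
    findings = []
    for exp in matrix:
        seen = probe(exp.host, exp.port)
        if seen != exp.should_be_open:
            state = "open" if seen else "closed"
            want = "open" if exp.should_be_open else "closed"
            findings.append(
                f"{exp.label}: {exp.host}:{exp.port} is {state}, expected {want}")
    return findings


if __name__ == "__main__":
    # Placeholder hostnames; replace with your own before a live run.
    matrix = build_matrix("xms-direct.example.test", "xms-vip.example.test",
                          "dc01.example.test", "fcm-endpoint.example.test")
    # Constructed observations so the demo runs offline: 4443 is exposed on
    # the VIP and two of the three Firebase ports are blocked outbound.
    observed_open = {
        ("xms-direct.example.test", 4443), ("xms-vip.example.test", 4443),
        ("xms-vip.example.test", 8443), ("dc01.example.test", 389),
        ("dc01.example.test", 3268), ("fcm-endpoint.example.test", 5228),
    }
    for line in evaluate(matrix, probe=lambda h, p: (h, p) in observed_open):
        print(line)
    # For a live check, call evaluate(matrix) and let tcp_open do the probing.
```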

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with

Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – and also be sure to please refer to XenMobile compatibility documentation – for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I personally have not seen this issue occur again for quite some time but I thought it’s worth including in case it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – on the originating Windows server that you generated your CSR on for the XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling their iOS devices.
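A scripted version of the listener certificate checks in this post, as an added example that is not part of the original post: it does a fully verified TLS handshake against the SSL Listener, turns OpenSSL's verification error codes into a hint (self-signed, incomplete chain, expired) and warns when the cert is inside the renewal window. The host name, the 30 day warning window, the optional lab CA file and the sample certificate dict are assumptions or constructed values.

```python
import socket
import ssl
import time

# OpenSSL verify codes (X509_V_ERR_*) and what they suggest for the listener cert.
VERIFY_HINTS = {
    10: "certificate has expired",
    18: "self-signed certificate is still bound to the listener",
    19: "self-signed root in the chain is not trusted by this client",
    20: "issuer not found locally: intermediate missing from the uploaded chain",
    21: "unable to verify the first certificate: chain is incomplete",
    62: "hostname mismatch between the FQDN and the certificate",
}

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "xms.example.test"),),),
    "issuer": ((("commonName", "Example Lab Issuing CA"),),),
    "notAfter": "Feb 19 12:00:00 2019 GMT",
}


def explain_verify_failure(code):
    """Map an OpenSSL verification error code to a troubleshooting hint."""
    return VERIFY_HINTS.get(code, f"verification failed (OpenSSL code {code})")


def days_remaining(not_after, now=None):
    """Whole days until the 'notAfter' string from getpeercert() is reached."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def _common_name(rdns):
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def summarise(cert, warn_days=30, now=None):
    """Turn a verified peer certificate into a renewal status record."""
    left = days_remaining(cert["notAfter"], now)
    ok = left > warn_days
    return {
        "ok": ok,
        "reason": "valid" if ok else f"renew now: {left} days left",
        "days_left": left,
        "subject": _common_name(cert.get("subject", ())),
        "issuer": _common_name(cert.get("issuer", ())),
    }


def check_listener(host, port=8443, cafile=None, warn_days=30, timeout=5.0):
    """Handshake with full verification against host:port and report status.

    Pass cafile for an Enterprise CA lab; only that file is then trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": explain_verify_failure(exc.verify_code)}
    except OSError as exc:
        return {"ok": False, "reason": f"connection failed: {exc}"}
    return summarise(cert, warn_days)


if __name__ == "__main__":
    # Offline demo on the constructed sample, evaluated nine days before expiry.
    demo_now = ssl.cert_time_to_seconds("Feb 10 12:00:00 2019 GMT")
    print(summarise(SAMPLE_CERT, now=demo_now))
    # Live use (placeholder name): check_listener("xms.example.test", 8443)
```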

Understanding the Citrix Cloud, its Services, Architecture & Connectors (Draft)

The following content is a brief and unofficial prerequisites guide to better understand Citrix Cloud, Connector technology and the overall architecture required to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

The Three Primary Cloud Types (Draft Section)
Firstly I’d like to provide my definition of public, private vs. hybrid cloud and in my personal view things like SaaS, PaaS have naturally been spun out or off from IaaS e.g Public Cloud.

Public Cloud is whereby an ISP provides you with SPLA licensing (OS, Application, Service), compute, storage and network capabilities which in turn enables you to create your very own VM instances running in a virtual datacentre on the ISP’s h/w and example providers may include AWS, Azure, Google Cloud Platform e.t.c

Private Cloud is where you the organisation own your own OS, Application or Service licenses as well as the physical hardware that allows you to create your own VM instances within your virtual datacentre. In this scenario the h/w could (a) be purely colocated (Colocation) at an ISP with or without managed services over and above the Colocation and example providers could include Rackspace, Qubems, Peer1 or (b) your h/w is hosted within your own custom and purpose built data centre facility or comms room dependent upon the organisation’s size and IT/Technology requirements.

Hybrid Cloud is when public and private clouds are connected securely over an IPSec R/A, L2L or SSL VPN connection.

What is and how Citrix Cloud works
Citrix Cloud is an evergreen, managed control plane from Citrix that provides the traditional Citrix management technologies to deliver e.g Virtual Apps & Desktops as Services thereby reducing overall management updates & upgrades. This means that Citrix is responsible for the availability of your Citrix management infrastructure in their Control Plane including ensuring that it is on the latest up to date and production version of e.g XAD to deliver DaaS and or virtual apps. Citrix customers and partners are responsible for what is known as a resource location which is where your apps, network and data reside and can exist in a public, private or hybrid cloud deployment scenario, and each resource location is securely connected to the control plane using the Citrix Cloud Connector which initiates an outbound HTTPS connection so you’re completely in control of your apps, network & data within your resource location(s) at all times.

If I have not technically explained what is and how Citrix Cloud works successfully then please feel free to watch the below embedded YouTUBE video.

Please note that Citrix Workspace Cloud is now known as Citrix Cloud

Citrix Cloud Services as of Jan 2017
The following is my own technical spin/view of each of the Citrix services you can review the Citrix official view of each service at –

XenApp and XenDesktop Service – HDX virtual app & desktop delivery from any supported resource location running server/workstation VDA(s) while all the XenApp/XenDesktop mgmt infrastructure (Studio/Director) resides in your tenant/account at

XenMobile Service – Deploy Secure Apps (MAM), MDM to control your organisation’s devices with no need to deploy the XenMobile v/a even at your resource location, all you need is either an IPSec VPN tunnel or the Connector to enumerate users in AD to be assigned to delivery groups.

ShareFile Service – Follow-me data now controlled within one WebUI.

NetScaler Gateway Service – Provides a simple and easy deployment method to gain external remote access to virtual apps & desktops from your resource location(s) via the Citrix Cloud Connector.

Smart Tools Service previously Lifecycle Management – Design, build, automate, auto check & update your resource locations with Citrix validated blue prints.

Secure Browser Service – Provides a secure remote virtual browser(s) to access web (internal vs. external), SaaS apps from the Citrix Cloud with zero configuration, with only a link to access your published web apps via the HTML5 Receiver.

Citrix Cloud Labs – My personal favourite as this area of Citrix Cloud allows you get to test out some of the latest Citrix Innovations from our Labs team as services e.g AppDNA Express; Citrix Provisioning for Microsoft Office 365; IoT Automation; Citrix Launch for Microsoft Access; XenMobile MDX Service and Session Manager

Connector Architecture & Security
The following diagram depicts the H/A deployment of Citrix Cloud Connector for use with the XenApp and XenDesktop Service from Citrix Cloud. Please note that this is a simple architectural diagram that does not include a NetScaler in the resource location, so the assumption is that your users will connect to their virtual apps and desktops either from within the actual Resource Location or via the NetScaler Gateway service hosted and managed by Citrix Cloud. My personal preference is to leverage a NetScaler physical or virtual appliance within your resource location as the benefits of a NetScaler far exceed and go above and beyond that of a simple ICA Proxy gateway for XenApp/XenDesktop. Perhaps I will write a follow-up blog article on why I prefer NetScaler in the resource location, from my personal view point only, or I may decide to update this blog article.

To better understand how to best secure or harden your Citrix Cloud implementation and its services please refer to – for leading best practises, process & procedures and configuration requirements.

Citrix Cloud Connector
The following is a deep dive overview of the Citrix Cloud Connector technology for all the services with the exception of the Smart Tools service which leverages its own connector which is used to check your Citrix workloads, scale up/down and or even build or tear down workloads in resource location(s) via blueprints.

Installation & Troubleshooting
You must download and only install the Citrix Cloud Connector for your resource location from “Identity and Access Management” that matches your domain forest, don’t mix and match these! The installation is fairly straightforward and simple as described and outlined at, once the installation completes wait for the connectivity test to pop-up and complete successfully prior to navigating back to Citrix Cloud to validate that the Connector has successfully registered with Citrix Cloud+.

You can also perform an automated installation leveraging the following command line arguments when installing the Connector: “CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true”.

Although the Connector communicates outbound on HTTPS 443 it may also require one or more of the following ports outbound only as described at – for one or more of the Citrix Cloud Services so please consult the documentation for each Service carefully for high security environments to ensure that the organisation’s firewall ACLs for the PoC are correctly configured.

You can install hypervisor tools, anti-virus software (Tested as of 26/10/2016++ McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8) on your VM instances that have the Citrix Cloud Connector technology installed however it is not recommended to install any other software or unnecessary system services nor should you allow any domain users access unless they are a Domain or System administrator of the Citrix environment. In summary treat these Connectors as you would your XAD Controller(Broker).

The installation logs are available at “%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup” and after the installation they are consolidated to the following location “%ProgramData%\Citrix\WorkspaceCloud\InstallLogs”.

Understanding Credential Handling

Monitoring your Citrix Cloud Services
1. is your friend and will provide you with vital up to date information about the Citrix Cloud platform (control plane or SaaS tier) and each of its Services e.g XenApp and XenDesktop Service or Smart Tools.
2. Monitor the following Connector services described below ++
3. The leading best practice is for the Citrix Cloud Connectors to not be offline longer than two weeks as the connectors are regularly updated from Citrix Cloud with the latest updates (Evergreen) which is why each resource location requires at a bare min 2x or a pair of Connectors.

Connectivity & High-Availability
The Citrix Cloud Connector should firstly always be implemented in pairs at a minimum within any resource location and installed onto either Windows Server 2012 R2 or 2016 AD joined VM instances. The connectors are stateless and brokering requests are load-balanced via Citrix Cloud to the connectors within your resource location(s), and if a connector does not respond the queued tasks are redistributed to the remaining connector(s). As the connectors are stateless this also means that they do not store any mgmt configuration for Citrix Workloads at the resource location as this is held within the Citrix Cloud by the Service that you are utilising e.g XenApp and XenDesktop Service.

+If you set up a PoC with a single Connector it will probably display as amber for a period of time prior to turning green as you have only configured 1x Connector for your resource location. You can check your Connector status for your resource locations by navigating from to and under “Domains” select your domain forest(s) and expand it and you can review your Connectors name e.g servername.domain e.g and its status (red, amber or green).

The leading best practise for h/a at your resource location is for your Citrix Cloud Connectors to be implemented as N+1 for redundancy – –

Logs & Services++ of the Connector
The Connector logs are stored at “C:\ProgramData\Citrix\WorkspaceCloud\Logs” (or use “%ProgramData%\Citrix\WorkspaceCloud\Logs”) for verifying ongoing communication and helping with troubleshooting. Once the log(s) size exceeds a certain threshold it is deleted BUT Administrators are able to control the log retention size by adjusting the following entry in the Windows registry “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes” to meet your organisation’s logging/auditing requirements.

The core four primary functions/roles of the Connector are Authentication, Proxy, Provisioning and Identity which are powered by the following Citrix Cloud services listed below (as of Jan 2017). You can view a detailed architecture technical diagram of the Connector under the XenApp and XenDesktop Service online documentation at –

Connector Functions/Roles
For a more accurate diagram please check out –

[Diagram: Connector functions/roles – Authentication, Proxy, Provisioning, Identity. Components shown: Unified Gateway; Server VDA (Server 2012 R2, 2016); Desktop VDA (Windows 10); Active Directory, DNS.]

I’ll update this section with what each of the Connector services actually does

Citrix Cloud AD Provider
Citrix Cloud Agent Logger
Citrix Cloud System
Citrix Cloud WatchDog
Citrix Cloud Credential Provider
Citrix Cloud WebRelay Provider
Citrix Cloud Config Synchronizer Service
Citrix Cloud High Availability Service
Citrix Cloud NetScaler Cloud Gateway
Citrix Cloud Remote Broker Provider
Citrix Cloud Remote HCL Server
Citrix Cloud Session Manager Proxy
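
The following is an added example, not part of the original post and not Citrix tooling: a read-only PowerShell check for a Connector VM that covers the monitoring step and the log retention setting described above. It uses the service display names, log folder and registry value quoted in this post; the parameter $RequiredRetentionDays and the 90% "near the cap" threshold are assumptions you should replace with your own policy.

```powershell
# Added example: read-only health check for a Citrix Cloud Connector VM.
# Service display names, log folder and registry value are the ones quoted in this post.
# $RequiredRetentionDays is a hypothetical audit requirement, not a Citrix value.
[CmdletBinding()]
param(
    [int]$RequiredRetentionDays = 30
)

$expectedServices = @(
    'Citrix Cloud AD Provider'
    'Citrix Cloud Agent Logger'
    'Citrix Cloud System'
    'Citrix Cloud WatchDog'
    'Citrix Cloud Credential Provider'
    'Citrix Cloud WebRelay Provider'
    'Citrix Cloud Config Synchronizer Service'
    'Citrix Cloud High Availability Service'
    'Citrix Cloud NetScaler Cloud Gateway'
    'Citrix Cloud Remote Broker Provider'
    'Citrix Cloud Remote HCL Server'
    'Citrix Cloud Session Manager Proxy'
)

# --- 1. Service state --------------------------------------------------------
$installed = @(Get-Service -DisplayName 'Citrix Cloud*' -ErrorAction SilentlyContinue)

$serviceReport = foreach ($name in $expectedServices) {
    $svc = $installed | Where-Object { $_.DisplayName -eq $name } | Select-Object -First 1
    [pscustomobject]@{
        Service = $name
        State   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    }
}

# Services on this VM that the post's list (as of Jan 2017) does not mention.
$unlisted = @($installed | Where-Object { $expectedServices -notcontains $_.DisplayName })

# --- 2. Log cap versus what is actually kept on disk ------------------------
$regPath = 'HKLM:\SOFTWARE\Citrix\CloudServices\AgentAdministration'
$logDir  = Join-Path $env:ProgramData 'Citrix\WorkspaceCloud\Logs'

$capMB = $null
$reg = Get-ItemProperty -Path $regPath -Name 'MaximumLogSpaceMegabytes' -ErrorAction SilentlyContinue
if ($reg) { $capMB = [int]$reg.MaximumLogSpaceMegabytes }

$logFiles = @(Get-ChildItem -Path $logDir -Recurse -File -ErrorAction SilentlyContinue)
$usedMB   = [math]::Round((($logFiles | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
$oldest   = $logFiles | Sort-Object LastWriteTime | Select-Object -First 1
$daysKept = if ($oldest) { [math]::Round(((Get-Date) - $oldest.LastWriteTime).TotalDays, 1) } else { 0 }

# --- 3. Findings -------------------------------------------------------------
$findings = @()

foreach ($row in $serviceReport) {
    if ($row.State -eq 'Stopped') { $findings += "Service stopped: $($row.Service)" }
}

if ($null -eq $capMB) {
    $findings += "MaximumLogSpaceMegabytes not found under $regPath; confirm which log cap is in effect."
}
elseif ($usedMB -ge (0.9 * $capMB) -and $daysKept -lt $RequiredRetentionDays) {
    # Logs are already being trimmed at the cap before the required window is reached.
    $findings += "Log folder is at $usedMB of $capMB MB but only reaches back $daysKept days " +
                 "(policy: $RequiredRetentionDays). Raise the cap or forward the logs elsewhere."
}

# --- 4. Report ---------------------------------------------------------------
$serviceReport | Format-Table -AutoSize | Out-Host

[pscustomobject]@{
    LogFolder        = $logDir
    LogCapMB         = $capMB
    LogUsedMB        = $usedMB
    OldestLogDays    = $daysKept
    UnlistedServices = ($unlisted | ForEach-Object { $_.DisplayName }) -join '; '
} | Format-List | Out-Host

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'No findings.'
```

A 'NotInstalled' state is reported but not treated as a finding, because which services are present depends on the Citrix Cloud services you have enabled. Run it as a scheduled task on each Connector in the pair and alert on a non-zero exit code.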

Citrix Cloud PoC Guide for the XenApp and XenDesktop Service
I have written a fairly detailed blog article describing how-to deploy the XenApp and XenDesktop Service here.

XenMobile 10.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile 10.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

What’s New
1: XenMobile is now a single unified hardened Linux virtual appliance.
2: Complete overhaul of the Web UI which dramatically simplifies policy setup & configuration of MDM + MAM policies and it allows for the management of multiple platforms within a single policy.
3: Built-in V6 Citrix Licensing server provides a 30 day trial/evaluation and also support for remote V6 CTX licensing server.
4: Built-in PostgreSQL database recommended for PoC’s and there’s also support for remote MS SQL database which is recommended for production deployments.
5: XMS V/A includes IPtables which is a Linux firewall –
6: XMS placement is in the DMZ. The V/A is hardened and is FIPS 140-2 compliant and remember your data is actually stored in a MS SQL database unless you’re utilising the PostgreSQL database within the XMS V/A.
7: Traffic flow and ports between NetScaler Gateway and the XenMobile Server (XMS) have changed please refer to eDocs for an architecture overview of the changes at –
8: The Admin Web UI is now on https://XMS-FQDN:4443/. This port is not configured as part of the XenMobile 10 wizard on NetScaler Gateway build 10.5-55.8 which means that you will not be able to access the mgmt. Admin Web UI from the internet; it will only be accessible from the DMZ and the TRU network dependent upon your firewall(s) ACL list.
9: New WorxHome build which is also backwards compatible from XenMobile 10.x.n
10: The XenMobile NetScaler Connector (XNC) currently is still a separate Windows Server.
11: You can find out more by watching the following Mobility Master Class: What’s New in XenMobile 10 available from Citrix TV.

Mobility Master Class: What’s New in XenMobile 10

Mobility Master Class: Citrix XenMobile 10 Clustering & MDM Migrations

Deploying XenMobile 10
1: Review the system requirements for XMS at – to understand the supported hypervisors, computing requirements. You should also make sure that you review the latest XM architecture as it has changed between XenMobile 9.0 vs. 10.0 and it can be viewed at – You’ll notice that the traffic between NSG and the XMS V/A has changed however all traffic externally still occurs on their traditional ports (443, 8443, 2195, 2196, 5223).
2: Review and understand the NetScaler Gateway compatible requirements at –
3: Make sure that you print out and fill-in all the prerequisites for the XMS V/A ref – prior to deploying your XMS V/A on your chosen hypervisor.
4: Once you have uploaded the V/A to the hypervisor and booted it complete the onscreen instructions ref – Once you are finished log in to the Admin WebUI replacing the IP Addr with your XMS V/A ip addr from this example https://XMS-IPADDR:4443/ and log in with the Administrator account you specified during the deployment and NOT admin which is used to access the XMS V/A CLI from your hypervisor only.
5: Once you’ve logged in you’ll need to have the following listed below available to successfully complete the second part of the initial XenMobile 10 deployment. There is also a prerequisites checklist available at –

– Citrix v6 licensing file for either local or remote. Remote is recommended for H/A purposes.*
– Microsoft Active Directory (AD) ip addr or FQDN, base DN, domain, search service account with read-only permissions.
– Certificate in *.p12 or *.pfx format for the SSL_Listener which is used for two way secure HTTPS communication to the XMS V/A.
– APNS certificate.
– Separate MDM and MAM+ FQDN’s correctly set up in DNS with forward and reverse lookups configured and each configured with its own static IP addr for external resolution.
– 3x VIP for configuring XenMobile 10 with NetScaler Gateway +. You can find a compatible NSG V/A version and builds at –
– MS SQL Database server configured to accept traffic and with write/read privileges to create and manage the remote XMS database.
– Mail server configuration which enables and provides workflow email messages, notifications to users e.t.c

6: Follow the onscreen prompts and once you have completed the web UI deployment wizard you have successfully deployed a XMS V/A. Please now reboot the XMS V/A so that the existing SSL certificates for HTTPS can be unbound and the newly uploaded SSL cert(s) can be bound to HTTPS.
7: You may now setup a XMS cluster and configure H/A with a NSG and thereafter begin configuring your XenMobile 10.0 environment. See the H/A section for a how-to.
8: Logon to one of the XMS v/a direct IP addr e.g https://XMS:4443/ if in H/A fronted by the NSG as the XenMobile 10 wizard will not configure 4443 which means that you cannot access the mgmt interface via the VIP owned by the NSG. This means that the mgmt interface is not accessible either internally or externally on the FQDN that resolves the VIP owned by the NSG.
9: Scaling XenMobile 10.0 from 1000 up to 100,000 devices –
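
The following is an added example, not part of the original post and not Citrix tooling: a PowerShell check of the port plan described above (443 and 8443 reachable, the Admin Web UI on 4443 reachable only from the DMZ/TRU network), which also prints the certificate each open port presents so you can confirm the newly uploaded cert was bound after the reboot in step 6. The parameter names $Target and $Vantage and the function name Get-PresentedCertificate are hypothetical.

```powershell
# Added example: verify the XMS port plan from where you are standing.
# Port numbers come from this post; $Target and $Vantage are supplied by you.
#   Internet vantage: pass the external MDM FQDN.
#   Trusted vantage : pass the XMS V/A direct IP addr, because the post notes that
#                     4443 is not reachable on the FQDN that resolves to the NSG VIP.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [ValidateSet('Internet', 'Trusted')][string]$Vantage = 'Internet'
)

# Expected reachability per vantage point.
# 2195, 2196 and 5223 from the post's port list are Apple push notification (APNs)
# ports, i.e. connections towards Apple rather than listeners on the XMS, so they
# are not probed here.
$plan = @(
    [pscustomobject]@{ Port = 443;  Role = 'XMS via NSG';  Internet = $true;  Trusted = $true }
    [pscustomobject]@{ Port = 8443; Role = 'XMS via NSG';  Internet = $true;  Trusted = $true }
    [pscustomobject]@{ Port = 4443; Role = 'Admin Web UI'; Internet = $false; Trusted = $true }
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    catch { $null }   # port open but no TLS handshake possible from this host
    finally { $client.Close() }
}

$results = foreach ($row in $plan) {
    $expectedOpen = [bool]$row.$Vantage
    $probe = Test-NetConnection -ComputerName $Target -Port $row.Port -WarningAction SilentlyContinue
    $open  = [bool]$probe.TcpTestSucceeded
    $cert  = if ($open) { Get-PresentedCertificate -HostName $Target -Port $row.Port } else { $null }

    [pscustomobject]@{
        Port        = $row.Port
        Role        = $row.Role
        Expected    = if ($expectedOpen) { 'open' } else { 'closed' }
        Observed    = if ($open) { 'open' } else { 'closed' }
        Match       = ($open -eq $expectedOpen)
        CertSubject = if ($cert) { $cert.Subject } else { '' }
        CertExpires = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$results | Format-Table -AutoSize | Out-Host

# Non-zero exit when reality differs from the plan, e.g. 4443 answering from the internet.
if (@($results | Where-Object { -not $_.Match }).Count -gt 0) { exit 1 }
```

Run it once from an internet-connected machine outside your perimeter and once from the TRU network; a mismatch on 4443 from the Internet vantage means the firewall ACL is exposing the mgmt interface.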

XMS V/A High-Availability (H/A)
1: Prior to understanding how-to setup a XMS H/A or clustering you need to understand that the minimum requirements are for a remote CTX v6 licensing server and MS SQL database as the XMS V/A do not hold any user/cfg information this is all held in the remote database.
2: Once you have set up XMS follow the prompts in the CLI to enable clustering and configure the IPtables firewall ACL and then finally shut it down and clone it.
3: Rename the cloned XMS V/A to your required naming convention and then boot up the cloned XMS V/A, log in to the CLI and change the IP addr and ensure that the IPtables firewall ACL ports are correctly enabled then shut down the V/A.
4: Boot the first XMS V/A and then 60 seconds later boot the cloned XMS V/A and log in to the CLI to verify the cluster is enabled and then log in to the XMS admin WebUI to verify that the cluster is up and functioning as expected. The original XMS V/A will be the oldest in the cluster.
5: You can now proceed to setting up the load-balancing for the XMS V/A’s with NSG to service MDM + MAM requests.

Supported NetScaler Gateway (Builds & Versions) for XM 10
1: MR5; MR4; MR3; 10.1.130 MR & 10.1.129 MR ref –

Deploying XM 10 with NetScaler Gateway 10.5.x.n (Draft)
1: Before beginning it’s worth mentioning that the way I will be describing how-to deploy XenMobile 10 in this blog article will be to utilise two external static IP addr’s + FQDN’s that are NATed to DMZ IP addr’s and I will be utilising SplitDNS for device mgmt. in/outside of my TRU network. I will also be implementing the described XenMobile 10 environment below utilising an SSL Bridge; although offloading includes a few more minor steps the intention of this section is aimed at helping you front your XenMobile 10.0 deployment with a NSG 10.5.x.n V/A.
2: Please review the following CTX article entitled “FAQ: XenMobile 10 and NetScaler 10.5 Integration” – which will aid you in being able to set up and configure load-balancing for XMS V/A’s, mVPN for Worx apps for XenMobile 10 with NetScaler Gateway 10.5.x.n.
3: You’ll require the following prior to beginning:

– Correct NetScaler (Gateway) build + version; the NSG version + build I’ll be discussing here is NetScaler Gateway MR5 but you can check the latest supported version + builds at –
– 1x FQDN for MDM e.g. * that resolves to both external internet routable static IP addr and your internal assigned static IP. Please note that this should match exactly the FQDN entered in at the time of the deployment of your XMS V/A during the first phase in the CLI; the text you’re looking for is/was “XenMobile Server FQDN:” and it’s highlighted in yellow. It is also worth noting that if you have utilised an internal domain e.g as the FQDN this will only manage devices internally as that FQDN is not routable on the internet so you’ll only be able to manage devices INSIDE of the trusted network, so it’s recommended to use a FQDN that is internet routable and you can utilise SplitDNS to manage traffic requests to the NSG VIP’s for XenMobile.
– 1x FQDN for MAM (Worx’s Apps) e.g. * that resolves to both external internet routable static IP addr and your internal assigned static IP
– 2x External routable internet IP addr’s * e.g which most IT Pro’s utilise to ping to check internet connectivity
– 3x Internal IP addr’s owned by the NSG as VIP
|- 1x for MDM
|- 1x for MAM Gateway
|- 1x for Load-balancing IP
– Wildcard certificate for your domain e.g *
– If you’re implementing SSL Offloading (HTTP) of your XenMobile traffic for MAM then you’ll require the devices cert from the XMS V/A which can be downloaded from the XMS Web AdminUI at https://xms:4443/

4: Set up the NetScaler Gateway configuration within the Admin WebUI of the XMS V/A following the process outlined at – it’s fairly straightforward and simple.
5: Log in to the NSG Admin WebUI interface and click the XenMobile Wizard in the bottom left-hand corner and then you’ll be prompted to set up either XenMobile 9.0 or XenMobile 10.0; please select XenMobile 10.0 and click “Get Started” to continue.
6: Ensure that “Access through NetScaler Gateway” which is for MAM, “Load Balance XenMobile Servers” which is for MAM are checked they should be by default, however you now have the opportunity to deselect either one depending upon your deployment scenario/use case and obviously your acquired license. The current XenMobile 10 datasheet is available at –
7: Enter in your first VIP for the MAM Gateway; the port should be 443 and provide a suitable name.
8: Select your previously uploaded SSL certificate (I am utilising a wildcard cert for my domain *) or upload your SSL cert.
9: Create your (s)LDAP binding you will need to provide the following:

– LDAP IP addr
– LDAP Port default is 389
– Base DN e.g Cn=Users,dc=axendatacentre,dc=com
– Service account username & password
– Timeout default is 3 seconds
– Server Login sAMAccountName or UserPrincipalName (SuGgEsTeD)

10: Now enter in your MDM FQDN and then the Load-balancing IP addr beneath and accept the default port of 8443. You can now also choose to select HTTPS (SSL Bridge) vs. HTTP (SSL Offload) and you can choose your DNS mode including split tunnelling.
11: Select your previously uploaded SSL certificate (I am utilising a wildcard cert for my domain *) or upload your SSL cert.
12: Enter in your MDM VIP and you’ll notice the default ports are 443, 8443 for communication to the XMS V/A(s). You’ll notice that you cannot change the SSL traffic configuration as I specified not to perform any SSL offloading in step 10 above or it’s under section “Load Balancing IP address for MAM” within the NSG XenMobile 10 wizard.
13: Next add in the XMS ip addr’s of each V/A in your XMS cluster and provide an appropriate name; the ports automatically default to 443, 8443.
14: Click continue to finish and then click done and you have now setup and configured all your traffic for XenMobile to route through your NSG V/A and we are performing SSL Bridging in the above scenario.

Worx Features by Platform
1: The following eDocs web page lists the features by Worx app which includes WorxHome, WorxMail, WorxWeb, WorxEdit, WorxNotes, WorxTasks & WorxDesktop ref –
2: Be sure to also checkout the known issues list at – and it is also worth noting that as of writing this blogging entry WorxTask’s is in Tech Preview (TP) ref –

You should follow the XenMobile team on twitter at – for the very latest on Worx’s apps, updates, upgrades and so much more.

1: The XenMobile security web page is available at –
2: The XenMobile Security whitepaper is available at – and I would strongly advise that you read/review it to get a better understanding of how XenMobile can help and assist any organisations EMM (Mobility) requirements.
3: The Mobile Application Management with XenMobile and the Worx App SDK –, this is well worth reading.

Citrix XenServer 6.5

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenServer 6.5 with XAD 7.6 including HDX 3D Pro with a supported server from either the Citrix or nVidia HCL prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

What’s New
1: Dom0 is now x64
2: vGPU scalability from 64 to 96 vGPU’s sessions per host with the correctly supported HCL server h/w which can support up to 3x nVidia GRID cards.
3: In-memory read-caching enables XS to take advantage of storing a golden image build in the hosts RAM which means guest VM’s boot 3x faster hello faster XAD 7.6 workloads and use cases.
4: Storage improvements include Live LUN expansion, tapdisk3 support, device mapper multi-path (updated).
5: Workload Balancing (WLB) is back take a look at – and
6: For a complete overview checkout –,
7: Don’t forget to read through the release notes which is available at –

Prerequisites & System Requirements
Coming soon…

Installation & Configuration
Coming soon…

What is Infrastructure-as-a-Service (IaaS)?

The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

Infrastructure as a Service (IaaS) enables a tenant i.e you the reader of this blog post to purchase an allocated amount of computing, storage and networking resources from a (Managed) ISP. You then have the capability to assign or carve up these IaaS resources to create your own virtual datacentre (VDC) through a safe, secure web-based management console.

The IaaS management consoles typically will offer and allow the tenant the ability to create their own ACLs, VLANs, placement of virtual machines (VM) within your VDC, building VMs from generic templates maintained by the (Managed) ISP and so much more.

The IaaS resources provided by the (Managed) ISP should be fully managed e.g border routers, core switches, hosts and mgmt. infrastructure of the IaaS platform and hosted within a highly-available N+1 data centre so that in the unlikely event of a logical or hardware failure your VDC environment will not be compromised or should automatically fail over onto alternative infrastructure and be rebooted and return to an online and active status within a few minutes.

What is the benefit of IaaS? You don’t have to secure any capital investment to acquire the necessary hardware to support your existing organisation’s growth demands, or if you’re a start-up it eases your cash flow requirements as you only pay for the computing, storage and networking resources that you effectively require month by month.

Today IaaS is also referred to by some as a Software-Defined Data Centre.

Examples of IaaS Platforms

XenApp 7.5 XenDesktop 7.5

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenApp 7.5, XenDesktop 7.5 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

XenApp 7.5 XenDesktop 7.5 Announcement
Citrix have recently announced XenApp 7.5 which is built upon Flexcast Management Architecture (FMA) and has been available within XenDesktop 7.0, 7.1 within the App Edition license tier. The latest release also brings with it XA hybrid cloud provisioning meaning that SysAdmins now are able to extend their private cloud to IaaS hosted cloud providers (ISP’s) provided they leverage Citrix CloudPlatform which will enable quick scalability and elasticity and without having to learn the ISP’s chosen design, build, provision and management consoles to provision your environment as it’s all integrated into Studio. The announcement can be found at – and it’s also worth reading up on about the benefits and features of Flexcast technology for XA at –

What’s New & Different in XenApp 7.5 from XenApp 6.5?
0: Check out –

What’s New & Highlights of XenApp/XenDesktop (XAD) 7.5
1: The platform architecture is now powered by FMA and not Independent Management Architecture (IMA) anymore thus providing enhanced scalability and ease of management through two consoles: Studio which is used for design, building, assigning policies and resources to users and Director which is used for management of user support & troubleshooting.
2: StoreFront 2.5 is included within XenApp and XenDesktop 7.5 app binaries and includes a number of new enhancements including an updated HTML5 Receiver, SDK to apply organisational logic if required and much more.
3: Support for Web Interface (WiF) 5.4 on supported Windows Server OSes.
4: AppDNA is included in Platinum edition.
5: Virtual Graphical Processing Unit (vGPU) and GPU support for supported Windows Desktop & Server OSes.
6: Support for Windows Server 2012 R2 and Windows 8.1 in addition to current supported OSes in XenDesktop 7.0, 7.1.
7: The Citrix Profile management 5.0 is installed silently by default on master images when the Virtual Delivery Agent is installed (Note: You do not have to use Citrix profile management solution).
8: Support for IPv4, IPv6 or dual-stack (IPv4/IPv6) environments from clients to core components.
9: MCS support for Microsoft Key Management System (KMS) activation.
10: For a complete list please check out – and also review the XA 7.5 data sheet at –

Synergy SYN405: Best Practices for Implementing Administering and Troubleshooting Xendesktop 7.5

Pre-requisites, Understanding & How-to Install XenApp 7.5 and enable R/A for your PoC or Customer Demo Environment (DRAFT & MAY CONTAIN ERROR(S))
Coming soon!

ShareFile StorageZone Controller 2.2

The following content is a brief and unofficial prerequisites guide to setup, configure and test ShareFile StorageZone Controller 2.2 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

What’s New
1: This release coupled with prior versions now integrates both the Storage Center and Controller server software packages into one unified software package now called the “ShareFile StorageZone Controller 2.2”.
2: Access your organisation’s trusted existing or new network CIFS shares and SharePoint sites via a ShareFile On-Prem SZC which allows users to securely connect via a FQDN over 443 (HTTPS) thus ensuring secure and encrypted communication between the user’s device and the On-Prem SZC. It is worth mentioning that your organisation’s datasets do not traverse the ShareFile Control Plane in any way ref –
3: ShareFile also introduced an EMEA Control Plane for organisations to meet local, regional and geo requirements and or restrictions; one basic example could be Safe Harbor – as well as preferring to have localised data centres within the EU to manage and handle user requests and more. Note this feature was already widely available prior to this WordPress post/blog entry.
4: For information regarding what else is new please check out –

ShareFile Security Whitepaper PDF

Synergy SYN310: Deep Dive into ShareFile Enterprise Functionality

Deploying an On-Prem SZC (DRAFT & MAY CONTAIN ERROR(S))
1: Initially I would suggest that you read/review the following CTX Article – and which covers numerous technical FAQ and may answer a number of your questions.
2: Set up a ShareFile Enterprise Account and request that On-Prem SZC be enabled against your account when setting up your account or if you already have one request that SZC be enabled by sending an email to ShareFile support – and online help & support including videos is available at – Verify that StorageZones are available under the Admin tab when you sign into your ShareFile sub-domain e.g or prior to continuing with the installation and configuration.
3: Prepare a Windows Server 2008 R2 and install IIS (include dependencies ASP, Basic Authentication if you want to connect to existing network shares for a PoC).
4: Set up and configure your external DNS A record e.g or and ensure that you can successfully connect to the default IIS page on TCP Port 80.
5: Generate a CSR on the intended ShareFile On-Prem SZC for your FQDN and sign it with an external CA e.g or e.t.c. You are required to use an external CA as IIS self-signed or Enterprise CA certificates are not permitted and will not work with the ShareFile Control Plane. Download and install the cert response from your chosen external CA and Complete The Certificate Response in IIS.
6: Once the cert is successfully imported bind it to HTTPS (443) and then restart IIS and navigate to the FQDN via HTTPS externally to ensure that you can connect to it without any SSL cert mismatches, errors e.t.c
7: * Create a ShareFile service account within and assign it full r/w access to the intended On-Prem SZ folder located either on the local disk or secondary disk of the VM or remotely. Please do the same for your PoC Shared Area that you intend to access as an existing network share.
8: *Install the ShareFile Storage Zone Controller 2.2 software package and leave the checkbox to launch the Configuration Web Page. Once the page launches sign in with your Super Admin ShareFile Admin access details.
9: Follow the onscreen instructions which are fairly self explanatory however should you require any further help & support re the exact requirements please navigate to – and
10: Please stop and ensure that you safely back up the SCKeys.txt file within the root of the On-Prem SZ CIFS share to an alternative and secure location that is also backed up.
11: Provision a test user that resides within your domain and has also been created within the ShareFile Control Plane. For help with setting up users please take a look at – .
12: Ensure that your test user has permission to your intended CIFS Shared Area e.g your SZC that you setup and configured within the ShareFile Control Plane.
13: Now that you have successfully setup and configured your On-Prem SZ and SZC proceed to download a ShareFile mobile app from e.g iTunes – iPad, iPhone or Google Play – Once downloaded enter in your test users account details and test uploading and downloading a picture taken from within the ShareFile iOS app as an example.
14: Once you test that your On-Prem SZ

SZ Controller Management
This eDocs node will help you to proactively manage your On-Prem SZ Controller environment covering how to add/remove controllers for H/A as well as how-to promote, demote and disable SZ Controller – These eDoc articles are essential for the ongoing management and routine scheduled maintenance task(s).

Two-Step Verification = Stronger Security

NetScaler Gateway

The following content is a brief and unofficial prerequisites guide to setup, configure and test NetScaler Gateway to support a XenMobile Enterprise 8.6 deployment prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

What Is A NetScaler Gateway
It allows you to safely, securely expose your organisations trusted network and resources to an end-point either via a MicroVPN (CVPN) – or a FULL VPN. The NSG provides and supports a simple yet secure R/A solution for Citrix XenDesktop, XenApp, XenMobile solutions. There have been recent updates to the NSG to incorporate setup wizards to enable organisations to more rapidly setup, configure and deploy a R/A solution without having to request a NetScaler Gateway expert to setup and configure the policies to enable R/A. What is a e release of a NSG check out –

Deploying & Configuring The NetScaler Gateway For A XenMobile Enterprise 8.6 Solution
1: Physical or Virtual System requirements –, VPX – and MPX –
2: Prerequisites and checklist –,
3: Deploying the NSG and performing the initial configuration –
4: Creating a certificate for NSG – also watch the NSG certificate video at –
5: Uploading a license to the NSG –
6: Configuring the NSG for XenMobile –
7: Configure DNS suffixes – or and if you will be supporting Android handsets within your organisation remember to configure DNS for Android devices –
8: Configuring the STA for WorxMail –
9: Testing your NSG –

Worx Mobile App Suite NSG Support Table Matrix

Coming Soon!
More coming soon, in the interim check out –

XenDesktop 7

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenDesktop 7 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names

What is and does it do?
Citrix XenDesktop 7 allows you to deliver Remote Desktop Services (RDS), Virtual Desktop Infrastructure (VDI) workloads and secure remote access to an existing PC estate by installing the Virtual Delivery Agent (VDA) onto those existing PCs. All this capability is enabled from one single common architecture – FlexCast Management Architecture (FMA). If you are a Citrix XenApp 5.0, 6.5 Administrator I would encourage you to read through the following Citrix eDoc article – and follow on with this free 2 hour long Citrix course covering XenDesktop 7; whether you're in sales, pre-sales, a sysadmin or an engineer it's useful in getting your mindset ready for XenDesktop 7 –

Citrix TV & YouTube Videos To Watch
SYN320: XenDesktop 7: What You Should Know About FlexCast Management and XenApp Migration
Citrix XenDesktop 7 3D Pro Demonstration –
XenDesktop 7 Masterclass –

XenDesktop 7 Handbook
Check out the blog article announcement – You can download the XenDesktop 7 Handbook directly at – and the XenDesktop 5.x Handbook at –

Components of XenDesktop 7 Explained
1: Studio allows you to design and build your RDS and VDI workloads.
2: Director allows you to support and monitor your organisation's XenDesktop 7 virtual machines and user sessions via MS RemoteAssistance, with historical trending & metrics, plus network analytics if you have a NetScaler.
3: Delivery Controller is responsible for brokering the connections to your servers (ICA/RDS), virtual machines (VDI) or existing workstation PCs.
4: Citrix Licensing Server is responsible for checking in/out of your FlexCast licenses. XenDesktop 7 requires CLS 11.11.
5: StoreFront provides users with a self-serve AppStore where they tap or click to add Windows hosted apps, hosted shared desktops (Windows Server 2008 R2) or VDI desktops (Windows 7, 8).
6: Machine Creation Services (MCS) is built into XenDesktop 7 and allows you to provision virtual machines from your master VM images. All you need to do to configure it is to input the hypervisor FQDN and access details for either XenServer, Hyper-V (requires SCVMM) or ESX (remember to trust the root certificate).
7: Provisioning Services (PVS)
8: User Profile Manager 5 (UPM) is built into XenDesktop 7 and provides Citrix's profile management solution.
9: MS SQL is required to store configuration information and details about your XenDesktop 7 site. MS SQL express, standard, enterprise and data center* editions are supported and for H/A configuration options please visit this eDocs article at – *
10: Virtual Delivery Agent (VDA) is responsible for delivering a hosted shared desktop, windows hosted app and VDI desktop to users brokered via the Delivery Controller.

What Editions Are Available? VDI, App (XenApp capabilities e.g. delivery of RDS workloads), Enterprise and Platinum. To compare the feature sets of each edition please check out – At the time of writing this post you are required to login to with your access details.

Setup & Configure nVidia GRID VIRTUAL GPU (vGPU) on Citrix XenDesktop 7.1
To learn how-to setup and configure a test demo or PoC environment to leverage the vGPU capabilities of XenServer 6.2 and XenDesktop 7.1 Tech Preview check out – You can download the XenDesktop 7.1 Tech Preview at – and the system requirements can be found at – and for the HDX system requirements please check out –

NVidia Resources
XenApp 6.5 GPU Sharing –
XenDesktop vGPU –

Multi-Site Configurations & High Availability
Coming soon! I will cover multiple data centres and sites and how-to enable and ensure H/A access to your published resources if you lost/lose communication with your XenDesktop 7 delivery controller(s) and the pitfalls. I would strongly recommend your environment is N+1 and with VM’s common these days setting and configuring an N+1 environment should be best practise for H/A, business continuity and DR.

How-to Enable Local App Access
Coming soon! However in the meantime please refer to

XenDesktop Introduction Training Course CXD-102
Citrix training offers a 2 hour introduction course to XenDesktop 7 for free. The course is available at –

Howto Configure Email Based Discovery & Why It's Important
Configuration of email based discovery using SRV records is simple and greatly enhances the user's login experience. Users all know their email address and domain password, much like logging into Facebook, Twitter etc., so offering the same login experience whether users are inside or outside of the organisation means they don't need to remember the domain\username format: they can simply use their corporate email address and domain password.

There is a great Citrix blog article that covers configuration of e-mail based discovery inside and outside of your organisation leveraging a NetScaler Gateway; check out –

The process below is for configuration of SRV records within a trusted corporate environment. If you would like to know more about what else you can configure in terms of SRV records check out –, (a Windows 2000 article, but it will get you thinking if you're new to SRV records) and how to add other resource records into your organisation's DNS –

1: Launch your Microsoft DNS management console
2: Right click on your organisations Forward Lookup Zone that contains the StoreFront FQDN
3: Click “Other New Records”
4: Scroll down and select “Service Location (SRV)” and click “Create Record”
5: Your organisations domain should already be pre-populated e.g citrix.lab or
6: Type in “_citrixreceiver” in the Service field
7: Type in “_tcp” in the Protocol field
8: Type in “443” in the Port number field or 80 if you don’t use 443 internally
9: Type in “storefront.domain” in the “Host offering this service” field e.g or storefront.axendc.local
10: Save/Commit the changes and close the current active window in DNS
11: Navigate to a physical or virtual machine, install and launch Citrix Receiver, and when prompted enter your email address and password.

Open up a Windows Command Prompt and execute these two commands below. For more information on validating your SRV records check out –

1: Type in “ipconfig /flushdns”
2: Type in “nslookup”
3: Type in “set type=srv”
4: Type in “_citrixreceiver._tcp.domain” e.g
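
The GUI steps and the nslookup check above can also be scripted. The following is an added example, not part of the original post: it assumes a DNS server running Windows Server 2012 or later with the DnsServer PowerShell module, and the zone name, StoreFront host name and the priority/weight values of 0 are placeholders chosen for illustration.

```powershell
# Added example: scripted equivalent of the GUI steps plus the nslookup check.
# Assumed values (constructed placeholders, adjust to your environment):
$Zone   = 'citrix.lab'             # forward lookup zone holding the StoreFront FQDN
$Target = 'storefront.citrix.lab'  # host offering this service
$Port   = 443                      # the post also allows 80 when 443 is not used internally
$Owner  = '_citrixreceiver._tcp'   # Service and Protocol values from steps 6 and 7

function Set-ReceiverSrvRecord {
    # Run on the DNS server (or a host with the DnsServer RSAT module).
    # Creates the SRV record only when it does not exist yet.
    Import-Module DnsServer -ErrorAction Stop
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Owner `
        -RRType Srv -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $Owner `
            -DomainName $Target -Port $Port -Priority 0 -Weight 0
    }
}

function Test-ReceiverSrvRecord {
    # Run on a client: same check as "ipconfig /flushdns" followed by
    # nslookup with "set type=srv", but compared against the expected values.
    Clear-DnsClientCache
    $fqdn = "$Owner.$Zone"
    $srv = Resolve-DnsName -Name $fqdn -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "No SRV record returned for $fqdn"; return $false }

    $ok = $true
    foreach ($r in $srv) {
        if ($r.NameTarget.TrimEnd('.') -ne $Target) {
            Write-Warning "Unexpected target: $($r.NameTarget)"; $ok = $false
        }
        if ($r.Port -ne $Port) {
            Write-Warning "Unexpected port: $($r.Port)"; $ok = $false
        }
        # The SRV target must itself resolve to an address.
        if (-not (Resolve-DnsName -Name $r.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue)) {
            Write-Warning "Target $($r.NameTarget) has no A record"; $ok = $false
        }
    }
    return $ok
}
```

Run `Set-ReceiverSrvRecord` once on the DNS server, then `Test-ReceiverSrvRecord` from a domain client; a `$false` result with an unexpected target or port means clients are being pointed somewhere other than the intended StoreFront host.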

Microsoft Windows Server 2012 R2 & Windows 8 Support

More coming soon!
In the meantime check out and Design Guide: Mobilising Windows Apps (Requires Form Input From Citrix)