Category Archives: Security

Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies

The path to operating from the Citrix Cloud Platform for Citrix Virtual Apps and Desktops often can appear like your need to climb to the summit of K2, this is purely because for IT its foreseen as another key yet, rapid IT Transformation project to solve a multitude of business and business IT challenges (its different organisation by organisation). I’ve therefore put together a simple blended digital doodle on this very topic highlighting some key learnings, leading practises from the field and my own thoughts and thinking on this very topic.

If you want to go deep or even get started on your own migration project today, then i strongly recommend that you read and review the “Proof of Concept: Automated Configuration Tool” available at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html, which covers off a step by step guide from installation to migration of on-premises CVAD configurations to the CVAD Service operating and run in the Citrix Cloud Platform – https://citrix.cloud.com. The following series of TechZone articles list at – https://docs.citrix.com/en-us/tech-zone.html#citrix-virtual-apps-and-desktops will also add value in your pivot to the CVAD Service.

If you have the right subscription access at https://training.citrix.com, then you can also complete the following on-demand eLearning course “eCWS-2014 | Automated Configuration Tool for Virtual Apps and Desktops” – https://training.citrix.com/elearning/coursequests/1/quest/184, which took me around 45 minutes to complete.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Azure AD SAML Sign-in with Virtual Smartcard to Citrix Virtual Apps & Desktops

Consider this an evergreen post as of 10/06/2020

Introduction
The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.

The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.

Leveraging a Bring Your Own “either Enterprise vs. Personal” Identity (ByoI) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.

It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.

Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen.

The Employee Experience

High Level Architecture
The scenario below depicts accessing a StoreFront server on any device type from within the Workplace fabric in any office locally or world wide or from a IT managed device that makes use of a Full VPN, Forward Proxy technology; WFH Citrix SD-WAN appliance where traffic passes over an SD-WAN overlay network; Citrix Endpoint Management enrolled smart device with per-app mVPN configured and finally irrespective of the devices management status you can use ICA Proxy* to access CVAD resources anywhere over the internet inclusive of any home via a Citrix ADC (formerly NetScaler) using the Gateway functionality which is “VPN-Less*”.

Systems Requirements & Pre-requisites
1. A UAT or Test CVAD 1912 LTSR Site that already setup. My personal one runs in AWS EC2 as it retains hosting connections or public clouds to preform MCS provisioning of machines from customer own and managed control plane. You can also use the Citrix Virtual Apps & Desktops (CVAD) Service or sign-up at https://citrix.cloud.com/ and engage your local Citrix representatives to get a trial setup for the CVAD Service.
2. Deploy a new VM which will run the following Citrix 1912 LTRS StoreFront and Federated Authentication Service (FAS) roles to create a new “Store” on StoreFront called “AAD” which will be configured to accept the Azure AD SAML token which will then convert the AAD SAML tokens into a Citrix virtual smartcard to SSO the employee onto CVAD resources.
3. Install StoreFront – https://docs.citrix.com/en-us/storefront/1912-ltsr/install-standard.html after reading the system requirements – https://docs.citrix.com/en-us/storefront/1912-ltsr/system-requirements.html.
4. Setup and Configure FAS Role on your StoreFront Server – https://docs.citrix.com/en-us/federated-authentication-service/1912/install-configure.html after reading the system requirements carefully – https://docs.citrix.com/en-us/federated-authentication-service/1912/system-requirements.html, this part shouldn’t be a problem e.g leaning on on Security teams whom control the Enterprise CA Admins as you’ll hopefully be using a proper UAT or Test CVAD environment with all the Microsoft management servers and roles including an Enterprise CA which FAS requires and access to AD introduce new GPO’s.
5. An Azure AD “personal or business test” tenant.

Deployment Guide

Azure AD Setup & Configuration – Personal Home Lab Edition
If you have a separate Azure AD tenant in Azure you can proceed to the next section, however if you are an IT Pro that wants to test out how to convert Azure AD SAML logins to Citrix virtual smartcards for CVAD the following the below guidance below for setting up a personal ADD tenant with a personal Azure account for your home lab. WARNING I am not an Azure AD nor on-premises AD expert, therefor follow the leading practises found in Microsofts documentation for Azure AD.

1. Navigate to https://portal.azure.com and sign-in with your live vs. personal Microsoft account. Select “Create a resource”.
2. Select “Identity” then select “Azure Active Directory”.
3. Enter in an “Organisation Name, Initial domain name and select your Country or region”.
4. The wizard will begin creating your AAD tenant .
5. Once it completes click the hyperlink within “Click here to manage your new directory”.
6. At the Overview page of your new AAD tenant select “Users” under “Manage” section.
7. Select “+ New user” under the “All Users (Preview)” Overview you’ll notice your personal email addr.
8. You’ll notice when creating a new employee account for your AAD tenant that you can only append domain.onmicrosoft.com to the username, I’ll explain how-to convert that to user@domain and remove the UPN requirement of user@doamin.onmicrosoft.com in the next few steps. For now fill the following fields “User name”; “Name”; “First name”; “Last name”; “Password” (choose or auto-generate) and the select “Create” keeping the defaults as they are.
9. Your new AAD employee is successful created, you can assign roles. NOTE for my personal testing purposes I didn’t configure anything as I’ll delete that test employee AAD account after my testing.
10. At this point I’m not going to deploy nor setup the “Azure AD Connect” in my Citrix Cloud Resource Location as I want the employees primary identity to always reside in Azure AD as the single source of truth, and then bring that identity to my Citrix Cloud Resource Location e.g Bring your own Identity (ByoI) and after a successful AAD SAML login map that to a hardened AD Shadow account with long complex password that the employee will never know and all I need to do it assign the AD security privilege and access for CVAD resources. This approach means that employee will NEVER enter in a AD password within a Citrix Cloud Resource Location that is configured for AAD (or Google, OKTA e.t.c) when using CVAD 1912 LTSR StoreFront and the Federated Authentication Service (FAS) in a Resource Location(s). For complex environments yes you’ll likely deploy the “Azure AD Connect” software as a role somewhere to replicate the employees but you don’t need to replicate there passwd or you can provision the employee twice once in AAD as in the example above and then again manually in AD in the Resource Location as there corresponding AD shadow account which matches the UPN from AAD when authenticating using SAML to StoreFront, the choice is yours but I found for testing purposes a manual in each is far less frictionless.

On-Premises Active Directory (AD) within your Resource Location
1.Create a new AD “Shadow” account that matches the “User Principal Name (UPN)” in AAD e.g user@domain, generate a random long complex password which they don’t need know and then assign or inherit the right vs. relevant AD security groups, GPOs that you would usually assign to a CVAD consumer.
2. On-board your domain into Azure AD which required verifying it with a MX record to avoid using user@domain.onmicrosoft.com so that you can use user@domain keeping it simple and less complex.

Installation and Configuring the Federated Authentication Service (FAS)
1. On the new VM that you just installed 1912 LTSR StoreFront role onto from the existing mounted ISO run the autorun splash screen and select “Federated Authentication Service”.
2.Read the EULA which you’ll need to “Accept the Licenses Agreement” to continue.
3. Accept the defaults and select “Next” on the “Core Components” page.
4. Accept the defaults and select “Next” on the “Firewall” page.
5. Once the installer is finished select “Finish” to close.
6. Open a PowerShell window in Admin mode then copy & paste the following code below, which will enable a trust between the CVAD Controller and the StoreFront server, minimise this window you’ll require it later.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

7. Navigate to the following path “C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions\” on the current StoreFront server that you installed FAS role onto, copy the following two files “CitrixFederatedAuthenticationService.admx” and “CitrixBase.admx” the entire folder “en-US” to a network share which will need to be accessible from your Windows Domain Controller or WDC.
8. Connect to your Windows Domain Controller (WDC) via RDS from the current StoreFront + FAS server and copy the two *.admx FAS files including folder “en-US” from your network share to the following path on the “C:\Windows\PolicyDefinitions” on your WDC.
9. Open an “MMC” console and load the “Group Policy Management Editor” snap-in, at the prompt for a Group Policy Object, select “Browse and then select ”Default Domain Policy”.
10. In the MMC console navigate to “Default Domain Policy [server name] > Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication” and you should see the following three policies available “Federated Authentication Service”, “StoreFront FAS Rule” and “In-session Certificates”.
11. Select and open the “Federated Authentication Service” policy, next select to “Enable” it followed by selecting the “Show” button parallel to “DNS Addresses” label and enter in the FQDN e.g. “server.domain” of your StoreFront + FAS server and then select “OK” and then select “OK” to save the policy configuration and enabling FAS.
12. Next select and open “In-session Certificates” and select “Enabled” and in the “Consent timeout (seconds):” field type in a value of “30” which is the default.
13. Next close the MMC console and open up the existing PowerShell (Admin mode) and copy and paste the following code to force a Group Policy Update. 

gpupdate /force

14. Minimise the RDS connection from your WDC so that you are back on your StoreFront + FAS server. Search and open up Citrix FAS in Admin mode, if you don’t you will be notified in the UI and then select “run this program as administrator” which will reload the FAS UI in Admin mode.
15. Select to “Deploy” for “Deploy certificate templates”.
16. Select “Ok” on the pop-up window that appears.
17. You’ve now successfully deployed the certificate templates, now select “Publish” for “Set up a certificate authority”.
18. Select the right Enterprise Certificate Authority (CA) from the available list and select “Ok”.
19. You’ve now deployed the certificate templates successfully to your Enterprise CA, now select “Authorize” for “Authorize this service”.
20. Select the right Enterprise Certificate Authority (CA) from the available list (same as above) and select “Ok”.
21. The FAS UI will display a spinning icon as the authorisation request is pending on the Enterprise CA server. 
22. Connect to your Enterprise CA via RDS and the “Microsoft Certification Authority” MMC Console and navigate to “CA > CA Server > Pending Requests” you’ll see pending certificate right click it select “All Tasks > Issue” and the certificate will be issued. 
23. Verify the issues certificates are issued by selecting “Issued Certificates” and verify you can see two issues certificated that begin with “Citrix_RegistrationAu…”.
24. Minimise your RDS session to your Enterprise CA and return to the StoreFront + FAS server, you now notice the “Authorize this service” says “Reauthorize” which is correct as the FAS service is now authorised with the Enterprise CA. Next select “Create” for “Create a rule”, which launch a new window.
25. Accept the default “Create the default rule (recommended)” and select “Next”.
26. Accept the default “Citrix_SmartcardLogon (recommended)” and select “Next”.
27. Select the previously selected and configured Enterprise CA you Authorised and select “Next”.
28. Select “Allow in-session use” and select “Next” if you enabled the following policy “In-session Certificates” earlier.
29. Select “Manage StoreFront access permissions (access is currently denied)” in red text which will open a new window.
30. Remove “Domain Computers” and add the “Server” running the StoreFront + FAS roles and under “Permissions” to “Allow” then select “Apply” and “Ok”.
31. The screen will update with “Manage StoreFront access permissions” to now be in blue text, now select “Next”.
32. Select “Manage user access permissions (all users are currently allowed)” in red text which will open a new window.
33. You can change to default “Domain Users” to your own test AD security group, then under “Permissions” to “Allow” then select “Apply” and “Ok”.
34. The screen will update with “Manage user permissions (all users are currently allowed)” to now be blue text, now select “Manage VDA permissions (all VDAs are currently allowed)” which is in red text.
35. You can change to default “Domain Computers” to your own test AD security group that your Citrix Virtual Delivery Agents (VDA) are found within, then under “Permissions” to “Allow” then select “Apply” and “Ok”.
36. The screen will update with “Manage VDA permissions (all VDAs are currently allowed)” to now in blue text, now select “Next”.
37. Now select “Create” and a “Default” FAS rule.
38. You have now successfully setup and configured Citrix FAS, you still need to enable FAS Claims for your “AAD” store on StoreFront which is covered later in this blog post.

Creating a new Store call “AAD” for Azure AD SAML Authentication in StoreFront
1. Open Studio and select “StoreFront” then select “Stores” and the on the “Actions tab” select “Create Store”.
2. On the splash screen select “Next“.
3. Type in “AAD” for the “Store Name” field and click “Next”.
4. Select “Add” list a CVAD controller, a new window will appear where you need provide the following information a “Display Name” e.g Citrix Cloud Connectors vs. CVAD 1912 LTSR, for the “Type” select “Citrix Virtual Apps and Desktops” and under “Servers” list select “Add” and type in the Citrix Cloud Connector or CVAD 1912 LTSR addresses and choose “Transport type” either HTTP 80 or HTTPS 443 (Preferred) and click “OK”.
5. You are now returned to the “Delivery Controller” page with a list of either Citrix Cloud Connectors or CVAD Controllers 1912 LTSR, click “Next“.
6. Now on the “Configure Authentication Methods” page select “SAML Authentication” and leave “User name and password” checked as YES, then click “Next”.
7. Ignore “Remote Access” configuration and click “Next“. NOTE: I will update this blog post at a later date with the Remote Access via Citrix Gateway formerly NetScaler Gateway.
8. Accept the default’s on the “Configure XenApp Services URL” and click “Create”.
9. StoreFront will begin creating your new “AAD” Store on your StoreFront server, once the wizard completes select “Test Site” to verify you can see a webpage that displays Citrix Receiver or you can navigate to “https://FQDN/Citrix/AADWeb/” replacing the FQDN with your own to verify the webpage is available.

Generating AAD SAML Configuration for StoreFront
1. In the Azure AD UI in the Azure Portal select “Enterprise applications” node.
2. When the UI updates in the centre select “Select “New application”.
3. You are taken to the “Add an Application” wizard and presented with three options select “Non-gallery application“.
4. Next provide a name for your own application e.g AAD-SAML-CVAD1912LTSR and then click “Add” at the bottom.
5. The AAD wizard completes and you are taken to the “Overview” page for “AAD-SAML-CVAD1912LTSR“, now select “Users and groups” from within this view.
6. Add an native AAD user(s). Note do not add any employee that does not have a AD shadow account setup and configured in the Citrix Cloud Resource Location (RL).
7. Now from the same “Overview” page for “AAD-SAML-CVAD1912LTSR” select “Single Sign-on” and on the “Select a single sign-on method” wizard select “SAML” and will start the AAS SAML wizard.
8. Select the pencil icon for “Basic SAML Configuration” to configure the following fields as follows below and select “Add“.

Identifier (Entity ID): https://FQDN/Citrix/AADAuth
Reply URL (Assertion Consumer Service URL):https://FQDN/Citrix/AADAuth/SamlForms/AssertionConsumerService
Sign on URL: https://FQDN/Citrix/AADWeb

9. Check under “User Attributes & Claims” portion that the “Name” field is configured to “user.userprincipalname”.
10. Scroll to “SAML Signing Certificate” and click to download the “Federation Metadata XML” e.g. AAD-SAML-CVAD1912LTSR.xml, now save or transfer it to your StoreFront server at C:\Temp.

Create and Configure a Azure AD SAML Trust in StoreFront
1. If you have transferred the *.xml file e.g “AAD-SAML-CVAD1912LTSR.xml“, then on your StoreFront server create a folder called “Temp” on “C:\” and transfer the downloaded *.xml file.
2.Open PowerShell in admin mode or launch it from Studio 1912 LTSR. Copy & paste the following code below, however if opening the PowerShell with Admin privileges without Studio 1912 LTSR then copy & paste this cmdlet first before proceeding with the configuration & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1“. You will notice the virtual path for the Store is already set here to AAD so you can copy and paste it as is. This code sets up and configures SAML for the ADD Store.

$storeVirtualPath = “/Citrix/AAD” 
$auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) 
$spId = $auth.AuthenticationSettings[“samlForms”].SamlSettings.ServiceProvider.Uri.AbsoluteUri 
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/AssertionConsumerService”) 
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/ServiceProvider/Metadata”) 
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlTest”) 
Write-Host “SAML Service Provider information: 
Service Provider ID: $spId 
Assertion Consumer Service: $acs 
Metadata: $md 
Test Page: $samlTest “
 

3. Next copy and paste the following code which will ingest SAML configuration from the Azure AD *.xml that you downloaded earlier and copied to C:\Temp on the StoreFront server.

Get-Module “Citrix.StoreFront*” -ListAvailable | Import-Module
# Remember to change this with the virtual path of your Store.
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath “C:\Temp\AAD-SAML-CVAD1912LTSR.xml”


4. Validate there are not error(s) on screen that need resolving.
5. Minimise your PowerShell window you’ll need it again shortly, now open up Studio or StoreFront MMC console and navigate to the “Stores” and select “AAD” and select “Manage Authentication Methods“.
6. Select the cog icon parallel to “SAML Authentication” and then select “Identity Provider” you should see that your AAD SAML configuration is setup and configured, leave it as is DO NOT TOUCH it!
7. Close all windows including Studio or StoreFront.

Enabling FAS for Converting Azure AD SAML Tokens to Virtual Smartcards
1.Open up your existing PowerShell window and copy and paste the following code below, which will ENABLE FAS for your ADD Store to convert AAD SAML tokens received into virtual smartcard that will be used to SSO the employee onto his/her Citrix virtual app and or desktop. You’ll notice the code is configured for the “AAD” Store so you can copy and paste as is.

Get-Module “Citrix.StoreFront.*” -ListAvailable | Import-Module
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName “FASClaimsFactory”
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider “FASLogonDataProvider”


2. Validate there are not error(s) on screen that need resolving, if there are none you can nose close the PowerShell window.

Testing your Azure AD SAML to Virtual Smartcard Login
1. Navigate to https://FQDN/Citrix/AADWeb which will redirect you to a AAD login.
2. Enter in your UPN e.g user@domain and then complete the required 2FA vs. MFA requirements setup by your organisation as requirement onscreen.
3. You will be returned to https://FQDN/Citrix/AADWeb and SSOed onto UI, depending on your setting your desktop will either auto launch of you’ll have to manually launch it yourself. The initial login will take slightly longer than usual as its generating you that initial virtual smartcard between StoreFront, FAS, AD and your Enterprise CA.
4. Your Citrix vDesktop or vApp should launch successfully and SSO the on without prompting for any credentials.

Troubleshooting
1.If you receive ANY error once returned to https://FQDN/Citrix/AADWeb post the AAD SAML login open a new browser tab in the same session and copy and paste the following URL https://FQDN/Citrix/StoreAuth/SamlTest to see if you have any oblivious errors e.g user@domain.onmicrosoft.com from Azure AD which doesn’t map to the AD Shadow account that is user@domain so its a UPN mismatch and the sign-on will continue to fail.
2. If the employee can sign on to https://FQDN/Citrix/AADWeb and the Citrix vApp or vDesktop launches but they see a credential prompt with “Other User” check and see that you configured FAS for the correct Store with SAML Authentication setup and configured if not using my example of “AAD” as the Store setup and configured on StoreFront.

ICA Proxy Remote Access with Azure AD SAML
Coming…

Concept on Bring your own Identity (ByoI) Strengthening Security through Co-Shared Responsibility owned by IT with different operating models
Its a simple concept which I like and yes it adds in complexity but it times today its far better to harden against unwanted 3rd party access whilst making it harder to achieve lateral movements. If the employee’s account is compromised by a 3rd party, they would need to compromise the employees identity in the cloud directory e.g AAD and in Active Directory (AD) on-premises as both passwords are completely different with different types of multi-factor authentication methods bound including access privileges.

The views expressed here are my own and do not necessarily reflect the views of Citrix.


Citrix Workspace app is released Hello World

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Introduction
What is Citrix Workspace app? It brings together all your LOB tools which in todays modern world consists of (virtual/micro/installed/mobile) apps, SaaS, desktops & content. I’ve embedded a sample of what this actually looks like below.

Overview
The new Citrix Workspace app way more than purely an upgrade of Citrix Receiver e.g grey to blue icon and a skin change, this NEW Citrix client app release is simply extraordinary, working for Citrix I can be considered bias however once you actually begin to consume the Citrix Workspace app you’ll understand exactly what I mean. Citrix Workspace app is for me all about an experience, and that experience is extraordinarily AWESOME! As I begin consuming my LOB (Line of Business) tools wherever I am + want and in a setting/context that suites me (home, Paddington vs. partner offices, trains, taxi e.t.c) the chosen LOB tool delivered context can change dependant upon criteria (I won’t be covering this today) or how IT (say YES!) has chosen to deliver the LOB tool through Citrix Access Control Service – https://docs.citrix.com/en-us/citrix-cloud/access-control/get-started.html.

I now have all my content available all in the same AWESOME app thank you Citrix Content & Collaboration aka ShareFile. I can upload, download and even favourite particular content e.g “L-J’s H1/2 Citrix Partner Tech Super Deck” which is then available directly from the home view/tab. In the below example I am uploading the LeasePlan Citrix SD-WAN case study – https://www.citrix.co.uk/customers/leaseplan-en.html and the actual video is available at – https://www.youtube.com/watch?v=4Hq-yryxfS0 take a look and remember to listen to the outcomes Citrix SD-WAN provides LeasePlan.

How do I get started today?
Firstly I will do a more detail blog post on getting it all up and running with use cases time dependant of course.

1.Start by navigating to https://docs.citrix.com/en-us/citrix-workspace-app.html and then goto Citrix.com and login with your access details, next navigate to https://www.citrix.com/downloads/workspace-app/ and download Citrix Workspace app for your chosen end-point. If you are running a TP of Citrix Workspace app code base please UNINSTALL it prior to installing the GA production code base as a few community individuals I know had issues upgrading from TP code base. I would like to state for the record I upgraded from PRODUCTION Citrix Receiver to the Citrix Workspace app for Mac 1808 on my Mac without ANY issues see below tweet.

2. Please carefully read the System Requirements for your chosen platform here is the link for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/system-requirements.html and Windows https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/system-requirements.html.

3. Review the installation guidance for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/install-configure.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html.

4. Please carefully read the configuration of Workspace app for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/configure.html
and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html e.t.c. for other platform and if you are looking for multi-monitor support or Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/improve-user-experience.html#using-multiple-monitors for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/improve.html#multi-monitor-support, and securing communications between Workspace app and your StoreFront for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/secure-communications.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication.html (Pay attention to deprecated cipher suites node) and finally if your are you a Smart Card user pay attention to the recitations at the bottom of both docs for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/requirements-for-smartcard-authentication.html and for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication/config-smart-card.html and for WIF 5.4 (yes I know really however some of you still may need it while your upgrading to XAD 7.x platform) https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication/config-smart-card–for-web-interface.html.

5. Sign-up vs. Login to Citrix Cloud today and trial vs. acquire a Citrix Cloud service e.g ShareFile Service or the XAD Service and if you want to aggregate on-premises LOB apps into the new Citrix Workspace experience then setup “Site Aggregation” today. To learn how please read this CTXS blog post and watch the embedded YouTUBE video which provides a how-to overview at – https://www.citrix.com/blogs/2018/08/03/site-aggregation-for-citrix-workspace-is-now-ga/.

Thats all folks for now on the technical overview its brief I know so I will follow-up in future with more detailed overview + how-to e.t.c either here or on the https://www.mycugc.org website in the experts area.

Upgrading to Citrix Workspace from Citrix Receiver for smart devices

In Closing
I work for Citrix, I have been a Citrix + IaaS advocate for well over a decade (now SD-WAN swell) so I am mostly likely bias you’ll think however Citrix Workspace app is truly AWESOME and way more than what you see at a glance, I encourage you all to begin consuming it today to see for yourself just what I am talking about and why I personally say its “AWESOME“.

2017 UKI #CitrixPartnerLove Challenge #6 Traffic Flows

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://lnkd.in/dN74-97 to print.

My Best of #CitrixSynergy 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
CITRIX USER GROUP COMMUNITY – cugc
HYPER CONVERGED INFRASTRUCTURE – hci

Introduction
Its my 5th #CitrixSynergy and this is def one of the best Synergy’s I have ever had the privilege of watching virtually from London, England. Why not in person? I prefer to watch virtually as I am to consume more content faster and translate that into content to update Citrix partners/customers in a timely manner at high level and tech deep dive where required in particular areas or topics. Finally this blog post will most likely change over the next 2-3 weeks as I consume all of the Synergy 2017 content as when/how I can.

My Highlights of the Key Notes
Vision Keynote

– 4:45 Citrix User Group Community – https://www.mycugc.org THANK YOU! Join the community today its powered by some of the most passionate Citrix and Technology advocates from around the global!
– 11:00 Red Bull Racing I’m not going to say anything you need to watch it!
– 21:45 Cloud powers the world
– 27:00 Digital Frontier Companies
– 39:00 Citrix Secure Digital Workspace with a software-defined preimeter
– 40:57 Citrix Workspace Services and a brief demonstration by Citrix’s CEO
– 42:25 SD-WAN / Gateway / WebApp Firewall / DDoS (NS 12+) as a Service
– 47:35 Citrix Analytics Service
– 1:01:00 “Better Together” and video message from Microsoft CEO Satya Nadella
– 1:12:25 Citrix + Google Chromebook (Skype for Business, Office365 and much more…)
– 1:18:00 Healthcare customer story “Partners Healthcare”

Technology Keynote

– 22:00 Unified Workspace (its Adaptive and Contextual by device/location and it changes the users published resources and its access type!) which brings together some of the most crucial aspects of todays modern apps, desktops, data & your location in a single view with casting capabilities but not demoed as instead instead*
– 29:00 *Workspace IoT (SmartSpaces) demonstration with a users own mobile phone enables an auto login to a Win 10 VD at guest location including welcoming the user based upon his/her smart phone used as there identity. Security people feel free or you will be going nuts right now!
– 32:30 Its all about layering you guessed it Citrix App Layer enabling IT to say YES! Note demo was demoed using a Samsung DEX check it out – https://www.citrix.com/blogs/2017/03/29/instant-desktop-computing-from-the-new-samsung-galaxy-s8-smartphone/
– 39:40 Workspace Appliance Program e.g HCI
– 42:35 Protect against Zero day attacks with XenServer and BitDefender which is available but is something which Citrix announced on 21/06/2016 yes thats right 2016 entitled “A Revolutionary Approach to Advanced Malware Protection” – https://www.citrix.com/blogs/2016/06/21/a-revolutionary-approach-to-advanced-malware-protection/ 21/06/2016 yes 2016!
– 47:00 Brad Anderson Corporate Vice President of the Enterprise Client & Mobility @Microsoft discusses shortly and then prefers to demonstrates our joint Citrix + Microsoft “Better Together” capabilities in Mobility, Virtualisation delivery from Azure and more.
– 1:01:38 Digital Jungle discussion its def worth your time if you about security and managing the experiences of your users workspace!
– 1:47:25 Vision of how the Digital Workspace is going to evolve

Citrix Synergy TV Breakout Sessions
The following are my current top sessions to watch in no particular order that I believe you’ll gain a lot of value out of watching BUT note that this may change as I continue to consume more of the on-demand content from Synergy 2017.

– SYN318 A to Z: best practices for delivering XenApp, XenDesktop – https://www.youtube.com/watch?v=jnnZTKBy18c&feature=youtu.be

– SYN111 – What’s new with Citrix Cloud and what’s to come – https://www.youtube.com/watch?v=C-UunHGKqLY

– SYN120 – NetScaler SD-WAN updates – https://www.youtube.com/watch?v=CdqIkCb86uU

– SYN103 – Citrix App Layering – https://www.youtube.com/watch?v=KBYoVeAYnSA

– SYN118 – What’s new with NetScaler ADC – https://www.youtube.com/watch?v=uMefjGwRMeU

– SYN121 – What’s new with NetScaler Unified Gateway – https://www.youtube.com/watch?v=-ovb4TIb5JY&t=28s

– SYN115 – Why should I use ShareFile if I already have Office 365? – https://www.youtube.com/watch?v=kESgKT7_mJw

Innovation Super Session
Awaiting for the on-demand video publication but for now I will leave you with the following Tweet as a thought or rather a reminder to make sure that you watch it if you missed it!

Synergy 2017 Advocates Blog Posts
Citrix Synergy 2017 – It’s a Wrap – See all the most important announcements listed here! By Christiaan Brinkhoff. – https://blog.infrashare.net/2017/05/29/citrix-synergy-2017-its-a-wrap-see-all-the-most-important-announcements-listed-here/

XenMobile 10.0 PoC Considerations

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile 10.0 prior to deploying in a PoC which will eventually mature to a Pilot, UAT then finally into an Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
FEDERAL INFORMATION PROCESSING STANDARDs – fips
NETSCALER GATEWAY – nsg
MICROVPN – mVPN
FIREWALL – f/w
CERTIFICATE – cert
ACTIVE DIRECTORY – ad
INFRASTRUCTURE-AS-A-SERVICE – iaas
ENTERPRISE MOBILITY MANAGEMENT – emm
MOBILE CONTENT/INFORMATION MANAGEMENT – mc/im
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam

Preparation & Pre-requisites (DRAFT & MAY CONTAIN ERROR(S))
1: XenMobile 10 is completely different from XenMobile 9 as it is now a single harden Linux V/A and the communication paths between the NSG and the XMS V/A are also now differently likewise setting and configuring XM 10 is different from XM 9 and its substantially more quicker and easier.
2: Never use a production NSG for a customer PoC why? When you upload the trial licenses it will require the NSG V/A to reboot which cannot be completed in a production environment without a scheduled and carefully planned maintenance window.
3: You may want to use the latest NS(G) firmware for the XM PoC to achieve the best possible outcome, result and of course to have the best optimal performance.
4: XenMobile has the ability to integration of a number of the Citrix products to form an end-2-end EMM solution that encompasses MDM, MAM, MC/IM.
5: Identify and visually understand where potentially all the components/products sit within the whole overall mobility solution. Here is a great visual reference that is clean and clear to understand – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html for XenMobile 10.
6: Review the pre-requites and checklists if available for each product that you wish to deploy within XenMobile. I have listed a few here for you starting with all the required ports:

Architecture – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html
System Requirements – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-system-requirements.html
Ports – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-deploy-component-port-reqs-con.html
Pre-Installation Checklist – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-xenmobile-install-checklist.html

7: Now that you have an understanding of the requirements I would strongly advise that you also read through the XenMobile security whitepaper available at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf. Although you may not actually want to read through this whitepaper even just a brief glance at the MDX technology sections will provide you with a greater understanding of mVPN’s and the MDX framework that powers all of Citrix’s Worx App’s – http://www.citrix.com/products/xenmobile/tech-info/worx-mobile-apps.html.

Pre & Post Discovery Meetings (DRAFT & MAY CONTAIN ERROR(S))
1: Ensure that you educate the organisation as to what XenMobile is and it’s capabilities surrounding enterprise mobility management commonly referred to EMM. I often find that individuals still today don’t have a very clear and defined understanding of what is MDM and MAM are so its worth educating your customer.
2: I would suggest that you setup 2-3 GoToMeeting sessions a minimum. This is to ensure and allow the organisation to ask any questions surrounding the pre-requites and system requirements of XenMobile including supporting any and all external dependencies e.g iOS Enterprise Developer Account for signing Worx’s apps. The second reason is to ensure that all the pre-requites have been completed successfully prior to you arriving onsite to complete a PoC implementation and to answer any further Q&A the organisation has. If the organisation has not completed the pre-requites then proceed with the third GoToMeeting and if the pre-requites have still not being completed successfully I would strongly advise escalating to managers on both organisations and rescheduling your PoC deployment date to an alternative date as the chances of your PoC being successfully will be less likely and as for example the required ports may not be opened correctly, certificates for securing communication are completed etc. If you do choose to proceed you’ll more than likely spend a great deal of time troubleshooting in order to successfully complete your XenMobile 10 PoC deployment.
3: Decide on a database platform note that Postgres SQL is built-in to the XMS V/A and it is recommended PoC deployments only, where as a remote MS SQL database is best utilised for production deployments.
4: Decide upon the MDM management addr for mobile devices which should be a FQDN e.g mdm.axendatacentre.com. If you intend to manage devices both in and outside of your organisation I would recommended implementing SplitDNS ref – http://en.wikipedia.org/wiki/Split-horizon_DNS.

Example of SplitDNS
///////////////////
Internal 10.10.1.1 resolves to mdm.axendatacentre.com over the corporate trusted Wi-Fi or wired ethernet
External 8.8.8.100 resolves to mdm.axendatacentre.com over 3/4G

5: Login to your Citrix My Account at – http://www.citrix.com/ locate and click Partner Central (Opens a new tab) then once the web page loads click Sales in the navigation menu bar and click on SalesIQ (Opens a new tab) then once loaded click on PoC Central scroll down and download the XenMobile PoC kit. Note only valid Citrix Partners may download content from Citrix SalesIQ.

How-to resolve – Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile
1: The following error message Profile Installation Failed The server certificate for ‘https://XM-FQDN:8443″ is invalid is received when enrolling iOS 7.x.n + with XenMobile 10.
2: The issues is related to the private key within the exported *.p12/pfx certificate when exported from a Windows machine with either Certificate Manager or IIS Manager on Windows Server.
3: I would suggest that you download and run DigiCert Certificate Utility for Windows from – https://www.digicert.com/util/ on the server that originated the CSR that was used to generate a wildcard certificate. Once the tool is open find your wildcard cert and follow the steps at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to export the certificate BUT before you proceed with the export please highlight the intended wildcard certificate and select “Test Key” once its completed successfully select “Export Certificate” option.
4: Upload the exported DigiCert p12/pfx cert to the XMS V/A for both the server and the SSL listener and restart the XMS V/A.
5: Once the XMS V/A is online login to both the SFP and the Admin WebUI to validate that the XMS V/A is active and responding as normal/expected.
6: Begin enrolling your iOS device and the following error message Profile Installation FailedThe server certificate for “https://” is invalid should no longer appear and you should be able to successfully enroll your iOS device.

PoC Notes & Tips
1: Deploy your first few XenMobile 10.0 PoC as single entities without the complexity of clustering, load-balancing e.t.c
2: Stick with 2 devices during a PoC to maximise your success and remember a PoC is designed to prove a concept or that a technology works as described.
3: If your deploying ShareFile On-Prem SZ remember to backup the SZKeys.txt in the root of your ShareFile Data CIFS share.
4: Support NetScaler Gateway (Builds + Versions) for XM 10.0 currently include – 10.5.55.8 MR5, 10.5.54.9 MR4, 10.5.53.9 MR3, 10.1.130 MR and 10.1.129 MR ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html. Please review the following CTX article entitled “FAQ: XenMobile 10 and NetScaler 10.5 Integration” available at – http://support.citrix.com/article/CTX200430 which is a great and resourceful CTX article.
5: Although this is typically not considered during a PoC Citrix provides detailed overview of scaling XenMobile 10.0 from 1000 up to 100,000 devices fronted by both VPX and MPX NS appliances – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-scaling-xm.html.

XenMobile 10.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile 10.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
FEDERAL INFORMATION PROCESSING STANDARDs – fips
NETSCALER GATEWAY – nsg
VIRTUAL IP ADDRESS – vip
MOBILE APPLICATION MANAGEMENT – mam
MOBILE DEVICE MANAGEMENT -mdm

What’s New
1: XenMobile is now a single unified hardened Linux virtual appliance.
2: Complete overhaul of the Web UI which dramatically simplifies policy setup & configuration of MDM + MAM policies and it allows for the management of multiple platforms within a single policy.
3: Built-in V6 Citrix Licensing server provides a 30 day trial/evaluation and also support for remote V6 CTX licensing server.
4: Built-in PostgreSQL database recommended for PoC’s and there’s also support for remote MS SQL database which is recommended for production deployments.
4: XMS V/A includes IPtables which is a Linux firewall – http://en.wikipedia.org/wiki/Iptables.
5: XMS placement is in the DMZ. The V/A is hardened and is FIPS 140-2 compliant and remember you data is actually stored in a MS SQL database unless your utilising PostgreSQL database within the XMS V/A.
6: Traffic flow and ports between NetScaler Gateway and the XenMobile Server (XMS) have changed please refer to eDocs for an architecture overview of the changes at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html.
7: The Admin Web UI is now on https://XMS-FQDN:4443/. This port is not configured as part of the XenMobile 10 wizard on NetScaler Gateway build 10.5-55.8 which means that you will not be able to access the mgmt. Admin Web UI from the internet it will only be accessible from the DMZ and the TRU network dependant upon your firewall(s) ACL list.
8: New WorxHome build 10.0.3.83 which is also backwards compatible from XenMobile 10.x.n
9: The XenMobile NetScaler Connector (XNC) currently is still a separate Windows Server.
9: You can find our more by watching the following Mobility Master Class: What’s New in XenMobile 10 available from Citrix TV.

Mobility Master Class: What’s New in XenMobile 10

Mobility Master Class: Citrix XenMobile 10 Clustering & MDM Migrations

Deploying XenMobile 10
1: Review the system requirements for XMS at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-system-requirements.html to understand the supported hypervisors, computing requirements. You should also make sure that you review the latest XM architecture as it has changed between XenMobile 9.0 vs. 10.0 and it can be viewed at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-arch-overview-con.html. You’ll notice that the traffic between NSG and the XMS V/A has changed however all traffic externally still occurs on there traditional ports (443, 8443, 2195, 2196, 5223).
2: Review and understand the NetScaler Gateway compatible requirements at – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html.
3: Make sure that you print out and fill-in all the pre-requitses for the XMS V/A ref – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-xenmobile-install-checklist.html prior to deploying your XMS V/A on your chosen hypervisor.
4: Once you have uploaded the V/A to the hypervisor and booted it complete the onscreen instructions ref – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-install.html. Once you are finished login into the Admin WebUI replacing the IP Addr with your XMS V/A ip addr from this example https://XMS-IPADDR:4443/ and login with Administrator account your specified during the deployment and NOT admin which is used to access the XMS V/A CLI from your hypervisor only.
5: Once you’ve logged in you’ll need to have the following listed below available to successfully complete the second part of the initial XenMobile 10 deployment. There is also a pre-requites check list available at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-xenmobile-install-checklist.html.

– Citrix v6 licensing file for either local or remote. Remote is recommended for H/A purposes.*
– Microsoft Active Directory (AD) ip addr or FQDN, base DN, domain, search service account with read-only permissions.
– Certificate in *.p12 or *.pfx format for the SSL_Listener which is used for two way secure HTTPS communication to the XMS V/A.
– APNS certificate.
– Separate MDM and MAM+ FQDN’s correctly setup in DNS with fwd and reserve lookup’s configured and each configured with its own static IP addr for external resolution.
– 3x VIP for configuring XenMobile 10 with NetScaler Gateway 10.5.55.8 +. You can find a compatible NSG V/A version and builds at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-10-understand-compatibilitymatrix-con.html.
– MS SQL Database server configured to accept traffic and with write/read privileges to create and manage the remote XMS database.
– Mail server configuration which enables and provides workflow email messages, notifications to users e.t.c

6: Follow the onscreen prompts and once completed the web UI deployment wizard then you have successfully deployed a XMS V/A. Please not reboot the XMS V/A so that the existing SSL certificates for HTTPS can be unbound and the newly uploaded SSL cert(s) can be bound to HTTPS.
7: You may now setup a XMS cluster and configure H/A with a NSG and thereafter begin configuring your XenMobile 10.0 environment. See the H/A section for a how-to.
8: Logon to one of the XMS v/a direct IP addr e.g https://XMS:4443/ if in H/A fronted by the NSG as the XenMobile 10 wizard will not configure 4443 which means that you cannot access the mgmt interface via the VIP owned by the NSG. This means that the mgmt interface is not accessible either internally or externally on the FQDN that resolves the VIP owned by the NSG.
9: Scaling XenMobile 10.0 from 1000 up to 100,000 devices – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-scaling-xm.html.

XMS V/A High-Availability (H/A)
1: Prior to understanding how-to setup a XMS H/A or clustering you need to understand that the minimum requirements are for a remote CTX v6 licensing server and MS SQL database as the XMS V/A do not hold any user/cfg information this is all held in the remote database.
2: Once your have setup XMS follow the prompts in the CLI to enable clustering and configure the IPtables firewall ACL and then finally shut it down and clone it.
3: Rename the cloned XMS V/S to your required naming convention and then boot up the cloned XMS V/A login to the CLI and changed the IP addr and ensure that the IPtables firewall ACL ports are correctly enabled then shutdown the V/A.
4: Boot the first XMS V/A and then 60 seconds later boot the cloned XMS V/A and login to the CLI to very the cluster is enabled and then login into the XMS admin WebUI to verify that the cluster is up and functioning as expected. The original XMS V/A will be the oldest in the cluster.
5: You can now proceed to setting up the load-balancing for the XMS V/A’s with NSG to service MDM + MAM requests.

Supported NetScaler Gateway (Builds & Versions) for XM 10
1: 10.5.55.8 MR5; 10.5.54.9 MR4; 10.5.53.9 MR3; 10.1.130 MR & 10.1.129 MR ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html.

Deploying XM 10 with NetScaler Gateway 10.5.x.n (Draft)
1: Before beginning its worth mentioning that the way I will be describing how-to deploy XenMobile 10 in this blog article will be to utilise to external static IP addr’s + FQDN’s that are NATed to DMZ IP addr’s and I will utilising SplitDNS for device mgmt. in/outside of my TRU network. I will also be implementing the described XenMobile 10 environment below utilising an SSL Bridge although offloading includes a few more minor steps the intention of this section is aimed at helping you front your XenMobile 10.0 deployment with a NSG 10.5.x.n V/A.
2: Please review the following CTX article entitled “FAQ: XenMobile 10 and NetScaler 10.5 Integration” – http://support.citrix.com/article/CTX200430 which will aid you in been able to setup and configure load-balancing for XMS V/A’s, mVPN for Worx’s apps for XenMobile 10 with NetScaler Gateway 10.5.x.n.
3: You’ll require the following prior to be beginning:

– Correct NetScaler (Gateway) build +_ version the NSG version + build I’ll be discussing here is NetScaler Gateway 10.5.55.8 MR5 but you can check the latest supported version + builds at – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-10-understand-compatibilitymatrix-con.html
– 1x FQDN for MDM e.g. mdm.axendatacentre.com * that resolves to both external internet routable static IP addr and your internal assigned static IP. Please note that this should match exactly the FQDN entered in at the time of the deployment of your XMS V/A during the first phase in the CLI the text your looking for is/was “XenMobile Server FQDN:” and its highlighted in yellow. It is also worth/noting that if you have utilised an internal domain e.g xms.abc.local as the FQDN this will only manage devices internally as that FQDN is not routable on the internet so you’ll only be able to manage devices INSIDE of the trusted network to its recommended to a FQDN that is internet routable and you can utilise SplitDNS to manage traffic requests to the NSG VIP’s for XenMobile.
– 1x FQDN for MAM (Worx’s Apps) e.g. mobileapps.axendatacentre.com * that resolves to both external internet routable static IP addr and your internal assigned static IP
– 2x External routable internet IP addr’s * e.g 8.8.8.8 which most IT Pro’s utilise to ping to check internet connectivity
– 3x Internal IP addr’s owned by the NSG as VIP
|- 1x for MDM
|- 1x for MAM Gateway
|- 1x for Load-balancing IP
– Wildcard certificate for your domain e.g *.domain.com
– If your implementing SSL Offloading (HTTP) of your XenMobile traffic for MAM then you’ll require the devices cert from the XMS V/A which can be downloaded from the XMS Web AdminUI at https://xms:4443/

4: Setup the NetScaler Gateway configuration within the Admin WebUI of the XMS V/A following the process outlined at – http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-netscaler-gateway.html its fairly straight forward and simple.
5: Login into the NSG Admin WebUI interface and click the XenMobile Wizard in the bottom left-hand corner and then you’ll be prompted to setup either XenMobile 9.0 or XenMobile 10.0 please selected XenMobile 10.0 and click “Get Started” to continue.
6: Ensure that “Access through NetScaler Gateway” which is for MAM, “Load Balance XenMobile Servers” which is for MAM are checked they should be by default, however you know have the opportunity to deselect either if one depending upon your deployment scenario/use case and obviously your acquired license. The current XenMobile 10 datasheet is available at –
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf.
7: Enter in your first VIP for the MAM Gateway then port should be 443 and provide a suitable name.
8: Select your previously uploaded SSL certificate (I am utilising a wildcard cert for my domain *.axendatacentre.com) or upload your SSL cert.
9: Create your (s)LDAP binding you will need to provide the following:

– LDAP IP addr
– LDAP Port default is 389
– Base DN e.g Cn=Users,dc=axendatacentre,dc=com
– Service account username & password
– Timeout default is 3 seconds
– Server Login sAMAccountName or UserPrincipalName (SuGgEsTeD)

10: Now enter in your MDM FQDN and then the Load-balancing IP addr beneath and accept the default port of 8443. You can now also choose to select HTTPS (SSL Bridge) vs. HTTP (SSL Offload) and you can choose your DNS mode including split tunnelling.
11: Select your previously uploaded SSL certificate (I am utilising a wildcard cert for my domain *.axendatacentre.com) or upload your SSL cert.
12: Enter in your MDM VIP and you’ll notice the default ports are 443, 8443 for communication to the XMS V/A(s). You’ll notice that you cannot change the SSL traffic configuration as I specified to not to perform any SSL offloading in set 10 above or its under section “Load Balancing IP address for MAM” within the NSG XenMobile 10 wizard.
13: Next add in the XMS ip addr’s of each V/A in your XMS cluster and provide an appropriate name and ports are automated defaulted to 443, 8443.
14: Click continue to finish and then click done and you have now setup and configured all your traffic for XenMobile to route through your NSG V/A and we are performing SSL Bridging in the above scenario.

Worx Features by Platform
1:The following eDocs web page lists the features by Worx app which includes WorxHome, WorxMail, WorxWeb, WorxEdit, WorxNotes, WorxTasks & WorxDesktop ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-worx-feature-platform-matrix.html.
2: Be sure to also checkout the known issues list at – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-worx-knownissues-con.html and it is also worth noting that as of writing this blogging entry WorxTask’s is in Tech Preview (TP) ref – http://support.citrix.com/proddocs/topic/worx-mobile-apps/xmob-worx-tasks.html.

Twitter
You should follow the XenMobile team on twitter at – https://twitter.com/xenmobile for the very latest on Worx’s apps, updates, upgrades and so much more.

Security
1: The XenMobile security web page is available at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
2: The XenMobile Security whitepaper is available at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf and I would strongly advise that you read/review it to get a better understanding of how XenMobile can help and assist any organisations EMM (Mobility) requirements.
3: The Mobile Application Management with XenMobile and the Worx App SDK –
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/mobile-containers-with-citrix-mdx.pdf, this is well worth reading.

What is Infrastructure-as-a-Service (IaaS)?

The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
INFRASTRUCTURE-AS-A-SERVICE – iaas
ACCESS CONTROL LIST – acl
VIRTUAL NETWORKS – vlan
VIRTUAL MACHINE – vm
DEMILITARIZED ZONE – dmz

Infrastructure as a Service (IaaS) enables a tenant i.e you the reader of this blog post to purchase an allocated amount of computing, storage and networking resources from a (Managed) ISP. You then have the capability to assign or carve up these IaaS resources to create your own virtual datacentre (VDC) through a safe, secure web-based management console.

The IaaS management consoles typically will offer and allow the tenant the ability to create there own ACL, VLANs, placement of virtual machines (VM) within your VDC, building VMs from generic templates maintained by the (Managed) ISP and so much more.

The IaaS resources provided by the (Managed) ISP should be fully managed e.g border routers, core switches, hosts and mgmt. infrastructure of the IaaS platform and hosted within a highly-available N+1 data centre so that in the unlikely event of a logical or hardware failure your VDC environment will not be compromised or should automatically failover to onto alternative infrastructure and be rebooted and return to an online and active status within a few minutes.

What is the benefit of IaaS? You don’t have to secure any capital investment to acquire the nesscary hardware to support your existing organisations growth demands or if your a start-up it eases your cash flow requirements as you only pay for the computing, storage and networking resources that you need effectively require month by month.

Today IaaS is also referred to by some as a Software-Defined Data Centre.

Examples of IaaS Platforms
http://www.citrix.com/products/cloudplatform/overview.html.
http://cloudstack.apache.org/.
http://www.vmware.com/uk/products/vcloud-director.