Category Archives: CVPN

Front XenApp 7.11+ in Azure with NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how-to front your virtual apps & desktops powered by XenApp 7.11 with NetScaler 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENSERVER – xs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
NETSCALER – ns
NETSCALER UNIFIED GATEWAY – nsug
AZURE RESOURCE MANAGER – arm
IDENTITY ACCESS & MANAGEMENT – iam
MULTI-FACTOR AUTHENTICATION – mfa
SECURITY ASSERTION MARKUP LANGUAGE – saml

Why this Blog Article?
I’ve had a lot of cloud 1st strategy conversations with IT Pro’s, Citrix SysAdmins & organisations alike recently so I thought everyone whom is searching for how-to front XenApp with an Azure NetScaler could benefit from this blog post :-). This blog post covers a how-to even with NetScaler in single IP mode to achieving https://FQDN (Image 2) for the gateway vs. https://FQDN:8443 (Image 1) when deploying NetScaler in Azure (ARM).

Deploying NetScaler 11.x.n using Azure Resource Manager (ARM)
1. Login to https://portal.azure.com
2. I presume that you have setup a your network, IAM if not refer to https://azure.microsoft.com/en-gb/get-started/ for getting started how-to from Microsoft.
3. Click on + New in the top left of the ARM web ui and type in NetScaler and select NetScaler VPX Bring Your Own License or for a quick review check out – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/netscalervpx110-6531/.
4. Click Create
5. Enter in a name for your NS virtual appliance e.g ne1nug01 and select the VM disk type
5. Enter in a username and choose auth to be either SSH public key or Password I choose password to access the NS Admin WebUI for simplicity of all readers of this blog.
6. Select your chosen of default Subscription if you have more than one and then select your existing Resource Group where you XenApp 7.11+ environment and XenApp 7.11+ VDA Workers and your mgmt. VM running AD/DNS server resides. Remember I am keeping this simple as it’s intended for PoC’s only!
7. Continue to select your chosen Azure instance for NetScaler I choose DS2_V2 Standard which consists of 2 Cores, 7GB of RAM.
8. Select your storage account, virtual network & subnet e.t.c and high availability set then click Select to continue.
9. Review your purchase of NetScaler and then click Ok to purchase and Azure will begin building your NetScaler VPX in your Azure chosen subscription which will take no more typically than 10 minutes.

Setting up & Licensing your NetScaler on Azure
Firstly be aware that when deploying a NetScaler instance on Azure for virtual apps & desktops you’ll be setting up NetScaler to run in single IP mode (YES!) which means that you’re connecting to internal TRU resources on the NetScalers IP addr (NSIP) but you connect using different ports e.g ICA Proxy on 8443 so lets begin with the setup.

1. Login into your NetScaler using the NS Admin Web UI do not provide a SubnetIP Addr (SNIP) just select Do It Later and proceed with the initial setup as per normal.
2. Now that you have setup your NetScaler you need to license it so remain logged into and open a new tab in your browser of choice and Google “Citrix Eval Store” or save this link – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700
3. Select under Networking -> NetScaler ADC
4. Next select the following model “VPX” select variation e.g “Platinum 1000” select duration e.g “90 Days”.
5. Complete the onscreen process note that you will require a .Citrix.com account or you need to create an account.
6. Once you receive an e-mail with your key/code head over to at https://www.citrix.com/account/toolbox/manage-licenses/allocate.html or goto and select find and allocate your licenses or look for the licensing button (link) and select it.
7. If your key/code it not visible select “Don’t see your product?” in text in/around the top right-hand side. A pop-up appears now enter in the code provided on e-mail from the Citrix Eval Store e.g “CTX34-XXXXX-XXXXX-XXXXX-XXXXX” and continue.
8. You will need to enter in the Host Id of your NetScaler it can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information” then look under the heading “Hardware Information” and you find “Host Id” copy and paste it into the required field and then download the license file.
9. In the NS Admin Web UI click the cog icon top right then select licensing and upload the license and select to reboot the NS to apply the license.
10. Log back in and enable the features that you require e.g right click on the “NetScaler Gateway” and select “enable” e.t.c

Setup Type Choice 8443 Default without an Azure L/B for XenApp using the XenApp/XenDesktop Wizard
Now that you have setup NetScaler within your Azure subscription in your chosen region you’re ready to begin setting up NetScaler to front virtual apps & desktops (Server OS 2012 R2 or 2016) powered by XenApp 7.11+.

Sample Text Based Diagram

User Azure NetScaler StoreFront XenApp
https://FQDN:8443/ Accepts requests from Azure to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway & Call-back FQDN on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested

1. Login to your NetScaler VPX click “Settings -> Licensing” now check that License type is Platinum and Model ID 1000
2. Select the XenApp/XenDesktop wizard and review the prerequisites carefully prior to continuing BUT in summary you’ll need an SSL Cert, LDAP service account + details, XenApp 7.11+ environment with StoreFront.
3. Enter in the static IP addr assigned by Azure or OTHER METHOD of your NetScaler VPX YES that’s right!
4. IMPORTANT STEP: Change the default port of 443 to 8443 on the Gateway IP addr
5. Set Up the rest of the XAD wizard as normal
6. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway and Call-back FQDN addresses MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu
7. Setup external DNS entries e.g go.x1co.eu to point to your NetScalers static IP addr found in the Azure ARM Web UI and once you have verified it is functioning correctly using a shell (IPCONFIG /FLUSH after settin-up the DNS entries waiting 10-15 min depednant upon your ISP) the open up an internet browser and type in e.g https://go.x1co.eu:8443 and dont forget the :8443 at the end of the FQDN.
8. Attempt to login either using sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and then you should be able to successfully login and launch your virtual apps & desktop as per the below image.

Image 1


Setup Type 443 for XenApp using an Azure Load-Balancer & the NetScaler XenApp/XenDesktop Wizard

Sample Text Based Diagram

User Azure Azure Load-Balancer NetScaler StoreFront XenApp
https://FQDN/ https received request and forwarded to NetScaler on https://FQDN:8443

Accepts requests from Azure L/B on https://FQDN fwd to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway from HTTPS://FQDN but the Call-back FQDN is on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested
https://FQDN ↔ AzureL/B ↔ NetScaler:8443 NetScaler https://FQDN:8443 ↔https://FQDN StoreFront StoreFront Call-back https://FQDN:8443
StoreFront configured NetScaler Gateway https://FQDN

1. If you are choosing this option as your preferred lets hope then complete steps 1-5 and also step 7 to save you time!
2. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway MUST BE e.g https://go.x1co.eu NOTICE NO :8433 YES not :8443 here. Now on the call-back FQDN addresses YOU MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu otherwise fronting NS with an Azure L/B to acheive HTTPS://FQDN for the XAD Gateway (ICA Proxy) will NOT WORK!!!!
3. Now switch to the Azure ARM Web UI. You should probably read the following useful resources – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-overview/ and for PowerShell creation check out – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-get-started-internet-arm-ps/ for any Citrix consultants out there.
4. Azure Load-balancer and click on the “+” at the top and provide a “Name” and for the type choose “Pubic” and select your Azure “Subscription” “Existing Resource Group” and its location (Same as NetScaler deployed instance) then click “Create”
5. Now it will list the available public IP addr just select the “+”
6. Enter in a name and choose your assignment choice “Dynamic” vs. “Static” and click OK.
7. Azure will then provision your Azure L/B (Wait….Maybe coffee or tea break?)
8. Once created select your Azure L/B
9. Select “Backend Pools” enter in a name then choose your availability set and then your VM’s or VM e.g NetScaler. Azure will then provision your Azure L/B with a backend pool (Wait….)
10. Select “Frontend IP Pool” click “+” enter in a name then choose your IP addr e.g NetScaler VM and then enter in a name (all names should differ makes identification easier so a good naming convention helps 🙂 now) and choose your assignment choice “Dynamic” vs. “Static” and click OK (Updating….)
11. IMPORTANT STEP: Select “Inbound NAT Rules” select the resource from your Frontend IP Pool list from the previous point (10). Select the service “HTTPS” and port to be 443 then select the target “NetScaler VM” and then vErY iMpOrtAnt select under “Port Mapping -> Custom” and in the “Target Port enter in 8443” and click save. (Wait…)
12: Now navigate to https://FQDN and attempt to login either using either sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and thereafter you should be able to successfully launch your virtual apps & desktop published by XenApp 7.11+. The below image represents the end goal when fronting an Azure NetScaler in Single IP Mode with an Azure Load-Balancer as per the below image.

NetScaler VPX in Azure Deployment Guide
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/NetScaler-VPX-in-AZURE-Deployment-Guide.pdf

Advanced Setup & Configuration
The following how-to’s are from a 2016 Citrix Technology Advocates (CTA) – https://www.citrix.com/blogs/2016/05/23/expanding-recognition-for-community-contributors-citrix-technology-advocates/ Dave Bretty – http://bretty.me.uk/ which covers off how-to setup and configure FAS, NetScaler SAML/ADFS Proxy, Azure MFA and much more, so follow the links in order listed below.

1. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-1/
2. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-2/
3. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-3/
4. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-4/
5. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-5/
6. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-6/

Upgrading a NetScaler 10.5.x.n Virtual Appliance to NetScaler Unified Gateway 11.x.n

The following content is a brief and unofficial prerequisites guide to upgrade from NetScaler Gateway 10.5.x.n to NetScaler Unified Gateway 11.x.n prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
NETSCALER UNIFIED GATEWAY – nug
VIRTUAL IP ADDRESS – vip

Deployment Preparation Overview (DRAFT & MAY CONTAIN ERROR(S))
The following is an upgrade process that I utilise within my own home lab. Please ref to http://docs.citrix.com/en-us/netscaler/11/license-upgrade-downgrade/upgrade-downgrade-the-system-software.html for an accurate and official upgrade process.

1: Download the firmware of your choice if more than one is available at – http://www.citrix.com/downloads/netscaler-adc.html. Please note that your will require either a valid Citrix account to download the firmware.
2: Upload the *.tgz file you downloaded to the following location on your NS V/A “/var/install“. Once you have confirmed its successfully uploaded disconnect and close your (s)FTP application. I use WinSCP myself which can be downloaded at – https://winscp.net/ as my (s)FTP client.
3: Open a Secure Shell (SSH) connection to the NS V/A and enter in the username and password access details where prompted. Once your have successfully logged in type “shell” then type “cd /var/nsinstall” to change to the nsinstall directory and then type “ls” to confirm the uploaded file is there.
4: Now to unpack the tarball package by typing in “tar –xvzf build_X_XX.tgz”, where build_X_XX.tgz (TIP: Enter in B and press TAB to complete typing the name of the file) is the name of the NS firmware build that we will be upgrading to. Once the tarball is successfully unpacked type in “ls” verifying that you can see the extracted files from the tarball.
5: Now type in “./installns” to begin the upgrade process and where prompted type in “Y” to reboot the NS V/A
6: Move to your hypervisors mgmt. console and watch the NS CLI reboot and once you can see the NS login prompt within the CLI navigate to the NS mgmt. IP addr and login using your NS access details and verify that the NS V/A has been successfully upgrade to your firmware of choice by looking at the firmware version in the top right-hand corner of the WebUI.

XenMobile AppController 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile AppController 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

New & Existing XenMobile AppController (XAC) Admin & User Consoles
1: The NEWEST console is a troubleshooting one which is accessible at https://XAC-FQDN:4443/ControlPoint/support which allows troubleshooting of NetScaler Gateway, XenMobile Device Manager
2: Control Point Admin console – https://XAC-FQDN:4443/ControlPoint/
3: Hidden Admin console – https://XAC-FQDN:4443/admin.
4: Receiver for Web (RfW) provides user access to SaaS, Web-links – https://XAC-FQDN:4443/Citrix/StoreWeb/ natively. You can integrate XAC with StoreFront to enumerate published Windows apps, Sever and Desktop VDI’s from XenApp, XenDesktop 7.x.

What’s New
0: XenMobile Security PDF document – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf and XenMobile security microsite is also available at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
1: Support for Windows Phone 8.1 MDX Policy’s for WorxMail and WorxWeb only – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-worx-about-wrapper.html. You can learn how to wrap Worx apps for Windows Phone 8.1 using this useful CTX article entitled “FAQ: Windows Phone 8.1 and XenMobile 9” – http://support.citrix.com/article/CTX200105 and also watching the following video below from Citrix TV.

2: New troubleshooting and support console that can download logs, perform connectivity tests and upload logs to http://taas.citrix.com. The console is available at – https://XAC-FQDN:4443/ControlPoint/support once you have successful authenticated at https://XAC-FQDN:4443/ControlPoint/. You will need to know the admin access details for NSG, XAC and XDM in order to effectively use this console.

3: Wrapping iOS Worx Apps Video.

4: Wrapping Andriod Worx Apps including covering off how-to sign multiple *.APK files using a BASH script. Refer to the XenMobile 9.0 MDX Toolkit Documentation
– http://support.citrix.com/article/CTX140458 for more information once you have watched this video.

5: XenMobile 9.0 MDX Toolkit Documentation – http://support.citrix.com/article/CTX140458

Installing & Deploying XAC 9.0
1: Review and understand the systems & networking pre-requites of the XAC virtual appliance at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-sysreqs-wrapper-con.html and http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-prepare-xenmobile-checklist-con.html.
2: Deploy the XAC virtual appliance on your chosen hypervisor and boot it and follow the onscreen instructions to apply the IP addr, DNS e.t.c and reboot upon completion connect to the Web Admin UI to compete the initialisation wizard thereafter you can begin to setup and configure your XAC virtual appliance and upload your MDX signed Worx apps and configure the MDX policies as required per app per supported platform. Don’t forget to generate and sign a CSR for the XAC and optionally sign it with your Enterprise CA (PoC/Demo environments) or a Public CA (PROD environments) and apply your own SSL certificate(s) to the XAC refer to – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-appc-cert-install-con.html or for a video demonstration watch – http://www.citrix.com/tv/#videos/9501.
3: Configuring MDX policies for Windows Phone 8.1 – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html, iOS – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html. Finally checkout how-to configure encryption policies – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-encryption-con.html.
5: Once you have setup and configured your XAC appliance you can setup high-availability – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-ha-wrapper-con.html.
6: If you are looking for the XenMobile Reference Architecture please refer to http://support.citrix.com/article/CTX140433.

XenMobile Enterprise 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Enterprise 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE ENTERPRISE – xme
XENMOBILE CLOUD – xc
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns
PUBLIC KEY INFRASTRUCTURE – pki

XenMobile Security
1: Citrix have published a Whitepaper in PDF format covering the security within XenMobile which can be downloaded directly at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf there is also a new security web page within the XenMobile microsite on Citrix.com at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
2: Security harden your XDM implementation leveraging Microsoft’s leading best practises I have listed below are a few (starter) useful resources. I always believe that you should challenge the way you are manage your infrastructure periodically from the services, ports, packages running on servers to the ACL at the edge of your network to ensure that you are using the latest leading best practises for monitoring, managing and supporting your environment(s) end-2-end and often this will require input from a Server, DBA SysAdmin & network engineer.

Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/gg236605.aspx
http://technet.microsoft.com/en-us/library/dd548350(v=ws.10).aspx

Windows Server 2012
http://technet.microsoft.com/en-us/library/jj898542.aspx
http://technet.microsoft.com/en-us/library/hh831360.aspx.

What’s New & Fixed
1: Support for Windows Phone 8.1 MDM API’s which include but not limited to software inventory, disabling of the camera, encryption e.t.c and for a complete list checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-config-win-81.html.
2: New MDX policies for Windows Phone 8.1 e.g Document exchange (Open In), App restrictions, iOS e.g AirDrop, Social media integration and others.

For a full list of MDX policies for iOS checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html and for Windows Phone 8.1 checkout – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html.

3: Cloud enabled Enterprise Mobility Management (EMM) powered by with XenMobile Cloud – http://www.citrix.com/products/xenmobile/tech-info/cloud.html.

4: New RBAC options within XDM to optionally ring or disown devices.
5: IPv6 licensing is now supported for XDM 9.0 check out – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-xenmobile-licenses-con.html in addition checkout this Citrix Blog article for a set by step how-to – http://blogs.citrix.com/2014/07/02/install-license-server-for-xenmobile-device-manager-in-xenmobile-9-0/.
6: XDM clustering for multiple geographic sites so that the device management service is resilient to outages at individual sites – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-ha-wrapper-con.html.
7: FIPS Compliance – http://support.citrix.com/proddocs/topic/xenmobile-90/clg-appwrap-fips-con.html
8: Secret Vault for iOS and Android- http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-secret-vault-ios-andr.html.
9: Penetration tested by Veracode and Gotham who are specialists in digital science and research.
10: Full a complete and full list of Whats new in XenMobile 9.0 please take a look at – http://support.citrix.com/proddocs/topic/xenmobile/xmob-understand-whats-new.html.
11: XenMobile 9.0 – Issues Fixed in This Release – http://support.citrix.com/article/CTX140926.
12: Always check in with the XenMobile data sheet for the most up to date and accurate features and details for XenMobile vs. editions at – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf?accessmode=direct.

Citrix Support Forums for XenMobile 9.0
You can access the latest online Citrix Discussions focused on XenMobile 9 at – discussions.citrix.com/forum/1487-xenmobile-9x/ and previous discussions can be found at – discussions.citrix.com/forum/302-xenmobile/, including ZenPrise 7.x.

Wrapping & Deploying Worx Mobile Apps for Windows Phone 8.1
1: This CTX article provides a lot of detailed pre-requites & FAQ – http://support.citrix.com/article/CTX200105.
2: http://blogs.citrix.com/2014/07/11/deploying-worx-home-and-worx-apps-to-windows-phone-8-1-with-xenmobile/.

Xenmobile 9 Basic Upgrade Video Demonstration

XME Supported Mobile OS/Hardware Platforms
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-device-platforms.html

XenMobile 9.0 MDM Policies by OS Platform
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-device-platform-matrix.html

XenMobile 9.0 Compatibility Matrix
Currently the following NetScaler (Gateway) builds are supported for XenMobile 8.6 and 8.7 is 10.1.124.1308.e and for XenMobile 9.0 the following are supported 10.1.126.1203.e, 10.1.124.1308.e and 10.5 reference – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-compatibilitymatrix-con.html.

Worx features by Platform
http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-understand-worx-feature-platform-matrix-con.html

XenMobile Public Key Infrastructure (PKI) Integration
Prior to implementing with XME I would suggest that you review and read through the PKI section in eDocs for XenMobile Enterprise 9.0 at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-manage-security-pki-overview-con.html so that you are aware and familiar with the supported PKI capabilities supported by XenMobile 9.0. The below embedded videos are from Citrix TV and covering the Symantec PKI integration for XenMobile 9.0.


http://www.citrix.com/tv/#videos/10866XenMobile Symantec PKI Integration Part1


http://www.citrix.com/tv/#videos/10867XenMobile Symantec PKI Integration Part2

Deploying & Hardening XenMobile 9.0
1: Here is a really good blog article to help you understand XenMobile Bandwith requirements and considerations – http://blogs.citrix.com/2014/07/10/xenmobile-bandwidth/ .
2. How-to restrict the XDM admin console from the Internet when using SSL Offloading – http://blogs.citrix.com/2014/07/14/mobility-experts-restrict-xenmobile-device-manager-admin-web-console-access-from-internet-when-deployed-in-ssl-offload-mode/.

XenMobile AppController 2.10

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile AppController 2.10 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
GoToMeeting – gtm
GoToAssist – gta
CERTIFICATE AUTHORITY – ca

Understanding MDX Technologies
1: Citrix MDX technologies provides and enable IT to wrap enhanced security, traffic around mobile apps for Android and iOS. The technologies can be segregated into 3 tiers called MDX ACCESS, MDX INTERAPP & MDX VAULT when determining what policy(s) to enforce. I will not look into the capabilities of each tier at a high level.
2: MDX VAULT enables encryption of the private data storage of MDX wrapped mobile apps. Check out – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-mobile-apps-encryption-con.html.
3: MDX INTERAPP allows IT to control the application fabric of MDX wrapped mobile apps e.g restricting what apps it can open in (Document Open In); opening a service of the mobile platform e.g maps when a user clicks on an address in WorxMail.
4: MDX ACCESS enables and allows IT to set a MDX wrapped mobile apps traffic to be tunnelled via a mVPN, blocked or to the internet. The mVPN can be configured with either SecureBrowse (Only internal traffic traverses up the mVPN and anything bound for the internet does not) or FullVPN (All traffic flows up the mVPN).
5: You can find more surrounding the MDX policies at these two links one for iOS at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appc-mobile-apps-policies-andr-con-1.html.

Wrapping native *.APK, *.IPA mobile apps to become MDX enabled
1: Take a look at the following documentation in eDocs at – http://support.citrix.com/proddocs/topic/xenmobile-87/xmob-appwrap-toolkit-wrapper.html then the MDX Toolkit Documentation –http://support.citrix.com/servlet/KbServlet/download/37081-102-709208/MDXToolkit%20Documentation%20v1.0.pdf and video available at showing how to wrap Android mobile apps – http://www.citrix.com/tv/#videos/9465. I have embedded the video below from Citrix.com/TV:

Pre-requisites, Understanding & Installing The XenMobile 8.7 Components End-2-End for a PoC or a Demo Environment (DRAFT & MAY CONTAIN ERROR(S))
Coming soon!

NetScaler Gateway 10.1.120.1316.e

The following content is a brief and unofficial prerequisites guide to setup, configure and test NetScaler Gateway 10.1.120.1316.e to support a XenMobile Enterprise 8.6 deployment prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
NETSCALER GATEWAY – nsg
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
CERTIFICATE – cert
REMOTE ACCESS – r/a
XENAPP – xa
XENDESKTOP – xd
XENMOBILE ENTERPRISE – xm
XENMOBILE APPCONTROLLER – xac
XENMOBILE DEVICE MANAGER – xdm

What Is A NetScaler Gateway
It allows you to safely, securely expose your organisations trusted network and resources to an end-point either via a MicroVPN (CVPN) – http://support.citrix.com/article/CTX136914 or a FULL VPN. The NSG provides and supports a simple yet secure R/A solution for Citrix XenDesktop, XenApp, XenMobile solutions. There have been recent updates to the NSG to incorporate setup wizards to enable organisations to more rapidly setup, configure and deploy a R/A solution without having to request a NetScaler Gateway expert to setup and configure the policies to enable R/A. What is a e release of a NSG check out – http://blogs.citrix.com/2013/03/29/citrix-access-gateway-demystifying-the-e-releases/.

Deploying & Configuring The NetScaler Gateway 10.1.120.1316.e For A XenMobile Enterprise 8.6 Solution
1: Physical or Virtual System requirements – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-netscaler-gateway-reqs-con.html, VPX – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-vpx-introduce-wrapper-con.html#ag-vpx-introduce-wrapper-con and MPX – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-model-MPX-spec-ref.html.
2: Pre-requites and checklist – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-checklist-10-1-con.html, http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-deploy-xenmobile-con.html
3: Deploying the NSG and performing the initial configuration – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-install-ng-network-con.html.
4: Creating a certificate for NSG – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-create-csr-ng-tsk.html also watch the NSG certificate video at – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-product-videos-con.html.
5: Uploading a license to the NSG – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-install-license-on-ng-tsk.html.
6: Configuring the NSG for XenMobile – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-config-ng-wizards-con.html.
7: Configure DNS suffixes – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-connect-mobile-devices-android-split-dns-tsk.html#ng-connect-mobile-devices-android-split-dns-tsk or http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-mobile-device-dns-suffix-tsk.html and if you will be supporting Android handsets within your organisation remember to configure DNS for Android devices – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-mobile-devices-android-split-dns-tsk.html.
8: Configuring the STA for WorxMail – http://www.citrix.com/tv/#videos/9210.
9: Testing your NSG – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-test-ag-configuration-tsk.html.

Worx Mobile App Suite NSG Support Table Matrix
http://support.citrix.com/proddocs/topic/xenmobile-connect-users/xmob-worx-supported-platforms-con.html.

Coming Soon!
More coming soon in the inter in check out – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-deploy-architect-netscaler-gateway-con.html.