Overview of Optimised vs. Un-Optimised Zoom Meetings in Citrix VDI (DaaS) The below image represents both an (un)optimised Zoom meeting running within a Citrix virtual desktop. If an employee access’s his/her Citrix virtual desktop from an endpoint e.g BYO that doesn’t have the “Zoom Media Plugin” installed like it was on there e.g CORP device then the once “Optimised” HDX offloaded A/V traffic for there Zoom Meeting is effectively now “Un-Optimised” and the A/V processing that was shifted onto the employee’s endpoint will now be processed within the Citrix virtual desktop in the resource location (data centre) causing a degraded experience, macro uplift in computing and networking resources to process the A/V for the Zoom meeting and the A/V traffic sent and received from the employees endpoint which is then sent out via the Zoom client within the Citrix virtual desktop.
— Lyndon-Jon Martin 👨🏻💻 (@lyndonjonmartin) May 7, 2020
UPDATEDZoomPre-requisites & System Requirements Follow my original guidance at – http://axendatacentre.com/blog/2020/04/22/zoom-hdx-offloading-for-citrix-virtual-desktops-part-1/. My initial test focused on testing the viability of using Zoom meetings in a Citrix virtual desktop when HDX Offloading was enabled to “Optimise” Zoom meetings and improve the employee experience by shift the A/V processing to the employee’s endpoint, the initial results where hugely promising with minimal effort.
I found some time to continue with further tests but I hit a wall the “Zoom Client for VDI” was displaying a “Grey blank screen” during the meeting and when checking the video settings within the “Zoom Client for VDI” app in system tray, you get the same result a “Grey blank screen” even though Citrix Workspace app is doing its job of automatically connecting “Microphones and Webcams” as I tested a GoToMeeing without any issues so I knew there where no policies conflicts or issues. I googled the problem briefly and found nothing useful, I then decide to revisit Zoom’s on-line documentation and found this important notification published within the last 6 days of this blog post stating that Zoom now requires both the “Zoom Media Plugin” + “Zoom Client for VDI” to match exactly from version 2.1.5 documented at – https://support.zoom.us/hc/en-us/articles/360031768011-New-Updates-for-Virtual-Desktop-Infrastructure-VDI- as, anything prior to the pending date 30/05/2020 you can configure the MinPluginVersion via registry settings – https://support.zoom.us/hc/en-us/articles/360032343371 to be able to use older versions for backwards compatibility – https://support.zoom.us/hc/en-us/articles/360041602711.
Zoom Meeting Test & Citrix Lab Overview 1.CVAD 1912 LTSR running in my personal AWS EC2 in N.Virgina, USA delivering a Citrix virtual desktop to me in London, England. The virtual desktop is running Windows Server 2019 its a “t2.medium” instance type running the 1912 LTSR Virtual Delivery Agent (VDA), also installed was the “Zoom Client for VDI” product version 4.6.15322 used during my orginal testing – https://twitter.com/lyndonjonmartin/status/1253036938992529408?s=20. To resolve the “Grey blank screen” download and install the latest product version I was running 4.6.15630. 2. Personal iPhone 7S running Zoom app setup with my account to start/stop Zoom meetings. 3. Zoom doesn’t support HDX Offloading on MacBooks therefore I used my wife Windows 10 laptop in these tests, which is running Citrix Workspace app 1912, and I installed the Zoom Plugin for Citrix Receiver product version 4.6.15630. You’ll notice that the product versions between the Citrix virtual desktop running the “Zoom Client for VDI” – https://zoom.us/download/vdi/ZoomInstallerVDI.msi and the Zoom Plugin “Zoom Media Plugin” – https://zoom.us/download/vdi/ZoomCitrixHDXMediaPlugin.msi on the endpoint are an exact match. 4. Zoom have published a VDI Backward Compatibility Matrix which is available at – https://support.zoom.us/hc/en-us/articles/360041602711.
— Lyndon-Jon Martin 👨🏻💻 (@lyndonjonmartin) May 7, 2020
Zoom VDI Optimisation Management I think its important to recognise, when rolling out the Citrix + Zoom “Optimisation” capability you need to include both the “Zoom Client for VDI” + “Zoom Media Plugin” as part of your internal and external software deployment strategy.
External Strategy Management of the “Zoom Media Plugin” is better controlled for security + avoid breaking the employee experience on supported endpoints – https://support.zoom.us/hc/en-us/articles/360031096531-Getting-Started-with-VDI by enrolling the endpoints into Citrix Endpoint Management (CEM). For Windows endpoints as the installers at *.MSI you can use the “Windows Agent” – https://docs.citrix.com/en-us/citrix-endpoint-management/policies/windows-agent-policy.html to deploy a script to update the “Zoom Media Plugin” and for iOS and Android you could send a push notification to employees to update to the latest Zoom app available in the public app store so that you have app versioning + device spectrum consistently re feature + security parity across the organisation.
-Leading practices when using a Zoom Personal Meeting IDs (PMI) -Lock meetings and require authentication -Scheduled security changes to come to FREE Zoom accounts -Zoom watermarks in two flavours
Final Thoughts Zoom continue to step up on security and privacy frontier, and the second round of tests continue to demonstrate a real WOW moment for me in how frictionless the experience has been as a IT Professional and as an consumer of Zoom meetings personally within my lab. I will time permitting continue with my full tests in the future expanding the device spectrum being inclusive of employee experience optimisation strategies.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
Introduction Zoom developed a VDI optimisation solution that enables and allows for Audio and Video (A/V) processing similar to that of Microsoft Teams today and Skype for Business originally deploying and leveraging a client and backend service software components. Zoom refers to the backend as a “Zoom Client for VDI” and then the endpoint runs the “Zoom Media Plugin” processes and handles the A/V data traffic.
Citrix Pre-requisites & System Requirements You’ll need a CVAD UAT environment to deploy fresh VM to install the “”Zoom Client for VDI” and a test Windows endpoint to install the “Zoom Media Plugin” onto. In my initial testing I am running a freshly installed Citrix Virtual Apps & Desktops (CVAD) 1912 Long Term Service Release (LTSR) which is run in my own personal “cloud” home lab in AWS EC2 geographically located in N.Virgina, USA. Zoom is also listed within the Citrix Ready website at – https://citrixready.citrix.com/category-results.html?search=Zoom.
Deployment Overview The installation and configuration for Zoom Optimisation Meetings for VDI is incredible frictionless that it took me less than 5 minutes to complete the deployment, then test my first ever Zoom video conference call running in a Citrix Virtual Desktop. The following in order of events.
1.Download “ZoomInstallerVDI.msi” and install the “Zoom Client for VDI” within my PoV Citrix Virtual Desktop. 2.Download “ZoomCitrixHDXMediaPlugin.msi” and install the “Zoom Media Plugin” onto my Windows endpoint where I connect to my Citrix Virtual Desktop through Citrix Workspace app for Windows CR. 3. Downloaded the Zoom app from the Apple App store – https://apps.apple.com/gb/app/zoom-cloud-meetings/id546505307, please this link if for the UK Apple app store. I completed the first user experience and register myself a Zoom account. 4. I started Zoom instant meeting and then invited another participants using a meeting ID# and by default each room as a unique password to join, for more on the security of Zoom see towards the end. 5. I successfully logged into my Citrix Virtual Desktop and run “Task Manager” likewise I started “Task Manger” on my local Windows endpoint. 6. I clicked to start “Zoom VDI” app within my Citrix Virtual Desktop which there prompts you to enter in “Meeting ID” (preferred as it’s always a unique #) or “Personal Link Name”, select your preferences for audio and video upon joining. Next by default I expected to join the virtual meeting but was halted as I was required to enter in a passcode/password to actually “join” Zoom video conference call currently in progress. 6. Zoom video conference call started and immediately VDI optimised with the A/V traffic been processed locally on my local Windows endpoint.
Important Note: I only tested VDI Optimisation from within my AWS EC2 personal lab boundary as I don’t have a physical Windows endpoint at home to test it with so that will be included in part 2, my goal was to see how easy it was and if it worked a frictionless as I thought it might just by reading through Zooms online documentation.
Demonstration of Zoom A/V Offloading In the initial demo below for part 1, I connected to a Citrix virtual desktop running in AWS EC2 (N.Virginia) in a double hop scenario, as Zoom don’t currently support Apple Mac endpoints for any Zoom VDI offloading. The video of me you see in the demo video is from my personal iPhone (London, England) connected to the Citrix virtual desktop (N.Virginia, USA). Note I didn’t test bi-directional video and or audio communication, and a few other topics, which I will follow-up in the future time permitting, but as you can see the Zoom video conference call offloads the Zoom A/V traffic to the connected Windows endpoint effortlessly! Great work Zoom I am well impressed with my initial testing today.
Employee Experience VDI Limitations Zoom and provided a high level feature “comparison” matrix – https://support.zoom.us/hc/en-us/articles/360031441671-VDI-client-features-comparison#h_fceae51c-f385-4a20-bd54-c7c50f186c15 depicting the differences between the Zoom VDI client vs. the Desktop and Web clients. Its important to be mindful of these differences in order to properly educate your employees when dealing with service desk requests or better prior to rollout by posting an internal article on your companies intra or extranet. The following for me are important limitations to be aware of, when deploying and consuming Zoom through a Citrix Workspace lens.
– Maximum resolution of 1080p and up to 380p for thin client h/w. – No dual monitor support – Support for up to 9 visible video participants – No Apple Mac device support for HDX offloading of Zoom A/V data traffic
Security & Privacy Zoom has recently been in the press surrounding security and privacy practises “Google it”, with that been said its worth noting that Zoom as an organisation committed to a 90 day security plan centred on its platform + client security, today 22/04/2020 they published the following article on there corporate blog “Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0” – https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/, so be sure to read through it.
Final Thoughts I have alot more questions and tests to do the above is only the very beginning, next I’ll be evaluating fallback scenarios, more of a focus employee experience use-cases including unconsidered needs, tweaks of course and finally testing a 🙂 endpoints in London, England whilst my Citrix Virtual Desktop in N.Virgina, USA as this is how I have tested these types of Unified Communications (UC) or Video Conference platforms all the way back to Lync with the Citrix HDX Optimisation pack.
I honestly found the setup and deployment of Zoom’s VDI Optimisation ridiculously simple its incredibly frictionless! I guess thats why many folks are still continuing to consume and use Zoom for video conferencing.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.
The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering Microsoft teams within a Citrix virtual desktop powered by Citrix Virtual Apps & Desktops (CVAD) Service – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service.html in Citrix Cloud prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed here are those by the author only and do not necessarily conform to industry descriptions nor leading practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
Shortened Names SKYPE FOR BUSINESS – skype4b CITRIX VIRTUAL DESKTOP – cvd CITRIX VIRTUAL APP & DESKTOP – cvad VIRTUAL DELIVERY AGENT – vda HIGH DEFINITION EXPERIENCE – hdx VIRTUAL DESKTOP – vd VIRTUAL APPS – va REALTIME MEDIA ENGINE – rtme CITRIX WORKSPACE APP – cwa MICROSOFT TEAMS – teams CURRENT RELEASE – cr LONG TERM SERVICE RELEASE – ltsr
Understanding a HDX Optimised vs. Non-Optimised CVAD Deployment The following HTML diagram depicts the differences between (un)optimised, I’ve also included a few suggested considerations as well.
Optimised for HDX Teams Offloading
Teams app 1.2.00.31357
End-point + Citrix Workspace app (CWa)
Windows OS VDA YYMM
ICA/HDX Virtual Channel*
Teams app 1.2.00.31357
HDX Teams Services
End-point + Citrix Workspace app (CWa) – Windows 1911*
A/V Traffic to other End-Point
HDX Embedded Media Engine
1. It’s very important to recognise that employees will find themselves in a situation where the connected end-point is unoptimised during work from home scenario e.g COVID-19 and therefore you should plan for these scenarios by implementing the right vs. relevant HDX policy strategy “Balanced” vs. “Preferred” see below guidance. 2. Educate employees when using a non corporate device e.g personal device at home during to COVID-19 they will likely be consuming an un-optimised version of Teams in CVAD, its important to set a exception to avoid unnecessary help desk tickets/calls. 3. Any and all exchanged IM’s and documents live within the CVAD lens meaning that your IP + Pii in any documents lives within the employees CVAD resource e.g Virtual Desktops when they exported it from a IM’s vs. channel(s) in Teams. It is also important to recognise that those same IMs’ vs. channel(s) originate and are available in Microsoft Teams on any device as the source, so if employees re-frame teams outside of your Citrix virtual desktop your IP + Pii in documents could be exfiltrated if the employee device(s) are not properly managed by IT e.g MEM, UEM, MAM, Secure SaaS check out – https://www.mycugc.org/blogs/lyndon-jon-martin/2020/03/27/secure-saas-on-zero-trusted-vs-earned-trusted-devi for more information.
LTSR vs. CR Strategy for HDX Offloading of Microsoft Teams? It’s worth understanding that if your CVAD deployment strategy is to use the Long Term Service Release (LTSR) then you will not receive any new features only bug fixes this thinking keeps inline with the current CVAD strategy between CR vs. LTSR (stability and long-term – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr.html) release cycles. Consuming a CR branch means that you can unlock new features as they become available by upgrading your CVAD on-premises of upgrade the CVAD Service components within your Resource Locations (RL).
1. You will require the following MSFT teams version “1.2.00.31357” in order to be able to take advantage off the HDX Offloading capabilities within a supported CVAD environment. The following Citrix Workspace app (CWa) versions are the suggested vs. minimal versions that will be required to HDX offload Teams A/V traffic onto the employees endpoint:
Suggested HDX Broadcast (Remote Graphics Mode) Policyfor 7.15 Long Term Service Release (LTSR) *Please be aware that Citrix eDocs is very clear when it states that Citrix does NOT support Teams HDX Offloading Optimisation for 7.15 Long Term Service Release (LTSR) as it is NOT listed as a supported CVAD platform, you still may wish however to test Microsoft Teams operationally e.g test out its impact on compute, I/O, user profile e.t.c and then purely for fallback failures aka NO HDX Offloading Optimisation BUT you will not be able to test the employee experience of HDX Offloading the audio/video traffic as it is NOT supported remember*). You’ll make use of your UAT 7.15 LTSR environment to be ready for a 2020-21 deployment on a supported CVAD release that supports HDX Offloading for Microsoft Teams, therefore use the built-in default HDX policy “Use video codec for compression” selecting “Use video codec when preferred” which means the following “This is the default setting. No additional configuration is required. Keeping this setting as the default ensures that Thinwire is selected for all Citrix connections, and is optimized for scalability, bandwidth, and superior image quality for typical desktop workloads.” reference the 7.15 LTSR documentation at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/graphics/thinwire.html which will probably be ok for testing under the current release that you are consuming. Final Remember: CVAD formerly XAD 7.15 LTSR platform is NOT supported for Teams Optimisation. TIP: Definitions can change between CR vs. LTSR within the HDX stack which is consistently improving and being updated to offer better employee experiences all the time e.g introduction of net new H.264 standards so always be sure to check the differences between CR vs. LTSR and CR vs. CR versions.
Transitioning from Skype for Business to Teams A number of few folks have asked the question can I mix and match Skype for Business and the Teams Optimisation Packs together? Its actually a complex answer but the immediate answer as of 03/08/2019 is below, BUT always be sure to circle back and review Citrix’s documentation for the latest supporting statements and interoperability at – https://docs.citrix.com around Teams Optimisation and when searching use “Teams Optimization”. Tip use American spelling for better results.
We only support windows CWA at the moment, which can coexist with RTME. A Mac CWA will be simply not load Teams in optimized VDI mode so we fall back to server side rendering.
The response is complex and is as follows, answers received vary dependant upon your role Citrix vs. Skpye4B/Teams SysAdmin or Consultant. As I work at Citrix today (Aug 2019) lets focus on a Citrix based role to Teams response:
1. Complete LOB app readiness of Teams including new HDX services/API’s to enable HDX Offloading within a the master image but hidden + unavailable using techniques like disabling the services for each (whatever you prefer), Citrix app layering, MSFT app masking e.t.c. TIP: Pay attention to understand the compute utilisation differences between Teams vs. Skype4B there is a difference.
2. I still need to push out the required RTME to all employee end-points so I don’t want to break the employee experience while we transition to Teams. It is expected to have backwards compatible within Citrix Workspace app for older Virtual Delivery Agent (VDA) versions check eDocs for the backwards compatibility.
3. I only want to transition employees by AD or Citrix Delivery group (department, trusted test groups e.t.c) to Teams based upon point 2 and perform a staggered canary rollout like Citrix Cloud does for each of its services.
4. The person(s) within the Skype for Business/Teams based role(s) need to setup/conf and then test the audio/video codecs prior to enabling Teams at a company wide scale, for me personally this point is actually the most critical because as you offloading the audio/video to the end-point when using HDX Offloading the back-end compute + network resources low aka aren’t taken any much of a real hit HOWEVER if the HDX Offloading fails then you really, really need to understand the impact of processing of the A/V within the Citrix session and what affect it will have on the employees experience so when he/she is completed there final tests, you should prior to a final rollout perform a test side by side two identical end-points one optimised and the other un-optimised and be sure to capture the compute + network requirements client and server side, including the network traffic and score the experience out of 10 for voice and video, the test should be done with wired (where possible today), wireless (Wi-Fi) and 4G internet connectivity in two separate locations an Office (think QoS) and at home (no QoS).
5. Once you have the results from point 4 you may want to re-evaluate your existing HDX Broadcast policies (remote graphics mode e.t.c) and take into account a fall-back scenario if HDX Offloading fails whatever the reason, you may also prefer to leave it as is, however I would strongly suggest creating an emergency fallback HDX Broadcast policy stack but it should be DISABLED and only manually pushed out only if required. The fallback HDX Broadcast policy stack is to preserve the employee experience as best you can if something goes wrong and when I mean something goes wrong I mean a non-Citrix update breaks the optimisation somehow as in reality the Citrix components e.g VDA, HDX Services/API, RTME and Citrix Workspace app are less likely to change within a 12 month period.
Suggested “Balanced” HDX Broadcast (Remote Graphics Mode) Policy for Fallback In 2016 I proposed the following HDX policy for remote graphics “Use video codec for compression” to be set to “For actively changing regions” to preserve the employee experience in a fallback scenario, its now 2019 and my Suggested HDX policy remains unchanged as long as the key goal is to preserve the employee experience to meet that HD experience and it will come at a back-end compute + network traffic spike, including increased network traffic between server and client to process the video H.264/H.265 streams.
Once upon a time I was a SysAdmin and still am at my core so I’ll have an emergency HDX policy in place BUT disabled I call it “HDX Adaptive Display v2 (Balanced)” you configure it as follows selecting the following HDX policies in Studio:
1.”Use video codec for compression” then select “For actively changing regions“ 2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24. 3. Select “Frames Per Second” and select the target FPS to circa 25 from the default which is 30.
I wrote a myCUGC article entitled “HDX Leading Best Practices for your Modern Secure Workspace” at – https://www.mycugc.org/blogs/cugc-blogs/2017/09/15/hdx-leading-best-practices-for-your-modern-secure which has some interesting thoughts and insights from nearly 2 years ago which you may find useful and yes I will write an updated article this year time permitting to complete my testing which requires extensive field testing with different devices I don’t just use a lab + network at home, I base 95% of all my article suggestions of what/how to configure settings vs. practises from my personal lab hosted in AWS EC2 in N.Virginia to delivered to end-points in the City of and Greater London, England so its not definitely poppy cop its real world + life scenarios and use cases that I test.
Suggested“Preferred”HDX Broadcast/RealTime/MediaStream (Remote Graphics Mode, Audio and Video) Policy inclusive of Fallback YES I am contradicting the above suggested HDX Broadcast fallback policy, which I have now renamed to “Balanced” from my initial post and why it still remains is that it will support organisations of any size vs. scale vs. deployment rollout vs. connected devices supporting a balance between video, audio and the remoted display so when an outage occurs and neither I nor will you know what its going to be impacted for example it could be 1x MPLS circuit failure (tip check out Citrix SD-WAN link bonding demo from Jan 2016 vs. case study vs. product page) vs. degradation of all internet circuits due to bad BGP route injections, you get the idea. I’m cautious being an ex-SysAdmin/Consultant and therefore I will summary the key differentiators from my own perspectives as follows in order:
1. How important is the employee experience? For me personally this is always #1 as today’s 2019 reality, employees want an HD 4K experience consistently therefore my personal advise is utilise the built-in default HDX policies within the Current Release (CR) typically minus 2/3 of current CVAD release with your desired HDX employee experience policy tweaks. 2. Once you understand how the humans (employees) within your organisation work using Skype for Business vs. Teams you will have better context as to the WHAT should be in your fallback policy for DR, business continuity or just individual employee devices going into fallback mode. For example understanding your employees is key lets take a look at a practical example by industry vertical, a call centre employee is more interested in better audio quality with customers vs. a clinician on a video call discussing a patients surgical/recovery plan looking at patient records. 3. Re-evaluate once every 3-4 months by asking, polling quick surveys and looking at the metrics made available in both Skype for Business vs. Teams as lets be honest its not a light switch its a journey from one to the other.
Now that you understand your humans (employees) keeping point 3 in mind and begin building out your HDX employee experience policy which most likely be the using the defaults in the 19XN releases as the HDX product management team have done an brilliant job working with engineering decreasing the amount of toggles and dials to tweak the HDX protocol and its now these days automatically adapting and adjusting to maintain the human (employee) experience.
1.”Use video codec for compression” then select “Use video codec when preferred“ 2. Select “Frames Per Second” use the default which is 30 or increase up to a maximum of 60. 3. Select “Visual quality” set to “High” going beyond this will incur high network bandwidth utilisation, but going beyond this is ok but remember if you are having continual networking performance issues unrelated to Citrix or the HDX offloading capability and employee experience has decreased overall think about a micro change for the current window and then revert. An example of using “Always lossless” is the clinician use case described above.
Tech Insight – Microsoft Teams Optimisation with Citrix
What Supported Hardware Can I Use With Microsoft Teams? Strongly suggested to only use Microsoft Teams certified headsets, speaker phones, conference phones, cameras e.t.c are listed and available at – https://products.office.com/en-us/microsoft-teams/across-devices/devices. Are my existing Citrix Ready thin clients, headsets, cameras e.t.c using with Skype for Business using Citrix’s HDX Offloading capability compatible? You will need to check with your vendor for there support status with the new optimisation pack for Teams and Microsoft Teams as there have been changes made from both Citrix + Microsoft.
How do you enable your own personal Avatar within your Citrix Workspace? I will be honest its not obvious and its driven by the Citrix Content Collaboration (ShareFile) platform.
1.Login into your Citrix Files (ShareFile) portal e.g https://axendatacentre.sharefile.eu or .com 2.Once you logged in you should be taken to “Dashboard” UI and in the middle of the web page at the top you’ll see your name e.g “Lyndon-Jon“ 3.Next to your name it will say “Add profile picture“ 4.It will then open up the “Edit Profile” web page and within the “Name and Company Details” area you’ll see parallel to your name “Profile picture” select “Upload” and browse to the picture that you will use and select it.? 5.Your picture will be upload and a green notification will appear above (right side) saying “Your profile picture has been updated.” which means your profile picture has been saved successfully. 6.Next login to your Citrix Workspace either the app or HTML5 portal and you’ll see your personalised Avatar appear instead of the standard initials Avatar. Note I did find that Citrix Workspace app across all my devices required either more than 1x refresh to propagate the new Avatar or sign-off/close Citrix Workspace app and re-login at the change propagated.
In closing you now have a personalised avatar within your Citrix Workspace available across all your devices as seen below, although I primarily use Apple devices you can see the experience persists from a HTML5 browser to the mobile and desktop apps for Citrix Workspace.
I have not checked what feature entitlement is required but considering that you personalise your Avatar in Content Collaboration its a little obvious at a glance, I will update this article in the future once I have fully investigate the entitlement required. This feature had positive impact on me that I believed a brief post about setting it up was a priority for me to share with the Citrix community.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
This is paramount to my productivity as I can get context externally from Citrix customers/partners and internally switch an email thread to a slack conversation(s) that are far more memorable and collaborative and if I or the other person is miss understood in anyway we can switch to a #SlackCall at the tap or click of a button and if necessary I can share my local vs. #virtualdesktop screen or view theres to get 360 degree feedback on a presentation, proposal e.t.c Check out – https://slack.com/apps/AAGN5FH9C-citrix-secure-mail to learn more today.
I’m often asked why Citrix? The answer can be a simple vs. complex one, therefore I choose to demonstrate why Citrix through proactive evangelism by recording myself using my Citrix Workspace actively through-out the year, which initially began in 2016 and lead to the original How vs. where I worked from in 2017 video available at – https://twitter.com/lyndonjonmartin/status/949316537021812736.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
What is Citrix Workspace app? It brings together all your LOB tools which in todays modern world consists of (virtual/micro/installed/mobile) apps, SaaS, desktops & content. I’ve embedded a sample of what this actually looks like below.
The new Citrix Workspace app way more than purely an upgrade of Citrix Receiver e.g grey to blue icon and a skin change, this NEW Citrix client app release is simply extraordinary, working for Citrix I can be considered bias however once you actually begin to consume the Citrix Workspace app you’ll understand exactly what I mean. Citrix Workspace app is for me all about an experience, and that experience is extraordinarily AWESOME! As I begin consuming my LOB (Line of Business) tools wherever I am + want and in a setting/context that suites me (home, Paddington vs. partner offices, trains, taxi e.t.c) the chosen LOB tool delivered context can change dependant upon criteria (I won’t be covering this today) or how IT (say YES!) has chosen to deliver the LOB tool through Citrix Access Control Service – https://docs.citrix.com/en-us/citrix-cloud/access-control/get-started.html.
I now have all my content available all in the same AWESOME app thank you Citrix Content & Collaboration aka ShareFile. I can upload, download and even favourite particular content e.g “L-J’s H1/2 Citrix Partner Tech Super Deck” which is then available directly from the home view/tab. In the below example I am uploading the LeasePlan Citrix SD-WAN case study – https://www.citrix.co.uk/customers/leaseplan-en.html and the actual video is available at – https://www.youtube.com/watch?v=4Hq-yryxfS0 take a look and remember to listen to the outcomes Citrix SD-WAN provides LeasePlan.
How do I get started today?
Firstly I will do a more detail blog post on getting it all up and running with use cases time dependant of course.
1.Start by navigating to https://docs.citrix.com/en-us/citrix-workspace-app.html and then goto Citrix.com and login with your access details, next navigate to https://www.citrix.com/downloads/workspace-app/ and download Citrix Workspace app for your chosen end-point. If you are running a TP of Citrix Workspace app code base please UNINSTALL it prior to installing the GA production code base as a few community individuals I know had issues upgrading from TP code base. I would like to state for the record I upgraded from PRODUCTION Citrix Receiver to the Citrix Workspace app for Mac 1808 on my Mac without ANY issues see below tweet.
5. Sign-up vs. Login to Citrix Cloud today and trial vs. acquire a Citrix Cloud service e.g ShareFile Service or the XAD Service and if you want to aggregate on-premises LOB apps into the new Citrix Workspace experience then setup “Site Aggregation” today. To learn how please read this CTXS blog post and watch the embedded YouTUBE video which provides a how-to overview at – https://www.citrix.com/blogs/2018/08/03/site-aggregation-for-citrix-workspace-is-now-ga/.
Thats all folks for now on the technical overview its brief I know so I will follow-up in future with more detailed overview + how-to e.t.c either here or on the https://www.mycugc.org website in the experts area.
Upgrading to Citrix Workspace from Citrix Receiver for smart devices
I work for Citrix, I have been a Citrix + IaaS advocate for well over a decade (now SD-WAN swell) so I am mostly likely bias you’ll think however Citrix Workspace app is truly AWESOME and way more than what you see at a glance, I encourage you all to begin consuming it today to see for yourself just what I am talking about and why I personally say its “AWESOME“.
Its that time of the year where you Citrix customers, partners can vote for your favourite Citrix Innovation Award Finalist.
This year see’s a great mixture of customers in different markets all leveraging Citrix technologies as the enabler for transformation within there organisations to embrace a new way of working or #ThisIsHowTheFutureWorks powered by Citrix Networking, Workspace and Security & Platform Analytics from https://www.cloud.com/.
I would encourage you to watch all three videos describing there journey before casting your vote as there is some really great innovation happening within these Citrix customers and if you want to get started visit https://www.citrix.com or https://www.cloud.com/ today.
Beazley from the UK – Insurance
Quote “A new mindset to work wherever I am, because I have the tools that Citrix provides and Beazley…” – @dalesteggles
Health Choice Network, US – Healthcare
WAGO, Germany – Engineering
All the very best to this years Finalists.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Session Watermark policy feature with the XenApp & XenDesktop Service (April 2018) or XenApp & XenDesktop 7.17 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
SECURITY – sec
NETSCALER – ns
NETSCALER GATEWAY SERVICE – nsg service
WINDOWS – win
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
Introduction to “Session Watermark”
The latest release of the XenApp & XenDesktop Service powered by Citrix Cloud or if you are performing a private cloud (on-premises) upgrade or net new installation of XenApp & XenDesktop 7.17 has some NEW features (another post brewing) and one that I have been waiting on for quiet sometime now has not finally arrived (WAHOO!) and its VERY VERY simple to configure and aids in improving your security posture (I believe) for delivery of apps & desktops powered by Citrix against e.g IP theft. In the below tweet can you see it?
The above is from my initial tests using a Windows Server 2016 VM hosted in Azure Northern Europe region running the 7.17 VDA configured to my Citrite #CitrixCloud XenApp & XenDesktop Service so I did not need to upgrade anything to get this new SHINY cool feature yes I said it SHINY. All I was required to do was deploy a new Windows Server 2016 VM from the Azure marketplace, domain join it, install the VDA and connect it to my Cloud Connector and I was ready in less than 25 minutes from initially deploying the VM from the marketplace.
Finally on a personal note for me Citrix SysAdmins enabling the “Session Watermark” feature obviously initally tested in a safe environment e.g UAT with a few users from a couple of departments and then rolling it out into production (as when/how your ready) will be making IT the modern “App & Desktop Security Heroes“. IT can apply and configure these new policies to be the most right vs. relevant for your organisations security needs while not hindering the end-users Rich HD eXperience.
Before we get started it is worth mentioning that this feature does add an overhead to the compute on the backend (VDA side) and therefore it is suggested to enable up to two water marking features or items. In my overview of this feature I will wont cover off the cost of implementing this security policy as there are multiple variables to consider e.g HDX Graphics Mode and associated policies to provide the right vs. relevant end-user experience vs. how many watermark items do I apply? I have begun testing so bare with me and I’ll publish my findings either on my personal blog here or on https://www.mycugc.org under the “Expert Insights” area.
“Enable session watermark”
By default this feature is DISABLED as the default behaviour which I believe is the right approach considering its Citrix’s initial release of this #security feature (in my personal view) and secondly online documentation at eDocs suggested recommendations it to enable NOT more than two watermark text items. Finally * indicates that this policy is DISABLED by default when Session Watermark is enabled.
Include client IP address
* This is the IP addr of the device connecting to the virtual app & desktop.
Include connection time
* Utilises the following format yyyy/mm/dd hh:mm to display the users initial connection time to there virtual app or desktop.
Include logon user name
ENABLED by default when you enable Session Watermark as a policy and uses the following format USERNAME@DOMAINNAME is most optimise for 20 characters or less otherwise truncation might occur of the users logon username.
Include VDA host name
ENABLED by default when you enable Session Watermark as a policy and provides the VDA hostname e.g ne1vad01
Include VDA IP address
* Provides the internal IP addr that corresponding the VDA’s hostname e.g ne1vad01 = 10.1.0.7
Session watermark style
ENABLED by default using “Multiple e.g displays five watermark labels” when you enable Session Watermark as a policy or you can configure “Single e.g displays a single watermark label in the centre of the session“. TIP switching to SINGLE and sticking to two watermark text items for me in my initial tests is a good starting policy however time will tell as I continue to test out this new feature and its capabilities with different HDX Graphics Modes and associated tweaks.
Watermark custom text
* A unicode maximum of 25 characters is supported if you exceed this limit it will be truncated.
ENABLED by default set to “17 out of 100” when you enable Session Watermark as a policy, personally I think setting it to just 1 is fine in my initial tests as you want it to be not so in your face to the end-users to be bluntly honest.
The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER – ns
XENMOBILE DEVICE MANAGER – xdm
XENMOBILR APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
XENMOBILE MAIL MANAGER – xmm
WINDOWS – win
MOBILE DEVICE EXPERIENCE – mdx
REAL-TIME – r-t
MICRO VIRTUAL PRIVATE NETWORK – mvpn
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
APPLE PUSH NOTIFICATION SERVICE – apns
UNIFIED ENDPOINT MANAGEMEMNT – uem
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE CONTENT MANAGEMENT – mcm
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
ACTIVE DIRECTORY – ad
TRUSTED NETWORK – tru
FIRST TIME USER EXPERIENCE – FTU
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.
This is going to be one of the longest posts that I am about to write so come back from the moment its published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – https://citrix.cloud.com/ in due course.
What is XenMobile?
XenMobile is a complete UEM or MEM via https://twitter.com/JJVLebon (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on there own terms.
Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. Its Fen 2018 and its still equally a tough exam to pass even though the XDM + XAC where merged into a virtual appliance now called the XenMobile Server (XMS).
If you have not deployed a mobility solution in the past or your an expert you’ll agree most likely that mobility or UEM/MEM is complex and is consistency changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly through-out your organisations Wi-Fi network and so the list continues on and on….
In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount important to be successfully. The below is list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploy a XenMobile Service PoC in the future):
– Start by reading the XenMobile Security Whitepaper – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf. This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaviour and so much more, that is definitely worth your time!
– Configure the XMS with a public routable FQDNand NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if your enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC’s (up to 100 devices) however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high-avaiability. NOTE: Do not pre-create a MS SQL database allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC’s but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.
TIP: You’ll need to active your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!
– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of CSRs for all of your mobility + XMS + NS certs is quiet important not just for the initial PoC but thinking 12 months out when the cert begin to expire where did I generate those certs from now to begin the re-signing process hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your choosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore this applies to ANY MDM vendor to be 100% clear!
– Dont assume that one individual should be deploying the XenMobile (any mobility) PoC themselves as in my experience unless your 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often its 3 people from within the IT team for high security organisation its double I find. Typically the 3 people are the Citrix Admin whom will require help & support from a networking (f/w dude:-)) or netscaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against there use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmx <-> tru).
– DO NOT USE A PROD NetScaler deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premsies vs. your chosen resource location.
– If you are intending to MDX wrap or enlighten your iOS – https://developer.apple.com/programs/enterprise/ and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if your not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c is was that the mistake occurred.
– If your not going to utilise a public CA signed certificates (Strongly Preferred) as your deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports you’ll need to make sure they are available over your corporate wifi including the over air enrolment port especially for Apple iOS devices otherwise your MDM enrolment will fail so you’ll be defaulted to only been able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security harden purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it most likely is your connecting connection on https://XMS-vip:4443 via the VIP owned by the NetScaler but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g “Invalid user for SSO” when users attempt to sign-on.
– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https
– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will required extra certs for this configuration and its well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP
NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)
1x private static IP addr that is used for the NetScalers IP Addr (NSIP)
1x private static routable IP addr between your DMZ <-> TRU which is referred to a the NetScalers Subnet IP Addr (SNIP)
1x private static IP addr that is used for the XMS
1x public internet routable FQDN e.g uem.axendatacentre.com with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.
1x public internet routable FQDN e.g mam.axendatacentre.com with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.
1. Create an organisation Apple ID at – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId
2. Generate your a CSR on NetScaler – https://support.citrix.com/article/CTX211887 or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to https://xenmobiletools.citrix.com/ and sign in where prompted with your Citrix.com partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – https://identity.apple.com/pushcert/ by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specfic a friendly name. NOTE: Optional Import Apples Certificates (*.cer, *.crl) from – http://www.apple.com/certificateauthority/ also see http://support.apple.com/kb/ht5012
8. Export the imported certifcate as a *.pfx and specifiying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI rememeber to enter the your chosen password and import it’s a keystore -> pfx format and select aPNS as the cert type.
Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM https://firebase.google.com/docs/cloud-messaging/ is the natural evolution of GCM platform, so think FireBase first for Android :-).
1. Create a organisation Google Developer account at – https://console.firebase.google.com/?pli=1, if your keen to understand how it works visit the XenMobile eDocs web page for Firebase at – https://docs.citrix.com/en-us/xenmobile/server/provision-devices/google-cloud-messaging.html.
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important well these ports will beed to made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.
Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – *https://docs.citrix.com/en-us/xenmobile/server/install-configure.html which contains a Preinstallation checklist and deployment flowchart. My goal in this section to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.
1. Download the current XMS 10.7.x.n+ v/a from – https://www.citrix.com/downloads/.
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required computed requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as its all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected.
3. Start the XMS v/a via XenCenter it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster this is so that you select the correct options during there FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:
4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.
5. Enter in a strong suitable passwd
6. Next you are promoted for network settings the IP addr will be e.g 10.1.0.99 as per my text diagram above.
7. Next your asked about an “Encrypting Phrase” most people select “y” to randomise it however you’ll never know what it is, nor can you obtain file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create there own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will differ to https://docs.citrix.com/en-us/xenmobile/server/install-configure/fips.html#par_anchortitle_8dcb for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next your asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise is was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.
9.1 – Let the first XMS v/a that you configure as part of the your XMS cluster create the required XM database itself DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.
10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g uem.axendatacentre.com, what does this mean? It means that if your where to type in uem.axendatacentre.com on your device that you reading this blog post inside the corporate file or at home it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for uem.axendatacentre.com to xms01 this will NOT work properly and devices will NOT enrolling you have been warned! If you do this you will beed to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfecting fine to accept the defaults ports here unless you a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself however remember the most complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as its a PoC
13. Next we get to the Public Key Infrastructure (PKI) which I’d prefer to configure configure all the certs with the same passwd or pass phrase or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +. Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team maybe the hypervisor admin whom does all the CLI stuff aswell while the Mobility admin handles all the logical configuration via the Web UI administrator account.
15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release please select “n” which is also the default! The XMS v/a will stop and start the app and once its completed the you see a FQDN e.g https://10.1.0.99:4443/ this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependant upon how much vCPU, RAM that you assigned to the v/a and if your on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins makes with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for uem.axendatacentre.com <-> 81.x.x.1 <-> 10.1.0.20 when they should be accessing the direct IP addr of the XMS v/a <-> 10.1.0.99. Most individual do this to test there NetScaler setup, please DO NOT setup the NetScaler do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g https://uem.axendatacentre.com:4443 either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> 10.1.0.99 IP addr on https://10.1.0.9:4443. Once your at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if its your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to https://docs.citrix.com/en-us/xenmobile/server/system-requirements/licensing.html. I would also suggest to test from each XMS v/a(s) within your cluster that you can successful connect to the remote v6 lic server which is available under the Wrench icon -> Licensing. 18. Next its cert mgmt. and a word of caution as this catches everyone out is that after uploading any certs reboot the XMS v/a(s) is required in order for the new certs to bound to the SSL listener interfaces and the existing ones to be unbind! You’ll need at this point your APNs and SSL certs for e.g uem.axendatacentre.com to upload the XMS v/a when importing your certs follow:
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Description: Date uploaded and what is it? APNs vs. SSL listener?
Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)
External URL: https://mam.axendatacentre.com
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.
Next add the following to your NetScaler Gateway configuration on the XMS.
^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: 10.1.0.21 (See text diagram above in HTML table format)
^ These settings are optional.
20. Next your promoted to setup your AD binding I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t otherwise a lot of things in your environment will break.
Port: 389 (Leave defaults unless changed within high security environments)
Domain name: axendatacentre.com
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g firstname.lastname@example.org
Domain Alias: axendatacentre.com (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)
21. Final configuration you’ll need to do is to setup XMS notifications – https://docs.citrix.com/en-us/xenmobile/server/users/notifications.html which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a
Your XMS v/a will begin to restart and once it is successfully rebooted navigate to the XMS v/a direct FQDN https://uem.axendatacentre.com or IP addr and check that the HTTPS cert status in your internet browser to ensure that it is no longer self-assigned by the XMS v/a but matches your uploaded SSL cert bound the SSL Listener.
Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – https://xenmobiletools.citrix.com and also be sure to please refer to XenMobile compatibility documentation – https://docs.citrix.com/en-us/xenmobile/server/system-requirements/compatibility.html for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I have personally have not seen this issue occur again for quiet some time but I thought its worth including encase it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – https://www.digicert.com/util/ on the originating windows server that you generated your CSR on for tier XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling there iOS devices.