Category Archives: Worx Home

NetScaler Gateway 10.1.120.1316.e

The following content is a brief and unofficial prerequisites guide to setup, configure and test NetScaler Gateway 10.1.120.1316.e to support a XenMobile Enterprise 8.6 deployment prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
NETSCALER GATEWAY – nsg
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
CERTIFICATE – cert
REMOTE ACCESS – r/a
XENAPP – xa
XENDESKTOP – xd
XENMOBILE ENTERPRISE – xm
XENMOBILE APPCONTROLLER – xac
XENMOBILE DEVICE MANAGER – xdm

What Is A NetScaler Gateway
It allows you to safely, securely expose your organisations trusted network and resources to an end-point either via a MicroVPN (CVPN) – http://support.citrix.com/article/CTX136914 or a FULL VPN. The NSG provides and supports a simple yet secure R/A solution for Citrix XenDesktop, XenApp, XenMobile solutions. There have been recent updates to the NSG to incorporate setup wizards to enable organisations to more rapidly setup, configure and deploy a R/A solution without having to request a NetScaler Gateway expert to setup and configure the policies to enable R/A. What is a e release of a NSG check out – http://blogs.citrix.com/2013/03/29/citrix-access-gateway-demystifying-the-e-releases/.

Deploying & Configuring The NetScaler Gateway 10.1.120.1316.e For A XenMobile Enterprise 8.6 Solution
1: Physical or Virtual System requirements – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-netscaler-gateway-reqs-con.html, VPX – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-vpx-introduce-wrapper-con.html#ag-vpx-introduce-wrapper-con and MPX – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-model-MPX-spec-ref.html.
2: Pre-requites and checklist – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-checklist-10-1-con.html, http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-deploy-xenmobile-con.html
3: Deploying the NSG and performing the initial configuration – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-install-ng-network-con.html.
4: Creating a certificate for NSG – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-create-csr-ng-tsk.html also watch the NSG certificate video at – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-product-videos-con.html.
5: Uploading a license to the NSG – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-install-license-on-ng-tsk.html.
6: Configuring the NSG for XenMobile – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-config-ng-wizards-con.html.
7: Configure DNS suffixes – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-connect-mobile-devices-android-split-dns-tsk.html#ng-connect-mobile-devices-android-split-dns-tsk or http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-mobile-device-dns-suffix-tsk.html and if you will be supporting Android handsets within your organisation remember to configure DNS for Android devices – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-mobile-devices-android-split-dns-tsk.html.
8: Configuring the STA for WorxMail – http://www.citrix.com/tv/#videos/9210.
9: Testing your NSG – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-test-ag-configuration-tsk.html.

Worx Mobile App Suite NSG Support Table Matrix
http://support.citrix.com/proddocs/topic/xenmobile-connect-users/xmob-worx-supported-platforms-con.html.

Coming Soon!
More coming soon in the inter in check out – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-deploy-architect-netscaler-gateway-con.html.

XenMobile Device Manager 8.6

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 8.6 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
CERTIFICATE – cert
VOLUME PURCHASE PROGRAM – vpp
XENMOBILE APPCONTROLLER – xac

APNS IIS Chaining Error
If your experiencing a chaining error when completing your APNS cert response in IIS then please navigate to http://www.apple.com/certificateauthority/ and download the Apple Root Certificate + CRL and the Apple Integration Certificate + CRL and install these appropriately into trusted root ca authority, intermediate stores of the IIS server that you are intended to complete the APNS certificate response on.

You can register/create an Apple ID at – http://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId?localang=en_US and the APNS portal is available at – http://identity.apple.com/ to submit your signed APNS CSR to be signed.

Installing XDM 8.6 (DRAFT & MAY CONTAIN ERROR(S))
0: I would recommend downloading and reading through the current Citrix Reference Architecture for XenMobile 8.6 at –
http://support.citrix.com/article/CTX13981
1: Review the system requirements –
http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-device-manager-sys-reqs-con.html and remember to consider if you are ever going to intend managing your mobile, smart devices inside and outside of your organisations trusted network. I use split DNS so the same FQDN is accessible both in/outside of my demo environment. I FQDN is typically best over a IP addr as you can always adjust the underlying IP Address of the XDM FQDN in DNS (Internal and Externally) to move it (a) from one subnet to another with different IP addressing (b) from ISP to ISP (You will always get a new allocated IP range as ISP are allocated IPv4, IPv6 address blocks) without having to reinstall the XDM. Your probably asking your why would I need to reinstall the XDM? When you install the XDM you will also configure a CA as the XDM will push certs to the devices being enrolled to restrict the devices capabilities based upon the MDM policies that you have applied within the XDM web UI so if the IP addr changes you need to reinstall and re-enrol every device so using a FQDN means that your adjust your DNS records both internally and externally with the new IP addr for your FQDN and there is no need to reinstall the XDM as the FQDN has not changed and devices will still be managed.
2: Network TCP Ports Source vs. Destination – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-component-port-reqs-n-con.html.
3: Generate an APNS certificate or use your existing APNS certificate – http://support.citrix.com/proddocs/topic/xenmobile-connect-users/xmob-dm-config-requesting-apns-con.html. If you have any chaining error(s) please refer to the APNS process in the beginning of this WordPress blog article/entry.
4: Download and install the latest STABLE versions of the Oracle Java JDK and JCE files at – http://www.oracle.com/technetwork/java/javase/downloads/index.html. You should never use BETA or builds known to be unstable or insecure. Remember to extract and copy the *.jar files to the following paths – once the Java JDK has been installed on the XDM 8.6 server.
5: Liaise with networking team(s) to ensure that your internal and external firewalls ACL are correctly configured for your XDM deployment. Take a look at the Architecture Diagram – http://www.citrix.com/content/dam/citrix/en_us/images/info-graphics/xenmobile_architecture_86.png and the read through the latest Reference Architecture documentation for XM8.6 – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-reference-architecture-for-xenmobile-86.pdf.
6: I would once again recommended downloading and reading through the Deploying the XenMobile Solution ( Currently based off 8.5 at the time of writing this blog entry) – http://support.citrix.com/article/CTX139235, alternatively continue.
7: Navigate to this eDoc’s link to begin the installation of the XDM 8.6 – http://support.citrix.com/proddocs/topic/xmob-install-dm-86/xmob-deploy-device-manager-install-steps-tsk.html

Creating A Valid Chained Certificate For Your XDM’s FQDN
There are various different methods for achieving or generating a *.pfx12 certificate you can always choose to disagree with my approach and use your own method(s) and or approach(s).

Microsoft Enterprise CA ( WaRniNg – (DRAFT & MAY CONTAIN ERROR(S)) )
1: Create a CSR for your XDM FQDN on your Enterprise CA or another server that is domain joined and has the Enterprise CA root certificate installed and valid. Please also be sure to ensure your select 2048Bit encryption when competing the wizard and save the CSR request to your desktop for convenience.
2: Open up the text document to retrieve CSR code by selecting all and copying.
3: Navigate to your Microsoft Enterprise CA CSR signing website e.g http://FQDN/certsrv
4: Request a certificate
5: Click Or, submit an advanced certificate request
6: Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
7: Enter in the CSR generated code from the XAC or XDM into the Saved Request input box then change the “Certificate Template” to Web Server
8: Click Submit
9: Download the certificate response in Base 64 format and save as certname-base64.* and then prior to closing the web page save the cert in DER format if required in the following format certname-DER.*. Tip download the *.p7b formats for each aswell. NOTE: Upon completion of importing and activating your cert on the XDM server(s) you should delete any unsecured or unused XDM certs on your file servers and desktop for security purposes.
10: Now complete the SSL signing request certificate in IIS on the Enterprise CA using the Base64 format signed SSL certificate and then export the cert and enter in a strong password and please do not forget the password. Save the exported cert on your desktop and copy onto a file share or to your file server and then copy the *.pfx12 cert you’ve just generated on your XDM’s desktop for simplicity as the next steps will require you to edit two files in notepad and create directory to put the the SSL certificate in.
10: Follow the steps in the following CTX article at – http://support.citrix.com/article/CTX136952 or http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-manage-securityid-configcert-ssl-tsk.html to apply your Enterprise CA signed *.pfx12 SSL certificate to your XDM’s FQDN.

Checkout these Microsoft certificates resources for further help and guidance.

1: http://support.microsoft.com/kb/295281 – How To Renew or Create New Certificate Signing Request While Another Certificate Is Currently Installed
2: http://technet.microsoft.com/en-us/library/cc754490.aspx – Request Certificates by Using the Certificate Request Wizard
3: http://technet.microsoft.com/en-us/library/bb727098.aspx – Chapter 6 – Managing Microsoft Certificate Services and SSL

OpenSSL
1: You will require a clean, fresh installation of XDM without any devices enrolled as I have not tested this process POST devices being enrolled.
2: Download OpenSSL for Windows at – http://www.openssl.org/related/binaries.html, alternatively if the link is dead or moved locate the download at – http://www.openssl.org/.
3: Install OpenSSL by following the onscreen instructions and remember to check the pre-requites prior to installation of OpenSSL.
4: Now that you have installed OpenSSL following the steps in this Citrix blog article at – http://blogs.citrix.com/2013/11/05/creating-a-private-key-and-csr-for-xdm/.

Deploying and Load Balancing a XDM cluster
1: These two videos available on the Citrix Blog available at – http://blogs.citrix.com/2014/03/05/configuring-xenmobile-device-manager-ha-clustering-in-less-than-15-minutes-part-1/, http://blogs.citrix.com/2014/03/05/configuring-xenmobile-device-manager-ha-clustering-in-less-than-15-minutes-part-2/ that show you how to implement a XDM cluster for high availability referenced from the following eDocs node – http://support.citrix.com/proddocs/topic/xmob-dm-config-86/xmob-dm-manage-ha-wrapper-con.html.
2: Once your NetScaler (Gateway) has been deployed and the initial configuration completed and the appropriate NS(G) licenses uploaded then please watch this video on Citrix TV – http://www.citrix.com/tv/#videos/9294 which shows you how-to L/B the XDM using the XenMobile wizard in the NS(G).

Deploying Strong Authentication
1: Client Certificate Authentication in XenMobile 8.6 – http://support.citrix.com/article/CTX139857.

Mobile Device, Application and Information Management

The following content is a brief and unofficial article about Mobile Device, Application and Information Management. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE INFORMATION MANAGEMENT – mim
MOBILE APPLICATION PERFORMANCE MANAGEMENT – mapn
ACTIVE DIRECTORY – ad

What is MDM?
It’s the capability to restrict the services and mobile applications provided by a mobile platform only e.g disabling of Siri on iOS, Chrome on Android via MDM API’s provided by the mobile OS. To achieve these capabilities and many more a MDM server e.g XenMobile Device Manager will request a mobile device to securely authenticate via a agent installed on the mobile OS e.g Citrix Enrol with a users organisational access details which will then present or rather enable the user to proceed with the MDM enrolment process i.e securely
downloading (HTTPS) and installing a secure organisation profile and MDM policies enforced by IT which effectively will restrict the devices capabilities to access mobile applications of the mobile OS or disable services e.g Disable Siri from been available when a iPhone or iPad is locked but when the user of the iOS device safely unlocks the iPhone or iPad with a pin code they can use Siri.

What is MAM?
It allows and enables your organisation to deliver safe and secure applications from your organisations data centre. This applications can be native mobile apps (iOS, Android), SaaS and Windows published applications which can now be repurposed with the Windows Mobile SDK – https://www.citrix.com/go/mobile-sdk-for-windows-apps.html and http://www.citrix.com/mobilitysdk/docs/videos/RapidStarts.htm to improve the users experience on a mobile device (iOS). As these are logical resources published or delivered and installed on an mobile device you can only lock the resources, perform a selective wipe or perform an erase of the data within the mobile apps (Published apps you simple disable that surest access via AD).

What is MApM?
It’s an acronym for essentially describing the ability to provide intelligent reporting against mobile apps via an agent on smart devices.

What is MIM?
It provides organisations the ability to take their trusted data held within internally only accessed Shared Areas, SharePoint sites e.t.c and allows organisational employees or 3rd parties i.e contractors the ability to download and potential edit office based documents, watch videos on corporate issued or BYO devices on or offline in a safe and secured environment with the ability to perform a wipe, lock or configure a poison pill against the organisational trusted data that is stored on the users device(s).

Citrix MDX Technologies

The following content is a brief and unofficial article about Citrix’s MDX Technology. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
FULLY QUALIFIED DOMAIN NAME – fqdn
XENMOBILE DEVICE MANAGER – xdm

What is and does Citrix MDX mean for wrapped iOS, Android mobile apps

Digital Signing (Wrapping) *.IPA, *.APK App Binaries To Become MDX Enabled
Coming soon! In the mean time check out Signing Android mobile apps – http://support.citrix.com/proddocs/topic/apppreptool/clg-appwrap-android-wrap-app-tsk.html, iOS mobile apps – http://support.citrix.com/proddocs/topic/apppreptool/clg-appwrap-ios-wrap-app-tsk.html.

MDX Vault
The MDX Vault technology essential provides a logical safe and secure sandboxed container within an iOS, Android platform on a device.

MDX InterApp
The MDX InterApp technology essential allows or denies other public delivered mobile apps (iTunes, Google Play) on a device access to communicate with a MDX digitally signed mobile only if allowed e.g communication for the signed MDX mobile app is set to unrestricted. How if the MDX mobile
app delivered from the XenMobile AppController is set to restricted the SysAdmin or MobilityAdmin would need to specific what mobile apps the MDX mobile app is able to communicate and share information with on the mobile device.

MDX Access
The MDX Access technology essential provides safe, secure access to internal intranet resources within your trusted network from any where in the world connected via optionally 3G, 4G & Edge mobile or wired/wireless public and untrusted networks. The technology requires a Citrix NetScaler Gateway if want to know how it works check out – http://www.citrix.com/products/netscaler-gateway/how-it-works.html. You can easily deploy a NetScaler Gateway solution utilising release 10.1+ which includes wizards – http://blogs.citrix.com/2013/07/03/citrix-netscaler-gateway-10-1-118-7-quick-configuration-wizard/.

XenMobile FIPS 140 Compliance
http://support.citrix.com/proddocs/topic/apppreptool/nl/ru/clg-appwrap-fips-con.html?locale=en