Creating and renewing an APNs Certificate for XenMobile

The following content is a brief and unofficial prerequisites guide to creating and renewing an Apple APNs certificate prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
INTERNET INFORMATION SERVICES – iis
CERTIFICATE AUTHORITY – ca
APPLE PUSH NOTIFICATION SERVICE – apns
CERTIFICATE SERVICE REQUEST – csr

What is an Apple Push Notification service (APNs) Certificate and how does it work?
APNs certificates enable the secure delivery of information/notifications to iOS and OS X devices, with the information/notifications originating from a XenMobile Server that holds a trusted APNs certificate signed by Apple and Citrix. In this particular overview I am referring to MDM/Mobility vendors e.g Citrix, Airwatch by VMware, MobileIron etc.

An APNs certificate allows any end-user to enroll his/her iOS device (iPhone, iPad), whether it be corporate or personally owned (BYO), against a XenMobile Server in order to obtain organisation-specific configurations e.g Wi-Fi configurations and of course security policies following leading best practice e.g the user's PIN must be alphanumeric, 6 characters in length and must be changed once every 90 days to meet organisation password policy guidelines etc.

I won't attempt to explain how APNs certificates work technically. I do understand it, but I believe Apple’s documentation is simple, very clear to understand and provides a great overview of how APNs works and functions, so please visit the following link – https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9.

Creating and renewing an APNS Certificate with IIS (SuGgEsTeD for PoC Environments + Draft)
0: You will require a valid Citrix partner account to access your Citrix My Account – http://www.citrix.com/account.html and you will require a valid Apple ID to log in to the APNs Portal to complete your APNs signing request and for on-going APNs maintenance i.e. renewing, revoking your APNs certs. If you do not have a valid Apple ID you can create one at the following link – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId.
1: Prior to creating your APNs cert you should consider the following: will your customer's PoC ever move to a pilot or even to production? If it may, then you/they should carefully consider exactly where you will generate the Certificate Signing Request (CSR) for the APNs certificate to be used with XenMobile, because the private key is created on, and stays on, that server until you export it in step 7.
2: Open up IIS on your chosen Windows Server, click Server Certificates and select “Create Certificate Request”. Enter the following information into the “Distinguished Name Properties” pop-up window which appears and once completed click Next. On the “Cryptographic Service Provider Properties” window select “Microsoft RSA SChannel Cryptographic Provider” as the Cryptographic service provider and a Bit length of “2048” from the dropdown lists. Then save the CSR on your desktop providing it with a name e.g XM_APNS-CSR.txt

IIS Request – Your Response
Common Name – e.g myMDM-for-xm-anps.axendatacentre.com
Organization
Organizational Unit
City/locality
State/province
Country/region

3: Next navigate to https://xenmobiletools.citrix.com/ from the IIS Windows server that you generated this XenMobile APNs CSR from and sign-in with your Citrix partner access details.
4: Upload your CSR as described on-screen at https://xenmobiletools.citrix.com/ which will then return a *.plist file to download (Save it).
5: Next navigate to Apple’s Push Certificates Portal at – https://identity.apple.com/pushcert/ and log in with your Apple ID. Next click “Create a Certificate” and, following the on-screen instructions, upload the *.plist file that you downloaded from the XenMobile Tools portal in step 4 above. It will then prompt you to download a *.pem file; ignore the filename e.g MDM_Zenprise.pem.
6: Import the *.pem file downloaded from the APNs portal in step 5 above into IIS using “Complete Certificate Request” and specify a friendly name (use the same common name you specified in step 2 above). Optional: if your cert import fails then be sure to import Apple's intermediate and root certificates from – http://www.apple.com/certificateauthority/ and repeat the import process once more. Also check out – http://support.apple.com/kb/ht5012 entitled “Lists of available trusted root certificates in iOS” for further help & guidance.
7: Export the imported APNs certificate via IIS, specify the path to save the cert, which will be in *.pfx format, and specify a strong password to protect your APNs cert. Finally, note to self: DO NOT FORGET the password.
8: When prompted during the XMS Admin WebUI configuration, after completing the XMS CLI setup, follow the import process in the table below.

Import – Keystore
Keystore Type – PKCS #12
Use as – APNs
Keystore file – The path to your completed XM APNs cert which will be in *.pfx
Password – The password you typed in at step 7 above
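
Before importing the keystore into XMS it is worth confirming that the *.pfx exported in step 7 really contains the private key, uses the 2048-bit key requested in step 2 and is not close to expiry. The PowerShell below is an added example, not part of the original post or any Citrix tooling; the function name Test-ApnsPfx, the file name XM_APNS.pfx and the 30-day warning window are assumptions.

```powershell
# Added example: sanity-check the exported APNs .pfx before importing it into XMS.
# Test-ApnsPfx is a hypothetical helper name, not a Citrix or Microsoft cmdlet.
function Test-ApnsPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [int]$MinKeyBits = 2048,   # bit length selected in step 2
        [int]$WarnDays   = 30      # assumption: how early to flag an upcoming renewal
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).Path

    # A wrong password or a damaged file throws here, which is itself a useful check.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $fullPath, $Password
    try {
        # GetRSAPublicKey returns $null when the certificate does not carry an RSA key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits  = if ($rsa) { $rsa.KeySize } else { 0 }
        $now      = Get-Date
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

        $problems = @()
        $warnings = @()

        if (-not $cert.HasPrivateKey) {
            $problems += 'PFX holds no private key: it was not exported from the server that generated the CSR.'
        }
        if ($keyBits -lt $MinKeyBits) {
            $problems += "RSA key is $keyBits bits, expected at least $MinKeyBits."
        }
        if ($now -lt $cert.NotBefore) {
            $problems += "Certificate is not valid until $($cert.NotBefore)."
        }
        if ($daysLeft -lt 0) {
            $problems += "Certificate expired on $($cert.NotAfter)."
        }
        elseif ($daysLeft -le $WarnDays) {
            $warnings += "Certificate expires in $daysLeft day(s); plan the renewal now."
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            KeyBits       = $keyBits
            HasPrivateKey = $cert.HasPrivateKey
            Problems      = $problems
            Warnings      = $warnings
            Ok            = ($problems.Count -eq 0)
        }
    }
    finally {
        # Release the certificate and the key material that was loaded with it.
        $cert.Reset()
    }
}

# Usage: the path is a placeholder for wherever step 7 saved the export.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Test-ApnsPfx -Path "$env:USERPROFILE\Desktop\XM_APNS.pfx" -Password $pfxPassword | Format-List
```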

Creating and renewing an APNS Certificate with NetScaler (SuGgEsTeD + Draft)
Coming soon…

What’s new with XenApp/XenDesktop 7.6 Feature Pack (FP3)

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenApp, XenDesktop FP3 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
EXPERIENCE 1st – x1
STOREFRONT SERVER – sfs
FEATURE PACK – fp
THINWIRE PLUS – thinwire +
THINWIRE COMPATIBLE – thinwire c
USER EXPERIENCE – ux

What is new in FP3?
0: ++An absolutely MUST read entitled “HDX Graphics Modes – Which Policies Apply to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.6 FP3” which is available at – http://support.citrix.com/article/CTX202687 prior to implementing any of the new graphics mode/encoder(s) within XAD 7.6 FP3.
1: Support for Windows 10 Enterprise Edition, in the Standard VDA for Windows Desktop OSes.
2: HDX Broadcast updates include the following:

Framehawk (Admin guide – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Framehawk%20Administration%20Guide.pdf) virtual display channel is integrated into the standalone VDA package.
Thinwire Compatible Mode – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-hdx-landing/thinwire-compatibility-mode.html, also referred to as Thinwire +/Plus, is the very latest encoder to deliver a fantastic and rich X1 UX for virtual apps and desktops delivered from Windows Server 2012 R2, Windows 8.1 and 10 powered by XAD 7.6 FP3. To learn more check out – https://www.citrix.com/blogs/2015/10/09/a-big-leap-in-ica-protocol-innovation-for-citrix/. Set the “Use video codec for compression” to “Do not use” which will force the use of Thinwire Compatibility Mode by default for user ICA/HDX sessions on XAD 7.6 FP3.

HDX Framehawk Performance in XenApp and XenDesktop 7.6 FP3

3: ++Updated Studio built-in policies ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-templates.html which include the following:

– Very High Definition User Experience+
– High Server Scalability *+
– High Server Scalability-Legacy OS **
– Optimized for WAN *+
– Optimized for WAN-Legacy OS **
– Security and Control

+ New or adjusted to meet today’s new requirements
* Windows 8.1-10, Windows Server 2012 R2
** Windows 7, Windows Server 2008 R2

4: Support for signature devices (Wacom) and drawing tablets which can be applied by adding the following USB device policy settings ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-settings-wrapper/xad-policies-settings-ica/xad-policies-settings-usb.html.
5: The HDX 3D Pro VDA used to deliver HDX Rich Graphical apps now supports full-screen apps including 3D and gaming apps within single monitor for ICA sessions.
x: For a full and complete list with accurate descriptions and overviews please check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-whats-new.html.

What’s new with StoreFront 3.0.1?
This release contains a number of fixed issues ref – http://docs.citrix.com/en-us/storefront/3/sf-about-30/fixed-issues.html including support for TLS 1.0-1. Please beware that SSL 3.0 is NOT supported and Citrix strongly recommends that you do not use it.

StoreFront 3.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test StoreFront 3.0 alongside XAD 7.6 FP2 or FP3 to deliver a X1 UX for the Citrix Receivers (X1) prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
STOREFRONT SERVICES – sfs
VIRTUAL MACHINE – vm
HIGH DEFINITION EXPERIENCE – hdx
X1 – Experience First
RECEIVER FOR WEB – rfw
USER EXPERIENCE – ux

What’s New
0: X1 is a Citrix project name.
1: Receiver for Web within StoreFront 3.x.n – http://docs.citrix.com/en-us/storefront/3/manage-citrix-receiver-for-web-site/sf-receiver.html powers the next generation of Citrix’s eXperience 1st (X1) User eXperience (UX), providing end-users with a truly organisation-branded UX (logo + colours, style, app bundles*) that is consistent and seamless across any device or form factor e.g smart phones, tablets, PCs, Macs, HTML5 Internet Browsers etc. Citrix SysAdmins can also set up app bundles, technically referred to as “Manage Featured App Groups”, enabling users to subscribe faster to one or many published apps by resource type, role or application category; check out – http://docs.citrix.com/en-us/storefront/3/manage-citrix-receiver-for-web-site/sf-manage-app-groups.html for how to configure and set them up.
2: Citrix announced at Citrix Synergy 2015 the latest and next generation Citrix Receiver (Project X1) for desktops and mobile which provides that seamless and consistent UX that I just touched upon. To see it in action for the desktop Citrix Receivers there is a simple yet powerful demonstration from Synergy 2015 available below.

The new unified Receivers for Mobile will include a unified architecture that consists of HDX and MDX support with a new UX architecture powered by StoreFront 3.x.n Receiver for Web. To get a high level overview watch Mark Templeton’s overview of it at – https://www.youtube.com/watch?v=jkZh669DsvU during the Citrix Synergy 2015 Keynote, but be sure to forward to circa 56 minutes. Finally watch the following Citrix SynergyTV session entitled “SYN321: Technical deep dive on Receiver” covering the architecture of the new project X1 Receivers, branding and customisations.

Branding Your Enterprise App Store
The following blog articles from Citrites e.g Citrix employees provide an in-depth overview of how to customise and brand your organisation’s enterprise app store to provide that seamless and consistent X1 UX. Review the following blog articles by Richard Hayton – https://www.citrix.com/blogs/author/richardha/ and also – http://blogs.citrix.com/2015/09/04/storefront-3-web-customization-branding-your-deployment/ entitled “Storefront 3 Web Customization: Branding Your Deployment”.

HDX Broadcast now with Framehawk

The following content is a brief and unofficial prerequisites guide to setup, configure and test HDX Broadcast now with Framehawk with XAD 7.6 FP2 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
UNIFIED COMMUNICATIONS – uc
MICROSOFT – ms
NETSCALER GATEWAY – ns(g)
INDEPENDENT COMPUTING ARCHITECTURE – ica
FEATURE PACK – fp
NETSCALER UNIFIED GATEWAY – nug
NETSCALER GATEWAY – nsg
EXPERIENCE 1st – x1
STOREFRONT SERVER – sfs

What is Framehawk?
It forms part of HDX Broadcast technologies within the High Definition eXperience (HDX) stack, providing an enhanced X1 UX over broadband wireless and cellular connections where users experience the effects of packet loss, congestion, latency and jitter. The technology came from the Framehawk acquisition made by Citrix in 2014 ref – https://www.citrix.com/news/announcements/jan-2014/citrix-acquires-framehawk.html. Framehawk is defined as a lightweight frame buffer protocol (UDP based) and adds a new virtual channel to the ICA protocol. The initial release is targeted at users connected to XAD 7.6 FP2 via TRU networks, however as of 14/08/2015 ref * Framehawk is now also available for users running the latest up to date iOS Receiver – http://blogs.citrix.com/2015/08/03/receiver-for-ios-6-0-now-available-with-framehawk-support/ utilising NetScaler Gateway 11.0 build 62.10 ref the following CTX blog which also includes details surrounding the initial Framehawk release within XAD 7.6 FP2 at – *http://blogs.citrix.com/2015/06/30/our-first-release-of-framehawk-technologies/.

New Use Cases for Framehawk
The following official Citrix blog article provides insight into some of the use cases for Framehawk – http://blogs.citrix.com/2015/08/17/new-use-cases-for-framehawk/.

HDX Framehawk Performance in XenApp and XenDesktop 7.6 FP3

Demonstration of Citrix (HDX Broadcast now with Framehawk) vs. VMware

Pre-requisites & System Requirements for Deploying HDX Broadcast now with Framehawk (Draft + The Basic’s Only)
0: The HDX Broadcast now with Framehawk admin guide is available at – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Framehawk%20Administration%20Guide.pdf which I would strongly suggest that you read through before undertaking any type of PoC or internal testing of Framehawk’s capabilities within your own home lab, organisation demo environment.
1: You need to download the XAD 7.6 FP2 components from http://www.citrix.com/downloads.html. Also download the firmware update for NetScaler Unified Gateway 11.0 build 62.10** to upgrade your NUG V/A. Note: The current supported Citrix Receivers (update 22/08/2015) are the Windows Receiver 4.3 or iOS Receiver 6.0.
2: Download the DisplayStateGUI.exe * tool from http://blogs.citrix.com/2015/08/17/got-framehawk-weve-got-remote-access-tips-and-tricks/; it’s a good read by the way, so be sure to read through that official CTX blog article as well prior to deploying Framehawk in your Home/Test lab or for a customer PoC.
3: In your Citrix test or home lab environments snapshot all the relevant XAD 7.6 infrastructure components that require an update, which is most, prior to proceeding. This is typically a common leading best practice so that you can revert back in the unlikely event of a failure or corruption of any components during the infrastructure update.
4: Once the updates have been successfully installed and you’ve rebooted your components separately in an agreed maintenance window, launch Citrix Studio upon a successful reboot and create a new policy, selecting the Framehawk policies and adding them to your test user(s) or group(s). It is not recommended to apply this HDX policy to all users within your Site but only to those who are experiencing high packet loss ref page 12 of the Framehawk Admin Guide. Also be sure to carefully review and understand the provided technical overview of each policy setting by reading the policy description. TIP: Type in frame in the search window to find the Framehawk policies in Studio quicker.
5: Also make sure that you install and update the server and desktop VDAs within your template images or create a new set of template(s) for your desktop and server OSes. It’s your choice :-).
6: I’d suggest that you utilise a Windows end-point for your initial tests of Framehawk, so navigate to http://receiver.citrix.com which should auto detect your Windows endpoint and recommend that you download and install Citrix Receiver 4.3 for your Windows OS.
7: Once the Windows Citrix Receiver 4.3 has successfully installed, configure Receiver to point to your Citrix test or home lab environment and begin testing :-). TIP: Why not set up a DNS SRV record for e-mail based discovery? Check out – http://docs.citrix.com/en-us/storefront/3/sf-plan/sf-plan-user-access.html.
8: Once you have configured Receiver, launch a desktop and run DisplayStateGUI.exe * and also log in to the new and updated Director to check that your launched ICA/HDX session is in fact using Framehawk and not DCR or the SuperCodec.
9: Once you’re happy, proceed to snapshotting your NUG V/A and begin the firmware upgrade from your existing NUG build to the current supported firmware version which is 11.0 build 62.10**.
10: Once you have upgraded your NUG V/A and it is functioning as expected, proceed with the following to enable delivery of HDX Broadcast now with Framehawk via your NetScaler (Unified) Gateway.
11: Enable DTLS in the settings of the VPN virtual server, enable and open 443 on TCP/UDP, and unbind and rebind the SSL cert-key pair. This second part is mandatory; for more detail ref 16 of the Framehawk admin guide.
12: Deploy XAD 7.6 FP2 as you typically would, utilising either the built-in wizards, manually using AppExpert e.t.c
13: Once it is successfully configured navigate to your external gateway FQDN and log in to ensure that you can successfully authenticate and access your RfW powered by StoreFront 3.0 with the unified experience enabled ref – http://docs.citrix.com/en-us/storefront/3/sf-manage/sf-receiver.html. Now log out and return to the NUG Admin WebUI.
14: Now complete the following steps within the NUG Web AdminUI to enable and allow Framehawk ICA/HDX sessions through your NetScaler Unified Gateway V/A:

– Click configuration tab -> NS Gateway -> Virtual Servers now click “Edit” then click “More”
– Select to enable DTLS then click “Ok”
– Now within the VPN Server screen click e.g “1 Server Certificate”
– Write down the name of the certificate
– Select your server cert and then click on Unbind above from the list of menu options and then save/close
– You will be returned to the VPN Server screen and there will be NO certs, which is normal. Now click on “No Server Certificate” to reopen it
– Click on the + sign
– Find your certificate within the list and click “Select” then when prompted click “Bind”.
– Ignore and click OK on the warning error message entitled “No usable ciphers configured on the SSL vserver/service”

15: Begin testing using Windows Receiver 4.3 from any supported Windows end-point.
16: If you wanted to enable and allow Framehawk access from iOS devices running Receiver 6.0 then please complete the following:

– On your SFS access App_Data dir of your Store in C:\inetpub\wwwroot\Citrix\Store\App_Data\
– Open the file entitled default.ica
– Under the [WFClient] section within the file add the following line of code Framehawk=On which should be under ProxyUseFQDN=Off
– Click “Save”
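
The default.ica edit above, done repeatably: the PowerShell below (an added example, not part of the original post or StoreFront itself) takes a timestamped backup and inserts Framehawk=On under ProxyUseFQDN in [WFClient] only if it is not already there. The function name Enable-FramehawkInIca is hypothetical, and it assumes the file is plain ASCII/ANSI text.

```powershell
# Added example: idempotently add Framehawk=On to the [WFClient] section of default.ica.
# Enable-FramehawkInIca is a hypothetical helper name; run it on the StoreFront server.
function Enable-FramehawkInIca {
    [CmdletBinding()]
    param(
        # Store path as given in the steps above; adjust for a differently named Store.
        [string]$IcaPath = 'C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica'
    )

    # Assumption: the file is plain ASCII/ANSI text, so a Get/Set-Content round trip is safe.
    $lines = [System.Collections.Generic.List[string]]@(Get-Content -LiteralPath $IcaPath)

    # Locate the [WFClient] section header.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[WFClient\]\s*$') { $start = $i; break }
    }
    if ($start -lt 0) { throw "No [WFClient] section found in $IcaPath" }

    # The section ends at the next [Section] header or at end of file.
    $end = $lines.Count
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[.+\]\s*$') { $end = $i; break }
    }

    # Look for an existing Framehawk entry and for the ProxyUseFQDN line to insert under.
    $existing = -1
    $anchor   = $start          # fall back to directly below the header
    for ($i = $start + 1; $i -lt $end; $i++) {
        if     ($lines[$i] -match '^\s*Framehawk\s*=')    { $existing = $i }
        elseif ($lines[$i] -match '^\s*ProxyUseFQDN\s*=') { $anchor = $i }
    }

    if ($existing -ge 0 -and $lines[$existing] -match '^\s*Framehawk\s*=\s*On\s*$') {
        return 'Unchanged: Framehawk=On is already present in [WFClient].'
    }

    # Keep a copy of the original so the change can be rolled back.
    $backup = '{0}.{1}.bak' -f $IcaPath, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $IcaPath -Destination $backup

    if ($existing -ge 0) {
        $lines[$existing] = 'Framehawk=On'            # e.g. an earlier Framehawk=Off
    }
    else {
        $lines.Insert($anchor + 1, 'Framehawk=On')
    }

    Set-Content -LiteralPath $IcaPath -Value $lines.ToArray()
    "Updated: Framehawk=On written to [WFClient]; backup saved as $backup"
}

Enable-FramehawkInIca
```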

17: Begin testing using Citrix Receiver iOS 6 on an iOS device.
18: If you have downloaded the initial Framehawk Admin Guide, it doesn’t include the remote access setup and configuration so please re-download the admin guide at – http://blogs.citrix.com/2015/08/17/got-framehawk-weve-got-remote-access-tips-and-tricks/. It is well worth a re-read in my view to better understand Framehawk.

SYN230: HDX update: What’s new
If you want to learn what’s new and all the updates to Citrix HDX I’d suggest that you watch the following Citrix Synergy 2015 session entitled “SYN230: HDX update: What’s new”.

Supported Citrix Receivers
1: The current supported Citrix Receivers for Framehawk are the Windows Receiver 4.3+ and the iOS Receiver.
2: You can download either Receiver by visiting your OS’s app store or by navigating to – http://receiver.citrix.com.
3: The current up to date Citrix Receiver feature matrix is available at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-feature-matrix.pdf.

Upgrading a NetScaler 10.5.x.n Virtual Appliance to NetScaler Unified Gateway 11.x.n

The following content is a brief and unofficial prerequisites guide to upgrade from NetScaler Gateway 10.5.x.n to NetScaler Unified Gateway 11.x.n prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
NETSCALER UNIFIED GATEWAY – nug
VIRTUAL IP ADDRESS – vip

Deployment Preparation Overview (DRAFT & MAY CONTAIN ERROR(S))
The following is an upgrade process that I utilise within my own home lab. Please refer to http://docs.citrix.com/en-us/netscaler/11/license-upgrade-downgrade/upgrade-downgrade-the-system-software.html for an accurate and official upgrade process.

1: Download the firmware of your choice, if more than one is available, at – http://www.citrix.com/downloads/netscaler-adc.html. Please note that you will require a valid Citrix account to download the firmware.
2: Upload the *.tgz file you downloaded to the following location on your NS V/A “/var/nsinstall”. Once you have confirmed it has successfully uploaded, disconnect and close your (s)FTP application. I use WinSCP myself, which can be downloaded at – https://winscp.net/, as my (s)FTP client.
3: Open a Secure Shell (SSH) connection to the NS V/A and enter the username and password access details where prompted. Once you have successfully logged in type “shell” then type “cd /var/nsinstall” to change to the nsinstall directory and then type “ls” to confirm the uploaded file is there.
4: Now unpack the tarball package by typing in “tar -xvzf build_X_XX.tgz”, where build_X_XX.tgz is the name of the NS firmware build that we will be upgrading to (TIP: Enter in B and press TAB to complete typing the name of the file). Once the tarball is successfully unpacked type in “ls” to verify that you can see the extracted files from the tarball.
5: Now type in “./installns” to begin the upgrade process and where prompted type in “Y” to reboot the NS V/A.
6: Move to your hypervisor’s mgmt. console and watch the NS CLI reboot. Once you can see the NS login prompt within the CLI, navigate to the NS mgmt. IP addr, log in using your NS access details and verify that the NS V/A has been successfully upgraded to your firmware of choice by looking at the firmware version in the top right-hand corner of the WebUI.

Fronting XenMobile 10.x.n with NetScaler 10.5.x.n – 11.x.n

The following content is a brief and unofficial prerequisites guide to setup, configure and test a NetScaler Gateway 10.5.x.n or NetScaler Unified Gateway 11.x.n fronting a XenMobile 10.x.n XMS virtual appliance prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
FEDERAL INFORMATION PROCESSING STANDARDs – fips
NETSCALER GATEWAY – nsg
NETSCALER UNIFIED GATEWAY – nug
VIRTUAL IP ADDRESS – vip
MOBILE APPLICATION MANAGEMENT – mam
MOBILE DEVICE MANAGEMENT -mdm
CERTIFICATE AUTHORITY – ca

Deployment Preparation Overview (DRAFT & MAY CONTAIN ERROR(S))
0. This section also contains the prerequisites and system requirements for each virtual appliance (V/A) for NetScaler and the XenMobile Server (XMS).
1. Review the XenMobile compatibility matrix at – http://docs.citrix.com/en-us/xenmobile/10-1/xmob-system-requirements/xmob-10-understand-compatibilitymatrix-con.html to choose the correct NS build vs. XMS build.
2. Download the V/A’s for each at signing in with your Citrix partner access details.
3. You need an SSL certificate; a wildcard is recommended for simplicity, and this should use at minimum a 2048-bit key for the CSR that you submit to your CA. If you are experiencing the following enrolment issue, Profile Installation Failed “The server certificate for ‘https://’ is invalid”, then please review http://axendatacentre.com/blog/2015/03/29/xenmobile-10-0-poc-considerations/ to help resolve this issue.
4. Generate an APNS certificate following this process at http://docs.citrix.com/en-us/xenmobile/9/xmob-dm-config-requesting-apns-con.html and sign your APNS certificate with Citrix at – https://xenmobiletools.citrix.com/.
5. You need to be aware that the port communication between the different components has changed and also the placement of the XMS V/A in XenMobile 10. A network diagram can be viewed at – http://docs.citrix.com/en-us/xenmobile/10-1/xmob-arch-overview-con.html; I would recommend that you refer to figure 4. MDM and MAM modes and also figure 5. Cluster deployments.
6. XenMobile 10 today as of writing this blog post requires the following FQDN and IP ADDR reservations to be made available when fronting a XMS V/A with NS appliance either virtual or physical 10.5.x.n and 11.x.n. Please note that for simplicity I will refer to a NetScaler Virtual Appliance V/A from here on in.

a – 1x Public routable FQDN for MDM e.g enroll.axendatacentre.com
b – 1x Public routable static IP addr that resolves to the MDM FQDN
c – 1x Public routable FQDN for MAM e.g apps.axendatacentre.com as Secure/Worx’s apps utilise a mVPN via WorxHome now SecureHub
d – 1x Public routable static IP addr that resolves to the public FQDN MAM
e – 1x DMZ private static IP addr for Gateway for your mVPN traffic
f – 1x DMZ private static IP addr for Load-balancing the MAM traffic
g – 1x DMZ private static IP addr for MDM traffic e.g enrolling and on-going device mgmt.
h – 1x DMZ private static IP addr for the actual XMS V/A

Sample PoC Diagram
* refers to the “.axendatacentre.com” ending the FQDN.

MDM (b) Firewall | MDM (a/g) NetScaler | Installation FQDN (h) XMS
enroll.* 81.xxx.nnn.100 | enroll.* 192.168.2.30 | enroll.enroll.axendatacentre.com
MAM (d) | MAM (c/e/f) |
apps.* 81.xxx.nnn.101 | apps.* 192.168.2.31, 192.168.2.33 |

7. NetScaler today, as of writing this blog article, requires the following IP ADDR reservations to allow you to front Citrix e.g “XenMobile”, ShareFile e.t.c and non-Citrix workloads e.g web services, exchange servers, application servers and much more.

– 1x DMZ private static NetScaler IP addr
– 1x DMZ private static NetScaler Mgmt IP addr for mgmt. of your NS virtual or physical appliance
– 1x DMZ private static Subnet IP addr for the NetScaler to access resources within your TRU network

8. Once you have successfully deployed your XMS use the built-in 30 day licenses for the initial configuration then allocate some eval licenses against the XMS hostname. You can allocate XM 10 licenses by choosing the “MDM/Enterprise 99 User” from – http://store.citrix.com/store/citrix/en_US/pd/productID.306222300/ThemeID.33753000. Once you have licensed the XMS V/A, proceed to deploy the NS V/A and log in to the NS V/A mgmt. interface, which will be the NS’s mgmt IP addr, and find the HostID, which will be required to license your NS V/A, or utilise the following CTX article entitled “How to Allocate NetScaler VPX Licenses” – http://support.citrix.com/article/CTX133147. Once you have the HostID visit the Citrix Evaluation Store at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 and allocate as an eXaMpLe a 3000 VPX at platinum for 90 days at – http://store.citrix.com/store/citrix/en_US/pd/productID.278306700/ThemeID.33753000 and also allocate a “Universal 99 Concurrent User Connection” from – http://store.citrix.com/store/citrix/en_US/pd/productID.282559700/ThemeID.33753000 once again for 90 days.
9. Reboot both the NS, XMS V/A and validate that they are back up and running and functioning as expected using the CLI and or the Admin WebUI’s of each V/A.

Let’s Deploy XMS fronted by a NS (DRAFT & MAY CONTAIN ERROR(S))
1. Log in to the NS Admin WebUI, navigate to the licensing tab, validate that you have all green ticks and ensure that you have 99-104 Universal licenses; if not please read step 8 above before proceeding.
2. In the bottom left-hand corner click on “XenMobile” and select “XenMobile 10” from the dropdown list on the XenMobile initial wizard welcome page.
3. Under the NetScaler for XenMobile section to the left-hand side select the following “Access through NetScaler Gateway” (MAM e.g Worx’s Apps) and “Load Balance XenMobile Servers” (MDM) and then click on Continue.
4. Enter in the IP addr e and leave the port as 443 and provide a Virtual Server Name then click Continue.
5. Select an existing wildcard certificate or upload a new wildcard certificate then click Continue.
6. Select an existing LDAP binding or create a new LDAP binding and then click Continue. Example of a Base DN for the domain axendc.co.za with domain users residing within the default Users folder within AD would be e.g “Cn=Users,dc=axendc,dc=co,dc=za”.
7. Under Load-Balancing FQDN for MAM enter in a for the FQDN and for the IP addr beneath it enter in IP addr f and then click Continue. Please leave the defaults as is for now BUT please be aware that we will not be performing any SSL Offloading or split tunnelling.
8. Select the same SSL cert as per step 5 above unless it’s NOT a wildcard certificate, in which case please upload the SSL cert for the MDM FQDN before proceeding. Click Continue.
9. Click “Add Server” under the XenMobile Servers section and enter in IP addr h and then click Continue. Note: Port for communication is 8443!
10. Click “Load Balance Device Manager/XenMobile Servers“.
11. Enter in the IP addr g and alter or leave the default name of the Virtual Server and click Continue. Note: Communication is HTTPS or SSL_Bridge as we chose not to perform HTTP or SSL Offloading in step 7 above.
12. You’ll notice that your XenMobile Servers’ IP addrs are already automatically inserted under the XenMobile Servers section; click Continue. Note: The Ports for communication are 443, 8443!
13. Click Done!
14. You have now successfully deployed a single XMS V/A fronted by a NS V/A. Once the wizard has completed you can click Edit under the “NetScaler Gateway” section on the top right-hand side, under the Test Connectivity button, to go back into the wizard and modify the split tunnelling options to meet your organisation’s needs and/or requirements.

HDX Realtime and Microsoft Lync 2013

The following content is a brief and unofficial prerequisites guide to setup, configure and test Lync 2013 with XAD 7.6 and the HDX RealTime Optimization Pack 1.7-8.x.n for Microsoft Lync prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
UNIFIED COMMUNICATIONS – uc
MICROSOFT – ms
NETSCALER GATEWAY – NS(G)
ACCESS GATEWAY – AG

Summarising your Lync 2010, 2013 Deployment Options on Citrix XenApp/XenDesktop 7.x
The following Lync deployment methods are supported by Citrix, including utilising Lync Online and Office 365, ref – http://blogs.citrix.com/2015/04/03/deployment-guide-for-microsoft-lync-2013-in-vdi-environment/.

Generic HDX Realtime *
Pure ICA/HDX between two end-points and the infrastructure.

HDX RealTime Optimization Pack for Lync® *
Optimised softphone with offloading of the media engine by Citrix Receiver at end-points.

Microsoft® Lync® VDI Plug-in
Optimised softphone with offloading of the media engine by Microsoft; however, this approach does require Windows end-points.

Local App Access *
XAD policy applied to utilise (preferred) the locally installed Lync app over the delivered Lync app.

* Please refer to eDocs or CTX200279 for the Lync Delivery Feature Matrix http://support.citrix.com/article/CTX200279. For HDX Realtime Licensing Q&A please check out – http://www.citrix.com/go/products/xendesktop/feature-matrix.html.

Deployment Guides
1: Delivering Microsoft Lync to XenApp and XenDesktop Users – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/delivering-microsoft-lync-to-xenapp-and-xendesktop-users.pdf
2: Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x – http://www.citrixandmicrosoft.com/Documents/Deployment%20Guide%20-%20Office%20365%20for%20XenApp%20and%20XenDesktop.pdf

HDX RealTime Optimization Pack 1.8
The latest released optimisation pack 1.8 supports the Lync Server 2013 Autodiscover Service and Microsoft Skype for Business client in Lync UI mode, the Microsoft Lync 2013 client, and the Microsoft Lync 2010 client (Call Park, Call Pick Up & Call forwarding and simultaneous ringing controls). There is also now support for Mac, with support for the Microsoft Windows 10 technical preview. For more information check out the official documentation at – http://docs.citrix.com/en-us/hdx-optimization/1-8.html and what’s new in XAD FP2 – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-whats-new.html.

HDX RealTime Optimization Pack 1.7
HDX RealTime Optimization Pack consists of two components: the client (the media engine is integrated into Citrix Receiver) and the server (HDX Realtime connector). A technical overview of how the optimisation pack works and helps to improve the user’s overall experience with Lync 2013, including a network diagram, can be found at – http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-17/hdx-realtime-optimization-pack-about-17.html. At the time of writing this blog article, Citrix have also recently released a great CTX article entitled “Remote Access with Citrix HDX RealTime Optimization Pack”, available at – http://support.citrix.com/article/CTX201116, explaining how to and where to deploy NS(G) for Lync 2013.

The below is an embedded Citrix TV video entitled – Ask the Architect “Citrix Optimisation Pack for Microsoft Lync”:

Microsoft Lync 2013 VDI Plug-in
As stated at – http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-17/lync-realtime-optimization-pack-17.html, Citrix recommends the Microsoft Lync 2013 VDI Plug-in for customers using Lync 2013 with Windows devices. For information about this solution, see http://technet.microsoft.com/en-us/library/jj204683.aspx and http://support.citrix.com/article/CTX138408.

Citrix X1 Mouse

The views and opinions expressed are those of the author of this entry only.

What is a X1 Mouse?
It’s a special mouse that allows you to interact with HDX published resources from XenApp or XenDesktop using Citrix Receiver on iOS or Android – http://www.citrix.com/products/mouse/overview.html. In plain English, it allows you to utilise the X1 Mouse with Windows apps & desktops using the Citrix Receiver on any iOS device that supports the Citrix Receiver, which can be downloaded from the UK Apple app store at – https://itunes.apple.com/gb/app/citrix-receiver/id363501921?mt=8.*

The X1 Mouse is compatible with Citrix Receiver 5.9.5+ and as of 15/05/2015 the following OSes are supported: iOS 8.3+, iPad 3+, iPhone 5+, Windows PC (with Bluetooth 4.0), Windows 7,8 and Android 4+. For more technical information please check out the datasheet, available at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-x1-mouse-datasheet.pdf.

The X1 Mouse is also compatible with the following iOS apps: GoToMyPC, ShareConnect and WorxDesktop. Reference the support page at – http://www.citrix.com/products/mouse/support.html and the datasheet as of 15/05/2015.

* Please do not use this link unless the app store on your iOS device(s) is configured to the UK. If you’re in another country, please open the Apple app store from your iOS device, search for Citrix Receiver and tap to install it.

Buy Now
You can acquire the X1 Mouse online at – http://www.citrix.com/products/mouse/buy.html.