Tag Archives: Cloud Gateway

XenMobile Enterprise 8.6

The following content is a brief and unofficial prerequisites guide to set up, configure and test XenMobile Enterprise 8.6 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENMOBILE DEVICE MANAGER – xdm
CERTIFICATE SIGNING REQUEST – csr
APPLE PUSH NOTIFICATION SERVICE – apns
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
SHAREFILE STORAGEZONE CONNECTOR – szc
XENMOBILE APPCONTROLLER – xac
RECEIVER FOR WEB – RfW
OUT OF OFFICE – ooo
GoToMeeting – gtm
VOLUME PURCHASE PROGRAM – vpp

What’s New: The Highlights
0: XenMobile Datasheet by edition – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-xenmobile-the-revolutionary-way-to-mobilize-your-business.pdf.
1: Single Agent for enrolment and MDM, MDX policy control.
2: WorxMail supports OOO, GoToMeeting Fast join with telephone number and pin auto-dialled from your calendar, Office 365 Exchange.
3: Additional support for the Amazon KindleFire MDM API, Samsung KNOX API and iOS 7 MDM APIs.
4: Support for Kerberos authentication along with secure pin-based authentication to validate a user’s access to an organisation-delivered, signed and secured MDX mobile app.
5: Support for Apple’s new VPP.
6: XenMobile Cloud based offering is available.
7: Uploading of native unsigned IPA and APK files to the XAC 2.9, along with multi-domain support.
8: Redirection of HTTP, HTTPS network traffic from WorxWeb via a NSG to proxy servers within your organisation.
9: Auto-based discovery to enrol now supports email based discovery and UPN.
10: A full and complete list is available at http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-understand-whats-new-n-con.html, http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/whats-new-in-xenmobile-86.pdf.
11: NetScaler Gateway 10.1.120.1316.e is required – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-understand-whats-new-n-con.html. You can find out more about this new enhanced release at – http://blogs.citrix.com/2013/11/28/whats-new-with-the-citrix-netscaler-gateway-release-10-1-120-1316-e/.

Single Agent for Enrolment, Self-serve Store and MDM, MDX Policy Enforcement
The latest release of Worx Home provides organisations with a much simplified approach to enrolling and managing employee BYO and corporate smartphones and tablets. When users launch the app, they either enter the XDM server address or enter their organisation’s email address, which is simpler for the user and automatically resolves the organisation’s XDM server address (either an IP address or an FQDN). Next they input their user credentials, typically AD; as there are alternative enrolment options, check out – .

Once their access credentials are validated, it will open Safari (iOS) or Chrome (Android) and create a secure session back to the XDM server to download the company/organisational and MDM certificates. This process historically required the user to take steps 1 through 3 in the browser; now it automatically takes the user between the Settings area and the browser to install the company/organisational and MDM certificates (NOTE: the above is based on an iOS device).

Once the user has successfully completed the certificate installation on their smartphone or tablet, the final step will see the browser automatically redirect the user to Worx Home to validate the enrolment and allow any signed MDX or public apps to be offered to the user to install.

The user’s device(s) have now been enrolled successfully and are being safely and securely managed by the organisation’s IT, Infrastructure or IS department.

Worx Home now manages the MDM certificates, which can restrict the user’s ability to use Siri and Safari. It also manages the MDX policies enforced against *.MDX files pushed from the XAC, which can restrict the MDX mobile app from leveraging the iCloud API and restrict the copying and pasting of text from the MDX mobile app(s) to publicly delivered mobile apps from iTunes, e.g. Facebook, LinkedIn, Twitter.

How-to Deploy
MORE coming soon, but take a look at the initial resources in the Coming Soon section below. There will be more in-depth content for XDM 8.6 and XAC 2.9 in separate blog articles. This entry will cover XenMobile Enterprise as an MDM, MAM and MIM solution for your organisation.

Coming Soon!
In the meantime, check out these links.
1: Getting started with XenMobile eDocs – http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-con.html
2: What’s new with XenMobile Enterprise 8.6 Video and PDFed slide deck – http://www.citrix.com/products/xenmobile/whats-new.html
3: XenMobile Enterprise 8.6 Product Videos – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-product-videos-con.html

XenMobile AppController 2.8

The following content is a brief and unofficial prerequisites guide to set up, configure and test XenMobile AppController 2.8 (previously Cloud Gateway), part of Citrix XenMobile Enterprise, prior to deploying in a PoC, Pilot or Production environment by the author of this entry.

Shortened Names
XENMOBILE APPCONTROLLER – xac
FULLY QUALIFIED DOMAIN NAME – fqdn
CLOUD GATEWAY – cg

XenMobile Is Federal Information Processing Standard (FIPS) 140 Compliant
Check out – http://support.citrix.com/proddocs/topic/apppreptool/clg-appwrap-fips-con.html.

Certificates
1: By default, two self-signed certificates are issued to your XenMobile AppController upon initial deployment: a Server certificate and a SAML certificate, both issued to the FQDN AppController.example.com.
2: It is safe to perform the initial xac configuration with the default certificates; thereafter I would recommend generating a CSR for the host name and signing it with your Enterprise CA rather than self-signing it.

Self-Signed Certificate
1: To create a self-signed certificate directly on the XenMobile AppController, log in to the admin console at https://FQDN:4443 using your access details. Once authenticated:
2: Click Settings
3: Click Certificates
4: Click New and complete the onscreen input fields. The primary fields are: the certificate encryption strength, which should be 2048 and nothing less; the common name for the certificate, e.g. appcontroller.yourorganisation.net or xac.natal-sharks.local; and the correct country.
5: Click Save
6: The Certificate Signing Request will appear next; click Close.
7: Click to highlight the certificate with the common name entered above.
8: Click Self-Signed
9: Enter the number of days for which the certificate will be valid, e.g. 365 for a full calendar year, and click Save.
10: Your CSR has now been self-signed.
11: Click to highlight it again and click Make Active.
12: Click Yes; the newly self-signed certificate will be bound to HTTPS and you will be logged out, which is normal.
13: Clear your internet browser’s cache (IE, as an example), restart the browser and navigate back to the xac admin console. You should notice that there are no SSL certificate errors and the lock icon has a blue background. You have successfully created and bound a self-signed certificate to your xac.
14: For further information please read the following – eDocs Certificate Signing Request for the XenMobile AppController 2.8.

Enterprise CA Signed Certificate
1: Complete steps 1 through 5 of the previous section.
2: When the Certificate Signing Request box appears, copy the generated CSR into a text file, save it to your desktop and click Close.
3: Navigate to your Enterprise CA’s FQDN, follow the onscreen instructions to complete the CSR and ensure that you download the certificate response in Base64 format.
4: Navigate back to the XAC, click Import, select Server (.pem), select your certificate and click Import.
5: If your certificate has a public and private key (*.pfx12), enter the password in the password fields or leave them blank, then click OK.
6: Your signed certificate is now imported successfully.
7: Click to highlight your newly imported server certificate and click Make Active.
8: Click Yes; the newly signed certificate will be bound to HTTPS and you will be logged out, which is normal.
9: Clear your internet browser’s cache (IE, as an example), restart the browser and navigate back to the xac admin console. You should notice that there are no SSL certificate errors and the lock icon has a blue background. You have successfully created and bound an Enterprise CA signed certificate to your xac.
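
The checks behind the two certificate procedures above, as an added example that is not part of the original guide or of Citrix's tooling: before a certificate is made active, confirm that it carries the xac FQDN, uses a 2048 key, is not about to expire, and whether it is self-signed or CA-issued. It assumes the `openssl` command-line tool is installed; the host name `xac.example.internal`, the file names and both function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): inspect a server certificate before it
# is made active. Host and file names below are constructed placeholders.

# make_sample_cert <dir> <cn> <days>: constructed self-signed test input that
# mirrors the console steps (2048 key, common name, validity in days).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# check_cert <pem> <fqdn> [min_days]: prints one finding per line and
# returns 0 only when the name, key size and expiry checks all pass.
check_cert() {
  local pem="$1" fqdn="$2" min_days="${3:-30}" rc=0 bits subject issuer

  # Name: the FQDN that users and StoreFront connect to must match.
  if openssl x509 -in "$pem" -noout -checkhost "$fqdn" | grep -q 'does match'
  then echo "OK   name matches $fqdn"
  else echo "FAIL name mismatch for $fqdn"; rc=1; fi

  # Key strength: 2048, nothing less.
  bits=$(openssl x509 -in "$pem" -noout -text |
         sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ "${bits:-0}" -ge 2048 ]
  then echo "OK   key size $bits"
  else echo "FAIL key size ${bits:-unknown}"; rc=1; fi

  # Expiry: fail when the certificate runs out within min_days.
  if openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null
  then echo "OK   valid for more than $min_days days"
  else echo "FAIL expires within $min_days days"; rc=1; fi

  # Issuer: identical subject and issuer means no CA has signed it.
  subject=$(openssl x509 -in "$pem" -noout -subject)
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  if [ "${subject#subject=}" = "${issuer#issuer=}" ]
  then echo "WARN self-signed (subject equals issuer)"; fi
  return "$rc"
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" xac.example.internal 365
check_cert "$tmp/cert.pem" xac.example.internal
rm -rf "$tmp"
```

Run against the Base64 (.pem) response from the Enterprise CA, the last check should print nothing; a `WARN self-signed` line there means the file being imported is not the CA-signed response.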

XenMobile AppController 2.8
1: Download the virtual appliance for your platform at https://www.citrix.com/downloads/xenmobile.html. The supported hypervisors include XenServer, Hyper-V and ESXi.
2: Designate and document an FQDN (optionally create either an internal or external one), IP address, subnet netmask, default gateway, DNS, NTP, AD details including a domain services account and e-mail address, and a strong admin password.
3: Deploy the xac virtual appliance, access the xac console and log in using the default access details, which are username: admin and password: password.
4: Enter 0 and press return/enter to enter Express Setup mode, complete the required configuration steps onscreen, then enter 5 and press return/enter to reboot the xac.
5: Once the xac reboots, open your internet browser, navigate to the designated https://FQDN:4443 and log in using the default access details mentioned above.
6: Upon login complete the onscreen wizard. Please note that some of the configuration options will already be pre-populated from the entries you made at the xac console in Step 4 above. Once completed you will be logged out, which is normal.
7: Log in to the xac again and complete either the self-signed or the Enterprise CA signed certificate process.

Multi-Domain Support
Currently the XenMobile AppController 2.8 doesn’t support multiple domains, e.g. multiple LDAP(S) bindings to more than one domain. The following Citrix Blog article is however quite useful when leveraging a NetScaler Gateway: “Implementing cascading LDAP policies along with universal domain groups”. The quoted text is credited to the author of the Citrix Blog entry –

XenMobile Enterprise (XAC 2.8, XDM 8.5, SCZ 2.0) Reference Architecture
http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/reference-architecture-for-mobile-device-and-app-management.pdf

Coming soon!
In the meantime, check out the eDocs supporting documentation for XenMobile AppController 2.8 (edocs.citrix.com), WorxMail and WorxWeb.

XenMobile AppController 2.6

The following content is a brief and unofficial prerequisites guide to set up, configure and test AppController 2.6 (previously Cloud Gateway), part of the Mobile Solutions Bundle, prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENMOBILE APPCONTROLLER – xac
FULLY QUALIFIED DOMAIN NAME – fqdn
ACTIVE DIRECTORY – ad
STOREFRONT SERVER – sfs
HIGHLY-AVAILABLE – h/a
XENAPP – xa
XENDESKTOP – xd
NETSCALER GATEWAY – nsg
SOFTWARE-AS-A-SERVICE – SaaS
REMOTE ACCESS – r/a

Apple iOS Developer Account
1: Register for an Apple Enterprise iOS Developer Account and NOT Standard – bit.ly link to https://developer.apple.com/programs/ios/enterprise/. Why, you’re probably asking? The enterprise account is designed to allow you to deliver your digitally signed wrapped apps, e.g. Worx Home, WorxWeb and WorxMail, to an unlimited number of iOS devices from your enterprise app store, e.g. XAC. The standard account is designed for you to develop and then test your app on a fair number of iOS devices (iPad mini, iPhone) and then publish your app to the iTunes App Store.
2: Download the Citrix App Preparation Tool for iOS – http://www.citrix.com/downloads/
3: Prior to continuing, please review the following Citrix eDocs article – http://support.citrix.com/proddocs/topic/cloudgateway/clg-appwrap-landing-page-con.html
4: Follow the instructions for digitally signing your iOS app using the Citrix App Preparation Tool for iOS.

Certificates
1: By default, two self-signed certificates are issued to your XenMobile AppController upon initial deployment: a Server certificate and a SAML certificate, both issued to the FQDN AppController.example.com.
2: It is safe to perform the initial xac configuration with the default certificates; thereafter I would recommend generating a CSR for the host name and signing it with your Enterprise CA rather than self-signing it.

Uploading & Configuring Wrapped iOS Apps
1: Once the app has been digitally signed with your iOS Enterprise developer account, navigate to your AppController’s management FQDN, e.g. yourdomain.co.uk:4443, and log in with your administrative credentials.
2: Navigate to the Apps & Docs tab, select iOS, then upload, locate the signed iOS app and follow the onscreen instructions – http://support.citrix.com/proddocs/topic/appcontroller-26/clg-appc-mobile-apps-wrapper-d-con.html.
3: To configure any of the MDX policies, i.e. MDX Access, InterApp and Vault, for your iOS app, see – http://support.citrix.com/proddocs/topic/appcontroller-26/clg-appc-mobile-apps-policies-d-con.html
4: The iOS app is now available and ready to be selected and downloaded onto the user’s end-point mobile device via StoreFront.

Deployment Modes
1: There are two deployment modes for the XenMobile AppController: direct or integrated. It is important to understand that this is NOT h/a.
2: Direct mode is where users connect directly to the XenMobile AppController, bypassing StoreFront. In this deployment scenario the xac can only service and deliver mobile apps, SaaS and web links to users. If you would like to test this mode, deploy and configure your xac with mobile apps and web links within your environment and connect to the xac’s https://FQDN/, either internal or external, using an internet browser on an iOS device as an example. It will redirect you to https://FQDN/Citrix/StoreWeb, where you will be able to log in using your AD credentials; thereafter you’ll be able to select and launch a web link or click and install a mobile app.
3: Integrated mode is where all the requests for mobile apps, SaaS and web links are aggregated through to the sfs over an HTTPS connection (xac <-- HTTPS 443 --> sfs). The xac is set up as a delivery controller within StoreFront, much the same as XA and XD. TIP: Prior to setting this configuration, connect to the xac admin console from the sfs to ensure there are no SSL mismatch issues or errors with the certificate (using IE you’ll see a blue bar and background around the lock icon). If you would like to test this mode, deploy and configure your xac with mobile apps and web links, and configure the trust setting on the xac to point to your sfs, e.g. https://sfs.local/. Now attempt to connect to the xac’s https://FQDN/, either internal or external, using an internet browser on an iOS device as an example; it will redirect you to https://FQDN/Citrix/StoreWeb but you will NOT be able to complete the request! Why? The xac disables its local StoreWeb because another trust setting has been configured, i.e. https://sfs.local. Now connect to your sfs FQDN and log in using your AD credentials; thereafter you’ll be able to select and launch a web link or a published Windows application or desktop, e.g. Notepad or a Windows 7 desktop, and select and click to install a mobile app. How? As long as you have set up the xac, xa and xd delivery controllers in StoreFront and published the resources, you can tap to select and launch any of the described resources. TIP: Always ensure that, if you have configured your delivery controllers to use HTTPS (443), there are no SSL mismatch errors with the FQDN, as this is the most common error and causes SysAdmins a lot of headaches in troubleshooting where the issue lies.

Users
1: Users are provisioned using your organisation’s AD, but first ensure that all users you attempt to provision have the first name, last name and email fields populated. Even if you don’t have a mail server within your domain, populate the e-mail address field, as these are a mandatory requirement for the xac.

Troubleshooting Tips
1: Set up a recurring calendar invite, using your support ticketing system or a group Exchange invite, to renew your iOS Enterprise Developer Account, which expires annually.
2: Use an Enterprise CA to sign the CSRs for your xac and sfs instead of using self-signed certificates, but use a publicly signed SSL certificate for R/A using a NetScaler Gateway.
3: Read through the Citrix Reference Architecture for MDM and MAM.