Tag Archives: Micro-VPN

Fronting XenMobile 10.x.n with NetScaler 10.5.x.n – 11.x.n

The following content is a brief and unofficial prerequisites guide to setting up, configuring and testing a NetScaler Gateway 10.5.x.n or NetScaler Unified Gateway 11.x.n fronting a XenMobile 10.x.n XMS virtual appliance prior to deploying in a PoC, Pilot or Production environment. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
FEDERAL INFORMATION PROCESSING STANDARDS – fips
NETSCALER GATEWAY – nsg
NETSCALER UNIFIED GATEWAY – nug
VIRTUAL IP ADDRESS – vip
MOBILE APPLICATION MANAGEMENT – mam
MOBILE DEVICE MANAGEMENT – mdm
CERTIFICATE AUTHORITY – ca

Deployment Preparation Overview (DRAFT & MAY CONTAIN ERROR(S))
0. This section also contains the prerequisites and system requirements for each virtual appliance (V/A) for NetScaler and the XenMobile Server (XMS).
1. Review the XenMobile compatibility matrix at – http://docs.citrix.com/en-us/xenmobile/10-1/xmob-system-requirements/xmob-10-understand-compatibilitymatrix-con.html to choose the correct NS build vs. XMS build.
2. Download the V/A’s for each at signing in with your Citrix partner access details.
3. You need an SSL certificate; a wildcard is recommended for simplicity, and the CSR that you submit to your CA should use at minimum a 2048-bit key. If you are experiencing the enrolment issue Profile Installation Failed “The server certificate for ‘https://’ is invalid”, then please review http://axendatacentre.com/blog/2015/03/29/xenmobile-10-0-poc-considerations/ to help resolve this issue.
4. Generate an APNS certificate following this process at http://docs.citrix.com/en-us/xenmobile/9/xmob-dm-config-requesting-apns-con.html and sign your APNS certificate with Citrix at – https://xenmobiletools.citrix.com/.
5. You need to be aware that the port communication between the different components has changed in XenMobile 10, as has the placement of the XMS V/A. A network diagram can be viewed at – http://docs.citrix.com/en-us/xenmobile/10-1/xmob-arch-overview-con.html. I would recommend that you refer to figure 4, MDM and MAM modes, and also figure 5, Cluster deployments.
6. As of writing this blog post, XenMobile 10 requires the following FQDN and IP addr reservations to be made available when fronting an XMS V/A with a NS appliance, either virtual or physical, on 10.5.x.n and 11.x.n. Please note that for simplicity I will refer to a NetScaler Virtual Appliance (V/A) from here on in.

a – 1x Public routable FQDN for MDM e.g enroll.axendatacentre.com
b – 1x Public routable static IP addr that resolves to the MDM FQDN
c – 1x Public routable FQDN for MAM e.g apps.axendatacentre.com as Secure/Worx’s apps utilise a mVPN via WorxHome now SecureHub
d – 1x Public routable static IP addr that resolves to the public FQDN MAM
e – 1x DMZ private static IP addr for Gateway for your mVPN traffic
f – 1x DMZ private static IP addr for Load-balancing the MAM traffic
g – 1x DMZ private static IP addr for MDM traffic e.g enrolling and on-going device mgmt.
h – 1x DMZ private static IP addr for the actual XMS V/A
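
The reservations a to h can be sanity-checked before the NetScaler wizard is run. The following is an added example, not part of the original post: it assumes "private" means RFC 1918 space, that every reservation is a distinct address, and that one wildcard certificate should cover both public FQDNs; the public addresses, the value for h and the split of e/f are constructed sample values.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def wildcard_covers(cert_name, fqdn):
    """True if cert_name covers fqdn; '*' stands for exactly one left-most label."""
    cert_name, fqdn = cert_name.lower(), fqdn.lower()
    if not cert_name.startswith("*."):
        return cert_name == fqdn
    label, _, parent = fqdn.partition(".")
    return bool(label) and parent == cert_name[2:]

def check_plan(plan, cert_name):
    """Return a list of problems found in an a-h reservation plan."""
    problems = []
    for key in "bd":    # public addresses behind the MDM and MAM FQDNs
        if is_rfc1918(plan[key]):
            problems.append(f"{key}: {plan[key]} is private, expected publicly routable")
    for key in "efgh":  # DMZ addresses on the NetScaler and the XMS
        if not is_rfc1918(plan[key]):
            problems.append(f"{key}: {plan[key]} is not a private DMZ address")
    ips = [plan[k] for k in "bdefgh"]
    for ip in sorted({ip for ip in ips if ips.count(ip) > 1}):
        problems.append(f"{ip} is reserved more than once")
    if plan["a"].lower() == plan["c"].lower():
        problems.append("a and c must be two different FQDNs")
    for key in "ac":    # both public FQDNs must be covered by the certificate
        if not wildcard_covers(cert_name, plan[key]):
            problems.append(f"{key}: {plan[key]} is not covered by {cert_name}")
    return problems

# Constructed sample plan: public addresses are documentation placeholders,
# h and the assignment of e/f are assumptions for illustration only.
SAMPLE_PLAN = {
    "a": "enroll.axendatacentre.com", "b": "203.0.113.100",
    "c": "apps.axendatacentre.com",   "d": "203.0.113.101",
    "e": "192.168.2.31", "f": "192.168.2.33",
    "g": "192.168.2.30", "h": "192.168.2.32",
}

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN, "*.axendatacentre.com") or ["plan OK"]:
        print(line)
```

A wildcard only matches one label, so a name with an extra sub-domain level is reported as not covered and needs its own certificate.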

Sample PoC Diagram
* refers to the “.axendatacentre.com” ending the FQDN.

MDM (b): enroll.* – 81.xxx.nnn.100 | Firewall | MDM (a/g): enroll.* – 192.168.2.30 | NetScaler | Installation FQDN (h): enroll.enroll.axendatacentre.com | XMS
MAM (d): apps.* – 81.xxx.nnn.101 | Firewall | MAM (c/e/f): apps.* – 192.168.2.31, 192.168.2.33 | NetScaler

7. As of writing this blog article, NetScaler requires the following IP addr reservations to allow you to front Citrix workloads, e.g. “XenMobile”, ShareFile etc., and non-Citrix workloads, e.g. web services, Exchange servers, application servers and much more.

– 1x DMZ private static NetScaler IP addr
– 1x DMZ private static NetScaler Mgmt IP addr for mgmt. of your NS virtual or physical appliance
– 1x DMZ private static Subnet IP addr for the NetScaler to access resources within your TRU network

8. Once you have successfully deployed your XMS, use the built-in 30 day licenses for the initial configuration, then allocate some eval licenses against the XMS hostname. You can allocate XM 10 licenses by choosing the “MDM/Enterprise 99 User” from – http://store.citrix.com/store/citrix/en_US/pd/productID.306222300/ThemeID.33753000. Once you have licensed the XMS V/A, proceed to deploy the NS V/A and log in to the NS V/A mgmt. interface, which will be the NS’s mgmt IP addr, and find the HostID, or utilise the CTX article entitled “How to Allocate NetScaler VPX Licenses” – http://support.citrix.com/article/CTX133147. The HostID is required to license your NS V/A. Once you have the HostID, visit the Citrix Evaluation Store at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 and allocate, as an example, a 3000 VPX at platinum for 90 days at – http://store.citrix.com/store/citrix/en_US/pd/productID.278306700/ThemeID.33753000 and also allocate a “Universal 99 Concurrent User Connection” from – http://store.citrix.com/store/citrix/en_US/pd/productID.282559700/ThemeID.33753000, once again for 90 days.
9. Reboot both the NS and XMS V/As and validate that they are back up and running and functioning as expected using the CLI and/or the Admin WebUIs of each V/A.

Let’s Deploy XMS fronted by a NS (DRAFT & MAY CONTAIN ERROR(S))
1. Log in to the NS Admin WebUI, navigate to the licensing tab and validate that you have all green ticks, and ensure that you have 99-104 Universal licenses. If not, please read step 8 above before proceeding.
2. In the bottom left-hand corner click on “XenMobile” and select “XenMobile 10” from the dropdown list on the XenMobile initial wizard welcome page.
3. Under the NetScaler for XenMobile section to the left-hand side select the following “Access through NetScaler Gateway” (MAM e.g Worx’s Apps) and “Load Balance XenMobile Servers” (MDM) and then click on Continue.
4. Enter in the IP addr e and leave the port as 443 and provide a Virtual Server Name then click Continue.
5. Select an existing wildcard certificate or upload a new wildcard certificate, then click Continue.
6. Select an existing LDAP binding or create a new LDAP binding and then click Continue. An example of a Base DN for the domain axendc.co.za, with domain users residing within the default Users folder within AD, would be e.g. “cn=Users,dc=axendc,dc=co,dc=za“.
7. Under Load-Balancing FQDN for MAM, enter a for the FQDN, and for the IP addr beneath it enter IP addr f, and then click Continue. Please leave the defaults as is for now, BUT please be aware that we will not be performing any SSL Offloading or split tunnelling.
8. Select the same SSL cert as per step 5 above, unless it is NOT a wildcard certificate, in which case please upload the SSL cert for the MDM FQDN before proceeding. Click Continue.
9. Click “Add Server” under the XenMobile Servers section, enter IP addr h and then click Continue. Note: Port for communication is 8443!
10. Click “Load Balance Device Manager/XenMobile Servers“.
11. Enter the IP addr g, alter or leave the default name of the Virtual Server, and click Continue. Note: Communication is HTTPS or SSL_Bridge as we chose not to perform HTTP or SSL Offloading in step 7 above.
12. You’ll notice that your XenMobile Servers’ IP addrs are already automatically inserted under the XenMobile Servers section; click Continue. Note: The Ports for communication are 443, 8443!
13. Click Done!
14. You have now successfully deployed a single XMS V/A fronted by a NS V/A. Once the wizard has completed, you can click Edit under the “NetScaler Gateway” section on the top right-hand side, under the Test Connectivity button, to go back into the wizard and modify the split tunnelling options to meet your organisation’s needs and/or requirements.

XenMobile AppController 9.0

The following content is a brief and unofficial prerequisites guide to setting up, configuring and testing XenMobile AppController 9.0 prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
XENMOBILE APPCONTROLLER – xac
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

New & Existing XenMobile AppController (XAC) Admin & User Consoles
1: The NEWEST console is a troubleshooting one which is accessible at https://XAC-FQDN:4443/ControlPoint/support which allows troubleshooting of NetScaler Gateway, XenMobile Device Manager
2: Control Point Admin console – https://XAC-FQDN:4443/ControlPoint/
3: Hidden Admin console – https://XAC-FQDN:4443/admin.
4: Receiver for Web (RfW) provides user access to SaaS, Web-links – https://XAC-FQDN:4443/Citrix/StoreWeb/ natively. You can integrate XAC with StoreFront to enumerate published Windows apps, Server and Desktop VDIs from XenApp, XenDesktop 7.x.

What’s New
0: XenMobile Security PDF document – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf and XenMobile security microsite is also available at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
1: Support for Windows Phone 8.1 MDX policies for WorxMail and WorxWeb only – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-worx-about-wrapper.html. You can learn how to wrap Worx apps for Windows Phone 8.1 using this useful CTX article entitled “FAQ: Windows Phone 8.1 and XenMobile 9” – http://support.citrix.com/article/CTX200105 and also by watching the following video from Citrix TV.

2: New troubleshooting and support console that can download logs, perform connectivity tests and upload logs to http://taas.citrix.com. The console is available at – https://XAC-FQDN:4443/ControlPoint/support once you have successfully authenticated at https://XAC-FQDN:4443/ControlPoint/. You will need to know the admin access details for NSG, XAC and XDM in order to effectively use this console.

3: Wrapping iOS Worx Apps Video.

4: Wrapping Android Worx Apps, including how to sign multiple *.APK files using a BASH script. Refer to the XenMobile 9.0 MDX Toolkit Documentation – http://support.citrix.com/article/CTX140458 for more information once you have watched this video.

5: XenMobile 9.0 MDX Toolkit Documentation – http://support.citrix.com/article/CTX140458

Installing & Deploying XAC 9.0
1: Review and understand the systems & networking prerequisites of the XAC virtual appliance at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-sysreqs-wrapper-con.html and http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-prepare-xenmobile-checklist-con.html.
2: Deploy the XAC virtual appliance on your chosen hypervisor, boot it and follow the onscreen instructions to apply the IP addr, DNS etc., and reboot. Upon completion, connect to the Web Admin UI to complete the initialisation wizard. Thereafter you can begin to set up and configure your XAC virtual appliance, upload your MDX signed Worx apps and configure the MDX policies as required per app per supported platform. Don’t forget to generate a CSR for the XAC, sign it with your Enterprise CA (PoC/Demo environments) or a Public CA (PROD environments), and apply your own SSL certificate(s) to the XAC; refer to – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-appc-cert-install-con.html or for a video demonstration watch – http://www.citrix.com/tv/#videos/9501.
3: Configuring MDX policies for Windows Phone 8.1 – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html, iOS – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html. Finally, check out how to configure encryption policies – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-encryption-con.html.
5: Once you have setup and configured your XAC appliance you can setup high-availability – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-ha-wrapper-con.html.
6: If you are looking for the XenMobile Reference Architecture please refer to http://support.citrix.com/article/CTX140433.

NetScaler Gateway 10.1.120.1316.e

The following content is a brief and unofficial prerequisites guide to setting up, configuring and testing NetScaler Gateway 10.1.120.1316.e to support a XenMobile Enterprise 8.6 deployment prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices.

Shortened Names
NETSCALER GATEWAY – nsg
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
SECURE LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – (s)ldap
CERTIFICATE – cert
REMOTE ACCESS – r/a
XENAPP – xa
XENDESKTOP – xd
XENMOBILE ENTERPRISE – xm
XENMOBILE APPCONTROLLER – xac
XENMOBILE DEVICE MANAGER – xdm

What Is A NetScaler Gateway
It allows you to safely and securely expose your organisation’s trusted network and resources to an end-point either via a MicroVPN (CVPN) – http://support.citrix.com/article/CTX136914 or a FULL VPN. The NSG provides and supports a simple yet secure R/A solution for Citrix XenDesktop, XenApp and XenMobile solutions. There have been recent updates to the NSG to incorporate setup wizards that enable organisations to more rapidly set up, configure and deploy a R/A solution without having to request a NetScaler Gateway expert to set up and configure the policies to enable R/A. To find out what an e release of a NSG is, check out – http://blogs.citrix.com/2013/03/29/citrix-access-gateway-demystifying-the-e-releases/.

Deploying & Configuring The NetScaler Gateway 10.1.120.1316.e For A XenMobile Enterprise 8.6 Solution
1: Physical or Virtual System requirements – http://support.citrix.com/proddocs/topic/xenmobile-prepare/xmob-deploy-netscaler-gateway-reqs-con.html, VPX – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-vpx-introduce-wrapper-con.html#ag-vpx-introduce-wrapper-con and MPX – http://support.citrix.com/proddocs/topic/access-gateway-hig-appliances/ag-model-MPX-spec-ref.html.
2: Prerequisites and checklist – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-checklist-10-1-con.html, http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-deploy-xenmobile-con.html
3: Deploying the NSG and performing the initial configuration – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-install-ng-network-con.html.
4: Creating a certificate for NSG – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-create-csr-ng-tsk.html also watch the NSG certificate video at – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-product-videos-con.html.
5: Uploading a license to the NSG – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-install-license-on-ng-tsk.html.
6: Configuring the NSG for XenMobile – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-config-ng-wizards-con.html.
7: Configure DNS suffixes – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-connect-mobile-devices-android-split-dns-tsk.html#ng-connect-mobile-devices-android-split-dns-tsk or http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-mobile-device-dns-suffix-tsk.html and if you will be supporting Android handsets within your organisation remember to configure DNS for Android devices – http://support.citrix.com/proddocs/topic/xmob-deployment/xmob-deploy-mobile-devices-android-split-dns-tsk.html.
8: Configuring the STA for WorxMail – http://www.citrix.com/tv/#videos/9210.
9: Testing your NSG – http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-test-ag-configuration-tsk.html.

Worx Mobile App Suite NSG Support Table Matrix
http://support.citrix.com/proddocs/topic/xenmobile-connect-users/xmob-worx-supported-platforms-con.html.

Coming Soon!
More coming soon; in the interim check out – http://support.citrix.com/proddocs/topic/xenmobile-understand/xmob-deploy-architect-netscaler-gateway-con.html.