Install and configure

Sep 06, 2017

Before you start:

You can use the following preinstallation checklist to note the prerequisites and settings for installing XenMobile. Each task or note includes a column indicating the component or function for which the requirement applies.

Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your end-to-end XenMobile environment, see the XenMobile Deployment Handbook.

For installation steps, see the Install XenMobile section later in this article.

Preinstallation checklist

Basic Network Connectivity

The following are the network settings you need for the XenMobile solution.

Prerequisite or setting Component or function Note the setting

Note the fully qualified domain name (FQDN) to which remote users connect.

XenMobile

NetScaler Gateway

Note the public and local IP address.

You need these IP addresses to configure the firewall to set up network address translation (NAT).

XenMobile

NetScaler Gateway

Note the subnet mask.

XenMobile

NetScaler Gateway

Note the DNS IP addresses.

XenMobile

NetScaler Gateway

Write down the WINS server IP addresses (if applicable).

NetScaler Gateway

Identify and write down the NetScaler Gateway host name.

Note: This is not the FQDN. The FQDN is contained in the signed server certificate that is bound to the virtual server and to which users connect. You can configure the host name by using the Setup Wizard in NetScaler Gateway.

NetScaler Gateway

Note the IP address of XenMobile.

Reserve one IP address if you install one instance of XenMobile.

If you configure a cluster, note all of the IP addresses you need.

XenMobile

  • One public IP address configured on NetScaler Gateway
  • One external DNS entry for NetScaler Gateway

NetScaler Gateway

Note the web proxy server IP address, port, proxy host list, and the administrator user name and password. These settings are optional if you deploy a proxy server in your network (if applicable).

Note: You can use either the sAMAccountName or the User Principal Name (UPN) when configuring the user name for the web proxy.

XenMobile

NetScaler Gateway

Note the default gateway IP address.

XenMobile

NetScaler Gateway

Note the system IP (NSIP) address and subnet mask.

NetScaler Gateway

Note the subnet IP (SNIP) address and subnet mask.

NetScaler Gateway

Note the NetScaler Gateway virtual server IP address and FQDN from the certificate.

If you need to configure multiple virtual servers, note all of the virtual IP addresses and FQDNs from the certificates.

NetScaler Gateway

Note the internal networks that users can access through NetScaler Gateway.

Example: 10.10.0.0/24

Enter all internal networks and network segments that users need access to when they connect with Secure Hub or the NetScaler Gateway Plug-in when split tunneling is set to On.

NetScaler Gateway

Make sure that the XenMobile server, NetScaler Gateway, the external Microsoft SQL Server, and the DNS server can reach one another over the network.

XenMobile

NetScaler Gateway
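
The reachability requirement above can be verified before installation with a short probe, run from a host in the network segment planned for the XenMobile server. This is an added example, not part of the Citrix documentation: the host names are constructed placeholders, 1433 and 636 are the SQL Server and secure LDAP ports named later in this article, and 389 is the standard LDAP port.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class Target:
    name: str   # label for the report
    host: str   # FQDN or IP address noted in the checklist
    port: int   # TCP port the component listens on


@dataclass
class Result:
    target: Target
    addresses: list = field(default_factory=list)  # what the host resolved to
    reachable: bool = False
    error: str = ""


def probe(target, timeout=3.0):
    """Resolve the host, then try a TCP connect to each resolved address."""
    try:
        infos = socket.getaddrinfo(target.host, target.port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return Result(target, error=f"DNS resolution failed: {exc}")
    result = Result(target, addresses=sorted({info[4][0] for info in infos}))
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            result.reachable, result.error = True, ""
            return result
        except OSError as exc:  # refused, timed out, or no route
            result.error = f"{sockaddr[0]}:{target.port} {exc}"
    return result


def run_preflight(targets, timeout=3.0):
    """Probe every target and return the results in the same order."""
    return [probe(t, timeout) for t in targets]


if __name__ == "__main__":
    # Constructed placeholders: replace with the values noted in the checklist.
    targets = [
        Target("Microsoft SQL Server", "sql01.corp.example", 1433),
        Target("Active Directory LDAP", "dc01.corp.example", 389),
        Target("Active Directory LDAPS", "dc01.corp.example", 636),
    ]
    for r in run_preflight(targets):
        status = "OK" if r.reachable else f"FAIL ({r.error})"
        print(f"{r.target.name:24} {r.target.host}:{r.target.port} {status}")
```

A failure that reports a DNS error points at the DNS server settings in the checklist; a refused or timed-out connection points at firewall or NAT rules between the components.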

Licensing

XenMobile requires you to purchase licensing options for NetScaler Gateway and XenMobile. For more information about Citrix Licensing, see The Citrix Licensing System.

Prerequisite Component Note the location

Obtain Universal licenses from the Citrix web site. For details, see Licensing in the NetScaler Gateway documentation.

NetScaler Gateway

XenMobile

Citrix License Server

Certificates

XenMobile and NetScaler Gateway require certificates to enable connections with other Citrix products and apps and from user devices. For details, see the Certificates and Authentication section in the XenMobile documentation.

Prerequisite Component Notes

Obtain and install required certificates.

XenMobile

NetScaler Gateway

Ports

You need to open ports to allow communication with the XenMobile components.

Prerequisite Component Notes

Open ports for XenMobile

XenMobile

NetScaler Gateway

Database

You need to configure a database connection. The XenMobile repository requires a Microsoft SQL Server database running on one of the following supported versions: Microsoft SQL Server 2014, SQL Server 2012, SQL Server 2008 R2, or SQL Server 2008. Citrix recommends using Microsoft SQL remotely. PostgreSQL is included with XenMobile and should be used locally or remotely only in test environments.

Prerequisite Component Note the setting

Microsoft SQL Server IP address and port.

Make sure the service account of the SQL Server to be used on XenMobile has the DBcreator role permission.

XenMobile

Active Directory Settings

Prerequisite Component Note the setting

Note the Active Directory IP address and port for the primary and secondary servers.

If you use port 636, install a root certificate from a CA on XenMobile, and change the Use secure connections option to Yes.

XenMobile

NetScaler Gateway

Note the Active Directory domain name.

XenMobile

NetScaler Gateway

Note the Active Directory service account, which requires a user ID, password, and domain alias.

The Active Directory service account is the account that XenMobile uses to query Active Directory.

XenMobile

NetScaler Gateway

Note the User Base DN.

This is the directory level under which users are located; for example, cn=users,dc=ace,dc=com. NetScaler Gateway and XenMobile use this to query Active Directory.

XenMobile

NetScaler Gateway

Note the Group Base DN.

This is the directory level under which groups are located.

NetScaler Gateway and XenMobile use this to query Active Directory.

XenMobile

NetScaler Gateway

Connections between XenMobile and NetScaler Gateway

Prerequisite Component Note the setting

Note the XenMobile host name.

XenMobile

Note the FQDN or IP address of XenMobile.

XenMobile

Identify the apps users can access.

NetScaler Gateway

Note the Callback URL.

XenMobile

User Connections: Access to XenDesktop, XenApp, and Citrix Secure Hub

Citrix recommends that you use the Quick Configuration wizard in NetScaler to configure connection settings between XenMobile and NetScaler Gateway and between XenMobile and Secure Hub. You create a second virtual server to enable user connections from Citrix Receiver and web browsers to connect to Windows-based applications and virtual desktops in XenApp and XenDesktop. Citrix recommends that you use the Quick Configuration wizard in NetScaler to configure these settings as well.

Prerequisite Component Note the setting

Note the NetScaler Gateway host name and external URL.

The external URL is the web address with which users connect.

XenMobile

Note the NetScaler Gateway callback URL.

XenMobile

Note the IP addresses and subnet masks for the virtual server.

NetScaler Gateway

Note the path for Program Neighborhood Agent or a XenApp Services site.

NetScaler Gateway

XenMobile

Note the FQDN or IP address of the XenApp or XenDesktop server running the Secure Ticket Authority (STA) (for ICA connections only).

NetScaler Gateway

Note the public FQDN for XenMobile.

NetScaler Gateway

Note the public FQDN for Secure Hub.

NetScaler Gateway

Flowchart for XenMobile deployment

You can use this flowchart to guide you through the main steps for deploying XenMobile. Links to topics on each step follow the figure.

1: System requirements and compatibility

2: Install and configure

3 and 4: Preinstallation checklist (this article)

5: Configure XenMobile in the Command Prompt Window (this article)

6: Configure XenMobile in a web browser (this article)

7: Configuring Settings for Your XenMobile Environment

8: Port requirements

The flowchart is also available in PDF format.

Install XenMobile

The XenMobile virtual machine (VM) runs on Citrix XenServer, VMware ESXi, or Microsoft Hyper-V. You can use XenCenter or vSphere management consoles to install XenMobile.

Note

Ensure that the hypervisor is configured with the correct time, using either an NTP server or a manual configuration, because XenMobile uses that time.

XenServer or VMware ESXi prerequisites: Before installing XenMobile on XenServer or VMware ESXi, you must do the following. For details, refer to your XenServer or VMware documentation.
  • Install XenServer or VMware ESXi on a computer with adequate hardware resources.
  • Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere connects to the XenServer or VMware ESXi host through the network.

Hyper-V prerequisites: Before installing XenMobile on Hyper-V, you must do the following. For details, refer to your Hyper-V documentation.

  • Install Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 with the Hyper-V role enabled, on a computer with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host.

If you install Windows Server 2008 R2 or Windows Server 2012, do the following:

  • Delete the file Virtual Machines/<build-specific UUID>.xml
  • Move the file Legacy/<build-specific UUID>.exp into Virtual Machines

These steps are necessary because there are two different versions of the Hyper-V manifest file representing the VM configuration (.exp and .xml). The Windows Server 2008 R2 and Windows Server 2012 releases support only .exp. For these releases, you must have only the .exp manifest file in place before installation.

Windows Server 2012 R2 does not require these extra steps.

FIPS 140-2 mode: If you plan to install XenMobile server in FIPS mode, you need to complete a set of prerequisites, as discussed in Configuring FIPS.

Download XenMobile product software

You can download product software from the Citrix web site. You need to log on to the site first and then use the Downloads link on the Citrix web page to navigate to the page containing the software you want to download.

To download the software for XenMobile

  1. Go to the Citrix web site.
  2. Next to the Search box, click Log On and log on to your account.
  3. Click the Downloads tab.
  4. On the Downloads page, from the select product list, click XenMobile.
  5. Click Go. The XenMobile page appears.
  6. Expand XenMobile Server.
  7. Expand Product Software.
  8. Click XenMobile Server 10.
  9. On the XenMobile Server 10 page, click the Jump to Download menu and choose the appropriate virtual image to use to install XenMobile on XenServer, VMware, or Hyper-V. Alternatively, scroll down the page to locate the Download File button for the image you want to install.
  10. Follow the instructions on your screen to download the software.

To download the software for NetScaler Gateway

You can use this procedure to download the NetScaler Gateway virtual appliance or software upgrades to your existing NetScaler Gateway appliance.

  1. Go to the Citrix web site.
  2. If you are not already logged on to the Citrix web site, next to the Search box, click Log On and log on to your account.
  3. Click the Downloads tab.
  4. On the Downloads page, from the select product list, click NetScaler Gateway.
  5. Click Go. The NetScaler Gateway page appears.
  6. On the NetScaler Gateway page, expand the version of NetScaler Gateway you are running.
  7. Under Firmware, click the appliance software version you want to download.
    Note: You can also click Virtual Appliances to download NetScaler VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.
  8. Click the appliance software version you want to download.
  9. On the appliance software page for the version you want to download, click Download for the appropriate virtual appliance.
  10. Follow the instructions on your screen to download the software.

Configure XenMobile for First-Time Use

1. Configure the IP address and subnet mask, default gateway, DNS servers, and so on for XenMobile by using the XenCenter or vSphere command-line console.

Note

When you use a vSphere web client, it is recommended that you do not configure networking properties during the time you deploy the OVF template on the Customize template page. By doing so, in a high availability configuration, you avoid an issue with the IP address that occurs when you clone and then restart the second XenMobile virtual machine.

2. Access the XenMobile management console only through the XenMobile Server fully qualified domain name or the IP addresses of the node.

3. Log on and then follow the steps in the initial logon screens.

Configure XenMobile in the Command Prompt Window

  1. Import the XenMobile virtual machine into Citrix XenServer, Microsoft Hyper-V, or VMware ESXi. For details, see XenServer, Hyper-V, or VMware documentation.
  2. In your hypervisor, select the imported XenMobile virtual machine and start the command prompt view. For details, see the documentation for your hypervisor.
  3. From the hypervisor's console page, create an administrator account for XenMobile in the command prompt window by typing the administrator user name and password.
    Important:
    When you create or change passwords for the command prompt administrator account, Public Key Infrastructure (PKI) server certificates, and FIPS, XenMobile enforces the following rules for all users except Active Directory users whose passwords are managed outside of XenMobile:
    • The password must be at least 8 characters long and must meet at least three of the following complexity criteria:
      • Uppercase letters (A through Z)
      • Lowercase letters (a through z)
      • Numerals (0 through 9)
      • Special characters (such as !, #, $, %)

    Note:
    No characters, such as asterisks, are shown when you type the new password. Nothing appears.

  4. Provide the following network information and then type y to commit the settings:
    1. IP address of the XenMobile server
    2. Netmask
    3. Default gateway, which is the IP address of the default gateway in the DMZ
    4. Primary DNS server, which is the IP address of the DNS server
    5. Secondary DNS server (optional)


      Note: The addresses shown in this and following images are non-working and are provided as examples only.
  5. Type y to increase security by generating a random encryption passphrase or n to provide your own passphrase. Citrix recommends typing y to generate a random passphrase. The passphrase is used as part of the protection of the encryption keys used to secure your sensitive data. A hash of the passphrase, stored in the server file system, is used to retrieve the keys during the encryption and decryption of data. The passphrase cannot be viewed.

    Note: If you intend to extend your environment and configure additional servers, you should provide your own passphrase. There is no way to view the passphrase if you selected a random passphrase.

  6. Optionally, enable Federal Information Processing Standard (FIPS). For details about FIPS, see FIPS. Also, be sure to complete a set of prerequisites, as discussed in Configuring FIPS.


  7. Provide the following information to configure the database connection.


    1. Your database can be local or remote. Type l for local or r for remote.
    2. Select the database type. Type mi for Microsoft SQL or type p for PostgreSQL.
      Important:
      • Citrix recommends using Microsoft SQL remotely. PostgreSQL is included with XenMobile and should be used locally or remotely only in test environments.
      • Database migration is not supported. Databases created in a test environment cannot be moved to a production environment.
    3. Optionally, type y to use SSL authentication for your database.
    4. Provide the fully qualified domain name (FQDN) for the server hosting XenMobile. This one host server provides both device management and app management services.
    5. Type your database port number if it is different from the default port number. The default port for Microsoft SQL is 1433 and the default port for PostgreSQL is 5432.
    6. Type your database administrator user name.
    7. Type your database administrator password.
    8. Type the database name.
    9. Press Enter to commit the database settings.
  8. Optionally, type y to enable clustering of XenMobile nodes, or instances.
    Important: If you enable a XenMobile cluster, after system configuration is complete, be sure to open port 80 to enable real-time communication between cluster members. This must be completed on all cluster nodes.
  9. Type the XenMobile server fully qualified domain name (FQDN).


  10. Press Enter to commit the settings.
  11. Identify the communication ports. For details on ports and their uses, see Port Requirements.
    Note: Accept the default ports by pressing Enter (Return on a Mac).


  12. Skip the next question about upgrading from a previous XenMobile release because you are installing XenMobile for the first time.
  13. Type y if you want to use the same password for each Public Key Infrastructure (PKI) certificate. For details on the XenMobile PKI feature, see Uploading Certificates.


    Important:
    If you intend to cluster nodes, or instances, of XenMobile together, you must provide identical passwords for subsequent nodes.
  14. Type the new password and then re-enter the new password to confirm it.
    Note: No characters, such as asterisks, are shown when you type the new password. Nothing appears.
  15. Press Enter to commit the settings.
  16. Create an administrator account for logging on to the XenMobile console with a web browser. Be sure to remember these credentials for later use.


    Note: No characters, such as asterisks, are shown when you type the new password. Nothing appears.
  17. Press Enter to commit the settings. The initial system configuration is saved.
  18. When asked if this is an upgrade, type n because it is a new installation.
  19. Copy the complete URL that appears on the screen and continue this initial XenMobile configuration in your web browser.
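
The password rules listed under step 3 can be checked before typing into the console, which shows no characters as you type. The following Python check is an added example, not Citrix code; treating "special characters" as ASCII punctuation is an assumption, because this article gives only !, #, $, and % as examples.

```python
import string

MIN_LENGTH = 8          # "at least 8 characters long"
REQUIRED_CLASSES = 3    # "at least three of the following complexity criteria"

# Assumption: any ASCII punctuation counts as a special character.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password):
    """Return the names of the character classes the password contains."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def check_password(password):
    """Return (ok, problems) for the rules in step 3.

    Characters outside the four classes (spaces, non-ASCII) are not
    counted toward any class.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        missing = [name for name in CLASSES if name not in present]
        problems.append(
            f"{len(present)} of 4 character classes present, "
            f"{REQUIRED_CLASSES} required; missing: {', '.join(missing)}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ["Passw0rd", "password1", "Ab1!", "abcdefgh"]:
        ok, problems = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else '; '.join(problems)}")
```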


Configure XenMobile in a web browser

After completing the initial portion of the XenMobile configuration in your hypervisor command prompt window, complete the process in your web browser.

1. In your web browser, navigate to the location provided at the conclusion of the command prompt window configuration.

2. Type the XenMobile console administrator account user name and password you created in the command prompt window.

3. On the Get Started page, click Start. The Licensing page appears.

4. Configure the license. If you don't upload a license, you use an evaluation license valid for 30 days. For details on adding and configuring licenses and configuring expiration notifications, see Licensing.

Important: If you intend to use XenMobile clustering by adding cluster nodes, or instances, of XenMobile, you need to use Citrix Licensing on a remote server.

5. On the Certificate page, click Import. The Import dialog box appears.

6. Import your APNs and SSL Listener certificate. If you manage iOS devices, you need an APNs certificate. For details on working with certificates, see Certificates.

Note: This step requires restarting the server.

7. If appropriate to the environment, configure NetScaler Gateway. For details on configuring NetScaler Gateway, see NetScaler Gateway and XenMobile and Configuring Settings for Your XenMobile Environment.

Note:
  • You can deploy NetScaler Gateway at the perimeter of your organization's internal network (or intranet) to provide a secure single point of access to the servers, applications, and other network resources that reside in the internal network. In this deployment, all remote users must connect to NetScaler Gateway before they can access any resources in the internal network.
  • Although NetScaler Gateway is an optional setting, after you enter data on the page, you must clear or complete the required fields before you can leave the page.

8. Complete the LDAP configuration to access users and groups from Active Directory. For details on configuring the LDAP connection, see LDAP Configuration.

9. Configure the notification server to be able to send messages to users. For details on notification server configuration, see Notifications.

Post-requisite: Restart the XenMobile server to activate your certificates.