Integrating with NetScaler Gateway and NetScaler

Jan 12, 2017

When integrated with XenMobile, NetScaler Gateway provides an authentication mechanism for remote device access to the internal network for MAM devices. The integration enables XenMobile Apps to connect to corporate servers in the intranet through a micro VPN created from the apps on the mobile device to NetScaler Gateway.

NetScaler load balancing is required for all XenMobile server device modes if you have multiple XenMobile servers or if the XenMobile server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile).

The following table summarizes NetScaler Gateway and NetScaler integration with XenMobile.

XenMobile server mode

NetScaler Gateway/NetScaler integration

Notes

MAM

NetScaler Gateway: Required

NetScaler: Recommended for load balancing

For MAM-only mode, you must use NetScaler Gateway, which provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.

Citrix recommends that you deploy XenMobile in a high availability configuration, which requires a load balancer in front of XenMobile. For details, see About MAM and Legacy MAM Modes.

MDM

NetScaler Gateway: Not required

NetScaler: Recommended for security and load balancing

For MDM deployments, Citrix recommends NetScaler Gateway for mobile device VPN.

Citrix recommends that you deploy a NetScaler appliance in front of XenMobile server, for security and load balancing. For standard deployments with XenMobile server in the DMZ, Citrix recommends the NetScaler for XenMobile wizard along with XenMobile server load balancing in SSL Bridge mode. You can also consider SSL Offload for deployments where XenMobile server resides in the internal network rather than the DMZ and/or where security requires such configurations.

While you might consider exposing XenMobile server to the Internet via NAT or existing third-party proxies or load-balancers for MDM provided that the SSL traffic terminates on XenMobile server (SSL Bridge), Citrix does not recommend that approach due to the potential security risk.

For high security environments, NetScaler with the default XenMobile configuration should meet or exceed security requirements.

For MDM environments with the highest security needs, SSL termination at the NetScaler provides the ability to inspect traffic at the perimeter, while maintaining end-to-end SSL encryption. For more information, see Security Requirements. NetScaler offers:

  • Options to define SSL/TLS ciphers
  • SSL FIPS NetScaler hardware

ENT

NetScaler Gateway: Required

NetScaler: Recommended for load balancing

When the XenMobile server mode is ENT and a user opts out of MDM enrollment, the device operates in the legacy MAM mode. In the legacy MAM mode, devices enroll using the NetScaler Gateway FQDN. For details, see About MAM and Legacy MAM Modes.

Citrix recommends that you deploy a NetScaler appliance in front of XenMobile server, for security and load balancing. For standard deployments with XenMobile server in the DMZ, Citrix recommends the NetScaler for XenMobile wizard along with XenMobile server load balancing in SSL Bridge mode. You can also consider SSL Offload for deployments where XenMobile server resides in the internal network rather than the DMZ and/or where security requires such configurations.

Although you might consider exposing XenMobile server to the Internet via NAT or existing third-party proxies or load-balancers for MDM provided that the SSL traffic terminates on XenMobile server (SSL Bridge), Citrix does not recommend that approach due to the potential security risk.

For high security environments, NetScaler with the default XenMobile configuration should meet or exceed security requirements.

For MDM environments with the highest security needs, SSL termination at the NetScaler provides the ability to inspect traffic at the perimeter, while maintaining end-to-end SSL encryption. For more information, see Security Requirements. NetScaler offers:

  • Options to define SSL/TLS ciphers
  • SSL FIPS NetScaler hardware

Important

Be aware that for initial enrollment, the traffic from user devices authenticates on the XenMobile server whether you configure load balancing virtual servers to SSL Offload or SSL Bridge. 

Design Decisions

The following table summarizes the many design decisions to consider when planning a NetScaler Gateway integration with XenMobile.

Design decision

Decision detail

Design guidance

Licensing and edition

What edition of NetScaler will you use?

Have you applied Platform licenses to NetScaler?

If you require MAM functionality, have you applied the NetScaler Universal Access Licenses?

Ensure that you apply the proper licenses to the NetScaler Gateway. If you are using XenMobile NetScaler Connector, integrated caching might be required; therefore, you must ensure that the appropriate NetScaler Edition is in place.

The license requirements to enable NetScaler features are as follows.

  • XenMobile MDM load balancing requires a NetScaler standard platform license at a minimum.
  • ShareFile load balancing with StorageZones Controller requires a NetScaler standard platform license at a minimum.
  • The XenMobile Enterprise edition includes the required NetScaler Gateway Universal licenses for MAM.
  • Exchange load balancing requires a NetScaler Platinum platform license or a NetScaler Enterprise platform license with the addition of an Integrated Caching license.

NetScaler version for XenMobile

What version is the NetScaler running in the XenMobile environment?

Will a separate instance be required?

Citrix recommends using a dedicated instance of NetScaler for your NetScaler Gateway virtual server. Be sure that the minimum required NetScaler version and build is in use for the XenMobile environment. It is usually best to use the latest compatible NetScaler version and build for XenMobile. If upgrading NetScaler Gateway would affect your existing environments, a second dedicated instance for XenMobile might be appropriate.

If you plan to share a NetScaler instance for XenMobile and other apps that use VPN connections, be sure that you have enough VPN licenses for both. Keep in mind that XenMobile test and production environments cannot share a NetScaler instance.

Certificates

Do you require a higher degree of security for enrollments and access to the XenMobile environment?

Is LDAP not an option?

The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to XenMobile environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.

If you don't allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile creates and deploys the certificate subsequently used to authenticate to the XenMobile environment.

XenMobile supports Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses NetScaler to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the NetScaler Certificate Revocation List (CRL) setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can't authenticate using an existing certificate on the device; XenMobile re-issues a new certificate, because it doesn't restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.

Networking topology

What NetScaler topology is required?

Citrix recommends using a NetScaler instance for XenMobile. However, if you don't want traffic going from the inside network out to the DMZ, you might consider setting up an additional instance of NetScaler, so that you're using one NetScaler instance for internal users and one for external users. Be aware that when users switch between the internal and external networks, DNS record caching can result in an increase in logon prompts in Secure Hub.

Note that XenMobile does not currently support NetScaler Gateway double hop.

Dedicated or shared NetScaler Gateway VIPs

Do you currently use NetScaler Gateway for XenApp and XenDesktop?

Will XenMobile leverage the same NetScaler Gateway as XenApp and XenDesktop?

What are the authentication requirements for both traffic flows?

When your Citrix environment includes XenMobile, plus XenApp and XenDesktop, you can use the same NetScaler instance and NetScaler Gateway virtual server for both. Due to potential versioning conflicts and environment isolation, a dedicated NetScaler instance and NetScaler Gateway are recommended for each XenMobile environment. However, if a dedicated NetScaler instance is not an option, Citrix recommends using a dedicated NetScaler Gateway vServer rather than a vServer shared between XenMobile and XenApp and XenDesktop, to separate the traffic flows for Secure Hub.

If you use LDAP authentication, Receiver and Secure Hub can authenticate to the same NetScaler Gateway with no issues. If you use certificate-based authentication, XenMobile pushes a certificate in the MDX container and Secure Hub uses the certificate to authenticate with NetScaler Gateway. Receiver is separate from Secure Hub and can't use the same certificate as Secure Hub to authenticate to the same NetScaler Gateway.

You might consider this workaround, which allows you to use the same FQDN for two NetScaler Gateway VIPs. You can create two NetScaler Gateway VIPs with the same IP address, but the one for Secure Hub uses the standard 443 port and the one for XenApp and XenDesktop (which deploy Receiver) uses port 444. Then, one FQDN resolves to the same IP address. For this workaround, you might need to configure StoreFront to return an ICA file for port 444, instead of the default, port 443. This workaround doesn't require users to enter a port number.

NetScaler Gateway time-outs

How do you want to configure the NetScaler Gateway time-outs for XenMobile traffic?

NetScaler Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended Configurations in this handbook. Keep in mind that there are different time-out values for background services, NetScaler, and for accessing applications while offline.

XenMobile load balancer IP address for MAM

Are you using internal or external IP addresses for VIPs?

In environments where you can use public IP addresses for NetScaler Gateway VIPs, assigning a public IP address to the XenMobile load balancing VIP in the same manner will cause enrollment failures.

Ensure that the load balancing VIP uses an internal IP to avoid enrollment failures in this scenario. This virtual IP address must follow the RFC 1918 standard of private IP addresses. If you use a non-private IP address for this virtual server, NetScaler will not be able to contact the XenMobile server successfully during the authentication process. For details, see http://support.citrix.com/article/CTX200430.

MDM load balancing mechanism

How will the XenMobile servers be load balanced by NetScaler Gateway?

Use SSL Bridge if XenMobile is in the DMZ. Use SSL Offload, if required to meet security standards, when XenMobile server is in the internal network.

  • When you load balance XenMobile server with NetScaler VIPs in SSL Bridge mode, Internet traffic flows directly to XenMobile server, where connections terminate. SSL Bridge mode is the simplest mode to set up and troubleshoot.
  • When you load balance XenMobile server with NetScaler VIPs in SSL Offload mode, Internet traffic flows directly to NetScaler, where connections terminate. NetScaler then establishes new sessions from NetScaler to XenMobile server. SSL Offload mode involves additional complexity during setup and troubleshooting.

Service port for MDM load balancing with SSL Offload

If you will use SSL Offload mode for load balancing, what port will the back-end service use?

For SSL Offload, choose port 80 or 8443 as follows:

Enrollment FQDN

What will be the FQDN for enrollment and XenMobile instance/load balancing VIP?

Initial configuration of the first XenMobile server in a cluster requires that you enter the XenMobile server FQDN. That FQDN must match your MDM VIP URL and your Internal MAM LB VIP URL. (An internal NetScaler address record resolves the MAM LB VIP.) For details, see Enrollment FQDN for each deployment type after this table.

In addition, you must use the same certificate as the XenMobile SSL listener certificate, Internal MAM LB VIP certificate, and MDM VIP certificate (if using SSL Offload for MDM VIP).

Important: After you configure the enrollment FQDN, you cannot change it. A new enrollment FQDN will require a new SQL Server database and XenMobile server re-build.

Secure Web traffic

Will you restrict Secure Web to internal web browsing only?

Will you enable Secure Web for both internal and external web browsing?

If you will use Secure Web for internal web browsing only, NetScaler Gateway configuration is straightforward, assuming that Secure Web can reach all internal sites by default; you might need to configure firewalls and proxy servers.

If you will use Secure Web for both internal and external browsing, you must enable the SNIP to have outbound internet access. Because IT generally views enrolled devices (using the MDX container) as an extension of the corporate network, IT typically wants Secure Web connections to come back to NetScaler, go through a proxy server, and then go out to the Internet. By default, Secure Web access tunnels to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and NetScaler uses split tunnel settings.

For a discussion of Secure Web connections, see Configuring User Connections in the XenMobile Apps documentation.

Push Notifications for Secure Mail

Will you use push notifications?

For iOS:

If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler Gateway must allow traffic from Secure Mail to the Citrix listener service URLs specified in Push Notifications for Secure Mail for iOS.

For Android:

As an alternative to the MDX policy, Active poll period, you can use Google Cloud Messaging (GCM) to control how and when Android devices need to connect to XenMobile. With GCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the XenMobile server.

HDX STAs

What STAs to use if you will integrate HDX application access?

HDX STAs must match the STAs in StoreFront and must be valid for the XenApp/XenDesktop farm.

ShareFile

Will you use ShareFile StorageZone Controllers in the environment?

What ShareFile VIP URL will you use?

If you will include ShareFile StorageZone Controllers in your environment, ensure that you correctly configure the following: ShareFile Content Switch VIP (used by the ShareFile Control Plane to communicate with the StorageZone Controller servers), ShareFile Load Balancing VIPs, and all required policies and profiles. For information, see Configure NetScaler for StorageZones Controller in the Citrix StorageZones documentation.

SAML IDP

If SAML is required for ShareFile, do you want to use XenMobile as the SAML IdP?

The recommended best practice is to integrate ShareFile with XenMobile Advanced Edition or XenMobile Enterprise Edition, a simpler alternative to configuring SAML-based federation. When you use ShareFile with those XenMobile editions, XenMobile provides ShareFile with single sign-on (SSO) authentication of XenMobile Apps users, user account provisioning based on Active Directory, and comprehensive access control policies. The XenMobile console enables you to perform ShareFile configuration and to monitor service levels and license usage.

Note that there are two types of ShareFile clients: ShareFile Worx clients (also referred to as wrapped ShareFile) and ShareFile mobile clients (also referred to as unwrapped ShareFile). To understand the differences, see How ShareFile Worx Clients Differ from ShareFile Mobile Clients in the XenMobile documentation.

You can configure XenMobile and ShareFile to use SAML to provide SSO access to ShareFile mobile apps you wrap with the MDX toolkit, as well as to non-wrapped ShareFile clients, such as the web site, Outlook plugin, or sync clients.

If you want to use XenMobile as the SAML IdP for ShareFile, ensure that the proper configurations are in place. For details, see SAML for SSO with ShareFile in the XenMobile documentation.

ShareConnect direct connections

Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?

ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, XenMobile uses NetScaler Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect in the XenMobile documentation.
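
The RFC 1918 requirement in the "XenMobile load balancer IP address for MAM" row above can be checked against a saved NetScaler configuration. The following is an added example, not Citrix code: the ns.conf excerpt, vserver names and addresses are constructed, and the caller supplies which vservers are the MAM load balancing VIPs (an assumption, since the configuration does not label them).

```python
import ipaddress
import shlex

# The three IPv4 blocks defined by RFC 1918. ipaddress.is_private is broader
# (it also accepts loopback, link-local and other special ranges), so the
# audit tests membership in these networks explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ns.conf excerpt; vserver names and addresses are illustrative.
SAMPLE_CONF = """\
add lb vserver xm_mdm_443 SSL_BRIDGE 203.0.113.10 443 -persistenceType SSLSESSION
add lb vserver xm_mdm_8443 SSL_BRIDGE 203.0.113.10 8443
add lb vserver xm_mam_lb SSL 203.0.113.11 8443
add lb vserver xm_mam_lb_ok SSL 172.20.5.11 8443
add lb vserver xm_mam_lb_ll SSL 169.254.10.5 8443
add vpn vserver xm_gateway SSL 203.0.113.12 443
"""


def is_rfc1918(addr):
    """True only for IPv4 addresses inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_lb_vservers(conf_text):
    """Yield (name, service_type, ip, port) per 'add lb vserver' line."""
    for line in conf_text.splitlines():
        tok = shlex.split(line)  # handles quoted vserver names
        if len(tok) >= 7 and tok[:3] == ["add", "lb", "vserver"]:
            yield tok[3], tok[4], tok[5], tok[6]


def audit_mam_lb_vips(conf_text, mam_lb_names):
    """Return (name, ip, problem) for each MAM LB vserver that fails the check.

    mam_lb_names: names of the vservers that front XenMobile for MAM
    (caller-supplied assumption; the config itself does not label them).
    """
    findings, seen = [], set()
    for name, _stype, ip, _port in parse_lb_vservers(conf_text):
        if name not in mam_lb_names:
            continue
        seen.add(name)
        try:
            private = is_rfc1918(ip)
        except ValueError:
            findings.append((name, ip, "address field is not an IP address"))
            continue
        if not private:
            findings.append((name, ip, "VIP is not an RFC 1918 address"))
    for name in sorted(set(mam_lb_names) - seen):
        findings.append((name, None, "vserver not found in configuration"))
    return findings


if __name__ == "__main__":
    for finding in audit_mam_lb_vips(SAMPLE_CONF, {"xm_mam_lb", "xm_mam_lb_ok", "xm_mam_lb_ll"}):
        print(finding)
```

The link-local sample address shows why the explicit network list matters: `ipaddress` reports it as private, yet it is not an RFC 1918 address and is flagged.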

Enrollment FQDN for each deployment type

| Deployment type | Enrollment FQDN |
| --- | --- |
| Enterprise (MDM+MAM) with mandatory MDM enrollment | XenMobile server FQDN |
| Enterprise (MDM+MAM) with optional MDM enrollment | XenMobile server FQDN or NetScaler Gateway FQDN |
| MDM only | XenMobile server FQDN |
| MAM-only (legacy) | NetScaler Gateway FQDN |
| MAM-only (for XenMobile 10.3.5 and higher) | XenMobile server FQDN |

Deployment Summary

The XenMobile product documentation includes a Flowchart for Deploying XenMobile with NetScaler Gateway along with links to related articles, such as system requirements, gathering required information, configuring XenMobile for NetScaler Gateway, and using the NetScaler for XenMobile wizard to configure XenMobile connections.

Citrix recommends that you use the NetScaler for XenMobile wizard to ensure proper configuration. Be aware that you can use the wizard only one time. If you have multiple XenMobile instances, such as for test, development, and production environments, you must configure NetScaler for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure NetScaler manually for XenMobile.

The key decision you make when using the wizard is whether to use HTTPS or HTTP for communication to the XenMobile server. HTTPS provides secure back-end communication, as traffic between NetScaler and XenMobile is encrypted; the re-encryption impacts XenMobile server performance. HTTP provides better XenMobile server performance; traffic between NetScaler and XenMobile is not encrypted. The following tables show the HTTP and HTTPS port requirements for NetScaler and XenMobile server.

HTTPS

Citrix typically recommends SSL Bridge for NetScaler MDM virtual server configurations. For NetScaler SSL Offload use with MDM virtual servers, XenMobile supports only port 80 as the backend service.

| Deployment type | NetScaler load balancing method | SSL re-encryption | XenMobile server port |
| --- | --- | --- | --- |
| MDM | SSL Bridge | N/A | 443, 8443 |
| MAM | SSL Offload | Enabled | 8443 |
| Enterprise | MDM: SSL Bridge | N/A | 443, 8443 |
| Enterprise | MAM: SSL Offload | Enabled | 8443 |


HTTP

| Deployment type | NetScaler load balancing method | SSL re-encryption | XenMobile server port |
| --- | --- | --- | --- |
| MDM | SSL Offload | Not supported | 80 |
| MAM | SSL Offload | Enabled | 8443 |
| Enterprise | MDM: SSL Bridge | Not supported | 80 |
| Enterprise | MAM: SSL Offload | Enabled | 8443 |


For diagrams of NetScaler Gateway in XenMobile deployments, see Reference Architecture for On-Premises Deployments and Reference Architecture for Cloud Deployments.