Product Documentation

Gathering Network Information

Oct 20, 2015

You need to identify the following network settings and configure appropriate server settings before you install the XenMobile components in your network:

  • IP addresses for each XenMobile component. For example, for NetScaler Gateway, you need the system IP (NSIP) and the subnet IP (SNIP) addresses.
  • Opening the appropriate ports in your firewall to allow network traffic to communicate with each component.
  • Domain Name Servers (DNS) for name resolution with users inside your network and users who connect from remote locations. You might need different IP addresses for each DNS server.
  • Network Time Protocol (NTP) server. The NTP server synchronizes the time between all of your network components. Citrix recommends that you use an NTP server for your XenMobile deployment.
  • SMTP server for email. When you configure an SMTP server, you need the fully qualified domain name (FQDN) of the email server, such as mail.mycompany.com. You also need to identify the port, the email addresses used for the send function, and user email addresses and passwords.

The XenMobile Pre-Installation checklist includes a section where you can write down all of your network settings. You might need to coordinate with other team members to configure the ports and servers you need for the XenMobile deployment. For more information about ports and to print the checklist, see:

Obtaining and Installing Certificates for XenMobile

Certificates are used to create secure connections and authenticate users.

XenMobile MDM requires a certificate from the Apple Push Notification Service (APNS). XenMobile MDM also uses its own PKI service or obtains certificates from the Microsoft Certificate Authority (CA) for client certificates.

All Citrix products support wildcard and SAN certificates. For most deployments, you only need two wildcard or SAN certificates. You can use the following formats:

  • External - *.example.com
  • Internal - *.myinternaldomain.net

The following table shows the certificate format and type for each XenMobile component:

XenMobile component Certificate format Required certificate type Location
NetScaler Gateway PEM (BASE64) Server, root External
App Controller PEM or

PFX (PKCS#12)

Server, SAML, root Internal
StoreFront PFX (PKCS#12) Server, root Internal
XenMobile MDM P12 format (PKCS#12) APNS, server

Device Manager creates its own PKI service or uses the Microsoft CA for client certificates

External

For NetScaler Gateway and App Controller, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway configuration utility or the App Controller management console. After you create the CSR, submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or App Controller.

For more information about installing certificates, see the following:

Configuring Client Certificates for Authentication

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to a NetScaler Gateway virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

When users log on to the NetScaler Gateway virtual server, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.

Obtaining and Installing Licenses

XenMobile MDM Edition and NetScaler Gateway require licenses. When you purchase a Citrix product, you receive an email that contains a link for your licenses. You obtain your licenses by logging on to the Citrix web site and then downloading your licenses.

Important: Citrix recommends that you retain a local copy of all license files you receive. When you save a backup copy of the configuration file, all uploaded licenses files are included in the backup. If you need to reinstall XenMobile MDM Edition or NetScaler Gateway appliance software and do not have a backup of the configuration, you will need the original license files.

For more information about NetScaler Gateway and Device Manager licenses, see XenMobile Licensing on the Citrix web site.