Integrating with Citrix Gateway and Citrix ADC

When integrated with Endpoint Management, Citrix Gateway provides an authentication mechanism for remote device access to the internal network for MAM devices. The integration enables Citrix mobile productivity apps to connect to corporate servers in the intranet through a micro VPN created from the apps on the mobile device to Citrix Gateway.

Citrix Cloud Operations manages Citrix ADC load balancing.

Integration requirements for Endpoint Management server modes

The integration requirements for Citrix Gateway and Citrix ADC differ based on the Endpoint Management server modes: MAM, MDM, and ENT.

MAM

With the Endpoint Management server in MAM mode:

  • Citrix Gateway is required. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.

MDM

With the Endpoint Management server in MDM mode:

  • Citrix Gateway isn’t required. For MDM deployments, Citrix recommends Citrix Gateway for mobile device VPN.

ENT (MAM+MDM)

With the Endpoint Management server in ENT mode:

  • Citrix Gateway is required. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.

  • When the Endpoint Management server mode is ENT and a user opts out of MDM enrollment, devices enroll using the Citrix Gateway FQDN.

Design Decisions

The following sections summarize the many design decisions to consider when planning a Citrix Gateway integration with Endpoint Management.

Certificates

Decision detail:

  • Do you require a higher degree of security for enrollments and access to the Endpoint Management environment?
  • Is LDAP not an option?

Design guidance:

The default configuration for Endpoint Management is user name and password authentication. To add another layer of security for enrollment and access to Endpoint Management environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.

If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to Endpoint Management. Users then enroll using a unique PIN that Endpoint Management generates for them. After a user has access, Endpoint Management creates and deploys the certificate subsequently used to authenticate to the Endpoint Management environment.

Endpoint Management supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, Endpoint Management uses Citrix Gateway to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the Citrix Gateway CRL setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can’t authenticate using a revoked certificate that still exists on the device; Endpoint Management instead re-issues a new certificate, because it doesn’t restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.
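As an added illustration that is not part of the Citrix documentation, the Citrix ADC command-line form of the CRL auto refresh setting described above, applied to the CA that issues the Endpoint Management client certificates. The object names, file paths, IP addresses and URL are placeholders; the flag names follow the ADC CLI reference for add ssl crl and bind ssl vserver, so confirm them against your release.

```nscli
# Added example (placeholder names), not from the Citrix page or product docs.
# Goal: a certificate revoked at the CA stops working at the Gateway after the
# next CRL refresh, instead of after the CRL's own next-update time.

# 1. The CA certificate that signs the client certificates (placeholder path).
add ssl certKey ca_xm /nsconfig/ssl/xm_ca.pem

# 2. The CRL object. -refresh ENABLED makes the ADC re-download the CRL from the
#    distribution point on the given interval (DAILY here); -CAcert ties the CRL
#    to the issuing CA so only certificates from that CA are checked against it.
add ssl crl crl_xm /nsconfig/ssl/xm.crl -inform PEM -refresh ENABLED -CAcert ca_xm -method HTTP -url http://pki.example.com/xm.crl -interval DAILY

# 3. Require a client certificate on the Gateway virtual server and bind the CA
#    with a mandatory CRL check. Per the CLI reference, Mandatory rejects the
#    client certificate when its serial is listed and also when no CRL is loaded
#    (fail closed); Optional only rejects listed certificates.
set ssl vserver vs_xm_gateway -clientAuth ENABLED -clientCert Mandatory
bind ssl vserver vs_xm_gateway -certkeyName ca_xm -CA -crlCheck Mandatory

# 4. After the first refresh interval, confirm the CRL loaded and its dates.
show ssl crl crl_xm
```

Pair this with a check of the CA's CRL publication interval: a daily ADC refresh cannot see a revocation the CA has not yet published.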

Dedicated or shared Citrix Gateway VIPs

Decision detail:

  • Do you currently use Citrix Gateway for Citrix Virtual Apps and Desktops?
  • Will Endpoint Management leverage the same Citrix Gateway as Citrix Virtual Apps and Desktops?
  • What are the authentication requirements for both traffic flows?

Design guidance:

When your Citrix environment includes both Endpoint Management and Citrix Virtual Apps and Desktops, you can use the same Citrix Gateway virtual server for both. Due to potential versioning conflicts and the need for environment isolation, a dedicated Citrix Gateway is recommended for each Endpoint Management environment.

If you use LDAP authentication, Citrix Workspace and Secure Hub can authenticate to the same Citrix Gateway with no issues. If you use certificate-based authentication, Endpoint Management pushes a certificate in the MDX container and Secure Hub uses the certificate to authenticate with Citrix Gateway. The Workspace app is separate from Secure Hub and can’t use the same certificate as Secure Hub to authenticate to the same Citrix Gateway.

You might consider this workaround, which allows you to use the same FQDN for two Citrix Gateway VIPs. You can create two Citrix Gateway VIPs with the same IP address, but the one for Secure Hub uses the standard port 443 and the one for Citrix Virtual Apps and Desktops (which deploys the Citrix Workspace app) uses port 444. One FQDN then resolves to that IP address, and the port distinguishes the two virtual servers. For this workaround, you might need to configure StoreFront to return an ICA file for port 444 instead of the default, port 443. This workaround doesn’t require users to enter a port number.

Citrix Gateway time-outs

Decision detail:

  • How do you want to configure the Citrix Gateway time-outs for Endpoint Management traffic?

Design guidance:

Citrix Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended configurations. Keep in mind that there are different time-out values for background services, Citrix Gateway, and for accessing applications while offline.

Enrollment FQDN

Important:

Changing the enrollment FQDN requires a new SQL Server database and an Endpoint Management server rebuild.

Secure Web traffic

Decision detail:

  • Will you restrict Secure Web to internal web browsing only?
  • Will you enable Secure Web for both internal and external web browsing?

Design guidance:

If you will use Secure Web for internal web browsing only, Citrix Gateway configuration is straightforward, assuming that Secure Web can reach all internal sites by default; you might need to configure firewalls and proxy servers.

If you will use Secure Web for both internal and external browsing, you must enable the SNIP to have outbound Internet access. Because IT generally views enrolled devices (using the MDX container) as an extension of the corporate network, IT typically wants Secure Web connections to come back to Citrix Gateway, go through a proxy server, and then go out to the Internet. By default, Secure Web access tunnels to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and Citrix Gateway uses split tunnel settings.

For a discussion of Secure Web connections, see Configuring User Connections.

Push Notifications for Secure Mail

Decision detail:

  • Will you use push notifications?

Design guidance for iOS:

If your Citrix Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, Citrix Gateway must allow traffic from Secure Mail to the Citrix listener service URLs specified in Push Notifications for Secure Mail for iOS.

Design guidance for Android:

Use Firebase Cloud Messaging (FCM) to control how and when Android devices need to connect to Endpoint Management. With FCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the Endpoint Management server.

HDX STAs

Decision detail:

  • What STAs to use if you will integrate HDX application access?

Design guidance:

HDX STAs must match the STAs in StoreFront and must be valid for the Virtual Apps and Desktops site.

Citrix Files and Citrix Content Collaboration

Decision detail:

  • Will you use StorageZone Controllers in the environment?
  • What Citrix Files VIP URL will you use?

Design guidance:

If you will include StorageZone Controllers in your environment, ensure that you correctly configure the following: Citrix Files Content Switch VIP (used by the Citrix Files Control Plane to communicate with the StorageZone Controller servers), Citrix Files Load Balancing VIPs, and all required policies and profiles. For information, see the Citrix StorageZones Controller documentation.

SAML IdP

Decision detail:

  • If SAML is required for Citrix Files, do you want to use Endpoint Management as the SAML IdP?

Design guidance:

The recommended best practice is to integrate Citrix Files with Endpoint Management Advanced Edition or Endpoint Management Enterprise Edition, a simpler alternative to configuring SAML-based federation. When you use Citrix Files with those Endpoint Management editions, Endpoint Management provides Citrix Files with single sign-on (SSO) authentication of Citrix mobile productivity apps users, user account provisioning based on Active Directory, and comprehensive access control policies. The Endpoint Management console enables you to perform Citrix Files configuration and to monitor service levels and license usage.

Note that there are two types of Citrix Files clients: Citrix Files for Endpoint Management (also referred to as wrapped Citrix Files) and Citrix Files mobile clients (also referred to as unwrapped Citrix Files). To understand the differences, see How Citrix Files for Endpoint Management Clients differ from Citrix Files mobile clients.

You can configure Endpoint Management and Citrix Files to use SAML to provide SSO access to Citrix Files mobile apps you wrap with the MDX Service, as well as to non-wrapped Citrix Files clients, such as the web site, Outlook plugin, or sync clients.

If you want to use Endpoint Management as the SAML IdP for Citrix Files, ensure that the proper configurations are in place. For details, see SAML for SSO with Citrix Files.

ShareConnect direct connections

Decision detail:

  • Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?

Design guidance:

ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, Endpoint Management uses Citrix Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.

Enrollment FQDN for each deployment type

Deployment type                                       | Enrollment FQDN
----------------------------------------------------- | -------------------------------------------------------
Enterprise (MDM+MAM) with mandatory MDM enrollment    | Endpoint Management server FQDN
Enterprise (MDM+MAM) with optional MDM enrollment     | Endpoint Management server FQDN or Citrix Gateway FQDN
MDM only                                              | Endpoint Management server FQDN
MAM-only (legacy)                                     | Citrix Gateway FQDN
MAM-only                                              | Endpoint Management server FQDN

Deployment Summary

Citrix recommends that you use the NetScaler for XenMobile wizard to ensure proper configuration. Be aware that you can use the wizard only one time. If you have multiple Endpoint Management instances, such as for test, development, and production environments, you must configure Citrix Gateway for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure Citrix Gateway manually for Endpoint Management.

The key decision you make when using the wizard is whether to use HTTPS or HTTP for communication to the Endpoint Management server. HTTPS provides secure back-end communication, as traffic between Citrix Gateway and Endpoint Management is encrypted; the re-encryption impacts Endpoint Management server performance. HTTP provides better Endpoint Management server performance; traffic between Citrix Gateway and Endpoint Management is not encrypted. The following tables show the HTTP and HTTPS port requirements for Citrix Gateway and Endpoint Management server.

HTTPS

Citrix typically recommends SSL Bridge for Citrix Gateway MDM virtual server configurations. For Citrix Gateway SSL Offload use with MDM virtual servers, Endpoint Management supports only port 80 as the backend service.

Deployment type | Citrix Gateway load balancing method | SSL re-encryption | Endpoint Management server port
--------------- | ------------------------------------ | ----------------- | -------------------------------
MDM             | SSL Bridge                           | N/A               | 443, 8443
MAM             | SSL Offload                          | Enabled           | 8443
Enterprise      | MDM: SSL Bridge                      | N/A               | 443, 8443
Enterprise      | MAM: SSL Offload                     | Enabled           | 8443

HTTP

Deployment type | Citrix Gateway load balancing method | SSL re-encryption | Endpoint Management server port
--------------- | ------------------------------------ | ----------------- | -------------------------------
MDM             | SSL Offload                          | Not supported     | 80
MAM             | SSL Offload                          | Enabled           | 8443
Enterprise      | MDM: SSL Offload                     | Not supported     | 80
Enterprise      | MAM: SSL Offload                     | Enabled           | 8443

For diagrams of Citrix Gateway in Endpoint Management deployments, see Architecture.