Integrating with Citrix Gateway and Citrix ADC

When integrated with Endpoint Management, Citrix Gateway provides the authentication mechanism through which MAM devices gain remote access to the internal network. The integration enables Citrix mobile productivity apps to connect to corporate servers in the intranet through a micro VPN. Endpoint Management creates a micro VPN from the apps on the device to Citrix Gateway.

Citrix Cloud Operations manages Citrix ADC load balancing.

Integration requirements for Endpoint Management server modes

The integration requirements for Citrix Gateway and Citrix ADC differ based on the Endpoint Management server modes: MAM and MDM+MAM, also called ENT (enterprise).

MAM

With the Endpoint Management server in MAM mode:

  • Citrix Gateway is required. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.

MDM+MAM (ENT)

With the Endpoint Management server in MDM+MAM mode:

  • Citrix Gateway is required. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.

  • When the Endpoint Management server mode is MDM+MAM and a user opts out of MDM enrollment, devices enroll using the Citrix Gateway FQDN.

Design Decisions

The following sections summarize the many design decisions to consider when planning a Citrix Gateway integration with Endpoint Management.

Certificates

Decision detail:

  • Do you require a higher degree of security for enrollments and access to the Endpoint Management environment?
  • Is LDAP not an option?

Design guidance:

The default configuration for Endpoint Management is user name and password authentication. To add another layer of security for enrollment and access to Endpoint Management environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.

If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to Endpoint Management. Users then enroll using a unique PIN that Endpoint Management generates for them. After a user has access, Endpoint Management creates and deploys the certificate later used to authenticate to the Endpoint Management environment.

Endpoint Management supports Certificate Revocation List (CRL) checking only for a third-party Certificate Authority. If you have a Microsoft CA configured, Endpoint Management relies on Citrix Gateway to manage revocation. When you configure client certificate-based authentication, consider whether you need to enable the Citrix Gateway CRL setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can't authenticate with a revoked certificate that still exists on the device. Endpoint Management then issues a new certificate, because it does not prevent a user from generating a user certificate after one is revoked. Refreshing the CRL automatically strengthens the PKI because Citrix Gateway rejects revoked certificates at the next refresh instead of accepting them until they expire.
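The following Citrix ADC CLI fragment is an added example of the client-certificate and CRL auto-refresh setup described above; it is not from the original page and is not what the Citrix wizard generates. The virtual server name _XM_MAM_vsrv, the CA certificate file, the CRL file name and the distribution point URL are assumed placeholders.

```nscli
# Added example (not from the original page). Names, paths and URLs are placeholders.
# Issuing CA that signs the user certificates Endpoint Management deploys to devices.
add ssl certKey XM_Issuing_CA -cert /nsconfig/ssl/xm-issuing-ca.pem

# CRL object for that CA. The file (relative to /var/netscaler/ssl/) is fetched over
# HTTP from the CA's distribution point and refreshed daily on the ADC, so a revoked
# device certificate is rejected at the next refresh instead of lingering until expiry.
add ssl crl XM_Issuing_CA_CRL xm-issuing-ca.crl -inform DER -refresh ENABLED -CAcert XM_Issuing_CA -method HTTP -url http://pki.example.com/crl/xm-issuing-ca.crl -interval DAILY

# Gateway virtual server used by Secure Hub (assumed name): require a client
# certificate and make the CRL check mandatory for certificates from this CA.
set ssl vserver _XM_MAM_vsrv -clientAuth ENABLED -clientCert Mandatory
bind ssl vserver _XM_MAM_vsrv -certkeyName XM_Issuing_CA -CA -crlCheck Mandatory

# Check: the CRL object must report refresh ENABLED and a recent last-update time.
show ssl crl XM_Issuing_CA_CRL
```

With -crlCheck Mandatory, a client certificate is refused if the ADC has no usable CRL for its issuer, which is the safer failure mode for MAM-only devices that keep an old certificate on the device.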

Dedicated or shared Citrix Gateway VIPs

Decision detail:

  • Do you currently use Citrix Gateway for Citrix Virtual Apps and Desktops?
  • Will Endpoint Management use the same Citrix Gateway as Citrix Virtual Apps and Desktops?
  • What are the authentication requirements for both traffic flows?

Design guidance:

When your Citrix environment includes Endpoint Management plus Virtual Apps and Desktops, you can use the same Citrix Gateway virtual server for both. However, because of potential versioning conflicts and the need for environment isolation, a dedicated Citrix Gateway is recommended for each Endpoint Management environment.

If you use LDAP authentication, Citrix Workspace and Secure Hub can authenticate to the same Citrix Gateway with no issues. If you use certificate-based authentication, Endpoint Management pushes a certificate in the MDX container and Secure Hub uses the certificate to authenticate with Citrix Gateway. The Workspace app is separate from Secure Hub and can’t use the same certificate as Secure Hub to authenticate to the same Citrix Gateway.

You might consider this workaround, which allows you to use the same FQDN for two Citrix Gateway VIPs: create two Citrix Gateway VIPs with the same IP address. The one for Secure Hub uses the standard port 443 and the one for Citrix Virtual Apps and Desktops (which deploys the Citrix Workspace app) uses port 444. One FQDN then resolves to the same IP address. For this workaround, you might need to configure StoreFront to return an ICA file for port 444 instead of the default, port 443. This workaround doesn't require users to enter a port number.
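The Citrix ADC CLI fragment below is an added example of the two-VIP workaround; it is not from the original page or from the Citrix wizard. The IP address 203.0.113.10, the virtual server, certificate and policy names, and the StoreFront and STA URLs are assumed placeholders.

```nscli
# Added example (not from the original page). IPs, names and URLs are placeholders.
# One IP and one FQDN (gw.example.com), two Citrix Gateway virtual servers split by port.
add vpn vserver _XM_SecureHub_vsrv SSL 203.0.113.10 443
add vpn vserver _CVAD_Workspace_vsrv SSL 203.0.113.10 444

# Both answer for the same FQDN, so both present the same server certificate.
bind ssl vserver _XM_SecureHub_vsrv -certkeyName GW_Server_cert
bind ssl vserver _CVAD_Workspace_vsrv -certkeyName GW_Server_cert

# Only the Secure Hub virtual server asks for the MDX-deployed client certificate.
# The Workspace app on 444 cannot use that certificate and authenticates with LDAP
# (LDAP policy binding not shown).
set ssl vserver _XM_SecureHub_vsrv -clientAuth ENABLED -clientCert Mandatory
bind ssl vserver _XM_SecureHub_vsrv -certkeyName XM_Issuing_CA -CA -crlCheck Mandatory

# Session profiles: micro VPN (clientless, secure browse) for Secure Hub,
# ICA proxy for Workspace.
add vpn sessionAction AC_SecureHub -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -clientlessVpnMode ON -securebrowse ENABLED -storefronturl "https://storefront.example.com/Citrix/Store"
add vpn sessionAction AC_Workspace -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb"
add vpn sessionPolicy PL_SecureHub true AC_SecureHub
add vpn sessionPolicy PL_Workspace true AC_Workspace
bind vpn vserver _XM_SecureHub_vsrv -policy PL_SecureHub -priority 100
bind vpn vserver _CVAD_Workspace_vsrv -policy PL_Workspace -priority 100

# STAs on the Workspace virtual server must match the STAs configured in StoreFront.
bind vpn vserver _CVAD_Workspace_vsrv -staServer http://sta1.example.com
bind vpn vserver _CVAD_Workspace_vsrv -staServer http://sta2.example.com
```

The StoreFront change that makes the ICA file point at port 444 is made on the StoreFront side, not on the ADC, and is outside this fragment.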

Citrix Gateway time-outs

Decision detail:

  • How do you want to configure the Citrix Gateway time-outs for Endpoint Management traffic?

Design guidance:

Citrix Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended configurations. Keep in mind that there are different time-out values for background services, Citrix Gateway, and for accessing applications while offline.

Enrollment FQDN

Important:

Changing the enrollment FQDN requires a new SQL Server database and an Endpoint Management server rebuild.

Secure Web traffic

Decision detail:

  • Will you restrict Secure Web to internal web browsing only?
  • Will you enable Secure Web for both internal and external web browsing?

Design guidance:

If you will use Secure Web for internal web browsing only, Citrix Gateway configuration is straightforward. However, if Secure Web can’t reach all internal sites by default, you might need to configure firewalls and proxy servers.

If you will use Secure Web for both internal and external browsing, you must enable the SNIP to have outbound internet access. IT generally views enrolled devices (using the MDX container) as an extension of the corporate network. Thus, IT typically wants Secure Web connections to come back to Citrix Gateway, go through a proxy server, and then go out to the Internet. By default, Secure Web access tunnels to the internal network: Secure Web uses a per-application VPN tunnel back to the internal network for all network access, and Citrix Gateway applies its split tunnel settings to that traffic.

For a discussion of Secure Web connections, see Configuring User Connections.
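The Citrix ADC CLI fragment below is an added example covering both the time-out settings from the Citrix Gateway time-outs section and the Secure Web routing described above; it is not from the original page or from the Citrix wizard. The time-out values, the session action name, the SNIP address and the proxy host are assumed placeholders; take the real time-out values from Recommended configurations.

```nscli
# Added example (not from the original page). Values, names and addresses are placeholders.
# Gateway-side time-outs live on the session action bound to the Secure Hub virtual
# server. sessTimeout is idle time in minutes before the session is dropped;
# forcedTimeout is the absolute session lifetime in minutes regardless of activity.
add vpn sessionAction AC_SecureHub -sessTimeout 1440 -forcedTimeout 43200 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -clientlessVpnMode ON -securebrowse ENABLED -splitTunnel OFF

# Secure Web for internal and external browsing: splitTunnel OFF sends every
# Secure Web request through the micro VPN back to the ADC. For external sites the
# ADC needs a SNIP that can reach the outbound proxy, and the session action names
# that proxy for HTTP and HTTPS, with internal domains excepted.
add ns ip 10.0.0.5 255.255.255.0 -type SNIP
set vpn sessionAction AC_SecureHub -proxy NS -httpProxy proxy.example.com:3128 -sslProxy proxy.example.com:3128 -proxyException "*.example.com"

# Check the effective values.
show vpn sessionAction AC_SecureHub
```

The background-services time-out and the offline access time-out mentioned in the time-outs section are Endpoint Management client properties and MDX policies, not Citrix ADC settings, so they do not appear here.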

Push Notifications for Secure Mail

Decision detail:

  • Will you use push notifications?

Design guidance for iOS:

If your Citrix Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off: Citrix Gateway must allow traffic from Secure Mail to the Citrix listener service URLs. Those URLs are specified in push notifications for Secure Mail for iOS.

Design guidance for Android:

Use Firebase Cloud Messaging (FCM) to control how and when Android devices need to connect to Endpoint Management. With FCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the Endpoint Management server.

HDX STAs

Decision detail:

  • What STAs to use if you will integrate HDX application access?

Design guidance:

HDX STAs must match the STAs in StoreFront and must be valid for the Virtual Apps and Desktops site.

Citrix Files and Citrix Content Collaboration

Decision detail:

  • Will you use storage zones controller in the environment?
  • What Citrix Files VIP URL will you use?

Design guidance:

If you will include storage zones controller in your environment, ensure that you correctly configure the following:

  • Citrix Files Content Switch VIP (used by the Citrix Files Control Plane to communicate with the storage zones controller servers)
  • Citrix Files Load Balancing VIPs
  • All required policies and profiles

For information, see the documentation for Storage zones controller.

SAML IdP

Decision detail:

  • If SAML is required for Citrix Files, do you want to use Endpoint Management as the SAML IdP?

Design guidance:

The recommended best practice is to integrate Citrix Files with Endpoint Management, a simpler alternative to configuring SAML-based federation. Endpoint Management provides Citrix Files with:

  • Single sign-on (SSO) authentication of Citrix mobile productivity apps users
  • User account provisioning based on Active Directory
  • Comprehensive access control policies

The Endpoint Management console enables you to perform Citrix Files configuration and to monitor service levels and license usage.

There are two types of Citrix Files clients: Citrix Files for Endpoint Management (also known as wrapped Citrix Files) and Citrix Files mobile clients (also known as unwrapped Citrix Files). To understand the differences, see How Citrix Files for Endpoint Management Clients differ from Citrix Files mobile clients.

You can configure Endpoint Management and Citrix Files to use SAML to provide SSO access to:

  • Citrix Files mobile apps you wrap with the MDX Service
  • Non-wrapped Citrix Files clients, such as the website, Outlook plug-in, or sync clients

If you want to use Endpoint Management as the SAML IdP for Citrix Files, ensure that the proper configurations are in place. For details, see SAML for SSO with Citrix Files.

ShareConnect direct connections

Decision detail:

  • Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?

Design guidance:

ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, Endpoint Management uses Citrix Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.

Enrollment FQDN for each deployment type

Deployment type                           Enrollment FQDN
---------------------------------------   ------------------------------------------------------
MDM+MAM with mandatory MDM enrollment     Endpoint Management server FQDN
MDM+MAM with optional MDM enrollment      Endpoint Management server FQDN or Citrix Gateway FQDN
MAM-only                                  Endpoint Management server FQDN
MAM-only (legacy)                         Citrix Gateway FQDN

Deployment Summary

Citrix recommends that you use the NetScaler for XenMobile wizard to ensure proper configuration. Be aware that you can use the wizard only one time. If you have multiple Endpoint Management instances, such as for test, development, and production environments, you must configure Citrix Gateway for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure Citrix Gateway manually for Endpoint Management.

The key decision you make when using the wizard is whether to use HTTPS or HTTP for communication to the Endpoint Management server. HTTPS provides secure back-end communication, because traffic between Citrix Gateway and Endpoint Management is encrypted; the cost is that terminating the re-encrypted traffic affects Endpoint Management server performance. HTTP provides better Endpoint Management server performance, but traffic between Citrix Gateway and Endpoint Management is not encrypted. The following tables show the HTTPS and HTTP port requirements for Citrix Gateway and the Endpoint Management server.

HTTPS

Citrix typically recommends SSL Bridge for Citrix Gateway MDM virtual server configurations. For Citrix Gateway SSL Offload use with MDM virtual servers, Endpoint Management supports only port 80 as the back-end service.

Deployment type   Citrix Gateway load balancing method   SSL re-encryption   Endpoint Management server port
---------------   ------------------------------------   -----------------   -------------------------------
MAM               SSL Offload                            Enabled             8443
MDM+MAM           MDM: SSL Bridge                        N/A                 443, 8443
MDM+MAM           MAM: SSL Offload                       Enabled             8443

HTTP

Deployment type   Citrix Gateway load balancing method   SSL re-encryption   Endpoint Management server port
---------------   ------------------------------------   -----------------   -------------------------------
MAM               SSL Offload                            Enabled             8443
MDM+MAM           MDM: SSL Offload                       Not supported       80
MDM+MAM           MAM: SSL Offload                       Enabled             8443
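The Citrix ADC CLI fragment below is an added example showing what the three load balancing methods in the tables above look like in configuration; it is not from the original page or from the Citrix wizard. The Endpoint Management server address 10.0.1.20, the VIP addresses, and the service, virtual server and certificate names are assumed placeholders.

```nscli
# Added example (not from the original page). IPs and names are placeholders.
# Endpoint Management server node (assumed): 10.0.1.20

# --- MDM, SSL Bridge (the recommended HTTPS row): the ADC passes TLS through
# untouched, so the device sees the Endpoint Management server's own certificate.
# Back-end ports 443 and 8443; source IP persistence keeps a device on one node.
add service XM_MDM_443_svc 10.0.1.20 SSL_BRIDGE 443
add service XM_MDM_8443_svc 10.0.1.20 SSL_BRIDGE 8443
add lb vserver _XM_LB_MDM_443 SSL_BRIDGE 203.0.113.20 443 -persistenceType SOURCEIP -timeout 1440
add lb vserver _XM_LB_MDM_8443 SSL_BRIDGE 203.0.113.20 8443 -persistenceType SOURCEIP -timeout 1440
bind lb vserver _XM_LB_MDM_443 XM_MDM_443_svc
bind lb vserver _XM_LB_MDM_8443 XM_MDM_8443_svc

# --- MAM, SSL Offload with re-encryption (both tables): the ADC terminates TLS on
# the VIP and opens its own TLS session to back-end 8443 (service type SSL).
# This VIP is internal; the Citrix Gateway session reaches it by the Endpoint
# Management FQDN, so it must carry the server certificate.
add service XM_MAM_8443_svc 10.0.1.20 SSL 8443
add lb vserver _XM_LB_MAM_8443 SSL 10.0.0.30 8443
bind lb vserver _XM_LB_MAM_8443 XM_MAM_8443_svc
bind ssl vserver _XM_LB_MAM_8443 -certkeyName XM_Server_cert

# --- MDM, SSL Offload to HTTP (the HTTP table): only back-end port 80 is supported
# and the ADC-to-server leg is plaintext, so use it only where that is acceptable.
add service XM_MDM_80_svc 10.0.1.20 HTTP 80
add lb vserver _XM_LB_MDM_http SSL 203.0.113.21 443 -persistenceType SOURCEIP -timeout 1440
bind lb vserver _XM_LB_MDM_http XM_MDM_80_svc
bind ssl vserver _XM_LB_MDM_http -certkeyName XM_Server_cert

# Check that every back-end service is UP before pointing DNS at the VIPs.
show lb vserver -summary
```

The service type is what decides the table's "SSL re-encryption" column: SSL_BRIDGE never decrypts, SSL re-encrypts toward the server, and HTTP sends plaintext.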

For diagrams of Citrix Gateway in Endpoint Management deployments, see Architecture.