Product Documentation

Allowing Access from Mobile Devices with Citrix Mobile Productivity Apps

The Citrix ADC for XenMobile wizard configures the settings required to allow users to connect from supported devices through Citrix Gateway to mobile apps and resources in the internal network. Users connect by using Secure Hub (previously, Worx Home), which establishes a Micro VPN tunnel. When users connect, a VPN tunnel opens to Citrix Gateway and then is passed to XenMobile in the internal network. Users can then access their web, mobile, and SaaS apps from XenMobile.

To ensure that users consume a single Universal license when connecting to Citrix Gateway with multiple devices simultaneously, you can enable session transfer on the virtual server. For details, see Configuring Connection Types on the Virtual Server.

If you need to change your configuration after using the Citrix ADC for XenMobile wizard, use the sections in this article for guidance. Before changing settings, make sure that you understand the implications of your changes. For more information, refer to the XenMobile Deployment articles.

Configuring Secure Browse in Citrix Gateway

You can change Secure Browse as part of global settings or as part of a session profile. You can bind the session policy to users, groups, or virtual servers. When you configure Secure Browse, you must also enable clientless access. However, clientless access does not require you to enable Secure Browse. When you configure clientless access, set Clientless Access URL Encoding to Clear.

To configure Secure Browse globally:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Citrix Gateway Settings dialog box, on the Security tab, click Secure Browse and then click OK.

To configure Secure Browse in a session policy and profile:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, do one of the following:
    • If you are creating a new session policy, click Add.
    • If you are changing an existing policy, select a policy and then click Open.
  3. In the policy, create a new profile or modify an existing profile. To do so, do one of the following:
    • Next to Request Profile, click New.
    • Next to Request Profile, click Modify.
  4. On the Security tab, next to Secure Browse, click Override Global and then select Secure Browse.
  5. Do one of the following:
    • If you are creating a new profile, click Create, set the expression in the policy dialog box, click Create and then click Close.
    • If you are modifying an existing profile, after making the selection, click OK twice.

To configure traffic policies for Secure Web in Secure Browse mode:

Use the following steps to configure traffic policies to route Secure Web traffic through a proxy server in Secure Browse mode.

  1. In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies and then click Traffic.
  2. In the right pane, click the Traffic Profiles tab and then click Add.
  3. In Name, enter a name for the profile, select TCP as the Protocol, and leave the rest of the settings as-is.
  4. Click Create.
  5. Click the Traffic Profiles tab and then click Add.
  6. In Name, enter a name for the profile and then select HTTP as the Protocol. This Traffic Profile is for both HTTP and SSL. CVPN traffic is HTTP traffic by design, regardless of the destination port or service type. Thus, you specify both SSL and HTTP traffic as HTTP in the traffic profile.
  7. In Proxy, enter the IP address of the proxy server. In Port, enter the port number of the proxy server.
  8. Click Create.
  9. Click the Traffic Policies tab and then click Add.
  10. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile you created in Step 3. Enter the following Expression and then click Create:

    REQ.HTTP.HEADER HOST contains ActiveSyncServer || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise || REQ.HTTP.HEADER User-Agent CONTAINS WorxHome || REQ.HTTP.URL CONTAINS AGServices || REQ.HTTP.URL CONTAINS StoreWeb

    The first clause of that expression matches on the Host header. So that ActiveSync traffic bypasses the proxy, replace ActiveSyncServer with the host name of your ActiveSync server. Traffic that matches this policy uses the TCP profile, which has no proxy configured, so it goes directly to the internal resource.

  11. Click the Traffic Policies tab and then click Add. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:

    (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser || REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb) && REQ.TCP.DESTPORT == 80
  12. Click the Traffic Policies tab and then click Add. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:

    (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser || REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb) && REQ.TCP.DESTPORT == 443
  13. Navigate to Citrix Gateway > Virtual Servers, select the virtual server in the right pane, and then click Edit.
  14. On the Policies row, click +.
  15. From the Choose Policy menu, select Traffic.
  16. Click Continue.
  17. Under Policy Binding, across from Select Policy, click >.
  18. Select the Policy you created in Step 10 and then click OK.
  19. Click Bind.
  20. Under Policies, click Traffic Policies.
  21. Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
  22. Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
  23. Select the policy you created in Step 11 and then click OK.
  24. Click Bind.
  25. Under Policies, click Traffic Policies.
  26. Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
  27. Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
  28. Select the policy you created in Step 12 and then click OK.
  29. Click Bind.
  30. Click Close.
  31. Click Done.

Be sure to configure the Secure Web (WorxWeb) app in the XenMobile console. Go to Configure > Apps, select the Secure Web app, click Edit, and then make these changes:

  • On the App information page, change Initial VPN Mode to Secure Browse.
  • On the iOS page, change Initial VPN Mode to Secure Browse.
  • On the Android page, change Preferred VPN Mode to Secure Browse.

Configuring Application and MDX Token Time-Outs

When users log on from an iOS or Android device, an application token or an MDX token is issued. The token is similar to a Secure Ticket Authority (STA) ticket in that it is valid only for a limited time.

You can set the number of seconds or minutes the tokens are active. If the token expires, users cannot access the requested resource, such as an application or a web page.

Token time-outs are global settings. When you configure the setting, it applies to all users who log on to Citrix Gateway.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Citrix Gateway Settings dialog box, on the Client Experience tab, click Advanced Settings.
  4. On the General tab, in Application Token Timeout (sec) enter the number of seconds before the token expires. The default is 100 seconds.
  5. In MDX Token Timeout (mins), enter the number of minutes before the token expires and then click OK. The default is 10 minutes.

Disabling Endpoint Analysis for Mobile Devices

If you configure endpoint analysis, you need to configure the policy expressions so that the endpoint analysis scans do not run on Android or iOS mobile devices. Endpoint analysis scans are not supported on mobile devices.

If you bind an endpoint analysis policy to a virtual server, you must create a secondary virtual server for mobile devices. Do not bind preauthentication or post-authentication policies to the mobile device virtual server.

When you configure the policy expression in a preauthentication policy, you add the User-Agent string to exclude Android or iOS. When users log on from one of these devices and you exclude the device type, endpoint analysis does not run.

For example, the following preauthentication policy expression checks that the User-Agent does not contain Android and then checks whether the process keylogger.exe or the process virus.exe is running on the device. The preauthentication profile that the policy uses determines what happens when the expression matches, for example ending keylogger.exe if it is running. The policy expression might look like this:

REQ.HTTP.HEADER User-Agent NOTCONTAINS Android && CLIENT.APPLICATION.PROCESS(keylogger.exe) contains || CLIENT.APPLICATION.PROCESS (virus.exe) contains

After you create the preauthentication policy and profile, bind the policy to the virtual server. When users log on from an Android or iOS device, the scan does not run. If users log on from a Windows-based device, the scan does run. Note that the example expression excludes only Android; to exclude iOS as well, add a corresponding check for the iOS User-Agent string. Note also that the User-Agent header is supplied by the client, so this exclusion only keeps scans from failing on devices that cannot run them; it is not an access control. Any client that presents a mobile User-Agent skips the scan, which is why mobile users belong on the separate virtual server described above, with no preauthentication or post-authentication policies bound to it.
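The traffic policies in steps 10 to 12 of the Secure Browse procedure above and the preauthentication expression in this section use the same classic policy syntax, and the only reliable way to know which policy a given request hits is to evaluate the expressions against it. The following Python script is an added example, not Citrix code and not anything the product ships: it parses the subset of that syntax used on this page (REQ.HTTP.HEADER, REQ.HTTP.URL, REQ.TCP.DESTPORT, CLIENT.APPLICATION.PROCESS, &&, || and parentheses) and runs the page's own expressions over constructed requests. The host names, the proxy address, the operator semantics noted in the docstring and every request sample are assumptions.

```python
"""Evaluate the classic policy expressions from the traffic policy and preauthentication sections of this
page against sample requests.  Added illustration, not Citrix code.  Assumptions not stated on the page:
keywords are case-insensitive, CONTAINS is a case-sensitive substring test, and CLIENT.APPLICATION.PROCESS(name)
followed by 'contains' is true when that process is running on the client.  All hosts and requests are constructed."""
import re

TOKEN = re.compile(r"\(|\)|\|\||&&|==|[^\s()]+")    # parentheses, operators, bare words

def request(headers, url="/", dest_port=443, processes=()):
    """What the policy engine sees: request headers, URL, destination port and the endpoint-scan process list."""
    return {"headers": {k.lower(): v for k, v in headers.items()}, "url": url,
            "port": dest_port, "procs": {p.lower() for p in processes}}

def pop(tokens, want=None):
    tok = tokens.pop(0) if tokens else None
    if tok is None or (want is not None and tok != want):
        raise ValueError(f"expected {want or 'a token'}, got {tok!r}")
    return tok

def parse_or(tokens):                     # or_expr := and_expr ('||' and_expr)*, left-associative
    node = parse_and(tokens)
    while tokens and tokens[0] == "||":
        pop(tokens)
        node = (lambda a, b: lambda req: a(req) or b(req))(node, parse_and(tokens))
    return node

def parse_and(tokens):                    # and_expr := atom ('&&' atom)*, so && binds tighter than ||
    node = parse_atom(tokens)
    while tokens and tokens[0] == "&&":
        pop(tokens)
        node = (lambda a, b: lambda req: a(req) and b(req))(node, parse_atom(tokens))
    return node

def parse_atom(tokens):                   # atom := '(' or_expr ')' | header, URL, port or process test
    tok = pop(tokens)
    if tok == "(":
        node = parse_or(tokens)
        pop(tokens, ")")
        return node
    key = tok.upper()
    if key in ("REQ.HTTP.HEADER", "REQ.HTTP.URL"):
        name = pop(tokens).lower() if key == "REQ.HTTP.HEADER" else None
        op, value = pop(tokens).upper(), pop(tokens)
        if op not in ("CONTAINS", "NOTCONTAINS"):
            raise ValueError(f"unsupported operator {op!r}")
        return lambda req: (value in (req["headers"].get(name, "") if name else req["url"])) == (op == "CONTAINS")
    if key == "REQ.TCP.DESTPORT":
        pop(tokens, "==")
        port = int(pop(tokens))
        return lambda req: req["port"] == port
    if key == "CLIENT.APPLICATION.PROCESS":
        pop(tokens, "(")
        name = pop(tokens).lower()
        pop(tokens, ")")
        present = pop(tokens).upper() in ("CONTAINS", "EXISTS")   # the page writes 'contains' for "is running"
        return lambda req: (name in req["procs"]) == present
    raise ValueError(f"unsupported token {tok!r}")

def compile_expr(expr):
    """Turn a classic expression into a predicate over a request dict."""
    tokens = TOKEN.findall(expr)
    node = parse_or(tokens)
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

ACTIVESYNC_HOST = "activesync.example.internal"      # assumed; stands in for ActiveSyncServer
PROXY = "proxy.example.internal:8080"               # assumed proxy from the HTTP traffic profile
BROWSER_UA = ("(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS "
              "com.citrix.browser || REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb)")
TRAFFIC_POLICIES = [                                # (name, expression, proxy or None for direct)
    ("bypass-proxy", compile_expr(
        f"REQ.HTTP.HEADER HOST contains {ACTIVESYNC_HOST} || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || "
        "REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise || REQ.HTTP.HEADER User-Agent CONTAINS WorxHome || "
        "REQ.HTTP.URL CONTAINS AGServices || REQ.HTTP.URL CONTAINS StoreWeb"), None),
    ("web-http", compile_expr(BROWSER_UA + " && REQ.TCP.DESTPORT == 80"), PROXY),
    ("web-https", compile_expr(BROWSER_UA + " && REQ.TCP.DESTPORT == 443"), PROXY),
]
PREAUTH = compile_expr("REQ.HTTP.HEADER User-Agent NOTCONTAINS Android && CLIENT.APPLICATION.PROCESS(keylogger.exe) "
                       "contains || CLIENT.APPLICATION.PROCESS (virus.exe) contains")

def route(req):
    """Name of the first traffic policy that matches and the proxy it uses (None means direct)."""
    for name, matches, proxy in TRAFFIC_POLICIES:
        if matches(req):
            return name, proxy
    return "no-policy", None

def demo():
    windows, android = "Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Linux; Android 9) WorxHome"
    return {
        "mail": route(request({"Host": ACTIVESYNC_HOST, "User-Agent": "WorxMail/10.0"}, "/Microsoft-Server-ActiveSync")),
        "web": route(request({"Host": "intranet.example.internal", "User-Agent": "Mozilla/5.0 com.citrix.browser"})),
        "other": route(request({"Host": "api.example.internal", "User-Agent": "curl/7.0"}, "/", 8443)),
        "windows_keylogger": PREAUTH(request({"User-Agent": windows}, processes=["keylogger.exe"])),
        "android_clean": PREAUTH(request({"User-Agent": android})),
        # The client picks its own User-Agent: a Windows host that claims to be Android defeats the keylogger check.
        "spoofed_ua": PREAUTH(request({"User-Agent": windows + " Android"}, processes=["keylogger.exe"])),
    }
```

In the script, first match wins; on the appliance the binding priority (lower number first), not creation order, decides which traffic policy is evaluated first, so give the bypass policy the higher priority if any client's User-Agent could match both it and the browser policies. The evaluator applies && before || because the page's preauthentication expression is written without parentheses; as written, the Android exclusion therefore covers only the keylogger.exe clause, and if you want it to cover both process checks, group them in parentheses. The last scenario is the point made above: the exclusion is evaluated on a header the client supplies, so a Windows host that appends Android to its User-Agent makes the keylogger.exe clause moot.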

For more information about configuring preauthentication policies, see Configuring Endpoint Policies.

Supporting DNS Queries by Using DNS Suffixes for Android Devices

When users establish a Micro VPN connection from an Android device, Citrix Gateway sends split DNS settings to the user device. Citrix Gateway supports split DNS queries based on the split DNS settings you configure. Citrix Gateway can also support split DNS queries based on DNS suffixes you configure on the appliance. If users connect from an Android device, you must configure DNS settings on Citrix Gateway.

Split DNS works in the following manner:

  • If you set split DNS to Local, the Android device sends all DNS requests to the local DNS server.
  • If you set split DNS to either Remote or Both (Both is the default setting), the Android device routes each DNS request based on the DNS suffixes. If the queried name ends with one of the configured DNS suffixes, the request is sent to Citrix Gateway for resolution; otherwise, it is sent to the local DNS server. For this reason, you must configure the DNS suffix when you set split DNS to Remote or Both.
  • If a DNS A record query matches the Citrix Gateway fully qualified domain name (FQDN) that users connect to with the VPN connection, the user device answers it from its cached local DNS response instead of sending it through the tunnel. For example, if users establish a VPN connection to mycompany.ng.com and the user device then makes a DNS request for mycompany.ng.com, the response comes from the cached DNS response. This is true even if the Citrix Gateway FQDN matches a configured DNS suffix.
  • If the DNS query does not contain a domain name, the request is sent to Citrix Gateway for resolution. For example, if a user connects to an internal web site by its short name, such as mycompany, the DNS query is sent to Citrix Gateway. If you configure split DNS to either Both or Remote and the user enters the full FQDN, mycompany.nginternal.com, the DNS resolution is based on the DNS suffix.
  • If the DNS query is not for a DNS A record, the query strictly follows the Citrix Gateway split DNS setting.
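The rules above amount to a small decision procedure, and the order in which they apply matters (for example, the Citrix Gateway FQDN rule takes precedence over the suffix rule). The following Python function is an added example, not Citrix code, that implements the rules as this page states them and runs a set of constructed queries through each split DNS setting. Matching suffixes on label boundaries is an assumption, as is the "both" result for non-A queries under the Both setting; mycompany.ng.com and nginternal.com are the page's own example names.

```python
"""Where an Android Micro VPN client sends a DNS query under the split DNS rules described above.
Added example, not Citrix code.  Results: "local" (the device's own DNS server), "gateway" (Citrix
Gateway resolves it) or "both" (a non-A query under the Both setting; which answer the client then
uses is not stated on the page).  Matching suffixes on label boundaries is an assumption, as are the
names below; mycompany.ng.com and nginternal.com are the page's own examples."""

MODES = ("local", "remote", "both")


def matches_suffix(name, suffix):
    """True for 'host.nginternal.com' against 'nginternal.com', but not for 'evilnginternal.com'."""
    suffix = suffix.strip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def resolve_via(qname, qtype, split_dns, suffixes, gateway_fqdn):
    mode = split_dns.lower()
    if mode not in MODES:
        raise ValueError(f"split DNS must be one of {MODES}, got {split_dns!r}")
    name = qname.rstrip(".").lower()
    if mode == "local":                       # Local: every query goes to the local DNS server
        return "local"
    if qtype.upper() != "A":                  # non-A queries follow the split DNS setting as-is
        return "gateway" if mode == "remote" else "both"
    if name == gateway_fqdn.rstrip(".").lower():
        return "local"                        # served from the device's cached answer, even if a suffix matches
    if "." not in name:                       # bare host name such as 'mycompany'
        return "gateway"
    if any(matches_suffix(name, s) for s in suffixes):
        return "gateway"
    return "local"


def plan(queries, split_dns, suffixes=("nginternal.com",), gateway_fqdn="mycompany.ng.com"):
    """Map each (name, record type) query to its resolver for one split DNS setting."""
    return {f"{n} {t}": resolve_via(n, t, split_dns, suffixes, gateway_fqdn) for n, t in queries}


SAMPLE_QUERIES = [                            # constructed queries a device might issue while connected
    ("mycompany.nginternal.com", "A"),        # internal host, matches the suffix
    ("mycompany", "A"),                       # short name, no domain
    ("mycompany.ng.com", "A"),                # the gateway's own FQDN
    ("www.example.com", "A"),                 # public name, no suffix match
    ("evilnginternal.com", "A"),              # ends with the suffix text but is not under it
    ("mail.nginternal.com", "AAAA"),          # non-A record
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, plan(SAMPLE_QUERIES, mode))
```

The evilnginternal.com query is included because the page says a name is routed to Citrix Gateway when it "ends with" a configured suffix; a plain string-suffix comparison would send that name through the tunnel as well, so confirm on your appliance which behaviour you get before relying on a short suffix. The function treats Local as absolute, since the page says all requests go to the local DNS server in that mode.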

To configure a DNS suffix:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, select a session policy and then click Open.
  3. Next to Request Profile, click Modify.
  4. On the Network Configuration tab, click Advanced.
  5. Next to Intranet IP DNS Suffix, click Override Global, type the DNS suffix and then click OK three times.

To configure split DNS globally on Citrix Gateway:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, click Advanced Settings.
  4. On the General tab, in Split DNS, select Both, Remote, or Local and then click OK.

To configure split DNS in a session policy on Citrix Gateway:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Client Experience tab, click Advanced Settings.
  7. On the General tab, next to Split DNS, click Override Global, select Both, Remote, or Local and then click OK.
  8. In the Create Session Policy dialog box, next to Named Expressions, select General, select True, click Add Expression, click Create and then click Close.