Configuring Settings for Your XenMobile Environment

January 6, 2019

Contributed by: C

The Citrix ADC for XenMobile wizard guides you through the configuration of Citrix ADC features for your XenMobile deployment. You can use the wizard to:

Set up a Micro VPN. In this scenario, remote users can access apps and desktops in the internal network.
- For XenMobile MAM-only mode, you must use Citrix Gateway for authentication.
- For MDM deployments, Citrix recommends Citrix Gateway for mobile device VPN.
- For ENT deployments, if a user opts out of MDM enrollment, the device operates in the legacy MAM mode and enrolls using the Citrix Gateway FQDN.
Configure certificate-based authentication. The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to XenMobile environment, consider using certificate-based authentication.
Load balance XenMobile servers. Citrix ADC load balancing is required for all XenMobile device modes if you have multiple XenMobile servers or if the XenMobile is inside your DMZ or internal network (and therefore traffic flows from devices to Citrix ADC to XenMobile). In this scenario, the Citrix ADC appliance resides in the DMZ between the user device and the XenMobile servers to load balance encrypted sent data from mobile devices to the XenMobile servers.
Load balance Microsoft Exchange servers with email filtering. In this scenario, the Citrix ADC appliance is between the user device and the XenMobile Citrix ADC Connector (XNC), and between the user device and the Microsoft Exchange CAS servers. All requests from user devices go to the Citrix Gateway appliance, which then communicates with the XNC to retrieve information about the device. Depending on the response from the XNC, the Citrix ADC appliance either forwards the request from a whitelisted device to the server in the internal network, or drops the connection from a blacklisted device.
Load balance ShareFile StorageZones Connectors based on the type of content requested. This scenario prompts you for basic information about your StorageZones Controller environment and then generates a configuration that does the following:
- Load balances traffic across StorageZones Controllers.
- Provides user authentication for StorageZones Connectors.
- Validates URI signatures for ShareFile uploads and downloads.
- Terminates SSL connections at the Citrix ADC appliance.

For more information about configuring ShareFile, see Configure Citrix ADC for StorageZones Controller.

Important

Before you use the XenMobile wizard, be sure to refer to these XenMobile Deployment articles for design and deployment information and recommendations:

XenMobile Integration

Integrating with Citrix Gateway and Citrix ADC

SSO and Proxy Considerations for MDX Apps

Authentication

You can use the Citrix ADC for XenMobile wizard only once. If you want multiple XenMobile instances, such as for test, development, and production environments, you must configure Citrix ADC for the additional environments manually. The following support articles list the commands run by the wizard and provides instructions for running them to create a new Citrix ADC instance:

Commands Generated by XenMobile Wizard on Citrix ADC - SSL Bridge

Commands Generated by XenMobile Wizard on Citrix ADC - SSL Offload

License Requirements for Citrix ADC Features

You must install licenses to enable the following Citrix ADC features:

XenMobile MDM load balancing requires a Citrix ADC standard license.
ShareFile load balancing with StorageZones requires a Citrix ADC standard license.
Exchange load balancing requires a Citrix ADC license or a Enterprise license with the addition of an Integrated Caching license.

Citrix ADC for XenMobile Wizard

This section provides an example of using the Citrix ADC for XenMobile wizard to:

Set up micro VPN access for remote user connections to XenMobile-managed resources in your internal network
Configure certificate-based authentication. For information about obtaining and installing a public SSL certificate, see Installing and Managing Certificates.
Configure load balancing for XenMobile servers.

To use the wizard:

In the configuration utility, click the Configuration tab and then click XenMobile.
Select your XenMobile version and then click Get Started.
Select the checkboxes for the features you want to configure. Keep in mind that you can use this wizard only once, so you’ll need to perform subsequent configuration manually. These instructions assume that you select the following settings: Access through Citrix Gateway (for XenMobile running in ENT or MAM modes) Load Balance XenMobile Servers
On the Citrix Gateway Settings page, enter values for the external facing Citrix Gateway IP Address, Port, and Virtual Server Name.
On the Server Certificate for Citrix Gateway page, from the Certificate File drop-down menu, choose the certificate file from Local or Appliance. If your certificate is on a local machine:

If your certificate is on the appliance:
In the Authentication Settings page, in the Primary authentication method field, select Client Certificate.

This will automatically select Use existing certificate policy and Cert Auth in the next two fields. The following steps assume that you already have a certificate policy.

If you need to create a certificate policy, click Create certificate policy and complete the settings. On the XenMobile Certificate screen, choose an existing server certificate or install a new certificate. If you’re running multiple XenMobile servers, you will add a certificate for each one. For Server Logon Name Attribute, specify userPrincipalName or samAccountName, per your requirements.
- a. Select Click here to change the CA certificate and then in the Browse list, navigate to the CA certificate you want.
- b. With client certificate as your primary authentication type, you have the option of configuring LDPA (or RADIUS) as the secondary authentication type.
  
  To use client certificate authentication only, leave Second authentication method as None and then click Continue.
  
  To use client certificate + domain (LDAP) authentication, change Second authentication method to LDAP and configure the authentication server settings.
- c. On the Device certificate screen, if the certificate is not already installed, you must export this certificate from the XenMobile console: From the console, click the gear icon in the upper-right corner to open the Settings screen.
- d. Click Certificate and then choose the CA certificate from the list.
- e. Click Export.
- f. Return to the Citrix ADC wizard and select the certificate you exported (downloaded) to install it.
- g. Click Continue.
The XenMobile IP addresses that you’ve configured will appear.
Configure the XenMobile App Management Settings.
- Enter the XenMobile FQDN. This is the load balancing FQDN for MAM.
- Enter a MAM-only Internal Load Balancing IP Address for the virtual server that load balances XenMobile servers. Citrix Gateway communicates with the XenMobile through this MAM load balancing virtual IP.
- This is an SSL offload deployment, so select HTTP in Communication with XenMobile Server.
- The Split DNS mode for MicroVPN field automatically sets to BOTH.
If your deployment requires split tunneling, select Enable split tunneling. You must configure Intranet Application Binding, next, if you enable split tunneling.

By default, Secure Web access is tunneled to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and the Citrix ADC appliance uses split tunnel settings.
To configure interception rules for user connections on Citrix Gateway, you must configure Intranet Application Binding. Click + to add a binding.
Complete the parameters for allowing network access and then click Create.
Add the XenMobile certificate. This will be used for the MAM load balancing virtual server.
Under XenMobile Servers, click Add Server to add the XenMobile IP Address to bind to the load balancing virtual IP.
On the Citrix ADC dashboard, confirm that Citrix Gateway and XenMobile load balancing are configured as follows.

If you will use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the certificate profile as described in Manually Configuring Citrix Gateway for Client Certificate Authentication.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configuring Settings for Your XenMobile Environment

January 6, 2019

Contributed by: C

Configuring Settings for Your XenMobile Environment

License Requirements for Citrix ADC Features

Citrix ADC for XenMobile Wizard

Configuring Settings for Your XenMobile Environment

In this article