Configuring Settings for Your XenMobile Environment

The NetScaler for XenMobile wizard guides you through the configuration of NetScaler features for your XenMobile deployment. You can use the wizard to:

  • Set up a Micro VPN. In this scenario, remote users can access apps and desktops in the internal network.

    • For XenMobile MAM-only mode, you must use NetScaler Gateway for authentication.

    • For MDM deployments, Citrix recommends NetScaler Gateway for mobile device VPN.

    • For ENT deployments, if a user opts out of MDM enrollment, the device operates in the legacy MAM mode and enrolls using the NetScaler Gateway FQDN.

  • Configure certificate-based authentication. The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to the XenMobile environment, consider using certificate-based authentication.
  • Load balance XenMobile servers. NetScaler load balancing is required for all XenMobile server device modes if you have multiple XenMobile servers or if the XenMobile server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile). In this scenario, the NetScaler appliance resides in the DMZ between the user device and the XenMobile servers to load balance encrypted data sent from mobile devices to the XenMobile servers.
  • Load balance Microsoft Exchange servers with email filtering. In this scenario, the NetScaler appliance is between the user device and the XenMobile NetScaler Connector (XNC), and between the user device and the Microsoft Exchange CAS servers. All requests from user devices go to the NetScaler Gateway appliance, which then communicates with the XNC to retrieve information about the device. Depending on the response from the XNC, the NetScaler appliance either forwards the request from a whitelisted device to the server in the internal network, or drops the connection from a blacklisted device.
  • Load balance ShareFile StorageZones Connectors based on the type of content requested. This scenario prompts you for basic information about your StorageZones Controller environment and then generates a configuration that does the following:
    • Load balances traffic across StorageZones Controllers.
    • Provides user authentication for StorageZones Connectors.
    • Validates URI signatures for ShareFile uploads and downloads.
    • Terminates SSL connections at the NetScaler appliance.

For more information about configuring ShareFile, see Configure NetScaler for StorageZones Controller.

Important

Before you use the XenMobile wizard, be sure to refer to these XenMobile Deployment articles for design and deployment information and recommendations:

XenMobile Integration

Integrating with NetScaler Gateway and NetScaler

SSO and Proxy Considerations for MDX Apps

Authentication

You can use the NetScaler for XenMobile wizard only once. If you want multiple XenMobile instances, such as for test, development, and production environments, you must configure NetScaler for the additional environments manually. The following support articles list the commands run by the wizard and provide instructions for running them to create a new NetScaler instance:

Commands Generated by XenMobile Wizard on NetScaler - SSL Bridge

Commands Generated by XenMobile Wizard on NetScaler - SSL Offload

License Requirements for NetScaler Features

You must install licenses to enable the following NetScaler features:

  • XenMobile MDM load balancing requires a NetScaler standard license.
  • ShareFile load balancing with StorageZones requires a NetScaler standard license.
  • Exchange load balancing requires a NetScaler license or an Enterprise license with the addition of an Integrated Caching license.

NetScaler for XenMobile Wizard

This section provides an example of using the NetScaler for XenMobile wizard to:

  • Set up micro VPN access for remote user connections to XenMobile-managed resources in your internal network
  • Configure certificate-based authentication. For information about obtaining and installing a public SSL certificate, see Installing and Managing Certificates.
  • Configure load balancing for XenMobile servers.

To use the wizard:

  1. In the configuration utility, click the Configuration tab and then click XenMobile.

  2. Select your XenMobile version and then click Get Started.
  3. Select the checkboxes for the features you want to configure. Keep in mind that you can use this wizard only once, so you’ll need to perform subsequent configuration manually. These instructions assume that you select the following settings:

    • Access through NetScaler Gateway (for XenMobile Server running in ENT or MAM modes)
    • Load Balance XenMobile Servers

  4. On the NetScaler Gateway Settings page, enter values for the external-facing NetScaler Gateway IP Address, Port, and Virtual Server Name.

  5. On the Server Certificate for NetScaler Gateway page, from the Certificate File drop-down menu, choose the certificate file from Local or Appliance.

[Screenshots: the Server Certificate page for a certificate on a local machine, and for a certificate on the appliance.]

  6. In the Authentication Settings page, in the Primary authentication method field, select Client Certificate.

This will automatically select Use existing certificate policy and Cert Auth in the next two fields. The following steps assume that you already have a certificate policy.

If you need to create a certificate policy, click Create certificate policy and complete the settings. On the XenMobile Server Certificate screen, choose an existing server certificate or install a new certificate. If you’re running multiple XenMobile servers, you will add a certificate for each one. For Server Logon Name Attribute, specify userPrincipalName or samAccountName, per your requirements.

a. Select Click here to change the CA certificate and then in the Browse list, navigate to the CA certificate you want.

b. With client certificate as your primary authentication type, you have the option of configuring LDAP (or RADIUS) as the secondary authentication type.

To use client certificate authentication only, leave Second authentication method as None and then click Continue.

To use client certificate + domain (LDAP) authentication, change Second authentication method to LDAP and configure the authentication server settings.

c. On the Device certificate screen, if the certificate is not already installed, you must export this certificate from the XenMobile console. From the console, click the gear icon in the upper-right corner to open the Settings screen.

d. Click Certificate and then choose the CA certificate from the list.

e. Click Export.

f. Return to the NetScaler wizard and select the certificate you exported (downloaded) to install it.

g. Click Continue.

The XenMobile server IP addresses that you’ve configured will appear.

  7. Configure the XenMobile App Management Settings.

  • Enter the XenMobile Server FQDN. This is the load balancing FQDN for MAM.
  • Enter a MAM-only Internal Load Balancing IP Address for the virtual server that load balances XenMobile servers. NetScaler Gateway communicates with the XenMobile server through this MAM load balancing virtual IP.
  • This is an SSL offload deployment, so select HTTP in Communication with XenMobile Server.
  • The Split DNS mode for MicroVPN field automatically sets to BOTH.

If your deployment requires split tunneling, select Enable split tunneling. If you enable split tunneling, you must configure Intranet Application Binding next.

By default, Secure Web access is tunneled to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and the NetScaler appliance uses split tunnel settings.

  8. To configure interception rules for user connections on NetScaler Gateway, you must configure Intranet Application Binding. Click + to add a binding.

  9. Complete the parameters for allowing network access and then click Create.

  10. Add the XenMobile server certificate. This will be used for the MAM load balancing virtual server.

  11. Under XenMobile Servers, click Add Server to add the XenMobile Server IP Address to bind to the load balancing virtual IP.

  12. On the NetScaler dashboard, confirm that NetScaler Gateway and XenMobile load balancing are configured.

If you will use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the certificate profile as described in Manually Configuring NetScaler Gateway for Client Certificate Authentication.
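
The following check is an added example, not part of the Citrix documentation or the wizard's output. It audits a saved NetScaler configuration for two settings chosen in the procedure above: mandatory client certificates on the gateway virtual server, and an intranet application binding when split tunneling is on. The object names and sample lines are constructed, and the check assumes client certificates are enforced through the SSL virtual server's -clientAuth and -clientCert parameters.

```python
import shlex

# Constructed sample of saved configuration lines; the object names and
# addresses are hypothetical, not captured from a real appliance.
SAMPLE_CONFIG = """\
add vpn vserver XM_Gateway SSL 203.0.113.10 443
set ssl vserver XM_Gateway -clientAuth ENABLED -clientCert Mandatory
add vpn sessionAction XM_Session -splitDns BOTH -splitTunnel ON
add vpn intranetApplication Internal_Net ANY 10.0.0.0 -netmask 255.0.0.0 -destPort 1-65535 -interception TRANSPARENT
"""

def parse_options(tokens):
    """Collect '-name value' pairs from the tail of a tokenized config line."""
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-"):
            opts[tok[1:].lower()] = tokens[i + 1]
    return opts

def audit(config_text):
    """Return findings for the gateway settings selected in the wizard."""
    gateways, cert_mandatory, has_intranet_app = [], set(), set()
    split_tunnel_on = False
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 4:
            continue
        key = tuple(t.lower() for t in tokens[:3])
        name, opts = tokens[3], parse_options(tokens[4:])
        if key == ("add", "vpn", "vserver"):
            gateways.append(name)
        elif key == ("set", "ssl", "vserver"):
            # Assumption: cert auth is enforced only when both values are set.
            if (opts.get("clientauth") == "ENABLED"
                    and opts.get("clientcert") == "Mandatory"):
                cert_mandatory.add(name)
        elif key == ("add", "vpn", "sessionaction"):
            # Simplification: session actions are not traced through session
            # policies to a specific virtual server.
            split_tunnel_on |= opts.get("splittunnel", "").upper() == "ON"
        elif key == ("bind", "vpn", "vserver") and "intranetapplication" in opts:
            has_intranet_app.add(name)
    findings = []
    for gw in gateways:
        if gw not in cert_mandatory:
            findings.append(f"{gw}: client certificate is not mandatory")
        if split_tunnel_on and gw not in has_intranet_app:
            findings.append(f"{gw}: split tunneling is on but no intranet application is bound")
    return findings
```

On the constructed sample, the intranet application exists but is never bound to the gateway virtual server, so `audit(SAMPLE_CONFIG)` reports the missing binding.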
