Product Documentation

Deploying XenMobile NetScaler Connector

Mar 27, 2015
XenMobile NetScaler Connector allows you to use NetScaler to proxy and load balance Device Manager communication with XenMobile managed devices. XenMobile NetScaler Connector communicates periodically with Device Manager to synchronize policies. XenMobile NetScaler Connector and Device Manager may be clustered, together or independently, and load balanced by NetScaler.
Figure 1. XenMobile NetScaler Connector Deployment

XenMobile NetScaler Connector Components

XenMobile NetScaler Connector consists of the following four components:
  • XenMobile NetScaler Connector Service. This provides a REST web service interface that can be invoked by NetScaler to determine if an ActiveSync request from a device is authorized.
  • XenMobile Configuration Service. This service communicates with Device Manager to synchronize Device Manager policy changes with XenMobile NetScaler Connector.
  • XenMobile Notification Service. This service sends notifications of unauthorized device access to Device Manager so that Device Manager can take appropriate measures, such as notifying the user why the device was blocked.
  • XenMobile NetScaler Configuration. This application allows the administrator to configure and monitor XenMobile NetScaler Connector.
Figure 2. XenMobile NetScaler Connector Components

Setting up listening addresses for the XNC web service

For XenMobile NetScaler Connector to receive requests from NetScaler to authorize ActiveSync traffic, you need to specify the port on which XenMobile NetScaler Connector will listen for NetScaler web service calls.
  1. From the Start menu, select the XenMobile NetScaler Configuration utility.
  2. Select the Web Service tab and type the listening addresses for the XenMobile NetScaler Connector web service. You may select HTTP and/or HTTPS. If XenMobile NetScaler Connector is co-resident with Device Manager (installed on the same server), select port values that do not conflict with Device Manager.
  3. Once the values are configured, click Save, then click Start Service to start the web service.

Configuring device access control policies

In this task, you will configure the access control policy you want to apply to your managed devices.

  1. In the XenMobile NetScaler Configuration utility, select the Path Filters tab.
  2. Select the first row (“Microsoft-Server-ActiveSync” is for ActiveSync) and click Edit.
  3. From the Policy list, select the desired policy. For a policy that is inclusive of Device Manager policies, select “Static + ZDM: Permit Mode” or “Static + ZDM: Block Mode”. These policies combine local (also known as static) rules with those from Device Manager. Permit Mode means that all devices not explicitly identified by the rules will be permitted access to ActiveSync. Block Mode means that such devices will be blocked.
  4. When you have set the policies, click Save.

Configuring communication with the Device Manager server

In this task, you will specify the name and properties of the XenMobile Device Manager server (also known as a 'Config Provider') which you want to use with XenMobile NetScaler Connector and NetScaler.
Note: This deployment task assumes you have already installed and configured the Device Manager server.
  1. In the XenMobile NetScaler Configuration utility, select the Config Providers tab.
  2. Click Add.
  3. Enter the name and URL of the Device Manager server you are using in this deployment. If you have multiple XenMobile Device Manager servers deployed in a Multi-Tenant deployment, this Name must be unique for each server instance. For example, for Name, you could type XDM.
  4. In Url, enter the Web address of the Device Manager GCP (GlobalConfig Provider), typically in the format https://DeviceManagerHost/zdm/services/MagConfigService. The MagConfigService name is case sensitive.
  5. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
  6. In Managing Host, enter the server name where you installed the XenMobile NetScaler Connector.
  7. In Baseline Interval, specify the time period after which a new refreshed dynamic ruleset is pulled from Device Manager.
  8. In Request Timeout, specify the server request timeout interval.
  9. In Config Provider, select whether the config provider server instance is providing the policy configuration.
  10. In Events Enabled, enable this option if you want Secure Mobile Gateway to notify Device Manager when a device is blocked. This option is required if you are using Secure Mobile Gateway rules in any of your Device Manager Automated Actions.
  11. Once the server is configured, click Test Connectivity to test the connection to the Device Manager server.
  12. When Connectivity has been established, click Save.
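
The Name, Url and Password steps above imply three checks worth running over the list of Config Providers before saving. The following is an added example, not Citrix code: it flags duplicate names, URLs that would carry the basic-authorization password without TLS, and a MagConfigService path with the wrong case. The dict layout, the case-insensitive name comparison and the sample entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Path the page gives as the typical Device Manager GCP endpoint (case sensitive).
EXPECTED_PATH = "/zdm/services/MagConfigService"


def check_providers(providers):
    """Return a list of (name, finding) tuples for constructed provider entries.

    `providers` is a list of dicts with hypothetical keys "name" and "url";
    this layout is an assumption and is not the connector's XML format.
    """
    findings = []
    seen = set()
    for p in providers:
        name, url = p["name"], p["url"]
        # Names must be unique per server instance in multi-tenant deployments.
        # Assumption: compare case-insensitively to catch near-duplicates.
        key = name.lower()
        if key in seen:
            findings.append((name, "duplicate provider name"))
        seen.add(key)

        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            # Basic HTTP authorization only base64-encodes the password.
            findings.append((name, "basic-auth password sent without TLS"))
        if not parts.hostname:
            findings.append((name, "URL has no host"))
        path = parts.path.rstrip("/")
        if path != EXPECTED_PATH:
            if path.lower() == EXPECTED_PATH.lower():
                findings.append((name, "path case differs from MagConfigService"))
            else:
                findings.append((name, "path is not the typical GCP endpoint"))
    return findings


# Constructed sample entries (hosts are placeholders).
SAMPLE = [
    {"name": "XDM", "url": "https://DeviceManagerHost/zdm/services/MagConfigService"},
    {"name": "XDM2", "url": "http://DeviceManagerHost/zdm/services/magconfigservice"},
    {"name": "xdm", "url": "https://DeviceManagerHost/zdm/services/MagConfigService"},
]

if __name__ == "__main__":
    for name, finding in check_providers(SAMPLE):
        print(f"{name}: {finding}")
```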

Deploying XNC for Redundancy and Scalability

If you want to scale your XNC and Device Manager deployment, you can install XNC instances on multiple Windows servers, all pointing to the same XDM instance, and then load balance them using Citrix NetScaler.

There are two modes for XNC configuration: non-shared and shared.
  • In non-shared mode, each XNC instance communicates with an XDM server and keeps its own private copy of the resulting policy. For example, if you had a cluster of Device Manager servers, you could run an XNC instance on each XDM server and XNC would get policy from the local XDM.
  • In shared mode, one XNC node is designated the master and it communicates with Device Manager. The resulting configuration is shared among the other nodes either by Windows network share or by Windows (or third-party) replication.

The entire XNC configuration is in a single folder (a few XML files). The XNC Connector process detects changes to any file in this folder and automatically reloads the configuration. There is no failover for the master in shared mode. But the system can tolerate the master being down for minutes (for example, to reboot) because the last known good config is cached in the XNC Connector process.
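
Because any write to this folder is picked up and applied automatically, and in shared mode the folder is reachable over a share or replication, comparing the XML files against a known-good baseline shows when the access policy changed outside the configuration utility. The following is an added example, not part of the product: the file names and contents are constructed, and a temporary directory stands in for the real configuration folder, whose path this page does not give.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(config_dir):
    """Map each XML file name in the folder to the SHA-256 of its contents."""
    return {
        p.name: hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(config_dir).glob("*.xml"))
    }


def diff(baseline, current):
    """Compare two snapshots; return sorted lists of added, removed, modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Run the check against a constructed folder standing in for the XNC config folder."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        # Constructed file names and contents, not the connector's real files.
        (folder / "policy.xml").write_text("<policy mode='block'/>")
        (folder / "providers.xml").write_text("<providers/>")
        baseline = snapshot(folder)

        # Simulate an unreviewed change arriving through the share or replication.
        (folder / "policy.xml").write_text("<policy mode='permit'/>")
        (folder / "extra.xml").write_text("<rule/>")
        (folder / "providers.xml").unlink()
        return diff(baseline, snapshot(folder))


if __name__ == "__main__":
    print(demo())
```

Store the baseline snapshot somewhere the share's writers cannot modify, and refresh it only after a change made through the configuration utility has been reviewed.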