Integrating with Citrix Gateway and Citrix ADC
When integrated with XenMobile, Citrix Gateway provides an authentication mechanism for remote device access to the internal network for MAM devices. The integration enables mobile productivity apps to connect to corporate servers in the intranet through a micro VPN. The micro VPN is created from the apps on the mobile device to Citrix Gateway. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.
Citrix ADC load balancing is required for all XenMobile Server device modes in these cases:
- If you have multiple XenMobile Servers
- Or if the XenMobile Server is inside your DMZ or internal network (and therefore traffic flows from devices to Citrix ADC to XenMobile)
Integration requirements for XenMobile Server modes
The integration requirements for Citrix Gateway and Citrix ADC differ based on the XenMobile Server modes: MAM, MDM, and ENT.
With XenMobile Server in MAM mode:
- Citrix Gateway is required. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.
Citrix ADC is recommended for load balancing.
Citrix recommends that you deploy XenMobile in a high availability configuration, which requires a load balancer in front of XenMobile. For details, see About MAM and Legacy MAM Modes.
With XenMobile Server in MDM mode:
- Citrix Gateway isn’t required. For MDM deployments, Citrix recommends Citrix Gateway for mobile device VPN.
Citrix ADC is recommended for security and load balancing.
Citrix recommends that you deploy a Citrix ADC appliance in front of the XenMobile Server, for security and load balancing. For standard deployments with XenMobile in the DMZ, Citrix recommends the Citrix ADC for XenMobile wizard along with XenMobile Server load balancing in SSL Bridge mode. You can also consider SSL Offload for deployments in which:
- The XenMobile Server resides in the internal network rather than the DMZ
- Or your security team requires an SSL Bridge configuration
Citrix does not recommend exposing the XenMobile Server to the Internet via NAT or existing third-party proxies or load-balancers for MDM. Those configurations pose a potential security risk, even if the SSL traffic terminates on the XenMobile Server (SSL Bridge).
For high security environments, Citrix ADC with the default XenMobile configuration meets or exceeds security requirements.
For MDM environments with the highest security needs, SSL termination at the Citrix ADC allows you to inspect traffic at the perimeter, while maintaining end-to-end SSL encryption. For more information, see Security Requirements. Citrix ADC offers options to define SSL/TLS ciphers and SSL FIPS Citrix ADC hardware.
With XenMobile Server in ENT mode:
Citrix Gateway is required. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.
When the XenMobile Server mode is ENT and a user opts out of MDM enrollment, the device operates in the legacy MAM mode. In the legacy MAM mode, devices enroll using the Citrix Gateway FQDN. For details, see About MAM and Legacy MAM Modes.
Citrix ADC is recommended for load balancing. For more information, see the Citrix ADC point earlier in this article under “MDM.”
For initial enrollment, the traffic from user devices authenticates on the XenMobile Server whether you configure load balancing virtual servers to SSL Offload or SSL Bridge.
The following sections summarize the many design decisions to consider when planning a Citrix Gateway integration with XenMobile.
- What edition of Citrix ADC do you plan to use?
- Have you applied Platform licenses to Citrix ADC?
- If you require MAM functionality, have you applied the Citrix ADC Universal Access Licenses?
Ensure that you apply the proper licenses to the Citrix Gateway. If you are using the Citrix Gateway connector for Exchange ActiveSync, integrated caching might be required. Therefore, you must ensure that the appropriate Citrix ADC Edition is in place.
The license requirements to enable Citrix ADC features are as follows.
- XenMobile MDM load balancing requires a Citrix ADC standard platform license at a minimum.
- ShareFile load balancing with storage zones controller requires a Citrix ADC standard platform license at a minimum.
- The XenMobile Advanced Edition (On-premises) or Citrix Endpoint Management (cloud) includes the required Citrix Gateway Universal licenses for MAM.
- Exchange load balancing requires a Citrix ADC Platinum platform license or a Citrix ADC Enterprise platform license with the addition of an Integrated Caching license.
- What version is the Citrix ADC running in the XenMobile environment?
- Do you require a separate instance?
Citrix recommends using a dedicated instance of Citrix ADC for your Citrix Gateway virtual server. Be sure that the minimum required Citrix ADC version and build is in use for the XenMobile environment. Typically, it is best to use the latest compatible Citrix ADC version and build for XenMobile. If upgrading Citrix Gateway would affect your existing environments, a second dedicated instance for XenMobile might be appropriate.
If you plan to share a Citrix ADC instance for XenMobile and other apps that use VPN connections, be sure that you have enough VPN licenses for both. Keep in mind that XenMobile test and production environments cannot share a Citrix ADC instance.
- Do you require a higher degree of security for enrollments and access to the XenMobile environment?
- Is LDAP not an option?
The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to the XenMobile environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.
If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile creates and deploys the certificate used to authenticate to the XenMobile environment.
XenMobile supports Certificate Revocation List (CRL) only for a third party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses Citrix ADC to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the Citrix ADC Certificate Revocation List (CRL) setting, Enable CRL Auto Refresh. This step ensures that the user of a device enrolled in MAM only can’t authenticate using an existing certificate on the device. XenMobile reissues a new certificate, because it doesn’t restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.
- What Citrix ADC topology is required?
Citrix recommends using a Citrix ADC instance for XenMobile. However, you might not want traffic going from the inside network out to the DMZ. In that case, consider setting up an extra instance of Citrix ADC. Use one Citrix ADC instance for internal users and one for external users. When users switch between the internal and external networks, DNS record caching can result in an increase in Secure Hub logon prompts.
XenMobile does not support Citrix Gateway double hop.
- Do you currently use Citrix Gateway for Virtual Apps and Desktops?
- Do you plan for XenMobile to use the same Citrix Gateway as Virtual Apps and Desktops?
- What are the authentication requirements for both traffic flows?
When your Citrix environment includes XenMobile, plus Virtual Apps and Desktops, you can use the same Citrix ADC instance and Citrix Gateway virtual server for both. Due to potential versioning conflicts and environment isolation, a dedicated Citrix ADC instance and Citrix Gateway are recommended for each XenMobile environment. However, if a dedicated Citrix ADC instance is not an option, Citrix recommends using a dedicated Citrix Gateway virtual server to separate the traffic flows for Secure Hub. That configuration is instead of a virtual server shared between XenMobile and Virtual Apps and Desktops.
If you use LDAP authentication, Receiver and Secure Hub can authenticate to the same Citrix Gateway with no issues. If you use certificate-based authentication, XenMobile pushes a certificate in the MDX container and Secure Hub uses the certificate to authenticate with Citrix Gateway. Receiver is separate from Secure Hub and can’t use the same certificate as Secure Hub to authenticate to the same Citrix Gateway.
You might consider the following work-around, which allows you to use the same FQDN for two Citrix Gateway VIPs.
- Create two Citrix Gateway VIPs with the same IP address. The VIP for Secure Hub uses the standard 443 port and the VIP for Virtual Apps and Desktops (which deploy Receiver) uses port 444.
- As a result, one FQDN resolves to the same IP address.
- For this work around, you might configure StoreFront to return an ICA file for port 444, instead of the default, port 443. This workaround doesn’t require users to enter a port number.
- How do you want to configure the Citrix Gateway time-outs for XenMobile traffic?
Citrix Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended Configurations. Keep in mind that there are different time-out values for background services, Citrix ADC, and for accessing applications while offline.
- Are you using internal or external IP addresses for VIPs?
In environments where you can use public IP addresses for Citrix Gateway VIPs, assigning the XenMobile load balancing VIP and address in this manner causes enrollment failures.
Ensure that the load balancing VIP uses an internal IP to avoid enrollment failures in this scenario. This virtual IP address must follow the RFC 1918 standard of private IP addresses. If you use a non-private IP address for this virtual server, Citrix ADC can’t contact the XenMobile Server successfully during the authentication process. For details, see https://support.citrix.com/article/CTX200430.
- How will Citrix Gateway load balance the XenMobile Servers?
Use SSL Bridge if XenMobile is in the DMZ. Use SSL Offload, if necessary to meet security standards, when XenMobile is in the internal network.
- When you load balance XenMobile Server with Citrix ADC VIPs in SSL Bridge mode, Internet traffic flows directly to XenMobile Server, where connections terminate. SSL Bridge mode is the simplest mode to set up and troubleshoot.
- When you load balance XenMobile Server with Citrix ADC VIPs in SSL Offload mode, Internet traffic flows directly to Citrix ADC, where connections terminate. Citrix ADC then establishes new sessions from Citrix ADC to XenMobile Server. SSL Offload mode involves extra complexity during setup and troubleshooting.
- If you plan to use SSL Offload mode for Load Balancing, what port will the back-end service use?
For SSL Offload, choose port 80 or 8443 as follows:
- Use port 80 back to XenMobile Server, for true offloading.
- End-to-end encryption, that is, re-encryption of traffic, isn’t supported. For details, see the Citrix support article, Supported Architectures Between NetScaler and XenMobile Server.
- What do you plan to use as the FQDN for enrollment and XenMobile instance/load balancing VIP?
Initial configuration of the first XenMobile Server in a cluster requires that you provide the XenMobile Server FQDN. That FQDN must match your MDM VIP URL and your Internal MAM LB VIP URL. (An internal Citrix ADC address record resolves the MAM LB VIP.) For details, see “Enrollment FQDN for each management mode” later in this article.
In addition, you must use the same certificate as the following:
- XenMobile SSL listener certificate
- Internal MAM LB VIP certificate
- MDM VIP certificate (if using SSL Offload for MDM VIP)
After you configure the enrollment FQDN, you cannot change it. A new enrollment FQDN requires a new SQL Server database and XenMobile Server rebuild.
- Do you plan to restrict Secure Web to internal web browsing only?
- Do you plan to enable Secure Web for both internal and external web browsing?
If you plan to use Secure Web for internal web browsing only, the Citrix Gateway configuration is straightforward. Secure Web must reach all internal sites by default. You might need to configure firewalls and proxy servers.
If you plan to use Secure Web for both internal and external browsing, you must enable the SNIP to have outbound internet access. IT generally views enrolled devices (using the MDX container) as an extension of the corporate network. Thus IT typically wants Secure Web connections to come back to Citrix ADC, go through a proxy server, and then go out to the Internet. By default, Secure Web uses a per-application VPN tunnel back to the internal network for all network access. Citrix ADC uses split tunnel settings.
For a discussion of Secure Web connections, see Configuring User Connections.
- Do you plan to use push notifications?
Design guidance for iOS:
Your Citrix Gateway configuration might include Secure Ticket Authority (STA), with split tunneling off. Citrix Gateway must allow traffic from Secure Mail to the Citrix listener service URLs specified in Push Notifications for Secure Mail for iOS.
Design guidance for Android:
Use Firebase Cloud Messaging (FCM) to control how and when Android devices need to connect to XenMobile. With FCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the XenMobile Server.
- What STAs to use if you plan to integrate HDX application access?
HDX STAs must match the STAs in StoreFront and must be valid for the Virtual Apps and Desktops farm.
- Do you plan to use storage zone controllers in the environment?
- What Citrix Files VIP URL do you plan to use?
If you include storage zone controllers in your environment, ensure that you correctly configure the following:
- Citrix Files Switch VIP (used by the Citrix Files Control Plane to communicate with the storage zone Controller servers)
- Citrix Files Load Balancing VIPs
- All required policies and profiles
For information, see the storage zones controller documentation.
- If SAML is required for Citrix Files, do you want to use XenMobile as the SAML IdP?
The recommended best practice is to integrate Citrix Files with XenMobile Advanced Edition or XenMobile Advanced Edition (On-premises) or Citrix Endpoint Management (cloud), a simpler alternative to configuring SAML-based federation. When you use Citrix Files with those XenMobile editions, XenMobile provides Citrix Files with:
- Single sign-on (SSO) authentication of mobile productivity apps users
- User account provisioning based on Active Directory
- Comprehensive access control policies
The XenMobile console enables you to perform Citrix Files configuration and to monitor service levels and license usage.
There are two types of Citrix Files clients: Citrix Files for XenMobile clients (also referred to as wrapped Citrix Files) and Citrix Files mobile clients (also referred to as unwrapped Citrix Files). To understand the differences, see How Citrix Files for XenMobile Clients differ from Citrix Files mobile clients.
You can configure XenMobile and ShareFile to use SAML to provide SSO access to:
- Citrix Files mobile apps
- Non-wrapped Citrix Files clients, such as the website, Outlook plug-in, or sync clients
To use XenMobile as the SAML IdP for Citrix Files, ensure that the proper configurations are in place. For details, see SAML for SSO with Citrix Files.
- Must users access a host computer from a computer or mobile device running ShareConnect using direct connections?
ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, XenMobile uses Citrix Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.
|Management mode||Enrollment FQDN|
|Enterprise (MDM+MAM) with mandatory MDM enrollment||XenMobile Server FQDN|
|Enterprise (MDM+MAM) with optional MDM enrollment||XenMobile Server FQDN or Citrix Gateway FQDN|
|MDM only||XenMobile Server FQDN|
|MAM-only (legacy)||Citrix Gateway FQDN|
|MAM-only||XenMobile Server FQDN|
Citrix recommends that you use the Citrix ADC for XenMobile wizard to ensure proper configuration. You can use the wizard only one time. If you have multiple XenMobile instances, such as for test, development, and production environments, you must configure Citrix ADC for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure Citrix ADC manually for XenMobile.
The key decision you make when using the wizard is whether to use HTTPS or HTTP for communication to the XenMobile Server. HTTPS provides secure back-end communication, as traffic between Citrix ADC and XenMobile is encrypted. The re-encryption impacts XenMobile Server performance. HTTP provides better XenMobile Server performance. Traffic between Citrix ADC and XenMobile is not encrypted. The following tables show the HTTP and HTTPS port requirements for Citrix ADC and XenMobile Server.
Citrix typically recommends SSL Bridge for Citrix ADC MDM virtual server configurations. For Citrix ADC SSL Offload use with MDM virtual servers, XenMobile supports only port 80 as the back-end service.
|Management mode||Citrix ADC load balancing method||SSL re-encryption||XenMobile server port|
|MDM||SSL Bridge||N/A||443, 8443|
|Enterprise||MDM: SSL Bridge||N/A||443, 8443|
|Enterprise||MAM: SSL Offload||Enabled||8443|
|Management mode||Citrix ADC load balancing method||SSL re-encryption||XenMobile server port|
|MDM||SSL Offload||Not supported||80|
|Enterprise||MDM: SSL Offload||Not supported||80|
|Enterprise||MAM: SSL Offload||Enabled||8443|
For diagrams of Citrix Gateway in XenMobile deployments, see Reference Architecture for On-Premises Deployments.