Integrating with NetScaler Gateway and NetScaler

When integrated with XenMobile, NetScaler Gateway provides an authentication mechanism for remote device access to the internal network for MAM devices. The integration enables mobile productivity apps to connect to corporate servers in the intranet through a micro VPN created from the apps on the mobile device to NetScaler Gateway.

NetScaler load balancing is required for all XenMobile server device modes if you have multiple XenMobile servers or if the XenMobile server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile).

Integration requirements for XenMobile Server modes

The integration requirements for NetScaler Gateway and NetScaler differ based on the XenMobile Server modes: MAM, MDM, and ENT.

MAM

With XenMobile Server in MAM mode:

  • NetScaler Gateway is required. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.
  • NetScaler is recommended for load balancing.

    Citrix recommends that you deploy XenMobile in a high availability configuration, which requires a load balancer in front of XenMobile. For details, see About MAM and Legacy MAM Modes.

MDM

With XenMobile Server in MDM mode:

  • NetScaler Gateway isn’t required. For MDM deployments, Citrix recommends NetScaler Gateway for mobile device VPN.
  • NetScaler is recommended for security and load balancing.

    Citrix recommends that you deploy a NetScaler appliance in front of XenMobile server, for security and load balancing. For standard deployments with XenMobile server in the DMZ, Citrix recommends the NetScaler for XenMobile wizard along with XenMobile server load balancing in SSL Bridge mode. You can also consider SSL Offload for deployments where XenMobile server resides in the internal network rather than the DMZ and/or where security requires such configurations.

    While you might consider exposing XenMobile server to the Internet via NAT or existing third-party proxies or load-balancers for MDM provided that the SSL traffic terminates on XenMobile server (SSL Bridge), Citrix does not recommend that approach due to the potential security risk.

    For high security environments, NetScaler with the default XenMobile configuration should meet or exceed security requirements.

    For MDM environments with the highest security needs, SSL termination at the NetScaler provides the ability to inspect traffic at the perimeter, while maintaining end-to-end SSL encryption. For more information, see Security Requirements. NetScaler offers options to define SSL/TLS ciphers and SSL FIPS NetScaler hardware.

ENT (MAM+MDM)

With XenMobile Server in ENT mode:

  • NetScaler Gateway is required. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.

    When the XenMobile server mode is ENT and a user opts out of MDM enrollment, the device operates in the legacy MAM mode. In the legacy MAM mode, devices enroll using the NetScaler Gateway FQDN. For details, see About MAM and Legacy MAM Modes.

  • NetScaler is recommended for load balancing. For more information, see the NetScaler point above under “MDM.”

Important:

Be aware that for initial enrollment, the traffic from user devices authenticates on the XenMobile server whether you configure load balancing virtual servers to SSL Offload or SSL Bridge.

Design Decisions

The following sections summarize the many design decisions to consider when planning a NetScaler Gateway integration with XenMobile.

Licensing and edition

Decision detail:

  • What edition of NetScaler will you use?
  • Have you applied Platform licenses to NetScaler?
  • If you require MAM functionality, have you applied the NetScaler Universal Access Licenses?

Design guidance:

Ensure that you apply the proper licenses to the NetScaler Gateway. If you are using XenMobile NetScaler Connector, integrated caching might be required; therefore, you must ensure that the appropriate NetScaler Edition is in place.

The license requirements to enable NetScaler features are as follows.

  • XenMobile MDM load balancing requires a NetScaler standard platform license at a minimum.
  • ShareFile load balancing with StorageZones Controller requires a NetScaler standard platform license at a minimum.
  • The XenMobile Enterprise edition includes the required NetScaler Gateway Universal licenses for MAM.
  • Exchange load balancing requires a NetScaler Platinum platform license or a NetScaler Enterprise platform license with the addition of an Integrated Caching license.

NetScaler version for XenMobile

Decision detail:

  • What version is the NetScaler running in the XenMobile environment?
  • Will a separate instance be required?

Design guidance:

Citrix recommends using a dedicated instance of NetScaler for your NetScaler Gateway virtual server. Be sure that the minimum required NetScaler version and build is in use for the XenMobile environment. It is usually best to use the latest compatible NetScaler version and build for XenMobile. If upgrading NetScaler Gateway would affect your existing environments, a second dedicated instance for XenMobile might be appropriate.

If you plan to share a NetScaler instance for XenMobile and other apps that use VPN connections, be sure that you have enough VPN licenses for both. Keep in mind that XenMobile test and production environments cannot share a NetScaler instance.

Certificates

Decision detail:

  • Do you require a higher degree of security for enrollments and access to the XenMobile environment?
  • Is LDAP not an option?

Design guidance:

The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to XenMobile environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.

If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile creates and deploys the certificate subsequently used to authenticate to the XenMobile environment.

XenMobile supports Certificate Revocation List (CRL) only for a third party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses NetScaler to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the NetScaler Certificate Revocation List (CRL) setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device; XenMobile re-issues a new certificate, because it doesn’t restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.

Networking topology

Decision detail:

  • What NetScaler topology is required?

Design guidance:

Citrix recommends using a NetScaler instance for XenMobile. However, if you don’t want traffic going from the inside network out to the DMZ, you might consider setting up an additional instance of NetScaler, so that you’re using one NetScaler instance for internal users and one for external users. Be aware that when users switch between the internal and external networks, DNS record caching can result in an increase in logon prompts in Secure Hub.

Note that XenMobile does not currently support NetScaler Gateway double hop.

Dedicated or shared NetScaler Gateway VIPs

Decision detail:

  • Do you currently use NetScaler Gateway for XenApp and XenDesktop?
  • Will XenMobile leverage the same NetScaler Gateway as XenApp and XenDesktop?
  • What are the authentication requirements for both traffic flows?

Design guidance:

When your Citrix environment includes XenMobile, plus XenApp and XenDesktop, you can use the same NetScaler instance and NetScaler Gateway virtual server for both. Due to potential versioning conflicts and environment isolation, a dedicated NetScaler instance and NetScaler Gateway are recommend for each XenMobile environment. However, if a dedicated NetScaler instance is not an option, Citrix recommends using a dedicated NetScaler Gateway vServer rather than a vServer shared between XenMobile and XenApp and XenDesktop, to separate the traffic flows for Secure Hub.

If you use LDAP authentication, Receiver and Secure Hub can authenticate to the same NetScaler Gateway with no issues. If you use certificate-based authentication, XenMobile pushes a certificate in the MDX container and Secure Hub uses the certificate to authenticate with NetScaler Gateway. Receiver is separate from Secure Hub and can’t use the same certificate as Secure Hub to authenticate to the same NetScaler Gateway.

You might consider this work around, which allows you to use the same FQDN for two NetScaler Gateway VIPs. You can create two NetScaler Gateway VIPs with the same IP address, but the one for Secure Hub uses the standard 443 port and the one for XenApp and XenDesktop (which deploy Receiver) uses port 444. Then, one FQDN resolves to the same IP address. For this work around, you might need to configure StoreFront to return an ICA file for port 444, instead of the default, port 443. This workaround doesn’t require users to enter a port number.

NetScaler Gateway time-outs

Decision detail:

  • How do you want to configure the NetScaler Gateway time-outs for XenMobile traffic?

Design guidance:

NetScaler Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended Configurations. Keep in mind that there are different time-out values for background services, NetScaler, and for accessing applications while offline.

XenMobile load balancer IP address for MAM

Decision detail:

  • Are you using internal or external IP addresses for VIPs?

Design guidance:

In environments where you can use public IP addresses for NetScaler Gateway VIPs, assigning the XenMobile load balancing VIP and address in this manner will cause enrollment failures.

Ensure that the load balancing VIP uses an internal IP to avoid enrollment failures in this scenario. This virtual IP address must follow the RFC 1918 standard of private IP addresses. If you use a non-private IP address for this virtual server, NetScaler will not be able to contact the XenMobile server successfully during the authentication process. For details, see http://support.citrix.com/article/CTX200430.

MDM load balancing mechanism

Decision detail:

  • How will the XenMobile servers be load balanced by NetScaler Gateway?

Design guidance:

Use SSL Bridge if XenMobile is in the DMZ. Use SSL Offload, if required to meet security standards, when XenMobile server is in the internal network.

  • When you load balance XenMobile server with NetScaler VIPs in SSL Bridge mode, Internet traffic flows directly to XenMobile server, where connections terminate. SSL Bridge mode is the simplest mode to set up and troubleshoot.
  • When you load balance XenMobile server with NetScaler VIPs in SSL Offload mode, Internet traffic flows directly to NetScaler, where connections terminate. NetScaler then establishes new sessions from NetScaler to XenMobile server. SSL Offload mode involves additional complexity during setup and troubleshooting.

Service port for MDM load balancing with SSL Offload

Decision detail:

  • If you will use SSL Offload mode for Load Balancing, What port will the back-end service use?

Design guidance:

For SSL Offload, choose port 80 or 8443 as follows:

Enrollment FQDN

Decision detail:

  • What will be the FQDN for enrollment and XenMobile instance/load balancing VIP?

Design guidance:

Initial configuration of the first XenMobile server in a cluster requires that you enter the XenMobile server FQDN. That FQDN must match your MDM VIP URL and your Internal MAM LB VIP URL. (An internal NetScaler address record resolves the MAM LB VIP.) For details, see “Enrollment FQDN for each deployment type” later in this article.

In addition, you must use the same certificate as the XenMobile SSL listener certificate, Internal MAM LB VIP certificate, and MDM VIP certificate (if using SSL Offload for MDM VIP).

Important:

After you configure the enrollment FQDN, you cannot change it. A new enrollment FQDN will require a new SQL Server database and XenMobile server re-build.

Secure Web traffic

Decision detail:

  • Will you restrict Secure Web to internal web browsing only?
  • Will you enable Secure Web for both internal and external web browsing?

Design guidance:

If you will use Secure Web for internal web browsing only, NetScaler Gateway configuration is straightforward, assuming that Secure Web can reach all internal sites by default; you might need to configure firewalls and proxy servers.

If you will use Secure Web for both internal and external browsing, you must enable the SNIP to have outbound internet access. Because IT generally views enrolled devices (using the MDX container) as an extension of the corporate network, IT typically wants Secure Web connections to come back to NetScaler, go through a proxy server, and then go out to Internet. By default, Secure Web access tunnels to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and NetScaler uses split tunnel settings.

For a discussion of Secure Web connections, see Configuring User Connections.

Push Notifications for Secure Mail

Decision detail:

  • Will you use push notifications?

Design guidance for iOS:

If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler Gateway must allow traffic from Secure Mail to the Citrix listener service URLs specified in Push Notifications for Secure Mail for iOS.

Design guidance for Android:

As an alternative to the MDX policy, Active poll period, you can use Google Cloud Messaging (GCM) to control how and when Android devices need to connect to XenMobile. With GCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the XenMobile server.

HDX STAs

Decision detail:

  • What STAs to use if you will integrate HDX application access?

Design guidance:

HDX STAs must match the STAs in StoreFront and must be valid for the XenApp/XenDesktop farm.

ShareFile

Decision detail:

  • Will you use ShareFile StorageZone Controllers in the environment?
  • What ShareFile VIP URL will you use?

Design guidance:

If you will include ShareFile StorageZone Controllers in your environment, ensure that you correctly configure the following: ShareFile Content Switch VIP (used by the ShareFile Control Plane to communicate with the StorageZone Controller servers), ShareFile Load Balancing VIPs, and all required policies and profiles. For information, see the Citrix ShareFile StorageZones Controller documentation.

SAML IdP

Decision detail:

  • If SAML is required for ShareFile, do you want to use XenMobile as the SAML IdP?

Design guidance:

The recommended best practice is to integrate ShareFile with XenMobile Advanced Edition or XenMobile Enterprise Edition, a simpler alternative to configuring SAML-based federation. When you use ShareFile with those XenMobile editions, XenMobile provides ShareFile with single sign-on (SSO) authentication of mobile productivity apps users, user account provisioning based on Active Directory, and comprehensive access control policies. The XenMobile console enables you to perform ShareFile configuration and to monitor service levels and license usage.

Note that there are two types of ShareFile clients: ShareFile for XenMobile clients (also referred to as wrapped ShareFile) and ShareFile mobile clients (also referred to as unwrapped ShareFile). To understand the differences, see [How ShareFile for XenMobile Clients differ from ShareFile mobile clients](/en-us/mobile-productivity-apps/sharefile.html#how-citrix-files-for-endpoint-management-clients-differ-from-citrix-files-mobile-clients.

You can configure XenMobile and ShareFile to use SAML to provide SSO access to ShareFile mobile apps you wrap with the MDX toolkit, as well as to non-wrapped ShareFile clients, such as the web site, Outlook plugin, or sync clients.

If you want to use XenMobile as the SAML IdP for ShareFile, ensure that the proper configurations are in place. For details, see SAML for SSO with ShareFile.

ShareConnect direct connections

Decision detail:

  • Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?

Design guidance:

ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, XenMobile uses NetScaler Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.

Enrollment FQDN for each deployment type

   
Deployment type Enrollment FQDN
Enterprise (MDM+MAM) with mandatory MDM enrollment XenMobile server FQDN
Enterprise (MDM+MAM) with optional MDM enrollment XenMobile server FQDN or NetScaler Gateway FQDN
MDM only XenMobile server FQDN
MAM-only (legacy) NetScaler Gateway FQDN
MAM-only XenMobile server FQDN

Deployment Summary

Citrix recommends that you use the NetScaler for XenMobile wizard to ensure proper configuration. Be aware that you can use the wizard only one time. If you have multiple XenMobile instances, such as for test, development, and production environments, you must configure NetScaler for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure NetScaler manually for XenMobile.

The key decision you make when using the wizard is whether to use HTTPS or HTTP for communication to the XenMobile server. HTTPS provides secure back-end communication, as traffic between NetScaler and XenMobile is encrypted; the re-encryption impacts XenMobile server performance. HTTP provides better XenMobile server performance; traffic between NetScaler and XenMobile is not encrypted. The following tables show the HTTP and HTTPS port requirements for NetScaler and XenMobile server.

HTTPS

Citrix typically recommends SSL Bridge for NetScaler MDM virtual server configurations. For NetScaler SSL Offload use with MDM virtual servers, XenMobile supports only port 80 as the backend service.

       
Deployment type NetScaler load balancing method SSL re-encryption XenMobile server port
MDM SSL Bridge N/A 443, 8443
MAM SSL Offload Enabled 8443
Enterprise MDM: SSL Bridge N/A 443, 8443
Enterprise MAM: SSL Offload Enabled 8443

HTTP

       
Deployment type NetScaler load balancing method SSL re-encryption XenMobile server port
MDM SSL Offload Not supported 80
MAM SSL Offload Enabled 8443
Enterprise MDM: SSL Offload Not supported 80
Enterprise MAM: SSL Offload Enabled 8443

For diagrams of NetScaler Gateway in XenMobile deployments, see Reference Architecture for On-Premises Deployments.

Integrating with NetScaler Gateway and NetScaler