Integrating with NetScaler Gateway and NetScaler
When integrated with XenMobile, NetScaler Gateway provides an authentication mechanism for remote device access to the internal network for MAM devices. The integration enables mobile productivity apps to connect to corporate servers in the intranet through a micro VPN created from the apps on the mobile device to NetScaler Gateway.
NetScaler load balancing is required for all XenMobile server device modes if you have multiple XenMobile servers or if the XenMobile server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile).
Integration requirements for XenMobile Server modes
The integration requirements for NetScaler Gateway and NetScaler differ based on the XenMobile Server modes: MAM, MDM, and ENT.
With XenMobile Server in MAM mode:
- NetScaler Gateway is required. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.
- NetScaler is recommended for load balancing.
Citrix recommends that you deploy XenMobile in a high availability configuration, which requires a load balancer in front of XenMobile. For details, see About MAM and Legacy MAM Modes.
With XenMobile Server in MDM mode:
- NetScaler Gateway isn’t required. For MDM deployments, Citrix recommends NetScaler Gateway for mobile device VPN.
- NetScaler is recommended for security and load balancing.
Citrix recommends that you deploy a NetScaler appliance in front of XenMobile server, for security and load balancing. For standard deployments with XenMobile server in the DMZ, Citrix recommends the NetScaler for XenMobile wizard along with XenMobile server load balancing in SSL Bridge mode. You can also consider SSL Offload for deployments where XenMobile server resides in the internal network rather than the DMZ and/or where security requires such configurations.
You might consider exposing XenMobile server to the Internet via NAT or existing third-party proxies or load balancers for MDM, provided that the SSL traffic terminates on XenMobile server (SSL Bridge). However, Citrix does not recommend that approach due to the potential security risk.
For high security environments, NetScaler with the default XenMobile configuration should meet or exceed security requirements.
For MDM environments with the highest security needs, SSL termination at the NetScaler provides the ability to inspect traffic at the perimeter, while maintaining end-to-end SSL encryption. For more information, see Security Requirements. NetScaler offers options to define SSL/TLS ciphers and SSL FIPS NetScaler hardware.
With XenMobile Server in ENT mode:
- NetScaler Gateway is required. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support.
When the XenMobile server mode is ENT and a user opts out of MDM enrollment, the device operates in the legacy MAM mode. In the legacy MAM mode, devices enroll using the NetScaler Gateway FQDN. For details, see About MAM and Legacy MAM Modes.
- NetScaler is recommended for load balancing. For more information, see the NetScaler point above under “MDM.”
Be aware that for initial enrollment, the traffic from user devices authenticates on the XenMobile server whether you configure load balancing virtual servers to SSL Offload or SSL Bridge.
The following sections summarize the many design decisions to consider when planning a NetScaler Gateway integration with XenMobile.
Licensing and edition
- What edition of NetScaler will you use?
- Have you applied Platform licenses to NetScaler?
- If you require MAM functionality, have you applied the NetScaler Universal Access Licenses?
Ensure that you apply the proper licenses to the NetScaler Gateway. If you are using Citrix Gateway connector for Exchange ActiveSync, integrated caching might be required; therefore, you must ensure that the appropriate NetScaler Edition is in place.
The license requirements to enable NetScaler features are as follows.
- XenMobile MDM load balancing requires a NetScaler standard platform license at a minimum.
- ShareFile load balancing with StorageZones Controller requires a NetScaler standard platform license at a minimum.
- The XenMobile Enterprise edition includes the required NetScaler Gateway Universal licenses for MAM.
- Exchange load balancing requires a NetScaler Platinum platform license or a NetScaler Enterprise platform license with the addition of an Integrated Caching license.
NetScaler version for XenMobile
- What version is the NetScaler running in the XenMobile environment?
- Will a separate instance be required?
Citrix recommends using a dedicated instance of NetScaler for your NetScaler Gateway virtual server. Be sure that the minimum required NetScaler version and build is in use for the XenMobile environment. It is usually best to use the latest compatible NetScaler version and build for XenMobile. If upgrading NetScaler Gateway would affect your existing environments, a second dedicated instance for XenMobile might be appropriate.
If you plan to share a NetScaler instance for XenMobile and other apps that use VPN connections, be sure that you have enough VPN licenses for both. Keep in mind that XenMobile test and production environments cannot share a NetScaler instance.
- Do you require a higher degree of security for enrollments and access to the XenMobile environment?
- Is LDAP not an option?
The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to the XenMobile environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.
If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile creates and deploys the certificate subsequently used to authenticate to the XenMobile environment.
XenMobile supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses NetScaler to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the NetScaler CRL setting, Enable CRL Auto Refresh. This setting ensures that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device once that certificate has been revoked; XenMobile instead issues a new certificate, because it doesn’t prevent a user from generating a user certificate after one is revoked. The setting increases the security of PKI entities because the CRL check catches expired PKI entities.
- What NetScaler topology is required?
Citrix recommends using a NetScaler instance for XenMobile. However, if you don’t want traffic going from the inside network out to the DMZ, you might consider setting up an additional instance of NetScaler, so that you’re using one NetScaler instance for internal users and one for external users. Be aware that when users switch between the internal and external networks, DNS record caching can result in an increase in logon prompts in Secure Hub.
Note that XenMobile does not support NetScaler Gateway double hop.
Dedicated or shared NetScaler Gateway VIPs
- Do you currently use NetScaler Gateway for Virtual Apps and Desktops?
- Will XenMobile leverage the same NetScaler Gateway as Virtual Apps and Desktops?
- What are the authentication requirements for both traffic flows?
When your Citrix environment includes XenMobile, plus Virtual Apps and Desktops, you can use the same NetScaler instance and NetScaler Gateway virtual server for both. Due to potential versioning conflicts and environment isolation, a dedicated NetScaler instance and NetScaler Gateway are recommended for each XenMobile environment. However, if a dedicated NetScaler instance is not an option, Citrix recommends using a dedicated NetScaler Gateway vServer rather than a vServer shared between XenMobile and Virtual Apps and Desktops, to separate the traffic flows for Secure Hub.
If you use LDAP authentication, Receiver and Secure Hub can authenticate to the same NetScaler Gateway with no issues. If you use certificate-based authentication, XenMobile pushes a certificate in the MDX container and Secure Hub uses the certificate to authenticate with NetScaler Gateway. Receiver is separate from Secure Hub and can’t use the same certificate as Secure Hub to authenticate to the same NetScaler Gateway.
You might consider this workaround, which allows you to use the same FQDN for two NetScaler Gateway VIPs. You can create two NetScaler Gateway VIPs with the same IP address, but the one for Secure Hub uses the standard 443 port and the one for Virtual Apps and Desktops (which deploy Receiver) uses port 444. Then, one FQDN resolves to the same IP address. For this workaround, you might need to configure StoreFront to return an ICA file for port 444, instead of the default, port 443. This workaround doesn’t require users to enter a port number.
NetScaler Gateway time-outs
- How do you want to configure the NetScaler Gateway time-outs for XenMobile traffic?
NetScaler Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended Configurations. Keep in mind that there are different time-out values for background services, NetScaler, and for accessing applications while offline.
XenMobile load balancer IP address for MAM
- Are you using internal or external IP addresses for VIPs?
In environments where you can use public IP addresses for NetScaler Gateway VIPs, assigning the XenMobile load balancing VIP an address in this manner will cause enrollment failures.
Ensure that the load balancing VIP uses an internal IP to avoid enrollment failures in this scenario. This virtual IP address must follow the RFC 1918 standard of private IP addresses. If you use a non-private IP address for this virtual server, NetScaler will not be able to contact the XenMobile server successfully during the authentication process. For details, see https://support.citrix.com/article/CTX200430.
MDM load balancing mechanism
- How will the XenMobile servers be load balanced by NetScaler Gateway?
Use SSL Bridge if XenMobile is in the DMZ. Use SSL Offload, if required to meet security standards, when XenMobile server is in the internal network.
- When you load balance XenMobile server with NetScaler VIPs in SSL Bridge mode, Internet traffic flows directly to XenMobile server, where connections terminate. SSL Bridge mode is the simplest mode to set up and troubleshoot.
- When you load balance XenMobile server with NetScaler VIPs in SSL Offload mode, Internet traffic flows directly to NetScaler, where connections terminate. NetScaler then establishes new sessions from NetScaler to XenMobile server. SSL Offload mode involves additional complexity during setup and troubleshooting.
Service port for MDM load balancing with SSL Offload
- If you will use SSL Offload mode for load balancing, what port will the back-end service use?
For SSL Offload, choose port 80 or 8443 as follows:
- Leverage port 80 back to XenMobile server, for true offloading.
- End-to-end encryption, that is, re-encryption of traffic, isn’t supported. For details, see the Citrix support article, Supported Architectures Between NetScaler and XenMobile Server.
- What will be the FQDN for enrollment and XenMobile instance/load balancing VIP?
Initial configuration of the first XenMobile server in a cluster requires that you enter the XenMobile server FQDN. That FQDN must match your MDM VIP URL and your Internal MAM LB VIP URL. (An internal NetScaler address record resolves the MAM LB VIP.) For details, see “Enrollment FQDN for each deployment type” later in this article.
In addition, you must use the same certificate as the XenMobile SSL listener certificate, Internal MAM LB VIP certificate, and MDM VIP certificate (if using SSL Offload for MDM VIP).
After you configure the enrollment FQDN, you cannot change it. A new enrollment FQDN will require a new SQL Server database and XenMobile server re-build.
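As an added pre-deployment check (not part of the Citrix article), the following Python script validates a planned layout against the rules above and the MAM LB VIP rule from “XenMobile load balancer IP address for MAM”: the enrollment FQDN must match the host of both the MDM VIP URL and the internal MAM LB VIP URL, the same certificate must be used on the XenMobile SSL listener, the internal MAM LB VIP and (with SSL Offload for MDM) the MDM VIP, MDM SSL Offload must use backend port 80, and the MAM LB VIP must be an RFC 1918 address. The plan dictionary, its keys, the hostnames and the certificate fingerprints are constructed sample values, not from the article.

```python
import ipaddress
from urllib.parse import urlparse

# RFC 1918 ranges. ipaddress's is_private is deliberately not used: it is also
# True for loopback, link-local and documentation ranges, which do not satisfy
# the article's requirement for the internal MAM LB VIP.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True only for an IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)

def validate_plan(plan):
    """Return findings for a planned layout; an empty list means consistent."""
    findings = []
    vip = plan["mam_lb_vip"]
    if not is_rfc1918(vip):
        findings.append(f"MAM LB VIP {vip} is not RFC 1918; enrollment will fail")
    # Enrollment FQDN must equal the host of both the MDM VIP URL and the
    # internal MAM LB VIP URL.
    fqdn = plan["enrollment_fqdn"].lower()
    for key in ("mdm_vip_url", "mam_lb_vip_url"):
        host = (urlparse(plan[key]).hostname or "").lower()
        if host != fqdn:
            findings.append(f"{key} host {host!r} does not match enrollment FQDN {fqdn!r}")
    # The same certificate must be on the XenMobile SSL listener, the internal
    # MAM LB VIP and, when MDM is load balanced with SSL Offload, the MDM VIP.
    certs = {"xenmobile_listener": plan["cert_listener"],
             "mam_lb_vip": plan["cert_mam_lb_vip"]}
    if plan["mdm_lb_mode"] == "SSL_OFFLOAD":
        certs["mdm_vip"] = plan["cert_mdm_vip"]
        if plan["mdm_backend_port"] != 80:  # re-encryption is not supported for MDM
            findings.append(f"SSL Offload for MDM supports only backend port 80, got {plan['mdm_backend_port']}")
    if len(set(certs.values())) > 1:
        findings.append("certificate mismatch: " + ", ".join(f"{k}={v}" for k, v in sorted(certs.items())))
    return findings

# Constructed sample plan (keys, hostnames and fingerprints are made up).
GOOD_PLAN = {
    "enrollment_fqdn": "xm.example.com",
    "mdm_vip_url": "https://xm.example.com:443", "mam_lb_vip_url": "https://xm.example.com:8443",
    "mam_lb_vip": "10.20.30.40", "mdm_lb_mode": "SSL_BRIDGE", "mdm_backend_port": 443,
    "cert_listener": "sha256:FP-PLACEHOLDER-1", "cert_mam_lb_vip": "sha256:FP-PLACEHOLDER-1",
    "cert_mdm_vip": "sha256:FP-PLACEHOLDER-1",
}
# The same plan with the mistakes the article warns about.
BAD_PLAN = dict(GOOD_PLAN, mam_lb_vip="203.0.113.40", mam_lb_vip_url="https://xm-int.example.com:8443",
                mdm_lb_mode="SSL_OFFLOAD", mdm_backend_port=8443, cert_mdm_vip="sha256:FP-PLACEHOLDER-2")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_plan(plan) or "OK")
```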
Secure Web traffic
- Will you restrict Secure Web to internal web browsing only?
- Will you enable Secure Web for both internal and external web browsing?
If you will use Secure Web for internal web browsing only, NetScaler Gateway configuration is straightforward, assuming that Secure Web can reach all internal sites by default; you might need to configure firewalls and proxy servers.
If you will use Secure Web for both internal and external browsing, you must enable the SNIP to have outbound Internet access. Because IT generally views enrolled devices (using the MDX container) as an extension of the corporate network, IT typically wants Secure Web connections to come back to NetScaler, go through a proxy server, and then go out to the Internet. By default, Secure Web access tunnels to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and NetScaler uses split tunnel settings.
For a discussion of Secure Web connections, see Configuring User Connections.
Push Notifications for Secure Mail
- Will you use push notifications?
Design guidance for iOS:
If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler Gateway must allow traffic from Secure Mail to the Citrix listener service URLs specified in Push Notifications for Secure Mail for iOS.
Design guidance for Android:
As an alternative to the MDX policy, Active poll period, you can use Firebase Cloud Messaging (FCM) to control how and when Android devices need to connect to XenMobile. With FCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the XenMobile server.
- Which STAs will you use if you integrate HDX application access?
HDX STAs must match the STAs in StoreFront and must be valid for the Virtual Apps and Desktops farm.
- Will you use ShareFile StorageZone Controllers in the environment?
- What ShareFile VIP URL will you use?
If you will include ShareFile StorageZone Controllers in your environment, ensure that you correctly configure the following: ShareFile Content Switch VIP (used by the ShareFile Control Plane to communicate with the StorageZone Controller servers), ShareFile Load Balancing VIPs, and all required policies and profiles. For information, see the Citrix ShareFile StorageZones Controller documentation.
- If SAML is required for ShareFile, do you want to use XenMobile as the SAML IdP?
The recommended best practice is to integrate ShareFile with XenMobile Advanced Edition or XenMobile Enterprise Edition, a simpler alternative to configuring SAML-based federation. When you use ShareFile with those XenMobile editions, XenMobile provides ShareFile with single sign-on (SSO) authentication of mobile productivity apps users, user account provisioning based on Active Directory, and comprehensive access control policies. The XenMobile console enables you to perform ShareFile configuration and to monitor service levels and license usage.
Note that there are two types of ShareFile clients: ShareFile for XenMobile clients (also referred to as wrapped ShareFile) and ShareFile mobile clients (also referred to as unwrapped ShareFile). To understand the differences, see [How ShareFile for XenMobile Clients differ from ShareFile mobile clients](/en-us/mobile-productivity-apps/sharefile.html#how-citrix-files-for-endpoint-management-clients-differ-from-citrix-files-mobile-clients).
You can configure XenMobile and ShareFile to use SAML to provide SSO access to ShareFile mobile apps you wrap with the MDX toolkit, as well as to non-wrapped ShareFile clients, such as the web site, Outlook plugin, or sync clients.
If you want to use XenMobile as the SAML IdP for ShareFile, ensure that the proper configurations are in place. For details, see SAML for SSO with ShareFile.
ShareConnect direct connections
- Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?
ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, XenMobile uses NetScaler Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.
Enrollment FQDN for each deployment type
| Deployment type | Enrollment FQDN |
|---|---|
| Enterprise (MDM+MAM) with mandatory MDM enrollment | XenMobile server FQDN |
| Enterprise (MDM+MAM) with optional MDM enrollment | XenMobile server FQDN or NetScaler Gateway FQDN |
| MDM only | XenMobile server FQDN |
| MAM-only (legacy) | NetScaler Gateway FQDN |
| MAM-only | XenMobile server FQDN |
Citrix recommends that you use the NetScaler for XenMobile wizard to ensure proper configuration. Be aware that you can use the wizard only one time. If you have multiple XenMobile instances, such as for test, development, and production environments, you must configure NetScaler for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure NetScaler manually for XenMobile.
The key decision you make when using the wizard is whether to use HTTPS or HTTP for communication to the XenMobile server. HTTPS provides secure back-end communication, as traffic between NetScaler and XenMobile is encrypted; the re-encryption impacts XenMobile server performance. HTTP provides better XenMobile server performance; traffic between NetScaler and XenMobile is not encrypted. The following tables show the HTTP and HTTPS port requirements for NetScaler and XenMobile server.
Citrix typically recommends SSL Bridge for NetScaler MDM virtual server configurations. For NetScaler SSL Offload use with MDM virtual servers, XenMobile supports only port 80 as the backend service.
| Deployment type | NetScaler load balancing method | SSL re-encryption | XenMobile server port |
|---|---|---|---|
| MDM | SSL Bridge | N/A | 443, 8443 |
| Enterprise | MDM: SSL Bridge | N/A | 443, 8443 |
| Enterprise | MAM: SSL Offload | Enabled | 8443 |

| Deployment type | NetScaler load balancing method | SSL re-encryption | XenMobile server port |
|---|---|---|---|
| MDM | SSL Offload | Not supported | 80 |
| Enterprise | MDM: SSL Offload | Not supported | 80 |
| Enterprise | MAM: SSL Offload | Enabled | 8443 |
For diagrams of NetScaler Gateway in XenMobile deployments, see Reference Architecture for On-Premises Deployments.