This article covers what to consider when planning how XenMobile is to integrate with your existing network and solutions. For example, if you’re already using Citrix ADC for Virtual Apps and Desktops:
- Should you use the existing Citrix ADC instance or a new, dedicated instance?
- Do you want to integrate with XenMobile the HDX apps that are published using StoreFront?
- Do you plan to use Citrix Files with XenMobile?
- Do you have a Network Access Control solution that you want to integrate into XenMobile?
- Do you deploy web proxies for all outbound traffic from your network?
Citrix ADC and Citrix Gateway
Citrix Gateway is mandatory for the XenMobile ENT and MAM modes. Citrix Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support. Citrix ADC load balancing is required in all XenMobile Server device modes in either of these cases:
- You have multiple XenMobile Servers.
- The XenMobile Server is inside your DMZ or internal network (and therefore traffic flows from devices to Citrix ADC to XenMobile).
You can use existing Citrix ADC instances or set up new ones for XenMobile. The following sections note the advantages and disadvantages of using existing or new, dedicated Citrix ADC instances.
Advantages of using an existing Citrix ADC instance:
- Uses a common Citrix ADC instance for all Citrix remote connections: Citrix Virtual Apps and Desktops, full VPN, and clientless VPN.
- Uses the existing Citrix ADC configurations, such as for certificate authentication and for accessing services like DNS, LDAP, and NTP.
- Uses a single Citrix ADC platform license.
Disadvantages of using an existing Citrix ADC instance:
- It is more difficult to plan for scale when you handle two different use cases on the same Citrix ADC.
- Sometimes you need a specific Citrix ADC version for a Citrix Virtual Apps and Desktops use case. That same version might have known issues for XenMobile. Or XenMobile might have known issues for the Citrix ADC version.
- If a Citrix Gateway exists, you cannot run the Citrix ADC for XenMobile wizard a second time to create the Citrix ADC configuration for XenMobile.
- Except when Platinum licenses are used for Citrix Gateway 11.1 or later: User access licenses installed on Citrix ADC and required for VPN connectivity are pooled. Because those licenses are available to all Citrix ADC virtual servers, services other than XenMobile can potentially consume them.
Citrix recommends using a dedicated instance of Citrix ADC.
Advantages of using a dedicated Citrix ADC instance:
- Easier to plan for scale and separates XenMobile traffic from a Citrix ADC instance that might already be resource constrained.
- Avoids issues when XenMobile and Citrix Virtual Apps and Desktops need different Citrix ADC software versions. The recommendation generally is to use the latest compatible Citrix ADC version and build for XenMobile.
- Allows XenMobile configuration of Citrix ADC through the built-in Citrix ADC for XenMobile wizard.
- Virtual and physical separation of services.
- Except when Platinum licenses are used for Citrix Gateway 11.1 or later: The user access licenses required for XenMobile are only available to XenMobile services on the Citrix ADC.
Disadvantages of using a dedicated Citrix ADC instance:
- Requires setup of extra services on Citrix ADC to support XenMobile configuration.
- Requires another Citrix ADC platform license. License each Citrix ADC instance for Citrix Gateway.
For information about what to consider when integrating Citrix ADC and Citrix Gateway with each XenMobile server mode, see Integrating with Citrix ADC and Citrix Gateway.
If you have a Citrix Virtual Apps and Desktops environment, you can integrate HDX applications with XenMobile using StoreFront. When you integrate HDX apps with XenMobile:
- The apps are available to users who are enrolled with XenMobile.
- The apps display in the XenMobile Store along with other mobile apps.
- XenMobile uses the legacy PNAgent (services) site on StoreFront.
- When Citrix Receiver is installed on a device, HDX apps start using the Receiver.
StoreFront has a limitation of one services site per StoreFront instance. If you have multiple stores and want to segment XenMobile from other production usage, Citrix generally recommends that you consider a new StoreFront instance and services site for XenMobile.
Questions to ask:
- Are there any different authentication requirements for StoreFront? The StoreFront services site requires Active Directory credentials for logon. Customers only using certificate-based authentication cannot enumerate applications through XenMobile using the same Citrix Gateway.
- Use the same store or create a new one?
- Use the same or a different StoreFront server?
The following sections note the advantages and disadvantages of using separate or combined storefronts for Receiver and mobile productivity apps.
Advantages of using the same store or StoreFront server:
- Same store: No additional configuration of StoreFront is required for XenMobile, assuming that you use the same Citrix ADC VIP for HDX access. If you choose to use the same store and want to direct Receiver access to a new Citrix ADC VIP, add the appropriate Citrix Gateway configuration to StoreFront.
- Same StoreFront server: Uses the existing StoreFront installation and configuration.
Disadvantages of using the same store or StoreFront server:
- Same store: Any reconfiguration of StoreFront to support Virtual Apps and Desktops workloads may adversely affect XenMobile as well.
- Same StoreFront server: In large environments, consider the additional load from XenMobile usage of PNAgent for app enumeration and start-up.
Advantages of using a new store or StoreFront server:
- New store: Any configuration changes of the StoreFront store for XenMobile should not affect existing Virtual Apps and Desktops workloads.
- New StoreFront server: Server configuration changes should not affect Virtual Apps and Desktops workloads. Additionally, load outside of XenMobile usage of PNAgent for app enumeration and launch should not affect scalability.
Disadvantages of using a new store or StoreFront server:
- New store: Requires configuration of a new StoreFront store.
- New StoreFront server: Requires a new StoreFront installation and configuration.
For more information, see Virtual Apps and Desktops through Citrix Secure Hub in the XenMobile documentation.
ShareFile and Citrix Files
Citrix Files enables users to access and sync all of their data from any device. With Citrix Files, users can securely share data with people both inside and outside the organization. If you integrate ShareFile with XenMobile Advanced Edition or Enterprise Edition, XenMobile can provide Citrix Files with:
- Single sign-on authentication for XenMobile App users.
- Active Directory-based user account provisioning.
- Comprehensive access control policies.
Mobile users can benefit from the full Enterprise account feature set.
Alternatively, you can configure XenMobile to integrate only with storage zone connectors. Through storage zone connectors, Citrix Files provides access to:
- Documents and folders
- Network file shares
- In SharePoint sites: Site collections and document libraries.
Connected file shares can include the same network home drives used in Citrix Virtual Apps and Desktops environments. You use the XenMobile console to configure the integration with Citrix Files or storage zone connectors. For more information, see Citrix Files use with XenMobile.
The following sections note the questions to ask when making design decisions for Citrix Files.
Questions to ask:
- Do you need to store data in Citrix-managed storage zones?
- Do you want to provide users with file sharing and sync capabilities?
- Do you want to enable users to access files on the Citrix Files website? Or to access Office 365 content and Personal Cloud connectors from mobile devices?
Design decisions:
- If the answer to any of those questions is “yes,” integrate with Citrix Files.
- An integration with only storage zone connectors gives iOS users secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. In this configuration, you don’t set up a ShareFile subdomain, provision users to Citrix Files, or host Citrix Files data. Using storage zone connectors with XenMobile complies with security restrictions against leaking user information outside of the corporate network.
Questions to ask:
- Do you require on-premises storage or features such as storage zone connectors?
- If using on-premises features of Citrix Files, where will the storage zones controllers sit in the network?
Design decisions:
- Determine whether to locate the storage zones controller servers in the Citrix Files cloud, in your on-premises single-tenant storage system, or in supported third-party cloud storage.
- Storage zones controllers require some internet access to communicate with the Citrix Files Control Plane. You can connect in several ways, including direct access, NAT/PAT configurations, or proxy configurations.
Questions to ask:
- What are the CIFS share paths?
- What are the SharePoint URLs?
Design decisions:
- Determine if on-premises storage zones controllers are required to access those locations.
- Due to storage zone connector communication with internal resources such as file repositories, CIFS shares, and SharePoint: Citrix recommends that storage zones controllers reside in the internal network behind DMZ firewalls and fronted by Citrix ADC.
Questions to ask:
- Is Active Directory authentication required for Citrix Files?
- Does first time use of the Citrix Files app for XenMobile require SSO?
- Is there a standard IdP in your current environment?
- How many domains are required to use SAML?
- Are there multiple email aliases for Active Directory users?
- Are there any Active Directory domain migrations in progress or scheduled soon?
XenMobile Enterprise environments may choose to use SAML as the authentication mechanism for Citrix Files. The authentication options are:
- Use XenMobile server as the Identity Provider (IdP) for SAML. This option can provide an excellent user experience and automate Citrix Files account creation, as well as enable mobile app SSO features.
  - XenMobile server is enhanced for this process: It does not require the synchronization of Active Directory.
  - Use the Citrix Files User Management Tool for user provisioning.
- Use a supported third-party vendor as the IdP for SAML. If you have an existing and supported IdP and don’t require mobile app SSO capabilities, this option might be the best fit for you. This option also requires the use of the Citrix Files User Management Tool for account provisioning.
Using third-party IdP solutions such as ADFS may also provide SSO capabilities on the Windows client side. Be sure to evaluate use cases before choosing your Citrix Files SAML IdP.
Additionally, to satisfy both use cases, you can configure ADFS and XenMobile as a dual IdP.
Questions to ask:
- Which Citrix Files mobile app do you plan to use (public, MDM, MDX)?
Design decisions:
- You distribute mobile productivity apps from the Apple App Store and Google Play Store. With that public app store distribution, you obtain wrapped apps from the Citrix downloads page.
- If security is low and you don’t require containerization, the public Citrix Files application may not be suitable. In an MDM-only environment, you can deliver the MDM version of the Citrix Files app using XenMobile in MDM mode.
- For more information, see Apps and Citrix Files for XenMobile.
Questions to ask:
- What restrictions do you require for desktop, web, and mobile users?
- What standard access control settings do you want for users?
- What file retention policy do you plan to use?
Design decisions:
- Citrix Files lets you manage employee permissions and device security. For information, see Employee Permissions and Managing Devices and Apps.
- Some Citrix Files device security settings and MDX policies control the same features. In those cases, XenMobile policies take precedence, followed by the Citrix Files device security settings. Examples: If you disable external apps in Citrix Files, but enable them in XenMobile, the external apps get disabled in Citrix Files. You can configure the apps so that XenMobile doesn’t require a PIN/passcode, but the Citrix Files app requires a PIN/passcode.
Questions to ask:
- Do you require restricted storage zones?
Design decisions:
- A standard storage zone is intended for non-sensitive data and enables employees to share data with non-employees. This option supports workflows that involve sharing data outside of your domain.
- A restricted storage zone protects sensitive data: Only authenticated domain users can access the data stored in the zone.
The most likely scenario for routing XenMobile traffic through an HTTP(S)/SOCKS proxy is when the subnet that the XenMobile server resides in doesn’t have outbound Internet access to the required Apple, Google, or Microsoft IP addresses. You can specify proxy server settings in XenMobile to route all Internet traffic to the proxy server. For more information, see Enable proxy servers.
The following table describes the advantages and disadvantages of the most common proxy configurations used with XenMobile.
| Proxy configuration | Advantages | Disadvantages |
|---|---|---|
| Use an HTTP(S)/SOCKS proxy with XenMobile server. | In cases where policies do not permit outbound Internet connections from the XenMobile server subnet: You can configure an HTTP(S) or SOCKS proxy to provide Internet connectivity. | If the proxy server fails, APNs (iOS) or Firebase Cloud Messaging (Android) connectivity breaks. As a result, device notifications fail for all iOS and Android devices. |
| Use an HTTP(S) proxy with Secure Web. | You can monitor HTTP/HTTPS traffic to ensure that Internet activity complies with your organization’s standards. | This configuration requires all Secure Web Internet traffic to tunnel back to the corporate network before it is sent back out to the Internet. If your Internet connection constrains browsing: This configuration could affect Internet browsing performance. |
Your Citrix ADC session profile configuration for split tunneling affects the traffic as follows.
When Citrix ADC Split Tunneling is off:
- If the MDX Network access policy is Tunneled to the internal network: All traffic is forced to use the micro VPN or clientless VPN (cVPN) tunnel back to the Citrix Gateway.
- Configure Citrix ADC traffic policies/profiles for the proxy server and bind them to the Citrix Gateway VIP. Be sure to exclude Secure Hub cVPN traffic from the proxy.
- For more information, see XenMobile Secure Hub Traffic Through Proxy Server in Secure Browse Mode.
When Citrix ADC Split Tunneling is on:
- When apps are configured with the MDX Network access policy set to Tunneled to the internal network: The apps first attempt to get the web resource directly. If the web resource is not publicly available, those apps then fall back to Citrix Gateway.
- Configure Citrix ADC traffic policies and profiles for the proxy server. Then, bind those policies and profiles to the Citrix Gateway VIP. Be sure to exclude Secure Hub cVPN traffic from the proxy.
Your Citrix ADC session profile configuration for Split DNS (under Client experience) functions similarly to Split Tunneling.
With Split DNS enabled and set to Both:
- The client first attempts to resolve the FQDN locally and then falls back to Citrix ADC for DNS resolution during failure.
With Split DNS set to Remote:
- DNS resolution occurs only on Citrix ADC.
With Split DNS set to Local:
- The client attempts to resolve the FQDN locally. Citrix ADC isn’t used for DNS resolution.
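The proxy, split tunneling, and Split DNS behaviour described above can be hard to reason about together, so the following added example models it as two small decision functions. This is constructed example code written for this page, not XenMobile or Citrix ADC code: the session profile class, the `choose_path` and `resolve` functions, and every host name and address are assumptions made for illustration. It covers only apps whose MDX Network access policy is Tunneled to the internal network, identifies Secure Hub cVPN traffic by its destination being the XenMobile server FQDN (an assumption), and raises when tunnelled traffic depends on a proxy that is down, which is the notification-failure mode noted in the proxy table.

```python
"""Traffic-path model for tunnelled MDX apps behind Citrix Gateway.

Constructed example for this page; not XenMobile or Citrix ADC code.
  * Split Tunneling OFF -> every request uses the micro VPN / cVPN tunnel.
  * Split Tunneling ON  -> the app tries the destination directly first and
                           falls back to Citrix Gateway if that fails.
  * A proxy bound to the Gateway VIP applies to tunnelled traffic, except
    Secure Hub's own cVPN traffic to the XenMobile server.
  * Split DNS BOTH / REMOTE / LOCAL decides where names are resolved.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # returns an IP string, or None on failure


@dataclass
class AdcSessionProfile:
    split_tunnel: bool             # session profile: Split Tunneling ON (True) / OFF (False)
    split_dns: str                 # Client experience > Split DNS: BOTH, REMOTE or LOCAL
    proxy: Optional[str] = None    # proxy from the traffic policy bound to the Gateway VIP
    proxy_up: bool = True          # assumption: we know whether that proxy is reachable


def choose_path(profile: AdcSessionProfile, dest_host: str, xenmobile_fqdn: str,
                publicly_reachable: Callable[[str], bool]) -> str:
    """Return 'direct', 'gateway' or 'gateway+proxy' for one tunnelled-app request.

    publicly_reachable(host) stands in for the app's direct attempt when split
    tunneling is on. Raises ConnectionError when the request needs a proxy
    that is down.
    """
    if profile.split_tunnel and publicly_reachable(dest_host):
        return "direct"            # split tunneling ON: direct first
    # Split tunneling OFF, or the direct attempt failed: use the tunnel.
    if profile.proxy is None or dest_host == xenmobile_fqdn:
        # No proxy configured, or Secure Hub cVPN traffic to XenMobile, which stays off
        # the proxy (assumption: recognised here by its destination FQDN).
        return "gateway"
    if not profile.proxy_up:
        raise ConnectionError(f"proxy {profile.proxy} is down; request to {dest_host} fails")
    return "gateway+proxy"


def resolve(profile: AdcSessionProfile, fqdn: str,
            local_dns: Resolver, adc_dns: Resolver) -> Optional[str]:
    """Resolve fqdn according to the Split DNS setting; None means resolution failed."""
    mode = profile.split_dns.upper()
    if mode == "REMOTE":
        return adc_dns(fqdn)                        # only Citrix ADC resolves
    if mode == "LOCAL":
        return local_dns(fqdn)                      # Citrix ADC is never used
    if mode == "BOTH":
        return local_dns(fqdn) or adc_dns(fqdn)     # local first, Citrix ADC on failure
    raise ValueError(f"unknown Split DNS mode {profile.split_dns!r}")


# --- constructed sample environment; all names and addresses are made up ---
XMS_FQDN = "xms.example.internal"
PUBLIC_HOSTS = {"www.example.com"}                  # reachable without the tunnel
PUBLIC_TABLE = {"www.example.com": "203.0.113.7"}
INTERNAL_TABLE = {"intranet.example.internal": "10.0.5.20", XMS_FQDN: "10.0.5.10"}


def local_dns(fqdn: str) -> Optional[str]:          # the device's own resolver
    return PUBLIC_TABLE.get(fqdn)


def adc_dns(fqdn: str) -> Optional[str]:            # resolver reached through Citrix ADC
    return {**PUBLIC_TABLE, **INTERNAL_TABLE}.get(fqdn)


def is_public(host: str) -> bool:
    return host in PUBLIC_HOSTS


if __name__ == "__main__":
    for split_tunnel in (False, True):
        profile = AdcSessionProfile(split_tunnel, "BOTH", proxy="proxy.example.internal:8080")
        for host in ("www.example.com", "intranet.example.internal", XMS_FQDN):
            path = choose_path(profile, host, XMS_FQDN, is_public)
            ip = resolve(profile, host, local_dns, adc_dns)
            print(f"split_tunnel={split_tunnel!s:5} {host:26} -> {path:14} resolves to {ip}")
```

Running the block prints the path and resolution for each sample host under both split-tunneling settings; swapping `split_dns` to `LOCAL` shows the internal names failing to resolve, which is the practical reason Split DNS is usually set to Both or Remote when apps tunnel to internal resources.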
Enterprises can manage mobile devices inside and outside of networks. Enterprise Mobility Management solutions such as XenMobile are great at providing security and controls for mobile devices, independent of location. However, when you combine them with a Network Access Control (NAC) solution, you can add QoS and more fine-grained control to devices that are internal to your network. That combination enables you to extend the XenMobile device security assessment through your NAC solution. Your NAC solution then can use the XenMobile security assessment to facilitate and handle authentication decisions.
You can use any of these solutions to enforce NAC policies:
- Citrix Gateway
- Cisco Identity Services Engine (ISE)
Citrix doesn’t guarantee integration for other NAC solutions.
Advantages of a NAC solution integration with XenMobile include the following:
- Better security, compliance, and control for all endpoints on an enterprise network.
- A NAC solution can:
  - Detect devices at the instant they attempt to connect to your network.
  - Query XenMobile for device attributes.
  - Use that device information to determine whether to allow, block, limit, or redirect those devices. Those decisions depend on the security policies you choose to enforce.
- A NAC solution provides IT administrators with a view of unmanaged and non-compliant devices.
For a description of the NAC compliance filters supported by XenMobile and a configuration overview, see Network Access Control.
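The detect, query, and decide flow above is shown below as an added example of a NAC decision routine driven by a XenMobile device assessment. It is constructed for this page and is not Citrix Gateway, Cisco ISE, or XenMobile code: the `DeviceAssessment` class, the `nac_decision` and `problem_devices` functions, the policy table, and the sample device identifiers and reasons are all assumptions, and the XenMobile query is a dictionary lookup standing in for whatever the real NAC solution uses. The one design point it adds to the text is explicit handling of the case where XenMobile cannot be queried: the default is to block (fail closed), and the parameter makes any other choice deliberate.

```python
"""NAC decision model using a XenMobile device security assessment.

Constructed example for this page; not Citrix Gateway, Cisco ISE or XenMobile
code. A device is seen when it connects, the NAC asks XenMobile about it, and
the answer selects allow / block / limit / redirect.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DeviceAssessment:
    """What the (hypothetical) XenMobile query returns for one device."""
    managed: bool                                   # enrolled in XenMobile
    compliant: bool                                 # passes the compliance filters configured in XenMobile
    reasons: List[str] = field(default_factory=list)  # why it is non-compliant, if it is


class XenMobileUnavailable(Exception):
    """Raised by the lookup when XenMobile cannot be queried."""


Lookup = Callable[[str], Optional[DeviceAssessment]]   # None: XenMobile has never seen the device

# Default outcome per device state; an administrator can substitute stricter choices,
# e.g. "block" for non-compliant devices.
DEFAULT_POLICY: Dict[str, str] = {
    "unmanaged": "redirect",      # send to the enrollment / captive page
    "noncompliant": "limit",      # quarantine segment only
    "compliant": "allow",
}


def nac_decision(device_id: str, lookup: Lookup, policy: Dict[str, str] = DEFAULT_POLICY,
                 on_lookup_failure: str = "block") -> str:
    """Return 'allow', 'block', 'limit' or 'redirect' for a device that just connected."""
    try:
        assessment = lookup(device_id)
    except XenMobileUnavailable:
        return on_lookup_failure                    # fail closed by default: no assessment, no access
    if assessment is None or not assessment.managed:
        return policy["unmanaged"]
    if not assessment.compliant:
        return policy["noncompliant"]
    return policy["compliant"]


def problem_devices(device_ids: List[str], lookup: Lookup) -> List[Tuple[str, str]]:
    """The administrator view mentioned above: (device, why) for unmanaged or non-compliant devices."""
    out: List[Tuple[str, str]] = []
    for device_id in device_ids:
        assessment = lookup(device_id)
        if assessment is None or not assessment.managed:
            out.append((device_id, "unmanaged"))
        elif not assessment.compliant:
            out.append((device_id, "non-compliant: " + ", ".join(assessment.reasons)))
    return out


# --- constructed sample: identifiers, attributes and reasons are invented ---
SAMPLE: Dict[str, DeviceAssessment] = {
    "aa:bb:cc:00:00:01": DeviceAssessment(managed=True, compliant=True),
    "aa:bb:cc:00:00:02": DeviceAssessment(managed=True, compliant=False, reasons=["device passcode not compliant"]),
    "aa:bb:cc:00:00:03": DeviceAssessment(managed=False, compliant=False),
}


def sample_lookup(device_id: str) -> Optional[DeviceAssessment]:
    """Stand-in for the NAC solution's query to XenMobile."""
    return SAMPLE.get(device_id)


if __name__ == "__main__":
    for dev in list(SAMPLE) + ["ff:ff:ff:ff:ff:ff"]:
        print(f"{dev} -> {nac_decision(dev, sample_lookup)}")
    print("needs attention:", problem_devices(list(SAMPLE), sample_lookup))
```

Run as a script, the block classifies each sample device and then lists the unmanaged and non-compliant ones; passing a lookup that raises `XenMobileUnavailable` shows the fail-closed default, which is the behaviour to decide on before the NAC integration goes live, because a XenMobile outage otherwise silently becomes a network outage or an open door.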