This article covers what to consider when planning how XenMobile is to integrate with your existing network and solutions. For example, if you’re already using NetScaler for XenApp and XenDesktop:
- Should you use the existing NetScaler instance or a new, dedicated instance?
- Do you want to integrate with XenMobile the HDX apps that are published using StoreFront?
- Do you plan to use ShareFile with XenMobile?
- Do you have a Network Access Control solution that you want to integrate into XenMobile?
- Do you deploy web proxies for all outbound traffic from your network?
NetScaler and NetScaler Gateway
NetScaler Gateway required mandatory for XenMobile ENT and MAM modes. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support. NetScaler load balancing is required for all XenMobile Server device modes:
- If you have multiple XenMobile Servers.
- Or, if the XenMobile Server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile).
You can use existing NetScaler instances or set up new ones for XenMobile. The following sections note the advantages and disadvantages of using existing or new, dedicated NetScaler instances.
Shared NetScaler MPX with a NetScaler Gateway VIP created for XenMobile
- Uses a common NetScaler instance for all Citrix remote connections: XenApp, full VPN, and clientless VPN.
- Uses the existing NetScaler configurations, such as for certificate authentication and for accessing services like DNS, LDAP, and NTP.
- Uses a single NetScaler platform license.
- It is more difficult to plan for scale when you handle two very different use cases on the same NetScaler.
- Sometimes you need a specific NetScaler version for a XenApp use case. That same version might have known issues for XenMobile. Or XenMobile might have known issues for the NetScaler version.
- If a NetScaler Gateway exists, you cannot run the NetScaler for XenMobile wizard a second time to create the NetScaler configuration for XenMobile.
- Except when Platinum licenses are used for NetScaler Gateway 11.1 or later: User access licenses installed on NetScaler and required for VPN connectivity are pooled. Because those licenses are available to all NetScaler virtual servers, services other than XenMobile can potentially consume them.
Dedicated NetScaler VPX/MPX instance
Citrix recommends using a dedicated instance of NetScaler.
- Easier to plan for scale and separates XenMobile traffic from a NetScaler instance that might already be resource constrained.
- Avoids issues when XenMobile and XenApp need different NetScaler software versions. The recommendation generally is to use the latest compatible NetScaler version and build for XenMobile.
- Allows XenMobile configuration of NetScaler through the built-in NetScaler for XenMobile wizard.
- Virtual and physical separation of services.
- Except when Platinum licenses are used for NetScaler Gateway 11.1 or later: The user access licenses required for XenMobile are only available to XenMobile services on the NetScaler.
- Requires setup of extra services on NetScaler to support XenMobile configuration.
- Requires another NetScaler platform license. License each NetScaler instance for NetScaler Gateway.
For information about what to consider when integrating NetScaler and NetScaler Gateway with each XenMobile server mode, see Integrating with NetScaler and NetScaler Gateway.
If you have a Citrix XenApp and XenDesktop environment, you can integrate HDX applications with XenMobile using StoreFront. When you integrate HDX apps with XenMobile:
- The apps are available to users who are enrolled with XenMobile.
- The apps display in the XenMobile Store along with other mobile apps.
- XenMobile uses the legacy PNAgent (services) site on StoreFront.
- When Citrix Receiver is installed on a device, HDX apps start using the Receiver.
StoreFront has a limitation of one services site per StoreFront instance. Suppose that you have multiple stores and want to segment it from other production usage. In that case, Citrix generally recommends that you consider a new StoreFront Instance and services site for XenMobile.
- Are there any different authentication requirements for StoreFront? The StoreFront services site requires Active Directory credentials for logon. Customers only using certificate-based authentication cannot enumerate applications through XenMobile using the same NetScaler Gateway.
- Use the same store or create a new one?
- Use the same or a different StoreFront server?
The following sections note the advantages and disadvantages of using separate or combined storefronts for Receiver and mobile productivity apps.
Integrate your existing StoreFront instance with XenMobile server
- Same store: No additional configuration of StoreFront is required for XenMobile, assuming that you use the same NetScaler VIP for HDX access. Suppose that you choose to use the same store and want to direct Receiver access to a new NetScaler VIP. In that case, add the appropriate NetScaler Gateway configuration to StoreFront.
- Same StoreFront server: Uses the existing StoreFront installation and configuration.
- Same store: Any reconfiguration of StoreFront to support XenApp and XenDesktop workloads may adversely affect XenMobile as well.
- Same StoreFront server: In large environments, consider the additional load from XenMobile usage of PNAgent for app enumeration and start-up.
Use a new, dedicated StoreFront instance for integration with XenMobile server
- New store: Any configuration changes of the StoreFront store for XenMobile should not affect existing XenApp and XenDesktop workloads.
- New StoreFront server: Server configuration changes should not affect XenApp and XenDesktop workflow. Additionally, load outside of XenMobile usage of PNAgent for app enumeration and launch should not affect scalability.
- New store: StoreFront store configuration.
- New StoreFront server: Requires new StoreFront installation and configuration.
For more information, see XenApp and XenDesktop through Citrix Secure Hub in the XenMobile documentation.
ShareFile enables users to access and sync all of their data from any device. With ShareFile, users can securely share data with people both inside and outside the organization. If you integrate ShareFile with XenMobile Advanced Edition or Enterprise Edition, XenMobile can provide ShareFile with:
- Single sign-on authentication for XenMobile App users.
- Active Directory-based user account provisioning.
- Comprehensive access control policies.
Mobile users can benefit from the full ShareFile Enterprise feature set.
Alternatively, you can configure XenMobile to integrate only with StorageZone Connectors. Through StorageZone Connectors, ShareFile provides access to:
- Ddocuments and folders
- Network file shares
- In SharePoint sites: Site collections and document libraries.
Connected file shares can include the same network home drives used in Citrix XenDesktop and XenApp environments. You use the XenMobile console to configure the integration with ShareFile Enterprise or StorageZones Connectors. For more information, see ShareFile use with XenMobile.
The following sections note the questions to ask when making design decisions for ShareFile.
Integrate with ShareFile Enterprise or only StorageZone Connectors
Questions to ask:
- Do you need to store data in Citrix-managed StorageZones?
- Do you want to provide users with file sharing and sync capabilities?
- Do you want to enable users to access files on the ShareFile website? Or to access Office 365 content and Personal Cloud connectors from mobile devices?
- If the answer to any of those questions is “yes,” integrate with ShareFile Enterprise.
- An integration with only StorageZone Connectors gives iOS users secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. In this configuration, you don’t set up a ShareFile subdomain, provision users to ShareFile, or host ShareFile data. Using StorageZones Connectors with XenMobile complies with security restrictions against leaking user information outside of the corporate network.
ShareFile StorageZones Controller server location
Questions to ask:
- Do you require on-premises storage or features such as StorageZone Connectors?
- If using on-premises features of ShareFile, where will the ShareFile StorageZones Controllers sit in the network?
- Determine whether to locate the StorageZones Controller servers in the ShareFile cloud, in your on-premises single-tenant storage system, or in supported third-party cloud storage.
- StorageZones Controllers require some internet access to communicate with the Citrix ShareFile Control Plane. You can connect in several ways, including direct access, NAT/PAT configurations, or proxy configurations.
Questions to ask:
- What are the CIFS share paths?
- What are the SharePoint URLs?
- Determine if on-premises StorageZones Controllers are required to access those locations.
- Due to StorageZone Connector communication with internal resources such as file repositories, CIFS shares, and SharePoint: Citrix recommends that StorageZones Controllers reside in the internal network behind DMZ firewalls and fronted by NetScaler.
SAML integration with XenMobile Enterprise
Questions to ask:
- Is Active Directory authentication required for ShareFile?
- Does first time use of the ShareFile app for XenMobile require SSO?
- Is there a standard IdP in your current environment?
- How many domains are required to use SAML?
- Are there multiple email aliases for Active Directory users?
- Are there any Active Directory domain migrations in progress or scheduled soon?
XenMobile Enterprise environments may choose to use SAML as the authentication mechanism for ShareFile. The authentication options are:
- Use XenMobile server as the Identity Provider (IdP) for SAML
This option can provide excellent user experience and automate ShareFile account creation, as well as enable mobile app SSO features.
- XenMobile server is enhanced for this process: It does not require the synchronization of Active Directory.
- Use the ShareFile User Management Tool for user provisioning.
- Use a supported third-party vendor as the IdP for SAML
If you have an existing and supported IdP and don’t require mobile app SSO capabilities, this option might be the best fit for you. This option also requires the use of the ShareFile User Management Tool for account provisioning.
Using third-party IdP solutions such as ADFS may also provide SSO capabilities on the Windows client side. Be sure to evaluate use cases before choosing your ShareFile SAML IdP.
Additionally, to satisfy both use cases, you can configure ADFS and XenMobile as a dual IDP.
Questions to ask:
- Which ShareFile mobile app do you plan to use (public, MDM, MDX)?
- You distribute mobile productivity apps from the Apple App Store and Google Play Store. With that public app store distribution, you obtain wrapped apps from the Citrix downloads page.
- If security is low and you don’t require containerization, the public ShareFile application may not be suitable. In an MDM-only environment, you can deliver the MDM version of the ShareFile app using XenMobile in MDM mode.
- For more information, see Apps and Citrix ShareFile for XenMobile.
Security, policies, and access control
Questions to ask:
- What restrictions do you require for desktop, web, and mobile users?
- What standard access control settings do you want for users?
- What file retention policy do you plan to use?
- ShareFile lets you manage employee permissions and device security. For information, see Employee Permissions and Managing Devices and Apps.
- Some ShareFile device security settings and MDX policies control the same features. In those cases, XenMobile policies take precedence, followed by the ShareFile device security settings. Examples: If you disable external apps in ShareFile, but enable them in XenMobile, the external apps get disabled in ShareFile. You can configure the apps so that XenMobile doesn’t require a PIN/passcode, but the ShareFile app requires a PIN/passcode.
Standard vs. Restricted StorageZones
Questions to ask:
- Do you require Restricted StorageZones?
- A standard StorageZone is intended for non-sensitive data and enables employees to share data with non-employees. This option supports workflows that involve sharing data outside of your domain.
- A restricted StorageZone protects sensitive data: Only authenticated domain users can access the data stored in the zone.
The most likely scenario for routing XenMobile traffic through an HTTP(S)/SOCKS proxy is as follows: When the subnet that the XenMobile server resides in doesn’t have outbound Internet access to the required Apple, Google, or Microsoft IP addresses. You can specify proxy server settings in XenMobile to route all Internet traffic to the proxy server. For more information, see Enable proxy servers.
The following table describes the advantages and disadvantages of the most common proxy used with XenMobile.
|Use an HTTP(S)/ SOCKS Proxy with XenMobile server.||In cases where policies do not permit outbound Internet connections from the XenMobile server subnet: You can configure an HTTP(S) or SOCKS proxy to provide Internet connectivity.||If the proxy server fails, APNs (iOS) or Google Cloud Messaging (Android) connectivity breaks. As a result, device notifications fail for all iOS and Android devices.|
|Use an HTTP(S) Proxy with Secure Web.||You can monitor HTTP/HTTPS traffic to ensure that Internet activity complies with your organization’s standards.||This configuration requires all Secure Web Internet traffic to tunnel back to the corporate network before they are sent back out to the Internet. If your Internet connection constrains browsing: This configuration could affect Internet browsing performance.|
Your NetScaler session profile configuration for split tunneling affects the traffic as follows.
When NetScaler Split Tunneling is off:
- If the MDX Network access policy is Tunneled to the internal network: All traffic is forced to use the micro VPN or clientless VPN (cVPN) tunnel back to the NetScaler Gateway.
- Configure NetScaler traffic policies/profiles for the proxy server and bind them to the NetScaler Gateway VIP.
Be sure to exclude Secure Hub cVPN traffic from the proxy.
- For more information, see XenMobile Secure Hub Traffic Through Proxy Server in Secure Browse Mode.
When NetScaler Split Tunneling is on:
- When apps are configured with the MDX Network access policy set to Tunneled to the internal network: The apps first attempt to get the web resource directly. If the web resource is not publicly available, those apps then fall back to NetScaler Gateway.
- Configure NetScaler traffic policies and profiles for the proxy server. Then, bind those policies and profiles to the NetScaler Gateway VIP.
Be sure to exclude Secure Hub cVPN traffic from the proxy.
Your NetScaler session profile configuration for Split DNS (under Client experience) functions similarly to Split Tunneling.
With Split DNS enabled and set to Both:
- The client first attempts to resolve the FQDN locally and then falls back to NetScaler for DNS resolution during failure.
With Split DNS set to Remote:
- DNS resolution occurs only on NetScaler.
With Split DNS set to Local:
- The client attempts to resolve the FQDN locally. NetScaler isn’t used for DNS resolution.
Enterprises can now manage mobile devices inside and outside of networks. Enterprise Mobility Management solutions such as XenMobile are great at providing security and controls for mobile devices, independent of location. However, when coupled with a Network Access Control (NAC) solution, you can add QoS and more fine-grained control to devices that are internal to your network. That combination enables you to extend the XenMobile device security assessment through your NAC solution. Your NAC solution then can use the XenMobile security assessment to facilitate and handle authentication decisions. Citrix has validated NAC integration with XenMobile for Cisco Identity Services Engine (ISE) or ForeScout. Citrix doesn’t guarantee integration for other NAC solutions.
Advantages of a NAC solution integration with XenMobile include the following:
- Better security, compliance, and control for all endpoints on an enterprise network.
- A NAC solution can:
- Detect devices at the instant they attempt to connect to your network.
- Query XenMobile for device attributes.
- Then use that information to determine whether to allow, block, limit, or redirect those devices. Those decisions depend on the security policies you choose to enforce.
- A NAC solution provides IT administrators with a view of unmanaged and non-compliant devices.
For a description of the NAC compliance filters supported by XenMobile, see Network Access Control.