SSO and Proxy Considerations for MDX Apps
XenMobile integration with NetScaler enables you to provide users with single sign-on (SSO) to all backend HTTP/HTTPS resources. Depending on your SSO authentication requirements, you can configure user connections for an MDX app to use either of these options:
- Secure Browse, which is a type of clientless VPN
- Full VPN Tunnel
If NetScaler isn’t the best way to provide SSO in your environment, you can set up an MDX app with policy-based local password caching. This article explores the various SSO and proxy options, with a focus on Secure Web. The concepts apply to other MDX apps.
The following flow chart summarizes the decision flow for SSO and user connections.
Authentication Methods
This section provides general information about the authentication methods supported by NetScaler.
SAML
When you configure NetScaler for Security Assertion Markup Language (SAML), users can connect to web apps that support the SAML protocol for single sign-on. NetScaler Gateway supports identity provider (IdP) single sign-on for SAML web apps.
- Configure SAML SSO in the NetScaler Traffic profile.
- Configure the SAML IdP for the requested service.
NTLM Authentication
If SSO to web apps is enabled in the session profile, NetScaler performs NTLM authentication automatically.
- Enable SSO in the NetScaler Session or Traffic profile.
Kerberos Impersonation
XenMobile supports Kerberos for Secure Web only. When you configure NetScaler for Kerberos SSO, NetScaler uses impersonation when a user password is available to NetScaler. Impersonation means that NetScaler uses the user's credentials to obtain the ticket required to gain access to services, such as Secure Web.
- Configure the NetScaler “Worx” Session policy to allow it to identify the Kerberos Realm from your connection.
- Configure a Kerberos Constrained Delegation (KCD) account on NetScaler. Configure that account with no password and bind it to a traffic policy on your XenMobile gateway.
- For those and other configuration details, see the Citrix blog: WorxWeb and Kerberos Impersonation SSO.
Kerberos Constrained Delegation
XenMobile supports Kerberos for Secure Web only. When you configure NetScaler for Kerberos SSO, NetScaler uses constrained delegation when a user password is not available to NetScaler.
With constrained delegation, NetScaler uses a specified administrator account to get tickets on behalf of users and services.
- Configure a KCD account in Active Directory with the required permissions and a KCD account on NetScaler.
- Enable SSO in the NetScaler Traffic profile.
- Configure the back-end website for Kerberos authentication.
- For those and other configuration details, see the Citrix blog, Configuring Kerberos Single Sign-on for WorxWeb.
Form Fill Authentication
When you configure NetScaler for Form-based single sign-on, users can log on one time to access all protected apps in your network. This authentication method applies to apps that use Secure Browse or Full VPN modes.
- Configure Form-based SSO in the NetScaler Traffic profile.
Digest HTTP authentication
If you enable SSO to web apps in the session profile, NetScaler performs digest HTTP authentication automatically. This authentication method applies to apps that use Secure Browse or Full VPN modes.
- Enable SSO in the NetScaler Session or Traffic profile.
Basic HTTP authentication
If you enable SSO to web apps in the session profile, NetScaler performs basic HTTP authentication automatically. This authentication method applies to apps that use Secure Browse or Full VPN modes.
- Enable SSO in the NetScaler Session or Traffic profile.
The following sections describe the user connection types for Secure Web. For more information, see this Secure Web article in the Citrix documentation, Configuring user connections.
Full VPN Tunnel
Connections that tunnel to the internal network can use a full VPN tunnel. Use the Secure Web Preferred VPN mode policy to configure full VPN tunnel. Citrix recommends Full VPN tunnel for connections that use client certificates or end-to-end SSL to a resource in the internal network. Full VPN tunnel handles any protocol over TCP. You can use full VPN tunnel with Windows, Mac, iOS, and Android devices.
In Full VPN Tunnel mode, NetScaler does not have visibility inside an HTTPS session.
Secure Browse
Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as Secure Browse. Secure Browse is the default configuration specified for the Secure Web Preferred VPN mode policy. Citrix recommends Secure Browse for connections that require single sign-on (SSO).
In Secure Browse mode, NetScaler breaks the HTTPS session into two parts:
- From the client to NetScaler
- From NetScaler to the back-end resource server
In this manner, NetScaler has full visibility into all transactions between the client and server, enabling it to provide SSO.
You can also configure proxy servers for Secure Web when it is used in Secure Browse mode. For details, see the blog XenMobile WorxWeb Traffic Through Proxy Server in Secure Browse Mode.
Full VPN Tunnel with PAC
You can use a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment for Secure Web on iOS and Android devices. XenMobile supports proxy authentication provided by NetScaler. A PAC file contains rules that define how web browsers select a proxy to access a given URL. PAC file rules can specify handling for both internal and external sites. Secure Web parses PAC file rules and sends the proxy server information to NetScaler Gateway. NetScaler Gateway is unaware of the PAC file or proxy server.
For authentication to HTTPS websites, the Secure Web MDX policy Enable web password caching lets Secure Web authenticate to the proxy server and provide SSO through MDX.
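As an added illustration of the PAC rules described above (example code written for this article, not a file from Citrix or XenMobile), the following PAC file sends internal hosts direct and routes everything else through an internal proxy. The host names, DNS suffix, proxy address and port are assumed sample values, and the three helper functions at the top are minimal stand-ins for the helpers a PAC runtime normally provides, included only so the file can be exercised offline under Node.js.

```javascript
// Added example: a Proxy Automatic Configuration (PAC) file of the kind the
// article describes. Illustrative only; not shipped by Citrix or XenMobile.
// Proxy address, port and DNS suffix below are assumed sample values.

// --- Stand-ins for PAC runtime helpers (assumed; the real ones are built in) ---
function isPlainHostName(host) {
  // "intranet" is plain; "intranet.corp.example" is not.
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // True when host ends with the given domain (case-insensitive).
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, pattern) {
  // Shell-style glob (* and ?) turned into an anchored, case-insensitive regex.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// --- The PAC rules themselves ---
const INTERNAL_PROXY = "PROXY proxy.corp.example:8080"; // assumed internal proxy
const INTERNAL_SUFFIX = ".corp.example";                // assumed internal DNS suffix

function FindProxyForURL(url, host) {
  // Unqualified names only resolve on the internal network: no proxy.
  if (isPlainHostName(host)) return "DIRECT";

  // Internal sites: reach them directly, bypassing the proxy.
  if (dnsDomainIs(host, INTERNAL_SUFFIX)) return "DIRECT";

  // External web sites go through the internal proxy; fall back to a direct
  // connection only if the proxy cannot be reached.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*")) {
    return INTERNAL_PROXY + "; DIRECT";
  }

  // Anything else (non-HTTP schemes): no proxy.
  return "DIRECT";
}

// Stand-alone demonstration.
for (const [url, host] of [["http://intranet/", "intranet"],
                           ["https://wiki.corp.example/", "wiki.corp.example"],
                           ["https://www.example.com/", "www.example.com"]]) {
  console.log(host, "->", FindProxyForURL(url, host));
}
```

Secure Web, not NetScaler Gateway, evaluates these rules; only the proxy server information they yield is sent on to the gateway. The order of the checks matters: the internal-suffix rule has to come before the catch-all proxy rule, otherwise internal sites would be sent through the proxy as well.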
Split Tunneling
When planning your SSO and proxy configuration, you must also decide whether to use NetScaler split tunneling. Citrix recommends that you use NetScaler split tunneling only if needed. This section provides a high-level look at how split tunneling works. NetScaler determines the traffic path based on its routing table. When NetScaler split tunneling is on, Secure Hub distinguishes internal (protected) network traffic from Internet traffic. Secure Hub makes that determination based on the DNS suffix and Intranet applications, and then tunnels only the internal network traffic through the VPN tunnel. When NetScaler split tunneling is off, all traffic goes through the VPN tunnel.
- If you prefer to monitor all the traffic due to security considerations, turn off NetScaler split tunneling. As a result, all traffic goes through the VPN tunnel.
- If you use Full VPN Tunnel with PAC, you must disable NetScaler Gateway split tunneling. If split tunneling is on and you configure a PAC file, the PAC file rules override the NetScaler split tunneling rules. A proxy server configured in a traffic policy does not override NetScaler split tunneling rules.
By default, the Network access policy is set to Tunneled to the internal network for Secure Web. With that configuration, MDX apps use NetScaler split tunnel settings. The Network access policy default differs for some other XenMobile Apps.
NetScaler Gateway also has a micro VPN reverse split tunnel mode. This configuration supports an exclusion list of IP addresses that aren’t tunneled to the NetScaler. Instead, those addresses are sent by using the device internet connection. For more information about reverse split tunneling, see the NetScaler Gateway documentation.
XenMobile includes a Reverse split tunnel exclusion list. To prevent certain websites from tunneling through NetScaler Gateway, add a comma-separated list of fully qualified domain names (FQDNs) or DNS suffixes that should connect over the local area network (LAN) instead. This list applies only to Secure Browse mode with NetScaler Gateway configured for reverse split tunneling.
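The traffic-path decision described in the split tunneling and reverse split tunneling paragraphs above, modelled as an added example written for this article (it is not Secure Hub or NetScaler code). The DNS suffix, Intranet application ranges and exclusion-list entries are assumed sample values, representing Intranet applications as IPv4 CIDR ranges is an assumption of this model, and the model also encodes the caveat from the Full VPN Tunnel with PAC section that a PAC deployment requires split tunneling to be off.

```javascript
// Added example for this article: a model of the micro VPN traffic-path decision
// (split tunneling ON / OFF / REVERSE). Not Secure Hub or NetScaler code; all
// values below are assumed samples, and representing Intranet applications as
// IPv4 CIDR ranges is an assumption of this model.

function ipToInt(ip) {
  // Dotted-quad IPv4 string -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  // True if `ip` falls inside the CIDR range, e.g. "10.0.0.0/8".
  const [net, bits] = cidr.split("/");
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function hostMatchesSuffix(host, suffixes) {
  // True if `host` equals one of the names or lies under one of the DNS suffixes.
  const h = host.toLowerCase();
  return suffixes.some((s) => {
    const suffix = s.toLowerCase().replace(/^\./, "");
    return h === suffix || h.endsWith("." + suffix);
  });
}

// Assumed sample configuration (constructed for this example).
const config = {
  splitTunneling: "ON",                           // NetScaler Gateway setting: ON, OFF or REVERSE
  dnsSuffixes: ["corp.example"],                  // internal DNS suffix treated as protected
  intranetApps: ["10.0.0.0/8", "192.168.1.0/24"], // Intranet applications, modelled as CIDR ranges
  reverseExclusions: ["cdn.example"],             // XenMobile reverse split tunnel exclusion list
};

function trafficPath(dest, cfg) {
  // dest = { host, ip } for one connection; returns "TUNNEL" or "DIRECT".
  switch (cfg.splitTunneling) {
    case "OFF":
      // Split tunneling off: all traffic goes through the VPN tunnel.
      return "TUNNEL";
    case "ON":
      // Only internal (protected) traffic is tunneled; Internet traffic uses the
      // device's own connection.
      if (hostMatchesSuffix(dest.host, cfg.dnsSuffixes)) return "TUNNEL";
      if (dest.ip && cfg.intranetApps.some((c) => inCidr(dest.ip, c))) return "TUNNEL";
      return "DIRECT";
    case "REVERSE":
      // Reverse split tunneling (Secure Browse mode): everything is tunneled except
      // the exclusion list, which uses the device's LAN/Internet connection instead.
      return hostMatchesSuffix(dest.host, cfg.reverseExclusions) ? "DIRECT" : "TUNNEL";
    default:
      throw new Error("unknown split tunneling mode: " + cfg.splitTunneling);
  }
}

function pacDeploymentIsConsistent(cfg, pacFileConfigured) {
  // Full VPN Tunnel with a PAC file requires split tunneling to be off, because
  // the PAC rules would otherwise override the NetScaler split tunneling rules.
  return !pacFileConfigured || cfg.splitTunneling === "OFF";
}

// Stand-alone demonstration.
for (const d of [{ host: "wiki.corp.example", ip: "10.1.2.3" },
                 { host: "www.example.com", ip: "203.0.113.10" }]) {
  console.log(d.host, "->", trafficPath(d, config));
}
```

The model makes the monitoring trade-off in the bullets above concrete: with splitTunneling set to "OFF", every destination returns "TUNNEL" and so passes NetScaler, whereas with "ON" anything outside the DNS suffix and Intranet application ranges goes straight to the Internet and is never seen by the gateway.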