XenMobile Server

Configure FIPS with XenMobile

Federal Information Processing Standards (FIPS) mode in XenMobile supports U.S. federal government customers by using only FIPS 140-2 certified libraries for all encryption operations. Installing your XenMobile Server with FIPS mode ensures that all data for the XenMobile client and server are fully compliant with FIPS 140-2. That compliance applies to data at rest and data in transit.

Before installing a XenMobile Server in FIPS mode, complete the following prerequisites.

  • Use an external SQL Server 2014 for the XenMobile database. The SQL Server must also be configured for secure SSL communication. For instructions on configuring secure SSL communication to the SQL Server, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).

  • Secure SSL communication requires that you install a trusted SSL certificate from a well-known certificate authority (CA) on your SQL Server. SQL Server 2014 cannot accept a wildcard certificate. Citrix recommends you to request an SSL certificate with the FQDN of the SQL Server.

Configuring FIPS mode

You can enable FIPS mode only during the initial setup of the XenMobile Server. It is not possible to enable FIPS after installation is complete. So, if you are planning to use FIPS mode, you must install the XenMobile Server with FIPS mode from the start. For XenMobile clusters, all cluster nodes must have FIPS enabled. You cannot have a mix of FIPS and non-FIPS XenMobile Servers in the same cluster.

There is a Toggle FIPS mode option in the XenMobile command-line interface that is not for production use. This option is intended for non-production, diagnostic use and is not supported on a production XenMobile Server.

  1. During initial setup, enable FIPS mode.

  2. Upload the root CA certificate for your SQL Server.

  3. Specify the server name and port of your SQL Server, the credentials for logging into SQL Server, and the database name to create for XenMobile.


    You can use either a SQL logon or an Active Directory account to access the SQL Server, but the logon you use must have the DBcreator role.

  4. To use an Active Directory account, enter the credentials in the format domain\username.

  5. Once these steps are complete, continue with the XenMobile initial setup.

To confirm that the configuration of FIPS mode is successful, log on to the XenMobile command-line interface. The phrase In FIPS Compliant Mode appears in the logon banner.

Importing Certificates

The following procedure describes how to configure FIPS on XenMobile by importing a certificate.

SQL Prerequisites

  1. The connection to the SQL instance from XenMobile must be secure and must be SQL Server version 2012 or SQL Server 2014. To secure the connection, see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console.

  2. If the service does not restart properly, check the following: Open Services.msc.

    1. Copy the logon account information used for the SQL Server service.

    2. Open MMC.exe on the SQL Server.

    3. Go to File > Add/Remove Snap-in and then double-click the certificates item to add the certificates snap-in. Select the computer account and local computer in the two pages on the wizard.

    4. Click OK.

    5. Expand Certificates (Local Computer) > Personal > Certificates and find the imported SSL certificate.

    6. Right-click the imported certificate (selected in the SQL Server Configuration Manager) and then click All Tasks > Manage Private Keys.

    7. Under Group or User names, click Add.

    8. Enter the SQL service account name that you copied in the earlier step.

    9. Clear the Allow Full Control option. By default the service account has both Full control and Read permissions, but it must only be able to read the private key.

    10. Close MMC and start the SQL service.

  3. Make sure that the SQL service is started correctly.

Internet Information Services (IIS) Prerequisites

  1. Download the root certificate (base 64).

  2. Copy the root certificate to the default site on the IIS server, C:\inetpub\wwwroot.

  3. Check the Authentication checkbox for the default site.

  4. Set Anonymous to enabled.

  5. Select the Failed Request Tracking rules checkbox.

  6. Make sure that the .cer is not blocked.

  7. Browse to the location of the .cer in a web browser from the local server, https://localhost/certname.cer. The root cert text appears in the browser.

  8. If the root cert does not appear in your web browser, make sure that ASP is enabled on the IIS server as follows.

    1. Open Server Manager.

    2. Navigate to the wizard in Manage > Add Roles and Features.

    3. In the server roles, expand Web Server (IIS), expand Web Server, expand Application Development, and then select ASP.

    4. Click Next until the install completes.

  9. Browse to https://localhost/cert.cer.

    For more information, see Web Server (IIS).


    You can use the IIS instance of the CA for this procedure.

Importing the Root Certificate During Initial FIPS Configuration

When you complete the steps to configure XenMobile for the first time in the command-line console, you must complete these settings to import the root certificate. For details on the installation steps, see Installing XenMobile.

  • Enable FIPS: Yes
  • Upload Root Certificate: Yes
  • Copy(c) or Import(i): i
  • Enter HTTP URL to import: https://<FQDN of IIS server>/cert.cer
  • Server: FQDN of SQL Server
  • Port: 1433
  • User name: Service account which can create the database (domain\username).
  • Password: The password for the service account.
  • Database Name: A name of your choice.

Enable FIPS mode on mobile devices

By default, FIPS mode is disabled on mobile devices. To enable FIPS mode, go to Settings > Client Properties, edit the Enable FIPS Mode property, and set the value to true. For more information, see Client properties.

Configure FIPS with XenMobile