Product Documentation

XenMobile Service

Dec 26, 2017

The Citrix Cloud XenMobile Service is a Unified Endpoint Management (UEM) environment for managing devices, apps, and users. With XenMobile you manage device and app policies and deliver any app to users on any device or operating system. Your business information stays protected with strict security for identity, devices, apps, data, and networks.

Citrix hosts the Cloud environment in data centers located throughout the world to deliver high performance, rapid response, and support. With XenMobile Service, you pay a subscription fee instead of purchasing and managing licenses.

Citrix Cloud Operations handles various infrastructure and monitoring tasks, freeing you to focus on the user experience and on managing devices, apps, and policies.

Citrix responsibilities

XenMobile Server nodes

NetScaler Gateway initial integration and configuration

NetScaler Load Balancer


Cloud Connector software configuration

SAML authentication integration with ShareFile

XenMobile site monitoring: Instance, database, enterprise connectivity (LDAP), VPN tunnel (if applicable), public SSL certificate, XenMobile licensing

Customer responsibilities

NetScaler Gateway management and updates

Machines where Cloud Connectors are installed

LDAP/Active Directory


ShareFile: Initial ShareFile configuration, on-premises StorageZone Controller installation, ShareFile updates

XenMobile configuration: Devices, policies, apps, delivery groups, actions, and client certificates

You connect to XenMobile Service through Cloud Connector, which serves as a channel for communication between Citrix Cloud and your resource locations. Cloud Connector enables cloud management without requiring any complex networking or infrastructure configuration such as VPNs or IPsec tunnels.

Resource locations contain the resources required to deliver services to your subscribers. For XenMobile Services, resource locations are your LDAP, DNS, and PKI servers.

Citrix Cloud XenMobile Service Onboarding Handbook: The XenMobile Service Onboarding Handbook consolidates all the available information around XenMobile Service, so you can proceed in a smooth enablement and onboarding to XenMobile Service. You can use this document to record changes for your internal processes and document the service for internal references to high-level and functional designs.

XenMobile Deployment Handbook: Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your XenMobile environment, including reference architecture diagrams for XenMobile Service, see the XenMobile Deployment Handbook.

XenMobile Server documentation: The XenMobile Server documentation covers the latest on-premises release of XenMobile Server. For details about using the XenMobile console, see the articles under XenMobile Server. Citrix notifies you when the What’s new articles for XenMobile Service are updated for a new release.

Note these differences between XenMobile Server and XenMobile Service:

  • The Remote Support client is not available for XenMobile Service.
  • XenMobile Service server-side components are not FIPS 140-2 compliant.
  • Citrix does not support syslog integration in XenMobile Service with an on-premises syslog server. Instead, you can download the logs from the Support page in the XenMobile console. When doing so, you must click Download All to get system logs. For details, see View and analyze log files in XenMobile.

Architecture diagram

The following diagram shows an architectural overview of a XenMobile Service cloud deployment:

localized image

Resource locations

Place resource locations where they best meet your business needs, such as in a public cloud, in a branch office, private cloud, or a data center. Factors that determine the choice of location include:

  • Proximity to subscribers
  • Proximity to data
  • Scale requirements
  • Security attributes

You can build any number of resource locations. For example, you might:

  • Build a resource location in your data center for the head office based on subscribers and applications that require proximity to the data.
  • Add a separate resource location for your global users in a public cloud. Alternatively, build separate resource locations in branch offices to provide the applications best served close to the branch workers.
  • Add a further resource location on a separate network that provides restricted applications. This setup provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.

Cloud Connector

Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Cloud Connector establishes connections to Citrix Cloud. Cloud Connector doesn't accept incoming connections.

If you require a micro VPN, you must use an on-premises NetScaler with Cloud Connector.

Cloud Connector, along with NetScaler Gateway and your servers for Exchange, web apps, Active Directory, and PKI reside in your data center. Mobile devices communicate with XenMobile Service and your on-premises NetScaler Gateway. The following diagram shows the basic architecture when using Cloud Connector with XenMobile Service. For more information, see Cloud Connector.

localized image

The following diagram shows the traffic flow for Cloud Connector.

localized image


The following figure shows the onboarding steps. When you are evaluating or purchasing XenMobile Service, the XenMobile Service Operations team provides ongoing onboarding help. The Operations team also communicates with you to ensure that the core XenMobile Services are running and configured correctly.

localized image

For a quick overview of XenMobile Service onboarding and configuration, watch this video.

To sign up for a Citrix account and request a XenMobile Service trial, contact your Citrix Sales Representative. When you're ready to proceed, go to

After you log in, a screen similar to the following appears. Next to XenMobile Service, click Request Trial.

localized image

The button then changes to Trial Requested. You receive an email to notify you when your trial becomes available.

While waiting for the trial, be sure to prepare for your XenMobile Service deployment by reviewing Cloud Connector. Although Citrix hosts and delivers your XenMobile Service solution, some communication and port requirements are required. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for XenMobile Service changes to Manage, which opens a wizard. Follow the instructions in that wizard to configure your connection to XenMobile Service.

The following diagram shows the first screen that you see when starting a trial.

localized image

To complete the setup for Cloud Connector, you need:

  • An available subnet address for the XenMobile Service network.
  • At least two Windows Server 2012 R2 or Windows Server 2016 machines that are joined to your Active Directory domain. The wizard guides you through installing Cloud Connector on those machines.

For more information, see Cloud Connector.

Link an existing ShareFile account to Citrix Cloud

If you have a ShareFile account that existed before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the ShareFile account. When you’re ready to proceed, go to

After you log in, a screen similar to the following appears.

localized image

In the ShareFile tile, choose Link Account.

localized image

After we confirm your ShareFile account, the following page appears:

localized image

Click Link Account to complete the process. You can immediately manage your ShareFile account from within Citrix Cloud.

Port requirements

To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following diagram shows the traffic flow for XenMobile Service.

localized image

The following tables list the ports that must be open.

Open ports for NetScaler Gateway to manage XenMobile Service

Open the following ports to allow user connections from Citrix Secure Hub and Citrix Receiver through NetScaler Gateway to the following components:

  • XenMobile
  • StoreFront
  • Other internal network resources, such as intranet websites

For more information about NetScaler Gateway, see Configuration Settings for your XenMobile Environment in the NetScaler Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler Communicates with Clients and Servers in the NetScaler documentation. That section includes information about the NetScaler IP (NSIP) virtual server IP (VIP) and subnet IP (SNIP) addresses.

TCP port




53 (TCP and UDP)

Used for DNS connections.

NetScaler Gateway

DNS server


NetScaler Gateway passes the micro VPN connection to the internal network resource through the second firewall.

NetScaler Gateway

Intranet websites

123 (TCP and UDP)

Used for Network Time Protocol (NTP) services.

NetScaler Gateway

NTP server


Used for insecure LDAP connections.

NetScaler Gateway

LDAP authentication server or Microsoft Active Directory


Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop.


NetScaler Gateway

Used for connections to XenMobile for web, mobile, and SaaS app delivery.


NetScaler Gateway

Used for Cloud Connector communication – LDAP, DNS, PKI & Citrix Receiver enumeration

Cloud Connector Servers





Used for secure LDAP connections.

NetScaler Gateway

LDAP authentication server or Active Directory


Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open.

NetScaler Gateway

XenApp or XenDesktop


Used for RADIUS connections.

NetScaler Gateway

RADIUS authentication server


Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open.

NetScaler Gateway

XenApp or XenDesktop


Used for Microsoft Global Catalog insecure LDAP connections.

NetScaler Gateway

LDAP authentication server or Active Directory


Used for Microsoft Global Catalog secure LDAP connections.

NetScaler Gateway

LDAP authentication server or Active Directory


Used for enrollment, XenMobile Store, and mobile app management (MAM).

NetScaler Gateway


Secure Ticket Authority (STA) port used for Secure Mail authentication token

NetScaler Gateway



Used for accessing the XenMobile console by an administrator through the browser.

Access point (browser)


Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

TCP port





Used for enrollment and agent setup for Android and Windows Mobile.



Used for enrollment and agent setup for Android and Windows devices, and the XenMobile web console.

Internal LAN and WiFi


Used for APNs outbound connections from iOS devices on Wi-Fi networks to *

iOS devices on WiFi networks

Internet (APNs hosts using the public IP address


Used for enrollment of iOS and Windows Phone devices.



LAN and WiFi

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note: ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, do the following prerequisites:

  • Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:


IP address

Service Level Goal

The XenMobile Service (the Service) design uses industry best practices to achieve cloud scale and a high degree of service availability.

The Citrix goal is to maintain at least 99.9% availability in any 30 calendar day period. You can monitor service interruptions and scheduled maintenance on an ongoing basis at


The calculation of this Service Level Goal doesn't include loss of availability from the following causes:

  • Customer failure to follow configuration requirements for the service documented on
  • Caused by any component not managed by Citrix including, but not limited to the following:
    • Customer controlled physical and virtual machines
    • Customer installed and maintained operating systems
    • Customer installed and controlled networking equipment or other hardware
    • Customer defined and controlled security settings, group policies, and other configuration policies
    • Public cloud provider failures, ISP failures, or other failures external to the control of Citrix.
  • Service disruption because of reasons beyond the control of Citrix, including natural disaster, war, acts of terrorism, or government action.

XenMobile Service technical security overview

Citrix Cloud manages the control plane for XenMobile environments, including the XenMobile Server, NetScaler load balancer, and a MySQL database. The cloud service integrates with a customer data center using Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage NetScaler Gateway in their data centers.

The following figure illustrates the service and its security boundaries.

localized image

The information in this section:

  • Is intended to provide an introduction to and overview of the security functionality of Citrix Cloud.
  • Defines the division of responsibility between Citrix and customers for securing the Citrix Cloud deployment.
  • Is not intended to serve as configuration and administration guidance for Citrix Cloud or any of its components or services.

Data flow

The control plane has limited read-access to user and group objects from a customer directory and other services such as DNS. The control plane accesses those services over Citrix Cloud Connector, which uses secure HTTPS connections.

Company data, such as email, intranet, and web-app traffic, flows directly between a device and the application servers over NetScaler Gateway. NetScaler Gateway is deployed in the customer data center.

Data isolation

The control plane stores metadata needed for managing user devices and their mobile applications. The service itself consists of a mix of multi- and single-tenant components. However, per the service architecture, customer metadata is always stored separately for each tenant and secured by using unique credentials.

Credential handling

The service handles the following types of credentials:

  • User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The control plane validates these credentials with a directory in the customer directory over a secure connection.
  • Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This process generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the service.
  • Active Directory credentials: The control plane requires bind-credentials to read user meta-data from Active Directory. These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.

Deployment considerations

Citrix recommends that you consult the published best practices documentation for deploying NetScaler Gateway within your environments.

More information

See the following resources for more security information: