XenMobile Service

May 23, 2017

The Citrix Cloud XenMobile Service, previously called XenMobile Cloud, offers a XenMobile enterprise mobility management (EMM) environment for managing apps, devices, users, and groups of users. With XenMobile Service, Citrix handles the configuration and maintenance of the infrastructure onsite through the Citrix Cloud Operations group. This separation lets you focus exclusively on the user experience and on managing devices, policies, and apps. With XenMobile Service, you pay a subscription fee instead of purchasing and managing licenses.

Cloud Operations administrators handle maintenance and configuration of the network connectivity, NetScaler integration, and ShareFile integration. Citrix hosts the Cloud environment in data centers located throughout the world to deliver high performance, rapid response, and support.

You connect to XenMobile Service through Cloud Connector, which serves as a channel for communication between Citrix Cloud and your resource locations. Cloud Connector enables cloud management without requiring any complex networking or infrastructure configuration such as VPNs or IPsec tunnels.

Resource locations contain the resources required to deliver services to your subscribers. For XenMobile Service, resource locations are your LDAP, DNS, and PKI servers.

XenMobile Deployment Handbook: Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your XenMobile environment, including reference architecture diagrams for XenMobile Service, see the XenMobile Deployment Handbook.

Note

  • The Remote Support client is not available in XenMobile Service versions 10.x for Windows CE and Samsung Android devices.
  • XenMobile Service server-side components are not FIPS 140-2 compliant.
  • Citrix does not support syslog integration in XenMobile Service with an on-premises syslog server. Instead, you can download the logs from the Support page in the XenMobile console. When doing so, you must click Download All to get system logs. For details, see View and analyze log files in XenMobile.

Resource locations

Place resource locations where they best meet your business needs, such as in a public cloud, in a branch office, private cloud, or a data center. Factors that determine the choice of location include:

  • Proximity to subscribers
  • Proximity to data
  • Scale requirements
  • Security attributes

You can build any number of resource locations. For example, you might:

  • Build a resource location in your data center for the head office based on subscribers and applications that require proximity to the data.
  • Add a separate resource location for your global users in a public cloud. Alternatively, build separate resource locations in branch offices to provide the applications best served close to the branch workers.
  • Add a further resource location on a separate network that provides restricted applications. This setup provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.

Cloud Connector

Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Cloud Connector establishes outbound connections to Citrix Cloud only; it doesn't accept incoming connections.

If you require a micro-VPN, you must use an on-premises NetScaler with Cloud Connector.

Cloud Connector, along with NetScaler Gateway and your servers for Exchange, web apps, Active Directory, and PKI, resides in your data center. Mobile devices communicate with XenMobile Service and your on-premises NetScaler Gateway. The following diagram shows the basic architecture when using Cloud Connector with XenMobile Service. For more information, see Cloud Connector.

[Diagram: basic architecture when using Cloud Connector with XenMobile Service]

Onboarding

The following figure shows the onboarding steps. When you are evaluating or purchasing XenMobile Service, the XenMobile Service Operations team provides ongoing onboarding help. The Operations team also communicates with you to ensure that the core XenMobile Services are running and configured correctly.

[Figure: XenMobile Service onboarding steps]

To sign up for a Citrix account and request a XenMobile Service trial, contact your Citrix Sales Representative. When you're ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears. Next to XenMobile Service, click Request Trial.

[Screenshot: Citrix Cloud onboarding page, with the Request Trial button next to XenMobile Service]


The button then changes to Trial Requested. You receive an email to notify you when your trial becomes available.

While waiting for the trial, be sure to prepare for your XenMobile Service deployment by reviewing Cloud Connector. Although Citrix hosts and delivers your XenMobile Service solution, certain communication and port requirements apply. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for XenMobile Service changes to Manage, which opens a wizard. Follow the instructions in that wizard to configure your connection to XenMobile Service.

The following diagram shows the first screen that you see when starting a trial.

[Screenshot: first screen shown when starting a XenMobile Service trial]

To complete the setup for Cloud Connector, you need:

  • An available subnet address for the XenMobile Service network.
  • At least two Windows Server 2012 R2 or Windows Server 2016 machines that are joined to your Active Directory domain. The wizard guides you through installing Cloud Connector on those machines.

For more information, see Cloud Connector.

Port requirements

To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following tables list the ports that must be open.

Open ports for NetScaler Gateway to manage XenMobile Service

Open the following ports to allow user connections from Citrix Secure Hub and Citrix Receiver through NetScaler Gateway to the following components:

  • XenMobile
  • StoreFront
  • Other internal network resources, such as intranet websites

For more information about NetScaler Gateway, see Configuration Settings for your XenMobile Environment in the NetScaler Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler Communicates with Clients and Servers in the NetScaler documentation. That section includes information about the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

| Port | Description | Source | Destination |
|---|---|---|---|
| 53 (TCP and UDP) | Used for DNS connections. | NetScaler Gateway | DNS server |
| 80/443 | NetScaler Gateway passes the Micro-VPN connection to the internal network resource through the second firewall. | NetScaler Gateway | Intranet websites |
| 123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | NetScaler Gateway | NTP server |
| 389 | Used for insecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Microsoft Active Directory |
| 443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway |
| 443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | NetScaler Gateway |
| 443 | Used for Cloud Connector communication: LDAP, DNS, PKI, and PNAgent enumeration. | Cloud Connector servers | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net |
| 636 | Used for secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 1812 | Used for RADIUS connections. | NetScaler Gateway | RADIUS authentication server |
| 2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway | XenApp or XenDesktop |
| 3268 | Used for Microsoft Global Catalog insecure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway | LDAP authentication server or Active Directory |
| 8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | NetScaler Gateway | XenMobile |
| 8443 | Secure Ticket Authority (STA) port used for the Secure Mail authentication token. | NetScaler Gateway | XenMobile |
| 4443 | Used for accessing the XenMobile console by an administrator through the browser. | Access point (browser) | XenMobile |

Open XenMobile ports to manage devices

Open the following ports to allow XenMobile to communicate in your network.

| Port | Description | Source | Destination |
|---|---|---|---|
| 443 | Used for enrollment and agent setup for Android and Windows Mobile. | Internet | XenMobile |
| 443 | Used for enrollment and agent setup for Android and Windows devices, the XenMobile web console, and MDM Remote Support Client. | Internal LAN and WiFi | XenMobile |
| 5223 | Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com. | iOS devices on WiFi networks | Internet (APNs hosts using the public IP address 17.0.0.0/8) |
| 8443 | Used for enrollment of iOS and Windows Phone devices. | Internet | XenMobile |
| 8443 | Used for enrollment of iOS and Windows Phone devices. | LAN and WiFi | XenMobile |
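The two tables above are the firewall rules an administrator has to verify before enrollment works. As an added example (not Citrix tooling), the following Python script encodes a handful of those rows in the page's own port notation and reports whether a TCP handshake to each destination succeeds from the host it runs on; the host names are assumptions to replace with your own.

```python
"""Pre-flight check for the port tables above (added example, not Citrix code).
Host names in TARGETS are assumptions: replace them with your DNS, NTP, LDAP,
RADIUS and XenApp/XenDesktop hosts.  Only TCP is probed; a UDP port such as
DNS/NTP cannot be proven open by a bare connect, so it is reported as untested.
"""
import re
import socket

# (host, port spec in the page's own notation, purpose) - hosts are assumed.
TARGETS = [
    ("dns.example.internal", "53 (TCP and UDP)", "DNS"),
    ("ntp.example.internal", "123 (TCP and UDP)", "NTP"),
    ("dc01.example.internal", "636", "secure LDAP"),
    ("dc01.example.internal", "3269", "Global Catalog secure LDAP"),
    ("radius.example.internal", "1812", "RADIUS"),
    ("xenapp.example.internal", "1494", "ICA"),
    ("xenapp.example.internal", "2598", "session reliability"),
]

def parse_port_spec(spec):
    """'53 (TCP and UDP)' -> [(53,'tcp'),(53,'udp')]; '80/443' -> two TCP ports."""
    ports = [int(p) for p in re.findall(r"\d+", spec.split("(")[0])]
    tag = spec.upper()
    protos = ["tcp", "udp"] if "UDP" in tag and "TCP" in tag else ["tcp"]
    return [(p, proto) for p in ports for proto in protos]

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(targets, probe=tcp_reachable):
    """One (host, port, proto, purpose, status) row per required port.
    The probe is injectable so the logic can be exercised without a network."""
    rows = []
    for host, spec, purpose in targets:
        for port, proto in parse_port_spec(spec):
            if proto == "udp":
                status = "not tested (UDP)"
            else:
                status = "open" if probe(host, port) else "BLOCKED"
            rows.append((host, port, proto, purpose, status))
    return rows

if __name__ == "__main__":
    for host, port, proto, purpose, status in preflight(TARGETS):
        print(f"{host}:{port}/{proto}  {purpose:<28} {status}")
```

A "BLOCKED" row means either the firewall rule from the table is missing or the destination service is down; check both before raising a change request.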

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note: ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.
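The prerequisites above require the pinned certificates to be PEM-encoded public certificates with no private key included. As an added example (not Citrix tooling), this Python check rejects a bundle that contains anything other than CERTIFICATE blocks before you send it to Citrix Support; the sample PEM text is constructed and is not a real certificate.

```python
"""Sanity-check a PEM bundle before sending it for certificate pinning
(added example, not Citrix tooling).  The page requires PEM-formatted public
certificates with no private key; this enforces exactly that.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def check_pinning_bundle(pem_text):
    """Return (ok, problems, cert_count) for the text of a PEM bundle."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        problems.append("no PEM blocks found (is the file DER or PFX?)")
    certs = 0
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"contains a {label} block; only public certs are allowed")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected block type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("CERTIFICATE block is not valid base64")
            continue
        # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
        if not der or der[0] != 0x30:
            problems.append("CERTIFICATE block does not decode to a DER SEQUENCE")
            continue
        certs += 1
    return (not problems and certs > 0, problems, certs)

# Constructed inputs: a minimal DER SEQUENCE (not a real certificate) so the
# example runs offline, plus a bogus private-key block to show the rejection.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
LEAKED = GOOD + "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LEAKED
    ok, problems, n = check_pinning_bundle(text)
    print("OK" if ok else "REJECT", f"{n} certificate(s)", *problems, sep="\n")
```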

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:

| FQDN | IP addresses |
|---|---|
| discovery.mdm.zenprise.com | 54.225.219.53, 54.243.185.79, 107.22.184.230, 107.20.173.245, 184.72.219.144, 184.73.241.73, 54.243.233.48, 204.236.239.233, 107.20.198.193 |

XenMobile Service technical security overview

Citrix Cloud manages the control plane for XenMobile environments, including the XenMobile Server, NetScaler load balancer, and a MySQL database. The cloud service integrates with a customer data center using Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage NetScaler Gateway in their data centers.

The following figure illustrates the service and its security boundaries.

[Figure: XenMobile Service and its security boundaries]

Note

This information:

  • Is intended to provide an introduction to and overview of the security functionality of Citrix Cloud.
  • Defines the division of responsibility between Citrix and customers for securing the Citrix Cloud deployment.
  • Is not intended to serve as configuration and administration guidance for Citrix Cloud or any of its components or services.

Data flow

The control plane has limited read-access to user and group objects from a customer directory and other services such as DNS. The control plane accesses those services over Citrix Cloud Connector, which uses secure HTTPS connections.

Company data, such as email, intranet, and web-app traffic, flows directly between a device and the application servers over NetScaler Gateway. NetScaler Gateway is deployed in the customer data center.

Data isolation

The control plane stores metadata needed for managing user devices and their mobile applications. The service itself consists of a mix of multi- and single-tenant components. However, per the service architecture, customer metadata is always stored separately for each tenant and secured by using unique credentials.

Credential handling

The service handles the following types of credentials:

  • User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The control plane validates these credentials against the customer's directory over a secure connection.
  • Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This process generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the service.
  • Active Directory credentials: The control plane requires bind credentials to read user metadata from Active Directory. These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.

Deployment considerations

Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway within their environments.

More information

See the following resources for more security information: