
System requirements

While waiting for Citrix to provision the XenMobile Service, be sure to prepare for your XenMobile Service deployment by installing Cloud Connector. Although Citrix hosts and delivers your XenMobile Service solution, some communication and port setup is required. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.

Cloud Connector requirements

Citrix uses Cloud Connector to integrate the XenMobile Service architecture into your existing infrastructure. Cloud Connector connects the following resource locations to the XenMobile Service securely over port 443: LDAP, PKI server, internal DNS queries, and Citrix Receiver enumeration.

  • At least two dedicated Windows Server 2012 R2 or Windows Server 2016 machines that are joined to your Active Directory domain. The machines can be virtual or physical. The machine where you are installing the Connector must be in sync with UTC time for proper installation and operation. For a full list of the latest requirements, see the deployment materials provided by your Citrix Account Team.

    The onboarding wizard guides you through installing Cloud Connector on those machines.

  • For more platform system requirements, see Citrix Cloud Connector.

NetScaler Gateway requirements

XenMobile Service requires a NetScaler Gateway installed in your resource location for the following scenarios:

  • You require a micro VPN for access to internal network resources for line of business apps. Those apps are wrapped with Citrix MDX technology. The micro VPN needs NetScaler Gateway to connect to internal back-end infrastructures.
  • You plan to use XenMobile Apps, such as Citrix Secure Mail.
  • You plan to integrate XenMobile with Microsoft Intune/EMS.

The requirements:

  • Unused public IP address for the NetScaler Gateway virtual server
  • Publicly resolvable Fully Qualified Domain Name (FQDN) for the NetScaler Gateway virtual server
  • Cloud-hosted XenMobile Intermediate and Root certificates (provided in the script bundle). For information, see the Citrix Support article How to Add an SSL Certificate Bundle on the NetScaler Appliance.
  • Unused internal private IP address for the proxy load balancer IP
  • For port requirements, see “NetScaler Gateway port requirements” later in this article.

Related articles:

  • XenMobile integration with Microsoft Intune/EMS
  • Deploying Citrix NetScaler VPX on Microsoft Azure

For information about NetScaler requirements, see the deployment materials provided by your Citrix Account Team.

ShareFile requirements

ShareFile file sync and sharing services are available in the XenMobile Premium Service offering. ShareFile StorageZones Controller extends the ShareFile software as a service (SaaS) cloud storage by providing your ShareFile account with private data storage.

ShareFile StorageZones Controller requirements:

  • A dedicated physical or virtual machine
  • Windows Server 2012 R2 or Windows Server 2016
  • 2 vCPUs
  • 4 GB RAM
  • 50 GB hard disk space
  • Server roles for Web Server (IIS):

    • Application Development: ASP.NET 4.5.2
    • Security: Basic Authentication
    • Security: Windows Authentication

ShareFile platform requirements:

  • The ShareFile installer requires administrative privileges on the Windows Server
  • ShareFile Admin user name

Port requirements

To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following diagram shows the traffic flow for XenMobile Service.

[Diagram: XenMobile Service traffic flow]

The following sections list the ports that you must open.

NetScaler Gateway port requirements

Open ports to allow user connections from Citrix Secure Hub and Citrix Receiver through NetScaler Gateway to:

  • XenMobile
  • StoreFront
  • Other internal network resources, such as intranet websites

For more information about NetScaler Gateway, see Configuration Settings for your XenMobile Environment in the NetScaler Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler Communicates with Clients and Servers in the NetScaler documentation. That section includes information about the NetScaler IP (NSIP), virtual server IP (VIP), and subnet IP (SNIP) addresses.

TCP port | Description | Source | Destination
--- | --- | --- | ---
53 (TCP and UDP) | Used for DNS connections. | NetScaler Gateway SNIP | DNS server
80/443 | NetScaler Gateway passes the micro VPN connection to the internal network resource through the second firewall. | NetScaler Gateway SNIP | Intranet websites
123 (TCP and UDP) | Used for Network Time Protocol (NTP) services. | NetScaler Gateway SNIP | NTP server
389 | Used for insecure LDAP connections. | NetScaler Gateway NSIP (or, if using a load balancer, SNIP) | LDAP authentication server or Microsoft Active Directory
443 | Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop. | Internet | NetScaler Gateway
443 | Used for connections to XenMobile for web, mobile, and SaaS app delivery. | Internet | NetScaler Gateway
443 | Used for Cloud Connector communication: LDAP, DNS, PKI, and Citrix Receiver enumeration. | Cloud Connector servers | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.blob.core.windows.net/, https://*.servicebus.windows.net
636 | Used for secure LDAP connections. | NetScaler Gateway NSIP (or, if using a load balancer, SNIP) | LDAP authentication server or Active Directory
1494 | Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open. | NetScaler Gateway SNIP | XenApp or XenDesktop
1812 | Used for RADIUS connections. | NetScaler Gateway NSIP | RADIUS authentication server
2598 | Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open. | NetScaler Gateway SNIP | XenApp or XenDesktop
3269 | Used for Microsoft Global Catalog secure LDAP connections. | NetScaler Gateway NSIP (or, if using a load balancer, SNIP) | LDAP authentication server or Active Directory
8443 | Used for enrollment, XenMobile Store, and mobile app management (MAM). | NetScaler Gateway SNIP | XenMobile
8443 | Secure Ticket Authority (STA) port used for the Secure Mail authentication token. | NetScaler Gateway SNIP | XenMobile
4443 | Used for accessing the XenMobile console by an administrator through the browser. | Access point (browser) | XenMobile

Network and firewall requirements

To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following tables list those ports.

Open ports from the internal network to Citrix Cloud:

TCP port | Source | Source IP | Destination | Destination IP
--- | --- | --- | --- | ---
443 | Cloud Connector | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.sharefile.com, https://cwsproduction.blob.core.windows.net/downloads, https://*.servicebus.windows.net | 
443 | Administrative console | | https://*.citrixworkspacesapi.net, https://*.cloud.com, https://*.citrix.com, https://cwsproduction.blob.core.windows.net/downloads | 
4443 | XenMobile console access through a browser | | XenMobile | 

Open ports from the Internet to the DMZ:

TCP port | Source | Source IP | Destination | Destination IP
--- | --- | --- | --- | ---
443 | XenMobile Client Device | | NetScaler Gateway IP | 
443 | XenMobile Client Device | | NetScaler VIP (ShareFile) | 
443 | ShareFile Public IP | See CTX208318 | NetScaler VIP (ShareFile) | 

Open ports from the DMZ to the internal network:

TCP port | Source | Source IP | Destination | Destination IP
--- | --- | --- | --- | ---
389 or 636 | NetScaler NSIP | | Active Directory IP | 
53 (UDP) | NetScaler NSIP | | DNS Server IP | 
443 | NetScaler SNIP | | Exchange (EAS) Server IP | 
443 | NetScaler SNIP | | Internal Web Apps/Services | 
443 | NetScaler SNIP | | ShareFile StorageZone Controller IP | 

Open ports from the internal network to the DMZ:

TCP port | Source | Source IP | Destination | Destination IP
--- | --- | --- | --- | ---
443 | Admin Client | | NetScaler NSIP | 

Open ports from the internal network to the Internet:

TCP port | Source | Source IP | Destination | Destination IP
--- | --- | --- | --- | ---
443 | Exchange (EAS) Server IP | | XenMobile Push Notification Listeners (1) | 
443 | ShareFile StorageZone Controller IP | | ShareFile Control Plane | See CTX208318

(1) us-east-1.mailboxlistener.xm.citrix.com, eu-west-1.mailboxlistener.xm.citrix.com, ap-southeast-1.mailboxlistener.xm.citrix.com

Open ports from the corporate WiFi to the Internet:

TCP port | Source | Source IP | Destination | Destination IP
--- | --- | --- | --- | ---
5223 | XenMobile Client Device | | Apple APNS Servers | 17.0.0.0/8
5228 | XenMobile Client Device | | Google Cloud Messaging | android.apis.google.com
5229 | XenMobile Client Device | | Google Cloud Messaging | android.apis.google.com
5230 | XenMobile Client Device | | Google Cloud Messaging | android.apis.google.com
443 | XenMobile Client Device | | Windows Push Notification Service | *.notify.windows.com
443 / 80 | XenMobile Client Device | | Apple iTunes App Store | ax.itunes.apple.com, *.mzstatic.com, vpp.itunes.apple.com
443 / 80 | XenMobile Client Device | | Google Play | play.google.com, android.clients.google.com, android.l.google.com
443 / 80 | XenMobile Client Device | | Microsoft App Store | login.live.com, *.notify.windows.com
443 | XenMobile Client Device | | XenMobile Auto Discovery Service | discovery.mdm.zenprise.com
8443 / 443 | XenMobile Client Device | | XenMobile Service | 
443 | ShareFile StorageZone Controller IP | | ShareFile Control Plane | See CTX208318
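
The tables above are a requirements matrix; a firewall review checks the deployed allow-list against it in both directions (required flows with no rule, and rules the matrix does not justify). The following script is an added example, not Citrix tooling: REQUIRED abridges the tables above, while the zone names, the Flow/Rule shapes and SAMPLE_POLICY are assumptions and constructed sample data rather than a real ruleset.

```python
# Gap-check a firewall allow-list against the XenMobile Service port matrix above.
# Added example, not Citrix code: REQUIRED abridges the article's tables; zone names,
# the Flow/Rule shapes and SAMPLE_POLICY are assumptions / constructed sample data.
from typing import NamedTuple, Optional, Tuple

class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    ports: Tuple[int, ...]   # opening any one of these satisfies the flow ("389 or 636")
    proto: str = "tcp"
    purpose: str = ""

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    port: Optional[int]      # None means the rule allows any port
    proto: str = "tcp"

REQUIRED = (
    Flow("internet", "dmz", (443,), purpose="client devices -> NetScaler Gateway"),
    Flow("dmz", "internal", (389, 636), purpose="NetScaler NSIP -> Active Directory"),
    Flow("dmz", "internal", (53,), "udp", "NetScaler NSIP -> DNS server"),
    Flow("dmz", "internal", (443,), purpose="NetScaler SNIP -> EAS, web apps, StorageZones"),
    Flow("internal", "dmz", (443,), purpose="admin client -> NetScaler NSIP"),
    Flow("internal", "internet", (443,), purpose="Cloud Connector / EAS -> Citrix Cloud"),
    Flow("wifi", "internet", (5223,), purpose="devices -> Apple APNS"),
    Flow("wifi", "internet", (8443, 443), purpose="devices -> XenMobile Service"),
)

def rule_allows(rule, src, dst, port, proto):
    return (rule.src_zone == src and rule.dst_zone == dst
            and rule.proto == proto and rule.port in (None, port))

def audit(policy, required=REQUIRED):
    """Return (required flows no rule allows, any-port rules, rules the matrix does not explain)."""
    missing = [f for f in required if not any(
        rule_allows(r, f.src_zone, f.dst_zone, p, f.proto) for r in policy for p in f.ports)]
    broad = [r for r in policy if r.port is None]
    unexplained = [r for r in policy if r.port is not None and not any(
        (r.src_zone, r.dst_zone, r.proto) == (f.src_zone, f.dst_zone, f.proto)
        and r.port in f.ports for f in required)]
    return missing, broad, unexplained

# Constructed sample policy: UDP 53 is missing, one rule is any-port, 3389 is not in the matrix.
SAMPLE_POLICY = (
    Rule("internet", "dmz", 443), Rule("dmz", "internal", 636), Rule("dmz", "internal", None),
    Rule("internal", "dmz", 443), Rule("internal", "internet", 443),
    Rule("wifi", "internet", 5223), Rule("wifi", "internet", 8443), Rule("wifi", "internet", 3389),
)
```

Running audit(SAMPLE_POLICY) reports the DNS flow as missing (the any-port rule is TCP only), the any-port DMZ-to-internal rule as too broad, and TCP 3389 as unexplained by the matrix.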

Port requirement for Auto Discovery Service connectivity

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note

ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, complete the following prerequisites:

  • Collect the XenMobile Server and NetScaler certificates. The certificates must be public certificates in PEM format, not private keys.
  • Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.
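
A quick pre-check before sending the PEM files to Citrix Support confirms they hold only public certificates, as the prerequisite above requires. The script below is an added example, not Citrix tooling; the sample PEM blocks are constructed stand-ins (a minimal DER SEQUENCE and a dummy key block), not real certificates.

```python
# Pre-check a PEM file before sending it with the certificate-pinning request above.
# Added example, not Citrix tooling: it confirms the file holds only public certificates
# (no private keys) that decode to DER SEQUENCEs, and records their SHA-256 fingerprints.
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_pinning_bundle(pem_text):
    """Return (fingerprints, problems): hex SHA-256 of each certificate's DER bytes,
    and the reasons the file is not acceptable (empty list when it is)."""
    fingerprints, problems = [], []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        problems.append("no PEM blocks found; is the file really PEM and not DER/PFX?")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append("contains a %s block; submit only the public certificate" % label)
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected PEM block type: " + label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("certificate block is not valid base64")
            continue
        if not der or der[0] != 0x30:      # every X.509 certificate is a DER SEQUENCE
            problems.append("certificate block does not decode to a DER SEQUENCE")
            continue
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints, problems

# Constructed samples: a minimal stand-in SEQUENCE (not a real certificate) and a key block.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(b"\x30\x03\x02\x01\x01").decode())
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```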

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:

FQDN | IP address | Port | IP and port usage
--- | --- | --- | ---
discovery.mdm.zenprise.com | 52.5.138.94 | 443 | Secure Hub - ADS communication
discovery.mdm.zenprise.com | 52.1.30.122 | 443 | Secure Hub - ADS communication
ads.xm.cloud.com | 34.194.83.188 | 443 | Secure Hub - ADS communication
ads.xm.cloud.com | 34.193.202.23 | 443 | Secure Hub - ADS communication