Product Documentation

XenMobile Integration

Jan 13, 2017

This article covers what to consider when planning how XenMobile will integrate with your existing network and other solutions. For example, if you're already using NetScaler for XenApp and XenDesktop, should you use the existing NetScaler instance or a new, dedicated instance?  Do you want to integrate with XenMobile the HDX apps that are published using StoreFront? Will you use ShareFile with XenMobile? Do you have a Network Access Control solution that you want to integrate into XenMobile? Do you deploy web proxies for all outbound traffic from your network?

NetScaler and NetScaler Gateway

NetScaler Gateway, which is mandatory for XenMobile ENT and MAM modes, provides a micro VPN path for access to all corporate resources and provides strong multi-factor authentication support. NetScaler load balancing is required for all XenMobile server device modes if you have multiple XenMobile servers or if the XenMobile server is inside your DMZ or internal network (and therefore traffic flows from devices to NetScaler to XenMobile).

You can leverage existing NetScaler instances or set up new ones for XenMobile. The following table notes the advantages and disadvantages of using existing or new, dedicated NetScaler instances.




Shared NetScaler MPX with a NetScaler Gateway VIP created for XenMobile

  • Leverages a common NetScaler instance for all Citrix remote connections: XenApp, full VPN, and clientless VPN.
  • Leverages the existing NetScaler configurations, such as for certificate authentication and for accessing services like DNS, LDAP, and NTP.
  • Uses a single NetScaler platform license.
  • It is more difficult to plan for scale when you handle two very different use cases on the same NetScaler.
  • Sometimes you will need a specific NetScaler version for a XenApp use case. That same version might have known issues for XenMobile, or vice versa.
  • If a NetScaler Gateway already exists, you cannot run the NetScaler for XenMobile wizard a second time to create the NetScaler configuration for XenMobile.
  • User access licenses installed on NetScaler and required for VPN connectivity are pooled and so are available to all NetScaler virtual servers, which means that a non-XenMobile service can potentially consume them.

Dedicated NetScaler VPX/MPX instance

Citrix recommends using a dedicated instance of NetScaler.

  • Easier to plan for scale and separates XenMobile traffic from a NetScaler instance that might already be resource constrained.
  • Avoids issues when XenMobile and XenApp need different NetScaler software versions. It is usually best to use the latest compatible NetScaler version and build for XenMobile.
  • Allows XenMobile configuration of NetScaler through the built-in NetScaler for XenMobile wizard.
  • Virtual and physical separation of services.
  • The user access licenses required for XenMobile are only available to XenMobile services on the NetScaler.
  • Requires setup of additional services on NetScaler to support XenMobile configuration.
  • Requires an additional NetScaler platform license. You must license each NetScaler instance for NetScaler Gateway.

For a table that summarizes the considerations for NetScaler and NetScaler Gateway integration for each XenMobile server mode, see Integrating with NetScaler and NetScaler Gateway.


If you have a Citrix XenApp and XenDesktop environment, you can integrate HDX applications with XenMobile using StoreFront. When you integrate HDX apps with XenMobile:

  • The apps are available to users who are enrolled with XenMobile.
  • The apps display in the XenMobile Store along with other mobile apps.
  • XenMobile uses the legacy PNAgent (services) site on StoreFront.
  • HDX apps start using the Citrix Receiver mobile app if it's installed on the device.

StoreFront has a limitation of 1 services site per StoreFront instance. Citrix generally recommends that you consider a new StoreFront Instance and services site for XenMobile if you have multiple stores and want to segment it from other production usage.

Considerations include:

  • Are there any different authentication requirements for StoreFront? The StoreFront services site requires Active Directory credentials for logon. Customers only using certificate-based authentication cannot enumerate applications through XenMobile using the same NetScaler Gateway.
  • Use the same store or create a new one?
  • Use the same or a different StoreFront server? 

The following table notes the advantages and disadvantages of using separate or combined storefronts for Receiver and XenMobile Apps.




Integrate your existing StoreFront instance with XenMobile server

Same store:
No additional configuration of StoreFront is required for XenMobile.

Same StoreFront server:
Leverage existing StoreFront installation and configuration.

Same store:
Any reconfiguration of StoreFront to support XenApp and XenDesktop workloads may adversely affect XenMobile as well.

Same StoreFront server:
In large environments, consider the additional load from XenMobile usage of PNAgent for app enumeration and start-up.

Leverage a new, dedicated StoreFront instance for integration with XenMobile server

New store:
Any configuration changes of the StoreFront store for XenMobile should not affect existing XenApp and XenDesktop workloads.

New StoreFront server:
Server configuration changes should not affect XenApp and XenDesktop workflow. Additionally, load outside of XenMobile usage of PNAgent for app enumeration and launch should not affect scalability.

New store:
Additional configuration of your StoreFront store is required for XenMobile.

New StoreFront server:
New StoreFront installation and configuration is required.


ShareFile enables users to access and sync all of their data from any device and securely share it with people both inside and outside the organization. If you integrate ShareFile with XenMobile Advanced Edition or Enterprise Edition, XenMobile provides ShareFile with single sign-on authentication for XenMobile App users, Active Directory-based user account provisioning, and comprehensive access control policies. The XenMobile console enables you to perform ShareFile configuration.

Through StorageZone Connectors, ShareFile provides access to documents and folders network file shares and in SharePoint sites, site collections, and document libraries. Connected file shares can include the same network home drives used in Citrix XenDesktop and XenApp environments.

The following table notes the questions to ask when making design decisions for ShareFile.


Questions to Ask

Design Decision

ShareFile StorageZones Controller server location

  • Will you require on-premises storage or features such as StorageZone Connectors?
  • If using on-premises features of ShareFile, where will the ShareFile StorageZones Controllers sit in the network?

Determine whether to locate the StorageZones Controller server(s) in the ShareFile-managed cloud, in your on-premises single-tenant storage system, or in supported third-party cloud storage.

StorageZones Controllers require some internet access to communicate with the Citrix ShareFile Control Plane. You can achieve this in a number of ways, including direct access, NAT/PAT configurations, or proxy configurations.

StorageZone Connectors

  • What are the CIFS share paths?
  • What are the SharePoint URLs?

Determine if on-premises StorageZones Controllers are required to access those locations.

Due to StorageZone Connector communication with internal resources such as file repositories, CIFS shares, and SharePoint, Citrix recommends that StorageZones Controllers reside in the internal network behind DMZ firewall(s) and fronted by NetScaler.

SAML integration with XenMobile Enterprise

  • Is Active Directory authentication required for ShareFile?
  • Does first time use of the wrapped MDX ShareFile app require SSO?
  • Is there a standard IdP in your current environment?
  • How many domains are required to use SAML?
  • Are there multiple email aliases for Active Directory users?
  • Are there any Active Directory domain migrations in progress or scheduled in the near future?

XenMobile Enterprise environments may choose to leverage SAML as the authentication mechanism for ShareFile. The authentication options are:

  • Leverage XenMobile server as the Identity Provider (IdP) for SAML

This option can provide excellent user experience and automate ShareFile account creation, as well as enable mobile app SSO features.

  • XenMobile server is enhanced for this process: It does not require the synchronization of Active Directory, and has an improved user provisioning process over previous versions.
  • Leverage a supported third-party vendor as the IdP for SAML

If you have an existing and supported IdP and don't require mobile app SSO capabilities, this might be the best fit for you. Be aware that this option also requires the use of the ShareFile User Management Tool for account provisioning.

Leveraging third-party IdP solutions such as ADFS may also provide SSO capabilities on the Windows client side, so be sure to evaluate use cases before choosing your ShareFile SAML IdP.

Additionally, to satisfy both use cases, you can Configure and ADFS and XenMobile as a Dual IdP.

Mobile Apps

  • Which ShareFile mobile app will you use (public, MDM, MDX)?
  • Is application wrapping required?

Be sure to consider all factors when determining the mobile client for use with ShareFile. In a XenMobile Enterprise environment, where containerization and first-time use SSO is required, the wrapped MDX ShareFile app may be the best fit. If security is low and you don't require containerization, the public ShareFile application may not be suitable. In an MDM-only environment, you can leverage and deliver the MDM version of the ShareFile app using XenMobile in MDM mode.

For more information, see Citrix ShareFile for XenMobile in the XenMobile Apps documentation.

Security, policies, and access control    

  • What restrictions do you require for desktop, web, and mobile users?
  • What standard access control settings do you want for users?
  • What file retention policy will you use?

ShareFile lets you manage employee permissions and device security. For information, see Employee Permissions and Managing Devices and Apps.

Some ShareFile device security settings and MDX policies control the same features. In those cases, XenMobile policies take precedence, followed by the ShareFile device security settings. Examples: If you disable external apps in ShareFile, but enable them in XenMobile, the external apps will be disabled in ShareFile. If the XenMobile configuration doesn't require a PIN/passcode, but the ShareFile configuration requires one, XenMobile won't require a PIN/passcode, but the ShareFile app will.  

Standard vs. Restricted StorageZones

Do you require Restricted StorageZones?

A standard StorageZone is intended for non-sensitive data and enables employees to share data with non-employees. This option supports workflows that involve sharing data outside of your domain.

A restricted StorageZone protects sensitive data: Only authenticated domain users can access the data stored in the zone.

Web Proxies

The most likely scenario for routing XenMobile traffic through an HTTP(S)/SOCKS proxy is when the subnet that the XenMobile server resides in doesn't have outbound Internet access to the required Apple, Google, or Microsoft IP addresses. You can specify proxy server settings in XenMobile to route all Internet traffic to the proxy server. For more information, see Enable proxy servers.

The following table describes the advantages and disadvantages of the most common proxy used with XenMobile.




Use an HTTP(S)/ SOCKS Proxy with XenMobile server.

In cases where policies do not permit outbound Internet connections from the XenMobile server subnet, you can configure an HTTP(S) or SOCKS proxy to provide Internet connectivity.

If the proxy server fails, APNs (iOS) or Google Cloud Messaging (Android) connectivity breaks, which causes device notifications to fail for all iOS and Android devices.

Use an HTTP(S) Proxy with Secure Web.

You can monitor HTTP/HTTPS traffic to ensure that Internet activity complies with your organization's standards.

This configuration requires all Secure Web Internet traffic to tunnel back to the corporate network before they are sent back out to the Internet. As a result, this could affect Internet browsing performance, if browsing is constrained by your organization's Internet connection.

Your NetScaler session profile configuration for split tunneling affects the traffic as follows.

When NetScaler Split Tunneling is off:

  • All traffic is forced to use the micro VPN or clientless VPN (cVPN) tunnel back to the NetScaler Gateway, if the MDX Network access policy is Tunneled to the internal network.
  • You must configure NetScaler traffic policies/profiles for the proxy server and bind them to the NetScaler Gateway VIP.

Important: Be sure to exclude Secure Hub cVPN traffic from the proxy.

When NetScaler Split Tunneling is on:

  • Apps configured with the MDX Network access policy set to Tunneled to the internal network first attempt to get the web resource directly and then fall back to NetScaler Gateway if the web resource is not publicly available.
  • You must configure NetScaler traffic policies/profiles for the proxy server and bind them to the NetScaler Gateway VIP.

Important: Be sure to exclude Secure Hub cVPN traffic from the proxy.

Access Control

Enterprises can now manage mobile devices inside and outside of networks. Enterprise Mobility Management solutions such as XenMobile are great at providing security and controls for mobile devices independent of location. However, when coupled with a Network Access Control (NAC) solution, you can add quality of service and more fine-grained control to devices that are internal to your network. That combination enables you to extend the XenMobile-managed device security assessment through your NAC solution, which can then use the XenMobile security assessment to facilitate and handle authentication decisions. Citrix has validated NAC integration with XenMobile for Cisco Identity Services Engine (ISE) or ForeScout; Citrix doesn't guarantee integration for other NAC solutions.

Advantages of a NAC solution integration with XenMobile include the following:

  • Better security, compliance and control for all endpoints on an enterprise network.
  • A NAC solution can detect devices at the instant they attempt to connect to your network, query XenMobile for device attributes, and then use that information to determine whether to allow, block, limit, or redirect those devices depending on the security policies you choose to enforce.
  • A NAC solution provides IT administrators with a view of unmanaged and non-compliant devices.

For a description of the NAC compliance filters supported by XenMobile, see Network Access Control in the XenMobile documentation.