Pre-Installation Checklist

May 06, 2015

Before you install XenMobile components in your network, you need the right prerequisites. These prerequisites include:

  • Network settings. These settings include IP addresses, ports, DNS, Network Time Protocol (NTP) and SMTP servers, and the IP address or fully qualified domain name (FQDN) of a load balancer.
  • Hardware and sizing requirements. These include Windows Servers, hypervisors, and NetScaler Gateway requirements. The NetScaler Gateway appliance you select (VPX, MDX, or SDX) determines the maximum number of user connections to your XenMobile deployment.
  • Certificates. These include server, root, intermediate, Apple Push Notification service (APNs), and certificates for wrapping mobile apps with the MDX Toolkit.
  • Licenses. Licenses are required for XenMobile MDM Edition and NetScaler Gateway.
  • Active Directory settings. These settings are required for XenMobile MDM Edition and for XenMobile App Edition.
  • Authentication method. Before deploying XenMobile components, it's important to decide on an authentication method. For example, you should decide if you are implementing the Worx PIN that you configure in App Controller. The Worx PIN caches Active Directory credentials and works with client certificate authentication. Authentication settings can enable LDAP, RADIUS, one-time passwords, client certificate authentication, and two-factor authentication. If users connect to internal web sites, you need to configure authentication for NetScaler Gateway and SharePoint to allow single sign-on (SSO) to work.
    Note: If you implement an authentication method for users and then change the method after users enroll, users will need to enroll again.
  • Load balancers. Load balancers manage connections to your XenMobile deployment. You might also need to plan for packet inspection appliances to monitor network traffic entering your internal network.
  • Email server and data synchronization settings. These settings include Exchange Server and ActiveSync configurations for XenMobile MDM Edition and WorxMail.
  • Databases. These databases include either Microsoft SQL Server or PostgreSQL for XenMobile MDM Edition. The PostgreSQL database comes with XenMobile MDM Edition and installs when you install Device Manager.
    Note: Citrix recommends that you use Microsoft SQL Server. You should only use PostgreSQL in test deployments.

You can use this checklist to note the settings and prerequisites for installing NetScaler Gateway, Device Manager, and App Controller. Each task or note includes a column indicating the component or components for which the requirement applies. The checklist has an extra column that you can use to check off each task as you complete it and to record information.

For installation instructions for each XenMobile component, see the following:

Basic Network Connectivity

The following are the network settings you need for the XenMobile solution.

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Note the fully qualified domain name (FQDN) to which remote users connect. | NetScaler Gateway, Device Manager | |
| Note the public and local IP address. You need these IP addresses to configure the firewall to set up network address translation (NAT). | Device Manager, NetScaler Gateway, App Controller | |
| Note the subnet mask. | Device Manager, NetScaler Gateway, App Controller | |
| Note the DNS IP addresses. | Device Manager, NetScaler Gateway, App Controller | |
| Write down the WINS server IP addresses (if applicable). | NetScaler Gateway | |
| Identify and write down the NetScaler Gateway host name. Note: This is not the FQDN. The FQDN is contained in the signed server certificate that is bound to the virtual server and to which users connect. You can configure the host name by using the Setup Wizard in NetScaler Gateway. | NetScaler Gateway | |
| Note the App Controller FQDN. | App Controller | |
| Note the IP address of App Controller. Reserve one IP address if you install one instance of App Controller. Reserve three IP addresses if you configure high availability on App Controller. There is one virtual IP address and an IP address for each node. If you configure a cluster, note all of the IP addresses you need. | App Controller | |
| Note the IP address or FQDN of the Network Time Protocol (NTP) server. | NetScaler Gateway, App Controller | |
| One public IP address configured on NetScaler Gateway; one external DNS entry for NetScaler Gateway. | NetScaler Gateway | |
| Note the web proxy server IP address, port, proxy host list, and the administrator user name and password. These settings are optional if you deploy a proxy server in your network (if applicable). Note: You can use either the sAMAccountName or the User Principal Name (UPN) when configuring the user name for the web proxy. | App Controller, NetScaler Gateway | |
| Write down the default gateway IP address. | App Controller, NetScaler Gateway, Device Manager | |
| Write down the system IP (NSIP) address and subnet mask. | NetScaler Gateway | |
| Write down the subnet IP (SNIP) address and subnet mask. | NetScaler Gateway | |
| Write down the NetScaler Gateway virtual server IP address and FQDN from the certificate. If you need to configure multiple virtual servers, write down all of the virtual IP addresses and FQDNs from the certificates. | NetScaler Gateway | |
| Write down the internal networks that users can access through NetScaler Gateway. Example: 10.10.0.0/24. Enter all internal networks and network segments that users need access to when they connect with Worx Home or the NetScaler Gateway Plug-in when split tunneling is set to On. | NetScaler Gateway | |

Licensing

XenMobile requires you to purchase licensing options for NetScaler Gateway and Device Manager. For more information about Citrix Licensing, see The Citrix Licensing System.

| Prerequisite description | Configure on component | Note the location |
| --- | --- | --- |
| Obtain Universal licenses from the Citrix web site. For details, see Installing NetScaler Gateway Licenses. | NetScaler Gateway | |
| Obtain perpetual, annual, or hosted cloud-based server licensing. For details, see XenMobile licensing. | Device Manager | |

Certificates

Device Manager, App Controller, and NetScaler Gateway require certificates to enable connections with other Citrix products and applications and from user devices. For more information about certificates, see the following topics:

Note: For Device Manager, you need to install the required Java components, as noted later in this checklist, before you install the APNs certificate.

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Obtain and install required certificates. You can create Certificate Signing Requests (CSRs) by using Windows Server and Internet Information Services (IIS). You can also create CSRs in NetScaler Gateway and App Controller. | App Controller, Device Manager, NetScaler Gateway | |

Ports

You need to open ports to allow communication with the XenMobile components. For a complete list of all ports you need to open for the XenMobile Solution, see XenMobile Port Requirements.

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Open ports for the XenMobile Solution. | App Controller, Device Manager, NetScaler Gateway | |

Active Directory Settings

Important: When you add users in Active Directory for App Controller, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Note the Active Directory IP address and port. If you use port 636, install a root certificate from a CA on Device Manager. If you use port 636, install a root certificate from a CA on App Controller. | App Controller, Device Manager, NetScaler Gateway | |
| Note the Active Directory domain name. | App Controller, Device Manager, NetScaler Gateway | |
| Note the Active Directory service account. The Active Directory service account is the account that App Controller and Device Manager use to query Active Directory. | App Controller, Device Manager, NetScaler Gateway | |
| Note the Base DN. This is the directory level under which users are located; for example, cn=users,dc=ace,dc=com. NetScaler Gateway, App Controller, and Device Manager use this to query Active Directory. Note: If your Active Directory database is large, you can configure multiple Base DNs to which App Controller or Device Manager binds and in which the server searches to find user objects. For example, you can use the following: ou=Finance,dc=ace,dc=com; ou=Sales,dc=ace,dc=com | App Controller, Device Manager, NetScaler Gateway | |
| Note the Group Base DN. This is the directory level under which users are located. You can use the same value that you used for Base DN. NetScaler Gateway, App Controller, and Device Manager use this to query Active Directory. | App Controller, Device Manager, NetScaler Gateway | |
| Note a user account for testing. This is an Active Directory account that you can use to log on and test single sign-on (SSO). | App Controller, Device Manager, NetScaler Gateway | |

During installation, you must specify a service account for the initial configuration of App Controller. The service account must have privileges to read the Base DN configured in App Controller to perform a successful delta sync with Active Directory.

| Permissions | Description |
| --- | --- |
| Read Privileges on the sub-tree | The permission is required for the service account to read users and groups from the sub-tree. |
| Return deleted objects | The permission is required for the service account to retrieve the deleted objects (users/groups) from AD during delta sync. Without the return deleted objects permission on the service account, AD does not return any deleted objects when queried during delta sync. |
| Replication Synchronization | Replication Synchronization allows the service account to manually force the replication of the containers on which it has been assigned the Replication Synchronization permission. |
| Replicating Directory Changes | The Replicate Directory Changes permission allows the service account to query for the changes in the directory. This permission does not allow an account to make any changes in the directory. |
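
To check the Important note at the start of this section before installation, the following added example (not from the Citrix documentation) scans an LDIF export of user objects and lists the accounts under the configured Base DNs that lack a first name, last name, or email. It assumes those fields correspond to the Active Directory attributes givenName, sn, and mail, that the export contains only user objects, and that multiple Base DNs are separated by semicolons as in this checklist's example; the sample data and function names are constructed.

```python
import re

REQUIRED = ("givenName", "sn", "mail")  # assumed AD names: first name, last name, email
# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Ana Ruiz,OU=Finance,DC=ace,DC=com
givenName: Ana
sn: Ruiz
mail: ana.ruiz@ace.com

dn: CN=svc-backup,OU=Finance,DC=ace,DC=com
sn: backup

dn: CN=Bo Chen,OU=Sales,DC=ace,DC=com
givenName: Bo
sn: Chen
mail:

dn: CN=Cy Dorn,OU=HR,DC=ace,DC=com
"""

def normalize_dn(dn):
    """Lower-case a DN and trim spaces around its unescaped commas."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def parse_ldif(text):
    """Yield (dn, attrs) per record. Simplified: no folded lines, no base64 decoding."""
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = value.strip()
            elif value.strip():  # an attribute with an empty value counts as missing
                attrs[name.strip().lower()] = value.strip()
        if dn:
            yield dn, attrs

def unsyncable_users(ldif_text, base_dns):
    """Map each DN under any Base DN to the required attributes it lacks."""
    bases = [normalize_dn(b) for b in base_dns.split(";") if b.strip()]
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        if not any(("," + normalize_dn(dn)).endswith("," + b) for b in bases):
            continue  # outside every configured Base DN
        missing = [a for a in REQUIRED if a.lower() not in attrs]
        if missing:
            report[dn] = missing
    return report
```

Calling `unsyncable_users(SAMPLE_LDIF, "ou=Finance,dc=ace,dc=com; ou=Sales,dc=ace,dc=com")` reports the two incomplete accounts in Finance and Sales and ignores the HR entry, which is outside both Base DNs.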

Database Requirements for Device Manager

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Note the SQL Server user accounts. Configure a service account with administrator rights to SQL Server, including the following access rights: Creator, Owner, and Read/Write permissions. | Device Manager | |
| Note the Windows Service Account. This account is for the Device Manager Server and the database. The account must be a Local Administrator of the computer on which you install Device Manager Server. | Device Manager | |
| Note the SQL Server FQDN or IP address. | Device Manager | |

Connections Between App Controller, Device Manager, and NetScaler Gateway

You can configure Device Manager and App Controller to connect. Complete the following tasks that are indicated for Device Manager if you deploy App Controller in your internal network. If users connect to App Controller from an external network, such as the Internet, users must connect to NetScaler Gateway before accessing mobile, web, and SaaS apps. If that is the case, complete the following tasks that are indicated for NetScaler Gateway.

Note: Configure App Controller settings on Device Manager first. Then, you can configure Device Manager settings in App Controller.

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Note the Device Manager host name. | App Controller | |
| Note the Device Manager port (80 or 443). | App Controller | |
| Note the shared key from Device Manager. Enter the same shared key in Device Manager and App Controller. | App Controller, Device Manager | |
| Note if you want mobile devices to enroll in Device Manager as a requirement before connecting to App Controller. | App Controller | |
| Note the App Controller host name. | Device Manager | |
| Write down the FQDN or IP address of App Controller. | NetScaler Gateway | |
| Identify web, SaaS, and mobile iOS or Android applications users can access. | NetScaler Gateway | |
| Note the Callback URL to allow communication between App Controller and NetScaler Gateway. | App Controller | |

User Connections: Access to XenDesktop, XenApp, the Web Interface, or StoreFront

In NetScaler Gateway, you need to create two virtual servers. One virtual server allows user connections to App Controller from Worx Home. Citrix recommends that you use the Quick Configuration wizard in NetScaler Gateway to configure these settings.

You create a second virtual server to enable user connections from Receiver and web browsers to connect to Windows-based applications and virtual desktops in XenApp and XenDesktop. Citrix recommends configuring the virtual server, session and clientless access policies by using the NetScaler Gateway Policy Manager. For more information, see Configuring Access to StoreFront Through NetScaler Gateway.

| Prerequisite description | Configure on component | Note the setting |
| --- | --- | --- |
| Note the NetScaler Gateway host name and external URL. The external URL is the web address with which users connect. | App Controller | |
| Note the NetScaler Gateway callback URL. | App Controller | |
| Note the IP addresses and subnet masks for the virtual servers. | NetScaler Gateway | |
| Note the path for Program Neighborhood Agent or a XenApp Services site. | NetScaler Gateway, App Controller | |
| Note the FQDN or IP address of the XenApp or XenDesktop server running the Secure Ticket Authority (STA) (for ICA connections only). | NetScaler Gateway | |
| Note the public FQDN for Device Manager. | NetScaler Gateway | |
| Note the public FQDN for Worx Home. | NetScaler Gateway | |

Devices

XenMobile enables you to manage devices running a range of platforms. For details of the specific platforms and versions supported, see Supported Device Platforms for XenMobile 9.0.

| Prerequisite description | Configure on component | Note the devices |
| --- | --- | --- |
| Note the mobile device platforms in your organization. | Device Manager | |