Product Documentation

XenMobile Cloud Prerequisites and Administration

Feb 24, 2016

The steps that make up the onboarding process from the time you make a request for a XenMobile Cloud instance through to user testing with the devices in your organization are shown in the following figure. When you are evaluating or purchasing XenMobile Cloud, the XenMobile Cloud Operational team provides ongoing onboarding help and communication to ensure that the core XenMobile Cloud services are running and configured correctly.


Citrix hosts and delivers your XenMobile Cloud solution. Some communication and port requirements, however, must be met to connect the XenMobile Cloud infrastructure to corporate services, such as Active Directory. Review the following sections to prepare for your XenMobile Cloud deployment.

XenMobile Cloud IPSec tunnel gateways

You can use a XenMobile Enterprise Connector, an IPsec tunnel, to connect the XenMobile Cloud infrastructure with corporate services, such as Active Directory.

The IPsec gateways listed in the following Amazon Web Services website are officially tested and supported with the XenMobile Cloud solution: http://aws.amazon.com/vpc/faqs/. Scroll to the “Q. What customer gateway devices are known to work with Amazon VPC?” section to find the list of supported gateways.

Note

If your IPSec gateway is not on the approved list, it may still work with XenMobile Cloud, but setup could take longer, and you may need one of the officially supported IPSec gateways as a fallback plan.

Your IPSec gateway needs to have a public IP address assigned directly to it, and the address cannot use Network Address Translation (NAT).

The following figure shows how the IPsec tunnel is configured in the XenMobile Cloud solution to connect to your corporate services through various ports. 


The following table shows communication and port requirements for a XenMobile Cloud deployment, including IPSec tunnel requirements.

Source | Destination | Protocol | Port | Description

External (edge) firewall – Inbound rules

Public IP addresses of XenMobile Cloud (AWS) IPSec VPN [1] | Customer IPSec appliance | UDP | 500 | IPSec IKE configuration.

Public IP addresses of XenMobile Cloud (AWS) IPSec VPN [1] | Customer IPSec appliance | IP Protocol ID | 50 | IPSec ESP protocol.

Public IP addresses of XenMobile Cloud (AWS) IPSec VPN [1] | Customer IPSec appliance | ICMP | – | For troubleshooting (can be removed post-setup).

External (edge) firewall – Outbound rules

Customer DMZ subnet | Public IP addresses of XenMobile Cloud (AWS) IPSec VPN [1] | UDP | 500 | IPSec IKE configuration.

Customer DMZ subnet | Public IP addresses of XenMobile Cloud (AWS) IPSec VPN [1] | IP Protocol ID | 50, 51 | IPSec ESP protocol.

Customer DMZ subnet | Public IP addresses of XenMobile Cloud (AWS) IPSec VPN [1] | ICMP | – | For troubleshooting (can be removed post-setup).

Internal firewall – Inbound rules

Unused and routable /24 customer subnet [2] | Internal DNS servers in customer data center | TCP, UDP, ICMP | 53 | DNS resolution.

Unused and routable /24 customer subnet [2] | Active Directory domain controllers in customer data center | LDAP (TCP) | 389, 636, 3268, 3269 | For user Active Directory authentication and directory queries to domain controllers.

Unused and routable /24 customer subnet [2] | Active Directory domain controllers in customer data center | ICMP | – | For troubleshooting (can be removed once the entire setup is completed).

Unused and routable /24 customer subnet [2] | Exchange Servers in customer data center | SMTP (TCP) | 25 | Optional: for XenMobile email notification.

Unused and routable /24 customer subnet [2] | Exchange Servers in customer data center | HTTP, HTTPS (TCP) | 80, 443 | Exchange ActiveSync, which is needed if ActiveSync traffic is sent from the device to the XenMobile Cloud infrastructure (through the IPSec tunnel) and on to the Exchange Servers. This is NOT needed if the user device communicates with a public ActiveSync FQDN over the Internet without going through the XenMobile IPSec tunnel to the Exchange Servers.

Unused and routable /24 customer subnet [2] | Application servers, such as intranet/web servers, SharePoint servers, and so on | HTTP, HTTPS (TCP) | 80, 443 | Access to intranet and/or application servers from user mobile devices through the XenMobile IPSec tunnel. Each application server needs to be added to the firewall rules with the port number required to access the application (typically port 80 and/or 443).

Unused and routable /24 customer subnet [2] | PKI server (if on-premise PKI is used) | HTTPS (TCP) | 443 | Optional (not used for XenMobile POCs): integration between the XenMobile Cloud infrastructure and an on-premise PKI infrastructure (such as Microsoft CA) to establish certificate-based authentication within the XenMobile solution.

Unused and routable /24 customer subnet [2] | RADIUS server | UDP | 1812 | Optional (not used for XenMobile POCs): two-factor authentication within the XenMobile solution.

Internal firewall – Outbound rules

Internal customer subnets from which the XenMobile console needs to be reachable | Unused and routable /24 customer subnet [2] | TCP | 4443 | XenMobile App Controller (MAM) console in the XenMobile Cloud infrastructure.

[1] Provided by the XenMobile Cloud team when the XenMobile Cloud instance and IPSec components are provisioned in the XenMobile Cloud infrastructure.

[2] An unused /24 subnet provided by the customer as part of the provisioning process, which does not conflict with internal subnets in the customer data center, and which is routable.
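Two of the inputs above are easy to get wrong before provisioning: the customer IPSec appliance must terminate the tunnel on a public address that is not behind NAT, and the /24 subnet handed to the XenMobile Cloud team must really be a /24 that overlaps nothing in the data center. The following is an added example, not Citrix code, that pre-checks both from constructed values (all addresses and subnets below are placeholders).

```python
import ipaddress

# RFC 1918 ranges. An IPSec appliance whose tunnel interface carries one of
# these addresses is behind NAT, which the XenMobile Cloud tunnel does not support.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def gateway_problems(interface_ip, observed_public_ip):
    """Problems with the address the customer IPSec appliance terminates the tunnel on.

    interface_ip        - address configured on the appliance's outside interface
    observed_public_ip  - address the Internet sees for that appliance
    """
    iface = ipaddress.ip_address(interface_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    problems = []
    if any(iface in net for net in RFC1918):
        problems.append(f"{iface} is an RFC 1918 address; the gateway sits behind NAT")
    if iface != seen:
        problems.append(f"the Internet sees {seen}, not {iface}; NAT or a proxy is in the path")
    return problems


def tunnel_subnet_problems(candidate, internal_subnets):
    """Problems with the /24 offered to the XenMobile Cloud team (footnote 2 above)."""
    try:
        # strict=True rejects e.g. 172.20.5.1/24, which names a host, not a network
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError:
        return [f"{candidate} is not a valid network address (host bits set?)"]
    problems = []
    if net.prefixlen != 24:
        problems.append(f"{net} is a /{net.prefixlen}, not the required /24")
    for sub in internal_subnets:
        existing = ipaddress.ip_network(sub)
        if net.overlaps(existing):
            problems.append(f"{net} overlaps existing internal subnet {existing}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (placeholders, not values from any real deployment)
    internal = ["10.0.0.0/8", "192.168.1.0/24"]
    for iface, seen in [("203.0.113.10", "203.0.113.10"), ("192.168.10.5", "203.0.113.10")]:
        print(iface, "->", gateway_problems(iface, seen) or "OK")
    for cand in ["172.20.5.0/24", "10.1.2.0/24", "172.20.0.0/23", "172.20.5.1/24"]:
        print(cand, "->", tunnel_subnet_problems(cand, internal) or "OK")
```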

If you plan to deploy XenMobile Mail Manager or XenMobile NetScaler Connector for native email filtering, such as the ability to block or allow email connectivity from native email clients on users' mobile devices, review the following additional requirements. 

XenMobile Apple APNs certificate

If you plan to manage iOS devices with your XenMobile Cloud deployment, you need an Apple APNs certificate. You should prepare the certificate before you deploy your XenMobile Cloud solution. For steps, see Requesting an APNs certificate.

WorxMail for iOS push notification certificate

If you want to make use of push notifications for your WorxMail deployment, you should prepare an Apple APNs certificate for iOS WorxMail push notification. For details, see Push Notifications for WorxMail for iOS.

XenMobile MDX Toolkit

The MDX Toolkit is an app wrapping technology that prepares apps for secure deployment with XenMobile. If you want to wrap apps, such as Citrix WorxMail, WorxNotes, QuickEdit, and so on, you need to install the MDX Toolkit. For details, see About the MDX Toolkit.

If you plan to wrap iOS apps, you need an Apple Developer account to create the necessary Apple distribution profiles. For details, see the MDX Toolkit System Requirements and the Apple Developer account website. 

If you plan to wrap apps for Windows Phone 8.1 devices, see the System Requirements.

XenMobile autodiscovery for Windows Phone enrollment

If you want to make use of XenMobile autodiscovery for your Windows Phone 8.1 enrollment, make sure you have a public SSL certificate available. For details, see To enable autodiscovery in XenMobile for user enrollment.

The XenMobile console

The XenMobile Cloud solution uses the same web console as an on-premise XenMobile deployment. Day-to-day administration of your Cloud solution, such as policy management, app management, device management, and so on, therefore works in much the same way as in an on-premise XenMobile deployment. For information about managing apps and devices in the XenMobile console, see Getting Started with the XenMobile Console.

XenMobile device enrollment

For information about XenMobile enrollment options for the different device platforms, see Enrolling Users and Devices.

XenMobile support

For details on how to access support-related information and tools in the XenMobile console, see XenMobile Support and Maintenance.