Architecture Overview

Feb 12, 2016

The XenMobile components you deploy are based on the device or app management requirements of your organization. The components of XenMobile are modular and build on each other. For example, suppose you want to give users in your organization remote access to mobile apps and you need to track the device types with which users connect. In this scenario, you would deploy XenMobile with NetScaler Gateway. XenMobile is where you manage apps and devices, and NetScaler Gateway enables users to connect to your network.

Deploying XenMobile components: You can deploy XenMobile to enable users to connect to resources in your internal network in the following ways:

  • Connections to the internal network. If your users are remote, they can connect by using a VPN or micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network.
  • Device enrollment. Users can enroll mobile devices in XenMobile so that you can use the XenMobile console to manage the devices that connect to network resources.
  • Web, SaaS, and mobile apps. Users can access their web, SaaS, and mobile apps from XenMobile through Worx Home.
  • Windows-based apps and virtual desktops. Users can connect with Citrix Receiver or a web browser to access Windows-based apps and virtual desktops from StoreFront or the Web Interface.

To achieve some or all of these capabilities, Citrix recommends deploying XenMobile components in the following order:

  • NetScaler Gateway. You can configure settings in NetScaler Gateway to enable communication with XenMobile, StoreFront, or the Web Interface by using the Quick Configuration wizard. Before using the Quick Configuration wizard in NetScaler Gateway, you must install XenMobile, StoreFront, or the Web Interface so that you can set up communication with it.
  • XenMobile. After you install XenMobile, you can configure policies and settings in the XenMobile console that allow users to enroll their mobile devices. You can also configure mobile, web, and SaaS apps. Mobile apps can include apps from the Apple App Store or Google Play. Users can also connect to mobile apps that you wrap with the MDX Toolkit and upload to the console.
  • MDX Toolkit. The MDX Toolkit can securely wrap an app that was created within your organization or a mobile app made outside the company, such as the Citrix Worx apps. After you wrap an app, you then use the XenMobile console to add the app to XenMobile and change the policy configuration as needed. You can also add app categories, apply workflows, and deploy apps to delivery groups. See About the MDX Toolkit.
  • StoreFront (optional). You can provide access to Windows-based apps and virtual desktops from StoreFront through connections with Receiver.
  • ShareFile Enterprise (optional). If you deploy ShareFile, you can enable enterprise directory integration through XenMobile, which acts as a Security Assertion Markup Language (SAML) identity provider. For more information about configuring identity providers for ShareFile, see the ShareFile support site.

XenMobile supports an integrated solution that provides device management, as well as app management through the XenMobile console. This section describes the reference architecture for the XenMobile deployment.

For more information about how to configure XenMobile 10 Enterprise Edition for a disaster recovery deployment, including an architectural diagram, see the Disaster Recovery Guide for XenMobile.

The following figures illustrate different reference architectures for the XenMobile deployment. In the figures, the numbers on the connectors represent ports that must be opened to allow connections between the components. For a complete list of ports, see XenMobile Port Requirements.

Mobile device management (MDM) mode – In the recommended model for MDM mode, the XenMobile server is positioned in the DMZ with an optional NetScaler in front, which provides additional protection for XenMobile.

Mobile app management (MAM) mode – In the recommended model for MAM mode, the XenMobile server is positioned with NetScaler Gateway in front, which provides additional protection for XenMobile. The first figure shows a deployment without NetScaler Gateway and the second shows the deployment with NetScaler Gateway.

MAM with NetScaler Gateway (recommended deployment)

MDM and MAM modes – Using the MDM and MAM modes together provides mobile app and data management, as well as mobile device management. In the recommended deployment mode, the XenMobile server is positioned in the DMZ with NetScaler in front.

XenMobile in the internal network – Another deployment option is to position the XenMobile server in the internal network, rather than in the DMZ. This deployment is used if your security policy requires that only network appliances can be placed in the DMZ. With this deployment, because the XenMobile server is not in the DMZ, you do not need to open ports on the internal firewall to allow access to SQL Server and PKI servers from the DMZ.

Cluster deployment – In a production environment, Citrix recommends deploying the XenMobile solution in a cluster configuration for both scalability and server redundancy. Also, using the NetScaler SSL Offload capability can further reduce the load on the XenMobile server and increase throughput.
