The following table summarizes the many design decisions to consider when planning a NetScaler Gateway integration with XenMobile.
Design Decision
Decision Detail Design Guidance
Licensing and edition
What edition of NetScaler will you use?
Have you applied Platform licenses to NetScaler?
If you require MAM functionality, have you applied the NetScaler Universal Access Licenses?
Ensure that you apply the proper licenses to the NetScaler Gateway. If you are using XenMobile NetScaler Connector, integrated caching might be required; therefore, you must ensure that the appropriate NetScaler Edition is in place. The license requirements to enable NetScaler features are as follows.
XenMobile MDM load balancing requires a NetScaler standard platform license at a minimum.
ShareFile load balancing with StorageZones Controller requires a NetScaler standard platform license at a minimum.
The XenMobile Enterprise edition includes the required NetScaler Gateway Universal licenses for MAM.
Design Decision
Decision Detail Design Guidance
platform license or a NetScaler Enterprise platform license with the addition of an Integrated Caching license.
NetScaler version for XenMobile
What version is the NetScaler running in the XenMobile environment? Will a separate instance be required?
Citrix recommends using a dedicated instance of NetScaler for your NetScaler Gateway vServer. Be sure that the minimum required NetScaler version and build is in use for the XenMobile environment. It is usually best to use the latest compatible NetScaler version and build for XenMobile. If upgrading NetScaler Gateway would affect your existing environments, a second dedicated instance for XenMobile might be appropriate.
If you plan to share a NetScaler instance for XenMobile and other apps that use VPN connections, be sure that you have enough VPN licenses for both. Keep in mind that XenMobile test and production environments cannot share a NetScaler instance.
Certificates Do you require a higher degree of security for enrollments and access to the XenMobile environment? Is LDAP not an option?
The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to XenMobile environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.
If you don't allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile creates and deploys the certificate subsequently used to authenticate to the XenMobile environment.
XenMobile supports Certificate Revocation List (CRL) only for a third party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses NetScaler to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the NetScaler Certificate Revocation List (CRL) setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM- only mode can't authenticate using an existing certificate on the
XenMobile Deployment Handbook
© 2016 Citrix Systems, Inc. All rights reserved 53
Design Decision
Decision Detail Design Guidance
device; XenMobile re-issues a new certificate, because it doesn't restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.
Networking topology
What NetScaler topology is required?
Citrix recommends using a NetScaler instance for XenMobile. However, if you don't want traffic going from the inside network out to the DMZ, you might consider setting up an additional instance of NetScaler, so that you're using one NetScaler instance for internal users and one for external users. Be aware that when users switch between the internal and external networks, DNS record caching can result in an increase in logon prompts in Worx Home.
Note that XenMobile does not currently support NetScaler Gateway double hop.
Dedicated or shared NetScaler Gateway VIPs Do you currently use NetScaler Gateway for XenApp and XenDesktop? Will XenMobile leverage the same NetScaler Gateway as XenApp and XenDesktop? What are the authentication requirements for both traffic flows?
When your Citrix environment includes XenMobile, plus XenApp and XenDesktop, you can use the same NetScaler instance and NetScaler Gateway vServer for both. Due to potential versioning conflicts and environment isolation, a dedicated NetScaler instance and NetScaler Gateway are recommend for each XenMobile environment. However, if a dedicated NetScaler instance is not an option, Citrix
recommends using a dedicated NetScaler Gateway vServer rather than a vServer shared between XenMobile and XenApp and XenDesktop, to separate the traffic flows for Worx Home. If you use LDAP authentication, Receiver and Worx Home can authenticate to the same NetScaler Gateway with no issues. If you use certificate-based authentication, XenMobile pushes a certificate in the MDX container and Worx Home uses the certificate to authenticate with NetScaler Gateway. Before Worx Home 10.3.5, Receiver could use the same certificate as Worx Home to authenticate to the same NetScaler Gateway. As of Worx Home 10.3.5, Receiver is separate from Worx Home and can't use the same certificate as Worx Home to authenticate to the same NetScaler Gateway.
You might consider this work around, which allows you to use the same FQDN for two NetScaler Gateway VIPs. You can
Design Decision
Decision Detail Design Guidance
create two NetScaler Gateway VIPs with the same IP address, but the one for Worx Home uses the standard 443 port and the one for XenApp and XenDesktop (which deploy Receiver) uses port 444. Then, one FQDN resolves to the same IP address. For this work around, you might need to configure StoreFront to return an ICA file for port 444, instead of the default, port 443. This workaround doesn't require users to enter a port number.
NetScaler Gateway time-outs
How do you want to configure the NetScaler Gateway time-outs for XenMobile traffic?
NetScaler Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended Configurations in this handbook. Keep in mind that there are different time-out values for background services, NetScaler, and for accessing applications while offline.
XenMobile load balancer IP address for MAM
Are you using internal or external IP addresses for VIPs?
In environments where you can use public IP addresses for NetScaler Gateway VIPs, assigning the XenMobile load
balancing VIP and address in this manner will cause enrollment failures.
Ensure that the load balancing VIP uses an internal IP to avoid enrollment failures in this scenario. This virtual IP address must follow the RFC 1918 standard of private IP addresses. If you use a non-private IP address for this virtual server, NetScaler will not be able to contact the XenMobile server successfully during the authentication process. For details, see
XenMobile Deployment Handbook
© 2016 Citrix Systems, Inc. All rights reserved 55 MDM load
balancing mechanism
How will the
XenMobile servers be load balanced by NetScaler Gateway?
Use SSL Bridge if XenMobile is in the DMZ. Use SSL Offload, if required to meet security standards, when XenMobile server is in the internal network.
When you load balance XenMobile server with NetScaler VIPs in SSL Bridge mode, Internet traffic flows directly to XenMobile server, where
connections terminate. SSL Bridge mode is the simplest mode to set up and troubleshoot.
When you load balance XenMobile server with NetScaler VIPs in SSL Offload mode, Internet traffic flows directly to NetScaler, where connections terminate. NetScaler then establishes new sessions from NetScaler to XenMobile server. SSL Offload mode involves additional complexity during setup and troubleshooting.
Service port for MDM load balancing with SSL Offload
If you will use SSL Offload mode for Load Balancing, What port will the back-end service use?
For SSL Offload, choose port 80 or 8443 as follows:
Leverage port 80 back to XenMobile server, for true offloading.
If your security requirements include end-to-end encryption, you must use port 8443 only (not port 443) for the secure service from NetScaler back to XenMobile server.
Enrollment FQDN
What will be the FQDN for enrollment and XenMobile
instance/load balancing VIP?
Initial configuration of the first XenMobile server in a cluster requires that you enter the XenMobile server FQDN. That FQDN must match your MDM VIP URL and your Internal MAM LB VIP URL. (An internal NetScaler address record resolves the MAM LB VIP.) In addition, you must use the same certificate as the XenMobile SSL listener certificate, Internal MAM LB VIP certificate, and MDM VIP certificate (if using SSL Offload for MDM VIP).
Important: After you configure the enrollment FQDN,
you cannot change it. A new enrollment FQDN will require a new SQL Server database and XenMobile server re-build.
WorxWeb traffic Will you restrict WorxWeb to internal
If you will use WorxWeb for internal web browsing only, NetScaler Gateway configuration is straightforward,
web browsing only? Will you enable WorxWeb for both internal and external web browsing?
assuming that WorxWeb can reach all internal sites by default; you might need to configure firewalls and proxy servers.
If you will use WorxWeb for both internal and external browsing, you must enable the SNIP to have outbound internet access. Because IT generally views enrolled devices (using the MDX container) as an extension of the corporate network, IT typically wants WorxWeb
connections to come back to NetScaler, go through a proxy server, and then go out to Internet. By default, WorxWeb access tunnels to the internal network, which means that WorxWeb uses a per-application VPN tunnel back to the internal network for all network access and NetScaler uses split tunnel settings.
For a discussion of WorxWeb connections, see Configuring User Connections in the XenMobile documentation.
Push
Notifications for WorxMail
Will you use push notifications?
For iOS:
If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler Gateway must allow traffic from WorxMail to the Citrix listener service URLs specified in Push Notifications for WorxMail for iOS.
For Android:
As an alternative to the MDX policy, Active poll
period, you can use Google Cloud Messaging
(GCM) to control how and when Android devices need to connect to XenMobile. With GCM
configured, any security action or deploy command triggers a push notification to Worx Home to prompt the user to reconnect to the XenMobile server.
XenMobile Deployment Handbook
© 2016 Citrix Systems, Inc. All rights reserved 57 HDX STAs What STAs to use if HDX
application access will be integrated?
HDX STAs must match the STAs in StoreFront and must be valid for the XenApp/XenDesktop farm.
ShareFile Will you use ShareFile StorageZone Controllers in the environment? What ShareFile VIP URL will you use?
If you will include ShareFile StorageZone Controllers in your environment, ensure that you correctly configure the following: ShareFile Content Switch VIP (used by the ShareFile Control Plane to communicate with the StorageZone Controller servers), ShareFile Load Balancing VIPs, and all required policies and profiles. For information, see Configure NetScaler for
StorageZones Controller in the Citrix StorageZones documentation.
SAML IDP If SAML is required for ShareFile, do you want to use XenMobile as the SAML IdP?
The recommended best practice is to integrate ShareFile with XenMobile Advanced Edition or XenMobile Enterprise Edition, a simpler alternative to configuring SAML-based federation. When you use ShareFile with those XenMobile editions, XenMobile provides ShareFile with single sign-on (SSO)
authentication of Worx Mobile App users, user account provisioning based on Active Directory, and
comprehensive access control policies. The XenMobile console enables you to perform ShareFile configuration and to monitor service levels and license usage.
Note that there are two types of ShareFile clients: ShareFile Worx clients (also referred to as wrapped ShareFile) and ShareFile mobile clients (also referred to as unwrapped ShareFile). To understand the differences, see How ShareFile Worx Clients Differ from ShareFile Mobile Clients in the XenMobile documentation.
You can configure XenMobile and ShareFile to use SAML to provide SSO access to ShareFile mobile apps you wrap with the MDX toolkit, as well as to non-
wrapped ShareFile clients, such as the web site, Outlook plugin, or sync clients.
If you want to use XenMobile as the SAML IdP for ShareFile, ensure that the proper configurations are in
place. For details, see Configuring XenMobile and the ShareFile App for Single Sign-On Using SAML in the XenMobile documentation.
ShareConnect direct
connections
Will users access a host computer from a
computer or mobile device running ShareConnect using direct connections?
ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, XenMobile uses NetScaler Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect in the XenMobile documentation.