Citrix XenMobile 10 (MDM and MAM) Behind a Single IP Address Using Citrix NetScaler

Citrix XenMobile behind a single IP address is something I have been working on and trying to get working for a while now.  In my lab I can only have a single external IP address. This is normally not an issue, but Citrix XenMobile needs two external DNS names and two IP addresses: one for MDM traffic and one for MAM traffic.  Using a Citrix NetScaler, a combination of port forwarding and content switching lets you get away with a single external IP address and still have a fully working XenMobile 10 deployment in your lab.

Please Note:

This is currently not supported by Citrix, so don't try to deploy this in a production environment and expect help if you have issues, but it's great for getting XenMobile running in your lab so you can start to play with it.

For this environment I have the following set-up:

External DNS records

  • enroll.bretty.me.uk –> My Public IP
  • mobile.bretty.me.uk –> My Public IP

Firewall Rules

  • Port 8443 allowed to internal Content Switch IP
  • Port 7443 allowed to internal NetScaler Gateway for XenMobile
  • Port 443 allowed to internal Content Switch IP

Certificates

Make sure these are set up and installed on your NetScaler already:

  • A single wildcard or SAN certificate covering both of the DNS names above

Services Enabled on NetScaler

  • Content Switching
  • Load Balancing
  • SSL
  • NetScaler Gateway

NetScaler Prerequisites

  • DNS Name Server Present
  • DNS Suffix Entered
  • Certificates Uploaded
  • Licensed
  • SNIP Configured

XenMobile Prerequisites

  • XenMobile 10 configured internally, with its FQDN set to the SAME value as the enrollment URL you will give your users
  • LDAP configured on XenMobile
  • XenMobile Licenses
  • Certificates installed on XenMobile Appliance (APNS Certificate if using iOS)

So, let's get going.

At the bottom of this article you will find a script to run on your NetScaler to configure all of this for you.  Wherever you need to replace an item in the script, I mark it between dollar signs, e.g. $IpAddressOfXenMobileServer$.
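As an added example (not from the original post), here is a small Python renderer for the $Name$ placeholder convention the script uses: it fills every token from a dictionary, refuses to emit anything while a token is missing or a stray `$` survives (which is how a token that lost one delimiter would otherwise reach the NetScaler untouched), and rejects values containing whitespace or quotes, since they are spliced into CLI arguments unquoted. The three-line SAMPLE_SCRIPT and the IP addresses are constructed for the example.

```python
import re
from typing import Dict, List

# The post marks every site-specific value as $Name$ (e.g. $EnrollmentURL$, $MDMLB-IP$).
PLACEHOLDER = re.compile(r"\$([A-Za-z][A-Za-z0-9_-]*)\$")

# Constructed three-line excerpt in the post's style, used as sample input.
SAMPLE_SCRIPT = """\
add server XenMobile $XenMobileServerIP$
add dns addRec $EnrollmentURL$ $ContentSwitchIP$
add cs policy cswitch.pol.enroll.443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\\"$EnrollmentURL$\\")" -action cswitch.act.enroll.443
"""

# Values land inside CLI arguments unquoted, so anything that could split or
# terminate an argument (whitespace, quotes, backslashes) is rejected up front.
UNSAFE_VALUE = re.compile(r'[\s"\\]')


def find_placeholders(script: str) -> List[str]:
    """Distinct $Name$ tokens in order of first appearance."""
    seen: List[str] = []
    for name in PLACEHOLDER.findall(script):
        if name not in seen:
            seen.append(name)
    return seen


def render(script: str, values: Dict[str, str]) -> str:
    """Fill every token, or raise rather than emit a script the NetScaler would take verbatim."""
    bad = sorted(k for k, v in values.items() if UNSAFE_VALUE.search(v))
    if bad:
        raise ValueError("unsafe characters in value(s) for: " + ", ".join(bad))
    missing = [n for n in find_placeholders(script) if n not in values]
    if missing:
        raise KeyError("no value for placeholder(s): " + ", ".join(missing))
    out = PLACEHOLDER.sub(lambda m: values[m.group(1)], script)
    # A '$' that survives means a token lost a delimiter (e.g. "LDAPBase$") and was skipped.
    stray = [i for i, line in enumerate(out.splitlines(), start=1) if "$" in line]
    if stray:
        raise ValueError("stray '$' after substitution on line(s): %s" % stray)
    # The rendered output carries the LDAP bind password in clear text; store it accordingly.
    return out


if __name__ == "__main__":
    print(render(SAMPLE_SCRIPT, {"XenMobileServerIP": "10.0.0.10",
                                 "EnrollmentURL": "enroll.bretty.me.uk",
                                 "ContentSwitchIP": "10.0.0.20"}))
```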

Below is an overview of what the script will do:

  • Add Domain for Clientless Access to the Global Settings for NetScaler Gateway
  • Set Up the Cookies Policy for XenMobile
  • Add the HTTP Profile
  • Add XenMobile Server
  • Add LDAP Authentication Policy for NetScaler Gateway
  • Add Load Balancing vServers
  • Add Mobile NetScaler Gateway
  • Add Content Switches
  • Add Content Switching Actions
  • Add Content Switching Policies
  • Add Clientless Access Profiles
  • Add Clientless Policies
  • Bind Services to vServer
  • Bind Policies to Content Switch
  • Add local DNS record for Enrolment VIP
  • Bind Monitor to Service
  • Set MDM vServer Client Certificate Authentication
  • Set Content Switch Client Certificate Authentication
  • Add SSL Policy and Action
  • Add NetScaler Gateway Session Policies
  • Bind STA and AppController to NetScaler Gateway
  • Bind Policies to NetScaler Gateway
  • Bind Certificates to vServers and NetScaler Gateway
  • Bind SSL Policy to MDM vServer

After you have run this script you should see that your NetScaler Gateway, Content Switches and Load Balancing vServers are all shown as UP on your NetScaler.

All you need to do now is configure your NetScaler in XenMobile and test-enroll a device.

Log into your XenMobile Admin portal, click on the cog in the top right and select NetScaler Gateway.  Fill out your NetScaler Gateway URL (include the port, 7443) and click Save.

OK, it's now time to test an enrollment.  If you head over to Manage > Devices you will see I do not currently have any enrolled devices.

Open Worx Home on your mobile device (I am using my iPhone) and work through the enrolment screens:

  • Enter your enrolment URL
  • Select Enroll
  • Enter your username and password
  • Install the XenMobile CA
  • Install the XenMobile Profile Service
  • Open in Worx Home
  • Set a new PIN

Enrolled!

As you can now see in the XenMobile Device status, my iPhone is now enrolled.

That's it for now. Hopefully this will help some of you who want to run XenMobile in your lab but only have a single external IP address.

Laters,

b@m

#Add Clientless Access Domain
bind policy patset ns_cvpn_default_inet_domains $EnrollmentURL$:8443

#Add Cookie Policy
add policy patset xenmobile_cookies
bind policy patset xenmobile_cookies CsrfToken -index 1
bind policy patset xenmobile_cookies ASP.NET_SessionId -index 2
bind policy patset xenmobile_cookies CtxsPluginAssistantState -index 3
bind policy patset xenmobile_cookies CtxsAuthId -index 4

#Add HTTP Profile 
add ns httpProfile http.prof.mdm.ssl.offload -conMultiplex DISABLED

#Add XenMobile Server
add server XenMobile $XenMobileServerIP$

#Add XenMobile Service
add service svc.mdm XenMobile HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CustomServerID $CustomServerID$ -CKA NO -TCPB NO -CMP NO

#Add LDAP Policy
#Supply the bind password in clear text here. The saved running config re-emits it with
#-encrypted -encryptmethod ENCMTHD_3; pasting that flag with a clear-text password makes the bind fail.
add authentication ldapAction auth.prof.ldaps -serverIP $DomainControllerIP$ -serverPort $Port$ -ldapBase "$LDAPBase$" -ldapBindDn $BindAccount$ -ldapBindDnPassword $BindPassword$ -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute userPrincipalName -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute cn
add authentication ldapPolicy auth.pol.ldaps ns_true auth.prof.ldaps

#Add Load Balancing vServers
add lb vserver vsvr.mdm.443 SSL $MDMLB-IP$ 443 -persistenceType SSLSESSION -timeout 1440 -cltTimeout 180 -httpProfileName http.prof.mdm.ssl.offload
add lb vserver vsvr.mdm.8443 SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -httpProfileName http.prof.mdm.ssl.offload
add lb vserver vsvr.mam.8443 SSL $MAMLB-IP$ 8443 -persistenceType CUSTOMSERVERID -rule "HTTP.REQ.COOKIE.VALUE(\"ACNODEID\")" -cltTimeout 180

#Add Mobile NetScaler Gateway
add vpn vserver netscaler.gateway.mobile SSL $NetScalerGatewayIP$ 7443 -Listenpolicy NONE

#Add Content Switches
add cs vserver cswitch.443 SSL $ContentSwitchIP$ 443 -cltTimeout 180
add cs vserver cswitch.8443 SSL $ContentSwitchIP$ 8443 -cltTimeout 180 -httpProfileName http.prof.mdm.ssl.offload

#Add Content Switching Actions
add cs action cswitch.act.enroll.443 -targetLBVserver vsvr.mdm.443
add cs action cswitch.act.enroll.8443 -targetLBVserver vsvr.mdm.8443

#Add Content Switching Policies
add cs policy cswitch.pol.enroll.443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"$EnrollmentURL$\")" -action cswitch.act.enroll.443
add cs policy cswitch.pol.enroll.8443 -rule "HTTP.REQ.URL.CONTAINS(\"/zdm\")" -action cswitch.act.enroll.8443

#Add Clientless Access Profiles
add vpn clientlessAccessProfile clientless_prof_rewrite
add vpn clientlessAccessProfile clientless_prof_no_rewrite
set vpn clientlessAccessProfile clientless_prof_rewrite -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies xenmobile_cookies

#Add Clientless Policies
add vpn clientlessAccessPolicy clientless_pol_rewrite TRUE clientless_prof_rewrite
add vpn clientlessAccessPolicy clientless_pol_no_rewrite "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" clientless_prof_no_rewrite

#Bind Services to vServer
bind lb vserver vsvr.mdm.443 svc.mdm
bind lb vserver vsvr.mdm.8443 svc.mdm
bind lb vserver vsvr.mam.8443 svc.mdm

#Bind Policies to Content Switch
bind cs vserver cswitch.443 -policyName cswitch.pol.enroll.443 -priority 100
bind cs vserver cswitch.8443 -policyName cswitch.pol.enroll.8443 -priority 100
bind cs vserver cswitch.8443 -lbvserver vsvr.mam.8443

#Add local DNS record for Enrollment VIP
add dns addRec $EnrollmentURL$ $ContentSwitchIP$

#Bind Monitor to Service
bind service svc.mdm -monitorName http-ecv

#Set MDM vServer Client Certificate Authentication
set ssl vserver vsvr.mdm.443 -clientAuth ENABLED -clientCert Optional -sslRedirect ENABLED -ssl3 DISABLED

#Set Content Switch Client Certificate Authentication
set ssl vserver cswitch.443 -clientAuth ENABLED -clientCert Optional -ssl3 DISABLED

#Add SSL Policy and Action
add ssl action ssl.act.mdm -clientCert ENABLED -certHeader NSClientCert
add ssl policy ssl.pol.mdm -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action ssl.act.mdm

#Add NetScaler Gateway Session Policies
add vpn sessionAction mobile.act.native -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "$EnrollmentURL$:8443"
add vpn sessionAction mobile.act.web -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "$EnrollmentURL$:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "$EnrollmentURL$:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
add vpn sessionAction mobile.act.vpn -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "$EnrollmentURL$:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "$EnrollmentURL$:8443"
add vpn sessionPolicy mobile.pol.native "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" mobile.act.native
add vpn sessionPolicy mobile.pol.web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" mobile.act.web
add vpn sessionPolicy mobile.pol.vpn "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" mobile.act.vpn

#Bind STA and AppController to NetScaler Gateway
bind vpn vserver netscaler.gateway.mobile -staServer "$EnrollmentURL$:8443"
bind vpn vserver netscaler.gateway.mobile -appController "$EnrollmentURL$:8443"

#Bind Policies to NetScaler Gateway
bind vpn vserver netscaler.gateway.mobile -policy auth.pol.ldaps
bind vpn vserver netscaler.gateway.mobile -policy mobile.pol.native -priority 100
bind vpn vserver netscaler.gateway.mobile -policy mobile.pol.web -priority 100
bind vpn vserver netscaler.gateway.mobile -policy mobile.pol.vpn -priority 100
bind vpn vserver netscaler.gateway.mobile -policy clientless_pol_no_rewrite -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver netscaler.gateway.mobile -policy clientless_pol_rewrite -priority 100 -gotoPriorityExpression END -type REQUEST

#Bind Certificates to vServers and NetScaler Gateway (REPLACE CERTIFICATE NAMES WITH YOUR OWN)
bind ssl vserver vsvr.mdm.443 -certkeyName wildcard.public
bind ssl vserver vsvr.mdm.443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.443 -certkeyName xenmobile.device -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.8443 -certkeyName wildcard.public
bind ssl vserver vsvr.mdm.8443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.8443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.8443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName wildcard.public
bind ssl vserver cswitch.443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName xenmobile.device -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver cswitch.8443 -certkeyName wildcard.public
bind ssl vserver cswitch.8443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver cswitch.8443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver cswitch.8443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver netscaler.gateway.mobile -certkeyName wildcard.public
bind ssl vserver netscaler.gateway.mobile -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver netscaler.gateway.mobile -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver netscaler.gateway.mobile -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mam.8443 -certkeyName wildcard.public

#Bind SSL Policy to MDM vServer
bind ssl vserver vsvr.mdm.443 -policyName ssl.pol.mdm -priority 100

8 thoughts on “Citrix XenMobile 10 (MDM and MAM) Behind a Single IP Address Using Citrix NetScaler”

  1. Pingback: XenMobile 10.x and NetScaler 10.x – A Comprehensive HowTo Guide – blog – Alexander Ollischer | Citrix | Microsoft

  2. r00nster

    Can this be used in conjunction with traditional NetScaler Gateway for XenApp/XenDesktop (ICAProxy) using the same single IP address?
    Like you I have a home lab behind a single IP address with a fully working NetScaler Gateway / ICAProxy fronting a XenDesktop/XenApp 7.x environment. I’ve been wanting to introduce XenMobile for some time but was told (by people at Citrix) it wasn’t possible because of having to content switch XenMobile MDM/MAM & ICAProxy all at the same time. Looking at your article above it looks as if you are almost (if not all the way) there ??

    1. Bretty Post author

      That is correct and the config I have posted is not currently supported by Citrix. However it does work in a lab environment and will CS the ICA and MAM traffic over different back end gateways.

  3. r00nster

    Excellent! Yes, I’m fully aware CS of XenMobile isn’t a supported configuration, but for a home lab it is ideal. I will give the configuration a try. Is there anything specific I need to be aware of given ICAProxy is already in situ? I see in your configuration above you are applying a CS on port 443. Will I need to add something to also include ICAProxy in the CS configuration? Thanks again

  4. Sasca

    Hi

    Great Post.

    When I already have a Netscaler Gateway running on port 443, do I have to add a second NS gateway running on port 7443 or can I use the existing gateway?

    We don’t use wildcard certificates because of security reasons. What would be the common name of the certificates for the vsvr.mdm.443, vsvr.mdm.8443, cswitch.443 & cswitch.8443?

    What is the “xenmobile.device -CA” certificate for?
