Citrix XenMobile behind a single IP is something I have been working on and trying to get working for a while now. In my lab I can only have a single external IP address. This is normally not an issue, but Citrix XenMobile needs two external DNS names and IP addresses: one for MDM traffic and one for MAM traffic. Using a Citrix NetScaler with a combination of port forwarding and content switching, you can get away with a single external IP address and still end up with a fully working XenMobile 10 deployment in your lab.
Please Note:
This is currently not supported by Citrix, so don't deploy it in a production environment or expect help if you have issues, but it's great for getting XenMobile running in your lab so you can start to play with it.
For this environment I have the following set-up:
External DNS records
- enroll.bretty.me.uk –> My Public IP
- mobile.bretty.me.uk –> My Public IP
Firewall Rules
- Port 8443 allowed to internal Content Switch IP
- Port 7443 allowed to internal NetScaler Gateway for XenMobile
- Port 443 allowed to internal Content Switch IP
Certificates
Make sure these are set up and installed on your NetScaler already
- Single wildcard or SAN certificate allowing secure access to both of the above DNS names
Services Enabled on NetScaler
- Content Switching
- Load Balancing
- SSL
- NetScaler Gateway
NetScaler Pre-Reqs
- DNS Name Server Present
- DNS Suffix Entered
- Certificates Uploaded
- Licensed
- SNIP Configured
XenMobile Pre-Reqs
- XenMobile 10 configured internally with the FQDN set the SAME as the enrollment URL you will give your users
- LDAP configured on XenMobile
- XenMobile Licenses
- Certificates installed on XenMobile Appliance (APNS Certificate if using iOS)
So, let's get going.
At the bottom of this article you will find a script to run on your NetScaler to configure all of this for you. Where you need to replace items in the script, I have marked them between dollar signs, e.g. $IpAddressOfXenMobileServer$.
Below is an overview of what the script will do:
- Add Domain for Clientless Access to the Global Settings for NetScaler Gateway
- Set Up the Cookies Policy for XenMobile
- Add the HTTP Profile
- Add XenMobile Server
- Add LDAP Authentication Policy for NetScaler Gateway
- Add Load Balancing vServers
- Add Mobile NetScaler Gateway
- Add Content Switches
- Add Content Switching Actions
- Add Content Switching Policies
- Add Clientless Access Profiles
- Add Clientless Policies
- Bind Services to vServer
- Bind Policies to Content Switch
- Add local DNS record for Enrolment VIP
- Bind Monitor to Service
- Set MDM vServer Client Certificate Authentication
- Set Content Switch Client Certificate Authentication
- Add SSL Policy and Action
- Add NetScaler Gateway Session Policies
- Bind STA and AppController to NetScaler Gateway
- Bind Policies to NetScaler Gateway
- Bind Certificates to vServers and NetScaler Gateway
- Bind SSL Policy to MDM vServer
After you have run this script you should see that your services are running on your NetScaler:
- NetScaler Gateway
- Content Switches
- Load Balancing vServers
All you need to do now is configure your NetScaler in XenMobile and test-enroll a device.
Log into your XenMobile admin portal, click on the cog in the top right and select NetScaler Gateway. Fill out your NetScaler Gateway URL (include the port 7443) and click on Save.
OK, it's now time to test an enrollment. If you head over to Manage and Devices you will see I do not currently have any enrolled devices.
Open Worx Home on your mobile device (I am using my iPhone) and go through the following steps:
- Enter your enrollment URL
- Select Enroll
- Enter your username and password
- Install the XenMobile CA
- Install the XenMobile Profile Service
- Open in Worx Home
- Set a new PIN
- Enrolled!
As you can now see in the XenMobile device status, my iPhone is now enrolled.
That's it for now; hopefully this will help some of you who want to run XenMobile in your lab but only have a single external IP address.
Laters,
b@m
#Add Clientless Access Domain
bind policy patset ns_cvpn_default_inet_domains $EnrollmentURL$:8443
#Add Cookie Policy
add policy patset xenmobile_cookies
bind policy patset xenmobile_cookies CsrfToken -index 1
bind policy patset xenmobile_cookies ASP.NET_SessionId -index 2
bind policy patset xenmobile_cookies CtxsPluginAssistantState -index 3
bind policy patset xenmobile_cookies CtxsAuthId -index 4
#Add HTTP Profile
add ns httpProfile http.prof.mdm.ssl.offload -conMultiplex DISABLED
#Add XenMobile Server
add server XenMobile $XenMobileServerIP$
#Add XenMobile Service
add service svc.mdm XenMobile HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CustomServerID $CustomServerID$ -CKA NO -TCPB NO -CMP NO
#Add LDAP Policy
#NOTE: -encrypted -encryptmethod ENCMTHD_3 tells the NetScaler the bind password that follows is already NetScaler-encrypted (as exported from a running config). If you replace $BindPassword$ with a plain-text password, remove those two options.
add authentication ldapAction auth.prof.ldaps -serverIP $DomainControllerIP$ -serverPort $Port$ -ldapBase "$LDAPBase$" -ldapBindDn $BindAccount$ -ldapBindDnPassword $BindPassword$ -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute userPrincipalName -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute cn
add authentication ldapPolicy auth.pol.ldaps ns_true auth.prof.ldaps
#Add Load Balancing vServers
add lb vserver vsvr.mdm.443 SSL $MDMLB-IP$ 443 -persistenceType SSLSESSION -timeout 1440 -cltTimeout 180 -httpProfileName http.prof.mdm.ssl.offload
add lb vserver vsvr.mdm.8443 SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -httpProfileName http.prof.mdm.ssl.offload
add lb vserver vsvr.mam.8443 SSL $MAMLB-IP$ 8443 -persistenceType CUSTOMSERVERID -rule "HTTP.REQ.COOKIE.VALUE(\"ACNODEID\")" -cltTimeout 180
#Add Mobile NetScaler Gateway
add vpn vserver netscaler.gateway.mobile SSL $NetScalerGatewayIP$ 7443 -Listenpolicy NONE
#Add Content Switches
add cs vserver cswitch.443 SSL $ContentSwitchIP$ 443 -cltTimeout 180
add cs vserver cswitch.8443 SSL $ContentSwitchIP$ 8443 -cltTimeout 180 -httpProfileName http.prof.mdm.ssl.offload
#Add Content Switching Actions
add cs action cswitch.act.enroll.443 -targetLBVserver vsvr.mdm.443
add cs action cswitch.act.enroll.8443 -targetLBVserver vsvr.mdm.8443
#Add Content Switching Policies
add cs policy cswitch.pol.enroll.443 -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"$EnrollmentURL$\")" -action cswitch.act.enroll.443
add cs policy cswitch.pol.enroll.8443 -rule "HTTP.REQ.URL.CONTAINS(\"/zdm\")" -action cswitch.act.enroll.8443
#Add Clientless Access Profiles
add vpn clientlessAccessProfile clientless_prof_rewrite
add vpn clientlessAccessProfile clientless_prof_no_rewrite
set vpn clientlessAccessProfile clientless_prof_rewrite -URLRewritePolicyLabel ns_cvpn_default_inet_url_label -ClientConsumedCookies xenmobile_cookies
#Add Clientless Policies
add vpn clientlessAccessPolicy clientless_pol_rewrite TRUE clientless_prof_rewrite
add vpn clientlessAccessPolicy clientless_pol_no_rewrite "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS" clientless_prof_no_rewrite
#Bind Services to vServer
bind lb vserver vsvr.mdm.443 svc.mdm
bind lb vserver vsvr.mdm.8443 svc.mdm
bind lb vserver vsvr.mam.8443 svc.mdm
#Bind Policies to Content Switch
bind cs vserver cswitch.443 -policyName cswitch.pol.enroll.443 -priority 100
bind cs vserver cswitch.8443 -policyName cswitch.pol.enroll.8443 -priority 100
bind cs vserver cswitch.8443 -lbvserver vsvr.mam.8443
#Add local DNS record for Enrollment VIP
add dns addRec $EnrollmentURL$ $ContentSwitchIP$
#Bind Monitor to Service
bind service svc.mdm -monitorName http-ecv
#Set MDM vServer Client Certificate Authentication
set ssl vserver vsvr.mdm.443 -clientAuth ENABLED -clientCert Optional -sslRedirect ENABLED -ssl3 DISABLED
#Set Content Switch Client Certificate Authentication
set ssl vserver cswitch.443 -clientAuth ENABLED -clientCert Optional -ssl3 DISABLED
#Add SSL Policy and Action
add ssl action ssl.act.mdm -clientCert ENABLED -certHeader NSClientCert
add ssl policy ssl.pol.mdm -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action ssl.act.mdm
#Add NetScaler Gateway Session Policies
add vpn sessionAction mobile.act.native -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "$EnrollmentURL$:8443"
add vpn sessionAction mobile.act.web -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "$EnrollmentURL$:8443/Citrix/StoreWeb" -icaProxy OFF -wihome "$EnrollmentURL$:8443/Citrix/StoreWeb" -ClientChoices OFF -clientlessVpnMode ON -SecureBrowse ENABLED
add vpn sessionAction mobile.act.vpn -splitDns BOTH -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -homePage "$EnrollmentURL$:8443/Citrix/StoreWeb" -icaProxy OFF -ClientChoices OFF -clientlessVpnMode OFF -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "$EnrollmentURL$:8443"
add vpn sessionPolicy mobile.pol.native "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" mobile.act.native
add vpn sessionPolicy mobile.pol.web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" mobile.act.web
add vpn sessionPolicy mobile.pol.vpn "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer NOTEXISTS" mobile.act.vpn
#Bind STA and AppController to NetScaler Gateway
bind vpn vserver netscaler.gateway.mobile -staServer "$EnrollmentURL$:8443"
bind vpn vserver netscaler.gateway.mobile -appController "$EnrollmentURL$:8443"
#Bind Policies to NetScaler Gateway
bind vpn vserver netscaler.gateway.mobile -policy auth.pol.ldaps
bind vpn vserver netscaler.gateway.mobile -policy mobile.pol.native -priority 100
bind vpn vserver netscaler.gateway.mobile -policy mobile.pol.web -priority 100
bind vpn vserver netscaler.gateway.mobile -policy mobile.pol.vpn -priority 100
bind vpn vserver netscaler.gateway.mobile -policy clientless_pol_no_rewrite -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver netscaler.gateway.mobile -policy clientless_pol_rewrite -priority 100 -gotoPriorityExpression END -type REQUEST
#Bind Certificates to vServers and NetScaler Gateway (REPLACE CERTIFICATE NAMES WITH YOUR OWN)
bind ssl vserver vsvr.mdm.443 -certkeyName wildcard.public
bind ssl vserver vsvr.mdm.443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.443 -certkeyName xenmobile.device -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.8443 -certkeyName wildcard.public
bind ssl vserver vsvr.mdm.8443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.8443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver vsvr.mdm.8443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName wildcard.public
bind ssl vserver cswitch.443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName xenmobile.device -CA -ocspCheck Optional
bind ssl vserver cswitch.443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver cswitch.8443 -certkeyName wildcard.public
bind ssl vserver cswitch.8443 -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver cswitch.8443 -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver cswitch.8443 -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver netscaler.gateway.mobile -certkeyName wildcard.public
bind ssl vserver netscaler.gateway.mobile -certkeyName int.public -CA -ocspCheck Optional
bind ssl vserver netscaler.gateway.mobile -certkeyName root.internal -CA -ocspCheck Optional
bind ssl vserver netscaler.gateway.mobile -certkeyName root.public -CA -ocspCheck Optional
bind ssl vserver vsvr.mam.8443 -certkeyName wildcard.public
#Bind SSL Policy to MDM vServer
bind ssl vserver vsvr.mdm.443 -policyName ssl.pol.mdm -priority 100
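To make the traffic-steering part of the script easier to follow, here is a small Python model (added here, not part of the original script or of any Citrix code) that replays the content-switching policies and the three gateway session policies against constructed requests. ENROLLMENT_URL is an assumed value standing in for $EnrollmentURL$.

```python
# Added example (not part of the original script): a Python model of the
# traffic-steering rules the NetScaler script above creates, replayed against
# constructed requests. Nothing here talks to a real NetScaler.
from dataclasses import dataclass, field

ENROLLMENT_URL = "enroll.bretty.me.uk"  # assumed value of $EnrollmentURL$


@dataclass
class Request:
    port: int                 # port the request hits on the single public IP
    host: str                 # Host header
    url: str                  # request path
    headers: dict = field(default_factory=dict)


def content_switch(req: Request) -> str:
    """Return the vserver a request lands on, per the cswitch.* bindings."""
    if req.port == 443:
        # cswitch.pol.enroll.443: HTTP.REQ.HOSTNAME.CONTAINS($EnrollmentURL$)
        if ENROLLMENT_URL in req.host:
            return "vsvr.mdm.443"
        return "cswitch.443: no policy hit and no default lbvserver bound"
    if req.port == 8443:
        # cswitch.pol.enroll.8443: HTTP.REQ.URL.CONTAINS("/zdm") -> MDM
        if "/zdm" in req.url:
            return "vsvr.mdm.8443"
        # anything else on 8443 falls through to the bound default (MAM)
        return "vsvr.mam.8443"
    if req.port == 7443:
        return "netscaler.gateway.mobile"
    return "dropped: no firewall rule for this port"


def session_policy(headers: dict) -> str:
    """Return the gateway session action chosen by mobile.pol.native/web/vpn."""
    ua = headers.get("User-Agent", "")
    receiver = "CitrixReceiver" in ua
    if receiver and "X-Citrix-Gateway" in headers:
        return "mobile.act.native"   # Worx Home / Receiver on a device
    if not receiver and "Referer" in headers:
        return "mobile.act.web"      # browser arriving via a link
    if not receiver:
        return "mobile.act.vpn"      # browser that typed the URL directly
    return "no session policy matched"  # Receiver without X-Citrix-Gateway
```

Note that a request on 443 whose Host header does not contain the enrollment URL has nowhere to go, because cswitch.443 only has the enroll policy bound and no default lbvserver.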
Can this be used in conjunction with traditional NetScaler Gateway for XenApp/XenDesktop (ICAProxy) using the same single IP address?
Like you I have a home lab behind a single IP address with a fully working NetScaler Gateway / ICAProxy fronting a XenDesktop/XenApp 7.x environment. I've been wanting to introduce XenMobile for some time but was told (by people at Citrix) it wasn't possible because of having to content switch XenMobile MDM/MAM & ICAProxy all at the same time. Looking at your article above it looks as if you are almost (if not all the way) there?
That is correct and the config I have posted is not currently supported by Citrix. However it does work in a lab environment and will CS the ICA and MAM traffic over different back end gateways.
Excellent! Yes, I'm fully aware CS of XenMobile isn't a supported configuration, but for a home lab it's ideal. I will give the configuration a try. Is there anything specific I need to be aware of given ICAProxy is already in situ? I see in your configuration above you are applying a CS on port 443. Will I need to add something to also include ICAProxy in the CS configuration? Thanks again
Hi Dave,
Great post but got a question 😉
When you are talking about $EnrollmentURL$:8443, do you mean (in your case): enroll.bretty.me.uk:8443 or https://enroll.bretty.me.uk:8443??
I saw this multiple times in the script 😉
Best regards, Jeroen.
Yep, that’s right.
HTTPS:// with the enroll URL.
Hi
Great Post.
When I already have a Netscaler Gateway running on port 443, do I have to add a second NS gateway running on port 7443 or can I use the existing gateway?
We don't use wildcard certificates because of security reasons. What would be the common name of the certificates for the vsvr.mdm.443, vsvr.mdm.8443, cswitch.443 & cswitch.8443?
What is the "xenmobile.device -CA" certificate for?
Hi David, would you please be able to explain the cert types at the bottom of the script? I'm very familiar with NetScaler but don't understand these parts. I get the root.public and int.public, but what is the device one and root.internal?
Hello there, I'm having some trouble with the content switching. Once I modified the script and try to enroll the device, I get the error "invalid user/password" and don't know where to start with troubleshooting...
LDAP policy is ok, certificates are ok too.
greetings!!
Hi Dave,
brilliant site, really 🙂
I try to get this working too but with no success so far.
In NetScaler I have almost everything green (which doesn't say much, as I learned); the only red point is the STA connection, which I can't get working. I tried it with IPs also, https, http, I think every possible combination I could find.
All the rest should be correct, and I only use an external certificate with SAN, the same as the SSL listener on my XenMobile server.
Is there something to take care of to get the STA connection working?
Thanks and regards
Hampe