This post has already been read 60611 times!
Update: A few new steps to get this working have been added to this post, plus (and this is important) when you are installing MDM by following this post DO NOT UPDATE THE CERTIFICATES. Run with the self signed certificates that XenMobile will install by default.
I was working on a XenMobile MDM Pilot and whilst working on it Citrix released a patch to enable SSL Offload at the NetScaler for MDM traffic. I thought I would write a post on setting this up and converting from a wizard driven Load Balancer for MDM to a manually created SSL Offload solution.
Firstly you will need to download the Citrix Patch to the XenMobile MDM Server and save it to a convenient location. The patch can be found here:
You may need a My Citrix account to access this download.
Once you have the patch on the MDM Server log into it and copy the patch to the following location:
\XenMobile Device Manager\tomcat\webapps\[instance_name]\WEB-INF\lib (on all cluster nodes, in a clustered XDM config)
Restart the ZDM Service (or better still restart the entire MDM server).
Thats it! your MDM server is patched. Of course you will need to re-configure the NetScaler or you will still be using SSL BRIDGE for the load balancer.
You should check that the patch is installed by going to the following URL on your MDM Server https://localhost/zdm/helper.jsp and you should see the following patches listed.
As you can see below, my MDM server is currently running on the dns name xenmobile.domain.com. This is configured as a SSL_BRIDGE load balancer on the NetScaler, also shown below.
You can also see by the image below that I have NO SSL Offloading in place currently.
So, to migrate from the old bridged connection to an offloaded one you first need to disable and remove the existing Virtual Server (Load Balancer) and the existing Services.
You then need to create a new service for each MDM server you have in your cluster (This needs to be done on port 80 in order to offload to that). The Service parameters are:
- Monitor – tcp
- Server – XenMobile MDM Server
- Port 80
Ensure that the service is reporting as up before proceeding
You will then need to create the SSL Offload Load Balancers to handle both services. You will again need one for 443 and one for 8443.
Before you do this you will have to upload 2 new certificates to the NetScaler from the MDM Server. Follow the below steps to do this. (Note: Thanks to Justin Maeder from Citrix for these steps)
On XenMobile Device Manager Server browse to C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf and open cacerts.PEM in notepad
You should have 2 separate certs inside this file – The top is the Devices Cert and the bottom is the Root Cert.
The file should look something like this:
Copy the top certificate to a new file called Device-CA.cer
Copy the bottom certificate to a new file called Root-CA.cer
Inside the NetScaler GUI navigate to Traffic Management > SSL > Certificates and install both certificate files
After both certificates are uploaded, you will now need to link them together. In the Certificates pane select the Devices-CA certificate and choose Action > Link. When this opens, you should choose your Root-CA certificate that you uploaded earlier.
Inside the NetScaler GUI navigate to SSL > Policies and then click Add.
Beside the Action field (To the right) click on the Plus sign
Enter a Name for the SSL Action and make the following changes
- Client Certificate – ENABLED
- Certificate Tag – NSClientCert
Click on Expression Builder to reveal the Expression Builder dialogue box. Using the drop-down options, create the following expression:
Create the SSL Policy
You will now have to create 2 SSL Offload Servers. 1 for port 443 and 1 for port 8443 (Apple device enrolment)
Inside the NetScaler GUI navigate to Traffic Management > Load Balancing > Virtual Servers
Create a new virtual server bound to the service on port 80 you created earlier. Use the parameters shown below.
Click the SSL Settings tab and add the certificates in this order: External SSL (dns name your users will use to access XenMobile), Devices-CA, Root-CA. When adding the devices and root CA click the down arrow on the add button and add them as a CA.
Click the SSL Policies button and bind the policy you created earlier.
Click the SSL Parameters button and enable Client Authentication and set the cert to optional. This is shown below.
Create another Virtual Server for port 8443, bind the service on port 80 to it and add the EXTERNAL certificate to it.
You should now have 2 SSL Offload Servers showing as live.
Thats it! Assuming the external port forwarding and dns is in place you should be able to connect to your MDM server and SSL will be offloaded at the NetScaler. Test connecting and setting up your Apple and Android devices.
Hope this helps someone out.