This post has already been read 40410 times!
I was building a Citrix XenMobile and AppController Poc for a demo and came across an issue when presenting the entire solution externally via a single IP address. Normally you would require 2 external entry points – 1 for XenMobile and 1 for AppController. This way you would allow access to XenMobile for device enrolment and also allow access to AppController for the unified application store.
In some cases this may not be possible as the client may only have a single available external IP Address. The following article will describe the process I used to achieve this. It may not be perfect but it certainly works for me and I now have a unified App Store with Windows, Saas, Native and Mobile apps with MicroVPN all in one place.
(I know – before you e-mail me, there are no Windows Apps above. Trust me – it works. My XenDesktop 7 Controller was turned off at this time !)
So, onto the fun stuff. Initially you will need 1 Internal XenMobile Server (Lets Say 192.168.0.10) and 1 Internal AppController (Lets Say 192.168.0.11). You will also need a NetScaler Installed (Don’t configure the Gateway just yet, lets say 192.168.0.12)
Step 1 is to install and configure XenMobile. I will not re-invent the wheel here as RobinHobo has written a great article here on how to do this. The only point worth paying special attention to is shown below. You will NEED to enter the exact external dns name that you intend using to enrol the devices.
The above post will cover off the following:
- Setting up the XenMobile Pre-reqs
- Installing XenMobile
- First Time Config of XenMobile
- Certificate Replacement
- NetScaler Load Balancing for XenMobile
The load balancing section of this post will ask you to use the wizards to set up the NetScaler to handle the load balanced traffic to the XenMobile backend. This is a great was of getting your system up and running however it will use SSL_BRIDGE as the load balancing method. This is not the most secure method of setting this up. For a Poc it is sufficient but Citrix have not released a patch for XenMobile to allow SSL Offload. What I would suggest doing is installing the jar file for the patch found here:
Then I would then reconfigure the Load Balancer on the NetScaler to use SSL Offload rather than SSL Bridging.
There is a good article on SSL Offloading via a NetScaler here if you need help with this.
So, at this point you should have a XenMobile Server up and running, linked to your Active Directory with the certificates replaced with your own.
The Next Step is to configure the AppController. This is fortunately easier as Citrix have given us a Appliance for this. So, import the appliance and start it up.
Again, Citrix have given us a document for setting up AppController’s IP Address here, once this is done you can log into the AppController using the following URL https://IPADDRESS:4443
Run the initial configuration wizard (document found here).
Finally you should replace the AppController’s default certificate. If you generate an internal cert for the AppControllers dns name on a Windows machine and export it with the private key as a pfx file you can follow this document to install it onto the appliance. You should also install the root certificate onto the appliance as a trusted publisher so that the AppController trusts the XenMobile Server etc. This can be done by obtaining the Root Cert and following this document.
So, now you have a working XenMobile and AppController setup. All you need to do now is link it all together and present it externally.
Obviously you are going to be using a NetScaler to present the solution externally. So far you have a working NetScaler (With Universal Licenses [this is required for MicroVPN]) with a single load balancer configured on it for Xenmobile (say xenmobile.domain.com).
The first thing you want to do is set up 2 firewall rules to forward traffic to XenMobile. Set up a rule for port 443 to point at your Load Balancer IP Address and another rule for port 8443 (required for Apple device registration) to point to the same IP Address.
Thats the XenMobile forwarding done. If you test going to https://xenmobile.domain.com/zdm from an external browser you should see the XenMobile Admin Portal.
Next, create a new NetScaler Gateway BUT use the port 444 instead of port 443. Bind the relevant certificate to the virtual server and bind the relevant LDAP authentication policy. If you need help on this then google “NetScaler LDAP Authentication Policy” and “NetScaler Certificate Install” and you will find loads of information on this.
Next create a firewall rule to forward port 444 to the IP Address of the NetScaler Gateway you have just created. If you now go to an external browser and type in https://yourgateway.domain.com:444 you should see the NetScaler Gateway login page. Don’t get excited yet though, it wont do anything just yet.
So now for the complicated but. You now need to create all the session policies for clientless access and for WorxHome and Storefront etc. The following document describes the process and I would suggest following it to the letter. I have personally run through this document over 10 times due to testing etc and can say – it is brilliant.
Now there is a wizard on the NetScaler for setting up a gateway for Enterprise Applications but I would recommend following this instead. If for no other reason that you can give the policies a name that actually means something !!
Also, the above document assumes that you have a Citrix StoreFront instance running as well as AppController etc. If you don’t have that then its not a problem – just leave the StoreFront stuff out of the config.
Another point worth mentioning is that on all requests for the NetScaler Gateway during the above document make sure you enter the port as well as the dns name. i.e: https://gateway.domain.com:444
Finally, add an internal dns record for the same name to point to the internal interface of your NetScaler Gateway – this will make the callback procedure run a lot smoother.
Once this is done you can download WorxHome from your mobile device and enrol.
You are now ready to add applications to AppController and configurations to XenMobile. In order to use the MicroVPN function you WILL have to wrap WorxMail and WorxWeb. The AppController will not tunnel traffic unless you do this. I have written a document on doing this here.
Thats it, hopefully this will help someone out and prevent them having to go through the same pain I did to get this working. I am sure there are other ways of doing this such as re-directing the XenMobile external ports etc but this seems to work well for me.