How to present Citrix XenMobile 8.6 and AppController 2.9 Externally from a single IP Address

How to present Citrix XenMobile 8.6 and AppController 2.9 Externally from a single IP Address

How to present Citrix XenMobile 8.6 and AppController 2.9 Externally from a single IP Address

This post has already been read 42234 times!

I was building a Citrix XenMobile and AppController Poc for a demo and came across an issue when presenting the entire solution externally via a single IP address.  Normally you would require 2 external entry points – 1 for XenMobile and 1 for AppController.  This way you would allow access to XenMobile for device enrolment and also allow access to AppController for the unified application store.

In some cases this may not be possible as the client may only have a single available external IP Address.  The following article will describe the process I used to achieve this.  It may not be perfect but it certainly works for me and I now have a unified App Store with Windows, Saas, Native and Mobile apps with MicroVPN all in one place.

Unified App Store

Unified App Store

(I know – before you e-mail me, there are no Windows Apps above.  Trust me – it works.  My XenDesktop 7 Controller was turned off at this time !)

So, onto the fun stuff.  Initially you will need 1 Internal XenMobile Server (Lets Say and 1 Internal AppController (Lets Say  You will also need a NetScaler Installed (Don’t configure the Gateway just yet, lets say

Citrix XenMobile

Step 1 is to install and configure XenMobile.  I will not re-invent the wheel here as RobinHobo has written a great article here on how to do this.  The only point worth paying special attention to is shown below.  You will NEED to enter the exact external dns name that you intend using to enrol the devices.


External DNS Name

The above post will cover off the following:

  • Setting up the XenMobile Pre-reqs
  • Installing XenMobile
  • First Time Config of XenMobile
  • Certificate Replacement
  • NetScaler Load Balancing for XenMobile

The load balancing section of this post will ask you to use the wizards to set up the NetScaler to handle the load balanced traffic to the XenMobile backend.  This is a great was of getting your system up and running however it will use SSL_BRIDGE as the load balancing method.  This is not the most secure method of setting this up.  For a Poc it is sufficient but Citrix have not released a patch for XenMobile to allow SSL Offload.  What I would suggest doing is installing the jar file for the patch found here:

Then I would then reconfigure the Load Balancer on the NetScaler to use SSL Offload rather than SSL Bridging.

There is a good article on SSL Offloading via a NetScaler here if you need help with this.

So, at this point you should have a XenMobile Server up and running, linked to your Active Directory with the certificates replaced with your own.

Citrix AppController

The Next Step is to configure the AppController.  This is fortunately easier as Citrix have given us a Appliance for this.  So, import the appliance and start it up.

Again, Citrix have given us a document for setting up AppController’s IP Address here, once this is done you can log into the AppController using the following URL https://IPADDRESS:4443

Run the initial configuration wizard (document found here).

Finally you should replace the AppController’s default certificate.  If you generate an internal cert for the AppControllers dns name on a Windows machine and export it with the private key as a pfx file you can follow this document to install it onto the appliance.  You should also install the root certificate onto the appliance as a trusted publisher so that the AppController trusts the XenMobile Server etc.  This can be done by obtaining the Root Cert and following this document.

So, now you have a working XenMobile and AppController setup.  All you need to do now is link it all together and present it externally.


Obviously you are going to be using a NetScaler to present the solution externally.  So far you have a working NetScaler (With Universal Licenses [this is required for MicroVPN]) with a single load balancer configured on it for Xenmobile (say

The first thing you want to do is set up 2 firewall rules to forward traffic to XenMobile.  Set up a rule for port 443 to point at your Load Balancer IP Address and another rule for port 8443 (required for Apple device registration) to point to the same IP Address.

Thats the XenMobile forwarding done.  If you test going to from an external browser you should see the XenMobile Admin Portal.


XenMobile Admin Console

Next, create a new NetScaler Gateway BUT use the port 444 instead of port 443.  Bind the relevant certificate to the virtual server and bind the relevant LDAP authentication policy.  If you need help on this then google “NetScaler LDAP Authentication Policy” and “NetScaler Certificate Install” and you will find loads of information on this.

Next create a firewall rule to forward port 444 to the IP Address of the NetScaler Gateway you have just created.  If you now go to an external browser and type in you should see the NetScaler Gateway login page.  Don’t get excited yet though, it wont do anything just yet.


NetScaler Gateway

So now for the complicated but.  You now need to create all the session policies for clientless access and for WorxHome and Storefront etc.  The following document describes the process and I would suggest following it to the letter.  I have personally run through this document over 10 times due to testing etc and can say – it is brilliant.

Now there is a wizard on the NetScaler for setting up a gateway for Enterprise Applications but I would recommend following this instead.  If for no other reason that you can give the policies a name that actually means something !!

Also, the above document assumes that you have a Citrix StoreFront instance running as well as AppController etc.  If you don’t have that then its not a problem – just leave the StoreFront stuff out of the config.

Another point worth mentioning is that on all requests for the NetScaler Gateway during the above document make sure you enter the port as well as the dns name.  i.e:

Finally, add an internal dns record for the same name to point to the internal interface of your NetScaler Gateway – this will make the callback procedure run a lot smoother.

Once this is done you can download WorxHome from your mobile device and enrol.


Citrix Worx Home

You are now ready to add applications to AppController and configurations to XenMobile.  In order to use the MicroVPN function you WILL have to wrap WorxMail and WorxWeb.  The AppController will not tunnel traffic unless you do this.  I have written a document on doing this here.

Thats it, hopefully this will help someone out and prevent them having to go through the same pain I did to get this working.  I am sure there are other ways of doing this such as re-directing the XenMobile external ports etc but this seems to work well for me.




8 thoughts on “How to present Citrix XenMobile 8.6 and AppController 2.9 Externally from a single IP Address

  1. web design company

    After I initially left a comment I appear to have
    clicked the -Notify me when new comments are added- checkbox and
    from now on whenever a comment is added I recieve 4 emails with the same comment.
    Is there an easy method you are able to remove me from that
    service? Thank you!

    Here is my blog – web design company

  2. Andy Hansen

    I followed your seteps and then just got stumped when you said “The first thing you want to do is set up 2 firewall rules to forward traffic to XenMobile” Can you advise how to set these rules up as they are the key to redirecting traffic to the two virtual servers…. Assuming that it is the same process for the 4444 port gateway as well Thanks Andy

    1. Andy Hansen

      After a nights sleep I now understand you mean the Firewall on your router redirecting the port not on the netscaler. Thanks for the blog

        1. Andy

          I have got MDM setup and working through the netscaler, I have got App controller setup and internally works fine. I got the gateway access via my external IP and 444 as per your picture and I can access MDM through the load balancer. If I just have MDM it works fine if I connect Appcontroller I get an error on the device “Problem connecting” Access to your company network is not currently available… I just think that MDM is not telling the client to go to the gateway on port 444…..Any ideas where to troubleshoot? I have no storefront at the moment so just trying to connect via worx home. Thanks in advance

          1. Andy

            Below is a section from my work home log, it appears MDM is telling works home to use 443 port,did you have to change this somewhere in MDM?
            ForbidJB = 0;
            MaxProtocolVersion = 11;
            NeedsCaOnDevice = 1;
            SecurePort = 443;
            “appc_url” = “”;
            iosInternalTxtEnabled = 0;
            “mdm_required_flag” = 1;

    1. Bretty Post author

      Hi there,

      You will have 2 URL,s pointing to the same IP address once it configured. 1 for mobile registration and one for your NetScaler Gaterway. Im my case i use for the NetScaler Gateway and for the WorxHome registration process.

      Hope this helps,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.