Intro:
Citrix Cloud XenMobile Service is essentially XenMobile hosted on Citrix Cloud which is hosted on AWS Cloud (Migration to Microsoft Azure for Citrix Cloud backend services is ongoing but most probably some services will remain on AWS for some time because of its initial design). Everything related to EMM XM management is done from the cloud and no management servers are required on-premise, even the public IP required for MDM is hosted on Citrix Cloud. This provides Ease of management, Ease of deployment, Native high availability, Enhanced security, and Better Pricing.
Citrix future strategy is for customers to start embracing cloud deployments.This is very clear with recent Citrix offerings in terms of XenApp and XenDesktop Cloud Service, XenMobile Service, ShareFile Service, Gateway as a service, App layering, and smart tools all offered as cloud services . XenDesktop Essentials and XenApp Essentials just shows the level of Citrix commitment and integration to cloud in general and Microsoft in specific ( In the hopes they will eventually buy ). More so partners are now encouraged by Citrix to lead with Cloud hosted deployments and the promotions/incentives offered are really tempting.
XenMobile Cloud Service can be licensed independently in different flavors each offering specific services at different prices as listed below or within a WorkSpace Suite Service license which would include all Citrix cloud services for a list price of 338$ per user annually :
Citrix Cloud XenMobile Service still requires two components on-premise that being a physical or cloud hosted Datacenter, First Citrix Cloud Connector must be installed on 2 different machines for HA which would provide authentication/resource location services and second NetScaler gateway to allow access to internal services hosted on-premise ( Mail, Documents, Web Apps, … ). NetScaler Gateway As a Service for XenApp and XenDesktop Services is already available for a price but for XenMobile I heard that they are working on it but nothing official, removing the on-premise requirement for NetScaler and utilize Cloud connector for all services would be a major undertaking and if possible a great advantage over other “cloud native” solutions. The architecture would look like this:
Enough said, I had the pleasure of gaining access to all cloud services recently through our Citrix channel ( Thanks Eyad )and for this post I am going to walk you though an end to end Citrix XenMobile Cloud Service deployment including on-premise NetScaler configuration to get MDM/MAM with Secure Apps up and running in no time and with no hassle in a production environment. Note that this is deployed locally and not hosted on a cloud, if your NetScaler is hosted on Azure, some NetScaler config changes need to be done which I will tackle in a later post especially in an NS HA deployment on azure even if Multi NIC/IP is configured as an Azure LB needs to front the NS Gateway for XM.
When XenMobile Service subscription is enabled, Citrix will schedule a call to walk you through activating the subscription and choosing the subdomain for MDM enrollment which is hosted at Citrix, it may take an hour or so after the call for the site to be activated and an email will be sent confirming the same. Now Citrix can help you with the configuration I guess but for the sake of it, better to know how things fall in place in-case of redeployment or any faced issues later on.
Note that MDM URL will be provided by Citrix in the format of X.cloud.com and MAM URL will be hosted on your on-prem NetScaler. For enrollment, in order to avoid using the Citrix provided URL which might not suite many, auto-discover service would be enabled to allow users to enroll using their email.
Prerequisites:
-
Citrix Cloud account with XenMobile service subscription. ( Citrix.cloud.com ).
-
Two domain joined Virtual Machines Server 2012 R2 or Server 2016 for Citrix Cloud Connector. Port 443 outbound open to the internet.
-
Two licensed NetScaler VPX in HA mode. (HA, Certificates, Name Server, and license need to be added initially).
-
One public IP for NetScaler Gateway. (Nated).
-
One Private IP for NetScaler Gateway and One Non-Routable IP ( Just an internal NetScaler IP ) for NetScaler LB virtual server.
-
Two Public DNS sub-domains (One for MDM which is optional and one for MAM).
-
Trusted public certificate.
- If you have a proxy make sure to set in IE and then run this command from an administrator CMD before installing cloud connector: netsh winhttp import proxy source =ie
Configuration:
Step 1: Install Citrix Cloud Connector on two domain joined virtual machines. Login to https://citrix.cloud.com/login , On The Left menu navigate to Resource Locations , click on the + Citrix Cloud Connector , Download the connector and install on both virtual machines ensuring that they have internet access and port 443 outbound is open. The connector needs to contact AD & DNS servers as well so make sure access is open. While installing the connector it will ask for Citrix cloud credentials after which it will take about 10 to 15 minutes to establish an connection. Finally check in Resource Locations if both installed connectors appear with a green checkmark and navigate to Identity and Access management using the left menu and make sure your domain forest name is showing correctly.
Step 2: On the left menu navigate to XenMobile Service , we are presented with three steps to complete before XenMobile service is operational. First we need to specify site settings so click on start for step 1 , choose the site name ( this will be your MDM enrollment URL, later we will create a subdomain with our public domain that will point to this site, CNAME does NOT work ) , choose a region nearest to your datacenter , subnet address will be provided by a Citrix personnel while on the onboarding call or by email , click next. An hour later an email will be sent that the site has been setup and ready for configuration.
Second for step 2 it will ask for Resource Location setup which we already configured earlier but you have to press the Set up Location tab then it will forward you to the Resource Location page, you don’t have to do any additional task there so just go back to XenMobile service page when you receive confirmation email that the site has been setup and you will find the third step 3 tab Configure accessible.
Step 3: Now that our XenMobile is setup, navigate to XenMobile Service and press on Configure, This will forward us to the initial XenMobile configuration page which will ask for 4 configuration steps. Unfortunately I missed to take snapshots for those configurations because I just pressed next and did not configure anything because all of these configurations can be completed after the wizard is finished and this is exactly what we are going to do. So just press next on the initial screens and lastly you will be presented with the normal XenMobile page we all are used to same as on-premise after which we will navigate to settings to configure Certificates, LDAP, NetScaler Gateway, and optionally notification server.
Navigate first to Settings tab on the upper right in XenMobile service console, click on LDAP, by default the domain configured with the connectors is visible, click on it, verify information ( no LDAP service account or password is required ), I changed User search by to sAMAccountName again totally up to you and save.
Second navigate to Certificates, since Citrix use there own public domain for MDM site there is no need for a public certificate for the same but we need to add the following to make sure MAM and backend applications work correctly. Add an APNS certificate to support IOS device enrollments and Add local domain root CA to ensure backend services work fine.
Third navigate to NetScaler Gateway, press on ADD, name your gateway and insert the External URL ( This is the MAM URL which will resolve to a public IP hosted on your router and Nated to the internal IP of the NetScaler Gateway on-premise ) , Ensure Password Required and Set as Default are ON then Save. click on the checkmark beside the newly created Access Gateway and click on Export Configuration Script, download it then Save.
Step 4: Now we need to configure the on-premise NetScaler using the download configuration script. The configuration script needs to be edited to reflect NetScaler Gateway IP, Non-Routable IP, LDAP service account and password, and the certificate to be assigned to the NetScaler gateway that will be created. First we need to verify that the deployed NetScaler is licensed, certificates added, NSIP and SNIP configured, and Name server added. Make sure the root certificates are added and linked correctly.
Second edit the Configuration Script downloaded earlier, upload to NetScaler , and apply to check the configured outcome. The “ NSXConfigBundle_CREATESCRIPT” needs to be edited through NotePad++ then the script uploaded to NetScaler /var folder , the two provided certificates uploaded to NetScaler /nsconfig/ssl folder , and the script deployed using NetScaler Bash Shell.
Open the script in NotePad++ , choose Replace All, and change the listed below variables:
This IP can be a non-routable IP since its only required for Inter-NetScaler communication but for the sake of testing I specified a routable IP on the same subnet as the gateway.
One note here is that just put the LDAP username without the @domain because it is already embedded in the script.
Another note For the certificate name is it should include the .cer .
Using WinSCP upload the configuration script and certificates provided.
Now open Putty , SSH to NetScaler, Login, Go into Shell Mode and apply the following script command:
Time to verify what the script has created on the on-premise NetScaler and verify all services are functional.
For some reason both LDAP policies created had the Server Name pointing to domain.local which is fine but it was not resolving, I changed both to the IP of my AD server instead of domain.local . Test to make sure LDAP is contactable and if you get an error stating that credentials provided are not correct just ignore it as its a bug and authentication will work fine.
Verify STA connecting to XenMobile MDM service on cloud port 8443 is up. If not verify NetScaler subnet IP has outbound 8443 internet open.
Step 5: Create a NAT rule for the public IP used for MAM access gateway URL to point to internal IP used for NetScaler Access Gateway Virtual Server , create a subdomain of your choice pointing to the provided XenMobile Service URL which was configured on the cloud service initially , and verify all pages are functional.
Step 6: Navigate back to Citrix Cloud XenMobile Service management console. For Testing I will create couple of device policies ( Location, Samsung MDM Key, and App inventory ) applying it to all users. I will also publish SecureWeb from Play Store with an internal web link to make sure backend services are operational through the NS gateway.
Step 7: Test, Test, & Test. Using an android device. Download Secure Hub and Enroll. Add SecureWeb and access internal web link.
For some reason using SideSync to mirror mobile to laptop when opening the internal page within SecureWeb was showing black but when shown in tab mode you can see that my internal vcenter management page using my internal domain FQDN is showing from within SecureWeb so everything is working as expected in terms of on-premise gateway.
Conclusion:
The whole setup took about an hour which is much less than what it would have taken to deploy XM locally since SQL HA, Hypervisor HA, and much more firewall work had to be done. The only missing part of the puzzle I would like to see soon is Gateway As A Service for XenMobile Service which would eliminate the need for an on-premise or cloud hosted NetScaler maintained by customer. Next step would be to configure XenDesktop integration with XM and ShareFile integration as well.
Let me know your thoughts.
Salam .
well done!
Thanks Biju very much appreciated .
Nice and very informative one !
Nice and very informative one !
Salam ?
Hello excellent article!
Could you please elaborate on a two VPX setup and IP addressing?
We are in the provisioning process and I want to make sure we are setting this up properly for Netscaler HA.
Thanks.
It depends on how and where NetScaler is being deployed. If its 2 on-premise NetScalers with HA Active-Passive , nothing needs to be changed , Finalize the configuration as detailed and after that add the second NetScaler in an HA pair and all config will replicate from the configured NS to the 2nd one.
Very well done, Saadallah Chebaro.
Recently, I deployed and configured the Citrix Cloud XenMobile Service, and because of the scripting that Citrix puts together, it took no time at all.
I came to your article through a google search, looking for info on configuring smtp notifications from internal Exchange relay, because the the “Rapid Deployment Team”, are busy, so I can’t seem get a straight answer from them.
Again, wonderful article.
Hi Adam,
interestingly enough I haven’t tried that yet. The question here if Cloud connector would pass SMTP traffic to the internal network and back to Citrix Cloud. Let me give it a try and will let you know.