XenMobile Enterprise Edition includes multiple Citrix components which can result in many different integration issues. In this session we will review the top integration issues and discuss the recommended troubleshooting and prevention steps for each issue.
What you will learn:
- Device Manager and App Controller integration best practices
- NetScaler configuration troubleshooting - SSL Bridge vs. SSL Offloading
- Device Manager enrollment - using a 3rd party certificate
Good afternoon everyone and welcome to the afternoon sessions at TechEdge.
Here are the core components which a XenMobile Enterprise solution would usually consist of.
The device represents an external mobile device, be it a tablet or a smartphone. On the device, the user has downloaded Worx Home, to be able to access the XenMobile environment. Worx Home is a single unified app, supporting both XenMobile Device Management enrollment of the device as well as a Mobile applications management mode, with the ability to deliver apps to the device. Worx Home can be seen as the orchestrator app which allows users to gain access to both their work apps and data, and these apps can be mobile, web, saas and even windows apps, as well as managing encryption keys, providing micro-VPN sessions and managing MDX policies.
As the device is usually in an untrusted network, using a 3G, 4G or a public Wi-Fi network, we would place a NetScaler to handle the traffic between the external environment and the internal one. The NetScaler load balancer is used to load balance multiple device manager servers as well as handle the external connection, allowing the MDM server to be placed in the internal network. The NetScaler is also used to provide a SSL VPN gateway, allowing user authentication at the perimeter.
We also have the AppController on the internal network for applications management which is where you’d deploy the Worx applications, configure the application policies and decide who gets access to which applications through AD membership entitlement rules.
Now in terms of authentication flow, on first use (next slide)
the user will enter either their email address which will drive an autodiscovery to identify which is the right backend MDM server the user will connect to or the user can insert the server URL details themselves. Another option is to use an invitation URL which the user can click on which will open up the logon page.
Regardless of the enrollment method used, the user will provide their credentials to allow the MDM server to identify the user. This could be the AD username and password or could be a one time passcode, something that will allow the MDM server to identify who the user is.
This will drive a connection to NetScaler load balancer. Specifically here we have two SSL virtual servers, one over port 443 and the other over port 8443. With XenMobile 8.6, we now have the ability to allow the NetScaler load balancer to handle the SSL offload of the connection, with the load balancer terminating the connection and creating a new connection over port 80 to the XDM server, which now reside within the internal network.
Another benefit of this configuration is that with SSL offload on the NetScaler, this reduces the load on the XDM servers by saving a lot of CPU processing time, allowing for better scalability and also making the NetScaler the de-facto authentication point for all XenMobile traffic.
The traffic flow to the XenMobile Device Manager containing the user credentials allows XenMobile Device Manager to identify and authenticate the user. Once the user has been authenticated through an LDAP connection, the device manager will enroll the device and keep track of that device, using a device certificate, post enrollment which is installed on the user’s device.
Once the device is enrolled the Device manager will create an internal mapping between the user LDAP identity and the device identity verified by the device certificate as part of the enrollment. This mapping will allow any policies associated with that user account to be deployed to the device as well as any applications and additional security settings, including the NetScaler Gateway Virtual Server URL.
After MDM enrollment, Worx Home will try to authenticate to the NetScaler Gateway Virtual server, which is protecting access to the XenMobile App Controller and all Worx applications, using the gateway URL it received from the XenMobile device manager after enrollment.
The gateway will utilize the user credentials received from Worx Home to authenticate the user. With XenMobile 8.6, we introduced multi-domain support for App Controller and it is actually the NetScaler Gateway which will be responsible for authenticating the users for each of the different domains specified.
After the NetScaler validates the user’s identity, the NetScaler triggers an internal request to App Controller, along with the user’s ID and domain.
The App Controller will look up the user’s group membership on AD, to identify what set of apps the user is entitled to and uses this information to populate a built-in web store with the list of applications that the user has access to.