XenMobile App and Enterprise
Adolfo Montoya, Lead Support Readiness Specialist
July, 2013

Agenda
• App vs. Enterprise
• Architectural overview
• End-user experience
• Deployment options
• Troubleshooting

© 2013 Citrix | Confidential – Do Not Distribute

XenMobile App and Enterprise Editions

App Edition
Use case
• Mobile application management
• Federated single sign-on
• Secure email
• Secure browsing
• Automated account provisioning
• Workflow
• Policy based interapp security
• App specific microVPN
• Unified corporate app store
Client Side: Worx Home, Receiver, WorxMail, WorxWeb
Server Side: App Controller, NetScaler Gateway

App Edition
[Architecture diagram; labels: ShareFile, XMA, Worx Home, Optional XenApp / XenDesktop, NetScaler, SF/WI, Receiver, DMZ]

Enterprise Edition
Use case
• All MDM Edition use cases
• All App Edition use cases
• Secure document sharing, syncing & editing
Client Side, Server Side: Worx Enroll, Worx Home, WorxMail, NS Gateway, WorxWeb, ShareFile, Receiver, MDM Server, App Controller

Enterprise Edition
[Architecture diagram; labels: ShareFile, XNC, Worx Enroll, XDM, Receiver, Optional XenApp / XenDesktop, NetScaler, XMA, Worx Home, DMZ, SF/WI]

[Feature table; columns: MDM Edition, App Edition, Enterprise Edition. Features listed:]
• Configure, secure & provision mobile devices
• One-click live chat & support
• Access SharePoint & network drives
• Secure mobile web browser
• App-specific micro VPN
• Secure mail, calendar and contacts app
• Enterprise-enable any mobile app
• Seamless Windows app integration
• Unified corporate app store
• Multi-factor single sign-on
• Secure document sharing, sync & editing
• Both cloud & on-premises data storage options

ShareFile Feature Comparison
[Table; columns: Features, XM-MDM (SF-Standard*), XM-App (SF-Standard*), XM-Enterprise (SF-Enterprise). Features listed:]
• Read access to File shares and SharePoint
• AD authentication
• Data encryption
• MDX-wrapped client
• ShareFile Enterprise Features: Worx Mail integration, Cloud and customer-managed StorageZones, Editing, Annotations, External Sharing, Windows and Mac Sync, Outlook plug-in, Web-browser access from Sharefile.com, time-expiry, Request file, FTP access, usage reporting
*Note: ShareFile Standard is not a standalone product. Name is used to describe ShareFile features for MDM and App editions

Citrix Mobility Product Line
XenMobile MDM Edition (Cloud or On-premise)
• XM Device Manager
• XM NetScaler Connector
• ShareFile Standard
• GoToAssist Integration
XenMobile App Edition (Formerly CloudGateway)
• XM App Controller 2.8
• NetScaler Gateway 10.1
• StoreFront 2.0 (optional)
• ShareFile Standard
XenMobile Enterprise Edition (Integrated Solution)
• XM MDM Edition
• XM App Edition
• ShareFile Enterprise (Cloud or On-premise)
• GoToAssist Integration

XenMobile App Controller Review

What is App Controller?
• Virtual VM running Linux OS
• Supported on
  ᵒ XenServer 5.6 FP1 or later
  ᵒ Hyper-V 2012
  ᵒ VMware ESX 4.x or later
• Provides access to
  ᵒ Web/SaaS
  ᵒ Intranet sites
  ᵒ MDX-wrapped apps
  ᵒ Public store links
  ᵒ ShareFile
• Supports High Availability (Active/Passive)
• Supports Clustering (Active/Active)

What is App Controller?
• Supports remote access
  ᵒ NetScaler Gateway 10.1*
• Supports Windows apps access
  ᵒ StoreFront 1.2 or 2.0
  ᵒ Web Interface 5.4 (IIS)
  ᵒ VDI-in-a-Box 5.3
• System requirements
  ᵒ 2 vCPU
  ᵒ 4 GB of RAM
• Scalability
  ᵒ 10,000 concurrent users per App Controller
*NetScaler Gateway 10.0 is not compatible with App Controller 2.8

Receiver for Web vs. Store
Receiver for Web
• Receiver for Web = Web-browser site
• Built-in site /Citrix/StoreWeb
• Beacons are not applicable
• Provides Provisioning File (e.g.
ReceiverConfig.cr)

Receiver for Web vs. Store
Store
• Store = Services site
• Built-in store - /Citrix/Store
• Beacons are applicable
• Windows / Mac
  ᵒ Receiver for Windows 3.4+
  ᵒ Receiver for Mac 11.7+
• iOS / Android
  ᵒ Receiver for iOS 5.7+
  ᵒ Receiver for Android 3.3+
  ᵒ Worx Home 8.5

Account Management
[Labels: Connectors, SAML, FormFill]

Web/SaaS App Launch (Form-fill) Communication Flow
[Overlaid HTTP captures; participants: Client, LinkedIn, App Controller (appc25lb.amc.ctx). Recoverable elements:]
• Receiver request (User-Agent: CitrixReceiver Windows/6.1 SelfService/3.4.0.33684 (Release)) to https://appc25lb.amc.ctx/Citrix/Store/prelaunch/app with an Authorization: CitrixAuth header
• GET and POST requests with a browser User-Agent (Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)) to https://appc25lb.amc.ctx/webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1&tok=…
• HTTP/1.1 200 OK responses (Server: Apache-Coyote/1.1), one setting an OCAJSESSIONID cookie (Path=/; HttpOnly; Secure) and one returning an HTML form with name="loginForm", action="https://www.linkedin.com/uas/login-submit", method="post" and hidden inputs signin, source_app, sourceAlias, csrfToken, session_redirect, session_password and session_key
• POST https://www.linkedin.com/uas/login-submit (Content-Type: application/x-www-form-urlencoded) carrying those form fields, including session_password and session_key

Authentication System – Basics
[Diagram; labels: App Controller, "App Enumeration", Windows Apps, Web, SaaS…, Denied, (talk to Auth), Store Services, Trust, Auth Service, Active Directory]

NetScaler Gateway Single Sign-on
• NetScaler Gateway Single Sign-on (SSO), or callback, is used by StoreFront or App Controller to request the user's credentials from NetScaler Gateway
• Callback URL requires a secure connection (HTTPS) back to the AG virtual server that authenticated the user (most cases)
• Callback URL can be another AG virtual server on the same AG VPX/MPX
• Example: https://AG-VIP-FQDN/CitrixAuthService/AuthService.asmx (case sensitive)

Before AG SSO happens…
• StoreFront Services or App Controller must trust the incoming Gateway communication
• However, StoreFront and App Controller differ in what they check in the request coming from NetScaler Gateway
• Example:
  ᵒ StoreFront checks for three different parameters inside the HTTP Header:
    • X-Citrix-Via: this parameter will contain the AG FQDN the end-user entered in their web browser or Receiver. (ie. X-Citrix-Via: ag.example.com)
    • X-Forwarded-For: this parameter will contain the SNIP/MIP of Access Gateway. (ie. X-Forwarded-For: 192.168.10.10)
    • Remote Address: this parameter will contain the client IP address. Majority of times, this value is never used by StoreFront

Before AG SSO happens…
• App Controller instead expects the AG Header (ie.
X-Citrix-Via: ag.example.com) from NetScaler Gateway
• App Controller does not have a method to check the SNIP/MIP address
• Example:
  ᵒ App Controller checks for one parameter inside the HTTP Header:
    • X-Citrix-Via: this parameter will contain the AG FQDN the end-user entered in their web browser or Receiver. (ie. X-Citrix-Via: ag.example.com)

What to check?
App Controller
• Ensure External URL matches the AG URL users will enter in their web browsers or Receiver
• Callback URL needs to resolve back to the AG that authenticated the end-user

Account Management
Automatic Provisioning
[Diagram; labels: Active Directory, What privilege on application?, Sync, Auth, Create, AppController, Log, Reporting Systems, Users, Any app specific security rules?, Additional approvals required before creating account?]

Account Management
Configure Automatic Provisioning

App Controller HA connections
[Diagram; labels: App Controller HA, Mobile Apps, TCP 9736, Active, HTTPS 443 (AppC VIP), Web & SaaS Apps, Worx Home, Standby, ShareFile Data]

App Controller HA
• Define Role Preference
  ᵒ Primary
  ᵒ Secondary
• Define VIP, Peer IP and Shared Key
  ᵒ IP address for VIP
  ᵒ IP address of secondary AppController
  ᵒ Enter shared key that both App Controllers will share to trust each other
• Enable/Disable Appliance Failover
• Show current status of Appliance Failover

Considerations
• App Controller in appliance failover does not require a load balancer – ie. NetScaler
• App Controller synchronizes the following information
  ᵒ User passwords database
  ᵒ Web/SaaS/Mobile/ShareFile information
  ᵒ Devices
  ᵒ Workflows
  ᵒ SSL certificates
• Once appliance failover occurs, the new active App Controller will send an ARP broadcast updating the MAC address of the VIP

App Controller Device Registration

What is it?
• Requirement to have more control over ‘Apps’ deployed to mobile devices
• Receiver needs to communicate with App Controller either directly, or through NetScaler Gateway
• Receiver ‘checks in’ to the App Controller when it starts
• Management functions are:
  1. Device Registration
  2. Device Lock or Wipe
  3. Device Update

DMS
• Device Management Service: runs on App Controller and processes requests from Receiver clients
• Upon a successful registration, it returns a Device ID which is used by Receiver in subsequent requests

Workflows

What is it?
• Workflow is also known as “Application Provisioning”
• End-users request app access from their direct manager or an ‘approver’
• App Controller will contact employee’s manager or approver via email
• Workflows can be applied to:
  ᵒ Web/SaaS apps
  ᵒ iOS/Android mobile apps
• It only works with Citrix Receiver connections to a store

Web & SaaS Apps

Mobile Apps

Manager vs. Approvers
• Two ways to support approvals
  ᵒ Send email to employee manager (up to 3 levels)
  ᵒ Send email to approver
• If manager approval is selected make sure employee’s manager is defined on Active Directory
• Additional approvers can be anyone from Active Directory

Workflow approvals via Email
How does it work?
Employee

Workflow approvals via Email
How does it work?
Manager

Workflow approvals via Email
How does it work?
Employee

Receiver for Windows 3.3 vs. 3.4+
[Screenshots: Receiver for Windows 3.4+, Receiver for Windows 3.3]

Considerations
• Workflow email requests to Managers / Approvers may take between 1-15 minutes approx.
• Not supported via Receiver for Web sites
• If one of the Managers or Approvers does not accept (or respond to) the app request, the end-user cannot subscribe to the app
• Preferably use the latest Citrix Receivers (mobile or desktop)
  ᵒ Receiver for Windows 3.4 or later
  ᵒ Receiver for Mac 11.7 or later
  ᵒ Receiver for iOS 5.7.1 or later
  ᵒ Receiver for Android 3.3 or later

XenMobile App Controller Version 2.8

What’s New?
• Integration with XenMobile MDM server
• Integration with GoToAssist
• Integration with StoreFront
• Integration with NetScaler Gateway 10.1
• Worx Store Branding
• End-user experience

Remote Access Scenarios (NetScaler Gateway 10.1)

NG + App Controller only
• Ideal for Enterprise customers that want application management
• Customers create Enterprise MDX-app store
• Clientless access (CVPN) is required
• NetScaler Gateway needs Universal Licenses

NG + AppController + MDM
• Ideal for Enterprise customers that want application and device management
• Customers create Enterprise MDX-app store
• Clientless access (CVPN) is required
• NetScaler Gateway needs Universal Licenses

NG + App Controller + MDM + StoreFront
• Ideal for Enterprise customers that want application and device management, plus unified store
• Clientless access (CVPN) is required
• NetScaler Gateway needs Universal Licenses

Mobile Platforms
Worx Home for iOS / Worx Home for Android

Remote Access iOS
• Worx Home for iOS includes the following header info
  ᵒ User-Agent = CitrixReceiver
  ᵒ VpnCapable (for MicroVPN)
  ᵒ X-Citrix-Gateway: https://NetScalerGateway-FQDN

    POST /cgi/login HTTP/1.1
    Host: agdara.amc.ctx
    X-Citrix-Gateway: https://agdara.amc.ctx
    User-Agent: CitrixReceiver/com.zenprise.zpmdmbeta iOS/8.5.0 (build 8.5.0.163) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-us
    CONTENT_LENGTH: 28
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 28
    Connection: keep-alive
    CONTENT_TYPE: application/x-www-form-urlencoded

Remote Access iOS
• Worx Home name is included in other parts of communication

    GET /vpn/index.html HTTP/1.1
    Host: agdara.amc.ctx
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: Worx%20Home/8.5.0.163 CFNetwork/609.1.4 Darwin/13.0.0
    Accept-Language: en-us
    Accept: */*

Remote Access Android
• Worx Home for Android includes the following header info
  ᵒ User-Agent = CitrixReceiver
  ᵒ VpnCapable (for MicroVPN)
  ᵒ X-Citrix-Gateway: https://NetScalerGateway-FQDN
• No Worx Home name in User-Agent!

    POST /cgi/login HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: en-US, en
    User-Agent: CitrixReceiver/1.0 Android/4.3 JWR66V VpnCapable
    Cookie: pwcount=0;
    X-Citrix-Gateway: https://agdara.amc.ctx
    Content-Length: 28
    Host: agdara.amc.ctx
    Connection: Keep-Alive
    Accept-Encoding: gzip

Worx Home vs.
Receiver
[Table; columns: Feature, Worx Home / Enroll, Receiver. Features listed:]
• MDM Registration
• AppC Registration
• GoToAssist remote support
• Provisioning File
• Email-based account discovery
• MDX apps access
• HDX apps access
• Secure Browse support
• MicroVPN support

Remote Access
How do I configure my mobile client?
[Table; labels: Mobile Receivers, Provisioning File, Email-based Account discovery, NetScaler Gateway FQDN; clients listed: Worx Home 8.5 (iOS/Android), iOS 5.8, Android 3.4, Win8/RT 1.3]

Deployment Modes
• Types of deployment
  ᵒ Local connections only
  ᵒ Local and remote connections via NetScaler Gateway
• StoreFront integration may be used in some scenarios
• Note: Worx Home client is unable to communicate with StoreFront store

XenMobile Deployments
NG + AppController only
[Diagram; labels: App Controller, NetScaler Gateway, Internet, DMZ, LAN]

Remote Access AppController Configuration
• Define Deployment
  ᵒ Enable = Yes
  ᵒ Display name
  ᵒ Callback URL = https://AGFQDN
  ᵒ External URL = https://AGFQDN
  ᵒ Logon type
    • Domain only
    • Security token only
    • Domain and security token

Remote Access Simplified Wizard
• Two ways to initiate the wizard
  ᵒ NetScaler Gateway > Enterprise Store
  ᵒ Deployment type > NetScaler Gateway*
*Assuming you don’t have any virtual servers

Remote Access Simplified Wizard
• Select XenMobile
• Enter App Controller FQDN

What gets created?
Simplified Wizard
• Virtual Server name
• IP address
• Mode = SmartAccess

• SSL certificate

• LDAP authentication policy

• Three session policies bound to the virtual server
  ᵒ Receiver connections
  ᵒ Receiver for Web connections
  ᵒ Access Gateway Plugin connections

• Native Receiver connection policy
• Native Receiver connection profile
  ᵒ Split Tunnel = OFF
  ᵒ Session Time-out (mins) = 1440 (1 day)
  ᵒ Clientless Access = ON
  ᵒ Clientless Access URL Encoding = Clear
  ᵒ Single Sign-on to Web Applications = checked
• Native Receiver connection profile
  ᵒ ICA Proxy = OFF
  ᵒ Web Interface Address = https://AppC-FQDN
  ᵒ Single Sign-on Domain = domain
    • Need to be defined manually if you don’t want UPN auth
  ᵒ Account Services Address = https://AppC-FQDN

• Receiver for Web connection policy
• Receiver for Web connection profile
  ᵒ Home Page = https://AppC-FQDN/Citrix/StoreWeb
  ᵒ Clientless Access = ON
  ᵒ Plug-in Type = Java
  ᵒ Single Sign-on to Web Applications = checked
• Receiver for Web connection profile
  ᵒ ICA Proxy = OFF
  ᵒ Web Interface Address = https://AppC-FQDN/Citrix/StoreWeb
  ᵒ Single Sign-on Domain = domain
    • Need to be defined manually if you don’t want UPN auth

• Access Gateway Plug-in connection policy
• Access Gateway Plug-in connection profile
  ᵒ Home Page = https://AppC-FQDN/Citrix/StoreWeb
  ᵒ Split Tunnel = OFF
  ᵒ Clientless Access = Allow
  ᵒ Clientless Access URL Encoding = Clear
  ᵒ Plug-in Type = Windows/Mac OS X
  ᵒ Single Sign-on to Web Applications = checked
• Access Gateway Plug-in connection profile
  ᵒ ICA Proxy = OFF
  ᵒ Web Interface Address = https://AppC-FQDN/Citrix/StoreWeb
  ᵒ Single Sign-on Domain = domain
    • Need to be defined manually if you don’t want UPN auth
  ᵒ Account Services Address = https://AppC-FQDN

• Two clientless access policies get created
  ᵒ Receiver connections
  ᵒ Anything else – ie. Receiver connections, Receiver for Web

• Receiver connections clientless access policy
• Rewrite tab
  ᵒ Nothing selected
• Finding URLs tab
  ᵒ Nothing selected
• Client Cookies tab
  ᵒ Nothing selected

• Receiver for Web connections clientless access policy
• Rewrite tab
  ᵒ URL Rewrite = ns_cvpn_default_inet_url_label
• Finding URLs tab
  ᵒ Nothing selected
• Client Cookies tab
  ᵒ Cookies created
• Pattern set for App Controller cookies
  ᵒ CsrfToken = index 1
  ᵒ ASP.NET_SessionId = index 2
  ᵒ CtxsPluginAssistantState = index 3
  ᵒ CtxsAuthId = index 4

• Secure Ticket Authority defined for WorxMail
  ᵒ https://AppC-FQDN

• Clientless Access domains defined
  ᵒ Allowed Domains
    • App Controller FQDN

• Finally, AppController URL binding at the AG virtual server level (not Global!)

XenMobile Deployments
NG + AppController + MDM
[Diagram; labels: NetScaler Gateway, XM Device Manager, App Controller, Internet, DMZ, LAN]

Remote Access XDM Configuration
• Define App Controller Webservice configuration
  ᵒ Host Name = IP address or FQDN
  ᵒ Shared Key = alphanumeric value – ie.
Citrix or Citrix1234
  ᵒ Enable App Controller = checked

Remote Access AppController Configuration
• Define Deployment
  ᵒ Enable = Yes
  ᵒ Display name
  ᵒ Callback URL = https://AGFQDN
  ᵒ External URL = https://AGFQDN
  ᵒ Logon type
    • Domain only
    • Security token only
    • Domain and security token
• Define XenMobile Configuration
  ᵒ Host = XDM FQDN
  ᵒ Port = 80 or 443
  ᵒ Shared Key = alphanumeric value – ie. Citrix or citrix123
  ᵒ Instance Path = /zdm (default)
  ᵒ Allow secure access = Yes/No
  ᵒ Require Device Manager Enrollment = Yes/No

XenMobile Deployments
NG + AppController + MDM + StoreFront (A)
[Diagram; labels: NetScaler Gateway, XM Device Manager, App Controller, Internet, DMZ, LAN, StoreFront 2.0]

Remote Access XDM Configuration
• Define App Controller Webservice configuration
  ᵒ Host Name = IP address or FQDN
  ᵒ Shared Key = alphanumeric value – ie. Citrix or Citrix1234
  ᵒ Enable App Controller = checked

Remote Access AppController Configuration
• Define Deployment
  ᵒ Enable = Yes
  ᵒ Display name
  ᵒ Callback URL = https://AGFQDN
  ᵒ External URL = https://AGFQDN
  ᵒ Logon type
    • Domain only
    • Security token only
    • Domain and security token
• Define XenMobile Configuration
  ᵒ Host = XDM FQDN
  ᵒ Port = 80 or 443
  ᵒ Shared Key = alphanumeric value – ie. Citrix or citrix123
  ᵒ Instance Path = /zdm (default)
  ᵒ Allow secure access = Yes/No
  ᵒ Require Device Manager Enrollment = Yes/No
• Define Windows Apps
  ᵒ Host = StoreFront FQDN
  ᵒ Port = 80 or 443
  ᵒ Relative Path = /Citrix/<StoreName>/PNAgent/config.xml
  ᵒ Allow secure access = Yes/No

Remote Access StoreFront Configuration
• Define NetScaler Gateway
  ᵒ Display Name
  ᵒ NetScaler Gateway URL = External Gateway URL
  ᵒ Version
    • 10.0 (build 69.4) or later
    • 9.x
    • 5.x
  ᵒ Subnet IP address = (optional)
  ᵒ Logon Type
    • Domain
    • Security Token
    • Domain and Security Token
    • SMS authentication
    • Smart card
  ᵒ Callback URL = External Gateway URL
• Define Secure Ticket Authority (STA)
  ᵒ XenApp
  ᵒ XenDesktop
• Enable Remote Access to the store
  ᵒ No VPN tunnel
  ᵒ Full VPN tunnel

Remote Access NetScaler Configuration
• Define Secure Ticket Authority (STA)
  ᵒ XenApp
  ᵒ XenDesktop

Remote Access NG + AppController + MDM + StoreFront
• Pros
  ᵒ Single NetScaler Gateway VIP
  ᵒ Single store access
• Cons
  ᵒ Follow me apps do not work on Worx Home
  ᵒ Follow me apps for Windows do not work
    • Mobile devices
    • Desktop platforms

XenMobile Deployments
NG + AppController + MDM + StoreFront (B)
[Diagram; labels: Receiver (Win/Mac), NetScaler Gateway, StoreFront 2.0, XM Device Manager, WorxHome (iOS Android), Internet, DMZ, LAN, App Controller]

Remote Access XDM Configuration
• Define App Controller Webservice configuration
  ᵒ Host Name = IP address or FQDN
  ᵒ Shared Key = alphanumeric value – ie. Citrix or Citrix1234
  ᵒ Enable App Controller = checked

Remote Access AppController Configuration
• Define Deployment (NetScaler)
  ᵒ Enable = Yes
  ᵒ Display name
  ᵒ Callback URL = https://AGFQDN
  ᵒ External URL = https://AGFQDN
  ᵒ Logon type
    • Domain only
    • Security token only
    • Domain and security token
• Define Deployment (StoreFront)
  ᵒ Enable = Yes
  ᵒ Authentication Server = OFF
  ᵒ Web address = https://SF-FQDN
• Define XenMobile Configuration
  ᵒ Host = XDM FQDN
  ᵒ Port = 80 or 443
  ᵒ Shared Key = alphanumeric value – ie. Citrix or citrix123
  ᵒ Instance Path = /zdm (default)
  ᵒ Allow secure access = Yes/No
  ᵒ Require Device Manager Enrollment = Yes/No
• Define Windows Apps
  ᵒ Host = StoreFront FQDN
  ᵒ Port = 80 or 443
  ᵒ Relative Path = /Citrix/<StoreName>/PNAgent/config.xml
  ᵒ Allow secure access = Yes/No

Remote Access StoreFront Configuration
• Define Delivery Controller
  ᵒ Display Name
  ᵒ Type = AppController
  ᵒ Server = AppC FQDN
  ᵒ Port = 443
• Define NetScaler Gateway
  ᵒ Display Name
  ᵒ NetScaler Gateway URL = External Gateway URL
  ᵒ Version
    • 10.0 (build 69.4) or later
    • 9.x
    • 5.x
  ᵒ Subnet IP address = (optional)
  ᵒ Logon Type
    • Domain
    • Security Token
    • Domain and Security Token
    • SMS authentication
    • Smart card
  ᵒ Callback URL = External Gateway URL
• Define Secure Ticket Authority (STA)
  ᵒ XenApp
  ᵒ XenDesktop
• Enable Remote Access to the store
  ᵒ No VPN tunnel
  ᵒ Full VPN tunnel

Remote Access NetScaler Configuration
• Create a virtual server in SmartAccess mode
  ᵒ Clientless access will be used for StoreFront and App Controller
• Create three session policies
  ᵒ Desktop Receiver policy = redirects Win/Mac Receiver users to StoreFront store
  ᵒ Receiver for Web policy = redirects Win/Mac/mobile users to StoreFront’s Receiver for Web site
  ᵒ Worx Home policy = redirects iOS/Android Worx Home users to AppController’s store

• Desktop Receiver policy expression
  ᵒ (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows) || (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Mac)
• Desktop Receiver profile
  ᵒ Clientless Access = ON
  ᵒ Clientless Access URL Encoding = Clear
  ᵒ Single Sign-on to Web Applications = checked
• Desktop Receiver profile
  ᵒ Default Authorization Action = ALLOW
  ᵒ Secure Browse = uncheck
• Desktop Receiver profile
  ᵒ ICA Proxy = OFF
  ᵒ Web Interface Access = https://SF-FQDN
  ᵒ Single Sign-on Domain = domain
  ᵒ Account Services Address = https://SF-FQDN

• Receiver for Web site policy expression
  ᵒ REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
• Receiver for Web site profile
  ᵒ Home Page = https://SF-FQDN/Citrix/StoreWeb
  ᵒ Clientless Access = ON
  ᵒ Clientless Access URL Encoding = Obscure
  ᵒ Single Sign-on to Web Applications = checked
• Receiver for Web site profile
  ᵒ Default Authorization Action = ALLOW
  ᵒ Secure Browse = uncheck
• Receiver for Web site profile
  ᵒ ICA Proxy = OFF
  ᵒ Web Interface Address = https://SF-FQDN
  ᵒ Single Sign-on Domain = domain

• Worx Home policy expression
  ᵒ (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS zenprise) || (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver/1.0)
• Worx Home profile
  ᵒ Split Tunnel = OFF/ON
  ᵒ Session Time-out (mins) = 1440 (1 day)
  ᵒ Clientless Access = ON
  ᵒ Clientless Access URL Encoding = Clear
  ᵒ Plug-in Type = Windows/Mac OS X (MicroVPN)
  ᵒ Single Sign-on to Web Applications = checked
• Worx Home profile
  ᵒ Default Authorization Action = ALLOW
  ᵒ Secure Browse = checked
• Worx Home profile
  ᵒ ICA Proxy = OFF
  ᵒ Web Interface Address = https://AppC-FQDN
  ᵒ Single Sign-on Domain = domain
  ᵒ Account Services Address = https://AppC-FQDN

Remote Access NetScaler Configuration
• Verify you have two Clientless Access policies
  ᵒ Receiver/Worx Home connections
  ᵒ Anything else – ie.
Receiver for Web, Receiver/Worx Home connections © 2013 Citrix | Confidential – Do Not Distribute Remote Access NetScaler Configuration • Clientless Access domains defined ᵒ Allowed Domains • App Controller FQDN • StoreFront FQDN ᵒ Bind FQDNs via CLI (recommended) • bind patset ns_cvpn_default_inet_domains appc28.amc.ctx • bind patset ns_cvpn_default_inet_domains storefrontlb.amc.ctx © 2013 Citrix | Confidential – Do Not Distribute Remote Access NetScaler Configuration • Define Secure Ticket Authority (STA) ᵒ XenApp ᵒ XenDesktop © 2013 Citrix | Confidential – Do Not Distribute Remote Access NetScaler Configuration • Finally, AppController URL binding at the AG virtual server level (not Global!) © 2013 Citrix | Confidential – Do Not Distribute Remote Access NetScaler Configuration • Finally, AppController URL binding at the AG virtual server level (not Global!) © 2013 Citrix | Confidential – Do Not Distribute Remote Access NG + AppController + MDM + StoreFront • Pros ᵒ Single NetScaler Gateway VIP ᵒ Follow me apps for Windows will work for Win/Mac • Cons ᵒ Follow me apps do not work on Worx Home • Mobile devices © 2013 Citrix | Confidential – Do Not Distribute “Can I push MDX / Web and SaaS apps to mobile devices?” © 2013 Citrix | Confidential – Do Not Distribute Integration with XenMobile Device Manager • New option on App Controller ᵒ Require app installation • Works with App Controller and XenMobile Device Manager integration • Require app installation option can automatically subscribe/install Web/SaaS and MDX apps © 2013 Citrix | Confidential – Do Not Distribute Integration with XenMobile Device Manager • Host = IP address or FQDN of MDM server • Port = 80 or 443 • Shared Key = alphanumeric value – e.g. 
Citrix123 • Instance Path = /zdm • Require Device Manager Enrollment = recommended © 2013 Citrix | Confidential – Do Not Distribute Integration with XenMobile Device Manager Overview • App Controller will upload all MDX, public store apps, Web/SaaS to MDM server ᵒ Securely – HTTPS 443 ᵒ Non-secure – HTTP 80 • App Controller will upload the NetScaler URL or AppC URL for Worx Home • User requests access to MDX app, MDM will push it to the mobile device © 2013 Citrix | Confidential – Do Not Distribute 443 XDM XMA Integration with XenMobile Device Manager What is being uploaded? • If Require Device Management enrollment = Yes From App Controller to Device Manager POST /zdm/cxf/wsapi/configuration/mdmrequired HTTP/1.1 Accept: application/json Content-Type: application/json Authorization: Basic YWRtaW46Y2l0cml4 User-Agent: Jakarta Commons-HttpClient/3.0.1 Host: ftlvxmdm.amc.ctx Content-Length: 31 XDM Enrollment Required? Yes / No {"errorcode":0,"required":true} XMA © 2013 Citrix | Confidential – Do Not Distribute Integration with XenMobile Device Manager What is being uploaded? • If Require Device Management enrollment = Yes OK done! From Device Manager to App Controller HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=FFAEE9B40D6E797859A03C275E80B999; Path=/zdm/; HttpOnly Date: Fri, 09 Aug 2013 14:55:16 GMT Content-Type: application/json Content-Length: 53 XDM {"response":"mdm_required_flag properly set to true"} XMA © 2013 Citrix | Confidential – Do Not Distribute Integration with XenMobile Device Manager What is being uploaded? 
• If Google Play credentials saved in App Controller

From App Controller to Device Manager (diagram caption: Google Play Credentials)

    POST /zdm/cxf/wsapi/configuration/gplaycredentials HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    Authorization: Basic YWRtaW46Y2l0cml4
    User-Agent: Jakarta Commons-HttpClient/3.0.1
    Host: ftlvxmdm.amc.ctx
    Content-Length: 125

    {"gplay_credentials":{"store_login":"username","store_password":"password","android_id":"androidID"}}

From Device Manager to App Controller (diagram caption: OK done!)

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=6B7578836D06A6D51BFED315486D8089; Path=/zdm/; HttpOnly
    Date: Fri, 09 Aug 2013 14:58:39 GMT
    Content-Type: application/json
    Content-Length: 40

    {"response":"Credential properly saved"}

• Uploading apps
ᵒ If app already exists – HTTP 500 Error
ᵒ Otherwise, HTTP 200 OK

From App Controller to Device Manager (diagram caption: Uploading MDX / Web / SaaS)

    POST /zdm/cxf/wsapi/package/10cbccea-8d27-4cc9-86ed-d43e7078bc8b HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    Authorization: Basic YWRtaW46Y2l0cml4
    User-Agent: Jakarta Commons-HttpClient/3.0.1
    Host: ftlvxmdm.amc.ctx
    Content-Length: 323

    {"application":{"options":{"remove_when_mdm_removed":true,"prevent_backup_data":false},"id":"10cbccea-8d27-4cc9-86ed-d43e7078bc8b","type":"IPA","install_once":true,"required":false,"url":"https://appc28.amc.ctx:443/lscs/mobileapps/10cbccea-8d27-4cc9-86ed-d43e7078bc8b/WorxMail-Release-1.2-162.ipa?SID=7175718355373095794"}}

From Device Manager to App Controller (diagram caption: Already have it!)

    HTTP/1.1 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=88D0391354052CD4A12901521A02C22D; Path=/zdm/; HttpOnly
    Date: Fri, 09 Aug 2013 14:58:39 GMT
    Content-Type: application/json
    Content-Length: 64
    Connection: close

    {"error":{"description":"Package ID already exists","code":201}}

• Upload NetScaler Gateway URL
ᵒ If remote access is disabled, then the AppC URL is provided

From App Controller to Device Manager (diagram caption: AppC / NetScaler FQDN)

    POST /zdm/cxf/wsapi/configuration/appcfqdn HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    Authorization: Basic YWRtaW46Y2l0cml4
    User-Agent: Jakarta Commons-HttpClient/3.0.1
    Host: ftlvxmdm.amc.ctx
    Content-Length: 25

    {"fqdn":"agdara.amc.ctx"}

From Device Manager to App Controller (diagram caption: FQDN Set!)

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=2C4B7B47E6617751B700F1471068DBB0; Path=/zdm/; HttpOnly
    Date: Fri, 09 Aug 2013 14:58:40 GMT
    Content-Type: application/json
    Content-Length: 50

    {"response":"fqdn properly set to agdara.amc.ctx"}

Integration with GTA
• Support email = help desk email address
• Support phone = help desk phone number
• GoToAssist Chat = GoToAssist token for chat services
• GoToAssist Ticket = GoToAssist ticket generated from portal

Branding Your Store

Receiver Email Template
• Do not use this option for Worx Home!
• The Provisioning File (.cr) is only compatible with Citrix Receiver (mobile or desktop)

Google Play Store Apps
• To allow App Controller to download data from the Google Play store
• Typo on App Controller UI
• Type on Android phone dialpad *#*#8255#*#*

Secure Browse vs. MicroVPN

Secure Browse
• Client-side rewrite feature to access intranet sites
• Available on Receiver for iOS 5.6.1 or later
• Must use NetScaler Gateway 10 (build 69.4 or later)

MicroVPN
• On-demand application VPN tunnel between mobile device and NetScaler Gateway
• Available on Receiver for Android 3.1 or later and Receiver for iOS 5.7
• Supported with Worx Home and MDX-apps
• Must use NetScaler Gateway 10 (build 69.4 or later)

WorxWeb
• Native iOS/Android mobile browser application
• Securely connects to corporate network using on-demand MicroVPN tunnel
• Must use NetScaler Gateway 10 (build 69.4 or later)

How do I connect to intranet sites? (flowchart, iOS / Android)
• WorxWeb installed?
ᵒ Yes = Connect via MicroVPN
ᵒ No = Worx Home iOS?
• Worx Home iOS?
ᵒ Yes = Needs WorxWeb
ᵒ No = Worx Home Android?
• Worx Home Android?
ᵒ Yes = Connect via Webkit
ᵒ No

Secure Browse NetScaler Gateway Configuration
• By default, Secure Browse is enabled on NetScaler
ᵒ Global Settings
ᵒ Session Policy

Secure Browse Example
• Initial request from Citrix Receiver to NetScaler Gateway:

    GET https://ag10716b.adolfolab.ctx/AGServices/rewriteMode HTTP/1.1
    Host: ag10716b.adolfolab.ctx
    User-Agent: CitrixReceiver
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa643300904253245525d5f4f58455e445a4a42; NSC_FSSO=1; pwcount=2
    Connection: keep-alive
    Proxy-Connection: keep-alive

• If Secure Browse is enabled, NetScaler Gateway will respond with the following:

    HTTP/1.1 200 OK
    Content-Length: 23
    Cache-control: no-cache, no-store
    Pragma: no-cache
    Content-Type: text/plain

    SB:SecureBrowse RW:cvpn

• If Secure Browse is disabled, NetScaler Gateway will respond with the following:

    HTTP/1.1 200 OK
    Content-Length: 23
    Cache-control: no-cache, no-store
    Pragma: no-cache
    Content-Type: text/plain

    RW:cvpn

• Citrix Receiver will start the rewrite on the client-side:

    GET https://ag10716b.adolfolab.ctx/SecureBrowse/http/web.cloud.ctx:8080/index.html HTTP/1.1
    Host: ag10716b.adolfolab.ctx
    User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    X-Citrix-Gateway: ag10716b.adolfolab.ctx
    CitrixSecureBrowserIOS: YES
    Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa643300904253245525d5f4f58455e445a4a42;NSC_FSSO=1;pwcount=2;
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Proxy-Connection: keep-alive

Considerations
• Secure Browse will work as long as you have Clientless Access (CVPN) enabled on NetScaler
• If CVPN is disabled, Secure Browse will not work
• If Secure Browse is disabled, Citrix Receiver will use CVPN to connect to resources

MicroVPN
• On-demand application VPN tunnel between mobile device and NetScaler Gateway
• Platforms supported
ᵒ Android
ᵒ iOS
• MDX-apps support
ᵒ WorxMail
ᵒ WorxWeb
• Receivers that support MicroVPN
ᵒ Worx Home 8.5
ᵒ Receiver for Android 3.1 or later
ᵒ Receiver for iOS 5.7 or later

MicroVPN How does it work?
• Receiver POSTs credentials to NetScaler Gateway

    POST https://50-23-246-210.mycitrixdemo.net/cgi/login HTTP/1.1
    Host: 50-23-246-210.mycitrixdemo.net
    User-Agent: CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiveriPad CFNetwork Darwin VpnCapable
    Content-Length: 24
    Accept: */*
    X-Citrix-Gateway: https://50-23-246-210.mycitrixdemo.net

• The fact that Receiver sends a VPN Capable User-Agent:

    CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable

• Access Gateway returns the /cgi/setclient?
For iOS:

    HTTP/1.1 302 Object Moved
    Location: /cgi/setclient?iosc
    Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/

For Android:

    HTTP/1.1 302 Object Moved
    Location: /cgi/setclient?andr
    Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/

Troubleshooting App Controller

Troubleshooting
• Troubleshooting menu from console
• Network Utilities
• Advanced logging and tracing
• Support Bundle for collecting logs and traces
• Troubleshooting menu available under the new console Main Menu (option 3)

Troubleshooting Menu
• Network Utilities
ᵒ PING, ARP, Routing Table and others
• Logs
ᵒ Admins can review the last 1000 lines of log
ᵒ Provides advanced logging settings for specific modules
• Support Bundle
ᵒ Collects all AppController logs, core dumps and network traces

Troubleshooting Network Menu
• Network information
• Show Routing Table
• Show ARP Table
• PING
• Traceroute
• DNS lookup
• Network Trace

Troubleshooting Network Information
• Displays detailed information of network adapters
ᵒ IP address
ᵒ Subnet mask
ᵒ MAC address
ᵒ MTU size
ᵒ Adapter state (UP/DOWN)

Troubleshooting Routing Table
• Displays route information associated with AppController

Troubleshooting ARP Table
• Displays Address Resolution Protocol (ARP) information associated with AppController

Troubleshooting PING
• Test by sending ICMP packets from AppController VM to a destination host

Troubleshooting Traceroute
• Test by sending ICMP packets from AppController VM to a destination host and count the number of hops

Troubleshooting DNS Lookup
• Test Domain Name System (DNS) resolution from AppController to destination host

Troubleshooting Network Trace
• Capture network traces in pcap format on one or more interfaces
• Supports filtering options
• Press Enter to stop network tracing
• Network traces can only be extracted via the Support Bundle

Troubleshooting Logs Menu
• Advanced logging settings to trace specific AppController modules
• For more information, please refer to http://kb.citrite.net/article/CTX128435
• Option 5 displays the last 1000 lines of logging entries

Troubleshooting Support Bundle Menu
• Lets admins collect all AppController logs and network traces in a compressed file (.ZIP)
• Admins have the choice to encrypt the Support Bundle (optional)
• To extract the Support Bundle
ᵒ Upload via FTP
ᵒ Upload via SCP

Troubleshooting Generate Support Bundle
• Admins can choose whether or not to encrypt the Support Bundle
• Support Bundle filename will contain date/time, IP address and compression format extension (.ZIP)

Troubleshooting Upload Support Bundle
• Admins have the option to upload it via FTP or SCP
• For more information on how to upload it via FTP, please refer to http://support.citrix.com/article/CTX128855
• Admins have to enter FTP server hostname and location where to upload the file

Troubleshooting Upload Support Bundle via FTP
• Admins have to enter FTP server hostname, user credentials and location where to upload the file

Troubleshooting Support Bundle Contents
• Sas_core – core dumps
• Sas_log – management, system, debug, informational logs
• Sas_trace – network traces
• Sys_info – AppController system information
ᵒ ARP entries
ᵒ Disk space usage
ᵒ Interface configuration
ᵒ Routing table
ᵒ Running processes
• Var_log – authentication, daemon, kernel, mail, system and user logs

Work better. Live better.
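Added example (not from the original deck): a small evaluator for the three session policy expressions in the NetScaler configuration slides, run against constructed request headers to show which profile each client type selects and where two expressions overlap. Case-sensitive substring matching, the handling of a missing header, and the sample User-Agent strings used with it are assumptions.

```python
import re

# The three session policy expressions from the slides.
UA = "REQ.HTTP.HEADER User-Agent"
POLICIES = {
    "Desktop Receiver": f"({UA} CONTAINS CitrixReceiver && {UA} CONTAINS Windows) || "
                        f"({UA} CONTAINS CitrixReceiver && {UA} CONTAINS Mac)",
    "Receiver for Web": f"{UA} NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS",
    "Worx Home": f"({UA} CONTAINS CitrixReceiver && {UA} CONTAINS zenprise) || "
                 f"({UA} CONTAINS CitrixReceiver/1.0)",
}
TOKEN = re.compile(r"\(|\)|&&|\|\||[^\s()&|]+")

def evaluate(expr, headers):
    """Evaluate one expression: or_expr := and_expr ('||' and_expr)*."""
    toks = TOKEN.findall(expr)
    hdrs = {k.lower(): v for k, v in headers.items()}
    pos = 0

    def term():
        nonlocal pos
        if toks[pos] == "(":
            pos += 1
            value = or_expr()
            pos += 1                      # skip the closing ")"
            return value
        # REQ.HTTP.HEADER <name> <operator> [<value>]
        name, op = toks[pos + 1].lower(), toks[pos + 2]
        pos += 3
        if op == "EXISTS":
            return name in hdrs
        needle = toks[pos]
        pos += 1
        found = needle in hdrs.get(name, "")   # assumption: case-sensitive substring
        return found if op == "CONTAINS" else not found

    def and_expr():
        nonlocal pos
        value = term()
        while pos < len(toks) and toks[pos] == "&&":
            pos += 1
            value = term() and value      # term() first so every token is consumed
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while pos < len(toks) and toks[pos] == "||":
            pos += 1
            value = and_expr() or value
        return value

    return bool(or_expr())

def matching_policies(headers):
    """Names of every session policy whose expression is true for these headers."""
    return [name for name, expr in POLICIES.items() if evaluate(expr, headers)]
```

Where more than one expression matches, the profile applied depends on the priorities the policies are bound with, so overlapping expressions are worth checking during configuration review.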
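Added example (not from the original deck): an audit of the App Controller to Device Manager exchange shown in the "What is being uploaded?" slides. It reports what a request would expose if the integration port is set to 80 instead of 443, and separates the "Package ID already exists" reply from a real failure. The function names and the report layout are assumptions; the sample messages are constructed from the slide captures.

```python
import base64
import json

SENSITIVE = {"store_login", "store_password", "android_id"}  # gplaycredentials fields

def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.strip().partition("\n\n")
    start, *header_lines = head.splitlines()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body.strip()

def keys_in(value):
    """Yield every key that appears anywhere in a decoded JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield key
            yield from keys_in(child)
    elif isinstance(value, list):
        for child in value:
            yield from keys_in(child)

def audit_request(raw, port):
    """Report what one App Controller -> Device Manager request exposes on `port`."""
    start, headers, body = parse_http(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    user = None
    if scheme == "Basic":   # Basic auth is base64("user:password"), not encryption
        user = base64.b64decode(token).decode().split(":", 1)[0]
    fields = sorted(SENSITIVE & set(keys_in(json.loads(body)))) if body else []
    return {"endpoint": start.split()[1], "basic_user": user,
            "sensitive_fields": fields,
            "cleartext_exposure": port == 80 and bool(user or fields)}

def classify_response(raw):
    """200 = stored; 500 with error code 201 = package already on Device Manager."""
    start, _, body = parse_http(raw)
    status = int(start.split()[1])
    error = json.loads(body).get("error", {}) if body else {}
    if status == 200:
        return "ok"
    return "already-exists" if status == 500 and error.get("code") == 201 else "error"

# Constructed from the slide captures; credential values are the slide's placeholders.
GPLAY_REQUEST = """POST /zdm/cxf/wsapi/configuration/gplaycredentials HTTP/1.1
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
Host: ftlvxmdm.amc.ctx

{"gplay_credentials":{"store_login":"username","store_password":"password","android_id":"androidID"}}"""
DUPLICATE_RESPONSE = """HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{"error":{"description":"Package ID already exists","code":201}}"""
```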
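Added example (not from the original deck): helpers for the Secure Browse exchange above, useful when reading gateway request logs. They interpret the /AGServices/rewriteMode reply according to the "Considerations" slide and map a /SecureBrowse/ URL back to the intranet URL it targets. Treating a reply without RW:cvpn as "CVPN disabled", the query-string handling and the function names are assumptions.

```python
from urllib.parse import urlsplit

PREFIX = "/SecureBrowse/"

def rewrite_mode(body):
    """Interpret the text/plain body returned by /AGServices/rewriteMode."""
    flags = dict(tok.split(":", 1) for tok in body.split() if ":" in tok)
    if flags.get("RW") != "cvpn":
        return "unavailable"   # assumption: no RW:cvpn means CVPN is disabled
    return "secure-browse" if flags.get("SB") == "SecureBrowse" else "cvpn"

def to_secure_browse(gateway_host, target_url):
    """Build the client-side rewritten URL in the form shown on the slide."""
    t = urlsplit(target_url)
    if t.scheme not in ("http", "https") or not t.netloc:
        raise ValueError("target must be an absolute http(s) URL")
    url = f"https://{gateway_host}{PREFIX}{t.scheme}/{t.netloc}{t.path or '/'}"
    return url + (f"?{t.query}" if t.query else "")

def from_secure_browse(rewritten_url):
    """Recover the intranet URL from a rewritten URL; None if it is not one."""
    r = urlsplit(rewritten_url)
    if not r.path.startswith(PREFIX):
        return None
    scheme, _, rest = r.path[len(PREFIX):].partition("/")
    host, _, path = rest.partition("/")
    if scheme not in ("http", "https") or not host:
        return None
    url = f"{scheme}://{host}/{path}"
    return url + (f"?{r.query}" if r.query else "")

def targets_from_requests(request_lines):
    """Map 'METHOD URL HTTP/x' request lines to the intranet URLs they reach."""
    targets = []
    for line in request_lines:
        parts = line.split()
        if len(parts) == 3:
            target = from_secure_browse(parts[1])
            if target:
                targets.append(target)
    return targets

# Request lines taken from the slide captures.
SAMPLE_REQUESTS = [
    "GET https://ag10716b.adolfolab.ctx/AGServices/rewriteMode HTTP/1.1",
    "GET https://ag10716b.adolfolab.ctx/SecureBrowse/http/web.cloud.ctx:8080/index.html HTTP/1.1",
]
```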