XenMobile_App_Enterprise - Citrix Synergy Labs Home Page
advertisement
XenMobile App and Enterprise
Adolfo Montoya
Lead Support Readiness Specialist
July, 2013
Agenda
• App vs. Enterprise
• Architectural overview
• End-user experience
• Deployment options
• Troubleshooting
3
© 2013 Citrix | Confidential – Do Not Distribute
XenMobile
App and Enterprise Editions
App Edition
Use case
5
•
Mobile application management
•
Federated single sign-on
•
Secure email
•
Secure browsing
•
Automated account provisioning
•
Workflow
•
Policy based interapp security
•
App specific microVPN
•
Unified corporate app store
© 2013 Citrix | Confidential – Do Not Distribute
Client Side
Worx
Home
Receiver
WorxMail
WorxWeb
Server Side
App
Controller
NetScaler
Gateway
App Edition
ShareFile
XMA
Worx Home
Optional
XenApp
XenDesktop
NetScaler
SF/WI
Receiver
DMZ
© 2013 Citrix | Confidential – Do Not Distribute
Enterprise Edition
Use case
Client Side
Server Side
Worx Enroll
• All MDM Edition use cases
• All App Edition use cases
• Secure document sharing,
syncing & editing
Worx Home
WorxMail
NS Gateway
WorxWeb
ShareFile
Receiver
© 2013 Citrix | Confidential – Do Not Distribute
MDM Server
App Controller
Enterprise Edition
ShareFile
XNC
Worx Enroll
XDM
Receiver
Optional
XenApp
XenDesktop
NetScaler
XMA
Worx Home
© 2013 Citrix | Confidential – Do Not Distribute
DMZ
SF/WI
MDM
Edition
App
Edition
Enterprise
Edition
Configure, secure & provision mobile devices
One-click live chat & support
Access SharePoint & network drives
Secure mobile web browser
App-specific micro VPN
Secure mail, calendar and contacts app
Enterprise-enable any mobile app
Seamless Windows app integration
Unified corporate app store
Multi-factor single sign-on
Secure document sharing, sync & editing
Both cloud & on-premises data storage options
© 2013 Citrix | Confidential – Do Not Distribute
ShareFile Feature Comparison
Features
XM-MDM
(SF-Standard*)
XM-App
(SF-Standard*)
XM-Enterprise
(SF-Enterprise)
Read access to File shares and SharePoint
AD authentication
Data encryption
MDX-wrapped client
ShareFile Enterprise Features
Worx Mail integration, Cloud and customermanaged StorageZones, Editing,
Annotations, External Sharing, Windows and
Mac Sync, Outlook plug-in, Web-browser
access from Sharefile.com, time-expiry,
Request file, FTP access, usage reporting,
*Note: ShareFile Standard is not a standalone product. Name is used to describe ShareFile features for MDM and App editions
© 2013 Citrix | Confidential – Do Not Distribute
Citrix Mobility Product Line
XenMobile
MDM Edition
(Cloud or On-premise)
•
•
•
•
XM Device Manager
XM NetScaler Connector
ShareFile Standard
GoToAssist Integration
•
•
•
•
XenMobile
App Edition
XenMobile
Enterprise Edition
(Formerly CloudGateway)
(Integrated Solution)
XM App Controller 2.8
NetScaler Gateway 10.1
StoreFront 2.0 (optional)
ShareFile Standard
•
•
•
•
© 2013 Citrix | Confidential – Do Not Distribute
XM MDM Edition
XM App Edition
ShareFile Enterprise (Cloud
or On-premise)
GoToAssist Integration
XenMobile App Controller
Review
What is App Controller?
• Virtual VM running Linux OS
• Supported on
ᵒ XenServer 5.6 FP1 or later
ᵒ Hyper-V 2012
ᵒ VMware ESX 4.x or later
• Provides access to
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Web/SaaS
Intranet sites
MDX-wrapped apps
Public store links
ShareFile
• Supports High Availability (Active/Passive)
• Supports Clustering (Active/Active)
© 2013 Citrix | Confidential – Do Not Distribute
What is App Controller?
• Supports remote access
ᵒ NetScaler Gateway 10.1*
• Supports Windows apps access
ᵒ StoreFront 1.2 or 2.0
ᵒ Web Interface 5.4 (IIS)
ᵒ VDI-in-a-Box 5.3
• System requirements
ᵒ 2 vCPU
ᵒ 4 GB of RAM
• Scalability
ᵒ 10,000 concurrent users per App Controller
*NetScaler Gateway 10.0 is not compatible with App Controller 2.8
© 2013 Citrix | Confidential – Do Not Distribute
Receiver for Web vs. Store
Receiver for Web
• Receiver for Web = Web-browser site
• Built-in site /Citrix/StoreWeb
• Beacons are not applicable
• Provides Provisioning File (e.g.
ReceiverConfig.cr)
© 2013 Citrix | Confidential – Do Not Distribute
Receiver for Web vs. Store
Store
• Store = Services site
• Built-in store - /Citrix/Store
• Beacons are applicable
• Windows / Mac
ᵒ Receiver for Windows 3.4+
ᵒ Receiver for Mac 11.7+
• iOS / Android
ᵒ Receiver for iOS 5.7+
ᵒ Receiver for Android 3.3+
ᵒ Worx Home 8.5
© 2013 Citrix | Confidential – Do Not Distribute
Account Management
Connectors
SAML
© 2013 Citrix | Confidential – Do Not Distribute
FormFill
Web/SaaS App Launch (Form-fill)
Communication Flow
POST https://www.linkedin.com/uas/login-submit HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
POST
https://appc25lb.amc.ctx/webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1&tok=uzgz
https://appc25lb.amc.ctx/Citrix/Store/prelaunch/app
uqVP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyHp48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloq
HTTP/1.1
o9zY7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC
User-Agent: CitrixReceiver Windows/6.1
Accept-Language: en-US
SelfService/3.4.0.33684 (Release)
GET
<form (compatible;
name="loginForm"
action="https://www.linkedin.com/uas/login-submit"
User-Agent: Mozilla/5.0
MSIE 9.0;
Windows
Accept:
*/* NT 6.1; WOW64; Trident/5.0)
https://appc25lb.amc.ctx/webssouser/websso.do?action=
method="post" onsubmit="return
false;">
Content-Type: application/x-www-form-urlencoded
Authorization:
authenticateUser&app=LinkedIn&reqtype=1&tok=uzgzuq
HTTP/1.1value="Sign%20In"/>
200 CitrixAuth
OK
<input
type="hidden"
name="signin"
Accept-Encoding: gzip, deflate
3AE8D47E126821ED18820861412E59A65E78F0745D0
VP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyH
Connection:
close
HTTP/1.1
200
OK
<input type="hidden" name="source_app"
value=""/>
Host: www.linkedin.com
F194A23A4675B4EEBFB58
p48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloqo9zY
Content-Type:
text/html;charset=utf-8
Connection:
Keep-Alive
<input type="hidden" name="sourceAlias"
Content-Length: 209
Content-Type:
<no type> charset="utf-8"
7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC
HTTP/1.1
Server:
Apache-Coyote/1.1
Content-Type:
text/plain;
value="0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi"/>
Connection: Keep-Alive
Host:
Accept:
text/html,
application/xhtml+xml,
Date: appc25lb.amc.ctx
Sat,
02 value="ajax%3A6347512470912353035"/>
Feb225
2013 23:35:11 GMT */*
Content-Length:
<input type="hidden" name="csrfToken"
Cache-Control: no-cache
Content-Length:
92en-US no-store, must-revalidate,
Accept-Language:
Cache-Control: no-cache,
<input type="hidden" name="session_redirect"
value=""/>
Cookie: leo_auth_token="LIM:3806491:a:21600:1359755785:bff46f2a2488465426f76ef12155817fcc5d9b84";
Expect:
100-continue
User-Agent:
Mozilla/5.0value="password123"/>
(compatible; MSIE 9.0; Windows
proxy-revalidate
https://appc25lb.amc.ctx/webssouser/websso.do?action=
<input type="hidden" name="session_password"
visit="v=1&M"; bcookie="v=2&8280d152-ee3e-4b89-ae16-36bc18b56010";
Accept-Encoding:
gzip,
deflate
NT
6.1; WOW64;value="adolfo.montoya@gmail.com"/>
Trident/5.0)
Set-Cookie:
authenticateUser&app=LinkedIn&reqtype=1&tok=uzgzuq
<input type="hidden" name="session_key"
_lipt="0_3SPdwJCAKEKd6iCDOMqnm3hkMlAr8DnGO4OSvk4m_QZsEKzgwUR9t9ELn6m4N4Y03pxdt35wH7
Accept-Encoding:
gzip,
deflate
OCAJSESSIONID=F3667612AE29262440D97FC21124
VP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyH
</form>
GKJ6mDq2vDIuge9cKi3Y9_neZgk2I89FU7KnIaTmlDicpapZRkxI53xpa85u_QkEezSUi7aPbw1oNqcLSLbsFwn
https://appc25lb.amc.ctx/webssouser/websso.do?action=
Host:
FB6B;appc25lb.amc.ctx
Path=/; HttpOnly; Secure
p48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloqo9zY
</body>
4TJ_JSerq-84wECaZ-kU-f63authenticateUser&app=LinkedIn&reqtype=1
Connection:
Keep-Alive
Content-Length:
1954
7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC
</html>
1lTfgSGFnDGhexnbvrJsRruQzH3VRfJxed6Yk8hgXfL97whxyOc_wzDJLprA8kYZZ8PIYEiAFJkbbhBKxM3Hqri3
mTA-"; __qca=P0-743823709-1352489739221
Client
signin=Sign%2520In&source_app=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&c
srfToken=ajax%253A6347512470912353035&session_redirect=&session_password=password123&session_k
ey=adolfo.montoya@gmail.com
© 2013 Citrix | Confidential – Do Not Distribute
LinkedIn
App
Controller
Authentication System – Basics
App Controller
“App Enumeration”
Windows
DeniedApps,
(talk Web,
to Auth)
SaaS…
Store
Services
Trust
Auth
Service
© 2013 Citrix | Confidential – Do Not Distribute
Active
Directory
NetScaler Gateway Single Sign-on
• NetScaler Gateway Single Sign-on (SSO) or callback is used by StoreFront or
App Controller to request NetScaler Gateway for user credentials
• Callback URL requires a secure connection (HTTPS) back to the AG virtual
server who authenticated the user (most cases)
• Callback URL can be another AG virtual server on the same AG VPX/MPX
• Example: https://AG-VIP-FQDN/CitrixAuthService/AuthService.asmx (case
sensitive)
© 2013 Citrix | Confidential – Do Not Distribute
Before AG SSO happens…
• StoreFront Services or App Controller must trust the incoming Gateway
communication
• However, StoreFront and App Controller differ from what is being checked from
NetScaler Gateway
• Example:
ᵒ StoreFront checks for three different parameters inside the HTTP Header:
• X-Citrix-Via: this parameter will contain the AG FQDN end-user entered on their web browser or
Receiver. (ie. X-Citrix-Via: ag.example.com)
• X-Forwarded-For: this parameter will contain the SNIP/MIP of Access Gateway. (ie. XForwarded-For: 192.168.10.10)
• Remote Address: this parameter will contain the client IP address. Majority of times, this value
is never used by StoreFront
© 2013 Citrix | Confidential – Do Not Distribute
Before AG SSO happens…
• App Controller instead, it’s expecting the AG Header (ie. X-CitrixVia:ag.example.com) from NetScaler Gateway
• App Controller does not have a method to check the SNIP/MIP address
• Example:
ᵒ App Controller checks for one parameter inside the HTTP Header:
• X-Citrix-Via: this parameter will contain the AG FQDN end-user entered on their web browser or
Receiver. (ie. X-Citrix-Via: ag.example.com)
© 2013 Citrix | Confidential – Do Not Distribute
What to check?
App Controller
• Ensure External URL matches with the AG URL users will enter on their web
browsers or Receiver
• Callback URL needs to resolve back to the AG that authenticated the end-user
© 2013 Citrix | Confidential – Do Not Distribute
Account Management
Automatic Provisioning
Active
Directory
What privilege on
application?
Sync
Auth
Create
AppController
Log
Reporting
Systems
© 2013 Citrix | Confidential – Do Not Distribute
Users
Any app specific security
rules?
Additional approvals
required before creating
account?
Account Management
Configure Automatic Provisioning
© 2013 Citrix | Confidential – Do Not Distribute
App Controller HA connections
App Controller
HA
Mobile Apps
TCP 9736
Active
HTTPS 443 (AppC VIP)
Web & SaaS
Apps
Worx Home
Standby
ShareFile Data
© 2013 Citrix | Confidential – Do Not Distribute
App Controller HA
• Define Role Preference
ᵒ Primary
ᵒ Secondary
• Define VIP, Peer IP and Shared Key
ᵒ IP address for VIP
ᵒ IP address of secondary AppController
ᵒ Enter shared key that both App Controllers
will share to trust each other
• Enable/Disable Appliance Failover
• Show current status of Appliance
Failover
© 2013 Citrix | Confidential – Do Not Distribute
Considerations
• App Controller in appliance failover does not require a
load balancer – ie. NetScaler
• App Controller synchronizes the following information
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
User passwords database
Web/SaaS/Mobile/ShareFile information
Devices
Workflows
SSL certificates
• Once appliance failover occurs, the new active App
Controller will send an ARP broadcast updating the MAC
address of the VIP
© 2013 Citrix | Confidential – Do Not Distribute
App Controller Device Registration
What is it?
• Requirement to have more control over ‘Apps’ deployed to
mobile devices
• Receiver needs to communicate with App Controller either
directly, or through NetScaler Gateway
• Receiver ‘checks in’ to the App Controller when it starts
• Management functions are:
1. Device Registration
2. Device Lock or Wipe
3. Device Update
© 2013 Citrix | Confidential – Do Not Distribute
DMS
• Device Management Service: Runs on App Controller – and
processes requests from Receiver clients
• Upon a successful registration, it returns a Device ID which
is used by receiver in subsequent requests
© 2013 Citrix | Confidential – Do Not Distribute
Workflows
What is it?
• Workflow is also known as “Application Provisioning”
• End-users request app access to their direct manager
or an ‘approver’
• App Controller will contact employee’s manager or
approver via email
• Workflows can be applied to:
ᵒ Web/SaaS apps
ᵒ iOS/Android mobile apps
• It only works with Citrix Receiver connections to a
store
© 2013 Citrix | Confidential – Do Not Distribute
Web & SaaS
Apps
Mobile Apps
© 2013 Citrix | Confidential – Do Not Distribute
© 2013 Citrix | Confidential – Do Not Distribute
Manager vs. Approvers
• Two ways to support approvals
ᵒ Send email to employee manager (up to 3 levels)
ᵒ Send email to approver
• If manager approval is selected make sure employee’s
manager is defined on Active Directory
• Additional approvers can be anyone from Active
Directory
© 2013 Citrix | Confidential – Do Not Distribute
Workflow approvals via Email
How does it work?
Employee
© 2013 Citrix | Confidential – Do Not Distribute
Workflow approvals via Email
How does it work?
Manager
© 2013 Citrix | Confidential – Do Not Distribute
Workflow approvals via Email
How does it work?
Employee
© 2013 Citrix | Confidential – Do Not Distribute
Receiver for Windows 3.3 vs. 3.4+
Receiver for Windows 3.4+
Receiver for Windows 3.3
© 2013 Citrix | Confidential – Do Not Distribute
Considerations
• Workflow email requests to Managers / Approvers may take
between 1-15 minutes approx.
• Not supported via Receiver for Web sites
• If one of the Managers or Approvers do not accept (or
respond) the app request, the end-user cannot subscribe to
the app
• Preferably use the latest Citrix Receivers (mobile or desktop)
ᵒ
ᵒ
ᵒ
ᵒ
Receiver for Windows 3.4 or later
Receiver for Mac 11.7 or later
Receiver for iOS 5.7.1 or later
Receiver for Android 3.3 or later
© 2013 Citrix | Confidential – Do Not Distribute
XenMobile App Controller
Version 2.8
What’s New?
• Integration with XenMobile MDM server
• Integration with GoToAssist
• Integration with StoreFront
• Integration with NetScaler Gateway 10.1
• Worx Store Branding
• End-user experience
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access Scenarios
(NetScaler Gateway 10.1)
NG + App Controller
only
• Ideal for Enterprise
customers that want
application management
• Customers create
Enterprise MDX-app
store
• Clientless access
(CVPN) is required
• NetScaler Gateway
needs Universal Licenses
© 2013 Citrix | Confidential – Do Not Distribute
NG + AppController +
MDM
• Ideal for Enterprise
customers that want
application and device
management
• Customers create
Enterprise MDX-app
store
• Clientless access
(CVPN) is required
• NetScaler Gateway
needs Universal Licenses
NG + App Controller +
MDM + StoreFront
• Ideal for Enterprise
customers that
application and device
management, plus
unified store
• Clientless access
(CVPN) is required
• NetScaler Gateway
needs Universal
Licenses
Mobile Platforms
Worx Home for iOS / Worx Home for Android
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
iOS
• Worx Home for iOS includes the
following header info
ᵒ User-Agent = CitrixReceiver
ᵒ VpnCapable (for MicroVPN)
ᵒ X-Citrix-Gateway: https://NetScalerGateway-FQDN
© 2013 Citrix | Confidential – Do Not Distribute
POST /cgi/login HTTP/1.1
Host: agdara.amc.ctx
X-Citrix-Gateway: https://agdara.amc.ctx
User-Agent: CitrixReceiver/com.zenprise.zpmdmbeta
iOS/8.5.0 (build 8.5.0.163) CitrixReceiver-iPad CFNetwork
Darwin VpnCapable
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
CONTENT_LENGTH: 28
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Connection: keep-alive
CONTENT_TYPE: application/x-www-form-urlencoded
Remote Access
iOS
• Worx Home name is included in other
parts of communication
© 2013 Citrix | Confidential – Do Not Distribute
GET /vpn/index.html HTTP/1.1
Host: agdara.amc.ctx
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Worx%20Home/8.5.0.163 CFNetwork/609.1.4
Darwin/13.0.0
Accept-Language: en-us
Accept: */*
Remote Access
Android
• Worx Home for Android includes the
following header info
ᵒ User-Agent = CitrixReceiver
ᵒ VpnCapable (for MicroVPN)
ᵒ X-Citrix-Gateway: https://NetScalerGateway-FQDN
• No Worx Home name in User-Agent!
© 2013 Citrix | Confidential – Do Not Distribute
POST /cgi/login HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US, en
User-Agent: CitrixReceiver/1.0 Android/4.3 JWR66V
VpnCapable
Cookie: pwcount=0;
X-Citrix-Gateway: https://agdara.amc.ctx
Content-Length: 28
Host: agdara.amc.ctx
Connection: Keep-Alive
Accept-Encoding: gzip
Worx Home vs. Receiver
Feature
MDM Registration
AppC Registration
GoToAssist remote support
Provisioning File
Email-based account
discovery
MDX apps access
HDX apps access
Secure Browse support
MicroVPN
support
© 2013 Citrix | Confidential
– Do Not Distribute
Worx Home / Enroll
Receiver
Remote Access
How do I configure my mobile client?
Mobile Receivers
Provisioning File
Worx Home 8.5
(iOS/Android)
iOS 5.8
Android 3.4
Win8/RT 1.3
© 2013 Citrix | Confidential – Do Not Distribute
Email-based
Account discovery
NetScaler
Gateway FQDN
Deployment Modes
• Types of deployment
ᵒ Local connections only
ᵒ Local and remote connections via NetScaler
Gateway
• StoreFront integration may be used in
some scenarios
• Note: Worx Home client is unable to
communicate with StoreFront store
© 2013 Citrix | Confidential – Do Not Distribute
XenMobile Deployments
NG + AppController only
App Controller
NetScaler Gateway
Internet
© 2013 Citrix | Confidential – Do Not Distribute
DMZ
LAN
Remote Access
AppController Configuration
• Define Deployment
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Enable = Yes
Display name
Callback URL = https://AGFQDN
External URL = https://AGFQDN
Logon type
• Domain only
• Security token only
• Domain and security token
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
Simplified Wizard
• Two ways to initiate the wizard
ᵒ NetScaler Gateway > Enterprise Store
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
Simplified Wizard
• Two ways to initiate the wizard
ᵒ Deployment type > NetScaler Gateway*
*Assuming you don’t have any virtual servers
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
Simplified Wizard
• Two ways to initiate the wizard
ᵒ Deployment type > NetScaler Gateway
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
Simplified Wizard
• Select XenMobile
• Enter App Controller FQDN
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Virtual Server name
• IP address
• Mode = SmartAccess
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• SSL certificate
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• LDAP authentication policy
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Three session policies bound to the virtual server
ᵒ Receiver connections
ᵒ Receiver for Web connections
ᵒ Access Gateway Plugin connections
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Native Receiver connection policy
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Native Receiver connection profile
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Split Tunnel = OFF
Session Time-out (mins) = 1440 (1 day)
Clientless Access = ON
Clientless Access URL Encoding = Clear
Single Sign-on to Web Applications = checked
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Native Receiver connection profile
ᵒ ICA Proxy = OFF
ᵒ Web Interface Address = https://AppC-FQDN
ᵒ Single Sign-on Domain = domain
• Need to be defined manually if you don’t want UPN auth
ᵒ Account Services Address = https://AppC-FQDN
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Receiver for Web connection policy
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Receiver for Web connection profile
ᵒ
ᵒ
ᵒ
ᵒ
Home Page = https://AppC-FQDN/Citrix/StoreWeb
Clientless Access = ON
Plug-in Type = Java
Single Sign-on to Web Applications = checked
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Receiver for Web connection profile
ᵒ ICA Proxy = OFF
ᵒ Web Interface Address = https://AppCFQDN/Citrix/StoreWeb
ᵒ Single Sign-on Domain = domain
• Need to be defined manually if you don’t want UPN auth
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Access Gateway Plug-in connection policy
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Access Gateway Plug-in connection profile
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Home Page = https://AppC-FQDN/Citrix/StoreWeb
Split Tunnel = OFF
Clientless Access = Allow
Clientless Access URL Encoding = Clear
Plug-in Type = Windows/Mac OS X
Single Sign-on to Web Applications = checked
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Access Gateway Plug-in connection profile
ᵒ ICA Proxy = OFF
ᵒ Web Interface Address = https://AppCFQDN/Citrix/StoreWeb
ᵒ Single Sign-on Domain = domain
• Need to be defined manually if you don’t want UPN auth
ᵒ Account Services Address = https://AppC-FQDN
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Two clientless access policies get created
ᵒ Receiver connections
ᵒ Anything else – ie. Receiver connections, Receiver for Web
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Receiver connections clientless access policy
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Rewrite tab
ᵒ Nothing selected
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Finding URLs tab
ᵒ Nothing selected
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Client Cookies tab
ᵒ Nothing selected
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Receiver for Web connections clientless access policy
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Rewrite tab
ᵒ URL Rewrite = ns_cvpn_default_inet_url_label
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Finding URLs tab
ᵒ Nothing selected
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Client Cookies tab
ᵒ Cookies created
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Pattern set for App Controller
cookies
ᵒ
ᵒ
ᵒ
ᵒ
CsrfToken = index 1
ASP.NET_SessionId = index 2
CtxsPluginAssistantState = index 3
CtxsAuthId = index 4
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Secure Ticket Authority defined
for WorxMail
ᵒ https://AppC-FQDN
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Clientless Access domains defined
ᵒ Allowed Domains
• App Controller FQDN
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Finally, AppController URL binding at the AG virtual server level (not
Global!)
© 2013 Citrix | Confidential – Do Not Distribute
What gets created?
Simplified Wizard
• Finally, AppController URL binding at the AG virtual server level (not
Global!)
© 2013 Citrix | Confidential – Do Not Distribute
XenMobile Deployments
NG + AppController + MDM
NetScaler Gateway
XM Device Manager
App Controller
Internet
© 2013 Citrix | Confidential – Do Not Distribute
DMZ
LAN
Remote Access
XDM Configuration
• Define App Controller Webservice
configuration
ᵒ Host Name = IP address or FQDN
ᵒ Shared Key = alphanumeric value – ie.
Citrix or Citrix1234
ᵒ Enable App Controller = checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define Deployment
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Enable = Yes
Display name
Callback URL = https://AGFQDN
External URL = https://AGFQDN
Logon type
• Domain only
• Security token only
• Domain and security token
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define XenMobile Configuration
ᵒ Host = XDM FQDN
ᵒ Port = 80 or 443
ᵒ Shared Key = alphanumeric value – ie.
Citrix or citrix123
ᵒ Instance Path = /zdm (default)
ᵒ Allow secure access = Yes/No
ᵒ Require Device Manager Enrollment
= Yes/No
© 2013 Citrix | Confidential – Do Not Distribute
XenMobile Deployments
NG + AppController + MDM + StoreFront (A)
NetScaler Gateway
XM Device Manager
App Controller
Internet
© 2013 Citrix | Confidential – Do Not Distribute
DMZ
LAN
StoreFront 2.0
Remote Access
XDM Configuration
• Define App Controller Webservice
configuration
ᵒ Host Name = IP address or FQDN
ᵒ Shared Key = alphanumeric value – ie.
Citrix or Citrix1234
ᵒ Enable App Controller = checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define Deployment
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Enable = Yes
Display name
Callback URL = https://AGFQDN
External URL = https://AGFQDN
Logon type
• Domain only
• Security token only
• Domain and security token
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define XenMobile Configuration
ᵒ Host = XDM FQDN
ᵒ Port = 80 or 443
ᵒ Shared Key = alphanumeric value – ie.
Citrix or citrix123
ᵒ Instance Path = /zdm (default)
ᵒ Allow secure access = Yes/No
ᵒ Require Device Manager Enrollment
= Yes/No
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define Windows Apps
ᵒ Host = StoreFront FQDN
ᵒ Port = 80 or 443
ᵒ Relative Path =
/Citrix/<StoreName>/PNAgent/config.xml
ᵒ Allow secure access = Yes/No
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Define NetScaler Gateway
ᵒ Display Name
ᵒ NetScaler Gateway URL = External
Gateway URL
ᵒ Version
• 10.0 (build 69.4) or later
• 9.x
• 5.x
ᵒ Subnet IP address = (optional)
ᵒ Logon Type
•
•
•
•
•
Domain
Security Token
Domain and Security Token
SMS authentication
Smart card
ᵒ Callback URL = External Gateway URL
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Define Secure Ticket Authority (STA)
ᵒ XenApp
ᵒ XenDesktop
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Enable Remote Access to the store
ᵒ No VPN tunnel
ᵒ Full VPN tunnel
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Define Secure Ticket Authority
(STA)
ᵒ XenApp
ᵒ XenDesktop
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NG + AppController + MDM + StoreFront
• Pros
ᵒ Single NetScaler Gateway VIP
ᵒ Single store access
• Cons
ᵒ Follow me apps do not work on Worx Home
ᵒ Follow me apps for Windows do not work
• Mobile devices
• Desktop platforms
© 2013 Citrix | Confidential – Do Not Distribute
XenMobile Deployments
NG + AppController + MDM + StoreFront (B)
Receiver
(Win/Mac)
NetScaler Gateway
StoreFront 2.0
XM Device Manager
WorxHome
(iOS Android)
Internet
© 2013 Citrix | Confidential – Do Not Distribute
DMZ
LAN
App Controller
Remote Access
XDM Configuration
• Define App Controller Webservice
configuration
ᵒ Host Name = IP address or FQDN
ᵒ Shared Key = alphanumeric value – ie.
Citrix or Citrix1234
ᵒ Enable App Controller = checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define Deployment (NetScaler)
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
Enable = Yes
Display name
Callback URL = https://AGFQDN
External URL = https://AGFQDN
Logon type
• Domain only
• Security token only
• Domain and security token
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define Deployment (StoreFront)
ᵒ Enable = Yes
ᵒ Authentication Server = OFF
ᵒ Web address = https://SF-FQDN
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define XenMobile Configuration
ᵒ Host = XDM FQDN
ᵒ Port = 80 or 443
ᵒ Shared Key = alphanumeric value – ie.
Citrix or citrix123
ᵒ Instance Path = /zdm (default)
ᵒ Allow secure access = Yes/No
ᵒ Require Device Manager Enrollment
= Yes/No
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
AppController Configuration
• Define Windows Apps
ᵒ Host = StoreFront FQDN
ᵒ Port = 80 or 443
ᵒ Relative Path =
/Citrix/<StoreName>/PNAgent/config.xml
ᵒ Allow secure access = Yes/No
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Define Delivery Controller
ᵒ
ᵒ
ᵒ
ᵒ
Display Name
Type = AppController
Server = AppC FQDN
Port = 443
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Define NetScaler Gateway
ᵒ Display Name
ᵒ NetScaler Gateway URL = External
Gateway URL
ᵒ Version
• 10.0 (build 69.4) or later
• 9.x
• 5.x
ᵒ Subnet IP address = (optional)
ᵒ Logon Type
•
•
•
•
•
Domain
Security Token
Domain and Security Token
SMS authentication
Smart card
ᵒ Callback URL = External Gateway URL
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Define Secure Ticket Authority (STA)
ᵒ XenApp
ᵒ XenDesktop
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
StoreFront Configuration
• Enable Remote Access to the store
ᵒ No VPN tunnel
ᵒ Full VPN tunnel
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Create a virtual server in
SmartAccess mode
ᵒ Clientless access will be used for
StoreFront and App Controller
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Create three session policies
ᵒ Desktop Receiver policy = redirects Win/Mac Receiver users to StoreFront store
ᵒ Receiver for Web policy = redirects Win/Mac/mobile users to StoreFront’s Receiver for
Web site
ᵒ Worx Home policy = redirects iOS/Android Worx Home users to AppController’s store
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Desktop Receiver policy
expression
ᵒ (REQ.HTTP.HEADER User-Agent CONTAINS
CitrixReceiver && REQ.HTTP.HEADER UserAgent CONTAINS Windows) ||
(REQ.HTTP.HEADER User-Agent CONTAINS
CitrixReceiver && REQ.HTTP.HEADER UserAgent CONTAINS Mac)
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Desktop Receiver profile
ᵒ Clientless Access = ON
ᵒ Clientless Access URL Encoding = Clear
ᵒ Single Sign-on to Web Applications = checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Desktop Receiver profile
ᵒ Default Authorization Action = ALLOW
ᵒ Secure Browse = uncheck
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Desktop Receiver profile
ᵒ
ᵒ
ᵒ
ᵒ
ICA Proxy = OFF
Web Interface Access = https://SF-FQDN
Single Sign-on Domain = domain
Account Services Address = https://SFFQDN
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Receiver for Web site policy
expression
ᵒ REQ.HTTP.HEADER User-Agent
NOTCONTAINS CitrixReceiver &&
REQ.HTTP.HEADER Referer EXISTS
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Receiver for Web site profile
ᵒ Home Page = https://SFFQDN/Citrix/StoreWeb
ᵒ Clientless Access = ON
ᵒ Clientless Access URL Encoding =
Obscure
ᵒ Single Sign-on to Web Applications =
checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Receiver for Web site profile
ᵒ Default Authorization Action = ALLOW
ᵒ Secure Browse = uncheck
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Receiver for Web site profile
ᵒ ICA Proxy = OFF
ᵒ Web Interface Address = https://SFFQDN
ᵒ Single Sign-on Domain = domain
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Worx Home policy expression
ᵒ (REQ.HTTP.HEADER User-Agent CONTAINS
CitrixReceiver && REQ.HTTP.HEADER UserAgent CONTAINS zenprise)||
(REQ.HTTP.HEADER User-Agent CONTAINS
CitrixReceiver/1.0)
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Worx Home profile
ᵒ
ᵒ
ᵒ
ᵒ
Split Tunnel = OFF/ON
Session Time-out (mins) = 1440 (1 day)
Clientless Access = ON
Clientless Access URL Encoding =
Clear
ᵒ Plug-in Type = Windows/Mac OS X
(MicroVPN)
ᵒ Single Sign-on to Web Applications =
checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Worx Home profile
ᵒ Default Authorization Action = ALLOW
ᵒ Secure Browse = checked
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Worx Home profile
ᵒ
ᵒ
ᵒ
ᵒ
ICA Proxy = OFF
Web Interface Address = https://AppC-FQDN
Single Sign-on Domain = domain
Account Services Address = https://AppCFQDN
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Verify you have two Clientless Access policies
ᵒ Receiver/Worx Home connections
ᵒ Anything else – ie. Receiver for Web, Receiver/Worx Home connections
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Clientless Access domains defined
ᵒ Allowed Domains
• App Controller FQDN
• StoreFront FQDN
ᵒ Bind FQDNs via CLI (recommended)
• bind patset ns_cvpn_default_inet_domains appc28.amc.ctx
• bind patset ns_cvpn_default_inet_domains storefrontlb.amc.ctx
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Define Secure Ticket Authority
(STA)
ᵒ XenApp
ᵒ XenDesktop
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Finally, AppController URL binding at the AG virtual server level (not
Global!)
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NetScaler Configuration
• Finally, AppController URL binding at the AG virtual server level (not
Global!)
© 2013 Citrix | Confidential – Do Not Distribute
Remote Access
NG + AppController + MDM + StoreFront
• Pros
ᵒ Single NetScaler Gateway VIP
ᵒ Follow me apps for Windows will work for Win/Mac
• Cons
ᵒ Follow me apps do not work on Worx Home
• Mobile devices
© 2013 Citrix | Confidential – Do Not Distribute
“Can I push MDX / Web and SaaS apps to
mobile devices?”
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
• New option on App Controller
ᵒ Require app installation
• Works with App Controller and
XenMobile Device Manager integration
• Require app installation option can
automatically subscribe/install
Web/SaaS and MDX apps
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
• Host = IP address or FQDN
of MDM server
• Port = 80 or 443
• Shared Key = alphanumeric
value – e.g. Citrix123
• Instance Path = /zdm
• Require Device Manager
Enrollment = recommended
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
Overview
• App Controller will upload all
MDX, public store apps,
Web/SaaS to MDM server
ᵒ Securely – HTTPS 443
ᵒ Non-secure – HTTP 80
• App Controller will upload the
NetScaler URL or AppC URL for
Worx Home
• User requests access to MDX
app, MDM will push it to the
mobile device
© 2013 Citrix | Confidential – Do Not Distribute
443
XDM
XMA
Integration with XenMobile Device Manager
What is being uploaded?
• If Require Device Management enrollment = Yes
From App Controller to Device Manager
POST /zdm/cxf/wsapi/configuration/mdmrequired HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 31
XDM
Enrollment
Required?
Yes / No
{"errorcode":0,"required":true}
XMA
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
What is being uploaded?
• If Require Device Management enrollment = Yes
OK done!
From Device Manager to App Controller
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie:
JSESSIONID=FFAEE9B40D6E797859A03C275E80B999;
Path=/zdm/; HttpOnly
Date: Fri, 09 Aug 2013 14:55:16 GMT
Content-Type: application/json
Content-Length: 53
XDM
{"response":"mdm_required_flag properly set to true"}
XMA
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
What is being uploaded?
• If Google Play credentials saved in App
Controller
From App Controller to Device Manager
POST /zdm/cxf/wsapi/configuration/gplaycredentials HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 125
XDM
Google Play
Credentials
{"gplay_credentials":{"store_login":“username","store_password":“p
assword","android_id":“androidID"}}
XMA
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
What is being uploaded?
• If Google Play credentials saved in App
Controller
OK done!
From Device Manager to App Controller
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie:
JSESSIONID=6B7578836D06A6D51BFED315486D8089;
Path=/zdm/; HttpOnly
Date: Fri, 09 Aug 2013 14:58:39 GMT
Content-Type: application/json
Content-Length: 40
XDM
{"response":"Credential properly saved"}
XMA
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
What is being uploaded?
• Uploading apps
From App Controller to Device Manager
POST /zdm/cxf/wsapi/package/10cbccea-8d27-4cc9-86ed-d43e7078bc8b
HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 323
{"application":{"options":{"remove_when_mdm_removed":true,"prevent_b
ackup_data":false},"id":"10cbccea-8d27-4cc9-86edd43e7078bc8b","type":"IPA","install_once":true,"required":false,"url":"http
s://appc28.amc.ctx:443/lscs/mobileapps/10cbccea-8d27-4cc9-86edd43e7078bc8b/WorxMail-Release-1.2-162.ipa?SID=7175718355373095794"}}
© 2013 Citrix | Confidential – Do Not Distribute
XDM
Uploading
MDX / Web /
SaaS
XMA
Integration with XenMobile Device Manager
What is being uploaded?
• Uploading apps
ᵒ If app already exists – HTTP 500 Error
ᵒ Otherwise, HTTP 200 OK
Already
have it!
From Device Manager to App Controller
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=88D0391354052CD4A12901521A02C22D;
Path=/zdm/; HttpOnly
Date: Fri, 09 Aug 2013 14:58:39 GMT
Content-Type: application/json
Content-Length: 64
Connection: close
{"error":{"description":"Package ID already exists","code":201}}
© 2013 Citrix | Confidential – Do Not Distribute
XDM
XMA
Integration with XenMobile Device Manager
What is being uploaded?
• Upload NetScaler Gateway URL
ᵒ If remote access is disabled, then, AppC URL is
provided
From App Controller to Device Manager
POST /zdm/cxf/wsapi/configuration/appcfqdn HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 25
XDM
AppC /
NetScaler
FQDN
{"fqdn":"agdara.amc.ctx"}
XMA
© 2013 Citrix | Confidential – Do Not Distribute
Integration with XenMobile Device Manager
What is being uploaded?
• Upload NetScaler Gateway URL
ᵒ If remote access is disabled, then, AppC URL is
provided
FQDN Set!
From Device Manager to App Controller
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2C4B7B47E6617751B700F1471068DBB0;
Path=/zdm/; HttpOnly
Date: Fri, 09 Aug 2013 14:58:40 GMT
Content-Type: application/json
Content-Length: 50
XDM
{"response":"fqdn properly set to agdara.amc.ctx"}
XMA
© 2013 Citrix | Confidential – Do Not Distribute
Integration with GTA
• Support email = help desk
email address
• Support phone = help desk
phone number
• GoToAssist Chat =
GoToAssist token for chat
services
• GoToAssist Ticket =
GoToAssist ticket
generated from portal
© 2013 Citrix | Confidential – Do Not Distribute
Branding Your Store
© 2013 Citrix | Confidential – Do Not Distribute
Receiver Email Template
• Do not use this option for Worx Home!
• The Provisioning File (.cr) is only
compatible with Citrix Receiver (mobile or
desktop)
© 2013 Citrix | Confidential – Do Not Distribute
Google Play Store Apps
• To allow App Controller
download data from Google
Play store
• Typo on App Controller UI
• Type on Android phone dialpad *#*#8255#*#*
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse vs. MicroVPN
Secure Browse
• Client-side rewrite
feature to access
intranet sites
• Available on Receiver
for iOS 5.6.1 or later
• Must use NetScaler
Gateway 10 (build
69.4 or later)
© 2013 Citrix | Confidential – Do Not Distribute
MicroVPN
• On-demand application
VPN tunnel between
mobile device and
NetScaler Gateway
• Available on Receiver
for Android 3.1 or later
and Receiver for iOS
5.7
• Supported with Worx
Home and MDX-apps
• Must use NetScaler
Gateway 10 (build 69.4
or later)
WorxWeb
• Native iOS/Android
mobile browser
application
• Securely connects to
corporate network
using on-demand
MicroVPN tunnel
• Must use NetScaler
Gateway 10 (build
69.4 or later)
How do I connect to intranet sites?
iOS /
Android
WorxWeb
installed?
Yes
Connect
via
MicroVPN
© 2013 Citrix | Confidential – Do Not Distribute
No
Worx
Home
iOS?
Yes
Needs
WorxWeb
No
Worx
Home
Android?
Yes
Connect
via
Webkit
No
Secure Browse
NetScaler Gateway Configuration
• By default, Secure Browse is enabled
on NetScaler
ᵒ Global Settings
ᵒ Session Policy
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse
NetScaler Gateway Configuration
• By default, Secure Browse is enabled
on NetScaler
ᵒ Global Settings
ᵒ Session Policy
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse
Example
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse
Example
• Initial request from Citrix Receiver to NetScaler Gateway:
GET https://ag10716b.adolfolab.ctx/AGServices/rewriteMode HTTP/1.1
Host: ag10716b.adolfolab.ctx
User-Agent: CitrixReceiver
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa643300904253245525d5f4f58455e445a4a42;
NSC_FSSO=1; pwcount=2
Connection: keep-alive
Proxy-Connection: keep-alive
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse
Example
• If Secure Browse is enabled, NetScaler Gateway will respond with the
following:
HTTP/1.1 200 OK
Content-Length: 23
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
SB:SecureBrowse
RW:cvpn
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse
Example
• If Secure Browse is disabled, NetScaler Gateway will respond with the
following:
HTTP/1.1 200 OK
Content-Length: 23
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
RW:cvpn
© 2013 Citrix | Confidential – Do Not Distribute
Secure Browse
Example
• Citrix Receiver will start the rewrite on the client-side:
GET https://ag10716b.adolfolab.ctx/SecureBrowse/http/web.cloud.ctx:8080/index.html HTTP/1.1
Host: ag10716b.adolfolab.ctx
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
X-Citrix-Gateway: ag10716b.adolfolab.ctx
CitrixSecureBrowserIOS: YES
Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa643300904253245525d5f4f58455e445a4a42;NSC_FSSO=1;pwcount=2;
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
© 2013 Citrix | Confidential – Do Not Distribute
Considerations
• Secure Browse will work as long as you have
Clientless Access (CVPN) enabled on NetScaler
• If CVPN is disabled, Secure Browse will not work
• If Secure Browse is disabled, Citrix Receiver will
use CVPN to connect to resources
© 2013 Citrix | Confidential – Do Not Distribute
MicroVPN
MicroVPN
• On-demand application VPN tunnel between mobile
device and NetScaler Gateway
• Platforms supported
ᵒ Android
ᵒ iOS
• MDX-apps support
ᵒ WorxMail
ᵒ WorxWeb
• Receivers that support Microvpn
ᵒ Worx Home 8.5
ᵒ Receiver for Android 3.1 or later
ᵒ Receiver for iOS 5.7 or later
© 2013 Citrix | Confidential – Do Not Distribute
MicroVPN
How does it work?
• Receiver POST Credentials to NetScaler Gateway
POST https://50-23-246-210.mycitrixdemo.net/cgi/login HTTP/1.1
Host: 50-23-246-210.mycitrixdemo.net
User-Agent: CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiveriPad CFNetwork Darwin VpnCapable
Content-Length: 24
Accept: */*
X-Citrix-Gateway: https://50-23-246-210.mycitrixdemo.net
© 2013 Citrix | Confidential – Do Not Distribute
MicroVPN
How does it work?
• The fact that Receiver sends a VPN Capable User-Agent:
CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork
Darwin VpnCapable
• Access Gateway returns the /cgi/setclient?
For iOS: HTTP/1.1 302 Object Moved
Location: /cgi/setclient?iosc
Set-Cookie:
NSC_AAAC=55f4f4d9926e4b6533f6033
24b45fa1f0311fe8c345525d5f4f58455
e445a4a42;Secure;HttpOnly;Path=/
© 2013 Citrix | Confidential – Do Not Distribute
For Android:
HTTP/1.1 302 Object Moved
Location: /cgi/setclient?andr
Set-Cookie:
NSC_AAAC=55f4f4d9926e4b6533f6033
24b45fa1f0311fe8c345525d5f4f58455e
445a4a42;Secure;HttpOnly;Path=/
Troubleshooting
App Controller
Troubleshooting
• Troubleshooting menu from console
• Network Utilities
• Advanced logging tracing
• Support Bundle to log collection and traces
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
• Troubleshooting menu available
under the new console Main Menu
(option 3)
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Troubleshooting Menu
• Network Utilities
ᵒ PING, ARP, Routing Table and others
• Logs
ᵒ Admins can review the last 1000 lines
of log
ᵒ Provides advanced logging settings for
specific modules
• Support Bundle
ᵒ Collects all AppController logs, core
dumps and network traces
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Network Menu
• Network information
• Show Routing Table
• Show ARP Table
• PING
• Traceroute
• DNS lookup
• Network Trace
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Network Information
• Displays detailed information
of network adapters
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
IP address
Subnet mask
MAC address
MTU size
Adapter state (UP/DOWN)
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Routing Table
• Displays routes information associated with AppController
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
ARP Table
• Displays Address Resolution Protocol (ARP) information
associated with AppController
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
PING
• Test by sending ICMP packets from AppController VM to a
destination host
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Traceroute
• Test by sending ICMP packets from AppController VM to a
destination host and count the number of hops
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
DNS Lookup
• Test Domain Name Resolution (DNS) from AppController to
destination host
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Network Trace
• Capture network traces in pcap format on one or more interfaces
• Supports filtering options
• Press Enter to stop network tracing
• Network traces can only be extracted via the Support Bundle
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Logs Menu
• Advanced logging settings to trace
specific AppController modules
• For more information, please refer to
http://kb.citrite.net/article/CTX128435
• Option 5 displays the last 1000 lines
of logging entries
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Support Bundle Menu
• Provide Admins collection all
AppController logs and network
traces in a compressed file (.ZIP)
• Admins have the choice to encrypt
the Support Bundle (optional)
• To extract the Support Bundle
ᵒ Upload via FTP
ᵒ Upload via SCP
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Generate Support Bundle
• Admins have the option to encrypt or not the Support Bundle
• Support Bundle filename will contain date/time, IP address and compression
format extension (.ZIP)
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Upload Support Bundle
• Admins have the option to upload it via
FTP or SCP
• For more information on how to upload
it via FTP, please refer to
http://support.citrix.com/article/CTX128
855
• Admins have to enter FTP server
hostname and location where to upload
the file
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Upload Support Bundle via FTP
• Admins have to enter FTP server hostname, user credentials and location
where to upload the file
© 2013 Citrix | Confidential – Do Not Distribute
Troubleshooting
Support Bundle Contents
• Sas_core – core dumps
• Sas_log – management, system, debug, informational
logs
• Sas_trace – network traces
• Sys_info – AppController system information
ᵒ
ᵒ
ᵒ
ᵒ
ᵒ
ARP entries
Disk space usage
Interface configuration
Routing table
Running processes
• Var_log – authentication, daemon, kernel, mail, system
and user logs
© 2013 Citrix | Confidential – Do Not Distribute
Work better. Live better.
