INT-XenMobile XDM and NetScaler Integration High Availability and

Services
NetScaler 10.1
XenMobile XDM and NetScaler Integration
High Availability and ActiveSync Filtering
Hands-on lab exercise guide
04/2013 – Version 1.0
Table of Contents
Table of Contents (p. 2)
Overview (p. 3)
Exercise 1: External access to XDM components (p. 4)
Exercise 2: Front-ending Microsoft Exchange deployments with NetScaler (p. 14)
Exercise 3: Installing and configuring XenMobile NetScaler Connector (p. 21)
Exercise 4: Device enrollment and MDM policy configuration (p. 29)
Exercise 5: Configuring “Callout” to enforce XDM mail delivery policies (p. 39)
Exercise 6: Configuring MDM policies to enforce email security for ActiveSync enabled devices (p. 47)
Exercise 7: Optimizing and securing the “Callout” evaluation (p. 56)
Overview
Hands-on Training Module
This training module has the following details:
Objective
• Provide hands-on experience with the new features included in NetScaler 10.1
• Highlight some of the solutions that can be accomplished by the new features included in NetScaler 10.1
• Provide additional documentation on the required components for some of the features in order to successfully implement NetScaler 10.1.
Audience
Primary: Citrix Sales Engineers, Consultants, and Support Team members
Lab Environment Details
This section is used to describe the lab environment and the virtual machines that are used.
Machine          Details
XenServer        Hosts virtual machines
Client           Thin-Client Notebook
Tools VM         Virtual Machine with the workshop tools installed
Windows 7        Virtual Machine
Demo Linux (1)   Virtual Machine (will be created during the workshop)
Required Lab Credentials
Below are the login credentials required to connect to the workshop system and complete the lab
exercises.
Machine
PVS1
XenServer
Tools VM
Windows 7
Demo Linux (1)
Username
root
user
user
root
Password
citrix
citrix
citrix
citrix
Exercise 1: External access to XDM components
Overview
XenMobile Device Manager is one of the key components of the XenMobile solution. Simpler deployments usually contain a single XDM server; however, for high availability, it is recommended to have multiple servers. One of the key functions of XDM is to provide device enrollment services, and this requires that the end-point devices establish an SSL handshake directly with the XDM server. In order to load balance these components, an SSL_BRIDGE configuration is required: it provides simple TCP offloading (SSL passthrough, with no SSL termination on the NetScaler) while still allowing the mobile device to complete the SSL handshake with the corresponding XDM server.
In this lab, we will configure external access using SSL to this component of the XenMobile solution bundle. These instructions can be reused to add additional services for a full load-balancing setup.
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1. Once logged in at the self-paced portal, click the Start lab button to launch a connection to published XenCenter.
2. When XenCenter loads, right-click the XenCenter node and select Add…
3. On the Add New Server screen, enter the XenServer IP address provided on the portal and in the Password field enter the password provided on the portal. The user name will always be root.
4. In XenCenter, click on the Site1-Win8Client VM and choose the Console tab. Login with the following credentials:
Username: TRAINING\Administrator
Password: Citrix123
NOTE: For better performance, switch to a Remote Desktop connection.
5. Login to the Site1-Win8Client with the following credentials:
Username: Administrator
Password: Citrix123
6. Click on the Desktop tile.
7. Check that the XenMobile Device Manager (XDM) component was installed by accessing the XDM console. Open IE and navigate to the following URL:
http://192.168.10.13/zdm/
Username: Administrator
Password: Citrix123
8. Click on the Policies tab. The external FQDN should be displayed. This tells us that the product was installed and customized correctly for this environment.
NOTE: The FQDN shown below will be different from the one in your environment. Please refer back to the Student portal page for a list of external FQDNs assigned to your lab.
Next, we will allow external access to the XDM components. For this we will use the NetScaler appliance to allow SSL connections to the XDM servers on ports TCP-443 (XenMobile Device Manager UI) and TCP-8443 (XenMobile device enrollment).
9. Open IE and navigate to the NetScaler Administration UI using the default credentials:
http://192.168.10.50
Username: nsroot
Password: nsroot
10. First, create the Subnet IP for the NetScaler to contact backend resources. Navigate to Configuration -> System -> Network -> IPs -> Add
IP Address: 192.168.10.51
Netmask: 255.255.255.0
IP Type: Subnet IP
Click Create.
11. Navigate to Configuration -> Settings -> Configure Basic Features and enable the following options: SSL Offloading, Load Balancing.
12. Navigate to Configuration -> Settings -> Configure Advanced Features and enable the following options: Responder.
13. Next we will create the Server Object for XenMobile. Navigate to Configuration -> Traffic Management -> Load Balancing -> Servers -> Add. Use the following parameters:
Name: XenMobile
IPAddress: 192.168.10.13
Click Create and Close to continue.
NOTE: XenMobile Device Manager (XDM) requires all mobile devices to establish an SSL handshake directly with the MDM server. We need to configure an SSL_BRIDGE setup in order for devices to register correctly with the server.
14. Create the SSL_BRIDGE service on TCP port 443. In the NetScaler UI, navigate to Configuration -> Traffic Management -> Load Balancing -> Services -> Add. Use the following parameters:
Service Name: XenMobile_SVC
Server: XenMobile
Protocol: SSL_BRIDGE
Port: 443
Monitor: TCP
Click Create and then Close.
15. Device enrollment requires access to an additional TCP port on the XDM server. Add another service for TCP port 8443:
Service Name: XenMobileEnroll_SVC
Server: XenMobile
Protocol: SSL_BRIDGE
Port: 8443
Monitor: TCP
Click Create and then Close to finish.
16. Next, create the XenMobile virtual server listening on port TCP 443. Use the following parameters:
Vserver Name: XenMobile_vserver
Protocol: SSL_BRIDGE
Port: 443
Monitor: TCP
Service: XenMobile_SVC
Click Create and Close to finish.
17. Lastly, add the XenMobile virtual server listening on port 8443.
Vserver Name: XenMobileEnroll_vserver
Protocol: SSL_BRIDGE
Port: 8443
Monitor: TCP
Service: XenMobileEnroll_SVC
We will now test external access to these components. From your workstation (external device), navigate to the FQDN of the second public IP address provided. This is located in the student portal.
18. From an external browser, enter the corresponding URL for the 2nd Public IP address in the address bar. Login with the following credentials:
Username: Administrator
Password: Citrix123
You should be able to login without receiving any SSL warnings.
19. This completes this exercise. Next, we will configure external access to Exchange 2010 by SSL offloading with NetScaler.
Summary
Key Takeaways
The key takeaways for this exercise are:
• SSL_BRIDGE is required to successfully front-end the XDM component.
• Multiple services can be bound to the virtual server in order to provide redundancy. Use SSLSESSIONID or SRCIP persistence depending on the requirements.
Exercise 2: Front-ending Microsoft Exchange deployments with NetScaler
Overview
In order to enforce mail delivery policies for external mobile devices, the NetScaler appliance needs to be the front-end device for the internal Microsoft Exchange infrastructure. In this exercise, we will complete the necessary configuration on the NetScaler appliance as well as on the Exchange server for the deployment to be externally accessible.
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1. In the Site1-Win8Client VM, open a new instance of IE and navigate to the OWA URL to verify that Exchange 2010 was correctly provisioned:
https://ex1.training.lab/owa/
Username: TRAINING\User1
Password: Citrix123
Since this is the first time accessing the user’s mailbox, accept the defaults for language and time-zone.
If you are able to login to the user’s mailbox, continue with the next step.
2. Go back to the NetScaler Configuration utility already opened in IE. Re-login with the following credentials, if the session has expired:
Username: nsroot
Password: nsroot
3. Next, we have to create the Exchange server object. Navigate to Configuration -> Traffic Management -> Load Balancing -> Servers -> Add. Use the following parameters:
Name: Exchange
IPAddress: 192.168.10.15
4. Proceed to create the associated services. On the NetScaler UI, navigate to Configuration -> Traffic Management -> Load Balancing -> Services -> Add.
First create the Exchange Service on port 443:
Service Name: Exchange_SVC
Protocol: SSL
Port: 443
Monitor: TCP
Click Create and then Close.
5. Next, let’s create the virtual server used for external access. Navigate to Configuration -> Traffic Management -> Load Balancing -> Virtual Servers -> Add
Vserver Name: Exchange_vserver
Protocol: SSL
Port: 443
Monitor: TCP
Service: Exchange_SVC
Continue with the next step.
6. Since this is an SSL virtual server, we need to bind a server certificate. For this lab, we will use a production SSL certificate already preloaded in the default configuration. Click on the SSL settings tab, and bind the wildcard.mycitrixtraining.net certificate.
Click Create and then Close.
7. From your workstation, open a browser instance (IE / Firefox / Chrome / Safari) and test connectivity to OWA by entering the external URL for IP#2:
https://your-dashed-fqdn.mycitrixtraining.net/owa/
Use the following credentials:
Username: TRAINING\user1
Password: Citrix123
You should be able to login and access the user’s mailbox.
8. Now, we will test connectivity from your mobile device using the ActiveSync protocol. Add a new Exchange account and configure email access using the following settings:
Since there are many different mobile device
Server: your-dashed-fqdn.mycitrixtraining.net
Email: user1@training.lab
Username: user1
Password: Citrix123
Domain: TRAINING
SSL enabled: YES
Port: 443
You should be able to access the user’s mailbox.
NOTE: On Android devices, the device will prompt you to allow the server to control some of the security features required when setting up a new Exchange account. Click OK to accept.
9. To test basic Exchange functionality across different clients, on your external workstation, go back to the OWA session you previously signed in to using the User1 account. Logout from that session and log back in with the credentials for User2.
Username: TRAINING\user2
Password: Citrix123
10. Send an email to user1@training.lab. Verify that you receive this email on your mobile device.
This concludes this exercise. Next, we will install and configure the XenMobile NetScaler Connector.
Summary
Key Takeaways
The key takeaways for this exercise are:
• In order for the NetScaler appliance to interface with the XenMobile Device Manager API, it uses an intermediary component called XenMobile NetScaler Connector
• The NetScaler leverages a new RESTful API via callout to enforce mail delivery policies according to the security requirements of the enterprise
Exercise 3: Installing and configuring XenMobile NetScaler Connector
Overview
One of the features XM offers is the ability to apply policies to mobile devices. The XenMobile solution leverages additional components to control whether external mail clients are allowed to retrieve mail from the Microsoft Exchange infrastructure, according to the applied policies. As part of a new component announced with NetScaler 10.1, the NetScaler appliance can interface with the XDM API through a new component labeled “XenMobile NetScaler Connector” (XNC). XNC provides a device-level authorization service for ActiveSync clients to the NetScaler, which acts as a reverse proxy for the Exchange ActiveSync protocol.
In this exercise, we will focus on installing the XNC component and configuring it properly to continue with the NetScaler integration configuration.
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1. In XenCenter, select the Site1-XenMobile VM and click on the Console tab. Login with the following credentials:
Username: TRAINING\Administrator
Password: Citrix123
2. Click on Start -> Run and open the following UNC path:
\\AD\Software\XNC\
3. Copy the XncInstall.zip file to the desktop.
4. Extract the content of this file and execute the installer.
5. Click Next to continue.
6. Accept the default options, agree to the license terms, and click Next to install the component. Click Next and then Close to finish.
7. Choose No when prompted to display the release notes.
8. Click Start and then open the XenMobile NetScaler Configuration utility.
9. In the XNC Configuration utility, select the Web Service tab and configure the listening address for the XNC service. Click Save and then Start the service.
NOTE: Since we have installed XNC on the XDM host, we do not require encryption between XNC and XDM, as that traffic will not be placed on the wire. We will choose HTTP and port 9080 for the configuration service. Keep in mind that the callout from the NetScaler to this port (configured in Exercise 5) does cross the network; Exercise 7 covers securing that path with SSL.
10. Since XDM uses SSL for its API, we need a valid FQDN that resolves to the server IP. Open the hosts file located at the following location:
C:\Windows\System32\drivers\etc
and add a new entry as follows:
192.168.10.13 your-dashed-fqdn.mycitrixtraining.net
11. Next, we have to define a provider. Go back to the XNC configuration utility and configure a new Provider using the following parameters:
Name: ZDM
Url: https://your-dashed-fqdn.mycitrixtraining.net/zdm/services/MagConfigService
Username: Training\Administrator
Password: Citrix123
Click Test Connectivity and Save to continue.
12. After you save the configuration, the utility prompts you to start the Configuration Service and Notification Services. Click OK to acknowledge each prompt.
13. Click on Start and select Run. Type services.msc to open the Services management console and start the required services.
14. The next step is to define the type of access to restrict. Since mobile devices use the ActiveSync protocol, highlight the Microsoft-Server-ActiveSync entry and click on Edit.
15. In the Policy option, select Static + ZDM: Block mode.
NOTE: These policies combine local (aka static) rules with those from ZDM. Block Mode means that all devices not explicitly identified by the rules will be blocked from accessing ActiveSync.
16. Click Save to finish.
17. Lastly, we need to allow XDM to report additional information to XNC via its API. From your workstation, access the XDM console using the following URL:
https://your-dashed-ip.mycitrixtraining.net/zdm/
Username: Administrator
Password: Citrix123
18. Once logged in, click on the Options link in the top right corner.
19. On the XenMobile Server Options, navigate to Modules Configurations -> Secure Mobile Gateway and enable the following filters:
Forbidden Apps: Deny
Implicit Allow / Deny: Allow
Click Close to commit the changes.
20. This concludes this exercise. Next we will configure the necessary callout policy on the NetScaler to interface with XNC and determine whether a user/device should be allowed or blocked from accessing the Exchange infrastructure using ActiveSync.
Summary
Key Takeaways
The key takeaways for this exercise are:
• In order for the NetScaler appliance to interface with the XenMobile Device Manager API, it uses an intermediary component called XenMobile NetScaler Connector
• The NetScaler leverages a new RESTful API via callout to enforce mail delivery policies according to the security requirements of the enterprise
Exercise 4: Device enrollment and MDM policy configuration
Overview
In order to apply ActiveSync policies, the mobile device needs to register with the XDM server. This requires installing the XenMobile Connect agent on the mobile device and completing the enrollment process. By default, our XenMobile Device Manager applies the following policies:
• Performs a software inventory and reports back to the MDM server
• Configures the XenMobile Connect agent to check in every 2 minutes (Android-only setting)
• Sets a 5-digit PIN requirement (already completed for Android devices; in our lab we will add it to the iOS package in order to get some practice configuring deployment package options)
• Offers the user the possibility to install the Citrix Receiver and GoToMeeting clients from the App Store
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1. First, let’s configure the PIN requirement policy for iOS devices in order for you to get familiar with the console. From your workstation, open a browser instance (IE/Chrome/Firefox/Safari) and login to the XDM console by navigating to the external URL corresponding to the 2nd external IP used in the previous exercise.
https://your-dashed-fqdn.mycitrixtraining.net/zdm/
Username: Administrator
Password: Citrix123
2. Depending on your platform (iOS/Android), labels for packages and other options change. In the following section, we will list the actions required for each platform.
3. In the XDM console, navigate to the Deployment tab.
For Android: Highlight the Base Android package and click Edit.
For iOS: the name of the package is Base iOS package. Highlight it and click Edit.
4. Select the Resources link on the left menu to jump to the policies bound to this deployment package.
5. For Android: Expand the MDM policies, select the Require Pin policy, and click Finish to commit the changes.
For iOS: Expand the Configurations node. Select “Require PIN” and add it to the Resources to Deploy list. Click on Finish to finalize the configuration.
6. Before sending notifications to mobile devices via email, we need to configure a notification SMTP server. In the XDM console, click on the Options link in the top right corner.
7. On the Options window, expand Notifications and highlight Notification Server. Select New -> SMTP server.
8. Complete the “Create a new SMTP configuration” dialog using the following parameters:
Name: Exchange
Description: Training.lab Exchange
SMTP Server: ex1.training.lab
SMTP port: 25
Secure Channel Protocol: None
No Authentication: Checked
From Name: Administrator
From Email: administrator@training.lab
Click Create to commit the changes and then Close to return to the XDM console.
9. It is time to register our devices with the MDM server. For this, we will send an enrollment invitation to User1.
Click on the Enrollment tab, select New -> Enrollment invitation
10. In the General tab, select your device platform (Android / iOS). For device ownership and enrollment mode select the following defaults:
Device Ownership: Employee
Enrollment Mode: Invitation URL
11. Click on the User tab. Fill in the user field with “user1”. Since we are using email for the enrollment invite, leave the Notification section empty.
12. The enrollment invite is created, but will not be sent immediately. In the Enrollment tab, check the box next to the new notification, and click on the Notify button.
13. Accept the prompt and send the notification.
14. On your device, you should have received an email with the enrollment URL. To make sure that we download the latest version of the agent, tap on the second link to download the package from the App Store for your device.
NOTE: The screenshot might change depending on your device/platform/Mobile OS version. This was tested on a Nexus 7 tablet running Android 4.2.2.
15. Install the Citrix Mobile Connect agent.
Android:
iOS:
NOTE: Once the application is installed, the device will prompt you to install the Citrix Mobile Enroll agent.
16. Once installed, open the application and complete the enrollment process by providing the following information:
Username: user1
Server: your-dashed-fqdn.mycitrixtraining.net
Password: Citrix123
NOTE: The device will prompt you to install additional profiles (iOS) or activate device administrators (Android). The prompts will be different depending on the platform/OS version/device type. Accept by installing the required profiles or adding the corresponding device administrators in order to complete the enrollment process.
17. In the Citrix Mobile Connect agent, your device should be able to display the applications pushed as part of the default packages as well as other settings in the configuration node.
For Android, inspect the Apps option and verify the applications appear on the list.
For iOS, open the Connect application and inspect the Configuration -> App Info option to verify the Connect status. Force a Refresh to check in with the server.
18. On your workstation, go back to the XenMobile console and inspect the Devices tab. Verify your device was registered.
19. Check if software inventory was performed on the device. Highlight the device and click on Edit.
20. Inspect the Software tab. Verify that all the installed applications show up on the list. We will use this information later when configuring additional mail policies.
21. This concludes this exercise. Next, we will configure the NetScaler to interface with XNC and allow or deny the user to get their mail.
Summary
Key Takeaways
The key takeaways for this exercise are:
• A device can be registered in multiple ways. The XDM server is able to contact the user via SMS or e-mail and send an enrollment URL to download the package directly from the server or the App Store. Alternatively, this can be completed manually by downloading the package directly and completing the enrollment process.
• By default no configuration is pushed to the mobile device. In our example, base packages have been provisioned to perform simple actions on the mobile device.
Exercise 5: Configuring “Callout” to enforce XDM mail delivery policies
Overview
In this exercise, we will complete the necessary configuration to leverage the callout feature and interface
with the XNC in order to enforce any mail delivery policies available to the device or user.
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1. In XenCenter, login to Site1-Win8Client. Open IE and login to the NetScaler administration utility with the following credentials:
http://192.168.10.50
Username: nsroot
Password: nsroot
2. Navigate to Configuration -> Traffic Management -> Load Balancing -> Services. Click on Add to create a new service for the XenMobile NetScaler Connector listening on port TCP 9080 using the following parameters:
Click Create and Close to commit the changes.
3. Next, we will create the vserver where we will bind the callout. Since this vserver will not receive live traffic, but only the callouts issued when evaluating an ActiveSync request, we can disable the Directly Addressable option.
Navigate to Configuration -> Traffic Management -> Load Balancing -> Virtual Servers. Click Add and configure a virtual server with the following parameters. Don’t forget to bind the service created in the previous step.
Click Create and then Close.
4. Now, we will create the HTTP callout. Navigate to Configuration -> AppExpert -> HTTP Callouts -> Add. Create a new callout with the following parameters:
Name: ActiveSyncFilter
Virtual Server: ActiveSyncFilter_vserver
Attribute-based: Checked
Return Type: TEXT
Expression to extract data from Response: HTTP.RES.BODY(20)
Do not click Create just yet! We need to define the Request Attributes for the callout to complete correctly. See next step.
5. In the Create HTTP Callout window, click on Configure Request Attributes.
6. In the Configure HTTP Callout Request Attributes window, configure the callout with the following parameters:
IMPORTANT: Please note that the user expression below has a SPACE " " after the keyword "Basic":
Method: GET
Host Expression: "callout.asfilter.internal"
URL Stem: "/services/ActiveSync/Authorize"
PARAMETERS
Name: user
Expression: HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE
Name: Agent
Expression: HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE
Name: url
Expression: ("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE
Name: resultType
Value: "json"
Click OK and OK to commit the changes.
7. Next navigate to Configuration -> AppExpert -> Responder -> Policies -> Add. Configure a Responder policy with the following parameters:
Name: ActiveSyncFilter
Action: Drop
Expression: HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(ActiveSyncFilter).CONTAINS("deny")
NOTE: The second clause excludes the callout’s own request (sent with the callout.asfilter.internal host) from the policy, so the callout cannot trigger itself.
Click Create and then Close.
8. Bind this Responder policy to the Exchange virtual server. Navigate to Configuration -> Traffic Management -> Virtual Servers. Open the properties of the Exchange_vserver, select the Policies tab, click on Responder, then Insert Policy, and bind the ActiveSyncFilter policy.
9. Click OK to commit the changes.
10. Go back to your mobile device and try to get your mail; you should be successful. Next we will create an application black list policy that restricts which packages may be present on the device in order for the user to be able to access their mailbox.
This concludes this exercise.
Summary
Key Takeaways
The key takeaways for this exercise are:
• All the components of the solution use an API to exchange information about the status of users and devices. This information can be used on the NetScaler to enforce security policies based on the device actions.
Exercise 6: Configuring MDM policies to enforce email security for ActiveSync enabled devices
Overview
In this exercise, we will configure MDM policies to determine device compliance based on the software
packages installed on the device. This information will be made available to the NetScaler appliance via the
XNC API in order to enforce email security policies.
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1. On your external workstation, open the XDM console by navigating to the following URL, which corresponds to your external IP #2:
https://your-dashed-fqdn.mycitrixtraining.net/zdm/
Username: Administrator
Password: Citrix123
2. Click on the Policies tab. Expand App Policies and highlight Applications Access Policies.
3. Click on New Applications Access Policy and create a new policy with the following parameters:
For Android:
Name: Android App Black List
Access Policy: Forbidden
OS type: Android
For iOS:
Name: iOS App Black List
Access Policy: Forbidden
OS type: iOS
4. Click on New app and enter the following information:
For Android:
App Name: Instagram
App package name: com.instagram.android
For iOS:
App Name: Instagram
App bundle ID: com.burbn.instagram
Click Create and Create again to commit the changes.
NOTE: This application will be used to determine if the device is in compliance. This lab requires that you install/uninstall the application multiple times to test the policy. If you would like to use another application, please note the package name exactly as it appears in the software inventory list.
Next, we will need to modify the deployment package to enforce these rules during the next agent check-in. This will determine the device compliance and modify the SMG status flag.
5. Click on the Deployment tab, highlight the package for your platform, click Edit, and navigate to the Resources option.
6. Expand Application Access Policy and select the App Black List for your platform as a Resource to Deploy. Click Finish to commit and deploy the package.
7. In the Application Access Policy settings, tick the checkboxes for each App Black List and click on Apply App List.
8. Package deployment might take a few minutes as it will be completed during the next agent check-in. If you would like to force an agent check-in, open the Citrix Mobile Connect application on your mobile device and complete the instructions below for your platform:
For Android: Tap on the Configuration -> Connection Status option to force an agent check-in.
For iOS: Tap on the Configuration -> Refresh option to force a policy refresh.
9. In a few minutes, the device will report its status to the XDM server. Go back to the XDM console and navigate to the Devices tab. Expand ActiveDirectory -> training.lab and highlight the Training Users container.
You will see that the devices are now flagged as blocked for the SMG status.
10. Go back to your mobile device and attempt to access the user’s mailbox. You should be denied access.
Android mail client:
iOS mail client:
11. To verify the configuration, let’s inspect the dynamic policies and logs in XNC. On the Site1-XenMobile VM, open the XenMobile NetScaler Configuration Console and click on the Policies tab.
12. In the upper right corner click on Refresh to get the latest policies from XDM.
13. Expand the ZDM (deny) node. You should see the list of devices on the deny list according to the SMG status being reported.
14. Click on the Log tab. Select All Actions from the menu and click Go. The XNC log should display the latest attempts from any device connecting through the NetScaler.
15. From your mobile device, attempt to access the user’s mailbox. You should receive the same denied message. Go back to the XNC Console log and click Go. New requests should appear on the list.
16. Now, on your mobile device, proceed to uninstall Instagram and force an agent check-in.
17. Wait a few minutes and inspect the SMG status on the XDM console. The system should have cleared the flag as the device is back in compliance.
18. Attempt to access the user’s mailbox. The mail client should be able to perform a full refresh.
This concludes this exercise.
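To show how the pieces from Exercise 3 (XNC in Static + ZDM: Block mode), Exercise 5 (the callout Request Attributes and the ActiveSyncFilter Responder expression) and this exercise (the SMG flag driven by the app black list) fit together, here is an added Python model; it is not Citrix or XNC code. It assumes that XNC identifies the device from the ActiveSync DeviceId query parameter carried in the base64 url attribute, and that it answers with a JSON body whose first key is result; device ids and inventories are constructed.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlsplit

# Values taken from the lab; the forbidden package names are the Exercise 6 black list.
CALLOUT_HOST = "callout.asfilter.internal"
CALLOUT_STEM = "/services/ActiveSync/Authorize"
FORBIDDEN_APPS = {"com.instagram.android", "com.burbn.instagram"}


def extract_user(authorization):
    """Model of HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").
    A missing, non-Basic or undecodable header yields "" rather than an error."""
    if not authorization or not authorization.startswith("Basic "):
        return ""
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""
    return decoded.split(":", 1)[0]


def build_callout(req):
    """Build the callout GET from the lab's Request Attributes (user, Agent, url, resultType).
    The lab's url attribute is plain B64ENCODE; it is percent-encoded here as well because
    '+' and '=' from standard base64 do not survive query-string parsing unescaped."""
    full_url = "https://" + req["host"] + req["url"]
    query = "&".join([
        "user=" + quote(extract_user(req.get("authorization")), safe=""),   # HTTP_URL_SAFE
        "Agent=" + quote(req.get("user-agent", ""), safe=""),
        "url=" + quote(base64.b64encode(full_url.encode()).decode(), safe=""),
        "resultType=json",
    ])
    return {"method": "GET", "host": CALLOUT_HOST, "url": CALLOUT_STEM + "?" + query}


def smg_status(inventory):
    """XDM Secure Mobile Gateway flag with the Exercise 3 filters (Forbidden Apps: Deny,
    Implicit Allow/Deny: Allow): blocked only while a black-listed app is installed."""
    return "blocked" if FORBIDDEN_APPS & set(inventory) else "allowed"


class Xnc:
    """XNC web service in 'Static + ZDM: Block mode': a device is allowed only when a static
    rule or the ZDM list explicitly allows it; anything not identified is blocked."""

    def __init__(self, static_allow=(), static_deny=()):
        self.static_allow, self.static_deny = set(static_allow), set(static_deny)
        self.zdm_allow, self.zdm_deny = set(), set()

    def refresh_from_xdm(self, xdm_devices):
        """Rebuild the ZDM(allow)/ZDM(deny) sets from each enrolled device's SMG status
        (xdm_devices maps a device id to its reported software inventory)."""
        self.zdm_allow = {d for d, inv in xdm_devices.items() if smg_status(inv) == "allowed"}
        self.zdm_deny = {d for d, inv in xdm_devices.items() if smg_status(inv) == "blocked"}

    def authorize(self, device_id):
        if device_id in self.static_deny or device_id in self.zdm_deny:
            return "deny"
        if device_id in self.static_allow or device_id in self.zdm_allow:
            return "allow"
        return "deny"  # Block mode: not explicitly identified by any rule

    def handle(self, callout):
        """Decode the url attribute and read the ActiveSync DeviceId query parameter (assumed to
        be how XNC identifies the device). The result key is kept first because the lab's
        callout only inspects HTTP.RES.BODY(20), the first 20 bytes of the reply."""
        params = parse_qs(urlsplit(callout["url"]).query)
        original = base64.b64decode(params["url"][0]).decode("utf-8")
        device_id = parse_qs(urlsplit(original).query).get("DeviceId", [""])[0]
        return json.dumps({"result": self.authorize(device_id)})


def responder_decision(req, xnc):
    """Model of the ActiveSyncFilter Responder policy (action Drop) bound to Exchange_vserver."""
    if not req["url"].startswith("/Microsoft-Server-ActiveSync"):
        return "FORWARD"    # OWA and other paths are never sent to the callout
    if req["host"] == CALLOUT_HOST:
        return "FORWARD"    # the .NOT clause: the callout's own request must not re-trigger the policy
    body = xnc.handle(build_callout(req))
    return "DROP" if "deny" in body[:20] else "FORWARD"   # SYS.HTTP_CALLOUT(...).CONTAINS("deny")


def demo():
    """Constructed walk-through of Exercise 6: user1's Android device is blocked while Instagram
    is installed and allowed again after the app is removed and the agent checks in."""
    xdm = {"ANDROID123": ["com.android.chrome", "com.instagram.android"]}   # constructed inventory
    xnc = Xnc()
    xnc.refresh_from_xdm(xdm)
    req = {
        "host": "your-dashed-fqdn.mycitrixtraining.net",
        "url": "/Microsoft-Server-ActiveSync?Cmd=Sync&User=user1&DeviceId=ANDROID123&DeviceType=Android",
        "authorization": "Basic " + base64.b64encode(b"user1:Citrix123").decode(),
        "user-agent": "Android/4.2.2-EAS-1.3",
    }
    while_installed = responder_decision(req, xnc)
    xdm["ANDROID123"].remove("com.instagram.android")   # user uninstalls Instagram, agent checks in
    xnc.refresh_from_xdm(xdm)
    after_removal = responder_decision(req, xnc)
    return while_installed, after_removal
```

Running demo() returns ("DROP", "FORWARD"), matching steps 10 and 18 above; note that a verbose XNC reply would push the result past the 20 bytes the callout extracts and silently defeat the CONTAINS("deny") check.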
Summary
Key Takeaways
The key takeaways for this exercise are:
• XNC queries the XenMobile Device Manager API to build a dynamic policy set.
• The NetScaler appliance uses this information to enforce email restriction rules.
Exercise 7: Optimizing and securing the “Callout” evaluation
Overview
In this exercise, we leverage the new support in NetScaler 10.1 to perform callouts over SSL as well as the
new Integrated Caching options to secure and optimize the callout policy result evaluation to avoid having
to query the XNC component on every single request.
Step by step guidance
Estimated time to complete this lab: XYZ minutes.
Step Action
1.
2.
3.
4.
5.
6.
7.
8.
9.
Summary
Key Takeaways
The key takeaways for this exercise are:
• Callouts over HTTPS are now possible in NetScaler 10.1
• New options in the callout configuration allow us to cache the result without overloading the web service providing the results for the callout policy. This is a desirable configuration for any customer implementation.
Revision History
Revision   Change Description   Updated By      Date
1.0        Original Version     David Jimenez   04/18/2018
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service
technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3)
and Citrix Online Services product families radically simplify computing for millions of users, delivering applications
as an on-demand service to any user, in any location on any device. Citrix customers include the world’s largest
Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses
and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries.
Founded in 1989, annual revenue in 2008 was $1.6 billion.
http://www.citrix.com
© 2013 Citrix Systems, Inc. All rights reserved. Citrix®, Citrix Delivery Center™, Citrix Cloud Center™,
XenApp™, XenServer™, NetScaler®, XenDesktop™, Citrix Repeater™, Citrix Receiver™, Citrix Workflow
Studio™, GoToMyPC®, GoToAssist®, GoToMeeting®, GoToWebinar®, GoView™ and HiDef Corporate™ are
trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States
Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of
their respective owners.