Citrix Day 2013: Citrix Enterprise Mobility
TRANSCRIPT
Citrix Enterprise Mobility: XenMobile Enterprise, Architecture, Components and more
October 30th 2013
© 2013 Citrix
Agenda
• Quick Overview
• Enterprise Mobility Management
• Components, Architecture and Communications
• Administrator and User POV
• Tips and Tricks
What Does an Enterprise XenMobile Solution Consist of?
[Architecture diagram] Components shown: Mobile Devices, NetScaler Gateway, XDM Server, XMA Server, Servers, and ShareFile (a cloud file sharing service).
What Problems Does XenMobile Help You Solve?
• Data Management: secure data through device encryption, authentication, app containerization and cloud file services
• App Management: manage what applications are on the device, who can access the apps and how they access data
• Device Management: push policies to the device such as passcode or disable camera; control the device through actions such as lock or selectively wipe device
Device Management Components
[Architecture diagram] Mobile Enroll and WorxHome on the device; NetScaler in the DMZ; XDM Server providing Device Management and the App Store (Web clips, Public Apps); ActiveSync Filter (XNC); Exchange.
Supported Device Platforms
The XenMobile Device Manager supports the following platforms:
ᵒ iOS
ᵒ Android
ᵒ Windows 8 Phone
ᵒ Windows 8 Tablet
ᵒ Windows Mobile
ᵒ Symbian
Device Management - Demo
XenMobile MDM HA Architecture
[Architecture diagram] Mobile Enroll and WorxHome connect through NetScaler in the DMZ to an XDM Cluster (XDM nodes, Active-Passive) behind a Load Balancer, with SQL.
Device Management Details
[Architecture diagram] NetScaler (DMZ); XDM Server with Device Management and App Store (Web clips, Public Apps); WorxHome; ActiveSync Filter (XNC); Exchange; SQL; Active Directory. Labelled flows: Auth + User / Group Info, Appstore Traffic, Mail invitations.
XenMobile AppC Architecture
[Architecture diagram] Mobile Enroll and WorxHome reach the XMA through NetScaler in the DMZ; the XMA App Store publishes SaaS Apps, MDX Apps and HDX Apps.
XenMobile AppC Clustering
[Architecture diagram] Mobile Enroll and WorxHome connect through NetScaler (DMZ) to a Load Balancer in front of an AppC HA Pair (XMA Prim./Active as Cluster Head, XMA Sec./Passive) and an XMA Service Node. Ports shown: 443 (AppC HA Pair), TCP 9736, 443 (AppC VIP), TCP 9737 (Service Node).
XenMobile AppC Architecture – Integrated Mode (Optional)
[Architecture diagram] Mobile Enroll, ShareFile and WorxHome connect through NetScaler in the DMZ; behind it sit StoreFront, XenApp, XenDesktop, XDM, XMA and the ActiveSync Filter (XNC).
XenMobile NetScaler Gateway Architecture
[Architecture diagram] The NetScaler Gateway VIP fronts several virtual servers (V Server) providing AAA, VPN, cVPN and “special” tunnels such as STA.
NetScaler Gateway Demo
XenMobile AppC Architecture (authentication flows)
[Architecture diagram] NetScaler virtual server (V Server) with Micro VPN; XMA Auth against Active Directory (Auth, User/Group attributes); Workflow with Mail approval; Exchange and Web back ends.
Citrix Native Apps
• WorxHome as “Hub”: Enterprise Authentication, Micro-VPN, Secure Storage, Constrained Execution
• Other Native Apps: Native 3rd Party, Native Your App
• Remote Apps: Web Apps, HDX Apps*
* HDX Apps require Receiver for ICA/HDX
MDX Architecture
[Architecture diagram] Managed apps (app one, app two) each run inside the MDX Framework with their own app private data vault, communicate over Secure IPC, and share a shared data vault with vault encryption; Worx Home handles logon and policies; a Secure Network Tunnel runs to NetScaler Gateway and XenMobile.
MDX Framework provided by either:
1. Wrapping toolset
2. Directly compiled SDK
MDX Application Behavior
[Flow diagram] App Startup → Check Policies → Need to login? → Encryption / VPN / Policies applied to Device Storage, Network Access and Inter App Comms.
MDX VPN Access
[Architecture diagram] The app reaches Internal Services through NetScaler (VPN, cVPN, STA); XMA provides Authentication and Policy Control.
MDX Toolkit - System requirements
• JDK v1.7
• Android SDK
• Android APK Tool
• Digitally Signed Certificate
• iOS Distribution Provisioning Profile
• Certificate
• Xcode command-line tools
Application Management - Demo
Tips & Tricks: Helpful information
• E-Docs is your friend
• http://support.citrix.com/product/xm/v8.5
Tips & Tricks: Worx Home vs. Receiver
[Feature comparison table, Worx Home vs. Receiver; the tick marks were not captured] Features compared:
• MDM Registration
• AppC Registration
• GoToAssist remote support
• Provisioning File
• Email-based account discovery
• MDX apps access
• HDX apps access
• Secure Browse support
• MicroVPN support
Network Ports Overview
[Port diagram: Internet Zone | firewall | DMZ Zone | firewall | Corporate LAN Zone] Components: NetScaler (NSIP, AG VIP, SNIP, LB VIP), StoreFront, XA/XD, AppController, XDM, XNC, StorageZoneController, DNS & NTP, Active Directory, Exchange, CIFS, SharePoint, SQL, MS CS, Web & SaaS Apps, Apple App Store, Google Play Store. Ports shown: 80/443 (App Specific), 443, 8443, 80 for downloads, 443 for Form-Fill auth, 389/636, DNS 53, NTP 123, 2195 & 2196, 5223 (iOS only), 1494 / 2598, 1433, 445, 9080.
Tips & Tricks: NetScaler Gateway SSO
• NetScaler Gateway Single Sign-on (SSO), or callback, is used by StoreFront or App Controller to request the user credentials from NetScaler Gateway
• The Callback URL requires a secure connection (HTTPS) back to the AG virtual server that authenticated the user (in most cases)
• The Callback URL can be another NG virtual server on the same NG VPX/MPX
• Example: https://NG-VIP-FQDN/CitrixAuthService/AuthService.asmx (case sensitive)
Tips & Tricks: What to check for SSO? AppController & StoreFront
• Ensure the External URL matches the AG URL users will enter in their web browsers or Receiver
• The Callback URL needs to resolve back to the AG that authenticated the end user
Certificates
• Being used all over in the XM world
ᵒ XDM Server: WEB / HTTPS, Device Certs
ᵒ AppC: WEB / HTTPS, SAML
ᵒ Netscaler: WEB / HTTPS
ᵒ XenDesktop / XenApp / Storefront: WEB / HTTPS
Secure Browse, Micro-VPN and WorxWeb
Secure Browse
• Client-side rewrite feature to access intranet sites
• Available on Receiver for iOS 5.6.1 or later
• Must use NetScaler Gateway 10 (build 69.4 or later)
Micro-VPN
• On-demand application VPN tunnel between mobile device and NetScaler Gateway
• Available on Receiver for Android 3.1 or later and Receiver for iOS 5.7
• Must use NetScaler Gateway 10 (build 69.4 or later)
WorxWeb
• Native iOS/Android mobile browser application
• Securely connects to corporate network using on-demand Micro-VPN tunnel
• Must use NetScaler Gateway 10 (build 69.4 or later)
Tips & Tricks: How does the endpoint know if Secure Browse is available?
• Secure Browse is enabled by default
• WorxHome requests:
ᵒ GET https://FQDN/AGServices/rewriteMode HTTP/1.1
• NetScaler Gateway responds (the SB: line is present only when Secure Browse is available):
HTTP/1.1 200 OK
Content-Length: 23
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain

SB:SecureBrowse
RW:cvpn

HTTP/1.1 200 OK
Content-Length: 23
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain

RW:cvpn
Tips & Tricks: How does the endpoint indicate support for micro VPN?
• Receiver / WorxHome HTTP POST to NetScaler Gateway (note the VpnCapable token in the User-Agent):
POST https://FQDN/cgi/login HTTP/1.1
Host: FQDN
User-Agent: CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
• NetScaler Gateway responds (iOS client):
HTTP/1.1 302 Object Moved
Location: /cgi/setclient?iosc
Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/
• NetScaler Gateway responds (Android client):
HTTP/1.1 302 Object Moved
Location: /cgi/setclient?andr
Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/
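As an added example (not Citrix code and not from the deck), the following shows how a client-side or monitoring check could interpret the two gateway exchanges from the previous two slides: the rewriteMode reply that advertises Secure Browse, the VpnCapable User-Agent token, and the /cgi/login redirect whose Location hints at the platform and whose AAA cookie should carry Secure and HttpOnly. The sample messages are constructed from the slide text and the cookie token is a placeholder.

```python
# Constructed samples, built from the exchanges quoted on the slides (not real captures).
REWRITE_MODE_BODY = "SB:SecureBrowse\nRW:cvpn"        # GET /AGServices/rewriteMode reply
REWRITE_MODE_BODY_NO_SB = "RW:cvpn"                   # the same reply without the SB line
USER_AGENT = ("CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) "
              "CitrixReceiver-iPad CFNetwork Darwin VpnCapable")
LOGIN_REDIRECT = (                                    # POST /cgi/login reply; token is a placeholder
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: /cgi/setclient?iosc\r\n"
    "Set-Cookie: NSC_AAAC=<SESSION-TOKEN-PLACEHOLDER>;Secure;HttpOnly;Path=/\r\n"
    "\r\n"
)


def parse_rewrite_mode(body: str) -> dict:
    """Split the text/plain 'KEY:value' lines into a dict, e.g. {'SB': 'SecureBrowse', 'RW': 'cvpn'}."""
    modes = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            modes[key.strip()] = value.strip()
    return modes


def secure_browse_available(body: str) -> bool:
    """Secure Browse is advertised only when the SB:SecureBrowse line is present."""
    return parse_rewrite_mode(body).get("SB") == "SecureBrowse"


def client_is_vpn_capable(user_agent: str) -> bool:
    """The endpoint signals micro-VPN support with the literal User-Agent token 'VpnCapable'."""
    return "VpnCapable" in user_agent.split()


def parse_login_redirect(raw: str) -> dict:
    """From the /cgi/login 302, pull the client platform hint and the AAA cookie's flags."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line; stop at the blank line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    platform = headers.get("location", "").partition("?")[2]   # 'iosc' (iOS) or 'andr' (Android)
    cookie = [p.strip() for p in headers.get("set-cookie", "").split(";")]
    return {
        "platform": platform,
        "cookie_name": cookie[0].partition("=")[0],
        "secure": "Secure" in cookie,      # flags a defender wants to see on the session cookie
        "httponly": "HttpOnly" in cookie,
    }
```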
Tips & Tricks: Using STA with WorxMail
• Mail typically operates in a 24/7 mode, so using mVPN may have an impact on battery life.
• STA in AppC has additional features specifically for WorxMail; the main difference is a “ticket table” to keep track of the tickets
• AppC STA allows proxying TCP connections to CAS / Exchange via SOCKS5
Note: This is used (supported) exclusively for WorxMail, even though in theory other apps could leverage this method too
Tips & Tricks: Using STA with WorxMail
• Configure the “new” STA for WorxMail at the NetScaler Gateway
[Screenshot] Add the AppC URL to the STA list
Tips & Tricks: Using STA with WorxMail
• Configure the WorxMail policies at the AppC
[Screenshot] Add the following information:
ᵒ Background Network Services (including port number)
ᵒ Ticket Expiration
ᵒ Services Gateway (NG FQDN)
Questions / Discussion
Work better. Live better.