Author: Jeroen J.V Lebon
Citrix Cloud XenMobile Service Onboarding Handbook
Citrix Systems Netherlands BV
Spaces Zuidas, 5th floor
Barbara Strozzilaan 201
1083 HN
Amsterdam
Phone: +31 (0)20 302 3400
E-mail: [email protected]
Web: http://www.citrix.nl
Customer Name
Index
Versioning
Terminology
Introduction
References
Why XenMobile Service from Citrix Cloud?
XenMobile Service Features
XenMobile Service Editions
XenMobile Service High Level Architecture
XenMobile Service Traffic Flow
XenMobile Service Cloud Connector Traffic Flow
Citrix Cloud Trial Request for XenMobile Service and ShareFile
Sign up for Citrix Cloud with an existing Citrix Account
Sign up for Citrix Cloud if you don’t have a Citrix Account
Fill in the required information and accept the Terms of Service to create a Citrix Cloud account.
Select a Home Region that best suits your Performance and Business needs
Request your XenMobile License Entitlement
Request a XenMobile Service Trial
XenMobile Service Trial Sales Engineer engagement
We need more information about how to setup your XenMobile Cloud site.
Citrix ShareFile Trial Request
Starting your XenMobile Service Trial by specifying your Site details
Starting the Configuration
Configure MDM
Site Name
Cloud data center region
OPTIONAL – Limit XenMobile console access to:
Completing the Request
Preparing the Citrix XenMobile Service and ShareFile Prerequisites
Citrix Cloud Connector Requirements
Server Requirements
Platform Requirements
Citrix Cloud Resource Location Setup
Setting Up the default Resource Location
Citrix Cloud Connector Setup
Download Citrix Cloud Connector
Installation Requirements
The following occurs during installation
Complete the Citrix Cloud Connector Setup
Citrix NetScaler Requirements
NetScaler Requirements
NetScaler Platform Requirements
NetScaler MAM Requirements
NetScaler ShareFile Requirements
ShareFile Requirements
ShareFile StorageZones Controller Requirements
ShareFile StorageZones Controller Server Role Requirements
ShareFile Platform Requirements
Customer Infrastructure Components
Infrastructure Components Reference Table
Network and Firewall Requirements
Open ports from Internal Network to Citrix Cloud
Open ports from Internet to DMZ
Open ports from DMZ to Internal
Open ports from Internal to DMZ
Open ports from DMZ to Internet
Open ports from Internal to Internet
Open ports from Corporate WIFI to Internet
Port requirement for Auto Discovery Service connectivity
Certificate Pinning Prerequisites
Google/Apple/Microsoft Requirements
Apple
Google
Microsoft
Deployment Use Cases
Deployment Scenarios
XenMobile Service MDM Pilot Test Cases Example
Pilot MDM Test Matrix
XenMobile Secure Productivity Apps/MDX Pilot Test Cases Example
Pilot XenMobile Secure Productivity Apps/MDX Test Matrix
Versioning
Version History
Version | Status | Date | Description | Author
1.0 | Ready to publish | 26 December 2017 | | Jeroen J.V Lebon
1.1 | Draft | 5 February 2018 | Update | Jeroen J.V Lebon
1.2 | Draft | 4 April 2018 | Update | Jeroen J.V Lebon
Name | Title | Role
Jeroen J.V Lebon | Senior Sales Engineer – Mobility Specialist | Author
Christopher Friend | Field Readiness Manager, EMEA Field Readiness | Contributor / Reviewer
Jaromir Kirson | Lead Sales Engineer, Key Account Managers | Contributor / Use cases
Justin Maeder | Product Manager, XenMobile Service | Contributor / Reviewer
Kathy Paxton | Content Developer | Contributor / Reviewer
Team | Citrix XenMobile Rapid Deployment | Contributor / Reviewer
Terminology
Term Definition
Customer Refers to (customer name) and its representatives
Citrix Refers to Citrix Systems and its representatives
CTX Citrix
XMS XenMobile Service
SF ShareFile
MDM Mobile Device Management
MAM Mobile Application Management
NTS NetScaler
XNC XenMobile NetScaler Connector
XMM XenMobile Mail Manager
APNS Apple Notification Service
WNS Windows Notification Service
EFSS Enterprise File Sync and Sharing
MDX Mobile Device Experience
ADS AutoDiscovery Service
UEM Unified Endpoint Management
MTD Mobile Threat Defense
SNIP Subnet IP
NSIP NetScaler IP
VIP Virtual IP
NSG NetScaler Gateway
Introduction
The XenMobile Service delivered via Citrix Cloud provides industry leading EMM/UEM capabilities for all business types who are looking to embrace the cloud and reduce TCO for their mobile infrastructure. The XenMobile Service is an elastic pay-as-you-go SaaS subscription which allows IT to easily secure and manage mobile devices and applications while giving users the freedom to experience work and life their way. As part of a Bring Your Own Device (BYOD) program, the XenMobile service even allows end-users to use their own personal device for access to critical corporate resources. An assisted web-based onboarding process can have the XenMobile service up and running in a matter of hours, saving IT the time and resources required to build out the infrastructure themselves. As part of the onboarding process, XenMobile easily integrates with on-premises enterprise systems allowing IT to quickly gain control over mobile devices and applications.
References
This document was created with the intention of consolidating all the available information around Citrix Cloud XenMobile Service and providing you with the information you need for a smooth enablement and onboarding to Citrix Cloud XenMobile Service. In the table below, you can find reference links to detailed information online. Please read this information or contact your Citrix Sales Engineer if you need more information or have questions. In addition, you can use this document to record changes for your internal processes and document the service for internal references to high-level and functional designs.
XenMobile Service General Information https://docs.citrix.com/en-us/xenmobile/xenmobile-service.html
XenMobile Service Use Cases https://support.citrix.com/article/CTX223709
Cloud Connector https://docs.citrix.com/en-us/xenmobile/xenmobile-service/prerequisites-administration.html
Citrix Cloud https://citrix.cloud.com/
XenMobile How to https://support.citrix.com/pages/xenmobile-how
Citrix Software Downloads https://www.citrix.nl/downloads/
ShareFile Firewall Configuration and IP Address https://support.citrix.com/article/CTX208318
Why XenMobile Service from Citrix Cloud?
1. Faster deployment. Hours instead of days.
2. No upfront cost. Minimal to no infrastructure.
3. Access to new features and bug fixes before the on-premises releases.
4. Peace of mind. 99.9% uptime.
5. No co-mingling of customer data with dedicated instances.
6. Predictable budget.
7. OpEx. Pay and get value as you go.
XenMobile Service Features
1. Citrix Cloud Connector technology provides a secure channel for communications between Citrix Cloud and your Resource Locations. This enables cloud management without requiring any complex networking or infrastructure configurations such as VPNs or IPSec Tunnels.
2. Fully secure and redundant channel connecting Citrix Cloud to corporate resource locations.
3. Easy deployment without complex infrastructure configurations.
4. Consistency with other Citrix Cloud services: All Citrix Cloud services including virtualized apps and desktops have standardized on Citrix Cloud Connector for enterprise connectivity delivered with a single consistent experience.
5. Provide enterprise connectivity to customers with strict corporate security requirements that do not allow for IPSec connectivity to cloud services.
6. Citrix XenMobile MDX Security Specifics include FIPS compliant SSL encryption for all MDX application data at rest and in transit (FIPS NetScaler Gateway on-premises required).
7. Highly available architecture including redundant database resources and disaster recovery options for every data center.
8. Enterprise Integration with LDAP, PKI and certificate services to meet security and identity requirements.
XenMobile Service Editions
The XenMobile Service from Citrix Cloud comes in three feature-rich varieties: Standard Service, Advanced Service and Premium Service.
Standard Service | Advanced Service | Premium Service
Technology
MDM
MAM
EFSS
Micro VPN
MDX
XenMobile Apps*
ShareFile Enterprise Edition
Secure Notes + **
Global Features
Enterprise App Store
Unified App Store***
End-to-end security compliance
Multi-factor single sign-in to apps and data
Integration with LDAP, Microsoft Exchange, PKI, NAC, VPN, Wi-Fi, and certificate services
Role-based access and views
Endpoint and Application Policy configuration
Data Loss and Data Leakage for Apps (OS)
Data Loss and Data Leakage for XenMobile Apps (MDX)
Over-the-air Endpoint provisioning and self-service enrollment
*XenMobile Apps include the following:
Secure Hub
Secure Mail
Secure Web
Secure Tasks
ShareConnect
QuickEdit
ScanDirect
**Secure Notes + requires ShareFile Enterprise Edition.
***Unified App Store can include:
Public Store Apps
Enterprise Apps
XenMobile Apps (MDX)
Web & SaaS Apps
Web Links
XenApp/XenDesktop Published Applications
XenMobile Service High Level Architecture
XenMobile Service Traffic Flow
XenMobile Service Cloud Connector Traffic Flow
Citrix Cloud Trial Request for XenMobile Service and ShareFile
Sign up for Citrix Cloud with an existing Citrix Account
Open a browser and go to the http://citrix.cloud.com webpage. Customers with an existing Citrix.com account can use this to get started on the Citrix XenMobile Service. Just enter your existing username and password.
Sign up for Citrix Cloud if you don’t have a Citrix Account
Open a browser and go to the http://citrix.cloud.com webpage. Customers with no Citrix.com account click Don’t have an account? Sign up and try it free. This link redirects you to the http://onboarding.cloud.com webpage.
Fill in the required information and accept the Terms of Service to create a Citrix Cloud account.
Select a Home Region that best suits your Performance and Business needs
When your organization is onboarded to Citrix Cloud and you sign in for the first time, you are asked to choose a region, currently the US or EMEA. Pick a region that maps to where the majority of your users and resources will be located.
Important: You can choose a region only once, when your organization is onboarded. You cannot change your region later.
NOTE: The selected region is for services hosted by the Citrix Cloud platform and NOT the region where the XenMobile Service instances are located. For more information visit: https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/geographical-considerations.html
Request your XenMobile License Entitlement
Customers whose purchased licenses have already been fulfilled can click Manage.
Request a XenMobile Service Trial
After you log in with your Citrix Cloud account, a screen similar to the following appears. Below XenMobile Service, click Request Trial.
The button then changes to Trial Requested. You receive an email to notify you when your trial becomes available.
Trials must be approved by the XenMobile Rapid Deployment Team ([email protected]).
XenMobile Service Trial Sales Engineer engagement
After you request a trial, a Citrix Sales Engineer follows up on the trial request by completing a Podio form. Provide your Citrix Sales Engineer with the required information below.
Site Name: [customer's choice].xm.cloud.com
Customer Organization Name:
Customer Contact Name:
Customer Email:
Region: Americas East / Americas West / EMEA / APAC / LAC
Request Type: Pilot for XenMobile Cloud purchase / XenMobile Cloud Production
Edition: Premium / Advanced / Standard
Tunnel Options: Cloud Connector / None – Local users
Citrix Sales Engineer Email:
Kick-off Meeting Date & Time:
The Kick-off meeting introduces Sales and the Customer to the Rapid Deploy and Cloud Ops teams. We will
cover the entire process, expectations, requirements, and Citrix Cloud account creation. Please give us at
least a 24-hour notice for this Kick-off meeting. The Kick-off meeting can only take place when all the
prerequisites are in place.
We need more information about how to setup your XenMobile Cloud site.
After you click Manage, the following prompt indicates that the rapid deployment team hasn't selected an enterprise connectivity type. Please reach out to [email protected] or your Citrix Sales Engineer to complete this request.
Citrix ShareFile Trial Request
After you log in with your (existing or newly created) Citrix Cloud account, a screen similar to the following appears. In the ShareFile section, select the drop-down box and click Request Trial.
If you are already a ShareFile customer, you can link your current ShareFile Account.
Enter your subdomain in the required field and then click Request Trial.
Starting your XenMobile Service Trial by specifying your Site details
When you receive the email from the XenMobile Rapid Deployment Team indicating that your Site is approved, you next set up the Site Details to complete the provisioning of your XenMobile Cloud Service. Follow the below steps to provide the information necessary to provision your site. After providing this information, you can start with implementing the prerequisites in this document.
Log in to Citrix Cloud and click Start to specify XenMobile Site Details
Starting the Configuration
Click Configure
Configure MDM
Click Configure MDM
To complete this step, make sure that you have two machines running Windows 2012 R2 or Windows 2016 Server ready to install the Cloud Connector.
Site Name
The site name is used to create the URL for your XenMobile Cloud site and used for device enrollment. Up to 16 characters are supported. For example: http://yoursitename.xm.citrix.com.
Cloud data center region
Choose a geographic region that is closest to your primary resource location (data center). The chosen region will identify the physical location where each of the XenMobile cloud instances will reside.
OPTIONAL – Limit XenMobile console access to:
Provide a comma-separated whitelist of IP addresses to limit who has access to the XenMobile Server console.
Click Next to complete the request.
Completing the Request
Click Request Site to complete the web form and request your XenMobile Service site.
The XenMobile Rapid Deployment Team will now begin provisioning the customer site. An email will be sent to the account holder once the site provisioning is completed.
Preparing the Citrix XenMobile Service and ShareFile Prerequisites
While waiting for the XenMobile Service to be provisioned, be sure to prepare for your XenMobile Service deployment by installing Cloud Connector. Although Citrix hosts and delivers your XenMobile Service solution, some communication and port prerequisites apply. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.
Citrix Cloud Connector Requirements
Citrix uses Cloud Connector to integrate the XenMobile Service architecture into your existing infrastructure. For a Citrix XenMobile Service in production, a minimum availability of 2 cloud connectors is required. In a pilot of Citrix XenMobile Service, 1 cloud connector is sufficient. Cloud Connector supports all XenMobile authentication types.
Server Requirements
A dedicated physical or virtual machine ☐
Windows Server 2012 R2 or Windows Server 2016 ☐
2 vCPUs ☐
4 GB RAM ☐
50 GB Hard Disk Space ☐
Active Directory Domain-Joined ☐
Domain/Forest Functional Level – 2008 R2 or Higher ☐
Platform Requirements
.NET: .NET 4.5.1 or later ☐
Internet Connectivity ☐
Clock set to the correct UTC time ☐
Citrix Cloud Resource Location Setup
Resource Locations contain the resources required to deliver services to your subscribers. You manage these resources from Citrix Cloud.
Setting Up the default Resource Location
Select the default resource location My Resource Location (Name can be changed later) or choose to create a new one by selecting New Resource Location.
When you choose a new resource location, the web form prompts you to enter a new name for the new resource location.
Citrix Cloud Connector Setup
The Cloud Connector server serves as a channel that authenticates and encrypts all communication between Citrix Cloud and your resources such as Active Directory, DNS, and PKI.
Download Citrix Cloud Connector
To begin, click Download Cloud Connector to download the installation file needed for the setup.
Installation Requirements
You can only install the Connector onto a domain-joined machine. The installer will not allow the install to occur if it is not on a domain-joined machine.
The machine where you are installing the connector needs to be in sync with UTC time for proper installation and operation.
Switch Enhanced Security Configuration (ESC) off during installation.
Check if the required .NET version is installed. If it isn't, install the required version as described in the Citrix Cloud Connector Requirements table in this document.
Copy the installer (CWCConnector.exe) to the server and run it. Make sure your browser allows the download of executable files.
You cannot install the Connector on machine templates cloned across multiple machines. Do a separate install of the Connector onto all machines.
Have outbound access to the internet through TCP port 443 (https).
The following occurs during installation
An initial connectivity check to Citrix Cloud
Prompts for Citrix Cloud administrator user name and password
If you are an administrator to more than 1 customer: You are prompted to choose the customer for whom you wish to associate the Connector installation.
If the customer for which you're installing the Connector has more than 1 resource location: You are prompted to choose the resource location to associate with the Connector installation.
A final connectivity check to ensure Connector-to-cloud communication
Complete the Citrix Cloud Connector Setup
After installation completes, click Test Connection to test the connection between Cloud Connector and Citrix Cloud.
Click Save & Exit when completed. Click Finish to complete the device management portion of the deployment process.
Detailed technical information on the Cloud Connector servers can be found by clicking on the following
URL: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector.html
Citrix NetScaler Requirements
A NetScaler Gateway is required in your resource location if you require a micro VPN for either or both of the following scenarios:
Access to internal network resources for line-of-business applications wrapped with our MDX technology and connecting to internal backend infrastructures.
The use of Citrix Secure Apps, such as Citrix Secure Mail, for making email securely available to your users.
Many XenMobile Service production licenses entitle you to 2 VPX 3000 NetScalers. Depending on your deployment scenario, user personas, and functional requirements, a different NetScaler might be required. Contact your sales rep for additional information.
NetScaler Requirements
New Deployment – VPX 3000 series or greater. Existing NetScaler deployments are supported – with a new NetScaler Gateway virtual server required ☐
2 - 4 vCPUs ☐
Recommended 4 GB per vCPU ☐
20 GB Hard Disk Space ☐
NetScaler Platform Requirements
NetScaler Subnet IP Address (SNIP) ☐
NetScaler Management IP Address (NSIP) ☐
NetScaler Internal FQDN ☐
LDAP (Active Directory) Service Account ☐
NetScaler MAM Requirements
NetScaler Public IP Address (VIP) ☐
Public DNS Name – Example: http://mam.company.com ☐
Public SSL certificate 2048-bit key ☐
Proxy Load Balance IP (Internally NOT Routable – RFC1918) ☐
NetScaler ShareFile Requirements
NetScaler Public IP Address (VIP) ☐
Public DNS Name – Example: http://ShareFile.company.com ☐
Public SSL certificate 2048-bit key ☐
ShareFile Public FQDN (http://mycompany.sharefile.com) Requested in SF Trial ☐
ShareFile Storage Zone Controller Internal IP Address
ShareFile Requirements
ShareFile is a cloud-based file sharing service that enables users to easily and securely exchange documents. ShareFile enables users to send large documents by email, securely handle document transfers to third parties, and access a collaboration space from desktops or mobile devices. ShareFile provides users with a variety of ways to work, including a web-based interface, mobile clients, desktop tools, and integration with Microsoft Outlook. ShareFile StorageZones Controller extends the ShareFile software as a service (SaaS) cloud storage by providing your ShareFile account with private data storage.
ShareFile StorageZones Controller Requirements
A dedicated physical or virtual machine ☐
Windows Server 2012 R2 or Windows Server 2016 ☐
2 vCPUs ☐
4 GB ☐
50 GB Hard Disk Space ☐
ShareFile StorageZones Controller Server Role Requirements
Web Server (IIS) ☐
Application Development: ASP.NET 4.5.2 ☐
Security: Basic Authentication ☐
Security: Windows Authentication ☐
ShareFile Platform Requirements
The ShareFile installer requires administrative privileges on the Windows Server ☐
ShareFile Admin Username ☐
Customer Infrastructure Components
When implementing a Citrix Cloud XenMobile Service infrastructure with secure connectivity to your internal network, the on-premises Citrix NetScaler and the XenMobile Service in the cloud need to communicate with the internal network resources listed in the table below. You can record your information in the following table for reference during the preparation, onboarding, and Pilot phases.
Infrastructure Components Reference Table
DNS Server IP Address ☐
DNS Server FQDN ☐
Proxy Server for Outgoing Traffic ☐
Proxy Authentication needed? Yes/No ☐
Proxy Server for Incoming Traffic ☐
Proxy Authentication needed? Yes/No ☐
Active Directory Server Internal IP Address ☐
Active Directory Server Internal FQDN ☐
Active Directory Server Port ☐
AD Server SSL Certificate – max 2048-bit key ☐
Active Directory Domain Name ☐
Active Directory User Base DN ☐
Active Directory Search User ID ☐
Active Directory Search User Password is known and tested ☐
SMTP Server External IP ☐
SMTP Server External FQDN ☐
SMTP Server Port ☐
SMTP Relay User name (if needed) ☐
SMTP Relay User Password is known and tested (if needed) ☐
Exchange Internal IP Address ☐
Exchange Internal FQDN ☐
Exchange Server Port ☐
Exchange Server SSL Cert – max 2048-bit key ☐
SharePoint Server Internal IP (if needed) ☐
SharePoint Server Internal FQDN ☐
SharePoint Server Port ☐
All FQDNs are tested, including reverse lookup Yes/No ☐
Network and Firewall Requirements
To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following tables list the ports that must be open.
Open ports from Internal Network to Citrix Cloud
TCP port Description Source IP Destination Destination IP
443 Cloud Connector https://*.citrixworkspacesapi.net https://*.cloud.com https://*.sharefile.com https://cwsproduction.blob.core.windows.net/downloads https://*.servicebus.windows.net ☐
4443 Administrative Console https://*.citrixworkspacesapi.net https://*.cloud.com https://*.citrix.com https://*.blob.core.windows.net ☐
Open ports from Internet to DMZ
TCP port Description Source IP Destination Destination IP
443 XenMobile Client Device NetScaler Gateway IP ☐
443 XenMobile Client Device NetScaler VIP ShareFile ☐
443 ShareFile Public IP CTX208318 NetScaler VIP ShareFile ☐
443 StoreFront Receiver NetScaler Gateway IP ☐
Open ports from DMZ to Internal
TCP port Description Source IP Destination Destination IP
389 or 636 NetScaler NSIP (or, if using a load balancer, SNIP) LDAP/Active Directory IP ☐
53 (UDP) NetScaler SNIP DNS Server IP ☐
443 NetScaler SNIP Exchange (EAS) Server IP ☐
80/443 NetScaler SNIP Internal Web Apps/Services ☐
443 NetScaler SNIP ShareFile StorageZones Controller IP ☐
123 NetScaler SNIP NTP server ☐
1494 NetScaler SNIP XenApp or XenDesktop ☐
1812 NetScaler NSIP RADIUS Authentication Server ☐
2598 NetScaler SNIP XenApp or XenDesktop ☐
3268 NetScaler NSIP Secure Global Catalog Server ☐
3269 NetScaler NSIP Global Catalog Server ☐
Open ports from Internal to DMZ
TCP port Description Source IP Destination Destination IP
443 Admin Client NetScaler NSIP ☐
Open ports from DMZ to Internet
TCP port Description Source IP Destination Destination IP
8443 NetScaler SNIP XenMobile Cloud ☐
443 NetScaler Gateway Launch Darkly ☐
Open ports from Internal to Internet
TCP port Description Source IP Destination Destination IP
443 Exchange (EAS) Server IP XenMobile Push Notification Listener (us-east-1.mailboxlistener.xm.citrix.com) (eu-west-1.mailboxlistener.xm.citrix.com) (ap-southeast-1.mailboxlistener.xm.citrix.com) ☐
443 ShareFile StorageZones Controller IP ShareFile Control Plane CTX208318 ☐
Open ports from Corporate WIFI to Internet
TCP port Description Source IP Destination Destination IP
5223 XenMobile Client Device Apple APNS Servers 17.0.0.0/8 ☐
5228 XenMobile Client Device Google Cloud Messaging android.apis.google.com ☐
5229 XenMobile Client Device Google Cloud Messaging android.apis.google.com ☐
5230 XenMobile Client Device Google Cloud Messaging android.apis.google.com ☐
443 XenMobile Client Device Windows Push Notification Service *.notify.windows.com ☐
443 XenMobile Client Device Apple iTunes App Store ax.itunes.apple.com *.mzstatic.com vpp.itunes.apple.com ☐
443 XenMobile Client Device Google Play play.google.com ☐
443 / 80 XenMobile Client Device Microsoft App Store login.live.com *.notify.windows.com ☐
443 XenMobile Client Device XenMobile AutoDiscovery Service discovery.mdm.zenprise.com ☐
8443 / 443 XenMobile Client Device XenMobile Service ☐
443 ShareFile StorageZones Controller IP ShareFile Control Plane CTX208318 ☐
Port requirement for Auto Discovery Service connectivity
This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.
Note: ADS connections might not support your proxy server.
In this scenario, allow the ADS connection to bypass the proxy server.
Certificate Pinning Prerequisites
If you want to enable certificate pinning, complete the following prerequisites:
Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format, and each must be the public certificate, not the private key.
Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.
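A pre-submission check for the first prerequisite, as an added example (not Citrix tooling and not part of the handbook): it confirms that a PEM bundle contains only certificate blocks and no private key material before the file is handed to support. The function names and the sample data are assumptions constructed for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def make_pem(label, der):
    """Wrap DER bytes in PEM armor (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample data: placeholder DER, not a real certificate or key.
SAMPLE_CERT = make_pem("CERTIFICATE", b"\x30\x03\x02\x01\x00")
SAMPLE_KEY = make_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x01")


def audit_pem_bundle(text):
    """Return (ok, findings) for a PEM bundle that is about to be shared."""
    findings = []
    certs = 0
    # Flag key material from the BEGIN line alone, even if its END is missing.
    for label in re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", text):
        if "PRIVATE KEY" in label:
            findings.append(f"private key material present: {label}")
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            if "PRIVATE KEY" not in label:
                findings.append(f"unexpected block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append("certificate body is not valid base64")
            continue
        # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE (0x30).
        if not der.startswith(b"\x30"):
            findings.append("certificate body is not a DER SEQUENCE")
            continue
        certs += 1
    if certs == 0:
        findings.append("no usable CERTIFICATE block found")
    return (not findings, findings)
```

Run it against the exact file you intend to attach; a bundle exported together with its key fails the check even when the certificate itself is valid.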
Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll. To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:
Port requirement for Auto Discovery Service connectivity
FQDN IP Address Port IP and Port Usage
discovery.mdm.zenprise.com 52.5.138.94 443 Secure Hub - ADS Communication
discovery.mdm.zenprise.com 52.1.30.122 443 Secure Hub - ADS Communication
ads.xm.cloud.com 34.194.83.188 443 Secure Hub - ADS Communication
ads.xm.cloud.com 34.193.202.23 443 Secure Hub - ADS Communication
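A reachability check for the ADS table above, as an added example (not from the handbook or from Citrix): it connects directly to each listed IP on port 443, in line with the proxy-bypass note, and reports any address an FQDN currently resolves to that the table does not list, which is the usual way an IP-based firewall rule goes stale. The function names are assumptions; live results depend on your network and DNS at run time.

```python
import socket

# Rows from the handbook's ADS table: FQDN -> IP addresses listed for port 443.
ADS_TABLE = {
    "discovery.mdm.zenprise.com": {"52.5.138.94", "52.1.30.122"},
    "ads.xm.cloud.com": {"34.194.83.188", "34.193.202.23"},
}
ADS_PORT = 443


def resolve_ipv4(fqdn):
    """Return the set of IPv4 addresses the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, ADS_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def tcp_connect(ip, port, timeout=5.0):
    """Direct TCP connect (no proxy involved); True if the handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ads(table=ADS_TABLE, resolver=resolve_ipv4, connector=tcp_connect):
    """Check each listed IP directly and flag resolved IPs the table lacks."""
    report = {}
    for fqdn, listed in table.items():
        try:
            resolved = resolver(fqdn)
        except OSError:
            resolved = set()  # DNS failure: nothing to compare against
        report[fqdn] = {
            "blocked": sorted(ip for ip in listed if not connector(ip, ADS_PORT)),
            "unlisted": sorted(resolved - listed),
            "dns_ok": bool(resolved),
        }
    return report


if __name__ == "__main__":
    for fqdn, result in check_ads().items():
        print(fqdn, result)
```

Run it from a host on the same network segment as the enrolling devices, so that the result reflects the firewall path Secure Hub will actually take.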
Google/Apple/Microsoft Requirements
Apple
Apple Push Certificate http://identity.apple.com ☐
Google Play Account https://accounts.google.com/signup ☐
Google Play Device ID http://support.citrix.com/proddocs/topic/xenmobile-10/xmob-settings-google-play-credentials.html
On a device with no SIM (dial pad), install the Device ID app:
https://play.google.com/store/apps/details?id=com.redphx.deviceid
Microsoft
Windows Store developer account https://msdn.microsoft.com/en-us/library/windows/apps/jj863494.aspx ☐
Windows Store Publisher ID https://msdn.microsoft.com/en-us/library/windows/apps/hh967786.aspx ☐
Enterprise certificate from Symantec https://msdn.microsoft.com/library/windows/apps/jj206943.aspx ☐
Public SSL certificate for AutoDiscovery http://docs.citrix.com/en-us/xenmobile/server/provision-devices/autodiscovery.html ☐
Application Enrollment Token (AET) https://msdn.microsoft.com/en-us/library/windows/apps/jj735576%28v=vs.105%29.aspx ☐
For more detailed information on the supported Mobile Platforms for XenMobile Service, please visit
https://docs.citrix.com/en-us/xenmobile/xenmobile-service/platform-support.html.
Deployment Use Cases
The following deployment use cases are feasible with Citrix Cloud XenMobile Service.
Citrix Cloud XenMobile Service and NetScaler Gateway on Enterprise
Citrix Cloud XenMobile Service and NetScaler Gateway on Enterprise for Mobile App Management
Citrix Cloud XenMobile Service and NetScaler Gateway on Enterprise for Mobile App Management with ShareFile for Enterprise File Sharing
Citrix Cloud XenMobile Service for Mobile Device Management
For more detailed information on the deployment use cases, refer to Citrix Support Article https://support.citrix.com/article/CTX223709 or this white paper: https://citrix.sharefile.com/d-sba63ccb1290430ca.
Deployment Scenarios
Scenario / Use Case Example
Standard Service
  BYOD or company issued
  Low Security/privacy requirements
  Native email
  View/edit email attachments
  -or-
  Company owned, shared device “Kiosk,” for example, an iPad used by warehouse workers for inventory
Advanced Service
  BYOD or company issued
  Medium Security/privacy requirements
  Secure email
  View/edit email attachments
  Already have a solution for EFSS
  Need secure off-the-shelf apps
  Looking into developing own mobile apps
Premium Service
  BYOD or company issued
  High security/privacy requirements
  Secure email
  View/edit email attachments
  Need to solve EFSS
  Need secure off-the-shelf apps
  Need to secure several internally developed mobile apps
  Can’t store any data on mobile device
XenMobile Service MDM Pilot Test Cases Example
This section lists the test cases and categories specific to device management. The test results should be recorded here for future reference and audit purposes.
Pilot MDM Test Matrix
Secure Hub Version iOS = Android= Windows=
XenMobile Service Version 10.x
NetScaler Version 10.x
Test Cases / Category / Expected Result / Result

Category: Enrollment
Test cases:
  From Secure Hub, enroll using an Enrollment URL Invitation and a one-time PIN number
  From Secure Hub, enroll to the XM Service using Active Directory credentials
Expected results:
  The ability to use a unique URL to enroll into the system without requiring AD credentials ☐ ☐
  The ability to enroll into the XenMobile Service and have policies and profiles sent down automatically ☐ ☐
  The ability to use a single app on each platform to enroll and subsequently control MDM policies ☐ ☐

Category: Security Policies
Test cases:
  Via the XM Service Administration console, define and deploy policies that will secure the device
Expected results:
  The ability to provision security policies, such as enforcing a passcode and setting restrictions ☐ ☐

Category: Provisioning Policies
Test cases:
  Via the XM Service Administration console, define and deploy policies that will aid the user and simplify the configuration of the device
Expected results:
  The ability to provision Wi-Fi, VPN, Email and Proxy policies ☐ ☐
  The ability to issue certificates to the device, including user-based certificates that can be used as credentials ☐ ☐
  The ability to deliver apps (in-house or from a public App Store) to the device. ☐ ☐

Category: Operational Supportability/Administration
Test cases:
  Via the XM Service Administration console, understand the current state of a device
Expected results:
  The ability to determine device status, inventory, software inventory and MDM policy deployment status ☐ ☐
  The ability to locate devices ☐ ☐

Category: Support
Test cases:
  Test the support functionality within Secure Hub
Expected results:
  The ability to use Secure Hub to determine why the device might be out of compliance ☐ ☐
  The ability to automatically collect logs from the device and send to the helpdesk ☐ ☐
  The ability to initiate a live chat session with a helpdesk operator ☐ ☐

Category: De-provisioning
Test cases:
  Via the XM Service Administration console, remotely de-provision devices
Expected results:
  The ability to perform a selective wipe remotely and to remove from the device the provisioned policies, apps and data ☐ ☐
  The ability to perform a full wipe (factory reset) ☐ ☐
  The ability to revoke a device to remove the provisioned profiles, apps and data and prevent the device from being enrolled again ☐ ☐
XenMobile Secure Productivity Apps/MDX Pilot Test Cases Example
This section lists the test cases and categories specific to device management. The test results should be recorded here for future reference and audit purposes.
Pilot XenMobile Secure Productivity Apps/MDX Test Matrix
Secure Hub Version iOS = Android= Windows=
XenMobile Service Version 10.x
NetScaler Version 10.x
Test Success Criteria iOS Android Win10
Post Enrollment Gateway Logon
  When Secure Hub ‘flips’ from enrollment to NetScaler Gateway, the user should not need to re-enter credentials ☐ ☐ ☐ ☐ N/A N/A
Citrix PIN Creation
  User should be prompted to create a 6-digit Citrix PIN ☐ ☐ ☐ ☐ N/A N/A
XenMobile Store
  User can access XenMobile Store from within Secure Hub and is entitled to Secure Web, Secure Mail, Secure Tasks, Secure Edit, Secure Notes and ShareFile ☐ ☐ ☐ ☐ N/A N/A
Secure App Installs
  Secure Web, Secure Mail, Secure Tasks, Secure Edit, Secure Notes and ShareFile can all be installed ☐ ☐ ☐ ☐ N/A N/A
Collect Secure Hub Logs
  Swipe right within Secure Hub to the Support Page and then tap Secure Hub ☐ ☐ ☐ ☐ N/A N/A
Inactivity Timer <15 Minutes
  Launch Secure Web and authenticate if required. Leave device unattended for 10 minutes, then attempt to access Secure Web. Secure Web should open without requiring Citrix PIN ☐ ☐ ☐ ☐ N/A N/A
Inactivity Timer >15 Minutes
  Launch Secure Web and authenticate if required. Leave device unattended for 18 minutes, then attempt to access Secure Web. Secure Web should prompt for Citrix PIN before opening. ☐ ☐ ☐ ☐ N/A N/A
MDX App Wipe
  After admin sends an MDX App Wipe command via the console, user data is removed from all Secure Apps ☐ ☐ ☐ ☐ N/A N/A