
Fronting XenMobile MDM with NetScaler. This article focuses on the integration of our MDM and NetScaler product lines. Placing a NetScaler appliance in front of your device manager will allow for a flexible and secure delivery platform for an optimal MDM solution. http://blogs.citrix.com/2013/03/12/fronting-xenmobile-mdm-with-netscaler/


Page 1: Fronting XenMobile MDM with NetScaler

ARCHITECTURE | XenMobile

www.citrix.com

Reference Architecture:

XenMobile with NetScaler

Configuration Guide for Establishing NS Load Balancing Front End


XenMobile on NetScaler Reference Architecture Page |2

Table of Contents

Table of Contents ..... 2
Introduction ..... 3
Network Flow Diagram ..... 4
XenMobile Port Table ..... 4
Load Balancing Configuration on NetScaler ..... 7
Conclusion ..... 17
Additional Links ..... 17
Key Contributors ..... 17
Disclaimer ..... 18


Introduction

Citrix Systems’ offering of XenMobile is a comprehensive solution portfolio designed to enable customers to experience the benefits of Mobile Device Management while maintaining secure access to applications and desktops.

The purpose of this document is to provide a reference architecture for placing a NetScaler in front of your XenMobile MDM solution. This allows the XenMobile Device Manager (XDM) to be placed within the walls of your datacenter, leaving the NetScaler appliance in the DMZ, which allows for a secure and scalable rollout of your MDM solution.

We will walk through several diagrams to prepare for the configuration steps near the end of this document. This document covers configuration of the load balancing VIPs, not the overall setup of the NetScaler. For additional resources on the NetScaler and other configurations, please visit the “Additional Links” section at the end of this document. Below (Diagram 1.1) is the basic architecture of the XenMobile environment before the addition of the NetScaler.

Diagram 1.1


Network Flow Diagram

The basic diagram below shows the key ports used by the MDM solution. A full description of the ports required for the solution is laid out in the port table. In summary, ports 80 and 443 are used by iOS, Android and Windows devices for communication.

Port 8443 is used by Apple iOS for over-the-air registration of the device with the XDM. Access through the server FQDN also uses this port. This FQDN is key, as it is the name that has been registered with the Apple Push Notification Service.

Diagram 1.2: A basic diagram of the network flow for NetScaler and XenMobile.

Components shown by zone: Internet zone; corporate DMZ zone (NetScaler LB); corporate LAN zone (XenMobile Device Manager, MS SQL Server, Microsoft CA or PKI Entity, Active Directory/LDAP).

Port labels shown on the diagram: TCP 80, TCP 443 and TCP 8443 from the Internet zone to the NetScaler LB, and again from the NetScaler LB to the XenMobile Device Manager; LDAP/S on TCP 389/636 to Active Directory/LDAP; TCP 1433 to the MS SQL Server; HTTPS 443 beside the Microsoft CA or PKI Entity.

XenMobile Port Table

This table is designed to guide the XenMobile Administrator and Network Administrator through the TCP/IP port requirements for the Device Manager Server and mobile device agent connections.

XenMobile Device Manager Firewall Port Requirements (all ports TCP)

Port 25
  Description: By default, the XDM SMTP configuration of the Notification Service uses port 25. However, if your corporate SMTP server uses a different port, make sure that your corporate firewall does not block that port.
  Source: XenMobile Device Manager Server
  Destination: Corporate SMTP Server

Port 80
  Description: Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile)
  Source: Internet
  Destination: XenMobile Device Manager Server

Port 80
  Description: Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile), ZDM Web Console, ZDM Remote Support Client
  Source: Corporate LAN and Wi-Fi
  Destination: XenMobile Device Manager Server

Port 80
  Description: ZDM Server Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the available iOS applications within the Web Console and iOS Agent.
  Source: XenMobile Device Manager Server
  Destination: Apple iTunes App Store (ax.itunes.apple.com)

Port 80 or 443
  Description: XenMobile Device Manager Nexmo SMS Notification Relay outbound connection
  Source: XenMobile Device Manager Server
  Destination: Nexmo SMS Relay server

Port 389 or 636
  Description: LDAP/LDAPS connection from ZDM Server to Directory Service Host (Active Directory Global Catalog server or equivalent LDAP directory service host)
  Source: XenMobile Device Manager Server
  Destination: LDAP / Active Directory Services

Port 443
  Description: SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android and Windows Mobile)
  Source: Internet
  Destination: XenMobile Device Manager Server

Port 443
  Description: SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android and Windows Mobile), ZDM Web Console
  Source: Corporate LAN and Wi-Fi
  Destination: XenMobile Device Manager Server

Port 1433
  Description: Remote database server connection to separate SQL Server (optional)
  Source: XenMobile Device Manager Server
  Destination: SQL Server

Port 2195
  Description: Apple APNS (Push Notification Service) outbound connection to gateway.push.apple.com, used for iOS device notifications and device policy push
  Source: XenMobile Device Manager Server
  Destination: Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8)

Port 2196
  Description: Apple APNS (Push Notification Service) outbound connection to feedback.push.apple.com, used for iOS device notifications and device policy push
  Source: XenMobile Device Manager Server
  Destination: Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8)

Port 5223
  Description: Apple APNS (Push Notification Service) outbound connection from iOS devices connected via Wi-Fi network to *.push.apple.com
  Source: iOS device on Wi-Fi network
  Destination: Apple APNS service (*.push.apple.com)

Port 8443
  Description: Over-the-Air (OTA) Enrollment for iOS devices only
  Source: Internet; Corporate LAN and Wi-Fi
  Destination: XenMobile Device Manager Server

App Tunnel Ports
  Description: Mobile App Tunnel ports (Android and Windows Mobile) to destination internal Application Server via the ZDM Server (all ports are individually defined for each Mobile AppTunnel used by a device through a ZDM Device Configuration Policy)
  Source: Internet
  Destination: Application Server via XenMobile Device Manager Server

Note 1: Corporate LAN traffic outbound to the DMZ and the Internet is assumed to be allowed.

PLEASE NOTE: When using Remote Support or Mobile App Tunnel (Android and Windows Mobile), the following traffic needs to be open at the firewall (all ports TCP):

Port 8081
  Description: Remote Support Console default server inbound connection (depending on the Remote Support Tunnel definition)
  Source: Remote Support Console
  Destination: XenMobile Device Manager Server

Port 80 or 443
  Description: Remote Support Console access to ZDM to retrieve the device list
  Source: Remote Support Console
  Destination: XenMobile Device Manager Server

Tunnel port
  Description: Mobile Application Tunnel access to Application Server (port configured in the tunnel definition)
  Source: XenMobile Device Manager Server
  Destination: Internal Application Server


Load Balancing Configuration on NetScaler

This section covers the required load balancing configuration on the NetScaler for use with XenMobile. For links to other possible configurations, please see the Additional Links section at the end of this document. The first step is to create the “Servers” entry in the load balancing section of the NS console. Add the name of the server and the internal IP address to which the NetScaler will route the traffic.

Create your “XenMobile Server” that you are load balancing

After you have created the entry for the XenMobile server, create your services for the three major ports depicted in Diagram 1.2. The screen shots below incorporate the port number into the service name for easy reference. All three services point to the same server. The screen shots only show tabs whose information has been edited.


Create our Services:

Here is the basic setup for the services over port 80.

Basic information for the port 80 monitor; all other tabs are left at their defaults:


Basic setup of the services for port 443:

Configure the monitor for port 443, and all other tabs are configured as default:


Basic setup of services for port 8443:

Configure the services for port 8443, and all tabs are configured as default:

The final step is to create the Virtual Servers using the Load Balancing Services and Server(s) configured previously. Each Virtual Server is named after its task as listed in the port table above.

Configure your virtual servers:


For the enrollment Virtual Server (port 443), we place a check mark next to the service that was set up for it. We then set the “Method and Persistence” tab to “Least Connection” and “SSLSESSION” with a timeout of 2 minutes. The IP address listed is the address reachable in the DMZ address space. This IP address will be registered in DNS; please verify that devices on the corporate LAN can be routed to this virtual server.

Configure your XenMobile_Enroll (443) virtual server with your external/DMZ IP address:


Configure the Method and Persistence as before:

The same process will be followed for the creation of the Virtual Server for ports 8443 and 80.


Configure 8443 (profiles for iOS) with same external IP:


Configure Profiles, Method and Persistence:


Configure the Virtual Server for port 80 (Console) settings:


Configure Console, Method and Persistence:
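The GUI steps above, expressed as the equivalent NetScaler CLI commands. This is an added example, not part of the Citrix document; the XDM address 10.10.10.20, the DMZ VIP 192.0.2.10, the object names and the HTTP/SSL_BRIDGE service types are assumptions, as is SOURCEIP persistence on the port 80 virtual server (SSLSESSION persistence is only offered on SSL-type virtual servers, so it cannot be selected for plain HTTP).

```netscaler
# Assumed placeholder addresses: XDM on the corporate LAN 10.10.10.20, DMZ VIP 192.0.2.10

# 1. Server entry for the XenMobile Device Manager (internal address the NetScaler routes to)
add server XenMobile_Server 10.10.10.20

# 2. One monitor per port, so a failed listener takes down only its own service.
#    The default HTTP monitor sends HEAD / and expects 200; point it at a path XDM answers with 200.
add lb monitor XenMobile_80_mon HTTP
add lb monitor XenMobile_443_mon TCP
add lb monitor XenMobile_8443_mon TCP

# 3. Services: all three point at the same server, with the port in the name for easy reference.
#    SSL_BRIDGE passes TLS through unchanged, so devices still see the XDM certificate
#    issued for the FQDN registered with APNS; nothing is decrypted in the DMZ.
add service XenMobile_80 XenMobile_Server HTTP 80
add service XenMobile_443 XenMobile_Server SSL_BRIDGE 443
add service XenMobile_8443 XenMobile_Server SSL_BRIDGE 8443
bind service XenMobile_80 -monitorName XenMobile_80_mon
bind service XenMobile_443 -monitorName XenMobile_443_mon
bind service XenMobile_8443 -monitorName XenMobile_8443_mon

# 4. Virtual servers on the DMZ address: Least Connection, SSLSESSION persistence, 2 minute timeout
add lb vserver XenMobile_Enroll SSL_BRIDGE 192.0.2.10 443 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION -timeout 2
add lb vserver XenMobile_Profiles SSL_BRIDGE 192.0.2.10 8443 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION -timeout 2
# Port 80 is plain HTTP, so SSLSESSION is not available; SOURCEIP persistence is used here (assumption)
add lb vserver XenMobile_Console HTTP 192.0.2.10 80 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP -timeout 2

bind lb vserver XenMobile_Enroll XenMobile_443
bind lb vserver XenMobile_Profiles XenMobile_8443
bind lb vserver XenMobile_Console XenMobile_80

# 5. Check that each vserver and its bound service show UP, then persist the configuration
show lb vserver XenMobile_Enroll
show lb vserver XenMobile_Profiles
show lb vserver XenMobile_Console
save ns config
```

Because only the three VIP ports are published on the DMZ address, the XDM-to-SQL, LDAP and APNS flows from the port table still originate from the corporate LAN and need no NetScaler object; the firewall rules for those are the ones listed in the table.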


Conclusion

This completes the configuration for front-ending the XenMobile MDM environment with NetScaler. Load balancing of all essential ports for the XenMobile server is complete.

Additional Links

Below is a list of additional links for other configurations:

Citrix XenMobile Solutions:

http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-page-con.html

XenMobile MDM eDocs:

http://support.citrix.com/proddocs/topic/cloudgateway/xmob-mdm-landing-page-con.html

Deploying Mobility Solutions Bundle Components:

http://support.citrix.com/proddocs/topic/clg-deployment/clg-deployment-cloudgateway-options-con.html

Key Contributors

Josh Fleming, Senior Systems Engineer Author

Jon Eugenio, Senior Systems Engineer Content Contributor and Reviewer

Florin Lazurca, Senior Architect Content Contributor


Disclaimer

THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

Copyright © 2013 Citrix Systems Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Citrix Systems Inc. is strictly forbidden. For more information, contact Citrix Systems.

Citrix, the Citrix logo, and the Citrix badge are trademarks of Citrix Systems Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products.

INTERNAL TRACKING LAST EDIT: 12-MAR-2013 JF/JCE