July, 2013: XenMobile App and Enterprise. Adolfo Montoya, Lead Support Readiness Specialist


  • Slide 1
  • July, 2013: XenMobile App and Enterprise. Adolfo Montoya, Lead Support Readiness Specialist
  • Slide 2
  • 2013 Citrix | Confidential Do Not Distribute. Document Management (Category / Tracking Information): Company: Citrix Systems, Inc.; Author(s): Adolfo Montoya; Owner(s): Worldwide Support Readiness; Last modified: 8/28/2013; Version: 1.0; Length: 5 hours
  • Slide 3
  • Agenda: App vs. Enterprise; Architectural overview; End-user experience; Deployment options; Troubleshooting
  • Slide 4
  • XenMobile App and Enterprise Editions
  • Slide 5
  • App Edition. Use cases: Mobile application management; Federated single sign-on; Secure email; Secure browsing; Automated account provisioning; Workflow; Policy-based interapp security; App-specific microVPN; Unified corporate app store. Client side: Worx Home, Receiver, WorxMail, WorxWeb. Server side: App Controller, NetScaler Gateway.
  • Slide 6
  • App Edition (architecture diagram). Diagram labels: ShareFile; NetScaler; DMZ; Worx Home; Optional; SF/WI; XenApp; XenDesktop; XMA; Receiver
  • Slide 7
  • Enterprise Edition. Use cases: All MDM Edition use cases; All App Edition use cases; Secure document sharing, syncing & editing. Client side: Worx Enroll, Worx Home, WorxMail, WorxWeb, ShareFile, Receiver. Server side: MDM Server, NS Gateway, App Controller.
  • Slide 8
  • Enterprise Edition (architecture diagram). Diagram labels: Optional; Worx Enroll; ShareFile; NetScaler; XMA; DMZ; SF/WI; XNC; Worx Home; XenApp; XenDesktop; Receiver; XDM
  • Slide 9
  • Edition comparison (columns: MDM Edition; App Edition; Enterprise Edition). Features listed: Configure, secure & provision mobile devices; One-click live chat & support; Access SharePoint & network drives; Secure mobile web browser; App-specific micro VPN; Secure mail, calendar and contacts app; Enterprise-enable any mobile app; Seamless Windows app integration; Unified corporate app store; Multi-factor single sign-on; Secure document sharing, sync & editing; Both cloud & on-premises data storage options
  • Slide 10
  • ShareFile Feature Comparison. Columns: Features; XM-MDM (SF-Standard*); XM-App (SF-Standard*); XM-Enterprise (SF-Enterprise). Features listed: Read access to file shares and SharePoint; AD authentication; Data encryption; MDX-wrapped client; ShareFile Enterprise features (Worx Mail integration, cloud and customer-managed StorageZones, editing, annotations, external sharing, Windows and Mac sync, Outlook plug-in, web-browser access from Sharefile.com, time-expiry, request file, FTP access, usage reporting). *Note: ShareFile Standard is not a standalone product. The name is used to describe ShareFile features for MDM and App editions.
  • Slide 11
  • Citrix Mobility Product Line. XenMobile MDM Edition (Cloud or On-premise): XM Device Manager; XM NetScaler Connector; ShareFile Standard; GoToAssist Integration. XenMobile App Edition (Formerly CloudGateway): XM App Controller 2.8; NetScaler Gateway 10.1; StoreFront 2.0 (optional); ShareFile Standard. XenMobile Enterprise Edition (Integrated Solution): XM MDM Edition; XM App Edition; ShareFile Enterprise (Cloud or On-premise); GoToAssist Integration.
  • Slide 12
  • XenMobile App Controller Review
  • Slide 13
  • What is App Controller? Virtual VM running Linux OS. Supported on: XenServer 5.6 FP1 or later; Hyper-V 2012; VMware ESX 4.x or later. Provides access to: Web/SaaS; Intranet sites; MDX-wrapped apps; Public store links; ShareFile. Supports High Availability (Active/Passive). Supports Clustering (Active/Active).
  • Slide 14
  • What is App Controller? Supports remote access: NetScaler Gateway 10.1*. Supports Windows apps access: StoreFront 1.2 or 2.0; Web Interface 5.4 (IIS); VDI-in-a-Box 5.3. System requirements: 2 vCPU; 4 GB of RAM. Scalability: 10,000 concurrent users per App Controller. *NetScaler Gateway 10.0 is not compatible with App Controller 2.8.
  • Slide 15
  • Receiver for Web vs. Store: Receiver for Web. Receiver for Web = web-browser site. Built-in site: /Citrix/StoreWeb. Beacons are not applicable. Provides Provisioning File (e.g. ReceiverConfig.cr).
  • Slide 16
  • Receiver for Web vs. Store: Store. Store = Services site. Built-in store: /Citrix/Store. Beacons are applicable. Windows / Mac: Receiver for Windows 3.4+; Receiver for Mac 11.7+. iOS / Android: Receiver for iOS 5.7+; Receiver for Android 3.3+; Worx Home 8.5.
  • Slide 17
  • Account Management Connectors
  • Slide 18
  • Web/SaaS App Launch (Form-fill) Communication Flow. Diagram labels: App Controller; LinkedIn; Client. Captured HTTP messages, in order:

      POST https://appc25lb.amc.ctx/Citrix/Store/prelaunch/app HTTP/1.1
      User-Agent: CitrixReceiver Windows/6.1 SelfService/3.4.0.33684 (Release)
      Accept: */*
      Authorization: CitrixAuth 3AE8D47E126821ED18820861412E59A65E78F0745D0F194A23A4675B4EEBFB58
      Content-Type:
      Host: appc25lb.amc.ctx
      Content-Length: 92
      Expect: 100-continue
      Accept-Encoding: gzip, deflate

      https://appc25lb.amc.ctx/webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1

      HTTP/1.1 200 OK
      Connection: Keep-Alive
      Content-Type: text/plain; charset="utf-8"
      Content-Length: 225

      https://appc25lb.amc.ctx/webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1&tok=uzgzuqVP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyHp48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloqo9zY7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC

      GET https://appc25lb.amc.ctx/webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1&tok=uzgzuqVP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyHp48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloqo9zY7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC HTTP/1.1
      Accept: text/html, application/xhtml+xml, */*
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
      Accept-Encoding: gzip, deflate
      Host: appc25lb.amc.ctx
      Connection: Keep-Alive

      HTTP/1.1 200 OK
      Connection: close
      Content-Type: text/html;charset=utf-8
      Server: Apache-Coyote/1.1
      Date: Sat, 02 Feb 2013 23:35:11 GMT
      Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate
      Set-Cookie: OCAJSESSIONID=F3667612AE29262440D97FC21124FB6B; Path=/; HttpOnly; Secure
      Content-Length: 1954

      POST https://www.linkedin.com/uas/login-submit HTTP/1.1
      Accept: text/html, application/xhtml+xml, */*
      Referer: https://appc25lb.amc.ctx/webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1&tok=uzgzuqVP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyHp48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloqo9zY7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip, deflate
      Host: www.linkedin.com
      Content-Length: 209
      Connection: Keep-Alive
      Cache-Control: no-cache
      Cookie: leo_auth_token="LIM:3806491:a:21600:1359755785:bff46f2a2488465426f76ef12155817fcc5d9b84"; visit="v=1&M"; bcookie="v=2&8280d152-ee3e-4b89-ae16-36bc18b56010"; _lipt="0_3SPdwJCAKEKd6iCDOMqnm3hkMlAr8DnGO4OSvk4m_QZsEKzgwUR9t9ELn6m4N4Y03pxdt35wH7 GKJ6mDq2vDIuge9cKi3Y9_neZgk2I89FU7KnIaTmlDicpapZRkxI53xpa85u_QkEezSUi7aPbw1oNqcLSLbsFwn 4TJ_JSerq-84wECaZ-kU-f63- 1lTfgSGFnDGhexnbvrJsRruQzH3VRfJxed6Yk8hgXfL97whxyOc_wzDJLprA8kYZZ8PIYEiAFJkbbhBKxM3Hqri3 mTA-"; __qca=P0-743823709-1352489739221

      signin=Sign%2520In&source_app=&sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi&csrfToken=ajax%253A6347512470912353035&session_redirect=&session_password=password123&session_k [email protected]
  • Slide 19
  • Authentication System Basics (diagram text, in the order extracted): Auth Service; Give me a token for Store; Active Directory; App Enumeration; Store Services; Trust; Denied (talk to Auth); Denied (); Give me a token for Auth; How do you want to login?; Login using Generic Forms; Fill in this form; Username= Password=.; Here is a Token for Auth; Give me a token for Store; Here is a Token for Store; App Enumeration; App Controller; Windows Apps, Web, SaaS
  • Slide 20
  • NetScaler Gateway Single Sign-on. NetScaler Gateway Single Sign-on (SSO), or callback, is used by StoreFront or App Controller to request the user's credentials from NetScaler Gateway. The Callback URL requires a secure connection (HTTPS) back to the AG virtual server that authenticated the user (most cases). The Callback URL can be another AG virtual server on the same AG VPX/MPX. Example: https://AG-VIP-FQDN/CitrixAuthService/AuthService.asmx (case sensitive)
  • Slide 21
  • Before AG SSO happens. StoreFront Services or App Controller must trust the incoming Gateway communication. However, StoreFront and App Controller differ in what they check in the request from NetScaler Gateway. Example: StoreFront checks three parameters in the HTTP header. X-Citrix-Via: contains the AG FQDN the end-user entered in their web browser or Receiver (e.g. X-Citrix-Via: ag.example.com). X-Forwarded-For: contains the SNIP/MIP of Access Gateway (e.g. X-Forwarded-For: 192.168.10.10). Remote Address: contains the client IP address; in most cases this value is not used by StoreFront.
  • Slide 22
  • Before AG SSO happens. App Controller, by contrast, expects the AG header (e.g. X-Citrix-Via: ag.example.com) from NetScaler Gateway. App Controller does not have a method to check the SNIP/MIP address. Example: App Controller checks one parameter in the HTTP header. X-Citrix-Via: contains the AG FQDN the end-user entered in their web browser or Receiver (e.g. X-Citrix-Via: ag.example.com).
  • Slide 23
  • What to check? App Controller: ensure the External URL matches the AG URL users will enter in their web browsers or Receiver. The Callback URL needs to resolve back to the AG that authenticated the end-user.
  • Slide 24
  • Diagram labels: AppController; Reporting Systems; Create Users; What privilege on application?; Any app specific security rules?; Additional approvals required before creating account?; Sync; Log; Auth; Account Management; Automatic Provisioning; Active Directory
  • Slide 25
  • Account Management: Configure Automatic Provisioning
  • Slide 26
  • App Controller HA connections. Diagram labels: App Controller HA; Mobile Apps; Web & SaaS Apps; ShareFile Data; Worx Home; HTTPS 443 (AppC VIP); Active; Standby; TCP 9736
  • Slide 27
  • App Controller HA. Define Role Preference: Primary; Secondary. Define VIP, Peer IP and Shared Key: IP address for VIP; IP address of secondary AppController; Enter shared key that both App Controllers will share to trust each other. Enable/Disable Appliance Failover. Show current status of Appliance Failover.
  • Slide 28
  • Considerations. App Controller in appliance failover does not require a load balancer (e.g. NetScaler). App Controller synchronizes the following information: User passwords database; Web/SaaS/Mobile/ShareFile information; Devices; Workflows; SSL certificates. Once appliance failover occurs, the new active App Controller will send an ARP broadcast updating the MAC address of the VIP.
  • Slide 29
  • App Controller Device Registration. What is it? Requirement to have more control over apps deployed to mobile devices. Receiver needs to communicate with App Controller either directly or through NetScaler Gateway. Receiver checks in to the App Controller when it starts. Management functions are: 1. Device Registration; 2. Device Lock or Wipe; 3. Device Update.
  • Slide 30
  • DMS (Device Management Service): runs on App Controller and processes requests from Receiver clients. Upon a successful registration, it returns a Device ID which is used by Receiver in subsequent requests.
  • Slide 31
  • Workflows. What is it? Workflow is also known as Application Provisioning. End-users request app access from their direct manager or an approver. App Controller will contact the employee's manager or approver via email. Workflows can be applied to: Web/SaaS apps; iOS/Android mobile apps. It only works with Citrix Receiver connections to a store. Diagram labels: Web & SaaS Apps; Mobile Apps.
  • Slide 32
  • Slide 33
  • Slide 34
  • Manager vs. Approvers. Two ways to support approvals: send email to the employee's manager (up to 3 levels); send email to an approver. If manager approval is selected, make sure the employee's manager is defined in Active Directory. Additional approvers can be anyone from Active Directory.
  • Slide 35
  • Workflow approvals via Email. How does it work? Employee
  • Slide 36
  • Workflow approvals via Email. How does it work? Manager
  • Slide 37
  • Workflow approvals via Email. How does it work? Employee
  • Slide 38
  • Receiver for Windows 3.3 vs. 3.4+. Panels: Receiver for Windows 3.3; Receiver for Windows 3.4+
  • Slide 39
  • Considerations. Workflow email requests to Managers / Approvers may take approximately 1-15 minutes. Not supported via Receiver for Web sites. If one of the Managers or Approvers does not accept (or respond to) the app request, the end-user cannot subscribe to the app. Preferably use the latest Citrix Receivers (mobile or desktop): Receiver for Windows 3.4 or later; Receiver for Mac 11.7 or later; Receiver for iOS 5.7.1 or later; Receiver for Android 3.3 or later.
  • Slide 40
  • XenMobile App Controller Version 2.8
  • Slide 41
  • What's New? Integration with XenMobile MDM server; Integration with GoToAssist; Integration with StoreFront; Integration with NetScaler Gateway 10.1; Worx Store Branding; End-user experience
  • Slide 42
  • Remote Access Scenarios (NetScaler Gateway 10.1)
  • Slide 43
  • NG + App Controller only: ideal for Enterprise customers that want application management; customers create Enterprise MDX-app store; clientless access (CVPN) is required; NetScaler Gateway needs Universal Licenses. NG + AppController + MDM: ideal for Enterprise customers that want application and device management; customers create Enterprise MDX-app store; clientless access (CVPN) is required; NetScaler Gateway needs Universal Licenses. NG + App Controller + MDM + StoreFront: ideal for Enterprise customers that want application and device management, plus unified store; clientless access (CVPN) is required; NetScaler Gateway needs Universal Licenses.
  • Slide 44
  • Mobile Platforms: Worx Home for iOS / Worx Home for Android
  • Slide 45
  • Remote Access: iOS. Worx Home for iOS includes the following header info: User-Agent = CitrixReceiver VpnCapable (for MicroVPN); X-Citrix-Gateway: https://NetScaler-Gateway-FQDN. Captured request:

      POST /cgi/login HTTP/1.1
      Host: agdara.amc.ctx
      X-Citrix-Gateway: https://agdara.amc.ctx
      User-Agent: CitrixReceiver/com.zenprise.zpmdmbeta iOS/8.5.0 (build 8.5.0.163) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
      Accept: */*
      Accept-Encoding: gzip, deflate
      Accept-Language: en-us
      CONTENT_LENGTH: 28
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 28
      Connection: keep-alive
      CONTENT_TYPE: application/x-www-form-urlencoded
  • Slide 46
  • Remote Access: iOS. The Worx Home name is included in other parts of the communication. Captured request:

      GET /vpn/index.html HTTP/1.1
      Host: agdara.amc.ctx
      Connection: keep-alive
      Accept-Encoding: gzip, deflate
      User-Agent: Worx%20Home/8.5.0.163 CFNetwork/609.1.4 Darwin/13.0.0
      Accept-Language: en-us
      Accept: */*
  • Slide 47
  • Remote Access: Android. Worx Home for Android includes the following header info: User-Agent = CitrixReceiver VpnCapable (for MicroVPN); X-Citrix-Gateway: https://NetScaler-Gateway-FQDN. No Worx Home name in User-Agent! Captured request:

      POST /cgi/login HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      Accept-Language: en-US, en
      User-Agent: CitrixReceiver/1.0 Android/4.3 JWR66V VpnCapable
      Cookie: pwcount=0;
      X-Citrix-Gateway: https://agdara.amc.ctx
      Content-Length: 28
      Host: agdara.amc.ctx
      Connection: Keep-Alive
      Accept-Encoding: gzip
  • Slide 48
  • Worx Home vs. Receiver. Columns: Feature; Worx Home / Enroll; Receiver. Features compared: MDM Registration; AppC Registration; GoToAssist remote support; Provisioning File; Email-based account discovery; MDX apps access; HDX apps access; Secure Browse support; MicroVPN support
  • Slide 49
  • Remote Access: How do I configure my mobile client? Columns: Mobile Receivers; Provisioning File; Email-based Account discovery; NetScaler Gateway FQDN. Rows: Worx Home 8.5 (iOS/Android); iOS 5.8; Android 3.4; Win8/RT 1.3
  • Slide 50
  • Deployment Modes. Types of deployment: Local connections only; Local and remote connections via NetScaler Gateway. StoreFront integration may be used in some scenarios. Note: the Worx Home client is unable to communicate with a StoreFront store.
  • Slide 51
  • XenMobile Deployments: NG + AppController only. Diagram labels: Internet; LAN; DMZ; NetScaler Gateway; App Controller
  • Slide 52
  • Remote Access: AppController Configuration. Define Deployment: Enable = Yes; Display name; Callback URL = https://AGFQDN; External URL = https://AGFQDN; Logon type: Domain only, Security token only, or Domain and security token
  • Slide 53
  • Remote Access: Simplified Wizard. Two ways to initiate the wizard: NetScaler Gateway > Enterprise Store
  • Slide 54
  • Remote Access: Simplified Wizard. Two ways to initiate the wizard: Deployment type > NetScaler Gateway* (*Assuming you don't have any virtual servers)
  • Slide 55
  • Remote Access: Simplified Wizard. Two ways to initiate the wizard: Deployment type > NetScaler Gateway
  • Slide 56
  • Remote Access: Simplified Wizard. Select XenMobile; Enter App Controller FQDN
  • Slide 57
  • What gets created? Simplified Wizard: Virtual Server name; IP address; Mode = SmartAccess
  • Slide 58
  • What gets created? Simplified Wizard: SSL certificate
  • Slide 59
  • What gets created? Simplified Wizard: LDAP authentication policy
  • Slide 60
  • What gets created? Simplified Wizard: three session policies bound to the virtual server: Receiver connections; Receiver for Web connections; Access Gateway Plugin connections
  • Slide 61
  • What gets created? Simplified Wizard: Native Receiver connection policy
  • Slide 62
  • What gets created? Simplified Wizard: Native Receiver connection profile: Split Tunnel = OFF; Session Time-out (mins) = 1440 (1 day); Clientless Access = ON; Clientless Access URL Encoding = Clear; Single Sign-on to Web Applications = checked
  • Slide 63
  • What gets created? Simplified Wizard: Native Receiver connection profile: ICA Proxy = OFF; Web Interface Address = https://AppC-FQDN; Single Sign-on Domain = domain (needs to be defined manually if you don't want UPN auth); Account Services Address = https://AppC-FQDN
  • Slide 64
  • What gets created? Simplified Wizard: Receiver for Web connection policy
  • Slide 65
  • What gets created? Simplified Wizard: Receiver for Web connection profile: Home Page = https://AppC-FQDN/Citrix/StoreWeb; Clientless Access = ON; Plug-in Type = Java; Single Sign-on to Web Applications = checked
  • Slide 66
  • What gets created? Simplified Wizard: Receiver for Web connection profile: ICA Proxy = OFF; Web Interface Address = https://AppC-FQDN/Citrix/StoreWeb; Single Sign-on Domain = domain (needs to be defined manually if you don't want UPN auth)
  • Slide 67
  • What gets created? Simplified Wizard: Access Gateway Plug-in connection policy
  • Slide 68
  • What gets created? Simplified Wizard: Access Gateway Plug-in connection profile: Home Page = https://AppC-FQDN/Citrix/StoreWeb; Split Tunnel = OFF; Clientless Access = Allow; Clientless Access URL Encoding = Clear; Plug-in Type = Windows/Mac OS X; Single Sign-on to Web Applications = checked
  • Slide 69
  • What gets created? Simplified Wizard: Access Gateway Plug-in connection profile: ICA Proxy = OFF; Web Interface Address = https://AppC-FQDN/Citrix/StoreWeb; Single Sign-on Domain = domain (needs to be defined manually if you don't want UPN auth); Account Services Address = https://AppC-FQDN
  • Slide 70
  • What gets created? Simplified Wizard: two clientless access policies get created: Receiver connections; Anything else, ie. Receiver connections, Receiver for Web
  • Slide 71
  • What gets created? Simplified Wizard: Receiver connections clientless access policy
  • Slide 72
  • What gets created? Simplified Wizard: Rewrite tab: Nothing selected
  • Slide 73
  • What gets created? Simplified Wizard: Finding URLs tab: Nothing selected
  • Slide 74
  • What gets created? Simplified Wizard: Client Cookies tab: Nothing selected
  • Slide 75
  • What gets created? Simplified Wizard: Receiver for Web connections clientless access policy
  • Slide 76
  • What gets created? Simplified Wizard: Rewrite tab: URL Rewrite = ns_cvpn_default_inet_url_label
  • Slide 77
  • What gets created? Simplified Wizard: Finding URLs tab: Nothing selected
  • Slide 78
  • What gets created? Simplified Wizard: Client Cookies tab: Cookies created
  • Slide 79
  • What gets created? Simplified Wizard: Pattern set for App Controller cookies: CsrfToken = index 1; ASP.NET_SessionId = index 2; CtxsPluginAssistantState = index 3; CtxsAuthId = index 4
  • Slide 80
  • What gets created? Simplified Wizard: Secure Ticket Authority defined for WorxMail: https://AppC-FQDN
  • Slide 81
  • What gets created? Simplified Wizard: Clientless Access domains defined: Allowed Domains: App Controller FQDN
  • Slide 82
  • What gets created? Simplified Wizard: finally, AppController URL binding at the AG virtual server level (not Global!)
  • Slide 83
  • What gets created? Simplified Wizard: finally, AppController URL binding at the AG virtual server level (not Global!)
  • Slide 84
  • XenMobile Deployments: NG + AppController + MDM. Diagram labels: Internet; LAN; DMZ; App Controller; XM Device Manager; NetScaler Gateway
  • Slide 85
  • Remote Access: XDM Configuration. Define App Controller Webservice configuration: Host Name = IP address or FQDN; Shared Key = alphanumeric value (e.g. Citrix or Citrix1234); Enable App Controller = checked
  • Slide 86
  • Remote Access: AppController Configuration. Define Deployment: Enable = Yes; Display name; Callback URL = https://AGFQDN; External URL = https://AGFQDN; Logon type: Domain only, Security token only, or Domain and security token
  • Slide 87
  • Remote Access: AppController Configuration. Define XenMobile Configuration: Host = XDM FQDN; Port = 80 or 443; Shared Key = alphanumeric value (e.g. Citrix or citrix123); Instance Path = /zdm (default); Allow secure access = Yes/No; Require Device Manager Enrollment = Yes/No
  • Slide 88
  • XenMobile Deployments: NG + AppController + MDM + StoreFront (A). Diagram labels: Internet; LAN; DMZ; App Controller; XM Device Manager; NetScaler Gateway; StoreFront 2.0
  • Slide 89
  • Remote Access: XDM Configuration. Define App Controller Webservice configuration: Host Name = IP address or FQDN; Shared Key = alphanumeric value (e.g. Citrix or Citrix1234); Enable App Controller = checked
  • Slide 90
  • Remote Access: AppController Configuration. Define Deployment: Enable = Yes; Display name; Callback URL = https://AGFQDN; External URL = https://AGFQDN; Logon type: Domain only, Security token only, or Domain and security token
  • Slide 91
  • Remote Access: AppController Configuration. Define XenMobile Configuration: Host = XDM FQDN; Port = 80 or 443; Shared Key = alphanumeric value (e.g. Citrix or citrix123); Instance Path = /zdm (default); Allow secure access = Yes/No; Require Device Manager Enrollment = Yes/No
  • Slide 92
  • Remote Access: AppController Configuration. Define Windows Apps: Host = StoreFront FQDN; Port = 80 or 443; Relative Path = /Citrix/ /PNAgent/config.xml; Allow secure access = Yes/No
  • Slide 93
  • Remote Access: StoreFront Configuration. Define NetScaler Gateway: Display Name; NetScaler Gateway URL = External Gateway URL; Version: 10.0 (build 69.4) or later, 9.x, 5.x; Subnet IP address = (optional); Logon Type: Domain, Security Token, Domain and Security Token, SMS authentication, Smart card; Callback URL = External Gateway URL
  • Slide 94
  • Remote Access: StoreFront Configuration. Define Secure Ticket Authority (STA): XenApp; XenDesktop
  • Slide 95
  • Remote Access: StoreFront Configuration. Enable Remote Access to the store: No VPN tunnel; Full VPN tunnel
  • Slide 96
  • Remote Access: NetScaler Configuration. Define Secure Ticket Authority (STA): XenApp; XenDesktop
  • Slide 97
  • Remote Access: NG + AppController + MDM + StoreFront. Pros: Single NetScaler Gateway VIP; Single store access. Cons: Follow me apps do not work on Worx Home; Follow me apps for Windows do not work. Diagram labels: Mobile devices; Desktop platforms
  • Slide 98
  • XenMobile Deployments: NG + AppController + MDM + StoreFront (B). Diagram labels: Internet; LAN; DMZ; App Controller; XM Device Manager; NetScaler Gateway; StoreFront 2.0; Receiver (Win/Mac); WorxHome (iOS, Android)
  • Slide 99
  • Remote Access: XDM Configuration. Define App Controller Webservice configuration: Host Name = IP address or FQDN; Shared Key = alphanumeric value (e.g. Citrix or Citrix1234); Enable App Controller = checked
  • Slide 100
  • Remote Access: AppController Configuration. Define Deployment (NetScaler): Enable = Yes; Display name; Callback URL = https://AGFQDN; External URL = https://AGFQDN; Logon type: Domain only, Security token only, or Domain and security token
  • Slide 101
  • Remote Access: AppController Configuration. Define Deployment (StoreFront): Enable = Yes; Authentication Server = OFF; Web address = https://SF-FQDN
  • Slide 102
  • Remote Access: AppController Configuration. Define XenMobile Configuration: Host = XDM FQDN; Port = 80 or 443; Shared Key = alphanumeric value (e.g. Citrix or citrix123); Instance Path = /zdm (default); Allow secure access = Yes/No; Require Device Manager Enrollment = Yes/No
  • Slide 103
  • Remote Access: AppController Configuration. Define Windows Apps: Host = StoreFront FQDN; Port = 80 or 443; Relative Path = /Citrix/ /PNAgent/config.xml; Allow secure access = Yes/No
  • Slide 104
  • Remote Access: StoreFront Configuration. Define Delivery Controller: Display Name; Type = AppController; Server = AppC FQDN; Port = 443
  • Slide 105
  • Remote Access: StoreFront Configuration. Define NetScaler Gateway: Display Name; NetScaler Gateway URL = External Gateway URL; Version: 10.0 (build 69.4) or later, 9.x, 5.x; Subnet IP address = (optional); Logon Type: Domain, Security Token, Domain and Security Token, SMS authentication, Smart card; Callback URL = External Gateway URL
  • Slide 106
  • Remote Access: StoreFront Configuration. Define Secure Ticket Authority (STA): XenApp; XenDesktop
  • Slide 107
  • Remote Access: StoreFront Configuration. Enable Remote Access to the store: No VPN tunnel; Full VPN tunnel
  • Slide 108
  • Remote Access: NetScaler Configuration. Create a virtual server in SmartAccess mode. Clientless access will be used for StoreFront and App Controller.
  • Slide 109
  • Remote Access: NetScaler Configuration. Create three session policies: Desktop Receiver policy = redirects Win/Mac Receiver users to the StoreFront store; Receiver for Web policy = redirects Win/Mac/mobile users to StoreFront's Receiver for Web site; Worx Home policy = redirects iOS/Android Worx Home users to AppController's store
  • Slide 110
  • Remote Access: NetScaler Configuration. Desktop Receiver policy expression: (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows) || (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Mac)
  • Slide 111
  • Remote Access: NetScaler Configuration. Desktop Receiver profile: Clientless Access = ON; Clientless Access URL Encoding = Clear; Single Sign-on to Web Applications = checked
  • Slide 112
  • 2013 Citrix | Confidential Do Not Distribute Remote Access NetScaler Configuration Desktop Receiver profile Default Authorization Action = ALLOW Secure Browse = uncheck
  • Slide 113
  • 2013 Citrix | Confidential Do Not Distribute Remote Access NetScaler Configuration Desktop Receiver profile ICA Proxy = OFF Web Interface Access = https://SF-FQDNhttps://SF-FQDN Single Sign-on Domain = domain Account Services Address = https://SF- FQDNhttps://SF- FQDN
  • Slide 114
  • Remote Access: NetScaler Configuration. Receiver for Web site policy expression:
      REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
  • Slide 115
  • Remote Access: NetScaler Configuration. Receiver for Web site profile: Home Page = https://SF-FQDN/Citrix/StoreWeb; Clientless Access = ON; Clientless Access URL Encoding = Obscure; Single Sign-on to Web Applications = checked
  • Slide 116
  • Remote Access: NetScaler Configuration. Receiver for Web site profile: Default Authorization Action = ALLOW; Secure Browse = uncheck
  • Slide 117
  • Remote Access: NetScaler Configuration. Receiver for Web site profile: ICA Proxy = OFF; Web Interface Address = https://SF-FQDN; Single Sign-on Domain = domain
  • Slide 118
  • Remote Access: NetScaler Configuration. Worx Home policy expression:
      (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS zenprise) || (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver/1.0)
  • Slide 119
  • Remote Access: NetScaler Configuration. Worx Home profile: Split Tunnel = OFF/ON; Session Time-out (mins) = 1440 (1 day); Clientless Access = ON; Clientless Access URL Encoding = Clear; Plug-in Type = Windows/Mac OS X (MicroVPN); Single Sign-on to Web Applications = checked
  • Slide 120
  • Remote Access: NetScaler Configuration. Worx Home profile: Default Authorization Action = ALLOW; Secure Browse = checked
  • Slide 121
  • Remote Access: NetScaler Configuration. Worx Home profile: ICA Proxy = OFF; Web Interface Address = https://AppC-FQDN; Single Sign-on Domain = domain; Account Services Address = https://AppC-FQDN
  • Slide 122
  • Remote Access: NetScaler Configuration. Verify you have two Clientless Access policies: Receiver/Worx Home connections; Anything else, i.e. Receiver for Web; Receiver/Worx Home connections
  • Slide 123
  • Remote Access: NetScaler Configuration. Clientless Access domains defined. Allowed Domains: App Controller FQDN; StoreFront FQDN. Bind FQDNs via CLI (recommended):
      bind patset ns_cvpn_default_inet_domains appc28.amc.ctx
      bind patset ns_cvpn_default_inet_domains storefrontlb.amc.ctx
  • Slide 124
  • Remote Access: NetScaler Configuration. Define Secure Ticket Authority (STA): XenApp / XenDesktop
  • Slide 125
  • Remote Access: NetScaler Configuration. Finally, AppController URL binding at the AG virtual server level (not Global!)
  • Slide 126
  • Remote Access: NetScaler Configuration. Finally, AppController URL binding at the AG virtual server level (not Global!)
  • Slide 127
  • Remote Access: NG + AppController + MDM + StoreFront. Pros: Single NetScaler Gateway VIP; Follow me apps for Windows will work for Win/Mac. Cons: Follow me apps do not work on Worx Home mobile devices
  • Slide 128
  • Can I push MDX / Web and SaaS apps to mobile devices?
  • Slide 129
  • Integration with XenMobile Device Manager. New option on App Controller: Require app installation. Works with App Controller and XenMobile Device Manager integration. The Require app installation option can automatically subscribe/install Web/SaaS and MDX apps
  • Slide 130
  • Integration with XenMobile Device Manager. Host = IP address or FQDN of MDM server; Port = 80 or 443; Shared Key = alphanumeric value, e.g. Citrix123; Instance Path = /zdm; Require Device Manager Enrollment = recommended
  • Slide 131
  • Integration with XenMobile Device Manager: Overview. App Controller will upload all MDX, public store apps and Web/SaaS to the MDM server: securely over HTTPS 443, or non-securely over HTTP 80. App Controller will upload the NetScaler URL or AppC URL for Worx Home. When a user requests access to an MDX app, MDM will push it to the mobile device. (Diagram labels: XDM, 80 or 443, 443, XMA)
  • Slide 132
  • Integration with XenMobile Device Manager: What is being uploaded? If Require Device Management enrollment = Yes. From App Controller to Device Manager:
      POST /zdm/cxf/wsapi/configuration/mdmrequired HTTP/1.1
      Accept: application/json
      Content-Type: application/json
      Authorization: Basic YWRtaW46Y2l0cml4
      User-Agent: Jakarta Commons-HttpClient/3.0.1
      Host: ftlvxmdm.amc.ctx
      Content-Length: 31
      {"errorcode":0,"required":true}
    (Diagram labels: XDM, 80 or 443, XMA; Enrollment Required? Yes / No)
  • Slide 133
  • Integration with XenMobile Device Manager: What is being uploaded? If Require Device Management enrollment = Yes. From Device Manager to App Controller:
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=FFAEE9B40D6E797859A03C275E80B999; Path=/zdm/; HttpOnly
      Date: Fri, 09 Aug 2013 14:55:16 GMT
      Content-Type: application/json
      Content-Length: 53
      {"response":"mdm_required_flag properly set to true"}
    (Diagram labels: XDM, 80 or 443, XMA; OK done!)
  • Slide 134
  • Integration with XenMobile Device Manager: What is being uploaded? If Google Play credentials are saved in App Controller. From App Controller to Device Manager:
      POST /zdm/cxf/wsapi/configuration/gplaycredentials HTTP/1.1
      Accept: application/json
      Content-Type: application/json
      Authorization: Basic YWRtaW46Y2l0cml4
      User-Agent: Jakarta Commons-HttpClient/3.0.1
      Host: ftlvxmdm.amc.ctx
      Content-Length: 125
      {"gplay_credentials":{"store_login":"username","store_password":"password","android_id":"androidID"}}
    (Diagram labels: XDM, 80 or 443, XMA; Google Play Credentials)
  • Slide 135
  • Integration with XenMobile Device Manager: What is being uploaded? If Google Play credentials are saved in App Controller. From Device Manager to App Controller:
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=6B7578836D06A6D51BFED315486D8089; Path=/zdm/; HttpOnly
      Date: Fri, 09 Aug 2013 14:58:39 GMT
      Content-Type: application/json
      Content-Length: 40
      {"response":"Credential properly saved"}
    (Diagram labels: XDM, 80 or 443, XMA; OK done!)
  • Slide 136
  • Integration with XenMobile Device Manager: What is being uploaded? Uploading apps. From App Controller to Device Manager:
      POST /zdm/cxf/wsapi/package/10cbccea-8d27-4cc9-86ed-d43e7078bc8b HTTP/1.1
      Accept: application/json
      Content-Type: application/json
      Authorization: Basic YWRtaW46Y2l0cml4
      User-Agent: Jakarta Commons-HttpClient/3.0.1
      Host: ftlvxmdm.amc.ctx
      Content-Length: 323
      {"application":{"options":{"remove_when_mdm_removed":true,"prevent_backup_data":false},"id":"10cbccea-8d27-4cc9-86ed-d43e7078bc8b","type":"IPA","install_once":true,"required":false,"url":"https://appc28.amc.ctx:443/lscs/mobileapps/10cbccea-8d27-4cc9-86ed-d43e7078bc8b/WorxMail-Release-1.2-162.ipa?SID=7175718355373095794"}}
    (Diagram labels: XDM, 80 or 443, XMA; Uploading MDX / Web / SaaS)
  • Slide 137
  • Integration with XenMobile Device Manager: What is being uploaded? Uploading apps. If the app already exists: HTTP 500 Error. Otherwise: HTTP 200 OK. From Device Manager to App Controller:
      HTTP/1.1 500 Internal Server Error
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=88D0391354052CD4A12901521A02C22D; Path=/zdm/; HttpOnly
      Date: Fri, 09 Aug 2013 14:58:39 GMT
      Content-Type: application/json
      Content-Length: 64
      Connection: close
      {"error":{"description":"Package ID already exists","code":201}}
    (Diagram labels: XDM, 80 or 443, XMA; Already have it!)
  • Slide 138
  • Integration with XenMobile Device Manager: What is being uploaded? Upload NetScaler Gateway URL. If remote access is disabled, the AppC URL is provided instead. From App Controller to Device Manager:
      POST /zdm/cxf/wsapi/configuration/appcfqdn HTTP/1.1
      Accept: application/json
      Content-Type: application/json
      Authorization: Basic YWRtaW46Y2l0cml4
      User-Agent: Jakarta Commons-HttpClient/3.0.1
      Host: ftlvxmdm.amc.ctx
      Content-Length: 25
      {"fqdn":"agdara.amc.ctx"}
    (Diagram labels: XDM, 80 or 443, XMA; AppC / NetScaler FQDN)
  • Slide 139
  • Integration with XenMobile Device Manager: What is being uploaded? Upload NetScaler Gateway URL. If remote access is disabled, the AppC URL is provided instead. From Device Manager to App Controller:
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=2C4B7B47E6617751B700F1471068DBB0; Path=/zdm/; HttpOnly
      Date: Fri, 09 Aug 2013 14:58:40 GMT
      Content-Type: application/json
      Content-Length: 50
      {"response":"fqdn properly set to agdara.amc.ctx"}
    (Diagram labels: XDM, 80 or 443, XMA; FQDN Set!)
  • Slide 140
  • Integration with GTA. Support email = help desk email address; Support phone = help desk phone number; GoToAssist Chat = GoToAssist token for chat services; GoToAssist Ticket = GoToAssist ticket generated from portal
  • Slide 141
  • Branding Your Store
  • Slide 142
  • Receiver Email Template. Do not use this option for Worx Home! The Provisioning File (.cr) is only compatible with Citrix Receiver (mobile or desktop)
  • Slide 143
  • Google Play Store Apps. To allow App Controller to download data from the Google Play store. Typo on App Controller UI. Type on Android phone dial-pad: *#*#8255#*#*
  • Slide 144
  • Secure Browse vs. MicroVPN
  • Slide 145
  • Secure Browse: Client-side rewrite feature to access intranet sites; Available on Receiver for iOS 5.6.1 or later; Must use NetScaler Gateway 10 (build 69.4 or later). WorxWeb: Native iOS/Android mobile browser application; Securely connects to corporate network using on-demand MicroVPN tunnel; Must use NetScaler Gateway 10 (build 69.4 or later). MicroVPN: On-demand application VPN tunnel between mobile device and NetScaler Gateway; Available on Receiver for Android 3.1 or later and Receiver for iOS 5.7; Supported with Worx Home and MDX-apps; Must use NetScaler Gateway 10 (build 69.4 or later)
  • Slide 146
  • How do I connect to intranet sites? (Flowchart. Start: iOS / Android. Decisions: WorxWeb installed? Worx Home iOS? Worx Home Android? Outcomes: Connect via MicroVPN; Needs WorxWeb; Connect via Webkit.)
  • Slide 147
  • Secure Browse: NetScaler Gateway Configuration. By default, Secure Browse is enabled on NetScaler: Global Settings; Session Policy
  • Slide 148
  • Secure Browse: NetScaler Gateway Configuration. By default, Secure Browse is enabled on NetScaler: Global Settings; Session Policy
  • Slide 149
  • 2013 Citrix | Confidential Do Not Distribute Secure Browse Example
  • Slide 150
  • Secure Browse Example. Initial request from Citrix Receiver to NetScaler Gateway:
      GET https://ag10716b.adolfolab.ctx/AGServices/rewriteMode HTTP/1.1
      Host: ag10716b.adolfolab.ctx
      User-Agent: CitrixReceiver
      Accept: */*
      Accept-Language: en-us
      Accept-Encoding: gzip, deflate
      Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa643300904253245525d5f4f58455e445a4a42; NSC_FSSO=1; pwcount=2
      Connection: keep-alive
      Proxy-Connection: keep-alive
  • Slide 151
  • Secure Browse Example. If Secure Browse is enabled, NetScaler Gateway will respond with the following:
      HTTP/1.1 200 OK
      Content-Length: 23
      Cache-control: no-cache, no-store
      Pragma: no-cache
      Content-Type: text/plain
      SB:SecureBrowse RW:cvpn
  • Slide 152
  • Secure Browse Example. If Secure Browse is disabled, NetScaler Gateway will respond with the following:
      HTTP/1.1 200 OK
      Content-Length: 23
      Cache-control: no-cache, no-store
      Pragma: no-cache
      Content-Type: text/plain
      RW:cvpn
  • Slide 153
  • Secure Browse Example. Citrix Receiver will start the rewrite on the client side:
      GET https://ag10716b.adolfolab.ctx/SecureBrowse/http/web.cloud.ctx:8080/index.html HTTP/1.1
      Host: ag10716b.adolfolab.ctx
      User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      X-Citrix-Gateway: ag10716b.adolfolab.ctx
      CitrixSecureBrowserIOS: YES
      Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa643300904253245525d5f4f58455e445a4a42;NSC_FSSO=1;pwcount=2;
      Accept-Language: en-us
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Proxy-Connection: keep-alive
  • Slide 154
  • Considerations. Secure Browse will work as long as you have Clientless Access (CVPN) enabled on NetScaler. If CVPN is disabled, Secure Browse will not work. If Secure Browse is disabled, Citrix Receiver will use CVPN to connect to resources
  • Slide 155
  • MicroVPN
  • Slide 156
  • MicroVPN: On-demand application VPN tunnel between mobile device and NetScaler Gateway. Platforms supported: Android, iOS. MDX-apps support: WorxMail, WorxWeb. Receivers that support MicroVPN: Worx Home 8.5; Receiver for Android 3.1 or later; Receiver for iOS 5.7 or later
  • Slide 157
  • MicroVPN: How does it work? Receiver POSTs credentials to NetScaler Gateway:
      POST https://50-23-246-210.mycitrixdemo.net/cgi/login HTTP/1.1
      Host: 50-23-246-210.mycitrixdemo.net
      User-Agent: CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
      Content-Length: 24
      Accept: */*
      X-Citrix-Gateway: https://50-23-246-210.mycitrixdemo.net
  • Slide 158
  • MicroVPN: How does it work? Because Receiver sends a VPN-capable User-Agent (CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable), Access Gateway returns the /cgi/setclient? redirect.
    For iOS:
      HTTP/1.1 302 Object Moved
      Location: /cgi/setclient?iosc
      Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/
    For Android:
      HTTP/1.1 302 Object Moved
      Location: /cgi/setclient?andr
      Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/
  • Slide 159
  • Troubleshooting App Controller
  • Slide 160
  • Troubleshooting. Troubleshooting menu from console: Network Utilities; Advanced logging and tracing; Support Bundle for log collection and traces
  • Slide 161
  • Troubleshooting. Troubleshooting menu available under the new console Main Menu (option 3)
  • Slide 162
  • Troubleshooting: Troubleshooting Menu. Network Utilities: PING, ARP, Routing Table and others. Logs: Admins can review the last 1000 lines of log; provides advanced logging settings for specific modules. Support Bundle: collects all AppController logs, core dumps and network traces
  • Slide 163
  • Troubleshooting: Network Menu. Network information; Show Routing Table; Show ARP Table; PING; Traceroute; DNS lookup; Network Trace
  • Slide 164
  • Troubleshooting: Network Information. Displays detailed information about network adapters: IP address; Subnet mask; MAC address; MTU size; Adapter state (UP/DOWN)
  • Slide 165
  • Troubleshooting: Routing Table. Displays route information associated with AppController
  • Slide 166
  • Troubleshooting: ARP Table. Displays Address Resolution Protocol (ARP) information associated with AppController
  • Slide 167
  • Troubleshooting: PING. Test by sending ICMP packets from the AppController VM to a destination host
  • Slide 168
  • Troubleshooting: Traceroute. Test by sending ICMP packets from the AppController VM to a destination host and count the number of hops
  • Slide 169
  • Troubleshooting: DNS Lookup. Test Domain Name Resolution (DNS) from AppController to a destination host
  • Slide 170
  • Troubleshooting: Network Trace. Capture network traces in pcap format on one or more interfaces. Supports filtering options. Press Enter to stop network tracing. Network traces can only be extracted via the Support Bundle
  • Slide 171
  • Troubleshooting: Logs Menu. Advanced logging settings to trace specific AppController modules. For more information, please refer to http://kb.citrite.net/article/CTX128435. Option 5 displays the last 1000 lines of logging entries
  • Slide 172
  • Troubleshooting: Support Bundle Menu. Lets admins collect all AppController logs and network traces in a compressed file (.ZIP). Admins have the choice to encrypt the Support Bundle (optional). To extract the Support Bundle: Upload via FTP; Upload via SCP
  • Slide 173
  • Troubleshooting: Generate Support Bundle. Admins have the option to encrypt the Support Bundle or not. The Support Bundle filename will contain date/time, IP address and compression format extension (.ZIP)
  • Slide 174
  • Troubleshooting: Upload Support Bundle. Admins have the option to upload it via FTP or SCP. For more information on how to upload it via FTP, please refer to http://support.citrix.com/article/CTX128855. Admins have to enter the FTP server hostname and the location where the file should be uploaded
  • Slide 175
  • Troubleshooting: Upload Support Bundle via FTP. Admins have to enter the FTP server hostname, user credentials and the location where the file should be uploaded
  • Slide 176
  • Troubleshooting: Support Bundle Contents. Sas_core = core dumps; Sas_log = management, system, debug, informational logs; Sas_trace = network traces; Sys_info = AppController system information (ARP entries, disk space usage, interface configuration, routing table, running processes); Var_log = authentication, daemon, kernel, mail, system and user logs
  • Slide 177
  • Work better. Live better.
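
Added example (not part of the deck and not Citrix code): the three session policy expressions from slides 110, 114 and 118 modelled in Python, so a list of client headers can be checked for requests that match no policy or more than one. It assumes CONTAINS is a case-sensitive substring test; every User-Agent string is constructed except the iPad one, which is copied from slide 157.

```python
# Added example: models the three session policy expressions from the slides.
# Assumptions: CONTAINS is a plain, case-sensitive substring test; every
# User-Agent below is constructed except IPAD_UA, which is the one on slide 157.

def ua_has(headers, needle):
    return needle in headers.get("User-Agent", "")

def desktop_receiver(h):   # slide 110
    return (ua_has(h, "CitrixReceiver") and ua_has(h, "Windows")) or \
           (ua_has(h, "CitrixReceiver") and ua_has(h, "Mac"))

def receiver_for_web(h):   # slide 114
    return not ua_has(h, "CitrixReceiver") and "Referer" in h

def worx_home(h):          # slide 118
    return (ua_has(h, "CitrixReceiver") and ua_has(h, "zenprise")) or \
           ua_has(h, "CitrixReceiver/1.0")

POLICIES = [
    ("Desktop Receiver", desktop_receiver),
    ("Receiver for Web", receiver_for_web),
    ("Worx Home", worx_home),
]

def matching_policies(headers):
    """Names of every session policy whose expression is true for this request."""
    return [name for name, expr in POLICIES if expr(headers)]

IPAD_UA = ("CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) "
           "CitrixReceiver-iPad CFNetwork Darwin VpnCapable")

SAMPLES = {  # constructed request headers, keyed by a descriptive label
    "windows-receiver": {"User-Agent": "CitrixReceiver/14.0 Windows/6.1 SelfService"},
    "browser-with-referer": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)",
                             "Referer": "https://gateway.example.test/vpn/index.html"},
    "browser-no-referer": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
    "worx-home": {"User-Agent": "CitrixReceiver/com.zenprise build/8.5 iOS"},
    "ipad-receiver-5.7": {"User-Agent": IPAD_UA},
    "mac-ua-with-1.0": {"User-Agent": "CitrixReceiver/1.0 Macintosh"},
}

def coverage_report(samples):
    """Split clients into those matching exactly one policy, none, or several."""
    report = {"single": {}, "unmatched": [], "ambiguous": {}}
    for label, headers in samples.items():
        hits = matching_policies(headers)
        if len(hits) == 1:
            report["single"][label] = hits[0]
        elif not hits:
            report["unmatched"].append(label)
        else:
            report["ambiguous"][label] = hits
    return report

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:22} -> {matching_policies(headers) or 'no policy'}")
```

With these samples the iPad Receiver string from slide 157 matches none of the three expressions and the constructed Macintosh string matches two, so binding priority and the fallback settings decide what those clients receive. Request headers are supplied by the client, so the matched policy is a routing choice, and authorization still has to come from authentication and the bound authorization policies.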
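
Added example (not from the deck or from Citrix): a Python reading of the Secure Browse exchange on slides 150 to 154, parsing the rewriteMode reply and mapping URLs to and from the gateway form, which helps when reviewing gateway access logs against the allowed Clientless Access domains. The path layout is inferred from the single rewritten request on slide 153, the "unavailable" result for a reply without RW:cvpn is an assumption, and the log URLs other than the slide's are constructed.

```python
# Added example: Secure Browse mode probe and URL mapping (slides 150-154).
# Assumption: the /SecureBrowse/<scheme>/<host[:port]>/<path> layout is inferred
# from the one rewritten request shown on slide 153.
from urllib.parse import urlsplit

def parse_rewrite_mode(body):
    """Turn a rewriteMode body such as 'SB:SecureBrowse RW:cvpn' into a dict."""
    modes = {}
    for token in body.split():
        key, sep, value = token.partition(":")
        if sep:
            modes[key] = value
    return modes

def client_mode(body):
    """Mode the client ends up in, following the Considerations slide."""
    modes = parse_rewrite_mode(body)
    if modes.get("RW") != "cvpn":
        return "unavailable"   # assumption: no CVPN token means no Secure Browse either
    return "secure-browse" if modes.get("SB") == "SecureBrowse" else "cvpn"

def to_secure_browse(gateway, url):
    """Map an intranet URL onto the gateway, as the client-side rewrite does."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    rewritten = (f"https://{gateway}/SecureBrowse/{parts.scheme}/"
                 f"{parts.netloc}{parts.path or '/'}")
    return rewritten + (f"?{parts.query}" if parts.query else "")

def from_secure_browse(url):
    """Recover (gateway, intranet URL) from a rewritten URL, e.g. in an access log."""
    parts = urlsplit(url)
    segments = parts.path.split("/", 4)   # '', 'SecureBrowse', scheme, host, rest
    if len(segments) < 4 or segments[1] != "SecureBrowse":
        raise ValueError(f"not a Secure Browse URL: {url!r}")
    scheme, host = segments[2], segments[3]
    if scheme not in ("http", "https") or not host:
        raise ValueError(f"malformed Secure Browse URL: {url!r}")
    rest = segments[4] if len(segments) > 4 else ""
    target = f"{scheme}://{host}/{rest}"
    return parts.netloc, target + (f"?{parts.query}" if parts.query else "")

def intranet_hosts(request_urls):
    """Intranet hosts reached via Secure Browse, for review against allowed domains."""
    hosts = set()
    for url in request_urls:
        try:
            _, target = from_secure_browse(url)
        except ValueError:
            continue               # not a Secure Browse request
        hosts.add(urlsplit(target).hostname)
    return sorted(hosts)

SLIDE_URL = "https://ag10716b.adolfolab.ctx/SecureBrowse/http/web.cloud.ctx:8080/index.html"
LOG_URLS = [  # constructed, apart from SLIDE_URL
    SLIDE_URL,
    "https://ag10716b.adolfolab.ctx/SecureBrowse/https/wiki.corp.example/a/b?x=1",
    "https://ag10716b.adolfolab.ctx/AGServices/rewriteMode",
]
```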
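
Added example (not from the deck or from Citrix): a small Python audit of the App Controller to Device Manager calls shown on slides 132 to 137. It flags what is exposed when the integration uses the non-secure port 80, and treats the HTTP 500 with error code 201 as the duplicate-package reply from slide 137 rather than a failure. The account name, shared key and host name are constructed.

```python
# Added example: audit of the App Controller -> Device Manager web-service calls
# from slides 132-137. Account name, shared key and host below are constructed.
import base64
import json

def parse_http(raw):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def audit_request(raw, port):
    """Findings for one captured request; port is the Device Manager port (80 or 443)."""
    start, headers, _ = parse_http(raw)
    path = start.split(" ")[1]
    findings = []
    if port == 80:   # the "non-secure" option on the overview slide
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() == "basic":
            # Basic is base64 encoding, not encryption: readable by anyone on the path.
            user = base64.b64decode(token).decode().partition(":")[0]
            findings.append(f"Basic credentials for '{user}' cross the network without TLS")
        if path.endswith("/configuration/gplaycredentials"):
            findings.append("Google Play store_password is in a cleartext request body")
    return findings

def classify_response(raw):
    """Map a Device Manager reply to 'ok', 'duplicate-package' or 'error'."""
    start, _, body = parse_http(raw)
    status = int(start.split(" ")[1])
    if status == 200:
        return "ok"
    try:
        doc = json.loads(body)
    except ValueError:
        doc = {}
    error = doc.get("error", {}) if isinstance(doc, dict) else {}
    # Slide 137: an existing package comes back as HTTP 500 with error code 201.
    if status == 500 and isinstance(error, dict) and error.get("code") == 201:
        return "duplicate-package"
    return "error"

def sample_request(path, body):
    """Build a constructed request in the shape shown on the slides."""
    token = base64.b64encode(b"appc-svc:constructed-shared-key").decode()
    return (f"POST /zdm/cxf/wsapi/{path} HTTP/1.1\nAccept: application/json\n"
            f"Content-Type: application/json\nAuthorization: Basic {token}\n"
            f"Host: xdm.example.test\n\n{body}")

MDM_REQUIRED = sample_request("configuration/mdmrequired", '{"errorcode":0,"required":true}')
GPLAY = sample_request(
    "configuration/gplaycredentials",
    '{"gplay_credentials":{"store_login":"u","store_password":"p","android_id":"a"}}')
DUPLICATE_REPLY = ("HTTP/1.1 500 Internal Server Error\n"
                   "Content-Type: application/json\n\n"
                   '{"error":{"description":"Package ID already exists","code":201}}')
```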