Citrix Gateway

Allowing Access from Mobile Devices with Citrix Mobile Productivity Apps

The Citrix ADC for XenMobile wizard configures the settings required to allow users to connect from supported devices through Citrix Gateway to mobile apps and resources in the internal network. Users connect by using Secure Hub, which establishes a Micro VPN tunnel. When users connect, a VPN tunnel opens to Citrix Gateway and is then passed to XenMobile in the internal network. Users can then access their web, mobile, and SaaS apps from XenMobile.

To ensure that users consume a single Universal license when connecting to Citrix Gateway with multiple devices simultaneously, you can enable session transfer on the virtual server. For details, see Configuring Connection Types on the Virtual Server.

If you need to change your configuration after using the Citrix ADC for XenMobile wizard, use the sections in this article for guidance. Before changing settings, make sure that you understand the implications of your changes. For more information, refer to the XenMobile Deployment articles.

Configuring Secure Browse in Citrix Gateway

You can change Secure Browse as part of global settings or as part of a session profile. You can bind the session policy to users, groups, or virtual servers. When you configure Secure Browse, you must also enable clientless access. However, clientless access does not require you to enable Secure Browse. When you configure clientless access, set Clientless Access URL Encoding to Clear.

To configure Secure Browse globally:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Citrix Gateway Settings dialog box, on the Security tab, click Secure Browse and then click OK.

To configure Secure Browse in a session policy and profile:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, do one of the following:
    • If you are creating a new session policy, click Add.
    • If you are changing an existing policy, select a policy and then click Open.
  3. In the policy, create a profile or modify an existing profile. To do so, do one of the following:
    • Next to Request Profile, click New.
    • Next to Request Profile, click Modify.
  4. On the Security tab, next to Secure Browse, click Override Global and then select Secure Browse.
  5. Do one of the following:
    • If you are creating a new profile, click Create, set the expression in the policy dialog box, click Create, and then click Close.
    • If you are modifying an existing profile, after making the selection, click OK twice.

To configure traffic policies for Secure Web in Secure Browse mode:

Use the following steps to configure traffic policies to route Secure Web traffic through a proxy server in Secure Browse mode.

  1. In the configuration utility, on the Configuration tab, expand Citrix Gateway > Policies and then click Traffic.
  2. In the right pane, click the Traffic Profiles tab and then click Add.
  3. In Name, enter a name for the profile, select TCP as the Protocol, and leave the rest of the settings as-is.
  4. Click Create.
  5. Click the Traffic Profiles tab and then click Add.
  6. In Name, enter a name for the profile and then select HTTP as the Protocol. This Traffic Profile is for both HTTP and SSL. Clientless VPN traffic is HTTP traffic by design, regardless of the destination port or service type. Thus, you specify both SSL and HTTP traffic as HTTP in the traffic profile.
  7. In Proxy, enter the IP address of the proxy server. In Port, enter the port number of the proxy server.
  8. Click Create.
  9. Click the Traffic Policies tab and then click Add.
  10. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile you created in Step 3. Enter the following Expression and then click Create:

    REQ.HTTP.HEADER HOST contains ActiveSyncServer || REQ.HTTP.HEADER User-Agent CONTAINS WorxMail || REQ.HTTP.HEADER User-Agent CONTAINS com.zenprise || REQ.HTTP.HEADER User-Agent CONTAINS Citrix Secure Hub || REQ.HTTP.URL CONTAINS AGServices || REQ.HTTP.URL CONTAINS StoreWeb

    That rule performs a check based on the host header. To bypass the proxy for ActiveSync traffic, replace ActiveSyncServer with the name of your ActiveSync server.

  11. Click the Traffic Policies tab and then click Add. Enter the Name of the traffic policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:

    (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser || REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb) && REQ.TCP.DESTPORT == 80

  12. Click the Traffic Policies tab and then click Add. Enter the Name of the Traffic Policy and, for Request Profile, select the Traffic Profile created in Step 6. Enter the following Expression and then click Create:

    (REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser || REQ.HTTP.HEADER User-Agent CONTAINS WorxWeb) && REQ.TCP.DESTPORT == 443
  13. Navigate to Citrix Gateway > Virtual Servers, select the virtual server in the right pane, and then click Edit.
  14. On the Policies row, click +.
  15. From the Choose Policy menu, select Traffic.
  16. Click Continue.
  17. Under Policy Binding, across from Select Policy, click >.
  18. Select the Policy you created in Step 10 and then click OK.
  19. Click Bind.
  20. Under Policies, click Traffic Policy.
  21. Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
  22. Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
  23. Select the policy you created in Step 11 and then click OK.
  24. Click Bind.
  25. Under Policies, click Traffic Policies.
  26. Under VPN Virtual Server Traffic Policy Binding, click Add Binding.
  27. Under Policy Binding, next to the Select Policy menu, click > to view the policy list.
  28. Select the policy you created in Step 12 and then click OK.
  29. Click Bind.
  30. Click Close.
  31. Click Done.

Be sure to configure the Secure Web (WorxWeb) app in the XenMobile console. Go to Configure > Apps, select the Secure Web app, click Edit, and then make these changes:

  • On the App information page, change Initial VPN Mode to Secure Browse.
  • On the iOS page, change Initial VPN Mode to Secure Browse.
  • On the Android page, change Preferred VPN Mode to Secure Browse.
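The three traffic-policy expressions in steps 10 to 12 decide, per request, whether Secure Browse traffic goes straight out or through the configured proxy. The following is an added example, not Citrix code: it re-implements those expressions as Python predicates and routes a handful of constructed requests, so you can see which profile each one binds to. The proxy address, the ActiveSync host name and the sample requests are constructed for illustration; first-match evaluation in bind order and case-sensitive substring matching are assumptions of this model.

```python
"""Model of the Secure Browse traffic-policy routing described above.

Added example, not Citrix code. It re-implements the classic policy
expressions from steps 10 to 12 as Python predicates. The proxy address,
the ActiveSync host and the sample requests are constructed; bind-order,
first-match evaluation and case-sensitive CONTAINS are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Request:
    """The request fields the three expressions inspect."""
    host: str          # REQ.HTTP.HEADER HOST
    user_agent: str    # REQ.HTTP.HEADER User-Agent
    url: str           # REQ.HTTP.URL
    dest_port: int     # REQ.TCP.DESTPORT


PROXY = "10.0.0.10:3128"                  # constructed placeholder proxy
ACTIVE_SYNC_SERVER = "mail.corp.example"  # constructed; use your own ActiveSync host


def bypass_policy(req: Request) -> bool:
    """Step 10 expression: traffic bound to the TCP profile (no proxy).

    Matches the ActiveSync host header, the Secure Mail / Secure Hub
    User-Agents, and the AGServices / StoreWeb URLs.
    """
    ua_markers = ("WorxMail", "com.zenprise", "Citrix Secure Hub")
    url_markers = ("AGServices", "StoreWeb")
    return (
        ACTIVE_SYNC_SERVER in req.host
        or any(m in req.user_agent for m in ua_markers)
        or any(m in req.url for m in url_markers)
    )


def _is_secure_web(req: Request) -> bool:
    """The User-Agent disjunction shared by steps 11 and 12."""
    return any(m in req.user_agent for m in ("Mozilla", "com.citrix.browser", "WorxWeb"))


def http_proxy_policy(req: Request) -> bool:
    """Step 11 expression: Secure Web User-Agent && REQ.TCP.DESTPORT == 80."""
    return _is_secure_web(req) and req.dest_port == 80


def ssl_proxy_policy(req: Request) -> bool:
    """Step 12 expression: Secure Web User-Agent && REQ.TCP.DESTPORT == 443."""
    return _is_secure_web(req) and req.dest_port == 443


def route(req: Request) -> str:
    """Decide where the request goes.

    Policies are tried in the order they are bound in steps 18, 23 and 28
    (bypass first, then HTTP, then SSL); that the first match wins is an
    assumption of this model.
    """
    if bypass_policy(req):
        return "direct"
    if http_proxy_policy(req) or ssl_proxy_policy(req):
        return "proxy " + PROXY
    return "direct"  # nothing matched: default clientless handling, no proxy


# Constructed sample requests, one per interesting case.
SAMPLE_REQUESTS = {
    "secure_hub_enrol": Request("gw.corp.example", "Citrix Secure Hub/10.0", "/AGServices/", 443),
    "activesync": Request("mail.corp.example", "WorxMail/10.0", "/Microsoft-Server-ActiveSync", 443),
    "secure_web_http": Request("intranet.corp.example", "Mozilla/5.0 com.citrix.browser", "/", 80),
    "secure_web_https": Request("intranet.corp.example", "Mozilla/5.0 WorxWeb", "/", 443),
    "secure_web_8080": Request("intranet.corp.example", "Mozilla/5.0 WorxWeb", "/", 8080),
}


def route_all() -> dict:
    """Route every sample request. The 8080 case shows that a Secure Web
    request to a non-standard port matches neither proxy policy."""
    return {name: route(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, target in route_all().items():
        print(f"{name:18} -> {target}")
```

Because these expressions key on the client-supplied User-Agent and Host header, they steer traffic between the proxy and the direct path; they do not restrict what a client may reach, so any access restrictions belong on the proxy and the back-end services rather than in these rules. The secure_web_8080 case shows the gap left by the two port checks: a Secure Web request to any port other than 80 or 443 goes direct rather than through the proxy.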

Configure application and MDX token time-outs

When users log on from an iOS or Android device, an application token or an MDX token is issued. The token is similar to the Secure Ticket Authority (STA).

You can set the number of seconds or minutes the tokens are active. If the token expires, users cannot access the requested resource, such as an application or a webpage.

Token time-outs are global settings. When you configure the setting, it applies to all users who log on to Citrix Gateway.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Citrix Gateway Settings dialog box, on the Client Experience tab, click Advanced Settings.
  4. On the General tab, in Application Token Timeout (sec), enter the number of seconds before the token expires. The default is 100 seconds.
  5. In MDX Token Timeout (mins), enter the number of minutes before the token expires and then click OK. The default is 10 minutes.

Disable Endpoint Analysis for mobile devices

If you configure endpoint analysis, you need to configure the policy expressions so that the endpoint analysis scans do not run on Android or iOS mobile devices. Endpoint analysis scans are not supported on mobile devices.

If you bind an endpoint analysis policy to a virtual server, you must create a secondary virtual server for mobile devices. Do not bind preauthentication or post-authentication policies to the mobile device virtual server.

When you configure the policy expression in a preauthentication policy, you add the User-Agent string to exclude Android or iOS. When users log on from one of these devices and you exclude the device type, endpoint analysis does not run.

For example, you might create a preauthentication policy expression that checks that the User-Agent does not contain Android (so the scan is skipped on Android devices), checks for the application virus.exe, and, through the preauthentication profile, ends the process keylogger.exe if it is running. The policy expression might look like this:

REQ.HTTP.HEADER User-Agent NOTCONTAINS Android && CLIENT.APPLICATION.PROCESS(keylogger.exe) contains || CLIENT.APPLICATION.PROCESS (virus.exe) contains

After you create the preauthentication policy and profile, bind the policy to the virtual server. When users log on from an Android or iOS device, the scan does not run. If users log on from a Windows-based device, the scan does run.

For more information about configuring preauthentication policies, see Configuring Endpoint Policies.

Support DNS queries by using DNS suffixes for Android devices

When users establish a Micro VPN connection from an Android device, Citrix Gateway sends split DNS settings to the user device. Citrix Gateway supports split DNS queries based on the split DNS settings you configure. Citrix Gateway can also support split DNS queries based on DNS suffixes you configure on the appliance. If users connect from an Android device, you must configure DNS settings on Citrix Gateway.

Split DNS works in the following manner:

  • If you set split DNS to Local, the Android device sends all DNS requests to the local DNS server.
  • If you set split DNS to Remote, all DNS requests are sent to the DNS servers configured on Citrix Gateway (remote DNS server) for resolution.
  • If you set split DNS to Both, the Android device checks the DNS request type.
    • If the DNS request type is not “A,” it sends the DNS request packet to both local and remote DNS servers.
    • If the DNS request type is “A,” the Android plug-in extracts the query FQDN and matches that FQDN against the DNS suffix list configured on the Citrix ADC appliance. If the DNS request’s FQDN matches, the DNS request is sent to the remote DNS server. If the FQDN does not match, the DNS request is sent to the local DNS servers.

The following table summarizes where a DNS request is sent, based on the split DNS setting, whether the query is a type A record, and whether the queried name is on the suffix list.

Split DNS setting   Is it a type A record?   Is it on the suffix list?   Where the DNS request is sent
Local               Yes or No                Yes or No                   Local
Remote              Yes or No                Yes or No                   Remote
Both                No                       NA                          Both
Both                Yes                      Yes                         Remote
Both                Yes                      No                          Local
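The bullets and table above describe a decision procedure the Android plug-in applies to every query. The following is an added example, not Citrix code: it reproduces that procedure as a function and runs it over constructed queries, including the case the table does not spell out, a name that merely ends with the same characters as a configured suffix. Label-boundary suffix matching, the suffix value and the sample names are assumptions of this model.

```python
"""Model of the Android Micro VPN split-DNS decision described above.

Added example, not Citrix code. It reproduces the Local / Remote / Both
table as a function, including the A-record and DNS-suffix checks the
Android plug-in performs. Label-boundary suffix matching and the sample
suffix and names are assumptions of this model.
"""


def _matches_suffix(fqdn: str, suffix: str) -> bool:
    """True when fqdn is the suffix itself or lies under it.

    Matching on label boundaries keeps 'notcorp.example' from matching the
    suffix 'corp.example' (assumption: the plug-in compares whole labels).
    """
    fqdn = fqdn.rstrip(".").lower()
    suffix = suffix.strip(".").lower()
    return fqdn == suffix or fqdn.endswith("." + suffix)


def split_dns_target(setting: str, qtype: str, fqdn: str, suffixes) -> str:
    """Return 'local', 'remote' or 'both' for one DNS query from the device.

    setting : the Citrix Gateway Split DNS value: 'Local', 'Remote' or 'Both'
    qtype   : DNS record type of the query, e.g. 'A', 'AAAA', 'SRV'
    fqdn    : the queried name
    suffixes: the Intranet IP DNS Suffix list configured on the appliance
    """
    setting = setting.lower()
    if setting == "local":
        return "local"
    if setting == "remote":
        return "remote"
    if setting != "both":
        raise ValueError(f"unknown split DNS setting: {setting!r}")
    # Both: anything that is not an A query goes to both resolvers.
    if qtype.upper() != "A":
        return "both"
    # Both + A query: the suffix list decides between remote and local.
    if any(_matches_suffix(fqdn, s) for s in suffixes):
        return "remote"
    return "local"


SUFFIXES = ["corp.example"]  # constructed placeholder for the configured suffix

# Constructed queries as (setting, record type, name).
SAMPLE_QUERIES = [
    ("Both", "A", "intranet.corp.example"),
    ("Both", "A", "www.example.org"),
    ("Both", "A", "notcorp.example"),  # must not match 'corp.example'
    ("Both", "AAAA", "intranet.corp.example"),
    ("Local", "A", "intranet.corp.example"),
    ("Remote", "A", "www.example.org"),
]


def resolve_all() -> dict:
    """Apply the decision to every sample query."""
    return {q: split_dns_target(q[0], q[1], q[2], SUFFIXES) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for (setting, qtype, name), target in resolve_all().items():
        print(f"{setting:6} {qtype:5} {name:24} -> {target}")
```

The AAAA case illustrates a consequence of the Both row for non-A records: a non-A query for an internal name is sent to the local resolver as well as the remote one, so internal host names in such queries are visible to whatever DNS server the device's current network provides. If that matters for your deployment, Remote is the setting that keeps all queries on the gateway's DNS servers.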

To configure a DNS suffix:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, select a session policy and then click Open.
  3. Next to Request Profile, click Modify.
  4. On the Network Configuration tab, click Advanced.
  5. Next to Intranet IP DNS Suffix, click Override Global, type the DNS suffix and then click OK three times.

To configure split DNS globally on Citrix Gateway:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, click Advanced Settings.
  4. On the General tab, in Split DNS, select Both, Remote, or Local and then click OK.

To configure split DNS in a session policy on Citrix Gateway:

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies, and then click Session.
  2. In the details pane, on the Policies tab, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Client Experience tab, click Advanced Settings.
  7. On the General tab, next to Split DNS, click Override Global, select Both, Remote, or Local and then click OK.
  8. In the Create Session Policy dialog box, next to Named Expressions, select General, select True, click Add Expression, click Create, and then click Close.