Citrix Gateway

Configuring Settings for Your Citrix Endpoint Management Environment

The Citrix ADC for Citrix Endpoint Management wizard guides you through the configuration of Citrix ADC features for your Citrix Endpoint Management deployment. You can use the wizard to:

  • Set up a Micro VPN. In this scenario, remote users can access apps and desktops in the internal network.

    • For Citrix Endpoint Management MAM-only mode, you must use Citrix Gateway for authentication.

    • For MDM deployments, Citrix recommends Citrix Gateway for mobile device VPN.

    • For ENT deployments, if a user opts out of MDM enrollment, the device operates in the legacy MAM mode and enrolls using the Citrix Gateway FQDN.

  • Configure certificate-based authentication. The default configuration for Citrix Endpoint Management is user name and password authentication. To add another layer of security for enrollment and access to the Citrix Endpoint Management environment, consider using certificate-based authentication.
  • Load balance Citrix Endpoint Management servers. Citrix ADC load balancing is required for all Citrix Endpoint Management device modes if you have multiple Citrix Endpoint Management servers or if the Citrix Endpoint Management is inside your DMZ or internal network (and therefore traffic flows from devices to Citrix ADC to Citrix Endpoint Management). In this scenario, the Citrix ADC appliance resides in the DMZ between the user device and the Citrix Endpoint Management servers to load balance encrypted data sent from mobile devices to the Citrix Endpoint Management servers.
  • Load balance Microsoft Exchange servers with email filtering. In this scenario, the Citrix ADC appliance is situated between the user device and the Citrix Endpoint Management Citrix ADC Connector (XNC), and between the user device and the Microsoft Exchange CAS servers. All requests from user devices go to the Citrix Gateway appliance, which then communicates with the XNC to retrieve information about the device. Depending on the response from the XNC, the Citrix ADC appliance either forwards the request from a whitelisted device to the server in the internal network, or drops the connection from a blacklisted device.
  • Load balance ShareFile StorageZones Connectors based on the type of content requested. This scenario prompts you for basic information about your storage zones controller environment and then generates a configuration that does the following:
    • Load balances traffic across storage zones controllers.
    • Provides user authentication for StorageZones Connectors.
    • Validates URI signatures for ShareFile uploads and downloads.
    • Terminates SSL connections at the Citrix ADC appliance.

For more information about configuring ShareFile, see Configure Citrix ADC for storage zones controller.

Important

Before you use the Citrix Endpoint Management wizard, be sure to refer to these Citrix Endpoint Management Deployment articles for design and deployment information and recommendations:

Citrix Endpoint Management Integration

Integrating with Citrix Gateway and Citrix ADC

SSO and Proxy Considerations for MDX Apps

Authentication

You can use the Citrix ADC for Citrix Endpoint Management wizard only once. If you want multiple Citrix Endpoint Management instances, such as for test, development, and production environments, you must configure Citrix ADC for the additional environments manually. The following support articles list the commands run by the wizard and provide instructions for running them to create a Citrix ADC instance:

Commands Generated by Citrix Endpoint Management Wizard on Citrix ADC - SSL Bridge

Commands Generated by Citrix Endpoint Management Wizard on Citrix ADC - SSL Offload

License Requirements for Citrix ADC Features

You must install licenses to enable the following Citrix ADC features:

  • Citrix Endpoint Management MDM load balancing requires a Citrix ADC standard license.
  • ShareFile load balancing with StorageZones requires a Citrix ADC standard license.
  • Exchange load balancing requires a Citrix ADC license or an Advanced license with the addition of an Integrated Caching license.

Citrix ADC for Citrix Endpoint Management Wizard

This section provides an example of using the Citrix ADC for Citrix Endpoint Management wizard to:

  • Set up micro VPN access for remote user connections to Citrix Endpoint Management-managed resources in your internal network
  • Configure certificate-based authentication. For information about obtaining and installing a public SSL certificate, see Installing and Managing Certificates.
  • Configure load balancing for Citrix Endpoint Management servers.

To use the wizard:

  1. In the configuration utility, click the Configuration tab and then click Citrix Endpoint Management.
  2. Select your Citrix Endpoint Management version and then click Get Started.
  3. Select the check boxes for the features you want to configure. Keep in mind that you can use this wizard only once, so you must perform subsequent configuration manually. These instructions assume that you select the following settings: Access through Citrix Gateway (for Citrix Endpoint Management running in ENT or MAM modes) and Load Balance Citrix Endpoint Management Servers.

    Select features

  4. On the Citrix Gateway Settings page, enter values for the external facing Citrix Gateway IP Address, Port, and Virtual Server Name.

    Gateway configuration

  5. On the Server Certificate for Citrix Gateway page, from the Certificate File drop-down menu, choose the certificate file from Local or Appliance. If your certificate is on a local machine:

    Select server certificate

    If your certificate is on the appliance:

    Server certificates on the appliance

  6. On the Authentication Settings page, in the Primary authentication method field, select Client Certificate.

    This automatically selects Use existing certificate policy and Cert Auth in the next two fields. The following steps assume that you already have a certificate policy.

    If you must create a certificate policy, click Create certificate policy and complete the settings. On the Citrix Endpoint Management Certificate screen, choose an existing server certificate or install a new certificate. If you’re running multiple Citrix Endpoint Management servers, you add a certificate for each one. For Server Logon Name Attribute, specify userPrincipalName or samAccountName, per your requirements.

    Authentication configuration

    • Select Click here to change the CA certificate and then, in the Browse list, navigate to the CA certificate you want.

      Search CA certificate

    • With the client certificate as your primary authentication type, you have the option of configuring LDAP (or RADIUS) as the secondary authentication type.

      To use client certificate authentication only, leave Second authentication method as None and then click Continue.

      To use client certificate + domain (LDAP) authentication, change Second authentication method to LDAP and configure the authentication server settings.

    • On the Device certificate screen, if the certificate is not already installed, you must export this certificate from the Citrix Endpoint Management console: From the console, click the gear icon in the upper-right corner to open the Settings screen.

    • Click Certificate and then choose the CA certificate from the list.

    • Click Export.

    • Return to the Citrix ADC wizard and select the certificate you exported (downloaded) to install it.

    • Click Continue.

    The Citrix Endpoint Management IP addresses that you’ve configured appear.

  7. Configure the Citrix Endpoint Management App Management Settings.

    Endpoint Management settings

    • Enter the Citrix Endpoint Management FQDN. This is the load balancing FQDN for MAM.
    • Enter a MAM-only Internal Load Balancing IP Address for the virtual server that load balances Citrix Endpoint Management servers. Citrix Gateway communicates with the Citrix Endpoint Management through this MAM load balancing virtual IP.
    • This is an SSL offload deployment, so select HTTP in Communication with Citrix Endpoint Management Server.
    • The Split DNS mode for MicroVPN field automatically sets to BOTH.

    If your deployment requires split tunneling, select Enable split tunneling. If you enable split tunneling, configure Intranet Application Binding next.

    By default, Secure Web access is tunneled to the internal network, which means that Secure Web uses a per-application VPN tunnel back to the internal network for all network access and the Citrix ADC appliance uses split tunnel settings.

    CEM settings

  8. To configure interception rules for user connections on Citrix Gateway, you must configure Intranet Application Binding. Click + to add a binding.

    Add intranet application binding

  9. Complete the parameters for allowing network access and then click Create.

    Intranet application details

  10. Add the Citrix Endpoint Management certificate. This is used for the MAM load balancing virtual server.

    Adding CEM certificate

  11. Under Citrix Endpoint Management Servers, click Add Server to add the Citrix Endpoint Management IP Address to bind to the load balancing virtual IP.

    Select virtual server

  12. On the Citrix ADC dashboard, confirm that Citrix Gateway and Citrix Endpoint Management load balancing are configured as follows.

    Dashboard

    If you use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the certificate profile as described in Manually Configuring Citrix Gateway for Client Certificate Authentication.
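
One way to confirm the client certificate settings from steps 5 and 6 outside the dashboard, as an added example (not Citrix code and not the commands the wizard generates): the script reads configuration lines in Citrix ADC CLI syntax and reports every Citrix Gateway virtual server that lacks a bound certificate policy, a mandatory client certificate, or a bound CA certificate. The sample configuration, all object names and addresses in it, and the choice of these three checks are assumptions made for the illustration.

```python
import shlex

# Constructed sample in Citrix ADC CLI syntax; every name and address is a placeholder.
SAMPLE_CONFIG = """\
add authentication certPolicy cem_cert_pol ns_true cem_cert_act
add vpn vserver gw_cem SSL 203.0.113.10 443
add vpn vserver gw_test SSL 203.0.113.11 443
bind vpn vserver gw_cem -policy cem_cert_pol -priority 100
bind vpn vserver gw_test -policy cem_cert_pol -priority 100
set ssl vserver gw_cem -clientAuth ENABLED -clientCert Mandatory
set ssl vserver gw_test -clientAuth ENABLED -clientCert Optional
bind ssl vserver gw_cem -certkeyName gw_server_cert
bind ssl vserver gw_cem -certkeyName cem_devices_ca -CA -ocspCheck Optional
"""

CHECKS = {
    "policy": "no certificate authentication policy bound",
    "mandatory": "client certificate is not mandatory in the TLS handshake",
    "ca": "no CA certificate bound to validate client certificates",
}

def _options(tokens):
    """Map '-flag value' pairs; a bare flag such as -CA maps to True."""
    following = tokens[1:] + ["-"]
    return {tok.lower(): (True if nxt.startswith("-") else nxt)
            for tok, nxt in zip(tokens, following) if tok.startswith("-")}

def audit_client_cert_auth(config_text):
    """Return {gateway vserver: [findings]}; an empty list means every check passed."""
    cert_policies, state = set(), {}
    for line in config_text.splitlines():  # assumes add lines precede bind/set lines
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        cmd, name, opts = " ".join(tok[:3]).lower(), tok[3], _options(tok[4:])
        if cmd == "add authentication certpolicy":
            cert_policies.add(name)
        elif cmd == "add vpn vserver":
            state[name] = dict.fromkeys(CHECKS, False)
        elif name not in state:
            continue  # line belongs to an object that is not a gateway virtual server
        elif cmd == "bind vpn vserver" and opts.get("-policy") in cert_policies:
            state[name]["policy"] = True
        elif cmd == "set ssl vserver" and "-clientauth" in opts:
            state[name]["mandatory"] = (opts["-clientauth"] == "ENABLED"
                and str(opts.get("-clientcert")).lower() == "mandatory")
        elif cmd == "bind ssl vserver" and opts.get("-ca") is True:
            state[name]["ca"] = True
    return {vs: [CHECKS[k] for k in CHECKS if not flags[k]] for vs, flags in state.items()}
```

On the constructed sample, `gw_cem` passes all three checks, while `gw_test` is reported because its client certificate is only optional and no CA certificate is bound to it.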
