XenMobile

Citrix Gateway and XenMobile

When you configure Citrix Gateway using XenMobile, you establish the authentication mechanism for remote device access to the internal network. This functionality enables apps on a mobile device to access corporate servers in the intranet. XenMobile creates a micro VPN from the apps on the device to Citrix Gateway.

You configure Citrix Gateway for use with XenMobile by exporting a script from XenMobile that you run on Citrix Gateway.

Prerequisites for using the Citrix Gateway configuration script

Citrix ADC requirements:

  • Citrix ADC (minimum version 11.0, Build 70.12).
  • Citrix ADC IP address is configured and has connectivity to the LDAP server, unless LDAP is load balanced.
  • Citrix ADC subnet IP address (SNIP) is configured, has connectivity to the necessary back end servers, and has public network access over port 8443/TCP.
  • DNS can resolve public domains.
  • Citrix ADC is licensed with Platform/Universal or Trial licenses. For information, see https://support.citrix.com/article/CTX126049.
  • A Citrix Gateway SSL certificate is uploaded and installed on the Citrix ADC. For information, see https://support.citrix.com/article/CTX136023.

XenMobile requirements:

  • XenMobile Server (minimum version 10.6).
  • LDAP server is configured.

Configure authentication for remote device access to the internal network

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Under Server, click Citrix Gateway. The Citrix Gateway page appears. In the following example, a Citrix Gateway instance exists.

    Citrix Gateway configuration screen

  3. Configure these settings:

    • Authentication: Select whether to enable authentication. The default is ON.
    • Deliver user certificate for authentication: Select whether you want XenMobile to share the authentication certificate with Secure Hub, so that Citrix Gateway can handle client certificate authentication. The default is OFF.
    • Credential Provider: In the list, click the credential provider to use. For more information, see Credential Providers.
  4. Click Save.

Add a Citrix Gateway instance

After you save the authentication settings, you add a Citrix Gateway instance to XenMobile.

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page opens.

  2. Under Server, click Citrix Gateway. The Citrix Gateway page appears.

  3. Click Add. The Add New Citrix Gateway page appears.

    Citrix Gateway configuration screen

  4. Configure these settings:

    • Name: Type a name for the Citrix Gateway instance.
    • Alias: Optionally include an alias name for the Citrix Gateway.
    • External URL: Type the publicly accessible URL for Citrix Gateway. For example, https://receiver.com.
    • Logon Type: Choose a logon type. Types include Domain only, Security token only, Domain and security token, Certificate, Certificate and domain, and Certificate and security token. The default setting for the Password Required field changes based on the Logon Type you select. The default is Domain only.

    If you have multiple domains, use Certificate and domain. For more information about configuring multiple-domain authentication with XenMobile and Citrix Gateway, see Configure authentication for multiple domains.

    If you use Certificate and security token, some additional configuration is required on Citrix Gateway to support Secure Hub. For information, see Configuring XenMobile for Certificate and Security Token Authentication.

    For more information, see Authentication in the Deployment Handbook.

    • Password Required: Select whether you want to require password authentication. The default varies based on the Logon Type chosen.
    • Set as Default: Select whether to use this Citrix Gateway as the default. The default is OFF.
    • Export Configuration Script: Click the button to export a configuration bundle that you upload to Citrix Gateway to configure it with XenMobile settings. For information, see “Configure an on-premises Citrix Gateway for use with XenMobile Server” after these steps.
    • Callback URL and Virtual IP: Save your settings before adding these fields. For information, see Add a callback URL and Citrix Gateway VPN virtual IP in this article.
  5. Click Save.

    The new Citrix Gateway is added and appears in the table. To edit or delete an instance, click the name in the list.

Configure Citrix Gateway for use with XenMobile Server

To configure an on-premises Citrix Gateway for use with XenMobile, you perform the following general steps, detailed in this article:

  1. Download a script and related files from XenMobile Server. See the readme file provided with the script for the latest detailed instructions.

  2. Verify that your environment meets the prerequisites.

  3. Update the script for your environment.

  4. Run the script on Citrix ADC.

  5. Test the configuration.

The script configures these Citrix Gateway settings required by XenMobile:

  • Citrix Gateway virtual servers needed for MDM and MAM
  • Session policies for the Citrix Gateway virtual servers
  • XenMobile Server details
  • Authentication Policies and Actions for the Citrix Gateway virtual server. The script describes the LDAP configuration settings.
  • Traffic actions and policies for the proxy server
  • Clientless access profile
  • Static local DNS record on Citrix ADC
  • Other bindings: Service policy, CA certificate

The script doesn’t handle the following configuration:

  • Exchange load balancing
  • Citrix Files load balancing
  • ICA Proxy configuration
  • SSL Offload

To download, update, and run the script

  1. If you’re adding a Citrix Gateway, click Export Configuration Script on the Add New Citrix Gateway page.

    Citrix Gateway configuration screen

    Or, if you added a Citrix Gateway instance and clicked Save before exporting the script: return to Settings > Citrix Gateway, select the Citrix ADC, click Export Configuration Script, and then click Download.

    Citrix Gateway configuration screen

    After you clickExport Configuration Script, XenMobile creates a .tar.gz script bundle. The script bundle includes:

    • Readme file with detailed instructions
    • Script that contains the Citrix ADC CLI commands used to configure the required components in Citrix ADC
    • Public Root CA certificate and the Intermediate CA certificate of XenMobile Server (these certificates, for SSL offload, are not needed for the current release)
    • Script that contains the Citrix ADC CLI commands used to remove the Citrix ADC configuration
  2. Edit the script (NSGConfigBundle_CREATESCRIPT.txt) to replace all placeholders with details from your environment.

    Sample script file

  3. Run your edited script in the Citrix ADC bash shell, as described in the readme file included in the script bundle. For example:

    /netscaler/nscli -U :: batch -f "/var/NSGConfigBundle_CREATESCRIPT.txt"

    Citrix ADC bash shell

    When the script completes, the following lines appear.

    Citrix ADC bash shell
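Before running the edited NSGConfigBundle_CREATESCRIPT.txt through nscli, it is worth checking that no placeholder was left unreplaced, since a batch run with a half-edited script leaves partially created objects on the appliance. The following Python pre-flight check is an added example, not part of the Citrix script bundle or its readme. It assumes (the page does not say) that placeholders look like <UPPER_CASE_TOKEN> and that comment lines start with "#"; the sample script text, the vserver names other than the two MDM load balancers named on this page, and the 203.0.113.x addresses are constructed for illustration.

```python
"""Pre-flight check for an edited NSGConfigBundle_CREATESCRIPT.txt before batch-running it.

Added example, not part of the Citrix script bundle. Assumes (not stated on the page)
that unreplaced placeholders look like <UPPER_CASE_TOKEN> and that comment lines start with '#'.
"""
import re
import subprocess
import sys

# Assumed placeholder syntax; adjust to whatever the bundle's readme actually uses.
PLACEHOLDER = re.compile(r"<[A-Z][A-Z0-9_]*>")

# Constructed sample of what a partially edited script might contain (not the real bundle).
# _XM_LDAP_Action and _XM_Session_Pol are hypothetical object names.
SAMPLE_SCRIPT = """\
# constructed sample: MDM load balancer and gateway objects
add lb vserver _XM_LB_MDM_XenMobileMDM_443 SSL 203.0.113.10 443
add lb vserver _XM_LB_MDM_XenMobileMDM_8443 SSL 203.0.113.10 8443
add vpn vserver _XM_XenMobileGateway SSL <NSG_VIP> 443
add authentication ldapAction _XM_LDAP_Action -serverIP <LDAP_SERVER_IP> -ldapBase "dc=example,dc=com"
bind vpn vserver _XM_XenMobileGateway -policy _XM_Session_Pol -priority 100
"""


def find_placeholders(script_text):
    """Return [(line_number, token)] for every unreplaced placeholder in the script."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        for token in PLACEHOLDER.findall(line):
            hits.append((number, token))
    return hits


def summarize_commands(script_text):
    """Count the CLI verbs (add, bind, set, ...) so the change set can be reviewed at a glance."""
    counts = {}
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        verb = stripped.split()[0]
        counts[verb] = counts.get(verb, 0) + 1
    return counts


def preflight(script_text):
    """Return (ok, placeholders, command_counts); ok is False while anything is unreplaced."""
    placeholders = find_placeholders(script_text)
    return (not placeholders, placeholders, summarize_commands(script_text))


def run_batch(path):
    """Run the script exactly as the page shows; only meaningful on the Citrix ADC itself."""
    return subprocess.run(["/netscaler/nscli", "-U", "::", "batch", "-f", path], check=False).returncode


if __name__ == "__main__":
    # Usage on the appliance: python3 preflight.py /var/NSGConfigBundle_CREATESCRIPT.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SCRIPT  # constructed sample when no file is given
    ok, placeholders, counts = preflight(text)
    for number, token in placeholders:
        print(f"line {number}: unreplaced placeholder {token}")
    print("commands:", counts)
    if ok and len(sys.argv) > 1:
        sys.exit(run_batch(sys.argv[1]))
    sys.exit(0 if ok else 1)
```

Run without arguments the check reports the two constructed placeholders and exits non-zero; with a real path it refuses to invoke nscli until the script is clean. The command summary is there so the administrator sees the number of add and bind operations before they are applied, which is also what to compare against when running the removal script from the same bundle.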

Test the configuration

  1. Validate that the Citrix Gateway Virtual Server shows a state of UP.

    Citrix ADC VPX configuration screen

  2. Validate that the Proxy Load Balancing Virtual Server shows a state of UP.

    Citrix ADC VPX configuration screen

  3. Open a web browser, connect to the Citrix Gateway URL, and attempt to authenticate. If the authentication fails, this message appears: HTTP Status 404 - Not Found

  4. Enroll a device and ensure it gets both MDM and MAM enrollment.

Add a callback URL and Citrix Gateway VPN virtual IP

After adding the Citrix Gateway instance, you can add a callback URL and specify a Citrix Gateway virtual IP address. These settings are optional, but can be configured for extra security, especially when the XenMobile Server is in the DMZ.

  1. In Settings > Citrix Gateway, select the Citrix Gateway and then click Edit.

  2. In the table, click Add.

  3. For Callback URL, type the fully qualified domain name (FQDN). The callback URL verifies that a request originated from Citrix Gateway.

    Ensure that the callback URL resolves to an IP address that is reachable from the XenMobile Server. The callback URL can be an external Citrix Gateway URL or some other URL.

  4. Type the Citrix Gateway Virtual IP address and then click Save.

Configure authentication for multiple domains

If you have multiple XenMobile Server instances, such as for test, development, and production environments, you configure Citrix Gateway for the additional environments manually. (You can use the Citrix ADC for XenMobile wizard only one time.)

Citrix Gateway configuration

To configure Citrix Gateway authentication policies and a session policy for a multi-domain environment:

  1. In the Citrix Gateway configuration utility, on the Configuration tab, expand Citrix Gateway > Policies > Authentication.
  2. In the navigation pane, click LDAP.
  3. Click to edit the LDAP profile. Change the Server Logon Name Attribute to userPrincipalName or to the attribute you want to use for the search. Make a note of the attribute that you specify so you have it when configuring LDAP settings in the XenMobile console.

    Citrix Gateway configuration screen

  4. Repeat those steps for each LDAP policy. A separate LDAP policy is required for each domain.
  5. In the session policy bound to the Citrix Gateway virtual server, navigate to Edit session profile > Published Applications. Make sure that Single Sign-On Domain is blank.

XenMobile Server configuration

To configure LDAP for a multi-domain XenMobile environment:

  1. In the XenMobile console, go to Settings > LDAP and add or edit a directory.

    XenMobile LDAP settings screen

  2. Provide the information.

    • In Domain Alias, specify each domain to use for user authentication. Separate the domains with a comma and don’t use spaces between the domains. For example: domain1.com,domain2.com,domain3.com

    • Ensure that the User search by field matches the Server Logon Name Attribute specified in the Citrix Gateway LDAP policy.

    XenMobile LDAP settings screen

Drop inbound connection requests to specific URLs

If the Citrix Gateway in your environment is configured for SSL offload, you might prefer that the gateway drop inbound connection requests for specific URLs.

If you prefer that extra security, configure the two MDM load balancer virtual servers (one for port 443 and one for port 8443) on Citrix Gateway. Use the following information as a template for your settings.

Important:

The following updates are only for a Citrix Gateway configured for SSL offload.

  1. Create a pattern set with the name XMS_DropURLs.

    add policy patset XMS_DropURLs
  2. Add the following URLs to the new pattern set. Customize this list as required.

    bind policy patset XMS_DropURLs /zdm/shp/console -index 6
    bind policy patset XMS_DropURLs /zdm/login_xdm_uc.jsp -index 5
    bind policy patset XMS_DropURLs /zdm/helper.jsp -index 4
    bind policy patset XMS_DropURLs /zdm/log.jsp -index 3
    bind policy patset XMS_DropURLs /zdm/login.jsp -index 2
    bind policy patset XMS_DropURLs /zdm/console -index 1
  3. Create a policy to drop all traffic to these URLs, unless the connection request originates from the specified subnet.

    add responder policy XMS_DROP_pol "CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/24).NOT && HTTP.REQ.URL.CONTAINS_ANY(\"XMS_DropURLs\")" DROP -comment "Allow only subnet 192.168.0.0/24 to access these URLs. All other connections are DROPed"
  4. Bind the new policy to both MDM load balancer virtual servers (ports 443 and 8443).

    bind lb vserver _XM_LB_MDM_XenMobileMDM_443 -policyName XMS_DROP_pol -priority 100 -gotoPriorityExpression END -type REQUEST
    bind lb vserver _XM_LB_MDM_XenMobileMDM_8443 -policyName XMS_DROP_pol -priority 100 -gotoPriorityExpression END -type REQUEST
  5. Block MAM URL access through the browser

    Accessing the MAM URL directly through the browser prompts the users to enter their Active Directory credentials. While it acts as a tool for users to validate their credentials, some users might treat it as a security violation. The following section helps you restrict the browser access to the MAM URL (NetScaler Gateway VIP), using the Responder Policy feature on NetScaler.

    Create one of the following responder policies and bind it to your NetScaler Gateway virtual server:

    • add responder policy Resp_Brow_Pol "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Mozilla\")&&HTTP.REQ.URL.PATH_AND_QUERY.EQ(\"/vpn/index.html\")" DROP

    • add responder policy Resp_Brow_Pol_CR "!HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&HTTP.REQ.URL.PATH_AND_QUERY.EQ(\"/vpn/index.html\")" DROP

    • add responder policy Resp_Brow_Pol_CR "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&HTTP.REQ.URL.PATH_AND_QUERY.EQ(\"/vpn/index.html\")" DROP

    Bind it to the NetScaler Gateway virtual server using: bind vpn vserver _XM_XenMobileGateway -policy Resp_Brow_Pol_CR -priority 100 -gotoPriorityExpression END -type REQUEST

    Note:

    _XM_XenMobileGateway is an example name of a NetScaler Gateway Virtual Server.
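To see what the XMS_DropURLs policy on the MDM load balancers and the browser-blocking policy on the gateway virtual server actually drop, the following Python model evaluates the expressions from this section over constructed requests. It is an added example, not Citrix code and not the appliance's own policy engine; the client addresses, the User-Agent strings, and the assumption that Secure Hub identifies itself with a User-Agent containing "CitrixReceiver" are constructed for illustration. The model follows the expression semantics as written: CONTAINS and CONTAINS_ANY are substring matches, PATH_AND_QUERY.EQ is an exact string comparison, and with gotoPriorityExpression END the first policy that matches decides.

```python
"""Model of the responder policies on this page, to see which requests they drop.

Added example, not Citrix code. Requests are constructed; policy semantics (substring match
for CONTAINS/CONTAINS_ANY, exact match for PATH_AND_QUERY.EQ, first match wins with END)
are modelled in plain Python.
"""
import ipaddress
from dataclasses import dataclass

# Same entries as the XMS_DropURLs pattern set bound above.
XMS_DROP_URLS = ["/zdm/console", "/zdm/login.jsp", "/zdm/log.jsp",
                 "/zdm/helper.jsp", "/zdm/login_xdm_uc.jsp", "/zdm/shp/console"]
ALLOWED_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # subnet used in XMS_DROP_pol


@dataclass
class Request:
    client_ip: str
    path_and_query: str
    user_agent: str = ""


def xms_drop_pol(req):
    """XMS_DROP_pol: CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/24).NOT && HTTP.REQ.URL.CONTAINS_ANY("XMS_DropURLs")."""
    outside_subnet = ipaddress.ip_address(req.client_ip) not in ALLOWED_SUBNET
    hits_patset = any(entry in req.path_and_query for entry in XMS_DROP_URLS)  # substring match
    return outside_subnet and hits_patset


def resp_brow_pol(req):
    """Resp_Brow_Pol: User-Agent contains "Mozilla" and the path is exactly /vpn/index.html."""
    return "Mozilla" in req.user_agent and req.path_and_query == "/vpn/index.html"


def resp_brow_pol_cr(req):
    """Resp_Brow_Pol_CR: User-Agent does NOT contain "CitrixReceiver" and the path is exactly
    /vpn/index.html. The '!' and '.NOT' forms on the page are the same expression."""
    return "CitrixReceiver" not in req.user_agent and req.path_and_query == "/vpn/index.html"


def first_match(req, policies):
    """Return the name of the first policy whose expression is true (its action is DROP), else None.
    Policies are tried in priority order; gotoPriorityExpression END stops after the first hit."""
    for name, expression in policies:
        if expression(req):
            return name
    return None


MDM_LB_POLICIES = [("XMS_DROP_pol", xms_drop_pol)]       # bound to both MDM load balancers
GATEWAY_POLICIES = [("Resp_Brow_Pol_CR", resp_brow_pol_cr)]  # bound to the gateway vserver

# Constructed sample requests (addresses from documentation ranges, not real clients).
SAMPLES = [
    Request("10.20.30.40", "/zdm/console"),          # admin console from outside the allowed subnet
    Request("192.168.0.25", "/zdm/console"),         # same URL from the allowed subnet
    Request("10.20.30.40", "/zdm/enroll"),           # not in the pattern set
    Request("10.20.30.40", "/zdm/console2"),         # substring match still drops it
    Request("198.51.100.7", "/vpn/index.html", "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"),
    Request("198.51.100.7", "/vpn/index.html", "CitrixReceiver/24.1 SecureHub"),  # constructed UA
    Request("198.51.100.7", "/vpn/index.html", "curl/8.4.0"),
    Request("198.51.100.7", "/vpn/index.html?lang=en", "Mozilla/5.0 (X11; Linux) Firefox/120.0"),
]


def decide(req):
    """Apply the MDM load-balancer policy to /zdm URLs and the gateway policy to everything else."""
    policies = MDM_LB_POLICIES if req.path_and_query.startswith("/zdm") else GATEWAY_POLICIES
    return first_match(req, policies)


if __name__ == "__main__":
    for req in SAMPLES:
        verdict = decide(req) or "pass"
        print(f"{req.client_ip:14} {req.path_and_query:26} {req.user_agent[:30]:30} -> {verdict}")
```

Two points fall out of the table this prints. First, the two browser policies differ in stance: Resp_Brow_Pol is a deny-list that drops only clients announcing "Mozilla", so a client with any other User-Agent (the constructed curl request) passes, whereas Resp_Brow_Pol_CR is an allow-list that drops everything not announcing "CitrixReceiver"; the allow-list form is the one the page binds. Second, PATH_AND_QUERY.EQ matches the literal string only, so the last sample, the same path with a query string appended, is not covered by either policy; verify against your own gateway whether that path variant serves the logon page before relying on this rule alone.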