CTX136914

FAQ: Citrix Secure Hub for Mobile Devices and MicroVPN Technology

Applicable Products

  • XenMobile
  • Citrix ADC
  • Citrix Gateway
  • Citrix Endpoint Management

Questions and Answers

Citrix Endpoint Management, using technology formerly called XenMobile

This article contains frequently asked questions about MicroVPN with XenMobile App or Enterprise editions and NetScaler Gateway deployments.

Q: What are the recommended versions of components for MicroVPN?

A: Customers who want to deploy XenMobile for remote users and leverage MicroVPN technology must use the correct combination of components. The following matrix lists the recommended versions of the various components:

| Mobile Platform | MicroVPN Supported OS Version | Citrix Secure Hub | XenMobile Server | NetScaler Software Release |
|---|---|---|---|---|
| Android | Android 4.0 and later | 10.x and later | XenMobile Server 10 or later | NetScaler Gateway 10.5 build 54.9 or later |
| iOS | iOS 6 and later | 10.x and later | XenMobile Server 10 or later | NetScaler Gateway 10.5 build 54.9 or later |
| Windows Phone | 8.1 and later | 10.x and later | XenMobile Server 10 or later | NetScaler Gateway 10.5 build 54.9 or later |

Note: Previous releases of XenMobile App Controller (such as 9.0 or 8.7) also support MicroVPN.

To access Secure Mail and Secure Web from an Android device through NetScaler Gateway, the device must be running Android OS 4.1 through 5.1.

Q: What is MicroVPN?

A: It is an on-demand application VPN connection that Secure Hub initiates on mobile devices to access corporate network sites or resources. Usually, the Secure Hub client starts the MicroVPN connection when end users open a mobile app, such as Secure Mail or Secure Web, that requires corporate network access.

MicroVPN can leverage two sub-components to securely access web portals: Secure Browse or Full Tunnel. Both of these options are configurable on either XenMobile Server 10 or App Controller components.
Note: Windows Phone 8.1 supports only the MicroVPN (Secure Browse) feature.

Q: What mobile platforms support MicroVPN?

A: Currently, only Android, iOS and Windows Phone 8.1 platforms with the latest Secure Hub client support this technology. See the table in Answer to know the latest Secure Hub recommended.

Q: How do I connect to my corporate network by using MicroVPN?

A: For iOS devices, when mobile users open a mobile application such as Secure Mail or Secure Web that requires corporate network access, they might see the following prompt:

[Screenshot: iOS prompt]

For Android devices, when launching Secure Mail or Secure Web, users might see the following prompt:

[Screenshot: Android prompt]

Q: How do I enable MicroVPN in NetScaler Gateway?

A: The following prerequisites are required to ensure MicroVPN works successfully with NetScaler Gateway:

  • Ensure that you have NetScaler Gateway Universal licenses installed.

  • Ensure that you set the NetScaler Gateway virtual server to SmartAccess mode.

  • Ensure that you have Clientless Access set to ON and Clientless Access URL Encoding to Clear.

  • Ensure that Interception is set to Transparent in the NetScaler Gateway Global Settings or Session Profile.

  • Ensure that the DNS suffix is configured on the NetScaler Gateway appliance.

  • Ensure that you have enabled Secure Browse.

For example:
From Web Graphical User Interface (GUI)

[Screenshots: Transparent Interception setting in NetScaler 10.1 and NetScaler 10.5]

[Screenshots: Secure Browse setting in NetScaler 10.1 and NetScaler 10.5]

From Command Line Interface

For XenMobile Server
add vpn sessionAction XM-AppC-CVPN-Receiver-Prof -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -wihome "https://xm.example.ctx:8443" -ntDomain amc -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl https://xm.example.ctx:8443
Note: Be sure to add the port :8443 at the end of the XenMobile Server 10 URL.

For App Controller
add vpn sessionAction XM-AppC-CVPN-Receiver-Prof -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -wihome "https://xm.example.ctx" -ntDomain amc -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl https://xm.example.ctx
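
The prerequisites and session profile commands above can be checked mechanically against an exported configuration. The following is an added example, not Citrix code: it audits an `add vpn sessionAction` line for the MicroVPN settings this article lists, using the CLI values from the article's own command (TRANSPARENT for URL encoding). The function names and the `Test-Prof` line are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

# CLI settings taken from the article's prerequisites and sessionAction example.
REQUIRED = {
    "-transparentInterception": "ON",
    "-clientlessVpnMode": "ON",
    "-clientlessModeUrlEncoding": "TRANSPARENT",
    "-SecureBrowse": "ENABLED",
}

def parse_session_action(line):
    """Return (profile_name, {lowercased option: value})."""
    tok = shlex.split(line)
    if len(tok) < 4 or [t.lower() for t in tok[:3]] != ["add", "vpn", "sessionaction"]:
        raise ValueError("not an 'add vpn sessionAction' command")
    # After the profile name, tokens alternate "-option value".
    return tok[3], {k.lower(): v for k, v in zip(tok[4::2], tok[5::2])}

def audit_microvpn(line, xenmobile_server_10=False):
    """Return (profile_name, findings); an empty list means the profile matches."""
    name, opts = parse_session_action(line)
    findings = []
    for opt, want in REQUIRED.items():
        got = opts.get(opt.lower())
        if got is None:
            # May still be inherited from Global Settings, so flag for review.
            findings.append(f"{opt} not set in profile (need {want})")
        elif got.upper() != want:
            findings.append(f"{opt} is {got} (need {want})")
    if xenmobile_server_10:
        # The article's note: XenMobile Server 10 URLs must end in :8443.
        for opt in ("-wihome", "-storefronturl"):
            url = opts.get(opt.lower(), "")
            if urlsplit(url).port != 8443:
                findings.append(f"{opt} lacks port 8443: {url or 'unset'}")
    return name, findings

# GOOD is the article's XenMobile Server command; BAD is constructed.
GOOD = ('add vpn sessionAction XM-AppC-CVPN-Receiver-Prof -splitTunnel ON '
        '-transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON '
        '-wihome "https://xm.example.ctx:8443" -ntDomain amc -clientlessVpnMode ON '
        '-clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED '
        '-storefronturl https://xm.example.ctx:8443')
BAD = ('add vpn sessionAction Test-Prof -transparentInterception OFF '
       '-wihome "https://xm.example.ctx" -clientlessVpnMode ON '
       '-clientlessModeUrlEncoding OPAQUE -storefronturl https://xm.example.ctx:8443')

if __name__ == "__main__":
    for cmd in (GOOD, BAD):
        print(audit_microvpn(cmd, xenmobile_server_10=True))
```

A setting reported as "not set in profile" is not necessarily wrong, because the article allows Interception to be set in either Global Settings or the session profile.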

Q: How do I enable MicroVPN on Mobile Apps?

A: On the App Controller Web GUI console https://appcontrollerFQDN:4443/ControlPoint, ensure that you have set network access to Tunneled to Internal Network for MDX-wrapped mobile apps. This setting is available under mobile apps policies.

[Screenshot: network access policy in App Controller]

For XenMobile Server 10, access the unified Web GUI console via https://XenMobileServerFQDN:4443. Ensure that you have set the network access to Tunneled to Internal Network for MDX-wrapped mobile apps. This setting is available under mobile apps policies:

[Screenshot: network access policy in XenMobile Server 10]

Q: Is Split Tunneling in NetScaler Gateway supported with MicroVPN?

A: Yes. If you enable Split Tunnel in the session profile or at a global level and you configure the Intranet Applications correctly with the subnet or host machines with the TCP protocol, then only corporate network traffic is sent through the tunnel. All other network traffic will go outside the tunnel.
For Intranet Applications, ensure that the interception used is TRANSPARENT. Note that MicroVPN does not support UDP socket connections from an iOS app wrapped with MDX.

Example:
Enable Split Tunnel

[Screenshots: Split Tunnel setting in NetScaler 10.1 and NetScaler 10.5]

Intranet Applications Configuration
Defining explicit hosts

add vpn intranetApplication DNS-Web ANY 172.16.0.2 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication Exchange ANY 172.16.0.31 -destPort 1-65535 -interception TRANSPARENT

Defining a subnet

add vpn intranetApplication "Internal Resources" ANY 172.16.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

Binding Intranet Applications to virtual server

bind vpn vserver ag -intranetApplication "Internal Resources"
bind vpn vserver ag -policy CLT_LESS_172.16.0.96 -priority 80 -gotoPriorityExpression END -type REQUEST -intranetApplication "Internal Resources"
bind vpn vserver ag -policy CLT_LESS_RF_172.16.0.96 -priority 100 -gotoPriorityExpression END -type REQUEST -intranetApplication "Internal Resources"

Example:

Adding Intranet Applications to virtual server from the GUI:

[Screenshots: adding Intranet Applications to the virtual server]

For more information on how to configure Intranet Applications, see Configuring Client Interception.

Q: Is Split DNS feature of NetScaler Gateway supported with MicroVPN?

A: Split DNS is honored on Secure Hub for iOS and Android only.

Q: Are Intranet IP addresses of the NetScaler Gateway supported with MicroVPN?

A: Intranet IP Addresses are supported with MicroVPN. Mobile devices will leverage the IP Address assigned by the NetScaler to contact backend resources.

Note: NetScaler ADC configuration utility is now integrated with Citrix XenMobile. For more information on configuration utility changes in NetScaler 10.5, refer to Citrix Documentation - Configuration Utility Changes.

Q: What is MicroVPN Reverse Split Tunnel mode?

A: MicroVPN Reverse Split Tunnel mode is a configuration that supports an exclusion list of IP addresses that are not tunneled to the NetScaler but are sent out using the local area network (LAN) of the device. For more detailed information about Reverse Split Tunnel mode, see http://docs.citrix.com/en-us/netscaler-gateway/11/vpn-user-config/configure-plugin-connections/ng-plugin-split-tunneling-tsk.html


Q: Which versions support MicroVPN Reverse Split Tunnel mode?

A: Both iOS and Android are supported.


Q: How is MicroVPN Reverse Split Tunnel mode configured in Secure Browse mode?

Step 1: Configure split tunnel reverse mode on the NetScaler Gateway
To configure the reverse mode split tunnel feature, navigate to Policies -> Session Policy. Choose the Secure Hub Policy and navigate to Client Experience -> Split Tunnel. Select REVERSE.

[Screenshot: Split Tunnel setting]

Step 2: Configure the MDX policy
XenMobile 10.3.5 or later introduces a new MDX policy titled "Reverse Split Tunnel Mode Exclusion List". This is configured with the 'Exclusion' range based on a comma-separated list of DNS suffixes and FQDNs, which defines the URLs for which traffic must be sent out on the local area network (LAN) of the device and is not sent to the NetScaler.

[Screenshot: MDX policy setting]

Q: How is MicroVPN Reverse Split Tunnel mode configured in Full Tunnel mode?

Step 1: Configure split tunnel reverse mode on the NetScaler Gateway
To configure the reverse mode split tunnel feature, navigate to Policies -> Session Policy. Choose the Secure Hub Policy, select Action and then navigate to Client Experience -> Split Tunnel. Select REVERSE.

[Screenshot: Split Tunnel setting]

Step 2: Configure the Exclusion range on the NetScaler Gateway
This is configured on the NetScaler Gateway and the configuration will be respected by the MDX applications. In this scenario, the 'Exclusion' range is based on IP address ranges, for which traffic must be sent out on the local area network (LAN) of the device and is not sent to the NetScaler.

To configure this setting, refer to the section within this KB article: Q: Is Split Tunneling in NetScaler Gateway supported with MicroVPN? -> Intranet Applications Configuration

Note: There is no need to configure any MDX policy on the XenMobile Server for full tunnel mode VPN.
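
The same Intranet Applications list means opposite things under Split Tunnel ON (the split tunneling answer) and REVERSE (the Full Tunnel reverse mode answer above). The following added example, which is not Citrix code, parses the article's `add vpn intranetApplication` commands and reports whether a destination IP is tunneled in each mode. The function names and test destinations are constructed, and the Secure Browse exclusion list (DNS suffixes and FQDNs in the MDX policy) is not modelled.

```python
import ipaddress
import shlex

# The article's intranetApplication commands (two explicit hosts and a subnet).
PAGE_CONFIG = '''
add vpn intranetApplication DNS-Web ANY 172.16.0.2 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication Exchange ANY 172.16.0.31 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication "Internal Resources" ANY 172.16.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
'''

def parse_intranet_apps(config):
    """Return [(name, ip_network)] for each 'add vpn intranetApplication' line."""
    apps = []
    for line in config.splitlines():
        tok = shlex.split(line)
        low = [t.lower() for t in tok]
        if len(tok) < 6 or low[:3] != ["add", "vpn", "intranetapplication"]:
            continue
        name, addr = tok[3], tok[5]        # tok[4] is the protocol (ANY)
        mask = "255.255.255.255"           # explicit host unless -netmask is given
        if "-netmask" in low:
            mask = tok[low.index("-netmask") + 1]
        apps.append((name, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return apps

def is_tunneled(dest, apps, split_tunnel):
    """True if traffic to dest is sent to the gateway under this split tunnel mode."""
    listed = any(ipaddress.ip_address(dest) in net for _, net in apps)
    mode = split_tunnel.upper()
    if mode == "OFF":
        return True            # no split tunneling: all traffic is tunneled
    if mode == "ON":
        return listed          # the list names what IS tunneled
    if mode == "REVERSE":
        return not listed      # the list names exclusions sent out on the LAN
    raise ValueError(f"unknown split tunnel mode: {split_tunnel}")

if __name__ == "__main__":
    apps = parse_intranet_apps(PAGE_CONFIG)
    # Constructed destinations: an internal host and a documentation-range address.
    for dest in ("172.16.0.31", "172.16.200.7", "203.0.113.10"):
        print(dest, {m: is_tunneled(dest, apps, m) for m in ("OFF", "ON", "REVERSE")})
```

Switching a profile from ON to REVERSE without rewriting the list sends every listed internal address out on the device's LAN, so the list should be reviewed whenever the mode changes.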

