Fronting XenMobile MDM with NetScaler
This article focuses on the integration of our MDM and NetScaler product lines.
Placing a NetScaler appliance in front of your device manager provides a flexible and secure delivery platform for an optimal MDM solution.
http://blogs.citrix.com/2013/03/12/fronting-xenmobile-mdm-with-netscaler/
ARCHITECTURE | XenMobile
Reference Architecture:
XenMobile with NetScaler
Configuration Guide for Establishing NS Load Balancing Front End
www.citrix.com
Table of Contents
Table of Contents ........ 2
Introduction ........ 3
Network Flow Diagram ........ 4
XenMobile Port Table ........ 4
Load Balancing Configuration on NetScaler ........ 7
Conclusion ........ 17
Additional Links ........ 17
Key Contributors ........ 17
Disclaimer ........ 18
XenMobile on NetScaler Reference Architecture Page |2
Introduction
Citrix Systems' XenMobile is a comprehensive solution portfolio designed to let customers realize the benefits of Mobile Device Management while maintaining secure access to applications and desktops.
The purpose of this document is to provide a reference architecture for placing a NetScaler in front of your XenMobile MDM solution. This allows the XenMobile Device Manager (XDM) to remain within the walls of your datacenter, with only the NetScaler appliance in the DMZ, and so supports a secure and scalable rollout of your MDM solution.
We will walk through several diagrams to prepare for the configuration steps near the end of this document. This document covers the configuration of the load balancing VIPs, not the overall setup of the NetScaler. For additional resources on the NetScaler and other configurations, see the "Additional Links" section at the end of this document. Below (Diagram 1.1) is the basic architecture of the XenMobile environment before the addition of the NetScaler.
Diagram 1.1
Network Flow Diagram
The basic diagram below shows the key ports used by the MDM solution. A full description of the ports required for the solution is laid out in the ports table. In summary, ports 80 and 443 are used by iOS, Android and Windows devices for communication.
Port 8443 is used by Apple iOS for over-the-air registration of the device with the XDM. Connections that use the server FQDN also use this port. This FQDN is key, as it has been registered with the Apple Push Notification Service.
Diagram 1.2
[Figure: three zones, left to right: Internet Zone, Corporate DMZ Zone, Corporate LAN Zone. Devices on the Internet reach the NetScaler LB in the DMZ over TCP 80, TCP 443 and TCP 8443; the NetScaler forwards TCP 80, TCP 443 and TCP 8443 to the XenMobile Device Manager in the LAN. The XenMobile Device Manager connects to the MS SQL Server over TCP 1433, to Active Directory/LDAP over LDAP/S (TCP 389/636), and to a Microsoft CA or PKI Entity over HTTPS 443.]
Diagram 1.2: A basic diagram of the network flow for NetScaler and XenMobile
XenMobile Port Table
This table is designed to guide the XenMobile Administrator and Network Administrator through
the TCP/IP Port requirements for the Device Manager Server and mobile device agent connections.
XenMobile Device Manager Firewall Port Requirements

| TCP Port | Description | Source | Destination |
|---|---|---|---|
| 25 | By default, the XDM SMTP configuration of the Notification Service uses port 25. However, if your corporate SMTP server uses a different port, make sure that your corporate firewall does not block that port. | XenMobile Device Manager Server | Corporate SMTP Server |
| 80 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile) | Internet | XenMobile Device Manager Server |
| 80 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile), ZDM Web Console, ZDM Remote Support Client | Corporate LAN and Wi-Fi | XenMobile Device Manager Server |
| 80 | ZDM Server Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the available iOS applications within the Web Console and iOS Agent | XenMobile Device Manager Server | Apple iTunes App Store (ax.itunes.apple.com) |
| 80 or 443 | XenMobile Device Manager Nexmo SMS Notification Relay outbound connection | XenMobile Device Manager Server | Nexmo SMS Relay server |
| 389 or 636 | LDAP/LDAPS connection from ZDM Server to Directory Service Host (Active Directory Global Catalog server or equivalent LDAP directory service host) | XenMobile Device Manager Server | LDAP / Active Directory Services |
| 443 | SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android and Windows Mobile) | Internet | XenMobile Device Manager Server |
| 443 | SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android and Windows Mobile), ZDM Web Console | Corporate LAN and Wi-Fi | XenMobile Device Manager Server |
| 1433 | Remote database server connection to separate SQL Server (optional) | XenMobile Device Manager Server | SQL Server |
| 2195 | Apple APNS (Push Notification Service) outbound connection to gateway.push.apple.com, used for iOS device notifications and device policy push | XenMobile Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8) |
| 2196 | Apple APNS (Push Notification Service) outbound connection to feedback.push.apple.com, used for iOS device notifications and device policy push | XenMobile Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8) |
| 5223 | Apple APNS (Push Notification Service) outbound connection from iOS devices connected via Wi-Fi network to *.push.apple.com | iOS device on Wi-Fi network | Internet (Apple APNS service) |
| 8443 | Over-the-Air (OTA) Enrollment for iOS Devices only | Internet; Corporate LAN and Wi-Fi | XenMobile Device Manager Server |
| App Tunnel Ports | Mobile App Tunnel Ports (Android and Windows Mobile) to destination internal Application Server via the ZDM Server (all ports are individually defined for each Mobile AppTunnel used by a Device through a ZDM Device Configuration Policy) | Internet | Application Server via XenMobile Device Manager Server |

Note 1: Corporate LAN traffic outbound to the DMZ and the Internet is assumed to be allowed.

PLEASE NOTE: When using Remote Support or Mobile App Tunnel (Android and Windows Mobile), the following traffic needs to be open at the firewall:

| TCP Port | Description | Source | Destination |
|---|---|---|---|
| 8081 | Remote Support Console default server inbound connection (depending on the Remote Support Tunnel definition) | Remote Support Console | XenMobile Device Manager Server |
| 80 or 443 | Remote Support Console access to ZDM to retrieve device list | Remote Support Console | XenMobile Device Manager Server |
| Tunnel port | Mobile Application Tunnel access to Application Server (port configured in the tunnel definition) | XenMobile Device Manager Server | Internal Application Server |
Load Balancing Configuration on NetScaler
This section covers the load balancing configuration required on the NetScaler for use with XenMobile. For links to other possible configurations, see the Additional Links section at the end of this document. The first step is to create the "Servers" entry in the load balancing section of the NS console. Add the name of the server and the internal IP address to which the NetScaler will route the traffic.
Create your "XenMobile Server" that you are load balancing:
After you have created the entry for the XenMobile server, create your services for the 3 major ports depicted in Diagram 1.2. The screenshots below incorporate the port number into the service name for easy reference. All three services point to the same server. The screenshots show only the tabs with information that has been edited.
Create our Services:
Here is the basic setup for the service on port 80.
Basic information for the port 80 monitor; all other tabs are left at their defaults:
Basic setup of the service for port 443:
Configure the monitor for port 443; all other tabs are left at their defaults:
Basic setup of the service for port 8443:
Configure the service for port 8443; all other tabs are left at their defaults:
The final step is to create the Virtual Servers using the Load Balancing Services and Server(s) configured previously. We have named each Virtual Server after its task in the port table above.
Configure your virtual servers:
For the enrollment Virtual Server (port 443), check the box next to the service that was set up for it. Then, on the "Method and Persistence" tab, set the method to "Least Connection" and the persistence to "SSLSESSION" with a timeout of 2 minutes. The IP address listed is the address reachable in the DMZ address space. This IP address is registered in DNS; verify that devices on the corporate LAN can also be routed to this virtual server.
Configure your XenMobile_Enroll (443) virtual server with your external/DMZ IP address:
Configure the Method and Persistence as before:
The same process is followed to create the Virtual Servers for ports 8443 and 80.
Configure 8443 (profiles for iOS) with the same external IP:
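The GUI walkthrough above, expressed as the equivalent NetScaler CLI batch: this is an added example, not part of the Citrix document, written as a POSIX shell generator so the commands can be reviewed before being loaded on the appliance. The service types (HTTP for 80, SSL_BRIDGE for 443 and 8443), the monitor definitions, the SOURCEIP fallback for the port 80 vserver, the addresses and every name other than XenMobile_Enroll are assumptions.

```shell
#!/bin/sh
# Added example: emits the NetScaler CLI batch mirroring the GUI steps above
# (server entry, three services with monitors, one LB vserver per port).
# Load the output on the appliance with:  batch -fileName /nsconfig/xdm_lb.txt
# XDM_IP, VIP and all names except XenMobile_Enroll are constructed placeholders.
XDM_NAME="XenMobile_Server"
XDM_IP="10.10.10.10"      # internal XDM address on the corporate LAN (placeholder)
VIP="192.0.2.10"          # DMZ-side VIP registered in DNS (placeholder)

# Service type per port: 80 is plain HTTP; 443 and 8443 are SSL_BRIDGE so the
# device's TLS session terminates on the XDM itself (assumption: no SSL offload).
svc_type() { [ "$1" = 80 ] && echo HTTP || echo SSL_BRIDGE; }

# Virtual server names: 443 follows the document; the other two are placeholders.
vs_name() {
  case "$1" in
    80)   echo XenMobile_HTTP ;;
    443)  echo XenMobile_Enroll ;;
    8443) echo XenMobile_iOS_Profiles ;;
  esac
}

# "Method and Persistence" tab: SSLSESSION with a 2 minute timeout. SSLSESSION
# is only valid on SSL-type vservers, so the HTTP vserver on port 80 uses
# SOURCEIP instead (assumption; the document does not state this).
persistence() {
  [ "$1" = 80 ] && echo "-persistenceType SOURCEIP -timeout 2" \
                || echo "-persistenceType SSLSESSION -timeout 2"
}

gen_config() {
  printf 'add server %s %s\n' "$XDM_NAME" "$XDM_IP"
  for p in 80 443 8443; do
    t=$(svc_type "$p")
    if [ "$p" = 80 ]; then   # HTTP health check on 80, plain TCP check on the SSL ports
      printf 'add lb monitor XDM_%s_mon HTTP -httpRequest "HEAD /" -respCode 200\n' "$p"
    else
      printf 'add lb monitor XDM_%s_mon TCP\n' "$p"
    fi
    printf 'add service XDM_%s %s %s %s\n' "$p" "$XDM_NAME" "$t" "$p"
    printf 'bind service XDM_%s -monitorName XDM_%s_mon\n' "$p" "$p"
    printf 'add lb vserver %s %s %s %s -lbMethod LEASTCONNECTION %s\n' \
      "$(vs_name "$p")" "$t" "$VIP" "$p" "$(persistence "$p")"
    printf 'bind lb vserver %s XDM_%s\n' "$(vs_name "$p")" "$p"
  done
}

gen_config
```

Only the three inbound ports from the flow diagram get a VIP; the XDM's own outbound connections (SQL, LDAP, APNS, SMTP) stay in the port table as firewall rules and are not load balanced.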
Conclusion
This completes the configuration for fronting the XenMobile MDM environment with NetScaler. Load balancing of all essential ports for the XenMobile server is complete.
Additional Links
Below is a list of additional links for other configurations:
Citrix XenMobile Solutions:
http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-page-con.html
XenMobile MDM eDocs:
http://support.citrix.com/proddocs/topic/cloudgateway/xmob-mdm-landing-page-con.html
Deploying Mobility Solutions Bundle Components:
http://support.citrix.com/proddocs/topic/clg-deployment/clg-deployment-cloudgateway-options-con.html
Key Contributors
Josh Fleming, Senior Systems Engineer Author
Jon Eugenio, Senior Systems Engineer Content Contributor and Reviewer
Florin Lazurca, Senior Architect Content Contributor