1
XenMobile App and Enterprise
Adolfo Montoya, Lead Support Readiness Specialist, July 2013
2
Document Management
Category: Tracking Information
Company: Citrix Systems, Inc.
Author(s): Adolfo Montoya
Owner(s): Worldwide Support Readiness
Last modified: 8/28/2013
Version: 1.0
Length: 5 hours
3
Agenda
- App vs. Enterprise
- Architectural overview
- End-user experience
- Deployment options
- Troubleshooting
4
XenMobile App and Enterprise Editions
5
App Edition
Use cases:
- Mobile application management
- Federated single sign-on
- Secure browsing
- Automated account provisioning (Workflow)
- Policy-based inter-app security
- App-specific microVPN
- Unified corporate app store
Client side: Worx Home, Receiver, WorxMail, WorxWeb
Server side: App Controller, NetScaler Gateway
6
App Edition architecture diagram (Internet / DMZ / LAN): Worx Home and Receiver clients connect, optionally through a NetScaler in the DMZ, to the XMA, which fronts ShareFile and XenApp/XenDesktop via SF/WI (StoreFront / Web Interface). XMA – XenMobile App Controller.
7
Enterprise Edition
Use cases:
- All MDM Edition use cases
- All App Edition use cases
- Secure document sharing, syncing & editing
Client side: Worx Enroll, Worx Home, WorxMail, WorxWeb, ShareFile, Receiver
Server side: MDM Server, NS Gateway, App Controller
8
Enterprise Edition architecture diagram (Internet / DMZ / LAN): Worx Enroll, Worx Home and Receiver clients connect through a NetScaler in the DMZ to XNC (XM NetScaler Connector) and XDM (XM Device Manager), with an optional XMA (App Controller), ShareFile, and XenApp/XenDesktop via SF/WI (StoreFront / Web Interface).
9
Feature Overview: MDM Edition, App Edition, Enterprise Edition
Features compared across the three editions (the slide's per-edition check marks are not reproduced here):
- Configure, secure & provision mobile devices
- One-click live chat & support
- Access SharePoint & network drives
- Secure mobile web browser
- App-specific micro VPN
- Secure mail, calendar and contacts app
- Enterprise-enable any mobile app
- Seamless Windows app integration
- Unified / self-service corporate app store
- Multi-factor single sign-on
- Secure document sharing, sync & editing
- Both cloud & on-premises data storage options
10
ShareFile Feature Comparison
Columns: Features | XM-MDM (SF-Standard*) | XM-App | XM-Enterprise (SF-Enterprise)
Rows (the slide's per-edition check marks are not reproduced here):
- Read access to File shares and SharePoint
- AD authentication
- Data encryption
- MDX-wrapped client
- ShareFile Enterprise Features: Worx Mail integration, Cloud and customer-managed StorageZones, Editing, Annotations, External Sharing, Windows and Mac Sync, Outlook plug-in, Web-browser access from Sharefile.com, time-expiry, Request file, FTP access, usage reporting
*Note: ShareFile Standard is not a standalone product. The name is used to describe the ShareFile features included in the MDM and App editions.
11
Citrix Mobility Product Line
XenMobile MDM Edition (Cloud or On-premise): XM Device Manager, XM NetScaler Connector, ShareFile Standard, GoToAssist Integration
XenMobile App Edition (Formerly CloudGateway): XM App Controller 2.8, NetScaler Gateway 10.1, StoreFront 2.0 (optional), ShareFile Standard
XenMobile Enterprise Edition (Integrated Solution): XM MDM Edition, XM App Edition, ShareFile Enterprise (Cloud or On-premise), GoToAssist Integration
12
XenMobile App Controller
Review
13
What is App Controller?
- Virtual VM running a Linux OS
- Supported on: XenServer 5.6 FP1 or later, Hyper-V 2012, VMware ESX 4.x or later
- Provides access to: Web/SaaS, Intranet sites, MDX-wrapped apps, Public store links, ShareFile
- Supports High Availability (Active/Passive)
- Supports Clustering (Active/Active)
Notes: The Receiver for Web site is the site hosted on Citrix StoreFront that lets users access applications from XenApp, XenDesktop or AppController through a web browser. It holds no delivery controller information such as XML brokers, XML port numbers or Transport Types. The Beacons technology, which identifies whether the workstation is inside or outside the local network (LAN), does not apply to Receiver for Web; it applies only to Stores.
14
What is App Controller?
- Supports remote access: NetScaler Gateway 10.1*
- Supports Windows apps access: StoreFront 1.2 or 2.0, Web Interface 5.4 (IIS), VDI-in-a-Box 5.3
- System requirements: 2 vCPU, 4 GB of RAM
- Scalability: 10,000 concurrent users per App Controller
*NetScaler Gateway 10.0 is not compatible with App Controller 2.8
15
Receiver for Web vs. Store
Receiver for Web = Web-browser site
- Built-in site: /Citrix/StoreWeb
- Beacons are not applicable
- Provides a Provisioning File (e.g. ReceiverConfig.cr)
16
Receiver for Web vs. Store
Store = Services site
- Built-in store: /Citrix/Store
- Beacons are applicable
- Windows / Mac: Receiver for Windows 3.4+, Receiver for Mac 11.7+
- iOS / Android: Receiver for iOS 5.7+, Receiver for Android 3.3+, Worx Home 8.5
Notes: Citrix Receiver 3.1 or later (Enterprise) is not supported for access to StoreFront Services 'stores'. External access for Legacy PNAgent is not supported for clientless VPN using Citrix Receiver 3.1 (Standard).
17
Account Management: SAML and FormFill Connectors
Security Assertion Markup Language (SAML)
- Used for Web applications that support the SAML protocol for SSO and user account management
- AppController verifies the identity, creates an assertion (token) and forwards it to the service provider (the SAML application)
- AppController supports both SAML 1.0 (Identity Provider) and SAML 2.0 (Service Provider)
FormFill
- SSO connector type in which AppController fills in a form with the user's credentials on the user's behalf
- AppController pushes the form to the user's browser with a redirect to the application
- The application returns the post-login session to the user's browser
Note: When choosing a connector, weigh simplicity (ease of setup) against security. If the application supports the SAML protocol and security is most important, use the SAML connector. If the application does not support the SAML protocol and simplicity is most important, use the FormFill connector.
18
Web/SaaS App Launch (Form-fill)
Communication Flow (packets captured on the slide; URLs that did not survive extraction are left blank)

1. The client device with Citrix Receiver sends a POST message to AppController to launch the LinkedIn app. Specifically, it asks for /webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1

    POST HTTP/1.1
    User-Agent: CitrixReceiver Windows/6.1 SelfService/ (Release)
    Accept: */*
    Authorization: CitrixAuth 3AE8D47E126821ED E59A65E78F0745D0F194A23A4675B4EEBFB58
    Content-Type: <no type>
    Host: appc25lb.amc.ctx
    Content-Length: 92
    Expect: 100-continue
    Accept-Encoding: gzip, deflate

2. AppController returns a websso.do token so the client can request SSO credentials for the web app, i.e. webssouser/websso.do?action=authenticateUser&app=LinkedIn&reqtype=1&tok=uzgzuqVP11cmZ5HBGZICxbbogaOc2SJmhNJC3ufSkh59bCyHp48N671c5DdXjM8rnFRf0WXa3S72jwAyqw9ktYloqo9zY7Q9Dverh2p9Im1RGpeVLb520gggseFebkeC

   A text/plain response from AppController is also captured on the slide:

    HTTP/ OK
    Connection: Keep-Alive
    Content-Type: text/plain; charset="utf-8"
    Content-Length: 225

3. (not shown on slide) The client device sends a POST message to AppController to ensure the app is available. If everything is OK, AppController replies with:

    <?xml version="1.0" encoding="UTF-8"?> <sessionState enumeration="full"></sessionState>

4. Next, the client device sends a GET request with the token supplied by AppController to request the SSO credentials for LinkedIn (assuming the credentials were supplied to AppController previously):

    GET HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Accept-Encoding: gzip, deflate
    Host: appc25lb.amc.ctx
    Connection: Keep-Alive

5. AppController responds with a session cookie (Set-Cookie: OCAJSESSIONID=F AE D97FC21124FB6B; Path=/; HttpOnly; Secure) and with the HTML form the client device needs to post to LinkedIn to log in:

    HTTP/ OK
    Connection: close
    Content-Type: text/html;charset=utf-8
    Server: Apache-Coyote/1.1
    Date: Sat, 02 Feb :35:11 GMT
    Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate
    Set-Cookie: OCAJSESSIONID=F AE D97FC21124FB6B; Path=/; HttpOnly; Secure
    Content-Length: 1954

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
    <html xmlns="
    <head>
    <link href="/webssouser/WebSSOStyleSheet.css" rel="stylesheet" type="text/css" />
    <title>AppController</title>
    <script type="text/javascript" src="/webssouser/js/util.js"></script>
    <script type="text/javascript">
      var path = '/webssouser/FormSubmitHelp.jsp?app=LinkedIn';
      var width = screen.width;
      var height = screen.height;
      helpWindow(path,width,height);
    </script>
    <script language="javascript">
      var captchaObj = 'null';
      function callFunction(){
        if(captchaObj==null||captchaObj=='null'||captchaObj==''){
          document["loginForm"].submit();
        }
      }
      function enter1(e){
        if((window.Event ? e.which : e.keyCode) == 13) {
          subFunction();
        }
      }
      function subFunction(){
        var captchaName = 'null';
        var captchaValue = document.getElementById(captchaName+'_id').value;
        if(captchaValue==null || captchaValue == ''){
          alert('Enter security code')
          document.getElementById(captchaName+'_id').focus()
          return false;
        }else{
          document.loginForm.submit();
        }
      }
      function reloadWindow(){
        window.reloadWindow();
      }
    </script>
    </head>
    <body onload="callFunction()">
    <form name="loginForm" action=" method="post" onsubmit="return false;">
      <input type="hidden" name="signin" value="Sign%20In"/>
      <input type="hidden" name="source_app" value=""/>
      <input type="hidden" name="sourceAlias" value="0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi"/>
      <input type="hidden" name="csrfToken" value="ajax%3A "/>
      <input type="hidden" name="session_redirect" value=""/>
      <input type="hidden" name="session_password" value="password123"/>
      <input type="hidden" name="session_key"
    </form>
    </body>
    </html>

6. (not shown on slide) The client device revalidates the authentication token to ensure the user is still logged in and allowed to launch the app (GET HTTP/1.1). AppController responds with the following packet:

    <dsclm:claimsPrincipal xmlns:dsclm=" authMethod="Citrix Common Forms 1.0" isAuthenticated="true" name="amontoya"></dsclm:identity>
    <dsclm:claims>
    <dsclm:claim original="32a290eb-7521-cd c3a239" issuer="32a290eb-7521-cd c3a239" valueType="string" value="S " type="
    original="32a290eb-7521-cd c3a239" issuer="32a290eb-7521-cd c3a239" valueType="string" value="amontoya" type="uri:citrix.deliveryservices.claim.directoryproperties">
    <dsclm:properties><dsclm:property value="adolfo montoya" name="displayName"></dsclm:property></dsclm:properties>
    </dsclm:claim></dsclm:claims></dsclm:claimsPrincipal>

7. The client device makes an internal call to open the default browser (Internet Explorer, for example) and sends a POST to the LinkedIn site:

    POST HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Referer:
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Host:
    Content-Length: 209
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: leo_auth_token="LIM: :a:21600: :bff46f2a f76ef fcc5d9b84"; visit="v=1&M"; bcookie="v=2&8280d152-ee3e-4b89-ae16-36bc18b56010"; _lipt="0_3SPdwJCAKEKd6iCDOMqnm3hkMlAr8DnGO4OSvk4m_QZsEKzgwUR9t9ELn6m4N4Y03pxdt35wH7GKJ6mDq2vDIuge9cKi3Y9_neZgk2I89FU7KnIaTmlDicpapZRkxI53xpa85u_QkEezSUi7aPbw1oNqcLSLbsFwn4TJ_JSerq-84wECaZ-kU-f63-1lTfgSGFnDGhexnbvrJsRruQzH3VRfJxed6Yk8hgXfL97whxyOc_wzDJLprA8kYZZ8PIYEiAFJkbbhBKxM3Hqri3mTA-"; __qca=P

8. The user is presented with the LinkedIn portal.
19
Authentication System – Basics
Diagram components: App Controller, Store Services, Auth Service, Active Directory, and the resources behind the store (Windows Apps, Web, SaaS…). A Trust relationship exists between Store Services and the Auth Service.
Exchange shown on the diagram, in the order it runs:
- Client -> Store: "App Enumeration"
- Store -> Client: "Denied (…)"
- Client -> Store: "Give me a token for Store"
- Store -> Client: "Denied (talk to Auth)"
- Client -> Auth: "Give me a token for Auth"
- Auth -> Client: "How do you want to login?"
- Client -> Auth: "Login using 'Generic Forms'"
- Auth -> Client: "Fill in this form"
- Client -> Auth: "Username=… Password=…." (validated against Active Directory)
- Auth -> Client: "Here is a Token for Auth"
- Client -> Store: "Give me a token for Store"
- Store -> Client: "Here is a Token for Store"
- Client -> Store: "App Enumeration" (Windows Apps, Web, SaaS…)
Notes:
- Foundation for "always on" SmartAccess: the claims-based approach covers "who you are", "where you are", "what device you're using" etc. as input into policy decisions regarding access rights
- Foundation for CloudGateway, BYOID: link external BYO identities to corporate identities (AD or lightweight non-AD accounts); authenticate/federate in to a corporate identity, apply access policies, federate out to SaaS etc.
- Foundation for mixed on-premise and cloud hosting: corporate authentication and access policies are kept on premise; cloud-hosted apps trust the corporate auth / policy hub
20
NetScaler Gateway Single Sign-on
- NetScaler Gateway Single Sign-on (SSO), or callback, is used by StoreFront or App Controller to request the user credentials from NetScaler Gateway
- The Callback URL requires a secure connection (HTTPS) back to the AG virtual server that authenticated the user (most cases)
- The Callback URL can be another AG virtual server on the same AG VPX/MPX
- Example: (case sensitive)
21
Before AG SSO happens…
- StoreFront Services or App Controller must trust the incoming Gateway communication
- However, StoreFront and App Controller differ in what they check from NetScaler Gateway
Example: StoreFront checks three different parameters inside the HTTP header:
- X-Citrix-Via: contains the AG FQDN the end-user entered in their web browser or Receiver (e.g. X-Citrix-Via: ag.example.com)
- X-Forwarded-For: contains the SNIP/MIP of Access Gateway (e.g. X-Forwarded-For: )
- Remote Address: contains the client IP address. Most of the time this value is never used by StoreFront
22
Before AG SSO happens…
- App Controller instead expects the AG header (e.g. X-Citrix-Via: ag.example.com) from NetScaler Gateway
- App Controller has no method to check the SNIP/MIP address
Example: App Controller checks one parameter inside the HTTP header:
- X-Citrix-Via: contains the AG FQDN the end-user entered in their web browser or Receiver (e.g. X-Citrix-Via: ag.example.com)
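The two trust checks described on these slides, modelled as an added example (not Citrix code, and not how either product is implemented internally); the gateway name ag.example.com and the SNIP/MIP address are constructed.

```python
"""Gateway-trust check modelled on the slides: StoreFront validates
X-Citrix-Via and X-Forwarded-For (Remote Address is usually unused),
while App Controller validates X-Citrix-Via only. Added example, not
Citrix code; gateway names and addresses are constructed."""
from ipaddress import ip_address

# Constructed: gateways an administrator has configured, keyed by the AG
# FQDN users type, with the SNIP/MIP the gateway uses toward the back end.
TRUSTED_GATEWAYS = {
    "ag.example.com": {"snip": "10.0.1.5"},
}


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {name.lower(): value for name, value in headers.items()}


def storefront_trusts(headers, remote_addr):
    """Return (trusted, reason) the way the slide describes StoreFront:
    X-Citrix-Via must name a configured gateway and X-Forwarded-For must
    be that gateway's SNIP/MIP; remote_addr is only recorded."""
    h = _lower_keys(headers)
    via = h.get("x-citrix-via", "").strip().lower()
    gw = TRUSTED_GATEWAYS.get(via)
    if gw is None:
        return False, "X-Citrix-Via missing or not a configured gateway"
    xff = h.get("x-forwarded-for", "").strip()
    try:
        if ip_address(xff) != ip_address(gw["snip"]):
            return False, "X-Forwarded-For is not the gateway SNIP/MIP"
    except ValueError:
        return False, "X-Forwarded-For is missing or not an IP address"
    return True, "trusted gateway %s (client %s)" % (via, remote_addr)


def appcontroller_trusts(headers):
    """App Controller checks only X-Citrix-Via; it has no way to verify the
    SNIP/MIP, so this check is weaker than the StoreFront one above."""
    h = _lower_keys(headers)
    via = h.get("x-citrix-via", "").strip().lower()
    if via in TRUSTED_GATEWAYS:
        return True, "trusted gateway %s" % via
    return False, "X-Citrix-Via missing or not a configured gateway"
```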
23
What to check? App Controller
- Ensure the External URL matches the AG URL users will enter in their web browsers or Receiver
- The Callback URL needs to resolve back to the AG that authenticated the end-user
24
Account Management: Automatic Provisioning (Active Directory)
Diagram: Active Directory (Sync / Auth) <-> AppController -> Create Users on the application; AppController also logs to reporting systems. Questions raised on the diagram: What privilege on the application? Any app-specific security rules? Additional approvals required before creating the account?
Identity-based provisioning
- Provision and deliver apps and data based on user and user role
- Automatically provision new users and de-provision terminated users, leveraging standard in-house directory management processes
- Automated workflows allow quick, easy user account creation, installation, updates and deletion for all apps, using existing directories and security mechanisms
- Ensure only authorized users have accounts for 3rd-party SaaS apps
- Provide single sign-on to SaaS apps so users never have to know their usernames and passwords
- Reduce help desk calls, since users no longer have to remember passwords
Notes:
- AppC synchronizes with AD and automatically picks up new users added to groups
- Minimum 15-minute sync interval (configurable), or manual sync
- Automatic provisioning of the apps associated with your role
- De-provisions users as well
25
Account Management Configure Automatic Provisioning
26
App Controller HA connections
Diagram: Mobile Apps and Web & SaaS Apps (Worx Home, ShareFile data) reach the Active App Controller over HTTPS 443 (AppC VIP); TCP 9736 runs between the Active and Standby App Controllers.
Notes: Simple typical topology with a pair of NetScalers in HA mode, connecting to a StoreFront Server Group; the StoreFront members could connect to a back-end XenApp/XenDesktop infrastructure for apps/desktops, a SQL database for app subscription information, and AppController device(s) for Web/SaaS apps.
Note: From the scalability standpoint, there is no hard-coded limit on the number of servers that can be members of a Server Group in StoreFront.
27
App Controller HA
- Define Role Preference: Primary / Secondary
- Define VIP, Peer IP and Shared Key: IP address for the VIP; IP address of the secondary AppController; the shared key both App Controllers use to trust each other
- Enable/Disable Appliance Failover
- Show current status of Appliance Failover
Notes: Appliance failover settings can only be configured via the console, not via /ControlPoint. You must have two AppControllers to set up Appliance Failover.
28
Considerations
- App Controller in appliance failover does not require a load balancer (e.g. NetScaler)
- App Controller synchronizes the following information: user passwords database; Web/SaaS/Mobile/ShareFile information; devices; workflows; SSL certificates
- Once appliance failover occurs, the new active App Controller sends an ARP broadcast updating the MAC address of the VIP
29
App Controller Device Registration
What is it?
- A requirement to have more control over 'Apps' deployed to mobile devices
- Receiver needs to communicate with App Controller either directly or through NetScaler Gateway
- Receiver 'checks in' to the App Controller when it starts
- Management functions are: Device Registration, Device Lock or Wipe, Device Update
30
DMS – Device Management Service
- Runs on App Controller and processes requests from Receiver clients
- Upon a successful registration, it returns a Device ID which Receiver uses in subsequent requests
31
Workflows
What is it?
- Workflow is also known as "Application Provisioning"
- End-users request app access from their direct manager or an 'approver'
- App Controller contacts the employee's manager or approver via email
- Workflows can be applied to: Web/SaaS apps; iOS/Android mobile apps
- It only works with Citrix Receiver connections to a store
Receiver log lines shown on the slide:
    16:40: ctx_find_ag_type: AG connect.citrix.com returned status code 302
    16:40: This client is accessing enterprise edition gateway (AGEE).
    16:40: html_version= , ns_version=
32
Mail server configuration is required
SMTP port 25
33
Mail server configuration is required
SMTP port 25
34
Manager vs. Approvers
Two ways to support approvals:
- Send to the employee's manager (up to 3 levels)
- Send to an approver
If manager approval is selected, make sure the employee's manager is defined in Active Directory. Additional approvers can be anyone from Active Directory.
35
Workflow approvals via Email
How does it work? Employee
36
Workflow approvals via Email
How does it work? Manager
37
Workflow approvals via Email
How does it work? Employee
38
Receiver for Windows 3.3 vs. 3.4+
Receiver for Windows 3.3 shows the Request option next to the app, whereas version 3.4 pops up a window asking the user to Send Request for approval.
39
Considerations
- Workflow requests to Managers / Approvers may take approximately 1-15 minutes
- Not supported via Receiver for Web sites
- If one of the Managers or Approvers does not accept (or respond to) the app request, the end-user cannot subscribe to the app
- Preferably use the latest Citrix Receivers (mobile or desktop): Receiver for Windows 3.4 or later; Receiver for Mac 11.7 or later; Receiver for iOS or later; Receiver for Android 3.3 or later
Note: AppController has a queuing system that reads requests at 15-minute intervals.
40
XenMobile App Controller
Version 2.8
41
What's New?
- Integration with XenMobile MDM server
- Integration with GoToAssist
- Integration with StoreFront
- Integration with NetScaler Gateway 10.1
- Worx Store Branding
- End-user experience
42
Remote Access Scenarios (NetScaler Gateway 10.1)
43
NG + App Controller only
- Ideal for Enterprise customers that want application management
- Customers create an Enterprise MDX-app store
- Clientless access (CVPN) is required
- NetScaler Gateway needs Universal Licenses
NG + AppController + MDM
- Ideal for Enterprise customers that want application and device management
- Customers create an Enterprise MDX-app store
- Clientless access (CVPN) is required
- NetScaler Gateway needs Universal Licenses
NG + App Controller + MDM + StoreFront
- Ideal for Enterprise customers that want application and device management, plus a unified store
- Clientless access (CVPN) is required
- NetScaler Gateway needs Universal Licenses
Notes: There are essentially three scenarios in which customers can configure and deploy CloudGateway with NetScaler Access Gateway. Each scenario has its own configuration of Session Policies and Clientless Access.
44
Mobile Platforms
Worx Home for iOS / Worx Home for Android
45
Remote Access iOS
Worx Home for iOS includes the following header info:
- User-Agent = CitrixReceiver VpnCapable (for MicroVPN)
- X-Citrix-Gateway:
Captured logon request:
    POST /cgi/login HTTP/1.1
    Host: agdara.amc.ctx
    X-Citrix-Gateway:
    User-Agent: CitrixReceiver/com.zenprise.zpmdmbeta iOS/8.5.0 (build ) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-us
    CONTENT_LENGTH: 28
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 28
    Connection: keep-alive
    CONTENT_TYPE: application/x-www-form-urlencoded
Notes: Citrix Receiver for Android and iOS are the only Mobile Receivers on the CloudGateway 2.0+ release that support both HTTP header values. On the right-hand side, an HTTP header value from Citrix Receiver for iOS.
46
Remote Access iOS
The Worx Home name is included in other parts of the communication:
    GET /vpn/index.html HTTP/1.1
    Host: agdara.amc.ctx
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: Worx%20Home/ CFNetwork/ Darwin/13.0.0
    Accept-Language: en-us
    Accept: */*
47
Remote Access Android
Worx Home for Android includes the following header info:
- User-Agent = CitrixReceiver VpnCapable (for MicroVPN)
- X-Citrix-Gateway:
- No Worx Home name in the User-Agent!
Captured logon request:
    POST /cgi/login HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: en-US, en
    User-Agent: CitrixReceiver/1.0 Android/4.3 JWR66V VpnCapable
    Cookie: pwcount=0;
    X-Citrix-Gateway:
    Content-Length: 28
    Host: agdara.amc.ctx
    Connection: Keep-Alive
    Accept-Encoding: gzip
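A small parser for the iOS and Android requests shown on the three Worx Home slides above, reporting the header facts the slides call out; this is an added example (not Citrix code), the captures are abridged from the slides, and the X-Citrix-Gateway value, which the slides leave blank, is a constructed one.

```python
"""Parse the /cgi/login and /vpn/index.html requests from the Worx Home
slides and report what the slides say a gateway can see: VpnCapable in the
User-Agent (MicroVPN), the X-Citrix-Gateway header, and the Worx%20Home
name that only appears on the iOS /vpn/index.html request. Added example,
not Citrix code; captures abridged from the slides, X-Citrix-Gateway value
constructed."""

IOS_LOGIN = """POST /cgi/login HTTP/1.1
Host: agdara.amc.ctx
X-Citrix-Gateway: agdara.amc.ctx
User-Agent: CitrixReceiver/com.zenprise.zpmdmbeta iOS/8.5.0 (build ) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Connection: keep-alive
"""

IOS_INDEX = """GET /vpn/index.html HTTP/1.1
Host: agdara.amc.ctx
Connection: keep-alive
User-Agent: Worx%20Home/ CFNetwork/ Darwin/13.0.0
Accept: */*
"""

ANDROID_LOGIN = """POST /cgi/login HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: CitrixReceiver/1.0 Android/4.3 JWR66V VpnCapable
Cookie: pwcount=0;
X-Citrix-Gateway: agdara.amc.ctx
Content-Length: 28
Host: agdara.amc.ctx
Connection: Keep-Alive
"""


def parse_request(raw):
    """Return (method, path, headers); header names are lower-cased because
    HTTP treats them case-insensitively."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def describe_client(raw):
    """Summarise what the gateway can learn about the client from one request."""
    method, path, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    if "Android" in ua:
        platform = "android"
    elif "iOS" in ua or "Darwin" in ua:
        platform = "ios"
    else:
        platform = "unknown"
    return {
        "request": "%s %s" % (method, path),
        "platform": platform,
        "citrix_client": ua.startswith("CitrixReceiver") or "Worx" in ua,
        "micro_vpn_capable": "VpnCapable" in ua,       # needed for MicroVPN
        "gateway_header": "x-citrix-gateway" in headers,
        "worx_home_named": "Worx%20Home" in ua,        # iOS only, per the slides
    }


def micro_vpn_logon(raw):
    """True when a logon request carries both header values the slides say
    Worx Home sends: VpnCapable in User-Agent and an X-Citrix-Gateway header."""
    info = describe_client(raw)
    return info["micro_vpn_capable"] and info["gateway_header"]
```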
48
Worx Home vs. Receiver
Features compared for Worx Home / Enroll and Receiver (the slide's per-client check marks are not reproduced here): MDM Registration; AppC Registration; GoToAssist remote support; Provisioning File-based account discovery; MDX apps access; HDX apps access; Secure Browse support; MicroVPN support
49
Remote Access: How do I configure my mobile client?
Mobile Receivers can be configured by Email-based Account discovery, Provisioning File-based Account discovery, or the NetScaler Gateway FQDN (the slide's per-client check marks are not reproduced here).
Clients: Worx Home 8.5 (iOS/Android), iOS 5.8, Android 3.4, Win8/RT 1.3
50
Deployment Modes
Types of deployment:
- Local connections only
- Local and remote connections via NetScaler Gateway
- StoreFront integration may be used in some scenarios
Note: The Worx Home client is unable to communicate with a StoreFront store.
51
XenMobile Deployments
NG + AppController only. Diagram: Internet -> NetScaler Gateway (DMZ) -> App Controller (LAN).
52
Remote Access: AppController Configuration – Define Deployment
- Enable = Yes
- Display name
- Callback URL =
- External URL =
- Logon type: Domain only / Security token only / Domain and security token
Important: For the callback URL, you only need to enter the FQDN of Access Gateway without the Authentication Service path (e.g. /CitrixAuthService/AuthService.asmx); AppController automatically appends the path once you click Save. The callback URL may differ from the External URL because AppController sits on the LAN: in some cases AppController will not be able to contact the Access Gateway external FQDN, so you need to create a 'dummy' internal Access Gateway vserver that AppController can contact to perform Single Sign-on. Note: the 'dummy' vserver needs no configuration beyond a Server Certificate bound to it.
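The callback and External URL rules from this slide and the earlier "What to check?" slide, written as a pre-Save validation an administrator could run; this is an added example (not Citrix code), and the hostnames ag.example.com / ag-int.example.com are constructed.

```python
"""Validate the Callback URL / External URL pair for an App Controller
deployment following the rules on the slides: the callback must be HTTPS,
App Controller appends /CitrixAuthService/AuthService.asmx when only the
gateway FQDN is entered, and the External URL must match the AG FQDN users
type. Added example, not Citrix code; hostnames are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Path App Controller appends to the callback FQDN on Save (from the slide).
AUTH_SERVICE_PATH = "/CitrixAuthService/AuthService.asmx"


def normalize_callback_url(callback_url):
    """Return the callback URL as it will be stored: HTTPS scheme, gateway
    host, and the Authentication Service path appended when absent."""
    if "://" not in callback_url:
        callback_url = "https://" + callback_url  # operator typed the FQDN only
    parts = urlsplit(callback_url)
    if parts.scheme != "https":
        raise ValueError("callback must use HTTPS")
    if not parts.hostname:
        raise ValueError("callback has no host")
    path = parts.path.rstrip("/")
    if path.lower() != AUTH_SERVICE_PATH.lower():
        if path:
            raise ValueError("enter the gateway FQDN only, not %r" % path)
        path = AUTH_SERVICE_PATH
    return urlunsplit(("https", parts.netloc, path, "", ""))


def check_deployment(external_url, callback_url, user_entered_fqdn):
    """Return a list of (level, message) findings; an empty list means the
    settings are consistent with the slides. A callback host that differs
    from the External URL is allowed (internal 'dummy' vserver), so it is
    reported as 'info' rather than 'error'."""
    findings = []
    ext = urlsplit(external_url)
    ext_host = (ext.hostname or "").lower()
    if ext.scheme != "https":
        findings.append(("error", "External URL must use HTTPS"))
    if ext_host != user_entered_fqdn.lower():
        findings.append(("error", "External URL host does not match the FQDN users enter"))
    try:
        cb_host = (urlsplit(normalize_callback_url(callback_url)).hostname or "").lower()
    except ValueError as exc:
        findings.append(("error", "Callback URL: %s" % exc))
        return findings
    if cb_host != ext_host:
        findings.append(("info", "Callback host %s differs from the External URL; it must "
                                 "be the AG that authenticated the user or an internal "
                                 "('dummy') vserver on the same AG with a server "
                                 "certificate bound" % cb_host))
    return findings
```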
53
Remote Access Simplified Wizard Two ways to initiate the wizard
NetScaler Gateway > Enterprise Store
54
Remote Access Simplified Wizard Two ways to initiate the wizard
Deployment type > NetScaler Gateway* *Assuming you don’t have any virtual servers
55
Remote Access Simplified Wizard Two ways to initiate the wizard
Deployment type > NetScaler Gateway
56
Remote Access Simplified Wizard Select XenMobile
Enter App Controller FQDN
57
What gets created? Simplified Wizard
Virtual Server: name, IP address, Mode = SmartAccess
58
What gets created? Simplified Wizard SSL certificate
59
What gets created? Simplified Wizard LDAP authentication policy
60
What gets created? Simplified Wizard
Three session policies bound to the virtual server:
- Receiver connections
- Receiver for Web connections
- Access Gateway Plug-in connections
61
What gets created? Simplified Wizard Native Receiver connection policy
62
What gets created? Simplified Wizard
Native Receiver connection profile:
- Split Tunnel = OFF
- Session Time-out (mins) = 1440 (1 day)
- Clientless Access = ON
- Clientless Access URL Encoding = Clear
- Single Sign-on to Web Applications = checked
63
What gets created? Simplified Wizard
Native Receiver connection profile:
- ICA Proxy = OFF
- Web Interface Address =
- Single Sign-on Domain = domain (needs to be defined manually if you don't want UPN auth)
- Account Services Address =
64
What gets created? Simplified Wizard
Receiver for Web connection policy
65
What gets created? Simplified Wizard
Receiver for Web connection profile:
- Home Page =
- Clientless Access = ON
- Plug-in Type = Java
- Single Sign-on to Web Applications = checked
66
What gets created? Simplified Wizard
Receiver for Web connection profile:
- ICA Proxy = OFF
- Web Interface Address =
- Single Sign-on Domain = domain (needs to be defined manually if you don't want UPN auth)
67
What gets created? Simplified Wizard
Access Gateway Plug-in connection policy
68
What gets created? Simplified Wizard
Access Gateway Plug-in connection profile:
- Home Page =
- Split Tunnel = OFF
- Clientless Access = Allow
- Clientless Access URL Encoding = Clear
- Plug-in Type = Windows/Mac OS X
- Single Sign-on to Web Applications = checked
69
What gets created? Simplified Wizard
Access Gateway Plug-in connection profile:
- ICA Proxy = OFF
- Web Interface Address =
- Single Sign-on Domain = domain (needs to be defined manually if you don't want UPN auth)
- Account Services Address =
70
What gets created? Simplified Wizard
Two clientless access policies get created:
- Receiver connections
- Anything else (i.e. Receiver connections, Receiver for Web)
71
What gets created? Simplified Wizard
Receiver connections clientless access policy
72
What gets created? Simplified Wizard Rewrite tab Nothing selected
73
What gets created? Simplified Wizard Finding URLs tab Nothing selected
74
What gets created? Simplified Wizard Client Cookies tab
Nothing selected
75
What gets created? Simplified Wizard
Receiver for Web connections clientless access policy
76
What gets created? Simplified Wizard Rewrite tab
URL Rewrite = ns_cvpn_default_inet_url_label
77
What gets created? Simplified Wizard Finding URLs tab Nothing selected
78
What gets created? Simplified Wizard Client Cookies tab
Cookies created
79
What gets created? Simplified Wizard
Pattern set for App Controller cookies:
- CsrfToken = index 1
- ASP.NET_SessionId = index 2
- CtxsPluginAssistantState = index 3
- CtxsAuthId = index 4
80
What gets created? Simplified Wizard
Secure Ticket Authority defined for WorxMail
81
What gets created? Simplified Wizard Clientless Access domains defined
Allowed Domains App Controller FQDN
82
What gets created? Simplified Wizard
Finally, AppController URL binding at the AG virtual server level (not Global!)
83
What gets created? Simplified Wizard
Finally, AppController URL binding at the AG virtual server level (not Global!)
84
XenMobile Deployments
NG + AppController + MDM. Diagram: Internet -> NetScaler Gateway (DMZ) -> XM Device Manager and App Controller (LAN).
85
Remote Access: XDM Configuration
Define App Controller Webservice configuration:
- Host Name = IP address or FQDN
- Shared Key = alphanumeric value (e.g. Citrix or Citrix1234)
- Enable App Controller = checked
86
Remote Access: AppController Configuration – Define Deployment
- Enable = Yes
- Display name
- Callback URL =
- External URL =
- Logon type: Domain only / Security token only / Domain and security token
87
Remote Access: AppController Configuration
Define XenMobile Configuration:
- Host = XDM FQDN
- Port = 80 or 443
- Shared Key = alphanumeric value (e.g. Citrix or citrix123)
- Instance Path = /zdm (default)
- Allow secure access = Yes/No
- Require Device Manager Enrollment = Yes/No
88
XenMobile Deployments
NG + AppController + MDM + StoreFront (A)
(Diagram: NetScaler Gateway, XM Device Manager, App Controller and StoreFront 2.0 laid out across the Internet, DMZ and LAN zones)
89
Remote Access XDM Configuration
Define App Controller Webservice configuration
Host Name = IP address or FQDN
Shared Key = alphanumeric value, e.g. Citrix or Citrix1234
Enable App Controller = checked
90
Remote Access AppController Configuration Define Deployment
Enable = Yes
Display name
Callback URL =
External URL =
Logon type = Domain only / Security token only / Domain and security token
91
Remote Access AppController Configuration
Define XenMobile Configuration
Host = XDM FQDN
Port = 80 or 443
Shared Key = alphanumeric value, e.g. Citrix or citrix123
Instance Path = /zdm (default)
Allow secure access = Yes/No
Require Device Manager Enrollment = Yes/No
92
Remote Access AppController Configuration Define Windows Apps
Host = StoreFront FQDN
Port = 80 or 443
Relative Path = /Citrix/<StoreName>/PNAgent/config.xml
Allow secure access = Yes/No
93
Remote Access StoreFront Configuration Define NetScaler Gateway
Display Name
NetScaler Gateway URL = External Gateway URL
Version = 10.0 (build 69.4) or later / 9.x / 5.x
Subnet IP address = (optional)
Logon Type = Domain / Security Token / Domain and Security Token / SMS authentication / Smart card
Callback URL = External Gateway URL
94
Remote Access StoreFront Configuration
Define Secure Ticket Authority (STA): XenApp, XenDesktop
95
Remote Access StoreFront Configuration
Enable Remote Access to the store No VPN tunnel Full VPN tunnel
96
Remote Access NetScaler Configuration
Define Secure Ticket Authority (STA): XenApp, XenDesktop
97
Remote Access NG + AppController + MDM + StoreFront Pros Cons
Pros
- Single NetScaler Gateway VIP
- Single store access
Cons
- Follow-me apps do not work on Worx Home (mobile devices)
- Follow-me apps for Windows do not work (desktop platforms)
98
XenMobile Deployments
NG + AppController + MDM + StoreFront (B)
(Diagram: Receiver (Win/Mac) and WorxHome (iOS/Android) clients on the Internet, NetScaler Gateway in the DMZ, StoreFront 2.0, XM Device Manager and App Controller on the LAN)
99
Remote Access XDM Configuration
Define App Controller Webservice configuration
Host Name = IP address or FQDN
Shared Key = alphanumeric value, e.g. Citrix or Citrix1234
Enable App Controller = checked
100
Remote Access AppController Configuration
Define Deployment (NetScaler)
Enable = Yes
Display name
Callback URL =
External URL =
Logon type = Domain only / Security token only / Domain and security token
101
Remote Access AppController Configuration
Define Deployment (StoreFront)
Enable = Yes
Authentication Server = OFF
Web address =
102
Remote Access AppController Configuration
Define XenMobile Configuration
Host = XDM FQDN
Port = 80 or 443
Shared Key = alphanumeric value, e.g. Citrix or citrix123
Instance Path = /zdm (default)
Allow secure access = Yes/No
Require Device Manager Enrollment = Yes/No
103
Remote Access AppController Configuration Define Windows Apps
Host = StoreFront FQDN
Port = 80 or 443
Relative Path = /Citrix/<StoreName>/PNAgent/config.xml
Allow secure access = Yes/No
104
Remote Access StoreFront Configuration Define Delivery Controller
Display Name
Type = AppController
Server = AppC FQDN
Port = 443
105
Remote Access StoreFront Configuration Define NetScaler Gateway
Display Name
NetScaler Gateway URL = External Gateway URL
Version = 10.0 (build 69.4) or later / 9.x / 5.x
Subnet IP address = (optional)
Logon Type = Domain / Security Token / Domain and Security Token / SMS authentication / Smart card
Callback URL = External Gateway URL
106
Remote Access StoreFront Configuration
Define Secure Ticket Authority (STA): XenApp, XenDesktop
107
Remote Access StoreFront Configuration
Enable Remote Access to the store No VPN tunnel Full VPN tunnel
108
Remote Access NetScaler Configuration
Create a virtual server in SmartAccess mode. Clientless access will be used for StoreFront and App Controller.
109
Remote Access NetScaler Configuration Create three session policies
- Desktop Receiver policy = redirects Win/Mac Receiver users to the StoreFront store
- Receiver for Web policy = redirects Win/Mac/mobile browser users to StoreFront's Receiver for Web site
- Worx Home policy = redirects iOS/Android Worx Home users to App Controller's store
Note: the expressions below only inspect client-supplied headers (User-Agent, Referer), which any client can set, so they decide which session profile a connection gets; they are not a substitute for the authentication and authorization policies bound to the virtual server.
110
Remote Access NetScaler Configuration
Desktop Receiver policy expression:
(REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Windows) || (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS Mac)
111
Remote Access NetScaler Configuration Desktop Receiver profile
Clientless Access = ON
Clientless Access URL Encoding = Clear
Single Sign-on to Web Applications = checked
112
Remote Access NetScaler Configuration Desktop Receiver profile
Default Authorization Action = ALLOW
Secure Browse = uncheck
Note: with ALLOW as the default, every authenticated session can reach any internal resource that no authorization policy explicitly denies; if the intranet resources are known, a DENY default with explicit allows is the safer setting.
113
Remote Access NetScaler Configuration Desktop Receiver profile
ICA Proxy = OFF
Web Interface Access =
Single Sign-on Domain = domain
Account Services Address =
114
Remote Access NetScaler Configuration
Receiver for Web site policy expression:
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS
115
Remote Access NetScaler Configuration Receiver for Web site profile
Home Page =
Clientless Access = ON
Clientless Access URL Encoding = Obscure
Single Sign-on to Web Applications = checked
116
Remote Access NetScaler Configuration Receiver for Web site profile
Default Authorization Action = ALLOW
Secure Browse = uncheck
117
Remote Access NetScaler Configuration Receiver for Web site profile
ICA Proxy = OFF
Web Interface Address =
Single Sign-on Domain = domain
118
Remote Access NetScaler Configuration Worx Home policy expression
(REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER User-Agent CONTAINS zenprise) || (REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver/1.0)
The second clause (CitrixReceiver/1.0) is needed because Worx Home for Android 8.5 does not send the new User-Agent string in the HTTP header. This will be fixed in a later release.
119
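The three classic expressions above, re-implemented as an added example (not from the deck and not Citrix code) so that the routing they produce can be checked against sample headers before the policies are bound. Assumptions that are not on the slides: CONTAINS is treated as a plain case-sensitive substring test, an absent header never matches, and the bind priorities in POLICIES (lower number wins) are invented for the example; the sample User-Agent and Referer values are constructed, not captured from real clients.

```python
"""Evaluate the deck's three NetScaler session-policy expressions over sample headers."""
from typing import Optional


def _contains(header: Optional[str], needle: str) -> bool:
    """REQ.HTTP.HEADER <name> CONTAINS <needle>: substring test; an absent header never matches (assumption)."""
    return header is not None and needle in header


def desktop_receiver(user_agent: str, referer: Optional[str] = None) -> bool:
    """(UA CONTAINS CitrixReceiver && UA CONTAINS Windows) || (UA CONTAINS CitrixReceiver && UA CONTAINS Mac)"""
    return (_contains(user_agent, "CitrixReceiver") and _contains(user_agent, "Windows")) or \
           (_contains(user_agent, "CitrixReceiver") and _contains(user_agent, "Mac"))


def receiver_for_web(user_agent: str, referer: Optional[str] = None) -> bool:
    """UA NOTCONTAINS CitrixReceiver && Referer EXISTS"""
    return (not _contains(user_agent, "CitrixReceiver")) and referer is not None


def worx_home(user_agent: str, referer: Optional[str] = None) -> bool:
    """(UA CONTAINS CitrixReceiver && UA CONTAINS zenprise) || (UA CONTAINS CitrixReceiver/1.0)"""
    return (_contains(user_agent, "CitrixReceiver") and _contains(user_agent, "zenprise")) or \
           _contains(user_agent, "CitrixReceiver/1.0")


# (policy name, expression, bind priority). The priorities are an assumption for this example.
POLICIES = [
    ("worx_home", worx_home, 100),
    ("desktop_receiver", desktop_receiver, 110),
    ("receiver_for_web", receiver_for_web, 120),
]


def select_policy(user_agent: str, referer: Optional[str] = None) -> Optional[str]:
    """Name of the first policy that matches in priority order, or None when nothing matches."""
    for name, expression, _priority in sorted(POLICIES, key=lambda p: p[2]):
        if expression(user_agent, referer):
            return name
    return None


# Constructed sample headers: (User-Agent, Referer or None).
SAMPLES = {
    "windows_receiver": ("CitrixReceiver/3.4 Windows", None),
    "mac_receiver": ("CitrixReceiver/11.8 Mac OS X", None),
    "worx_home_ios": ("CitrixReceiver/8.5 zenprise iOS", None),
    "worx_home_android_85": ("CitrixReceiver/1.0", None),            # old UA, caught by the second clause
    "browser_from_rfweb": ("Mozilla/5.0 (iPad)", "https://gateway.example/vpn/index.html"),
    "browser_direct": ("Mozilla/5.0 (iPad)", None),                  # no Referer: no policy matches
    "ambiguous": ("CitrixReceiver/1.0 Windows", None),               # matches two policies; priority decides
}


def classify_samples() -> dict:
    """Map each sample to the policy it would land on."""
    return {name: select_policy(ua, ref) for name, (ua, ref) in SAMPLES.items()}


if __name__ == "__main__":
    for name, policy in classify_samples().items():
        print(f"{name:22} -> {policy}")
```

The last two samples are the ones worth checking on a real appliance: a browser that arrives without a Referer matches none of the three policies and falls through to whatever global session settings apply, and a User-Agent that satisfies two expressions is decided purely by bind priority.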
Remote Access NetScaler Configuration Worx Home profile
Split Tunnel = OFF/ON
Session Time-out (mins) = 1440 (1 day)
Clientless Access = ON
Clientless Access URL Encoding = Clear
Plug-in Type = Windows/Mac OS X (MicroVPN)
Single Sign-on to Web Applications = checked
120
Remote Access NetScaler Configuration Worx Home profile
Default Authorization Action = ALLOW
Secure Browse = checked
121
Remote Access NetScaler Configuration Worx Home profile
ICA Proxy = OFF
Web Interface Address =
Single Sign-on Domain = domain
Account Services Address =
122
Remote Access NetScaler Configuration
Verify you have two Clientless Access policies:
- one for Receiver/Worx Home connections
- one for anything else, e.g. Receiver for Web
123
Remote Access NetScaler Configuration
Clientless Access domains defined
Allowed Domains: App Controller FQDN, StoreFront FQDN
Bind FQDNs via CLI (recommended):
bind patset ns_cvpn_default_inet_domains appc28.amc.ctx
bind patset ns_cvpn_default_inet_domains storefrontlb.amc.ctx
124
Remote Access NetScaler Configuration
Define Secure Ticket Authority (STA): XenApp, XenDesktop
125
Remote Access NetScaler Configuration
Finally, bind the AppController URL at the AG virtual server level (not Global!)
126
Remote Access NG + AppController + MDM + StoreFront Pros Cons
Pros
- Single NetScaler Gateway VIP
- Follow-me apps for Windows work for Win/Mac
Cons
- Follow-me apps do not work on Worx Home (mobile devices)
128
“Can I push MDX / Web and SaaS apps to mobile devices?”
Answer is YES. Let’s explain in the next slide…
129
Integration with XenMobile Device Manager
New option on App Controller: Require app installation
- Works with the App Controller and XenMobile Device Manager integration
- The Require app installation option can automatically subscribe to and install Web/SaaS and MDX apps
130
Integration with XenMobile Device Manager
Host = IP address or FQDN of MDM server
Port = 80 or 443
Shared Key = alphanumeric value, e.g. Citrix123
Instance Path = /zdm
Require Device Manager Enrollment = recommended
131
Integration with XenMobile Device Manager
Overview
- App Controller uploads all MDX apps, public store apps and Web/SaaS apps to the MDM server: securely over HTTPS (443) or non-secure over HTTP (80)
- App Controller also uploads the NetScaler Gateway URL (or the App Controller URL) that Worx Home should use
- When a user requests access to an MDX app, MDM pushes it to the mobile device
Use 443: the requests on the next slides carry the shared key in an HTTP Basic header and, when configured, the Google Play store password in the JSON body, so over port 80 both are readable by anyone on the path between App Controller and Device Manager.
(Diagram: XMA to XDM over port 80 or 443)
132
Integration with XenMobile Device Manager
What is being uploaded? If Require Device Management enrollment = Yes
From App Controller to Device Manager:
POST /zdm/cxf/wsapi/configuration/mdmrequired HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 31
{"errorcode":0,"required":true}
(Diagram: XMA asks XDM "Enrollment Required? Yes / No" over port 80 or 443)
Note: the Authorization header is HTTP Basic, and YWRtaW46Y2l0cml4 is only base64 of admin:citrix (the admin user and the shared key), so on port 80 the shared key crosses the network in clear.
133
Integration with XenMobile Device Manager
What is being uploaded? If Require Device Management enrollment = Yes: OK, done!
From Device Manager to App Controller:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FFAEE9B40D6E797859A03C275E80B999; Path=/zdm/; HttpOnly
Date: Fri, 09 Aug :55:16 GMT
Content-Type: application/json
Content-Length: 53
{"response":"mdm_required_flag properly set to true"}
(Diagram: XDM to XMA over port 80 or 443)
134
Integration with XenMobile Device Manager
What is being uploaded? If Google Play credentials are saved in App Controller
From App Controller to Device Manager:
POST /zdm/cxf/wsapi/configuration/gplaycredentials HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 125
{"gplay_credentials":{"store_login":"username","store_password":"password","android_id":"androidID"}}
(Diagram: XMA sends the Google Play credentials to XDM over port 80 or 443)
135
Integration with XenMobile Device Manager
What is being uploaded? If Google Play credentials are saved in App Controller: OK, done!
From Device Manager to App Controller:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6B D06A6D51BFED315486D8089; Path=/zdm/; HttpOnly
Date: Fri, 09 Aug :58:39 GMT
Content-Type: application/json
Content-Length: 40
{"response":"Credential properly saved"}
(Diagram: XDM to XMA over port 80 or 443)
136
Integration with XenMobile Device Manager
What is being uploaded? Uploading apps
From App Controller to Device Manager:
POST /zdm/cxf/wsapi/package/10cbccea-8d27-4cc9-86ed-d43e7078bc8b HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 323
{"application":{"options":{"remove_when_mdm_removed":true,"prevent_backup_data":false},"id":"10cbccea-8d27-4cc9-86ed-d43e7078bc8b","type":"IPA","install_once":true,"required":false,"url":"
(Diagram: XMA uploads MDX / Web / SaaS apps to XDM over port 80 or 443)
137
Integration with XenMobile Device Manager
What is being uploaded? Uploading apps
If the app already exists, Device Manager answers HTTP 500; otherwise HTTP 200 OK ("Already have it!").
From Device Manager to App Controller:
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=88D CD4A A02C22D; Path=/zdm/; HttpOnly
Date: Fri, 09 Aug :58:39 GMT
Content-Type: application/json
Content-Length: 64
Connection: close
{"error":{"description":"Package ID already exists","code":201}}
(Diagram: XDM to XMA over port 80 or 443)
138
Integration with XenMobile Device Manager
What is being uploaded? Upload NetScaler Gateway URL
If remote access is disabled, the App Controller URL is provided instead.
From App Controller to Device Manager:
POST /zdm/cxf/wsapi/configuration/appcfqdn HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Basic YWRtaW46Y2l0cml4
User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: ftlvxmdm.amc.ctx
Content-Length: 25
{"fqdn":"agdara.amc.ctx"}
(Diagram: XMA sends the AppC / NetScaler FQDN to XDM over port 80 or 443)
139
Integration with XenMobile Device Manager
What is being uploaded? Upload NetScaler Gateway URL: FQDN set!
If remote access is disabled, the App Controller URL is provided instead.
From Device Manager to App Controller:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2C4B7B47E B700F DBB0; Path=/zdm/; HttpOnly
Date: Fri, 09 Aug :58:40 GMT
Content-Type: application/json
Content-Length: 50
{"response":"fqdn properly set to agdara.amc.ctx"}
(Diagram: XDM to XMA over port 80 or 443)
140
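The exchange captured on the preceding slides, replayed as an added example (not Citrix code and not from the deck) against a small in-process stand-in for the Device Manager /zdm/cxf/wsapi endpoints. The paths, JSON bodies and the 200 / 500 "Package ID already exists" behaviour follow the captures above; everything in FakeXdm, the 401 branch for a wrong shared key, the "admin" user name and the hypothetical host/port are constructed for this example. The decode_basic helper makes the point of the earlier note concrete: Basic is base64, not encryption.

```python
"""Replay the App Controller -> Device Manager web-service handshake against a local stand-in."""
import base64
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_USER = "admin"    # assumed user name behind the slides' Basic header
SHARED_KEY = "citrix"   # 'Basic YWRtaW46Y2l0cml4' on the slides decodes to admin:citrix


def basic_header(user: str, password: str) -> str:
    """HTTP Basic is base64 of 'user:password', which is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value: str):
    """Recover (user, password) from a Basic header: all an on-path observer of port 80 needs to do."""
    raw = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


class FakeXdm(BaseHTTPRequestHandler):
    """Constructed stand-in for the Device Manager side; not the real product."""
    packages = set()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.headers.get("Authorization") != basic_header(ADMIN_USER, SHARED_KEY):
            return self._reply(401, {"error": {"description": "shared key rejected", "code": 0}})
        if self.path == "/zdm/cxf/wsapi/configuration/mdmrequired":
            flag = "true" if body["required"] else "false"
            return self._reply(200, {"response": f"mdm_required_flag properly set to {flag}"})
        if self.path == "/zdm/cxf/wsapi/configuration/appcfqdn":
            return self._reply(200, {"response": f"fqdn properly set to {body['fqdn']}"})
        if self.path.startswith("/zdm/cxf/wsapi/package/"):
            pkg_id = self.path.rsplit("/", 1)[1]
            if pkg_id in FakeXdm.packages:   # second upload of the same package id
                return self._reply(500, {"error": {"description": "Package ID already exists", "code": 201}})
            FakeXdm.packages.add(pkg_id)
            return self._reply(200, {"response": "package accepted"})
        self._reply(404, {"error": {"description": "unknown resource", "code": 0}})

    def _reply(self, status: int, obj: dict):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def xdm_post(host: str, port: int, path: str, payload: dict, key: str = SHARED_KEY):
    """Send one request shaped like the App Controller captures: JSON body plus Basic auth. Returns (status, json)."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=json.dumps(payload), headers={
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": basic_header(ADMIN_USER, key),
        "User-Agent": "Jakarta Commons-HttpClient/3.0.1",
    })
    resp = conn.getresponse()
    result = (resp.status, json.loads(resp.read()))
    conn.close()
    return result


def run_handshake() -> dict:
    """mdmrequired -> package upload (twice) -> appcfqdn, plus one attempt with a wrong shared key."""
    FakeXdm.packages = set()
    server = HTTPServer(("127.0.0.1", 0), FakeXdm)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    pkg_id = "10cbccea-8d27-4cc9-86ed-d43e7078bc8b"
    package = {"application": {"options": {"remove_when_mdm_removed": True, "prevent_backup_data": False},
                               "id": pkg_id, "type": "IPA", "install_once": True, "required": False}}
    try:
        return {   # dict entries are evaluated in order, so the package is uploaded before it is re-uploaded
            "mdmrequired": xdm_post(host, port, "/zdm/cxf/wsapi/configuration/mdmrequired",
                                    {"errorcode": 0, "required": True}),
            "package_first": xdm_post(host, port, f"/zdm/cxf/wsapi/package/{pkg_id}", package),
            "package_again": xdm_post(host, port, f"/zdm/cxf/wsapi/package/{pkg_id}", package),
            "appcfqdn": xdm_post(host, port, "/zdm/cxf/wsapi/configuration/appcfqdn",
                                 {"fqdn": "agdara.amc.ctx"}),
            "wrong_key": xdm_post(host, port, "/zdm/cxf/wsapi/configuration/mdmrequired",
                                  {"errorcode": 0, "required": True}, key="Citrix1234"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for step, (status, body) in run_handshake().items():
        print(f"{step:14} HTTP {status} {body}")
```

When troubleshooting a real integration the same sequence can be followed in a network trace: a 500 with code 201 on the package upload is the expected "already have it" answer, not a failure, while a rejected shared key never gets that far.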
Integration with GTA
Support email = help desk email address
Support phone = help desk phone number
GoToAssist Chat = GoToAssist token for chat services
GoToAssist Ticket = GoToAssist ticket generated from portal
141
Branding Your Store
142
Receiver Email Template
Do not use this option for Worx Home! The Provisioning File (.cr) is only compatible with Citrix Receiver (mobile or desktop)
143
Google Play Store Apps
To allow App Controller to download data from the Google Play store, it needs the device's Android ID (note: the label for this setting has a typo in the App Controller UI). To display the ID, type *#*#8255#*#* on the Android phone's dial pad.
144
Secure Browse vs. MicroVPN
145
Secure Browse MicroVPN WorxWeb
Secure Browse
- Client-side rewrite feature to access intranet sites
- Available on Receiver for iOS or later
- Must use NetScaler Gateway 10 (build or later)
MicroVPN
- On-demand application VPN tunnel between mobile device and NetScaler Gateway
- Available on Receiver for Android 3.1 or later and Receiver for iOS 5.7
- Supported with Worx Home and MDX apps
- Must use NetScaler Gateway 10 (build or later)
WorxWeb
- Native iOS/Android mobile browser application
- Securely connects to the corporate network using an on-demand MicroVPN tunnel
- Must use NetScaler Gateway 10 (build or later)
146
How do I connect to intranet sites?
The flowchart on this slide decides how an iOS or Android device reaches intranet sites:
- WorxWeb installed? Yes: connect via MicroVPN
- No WorxWeb and Worx Home on iOS? Yes: connect via WebKit (Secure Browse)
- No WorxWeb and Worx Home on Android? Needs WorxWeb
If mobile users want to connect securely to intranet sites, there are three choices: Secure Browse, MicroVPN and WorxWeb. Each plays a role depending on how the user connects, on a per-use-case basis.
147
Secure Browse NetScaler Gateway Configuration
By default, Secure Browse is enabled on NetScaler Global Settings Session Policy
148
Secure Browse Example
If the intranet resource being accessed was “ and the FQDN of the AG-vserver was “ the rewritten request would look like the following. Citrix Receiver (CR) rewrites the Host header (and, if required, the Referer header) before sending the request out to AGEE. CR also injects the AGEE session cookie and any other cookie set by AGEE into the request header.
Example: if the resource being accessed was “ the FQDN of the AG-vserver was “ and the cookies set by AGEE were NSC_AAAC and NSC_FSSO, then the request CR sends looks like this:
GET /SecureBrowse/http/onebug.citrite.net HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: <Appropriate User Agent>
Host: agee.citrix.com
Connection: Keep-Alive
Cookie: NSC_AAAC=d306120bc4438c ab76a3ac9d0096ea d5f4f58455e445a4a42; NSC_FSSO=1
150
Secure Browse Example
Initial request from Citrix Receiver to NetScaler Gateway:
GET HTTP/1.1
Host: ag10716b.adolfolab.ctx
User-Agent: CitrixReceiver
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa d5f4f58455e445a4a42; NSC_FSSO=1; pwcount=2
Connection: keep-alive
Proxy-Connection: keep-alive
151
Secure Browse Example
If Secure Browse is enabled, NetScaler Gateway responds with the following:
HTTP/1.1 200 OK
Content-Length: 23
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain

SB:SecureBrowse RW:cvpn
152
Secure Browse Example
If Secure Browse is disabled, NetScaler Gateway responds with the following:
HTTP/1.1 200 OK
Content-Length: 23
Cache-control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain

RW:cvpn
153
Secure Browse Example
Citrix Receiver then starts the rewrite on the client side:
GET HTTP/1.1
Host: ag10716b.adolfolab.ctx
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/ (KHTML, like Gecko) Mobile/9B206
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
X-Citrix-Gateway: ag10716b.adolfolab.ctx
CitrixSecureBrowserIOS: YES
Cookie: NSC_AAAC=8479f0c77ce505f3430c90be66fa d5f4f58455e445a4a42;NSC_FSSO=1;pwcount=2;
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
154
Considerations
- Secure Browse works as long as Clientless Access (CVPN) is enabled on NetScaler
- If CVPN is disabled, Secure Browse does not work
- If Secure Browse is disabled, Citrix Receiver uses CVPN to connect to resources
155
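The client-side rewrite described on the Secure Browse slides, as an added example (not from the deck and not Citrix code): the capability probe answer is parsed to pick Secure Browse or the CVPN fallback from the Considerations slide, and an intranet URL is turned into the /SecureBrowse/<scheme>/<host> request with the Host header replaced by the gateway FQDN and the gateway's own cookies injected. Assumptions not shown on the slides: an https resource is rewritten to /SecureBrowse/https/<host> by analogy with the http case, a Referer is rewritten through the same transform, and the gateway name, cookie values and intranet URLs used below are constructed.

```python
"""Client-side Secure Browse rewrite and capability-probe handling, modelled on the slides."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def parse_capabilities(body: str) -> Dict[str, str]:
    """'SB:SecureBrowse RW:cvpn' -> {'SB': 'SecureBrowse', 'RW': 'cvpn'}."""
    caps = {}
    for token in body.split():
        key, _, value = token.partition(":")
        caps[key] = value
    return caps


def choose_mode(body: str) -> Optional[str]:
    """Secure Browse when the gateway advertises it, else clientless access (cvpn), else nothing usable."""
    caps = parse_capabilities(body)
    if caps.get("SB") == "SecureBrowse":
        return "securebrowse"
    if caps.get("RW") == "cvpn":
        return "cvpn"
    return None   # neither advertised: clientless access is off, so Secure Browse cannot work either


def secure_browse_target(url: str) -> str:
    """http://onebug.citrite.net/x?y -> /SecureBrowse/http/onebug.citrite.net/x?y (https form is assumed)."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    target = f"/SecureBrowse/{u.scheme}/{u.netloc}{u.path}"
    return target + ("?" + u.query if u.query else "")


def rewrite_request(url: str, gateway_fqdn: str, cookies: Dict[str, str], user_agent: str,
                    referer: Optional[str] = None, ios: bool = True) -> Tuple[str, Dict[str, str]]:
    """Build what Receiver sends to the gateway for an intranet URL: (request-target, headers).
    Host becomes the gateway FQDN, the gateway's cookies (NSC_AAAC, NSC_FSSO, ...) are injected,
    and a Referer pointing at an intranet host is rewritten the same way (assumption)."""
    headers = {
        "Host": gateway_fqdn,
        "User-Agent": user_agent,
        "Accept": "*/*",
        "X-Citrix-Gateway": gateway_fqdn,
        "Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
    }
    if ios:
        headers["CitrixSecureBrowserIOS"] = "YES"
    if referer:
        headers["Referer"] = f"https://{gateway_fqdn}{secure_browse_target(referer)}"
    return secure_browse_target(url), headers


def serialize(target: str, headers: Dict[str, str]) -> str:
    """Render the rewritten request as wire text."""
    lines = [f"GET {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed values mirroring the slide: gateway agee.citrix.com, intranet host onebug.citrite.net.
    print("mode:", choose_mode("SB:SecureBrowse RW:cvpn"))
    target, hdrs = rewrite_request("http://onebug.citrite.net", "agee.citrix.com",
                                   {"NSC_AAAC": "d306120bc4438c", "NSC_FSSO": "1"},
                                   "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X)")
    print(serialize(target, hdrs))
```

The point to notice is that the intranet host name ends up in the request path, not in the Host header, so the gateway sees an ordinary request for itself; that is why the allowed-domains patset and the clientless-access policies on the earlier slides decide whether the rewritten request is actually proxied.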
MicroVPN
156
MicroVPN: on-demand application VPN tunnel between mobile device and NetScaler Gateway
Platforms supported: Android, iOS
MDX apps supported: WorxMail, WorxWeb
Receivers that support MicroVPN: Worx Home 8.5, Receiver for Android 3.1 or later, Receiver for iOS 5.7 or later
Micro-VPN was first introduced on AGEE build along with the Receiver for Android 3.1 and iOS 5.7 releases.
157
MicroVPN How does it work?
Receiver POSTs credentials to NetScaler Gateway:
POST HTTP/1.1
Host: mycitrixdemo.net
User-Agent: CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable
Content-Length: 24
Accept: */*
X-Citrix-Gateway:
158
MicroVPN How does it work?
Because Receiver sends a VpnCapable User-Agent (CitrixReceiver/com.citrix.ReceiveriPad iOS/5.7 (build 170) CitrixReceiver-iPad CFNetwork Darwin VpnCapable), Access Gateway answers with a redirect to /cgi/setclient? and sets the session cookie (note the Secure and HttpOnly flags on it).
For iOS:
HTTP/1.1 302 Object Moved
Location: /cgi/setclient?iosc
Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/
For Android:
HTTP/1.1 302 Object Moved
Location: /cgi/setclient?andr
Set-Cookie: NSC_AAAC=55f4f4d9926e4b6533f603324b45fa1f0311fe8c345525d5f4f58455e445a4a42;Secure;HttpOnly;Path=/
159
Troubleshooting App Controller
160
Troubleshooting
Troubleshooting menu from the console:
- Network Utilities
- Advanced logging and tracing
- Support Bundle for log collection and traces
161
Troubleshooting Troubleshooting menu available under the new console Main Menu (option 3)
162
Troubleshooting Troubleshooting Menu Network Utilities Logs
Network Utilities: PING, ARP, Routing Table and others
Logs: admins can review the last 1000 lines of log; provides advanced logging settings for specific modules
Support Bundle: collects all AppController logs, core dumps and network traces
163
Troubleshooting Network Menu
- Network information
- Show Routing Table
- Show ARP Table
- PING
- Traceroute
- DNS lookup
- Network Trace
164
Troubleshooting Network Information
Displays detailed information about the network adapters:
- IP address
- Subnet mask
- MAC address
- MTU size
- Adapter state (UP/DOWN)
165
Troubleshooting Routing Table
Displays routes information associated with AppController
166
Troubleshooting ARP Table
Displays Address Resolution Protocol (ARP) information associated with AppController
167
Troubleshooting PING Test by sending ICMP packets from AppController VM to a destination host
168
Troubleshooting Traceroute
Test by sending ICMP packets from the AppController VM to a destination host and counting the number of hops on the way
169
Troubleshooting DNS Lookup
Test Domain Name Resolution (DNS) from AppController to destination host
170
Troubleshooting Network Trace
- Captures network traces in pcap format on one or more interfaces
- Supports filtering options
- Press Enter to stop the network trace
- Network traces can only be extracted via the Support Bundle
171
Troubleshooting Logs Menu
Advanced logging settings to trace specific AppController modules. For more information, please refer to
Option 5 displays the last 1000 lines of logging entries.
172
Troubleshooting Support Bundle Menu
Provides admins with all AppController logs and network traces collected into a compressed file (.ZIP)
Admins can optionally encrypt the Support Bundle
To extract the Support Bundle: upload via FTP or upload via SCP
173
Troubleshooting Generate Support Bundle
Admins can choose whether or not to encrypt the Support Bundle
The Support Bundle filename contains the date/time, the IP address and the compression format extension (.ZIP)
174
Troubleshooting Upload Support Bundle
Admins can upload the bundle via FTP or SCP. For more information on how to upload it via FTP, please refer to
Admins have to enter the FTP server hostname and the location where the file should be uploaded.
Prefer SCP, or encrypt the bundle before using FTP: the bundle contains logs and packet captures, and FTP sends both the upload and the FTP credentials in clear.
175
Troubleshooting Upload Support Bundle via FTP
Admins have to enter the FTP server hostname, user credentials and the location where the file should be uploaded.
176
Troubleshooting Support Bundle Contents
- Sas_core: core dumps
- Sas_log: management, system, debug and informational logs
- Sas_trace: network traces
- Sys_info: AppController system information (ARP entries, disk space usage, interface configuration, routing table, running processes)
- Var_log: authentication, daemon, kernel, mail, system and user logs