XenMobile Deployment Guide | Vintech Electronic System Pvt Ltd

XenMobile Deployment Guide

Contents
XenMobile Deployment Guide
Purpose and Scope
XenMobile Components
Recommended Product Versions
Integrating XenMobile with XenDesktop/XenApp
Leveraging Existing WI/PNA Infrastructure
4 Phases to a successful deployment
Phase 1: Deploying XM Device Manager
Phase 2: Deploying AppController and Receiver
Phase 3: Deploying Access Gateway
Phase 4: Integrating with XD / XA
Best practice Deployment flowchart
Environment Details
Required Credentials
1: Installing XM Device Manager Server
2: Integrating XM Device Manager with Active Directory
3: Optional - Adding New Applications from the Apple App Store or Google Play Store
4: Optional - Adding New local Applications
5: Configure Policies on XM Device Manager
6 Optional: Creating a Deployment Package
7: Endpoint Configuration
8: Wiping Devices
9: Initial/Basic Configuration of Citrix AppController
10: Creating Users, Roles, adding Applications and Assigning Apps
11: Integrating XM Device Manager with XM AppController
12: Configuring Access Gateway
Import Certificate
Configure AG VIP via the Wizard
Configure LB-VIP for access to the XMDM
Appendix:
Appendix 1: Application Approval Workflow
Appendix 2: Delegating Administrative task to users
Appendix 3: Configuring Split Tunneling SSL VPN Policy

Purpose and Scope


The purpose of this document is to walk through basic configurations that will enable a successful
XenMobile deployment in a controlled environment for POCs and Testing.

XenMobile Components
XenMobile is comprised of the following key technology components:
1. XM MDM Client and Receiver are used to enable mobile device management on the device
and to deliver XenMobile enabled applications to the end users
2. XM Device Manager incorporates mobile SSL VPN, application data traffic optimization, device
management, device data encryption and real-time device remote control to safely control
mobile IT environments
3. XM AppController integrates with Active Directory, ShareFile, Web/SaaS applications and
native mobile apps to deliver enterprise mobility features
4. Access Gateway allows secure access to enterprise resources from outside of the corporate
network and is an integral part of the XenMobile solution suite

Prerequisite:
You must download and/or have the following files available:
1. XenMobile MDM Manager
2. XenMobile Device Manager license
3. AppController VM
4. Netscaler VM
5. APNS Certificate
6. Web Server Certificate for the XM-Device Manager, XM-AppController and Netscaler and the root
certificate

The following diagram illustrates a complete XenMobile deployment

Figure 1 XenMobile Deployment Diagram


In this deployment, users will need to download the latest XM MDM Client and Receiver on the device
and create an account that points to XM AppController via Access Gateway to access XenMobile
delivered applications.

Integrating XenMobile with XenDesktop/XenApp


XenMobile can easily fit into an existing XenDesktop and XenApp deployment to deliver a unified
application experience for Windows applications, desktops, Web & SaaS applications and native
mobile apps through Receivers. The following sections describe two separate approaches to
accomplish this integration.

Leveraging Existing WI/PNA Infrastructure


A large majority of the existing XenDesktop/XenApp install base will have a Web Interface or PNA site,
optionally fronted by Access Gateway for the remote worker use case. In this scenario, adding XM
AppController atop the current environment allows customers to leverage XenMobile features.
Receivers can continue to talk to the Web Interface or PNA site (Standalone or Netscaler) for Windows
applications and can now integrate with XM AppController (optionally through Access Gateway) for
Web, SaaS and Mobile apps.
The following diagram illustrates the recommended deployment architecture at a high level:

Figure 2 XenMobile with WI/PNA Infrastructure


The benefit with this approach is that it minimizes the number of moving parts and allows customers
to easily augment their current environment with XenMobile components. With this approach, users
will need to configure Receiver to create separate connections - one to their existing WI/PNA site and
another to XM AppController (or Access Gateway for remote use cases) for XenMobile delivered apps.

4 Phases to a successful deployment


Breaking down the POC deployment into 4 phases will make the configuration process easy. Each
phase builds upon the previous one creating a path of least resistance.

Phase 1: Deploying XM Device Manager


The XM Device Manager server is designed to be an edge gateway server that lives in the network
DMZ. It needs a static IP address that is reachable from the public Internet, as well as a
registered and published DNS host name so that devices can reach the server during enrollment and
communicate with it regularly. It is strongly recommended to use a separate A-record or CNAME record
for any host living in a DMZ, both for anonymity and as a best practice to support server
high-availability and recovery.

Phase 2: Deploying AppController and Receiver


In a controlled environment, AppController and Receiver are deployed so that they are only accessible
on the internal network. Deployment on an internal network allows us to focus on the success of
application delivery without the distraction of dealing with DMZ firewalls or XenApp or XenDesktop
integration.

Phase 3: Deploying Access Gateway


Phase 3 adds Access Gateway to the successfully deployed AppController and Receiver. This allows access from
the internet to all the applications already tested internally. Access Gateway deployments have their own set of
challenges which are different from deploying AppController. It is suggested that users approach this as a
separate project altogether. Deploying Access Gateway in the DMZ will most likely involve other individuals
and/or departments within an Enterprise.

Phase 4: Integrating with XD / XA


The last phase is to include already existing XenDesktop or XenApp into the deployment.
There are two possible approaches:
First, the easier approach, is to configure the Receiver on the endpoint to connect to the
existing Web Interface server. In this case the Receiver has two stores configured. The user is
required to switch between stores depending on what application he or she would like to
access.

The second approach requires the deployment of StoreFront. With StoreFront all application
delivery services are aggregated through a single StoreFront service. In this case users will
have all their applications available through a single store, no switching is required.

Best practice Deployment flowchart

Environment Details
This section is used to describe the lab environment and the virtual machines that are used.
Machine                            Details
XenServer                          Hosts virtual machines
Active Directory                   Virtual Machine providing directory services
AppController                      Virtual Machine
Access Gateway (on Netscaler VPX)  Hardware providing secure remote access to CG
XenMobile Device Manager           Virtual Machine providing Mobile Device Management

Required Lab Credentials


Below are the login credentials required to connect to the workshop system and complete the
lab exercises.

Machine               Username                  Password             Hostname
XM Device Manager     Finadmin/domain user ID                        https://mobile.finolexwater.com/zdm/login.jsp
Netscaler VPX         default is nsroot         default is nsroot
AD-Domain Controller
AppController         default is Administrator  default is password  https://filmdmapp.finolexind.com:4443

IPAddress
NSIP:
SNIP:
AG-VIP:
LB-VIP:

1: Installing XM Device Manager Server


Step by step guidance
Estimated time to complete this: 25 minutes.
1. Download the following files to the XenMobile Device Manager:
   1. Download Java SE 7 JDK (JDK Download Edition) update 11 and later
      http://www.oracle.com/technetwork/java/javase/downloads/index.html
   2. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
      http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download432124.html
   3. XenMobile Device Manager installer from
      http://download.citrix.com/downloads.html
   4. The XenMobile Device Manager license file
   5. The APNS Certificate
2. Open the folder where you downloaded Java 7 to
   Run the jdk-7xx-windows-x64 installer
3. Click Next three times
   Then click Continue
4. Click the Java icon on the task bar to display the Java FX SDK Setup window.
   Click Next two times
   Then click Close
5. Close the registration window that automatically opens.
   Open the folder containing JCE-7 policy files
   Copy files local_policy.jar and US_export_policy.jar
6. Paste the two files into:
   C:\Program Files\Java\jre7\lib\security
   C:\Program Files\Java\jdk1.7.0_XX\jre\lib\security
   Click Replace files in the destination when prompted
7. Open the folder containing XenMobile MDM installer
   Run the XenMobile Device Manager installer
8. Click OK
9. Click Next
10. Click I Agree
11. Click Next
12. Leave the default destination folder as is
    Click Install
13. The PostgreSQL installer is displayed
    Click Next three times
14. Enter the following in the PostgreSQL Service configuration window:
    Account password: ctx@1234 (or the password of your choice)
    Verify password: ctx@1234 (or the password of your choice)
    Click Next
    Click Yes to allow the installer to create an account for you
    Click No when prompted to replace the password with a random password
15. Enter the following in the PostgreSQL Initialize database cluster window:
    Password: ctx@1234 (or the password of your choice)
    Password (again): ctx@1234 (or the password of your choice)
    Click Next four times using the default functions
    Then click Finish
16. Click the button corresponding to the License file field
    Browse for license.crt in XenMobile MDM folder on the Desktop
17. Click Open
18. Click Next
19. Enter the following in the Configure database connection window:
    User name: postgres
    Password: ctx@1234 (or the password of your choice)
    Click Check the connection > Create > OK > Next
20. Click Next
21. Click Next
22. Click Next
23. Click Next
24. Click Next
25. Enter the following parameters:
    Keystore password: ctx@1234 (or the password of your choice)
    Confirm keystore password: ctx@1234 (or the password of your choice)
    Click Next
    Repeat this step for the next two screens
26. Enter the following parameters:
    Keystore password: ctx@1234 (or the password of your choice)
    Confirm keystore password: ctx@1234 (or the password of your choice)
    IP address or FQDN: mobile.finolexwater.com
    Click Next
27. Click the button corresponding to the Certificate file path field
28. Browse for the APNS Certificate
    Click Open
29. Enter the Private key password: ctx@1234 (or the password of your choice)
    Click Next
30. The Minimum Port and Maximum Port will auto-fill
    Click Next
31. Enter the following parameters:
    User name: Finadmin
    Password: ctx@1234 (or the password of your choice)
    Confirm password: ctx@1234 (or the password of your choice)
    Click Check the user name > OK (on error message) > Next
32. Click Finish
33. Wait until the configuration is complete
    Click Close once the configuration is finished
34. Wait for the installation to complete
    Click Next
35. The installation is now complete
    Click Finish

2: Integrating XM Device Manager with Active Directory


Overview
After installing the XM Device Manager, connect your directory services so that you can associate
the user groups that will be permitted to enroll mobile devices. This is accomplished via the web console.
These brief steps will guide you through setting up the LDAP/Active Directory connector and associating
user groups to manage devices and users.

Step by step guidance


Estimated time to complete this lab: 10 minutes.
1. Open Internet Explorer and navigate to https://192.9.210.53/zdm
   Ignore the certificate warning and continue to the site.
   Log into the XenMobile Device Manager console:
   Username: finadmin
   Password: ctx@1234
2. Click Get Started in the wizard
3. If you have the XenMobile AppController deployed select the checkbox in front of
   Yes, and click Next
4. At the Base Package dialog click Next
5. Build your base package according to your requirements by dragging the icons from
   the left to the right
6. For example:
   Passcode Policy
7. Click Next to continue
8. In the Active Directory dialog click on Yes, to configure your Active Directory User
   directory
9. Select LDAP as the directory type
   Click Next
10. Enter the following for each parameter:
    Directory Type: Microsoft Active Directory
    Primary Host [: Port:]: 192.9.210.12
    Root context: DC=Finolexind,DC=com
    Example: DC=training,DC=lab
    Search user: finadmin@finolexind.com
    Password: Admin Password
    Domain alias: finolexind.com
    XenMobile lockout limit: 5
    Global Catalog TCP port: 3268
    User Search By: sAMAccountName (The default is userPrincipalName.
    Change to sAMAccountName)
    Click Check
11. An informational message that the binding was successful is displayed.
    Click OK
    Then click Next
12. Leave preconfigured LDAP attributes as is
    Click Next
13. Click New group
    Select Administrators from the LDAP group category drop-down
    Select Administrator from the Roles category drop-down
    Select XenMobile, FILSales from the Roles category drop-down
14. Click New group again
    Select another group, for example FILSales from the Roles category drop-down
    Select User from the Roles category drop-down
    Click Next
15. Repeat steps 13 & 14 to add Domain Users with User as Role
    Repeat steps 13 & 14 to add more groups as needed
16. Click Finish
17. Optionally you can test the enrollment at this point. If no devices are enrolled click
    Skip
18. Close the Startup Wizard by clicking on Go To Device Manager
19. Check Microsoft Active Directory
    Click Enable
    Check Microsoft Active Directory again
    Click Define by default
20. Notice that the Microsoft Active Directory connection is now Enabled and by Default
    Click Close and Log Out of the XM Device Manager Console
21. Log back into the XenMobile Device Manager console using the following:
    Username: some-user@your-domain.xxx
    Password: User's Domain Password
22. Notice how this user's Role limits their capabilities on the self-service portal
    Log Out of the XM Device Manager Console
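
The connector values entered in step 10 can be checked for consistency before they are typed into the console. The following Python check is an added example, not part of the original guide or of XenMobile: it derives the DNS domain from the Root context, compares it with the Search user suffix and the Domain alias, and reports when the LDAP and Global Catalog ports are the cleartext ones. The dictionary keys, function names and the mistyped alias are assumptions constructed for illustration; the other sample values are modelled on step 10.

```python
# Added example: pre-flight consistency check for the LDAP connector form values.
# Dictionary keys and function names are assumptions that mirror the form fields.

CLEARTEXT_PORTS = {389: "LDAP", 3268: "Global Catalog"}
TLS_PORTS = {636: "LDAP over TLS", 3269: "Global Catalog over TLS"}
SEARCH_ATTRIBUTES = {"samaccountname", "userprincipalname"}


def split_dn(dn):
    """Split a distinguished name into (ATTR, value) pairs.

    A backslash escapes the next character, so 'OU=Sales\\, EMEA' stays one
    component. Hex escapes such as '\\2C' are not decoded.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("distinguished name ends with a dangling backslash")
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_to_domain(root_context):
    """Build the DNS domain name from the DC= components of a root context."""
    labels = [value for attr, value in split_dn(root_context) if attr == "DC"]
    if not labels:
        raise ValueError("root context has no DC= components")
    return ".".join(labels).lower()


def parse_host_port(value, default_port):
    """Parse a 'host[:port]' field (IPv4 address or host name, not IPv6)."""
    host, sep, port = value.strip().partition(":")
    if not host:
        raise ValueError("host is empty")
    if not sep:
        return host, default_port
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid port: {port!r}")
    return host, int(port)


def check_connector(cfg):
    """Return (level, field, message) findings for one set of form values."""
    findings = []
    domain = dn_to_domain(cfg["root_context"])

    # A UPN suffix or alias can legitimately differ from the DNS domain, so a
    # mismatch is a warning to review, not an error.
    _, at, suffix = cfg["search_user"].partition("@")
    if not at:
        findings.append(("warning", "search_user", "not in user@domain form"))
    elif suffix.lower() != domain:
        findings.append(("warning", "search_user",
                         f"suffix {suffix!r} differs from {domain!r}"))
    if cfg["domain_alias"].lower() != domain:
        findings.append(("warning", "domain_alias",
                         f"{cfg['domain_alias']!r} differs from {domain!r}"))

    # Assumption: a primary host entered without a port means 389.
    _, ldap_port = parse_host_port(cfg["primary_host"], 389)
    for field, port in (("primary_host", ldap_port),
                        ("global_catalog_port", int(cfg["global_catalog_port"]))):
        if port in CLEARTEXT_PORTS:
            findings.append(("info", field,
                             f"{port} is the cleartext {CLEARTEXT_PORTS[port]} port"))
        elif port not in TLS_PORTS:
            findings.append(("warning", field,
                             f"{port} is not a standard Active Directory port"))

    if cfg["user_search_by"].lower() not in SEARCH_ATTRIBUTES:
        findings.append(("error", "user_search_by",
                         "expected sAMAccountName or userPrincipalName"))
    return findings


# Sample values modelled on step 10 of this section.
GUIDE_VALUES = {
    "primary_host": "192.9.210.12",
    "root_context": "DC=Finolexind,DC=com",
    "search_user": "finadmin@finolexind.com",
    "domain_alias": "finolexind.com",
    "global_catalog_port": 3268,
    "user_search_by": "sAMAccountName",
}
# Constructed failing case: two letters transposed in the alias.
MISTYPED_ALIAS = dict(GUIDE_VALUES, domain_alias="finoelxind.com")

if __name__ == "__main__":
    for name, cfg in (("guide values", GUIDE_VALUES), ("mistyped alias", MISTYPED_ALIAS)):
        print(name)
        for level, field, message in check_connector(cfg):
            print(f"  [{level}] {field}: {message}")
```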

3: Optional - Adding New Applications from the Apple App Store or Google Play Store

Overview
XenMobile Device Manager allows administrators to deploy applications to devices through the
web console.

Step by step guidance


Estimated time to complete this lab: 10 minutes.
1. Log on to the Device Manager at https://192.9.210.53/zdm with the following
   credentials:
   Username: finadmin
   Password: ctx@1234
2. Click the Applications tab
3. Click New in the upper left hand corner
   Select New external iOS app
4. Enter the following parameter:
   URL: https://itunes.apple.com/us/app/gotomypc-remotedesktop/id417742726?mt=8
   Click Go
   Click Add
5. Notice how GoToMyPC is available under All Applications
6. Click New in the upper left hand corner
   Select New external APK application
7. Enter the following parameters in the Add an external APK application window:
   Application store: GooglePlay
   URL: https://play.google.com/store/apps/details?id=com.citrixonline.gotomypc&hl=en
   Click Go
   Click Add
8. Notice how GoToMyPC is available under All applications
9. Click New in the upper left hand corner
   Select New external APK application
10. Enter the following parameters in the Add an external APK application window:
    Application store: GooglePlay
    URL: https://play.google.com/store/apps/details?id=com.citrix.Receiver&hl=en
    Click Go
    Click Add

4: Optional - Adding New local Applications


Overview
XenMobile Device Manager allows administrators to deploy applications to devices through the
web console.

Step by step guidance


Estimated time to complete this lab: 10 minutes.
1. Click New in the upper left hand corner
   Select New app
2. Click Browse
3. Browse for the your-mobile-app.ipa file (in our example GoToMeeting)
   Click Open
4. Click Import
5. Notice how a new Internal version of GoToMeeting is available
6. Click New in the upper left hand corner
   Select New app
7. Click Browse
8. Browse for your-mobile-app.apk (In our example GoToMeeting)
   Click Open
9. Keep all default parameters as is
   Click Import
10. Notice how a new Internal version of GoToMeeting.apk is available

5: Configure Policies on XM Device Manager


Overview
XM Device Manager empowers enterprise organizations to apply device configurations,
settings, and security parameters to multiple devices.

Step by step guidance


Estimated time to complete this lab: 10 minutes.

1. Click the Policies tab
2. Expand iOS in the left panel
   Select Configurations
   Check/highlight Passcode configuration
   Click Edit
3. Click the Policy tab
4. In the Policy tab, enter the following parameter:
   Minimum length codes: 4
   Click Update
5. In the right panel, click New Configuration > Profiles and Settings > Restrictions
6. In the General tab, enter the following parameters
   Identifier: Camera
   Display name: Camera Restriction
   Organization: Citrix (Change from ZenPrise Support)
   Description: Restrict Device from Using Camera
7. In the Restrictions tab, enter the following:
   Allow use of camera: <uncheck>
   Click Create
8. Expand Android in the left panel
   Click Configurations from the drop-down
9. Check the Passcode configuration
   Click Edit
10. In the Password Complexity tab, enter the following
    Minimum length codes: 4
    Click Update
11. Click New Configurations
    Then click Samsung > Restrictions
12. In the General tab, type in the following parameters:
    Name: Camera Restriction
    Description: Restrict Device From Using Camera
13. In the Hardware controls tab, enter the following
    Allow Camera: <uncheck>
    Click Create
14. Notice how the Camera Restriction policy for Samsung devices is now available

6 Optional: Creating a Deployment Package


Overview
Additional Policies created can be combined into targeted Deployment Packages. Administrators can
now manage multiple devices and users simultaneously with device Configuration Policies and
Deployment Packages.

Step by step guidance


Estimated time to complete this lab: 10 minutes.
1. Click the Deployment tab
2. Right click on the iOS Base Package
   Click Delete
   Click Yes
3. Click New package in the upper left hand corner
   Then click New iOS package
4. Type a package name
   Click Next
5. Expand Active Directory and your-domain
   Check the group to which you want to apply the Package
   Click Next
6. Under Application Push -> External iOS app select your-apps and click
7. Under configurations, browse for Passcode
   Click then click Next
8. Keep all default parameters as is
   Click Next
9. Click Next
10. Review the package summary
    Click Finish
11. Right click on the Android Base Package
    Click Delete
    Click Yes
12. Click New Package in the top left corner
    Then click New Android package
13. Type Android Training Package as the package name
    Click Next
14. Expand Active Directory and your-domain
    Select the group to which you want to deploy the package
    Click Next
15. Select the following resources to deploy:
    Under Enterprise Application Store -> External APK app, and select
    Your applications
    Under Application Push -> Installation files, select GoToMeeting
    Click
16. Under MDM Policies, select Connection Timers, Passcode and Schedule
    Click then click Next
17. Keep the default parameters as is
    Click Next
18. Click Next
19. Review the Package summary
    Click Finish
20. Click Deploy
    Click Yes

7: Endpoint Configuration
Overview
This step-by-step guide will demonstrate how to configure XM MDM Client for iOS on an iPad.
Note: If the device is enrolled with another MDM solution, the enrollment will fail. To
continue, you must un-enroll from your existing MDM solution.

Step by step guidance


Estimated time to complete this lab: 10 minutes.
1. Open the App Store on your iOS device
   Search for Citrix Mobile Enroll
   Tap on Citrix Mobile Enroll
   Tap install
2. Launch the Enroll app
   Tap Enroll
3. Enter a user name
   Tap Next
4. Enter the MDM server FQDN (If NetScaler Gateway is deployed the MDM Server
   FQDN is the public IP address of your NetScaler LB-VIP)
   Tap Next
5. Enter the password for the AD user
   When prompted, tap Continue to Verify Server Identity
6. Tap Install Company Profile
7. Tap Install
   Tap Install when prompted with the Unverified Profile Warning box
   Enter your passcode
   Click Done after the profile is installed.
8. Tap Install Device Profile
9. Tap Install > Install Now
   Enter your passcode
   Tap Install when prompted to install the Mobile Device Management profile.
   Click Done after the profile has been installed.
10. Tap Complete Enrollment
11. Once the enrollment is complete you will be prompted to install the applications
    you configured in your Deployment Package

8: Wiping Devices
Overview
XenMobile Device Manager allows administrators to view device specifications as well as wipe,
lock, and disable devices remotely.

Step by step guidance


Estimated time to complete this lab: 10 minutes.
1. Log on to your XM Device Manager https://mobile.finolexwater.com/zdm
2. Click the Dashboard tab
   You will see a new device registered under New Devices Last 24 Hours
   Click the arrow corresponding to New Devices Last 24 Hours
3. This brings you to the Devices tab
   Double-click the newly registered device in the right pane
4. Under the General tab, notice the device's specifications
5. Under the Properties tab, administrators can view the Network and Security
   information about the device
6. Under the iOS Profiles tab, administrators can view the profiles pushed onto a device
7. Under the Certificates tab, administrators can view the certificates on the device
8. Under the Deployment tab, administrators can monitor the status of packages
9. Click X
   You will return to the Devices tab
   Make sure that the newly registered device is checked
   Click Security
   Then click Selective wipe
10. Click Yes
    Move back to your iPad
    Watch the apps delivered from the MDM server disappear, while all personal apps
    remain untouched

9: Initial/Basic Configuration of Citrix AppController

Step by step guidance
Estimated time to complete this lab: 15 minutes.

1. Within XenCenter start the AppController vm and select the Console tab to log in to
   the AppController CLI
   Username: admin
   Password: password
2. The Main Menu is displayed
   Enter 0 to perform Express Setup
3. Enter 1 to configure the IP Address, Subnet Mask
   Configure AppController with the following:
   IP Address: 192.9.210.43
   Subnet Mask: 255.255.255.0 (Press enter to leave it at /24)
4. Enter 2 to configure the Default Gateway
   Configure the Default Gateway
5. Enter 5 to Commit Changes
   Enter Y to restart AppController
6. Open a browser and go to https://192.9.210.43:4443 to access the Web Admin
   Console. Ignore the certificate warning and continue to the site.
   NOTE: You are taken to the /ControlPoint/index.html site. You can type the full path if
   you would like. However, the URL is case sensitive.
   Log on with
   Username: Administrator
   Password: password
7. You will be presented with the following screen. First we are going to run through the
   Configure wizard.
   You will be prompted to change the Administrator password. Type
   Current password: password
   New password: New-Password
   Confirm password: New-Password
   Click Next
8. Enter the following parameters for the System settings:
   Hostname: FILMDMAPP1.FINOLEXIND.COM
   Leave the remaining fields as they are and click Next
9. Enter the following parameters for the Active Directory configuration:
   Server: 192.9.210.12 (this is the IP address of your Domain Controller)
   Domain name: FINOLEXIND.COM
   Service account: finadmin@finolexind.com
   Password: YOUR-DOMAIN-PASSWORD
   Confirm password: YOUR-DOMAIN-PASSWORD
   Click Next
10. Enter the following parameters for the NTP Server Configuration:
    NTP server: (general best practice is to use the DC as time server)
    Time Zone: (pick the appropriate time zone)
    DNS suffixes: finolexind.com
    Primary IP address: 192.9.210.11
    Click Next
11. Enter the following information for your Workflow Email Settings:
    Email Server: (the IP address of your mail server)
    Port: 25
    Email: (the from account for sending workflow emails)
    This will enable the workflow application request and manager authorization process.
    Click Next
12. A summary of all your defined settings will be displayed. Click Save
13. When the Confirm pop up is displayed, click Yes to continue
14. The AppController logs off when settings are saved and users/groups are retrieved
    from Active Directory
15. Log back into the AppController
    Username: Administrator
    Password: NEW-Password
    Click Settings
16. Select Certificates from the left menu
17. Click Import and then select Server (.pfx) from the Import drop-down menu
18. Browse to your AppController certificate
19. Enter the password for your Certificate at the Password prompt and click OK
20. Select the newly imported certificate and click on Make Active on the right side and
    click Yes when prompted for the Activation
    NOTE: You will be logged out. Simply log back into the AppController to continue with
    the lab

10: Creating Users, Roles, adding Applications and Assigning Apps

Step by step guidance
Estimated time to complete this lab: 20 minutes.
1.

2.

Log back into the AppController Management Console


Username: Administrator
Password:ctx@1234
Once you are logged in, click Roles in the top menu

3.

At the bottom left hand corner of the screen, click Add role

4.

In the Add Role dialog enter the following information


Role name: Example Sales
Click Next

5. Use the search box on the left side to search for Sales. Move the Sales-Group group from Available groups to Role members using the single right arrow button. Click Save

6. Repeat steps 3 - 5 to create additional Roles

7. Click on the Apps & Docs tab

8. Click the categories drop-down and then click + above All categories
Enter the following parameters for Add Category:
Name: Sales Apps
Description: Applications only available to those in the Sales department
Click Save

9. Click on Web & SaaS App in the left panel and then click the large green plus sign

10. Type Salesforce in the search bar
Click on Add next to Salesforce

11. From the Category drop-down menu select Sales Apps
From the Assigned Role drop down menu select Sales and deselect All Users
Click Next

12. (see additional exercise section for workflow enabled application configuration)
Click Next

13. Click Save

14. Repeat steps 9-13 to add additional applications

15. To upload MDX wrapped applications select either iOS MDX or Android MDX in the left panel
Click on the sign on the right

16. In the Upload Mobile App dialog browse to your MDX wrapped application
Click on Next

17. Complete the Upload Wizard and configure the policy settings according to Company Policy
Click Save

18. To assign applications from the Apple App Store or Google Play, you must first fetch the application URL from iTunes / Google Play
Within a browser search for the application name + itunes for iOS devices or application name + google play

19. Most likely the first result will be the App URL you need to copy into the AppController

20. Click on the URL
Copy the URL from the address bar into your clipboard

21. In the AppController UI within Apps & Docs click on Public App Store in the left pane
Click on the sign on the right side

22. In the Configure App dialog enter the following
App Name: Enter the App Name
URL: Paste the iTunes / Google Play URL from the Address Bar into the URL field
Click on Fetch Details
Select the appropriate Category and Assigned Role
Click Save

23.

11: Integrating XM Device Manager with XM AppController
Overview
XenMobile Device Manager can be integrated with the AppController so applications that are published on AppController are enumerated in WorxHome

Step by step guidance
Estimated time to complete this lab: 10 minutes.

1. Log on to the Device Manager at https://your-XMDM-IP/zdm with the following credentials:
Username: administrator
Password: Your-Password

2. Click on Options in the upper right corner

3. In the left Panel select AppC WebService API and enter your AppController information in the right key. Make note of the shared key you enter here, the same key has to be entered on the AppController.
Click Close

4. Log on to the AppController WebUI at https://filmdmapp.finolexind.com:4443
Click on Settings
Click on XenMobile MDM
Click on Edit

5. Enter the following information
Host: mobile.finolexwater.com
Port: 80
Shared Key: The same shared key as you configured on the MDM server
Click Save

12: Configuring Access Gateway
Step by step guidance
Estimated time to complete this lab: 20 minutes.

1. After importing the NetScaler VM onto your Hypervisor configure the basic IP settings from the console

2. From the console enter the following information for your NetScaler
NetScaler's IPv4 address: (The NetScaler management IP aka NSIP)
Netmask:
Gateway:

3. Enter 4 to save the config changes. The NetScaler will reboot.

4. Configure the SNIP at the Startup Wizard
Connect to the NetScaler via the web interface at 192.9.210.45
Log in to NetScaler ADC with
Username: nsroot
Password: nsroot

5. Open Internet Explorer and navigate to http://192.9.210.45
Log in to the NetScaler Configuration Utility
Username: nsroot
Password: nsroot

6. At the Wizard prompt enter the following information and click Continue when done:
Subnet IP aka SNIP:
The SNIP is the IP address that the NetScaler uses for all internal bound communication (See Diagram #1)
Hostname: (enter the FQDN, not the short name)
DNS server: (IP address of your DNS server)

7. Upload and apply the NetScaler License
Click on Browse to upload the License file
Browse to your license file and click Upload
The NetScaler will reboot once completed

8. Enable needed features
Enable Load Balancing
Enable SSL
Enable NetScaler Gateway
Expand Traffic Management
Right click on Load Balancing and click on Enable Feature
Repeat the same steps for SSL within Traffic Management
Repeat the same steps for Global Settings within NetScaler Gateway

9. Import Certificate
First you must create a private key
The private key is required to install a valid certificate issued by the Certificate Authority (CA). The certificate that you receive from the CA is valid only with the private key used to create the CSR.
You can create two types of private keys on Access Gateway: RSA and DSA.
An RSA private key is the most commonly used private key. It provides strong encryption and security for Access Gateway. Citrix recommends using an RSA private key on the Access Gateway.
A DSA private key is an older type of private key. It also provides encryption and is paired with the server certificate.

To create an RSA private key
In the configuration utility, in the navigation pane, click SSL
In the details pane, under SSL Keys, click Create RSA Key
In Key Filename, type the name of the private key or click Browse to navigate to an existing file
In Key Size (Bits), type the size of the private key
In Key Format, select PEM or DER. Citrix recommends PEM format for the certificate
In PEM Encoding Algorithm, select DES or DES3
In PEM Passphrase and Verify Passphrase, type the password, click Create and then click Close
Note: To assign a passphrase, the Key Format must be PEM and you must select the encoding algorithm

10. Create a Certificate Signing Request (CSR)
In the configuration utility, in the navigation pane, click SSL
In the details pane, under SSL Certificates, click Create CSR (Certificate Signing Request)
Select the private key created in the previous step
Complete the settings for the certificate and then click Create

11. Export the previously created CSR for signing
Click on Manage Certificates / Keys / CSRs
Select Run and Trust on all Java dialogs
Select the previously generated CSR and click on Download and save the file to your local PC
Submit the CSR to your Certificate authority for signing
NOTE: the certificate HAS TO BE exported as Base 64 encoded certificate

12. Import the signed certificate
On NetScaler expand Traffic Management > SSL and click on Certificates
Click on Install
Enter a name for the certificate
In the Install Certificate dialog browse to the signed certificate
Select the same key used for the CSR
Enter the password for the key

13. Configure AG VIP via the Wizard
Click on NetScaler Gateway
Click on Configure NetScaler Gateway for Enterprise Store
Configure the following settings
Name: Name for the VIP
IP Address: Enter 192.9.210.53 (The AG-VIP is the public reachable IP

14. From the Certificate dropdown select the certificate you imported earlier
Click Continue

15. Configure your LDAP settings. Select Configure New and enter the applicable information
Click Continue

16. Configure your AppController
Enter the FQDN of your xmob.finolexind.com
Click Done

17. Configure LB-VIP for access to the XMDM
Configure the Services for port 80, 443 & 8443
Expand Traffic Management > Load Balancing
Click on Services
Click on Add

18. Configure the following settings
Service Name: 80
Server: The IP address of your XMDM server
Protocol: SSL_BRIDGE
Port: 80
Available Monitors: tcp (Move from the left to the right)

Repeat Step 2 & 3 for 443 and 8443

Service Name: 443
Server: The IP address of your XMDM server
Protocol: SSL_BRIDGE
Port: 443
Available Monitors: tcp (Move from the left to the right)

Service Name: 8443
Server: The IP address of your XMDM server
Protocol: SSL_BRIDGE
Port: 8443
Available Monitors: tcp (Move from the left to the right)

19. If your XMDM is already configured your services should show as Up

20. Configure the Virtual Server and bind the services
In the left pane click on Virtual Servers
In the right pane click on Add

21. Configure the following settings
Name: LB-SRV-80
IP Address: Enter the public reachable IP address for your LB-VIP
Protocol: SSL_BRIDGE
Port: 80
Active Services: Select Service for port 80

Repeat step 6 with the following information

Name: LB-SRV-443
IP Address: Enter the public reachable IP address for your LB-VIP
Protocol: SSL_BRIDGE
Port: 443
Active Services: Select Service for port 443

Name: LB-SRV-8443
IP Address: Enter the public reachable IP address for your LB-VIP
Protocol: SSL_BRIDGE
Port: 8443
Active Services: Select Service for port 8443

22. If your ports are already configured to forward to the IP all services should show as Up
You can test this by browsing to the public IP http://mobile.finolexwater.com/ZDM and you should see your XMDM logon screen
NOTE: The DNS entry for the Public reachable address pointing to the AG-VIP has to be the FQDN of the NetScaler matching the certificate installed
The DNS entry for the public reachable address pointing at the LB-VIP has to be the FQDN of the XMDM server matching the certificate installed
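
The certificate requirements from steps 9 to 12 and from the DNS note above can be checked before a signed certificate is installed. The script below is an added example, not part of the original guide: it assumes an admin workstation with the openssl command line tool, and the key pairs, file names and host names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-install checks for a CA-signed certificate.
# All file names and host names below are constructed for the demo.

# Public key (PEM) of a private key file. $2 is an optional openssl
# -passin source for a passphrase-protected key, e.g. file:/path/to/pass.
key_pubkey() { openssl pkey -in "$1" -passin "${2:-pass:}" -pubout 2>/dev/null; }

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True when the certificate was issued for this private key.
cert_matches_key() {  # cert key [passin]
    k=$(key_pubkey "$2" "$3") || return 1
    c=$(cert_pubkey "$1") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the file is Base64 (PEM) encoded rather than binary DER.
cert_is_pem() { grep -q '^-----BEGIN CERTIFICATE-----' "$1"; }

# True when the certificate's SAN (or CN, if it has no SAN) covers the FQDN.
cert_covers_host() {  # cert fqdn
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run all checks; the return code identifies the first failure.
preflight() {  # cert key fqdn [passin]
    cert_is_pem "$1" || { echo "FAIL: $1 is not Base64/PEM"; return 1; }
    cert_matches_key "$1" "$2" "$4" || { echo "FAIL: key mismatch"; return 2; }
    cert_covers_host "$1" "$3" || { echo "FAIL: $3 not in certificate"; return 3; }
    echo "OK: certificate matches key and covers $3"
}

# --- Constructed sample data: two throwaway self-signed pairs ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mk_pair() {  # basename common-name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$DEMO/$1.key" -out "$DEMO/$1.pem" 2>/dev/null
}
mk_pair gw gateway.example.test
mk_pair other other.example.test
openssl x509 -in "$DEMO/gw.pem" -outform DER -out "$DEMO/gw.der"

preflight "$DEMO/gw.pem" "$DEMO/gw.key"    gateway.example.test
preflight "$DEMO/gw.der" "$DEMO/gw.key"    gateway.example.test || true
preflight "$DEMO/gw.pem" "$DEMO/other.key" gateway.example.test || true
preflight "$DEMO/gw.pem" "$DEMO/gw.key"    mdm.example.test     || true
```

Run against real files, `preflight` takes the signed certificate, the key created for the CSR, and the public FQDN that DNS will point at the VIP; a non-zero return code means the install or the later client connection would fail.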

Appendix:
The appendix contains additional optional exercises to deepen the hands-on experience with the XenMobile solution.

Appendix 1: Application Approval Workflow
Overview
In this exercise you will configure Workflow Approval for Applications

Step by step guidance
Estimated time to complete this lab: 30 minutes.

1. Log back into the AppController Management Console
Username: Administrator
Password: Citrix123 (or the password of your Choice)

2. Once you are logged in, click Workflow in the top menu

3. At the left hand corner of the screen, click Add Workflow

4. Type a Name in the Workflow name field

5. In the Levels of manager approval field, select 1 level for approval from the immediate manager. Selecting level 2 or 3 makes the manager's managers additional approvers

6. Notice the new Workflow created

7. Under the Apps & Docs tab, click on Web & SaaS App in the left panel
Click the large green plus sign

8. Select Salesforce from the App Catalog

9. Make the appropriate changes to the settings
Click Next

10. Check Requires approval
Select Salesforce from the dropdown
Click Next

11. Apply final policy settings as applicable
Click Save

12. You are done configuring Workflows for Applications

Appendix 2: Delegating Administrative Tasks to Users
Overview
In this exercise you will bind different administrative access privileges to users within the organization

Privileges Categories
1. AppMngnt: Add Application, View Application Details, Modify Application Details, Fetch Application, Sync Application, Delete Application, Reset Password, Save User Credentials, Create User Account, Delete User Account, Disable User Account, Enable User Account, Reconcile User Account, Unreconcile User Account, Clear User Account password
2. UsrMgmt: Unlock User Account, Reset AD Password, View User Details, View User Details By Filter
3. RoleMgmt: Add Role, View Role By Name, View Roles By Filter, Delete Role, Modify Role
4. ConnectorMgmt: Add Connector, View Connector, Delete Connector, Upload Connector Library
5. WorkFlowMgmt: Add Connector, View Connector, Delete Connector, Upload Connector Library
6. PrivMgmt: Add Delegated Admin, Modify Delegated Admin Details, View Delegated Admins, Delete Delegated Admin, Create DA Role, Delete DA Role, Modify DA Role
7. ConfigMgmt: View Config Details, Modify Config Details, Add Category, Delete Category, Import Certificate, Delete Certificate
8. MasterListMgmt: View Master User List, Modify Master User List, Save Master

Step by step guidance
Estimated time to complete this lab: 25 minutes.

Navigate to the Win7Client console tab.
Open Internet Explorer and enter https://filmdmapp.finolexind.com:4443/admin in the address bar. Log in using the following credentials:
User Name: Administrator
Password: ctx@1234 (or the password of your Choice)

Expand the Delegated Administration in the left panel

Select Delegated Admins
Click Add in the bottom left corner. In the User List window, highlight Manager, Boss then click Add. When prompted to add, click Yes

Click Delegated Admin Roles in the left panel
Click Add in the bottom left corner. In the Add Role window, enter the following:
Name: Help Desk
Description: Help Desk Support
Click Create

local_policy.jar
US_export_policy.jar

Highlight Help Desk from the Role category
Click Bind Privileges located at the bottom of the screen. In the List of Privileges window, highlight UserMgmt then click Bind. When prompted, click Yes

Check Modify and Monitor. Then, click OK
Click Logout at the top right corner

Log back in to the admin page using the following credentials:
User Name: Administrator
Password: ctx@1234 (or the password of your Choice)
Domain: <Leave as is>
View: Manager Users

Double-click on manager@training.lab

See the management options available for Manager

Appendix 3: Configuring Split Tunneling SSL VPN Policy
Overview
Split Tunneling is an SSL VPN feature of NetScaler AGEE. Split tunneling allows administrators to set criteria for how the client directs traffic: through the VPN tunnel or through its local network. Other scenarios may exist where all traffic must be directed through the VPN tunnel for security reasons.

Step by step guidance
Estimated time to complete this lab: 25 minutes.

From the Win7Client VM console, open Internet Explorer and navigate to http://192.9.210.45
Log in using the following credentials:
User Name: nsroot
Password: nsroot

Click Access Gateway > Policies > Session. Click the Profile tab at the top. Double-click prof_native and click the Client Experience tab. Under Split Tunnel, select ON from the drop-down menu
Click OK

In the left panel, expand Resources. Click Intranet Applications
Click Add on the bottom left corner. Enter the following parameters:
Name: Split Tunnel
Interception Mode: Transparent
Select the Specify an IP Address Range radio button
IP Start: 192.9.210.1
IP End: 192.9.210.254
Click Create then Close

Click DNS Suffix in the left panel
Click Add in the bottom left corner. Enter finolexind.com as the DNS Suffix
Click Create then Close

Click Virtual Servers from the left panel
Highlight mobile.finolexwater.com
Click Open on the bottom left corner. Click the Intranet Applications tab. Highlight Split Tunnel and then click Add >
Click OK

Click Access Gateway in the left panel. Click Active user sessions
You can now monitor your session traffic and split traffic connections
