Citrix TechEdge 2014 - Troubleshooting Top Issues with XenMobile Enterprise Edition


XenMobile Enterprise Edition includes multiple Citrix components which can result in many different integration issues. In this session we will review the top integration issues and discuss the recommended troubleshooting and prevention steps for each issue.

What you will learn:
- Device Manager and App Controller integration best practices
- NetScaler configuration troubleshooting - SSL Bridge vs. SSL Offloading
- Device Manager enrollment - using a 3rd party certificate

  • Good afternoon everyone and welcome to the afternoon sessions at TechEdge.
  • Here are the core components of which a XenMobile Enterprise solution usually consists.

    The device represents an external mobile device, be it a tablet or a smartphone. On the device, the user has installed Worx Home in order to access the XenMobile environment. Worx Home is a single unified app that supports both XenMobile device management (MDM) enrollment of the device and a mobile application management (MAM) mode, with the ability to deliver apps to the device. Worx Home can be seen as the orchestrator app through which users gain access to their work apps and data (mobile, web, SaaS and even Windows apps); it also manages encryption keys, provides micro-VPN sessions and enforces MDX policies.
    As the device is usually on an untrusted network (3G, 4G or public Wi-Fi), we place a NetScaler between the external environment and the internal one. The NetScaler load balancer is used to load balance multiple Device Manager servers and to terminate the external connection, allowing the MDM server to sit on the internal network. The NetScaler also provides the SSL VPN gateway, so that user authentication happens at the perimeter.
    We also have App Controller on the internal network for application management; this is where you deploy the Worx applications, configure the application policies and decide who gets access to which applications through AD group membership entitlement rules.

    Now, in terms of authentication flow, on first use (next slide)
  • the user either enters their email address, which drives an autodiscovery lookup to identify the right backend MDM server to connect to, or enters the server URL themselves. Another option is an invitation URL which the user clicks to open the logon page.
    Regardless of the enrollment method, the user provides credentials that allow the MDM server to identify them. This could be the AD username and password or a one-time passcode: something that lets the MDM server establish who the user is.
  • This drives a connection to the NetScaler load balancer. Specifically, we have two SSL virtual servers, one on port 443 and the other on port 8443. With XenMobile 8.6 the NetScaler load balancer can perform SSL offload for the connection: the load balancer terminates TLS and opens a new connection over plain HTTP on port 80 to the XDM server, which now resides on the internal network. Because that second leg is unencrypted, the network segment between NetScaler and XDM has to be one you trust, and the server certificate and cipher configuration that devices see now live on the NetScaler vservers rather than on XDM.

    Another benefit of this configuration is that SSL offload on the NetScaler takes the TLS work off the XDM servers, saving a lot of CPU time and allowing better scalability, and it makes the NetScaler the de facto authentication point for all XenMobile traffic.
  • The traffic to XenMobile Device Manager carries the user credentials, which allow Device Manager to identify and authenticate the user. Once the user has been authenticated over an LDAP connection, Device Manager enrolls the device and keeps track of it using a device certificate that is installed on the user's device as part of enrollment.

    Once the device is enrolled, Device Manager creates an internal mapping between the user's LDAP identity and the device identity, which is verified by the device certificate issued during enrollment. This mapping allows any policies associated with that user account to be deployed to the device, along with any applications and additional security settings, including the NetScaler Gateway virtual server URL.

    After MDM enrollment, Worx Home tries to authenticate to the NetScaler Gateway virtual server, which protects access to XenMobile App Controller and all Worx applications, using the gateway URL it received from Device Manager after enrollment.
  • The gateway uses the user credentials received from Worx Home to authenticate the user. With XenMobile 8.6 we introduced multi-domain support for App Controller, and it is the NetScaler Gateway that is responsible for authenticating users against each of the configured domains.
  • After the NetScaler validates the user's identity, it triggers an internal request to App Controller carrying the user's ID and domain.
    App Controller looks up the user's group membership in AD to identify which set of apps the user is entitled to, and uses this information to populate a built-in web store with the list of applications the user has access to.

    1. Troubleshooting XenMobile Enterprise. Karen Sciberras and Adolfo Montoya, May 2014. Deep dive: Authentication Flow
    2. © 2014 Citrix. Confidential. Agenda: Authentication flow from Worx Home to Worx Store; Single Sign-on process between NetScaler Gateway and App Controller; 'Step-up' authentication for Worx apps
    3. XenMobile Enterprise Authentication flows
    4. Authentication flow (diagram labels: Device, Worx Home (MDM, MAM), NetScaler (Load Balancer, Gateway), Active Directory, XDM, App Controller)
    5. Authentication flow (diagram)
    6. Authentication flow (diagram): Device to NetScaler Load Balancer over HTTPS 443 (SSL Offload vServer 1) and HTTPS 8443 (SSL Offload vServer 2); NetScaler to XDM over HTTP 80 from each vServer
    7. Authentication flow (diagram): User mapped to Device Identity
    8. Authentication flow (diagram): NetScaler Gateway to Active Directory
    9. Authentication flow (diagram): Worx Mail, Worx Web, MDX Apps and Office HD behind NetScaler Gateway
    10. Troubleshooting: Obtaining XenMobile Device Manager logs (accessing the helper.jsp console)
    11. Troubleshooting (no further text on slide)
    12. Troubleshooting: Obtaining XenMobile Device Manager logs (accessing the helper.jsp console); Worx Home logs (same process to obtain MDX logs)
    13. Troubleshooting (no further text on slide)
    14. Troubleshooting: Obtaining XenMobile Device Manager logs (accessing the helper.jsp console); Worx Home logs (same process to obtain MDX logs); Reading Worx Home logs (MDM and MAM logs)
    15. (no text on slide)
    16. NetScaler Gateway and XM App Controller: How Single Sign-on Works
    17. How does Single Sign-on work? (diagram): Worx Home sends the username/password to NetScaler Gateway; the gateway validates the credentials against Active Directory ("Is user valid?" / "Credentials valid!"); the gateway then starts the SSO process with App Controller
    18. How does Single Sign-on work? (diagram): the request to App Controller carries the HTTP headers X-Citrix-Via, X-Citrix-Gateway and X-Citrix-Via-VIP; once the gateway is trusted, App Controller performs single sign-on
    19. What are these HTTP headers for? XenMobile App Controller needs to trust the incoming communication from NetScaler Gateway, so the HTTP headers are very important.
        Client-side (Worx Home) HTTP header:
          • X-Citrix-Gateway: NetScaler Gateway FQDN
        NetScaler-side HTTP headers:
          • X-Citrix-Via: NetScaler Gateway FQDN
          • X-Citrix-Via-VIP: NetScaler Gateway VIP
    20. Why HTTP headers? The X-Citrix-Via HTTP header. These values provide the key information App Controller uses for trust verification; the X-Citrix-Via value needs to match the External URL.

            POST /Citrix/StoreWeb/Authentication/Login HTTP/1.1
            Host: appc.amc.ctx
            …….
            X-Citrix-Via: ag.amc.ctx
            X-Citrix-Via-VIP: 172.16.0.63
            X-Forwarded-For: 10.12.59.17

        X-Citrix-Via = External URL!
    21. Why HTTP headers? The X-Citrix-Via-VIP HTTP header. This header is valuable in a multiple NetScaler Gateway setup: it tells App Controller which NetScaler Gateway VIP to contact for SSO (same request as on slide 20, with X-Citrix-Via-VIP: 172.16.0.63).
    22. What to check? NetScaler and App Controller. (App Controller) Ensure the External URL is correct. (NetScaler) Ensure WIHome contains the App Controller URL for the RfWeb site.
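The trust decision described on the single sign-on slides above (and in the speaker notes on the gateway-to-App Controller request) can be made concrete with a small model. The code below is an added example, not Citrix code, and does not reproduce App Controller's actual implementation: it assumes the rule is "X-Citrix-Via must equal the External URL configured on App Controller, and X-Citrix-Via-VIP must name a configured gateway VIP", and it uses constructed hostnames, VIPs and requests (the first request mirrors the one shown on slide 20).

```python
"""
Added example (not Citrix code): a model of the NetScaler Gateway ->
XenMobile App Controller trust check described on the SSO slides.

App Controller should start single sign-on only for requests that arrived
through a trusted NetScaler Gateway. The gateway identifies itself with two
headers: X-Citrix-Via (gateway FQDN, must equal the External URL configured
on App Controller) and X-Citrix-Via-VIP (the gateway VIP to contact for SSO).
Hostnames, VIPs and request samples below are constructed for the example;
the matching rules are this example's own reading of the slide text.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AppControllerConfig:
    external_url: str             # "External URL" setting on App Controller (assumed name)
    gateway_vips: FrozenSet[str]  # VIPs of the NetScaler Gateway vservers (assumed)


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP/1.1 request, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def _same_host(a: str, b: str) -> bool:
    # DNS names are case-insensitive; a trailing dot does not change the name.
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def gateway_trust_check(headers: Dict[str, str],
                        config: AppControllerConfig) -> Tuple[bool, str, Optional[str]]:
    """Decide whether SSO may start. Returns (trusted, reason, vip_to_contact)."""
    via = headers.get("x-citrix-via")
    if via is None:
        return False, "X-Citrix-Via missing: request did not come via NetScaler Gateway", None
    if not _same_host(via, config.external_url):
        return (False,
                f"X-Citrix-Via {via!r} does not match External URL {config.external_url!r}",
                None)
    vip = headers.get("x-citrix-via-vip")
    if vip is None:
        return False, "X-Citrix-Via-VIP missing: no gateway VIP to contact for SSO", None
    try:
        vip = str(ipaddress.ip_address(vip))     # normalise, reject non-addresses
    except ValueError:
        return False, f"X-Citrix-Via-VIP {vip!r} is not an IP address", None
    if vip not in config.gateway_vips:
        return False, f"X-Citrix-Via-VIP {vip} is not a configured gateway VIP", None
    return True, "gateway trusted, perform single sign-on", vip


def _request(*lines: str) -> str:
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed samples. The first mirrors the request shown on slide 20.
GOOD_REQUEST = _request(
    "POST /Citrix/StoreWeb/Authentication/Login HTTP/1.1",
    "Host: appc.amc.ctx",
    "X-Citrix-Via: ag.amc.ctx",
    "X-Citrix-Via-VIP: 172.16.0.63",
    "X-Forwarded-For: 10.12.59.17",
)
# Misconfiguration from slide 22: External URL on App Controller does not match the gateway FQDN.
WRONG_VIA_REQUEST = GOOD_REQUEST.replace("ag.amc.ctx", "ag-old.amc.ctx")
# A client that reached App Controller without passing through the gateway.
DIRECT_REQUEST = _request(
    "POST /Citrix/StoreWeb/Authentication/Login HTTP/1.1",
    "Host: appc.amc.ctx",
)

CONFIG = AppControllerConfig(external_url="ag.amc.ctx",
                             gateway_vips=frozenset({"172.16.0.63", "172.16.0.64"}))


def evaluate(raw_request: str, config: AppControllerConfig = CONFIG):
    """Parse a raw request and run the trust check against the given config."""
    return gateway_trust_check(parse_request_headers(raw_request), config)


if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST),
                      ("wrong External URL", WRONG_VIA_REQUEST),
                      ("direct", DIRECT_REQUEST)):
        trusted, reason, vip = evaluate(req)
        print(f"{name:20s} trusted={trusted} vip={vip} ({reason})")
```

Two things follow from the model that matter when troubleshooting. First, the mismatch case is exactly the slide 22 check: if the External URL on App Controller is not the gateway FQDN that NetScaler writes into X-Citrix-Via, SSO never starts even though the gateway authenticated the user. Second, these headers are only worth trusting because App Controller sits on the internal network behind the NetScaler (as in the architecture slides); anything that can reach App Controller directly can write the same headers itself, so the network placement is part of the trust model, not just the header values.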
    23. Step-up Authentication Policy
    24. Benefits: a new MDX application policy introduced with App Controller 2.9. It allows users to authenticate through a particular NetScaler Gateway vServer, is configured on a per-application basis, and prompts users for additional credentials, such as an RSA token.
    25. Troubleshooting (no further text on slide)
    26. Further Reading:
          • Worx Home - User Authentication and Communication Flow - http://www.citrix.com/tv/#videos/9438
          • XenMobile: WorxWeb Single Sign On with NetScaler - http://blogs.citrix.com/2013/12/24/xenmobile-worxweb-single-sign-on-with-netscaler/
          • XenMobile 8.6 - Understanding Authentication Timeout Values - http://support.citrix.com/article/CTX139600
          • Enrollment Process for XenMobile - http://support.citrix.com/article/CTX139029
          • Myth Buster: NetScaler Gateway MicroVPNs – multiple tunnels? - http://blogs.citrix.com/2013/09/13/myth-buster-netscaler-gateway-microvpns-multiple-tunnels/
          • XenMobile Logs Collection Guide - http://support.citrix.com/article/CTX139421
    27. Take Aways: the authentication process from server URL to Worx Store; using the helper.jsp console to obtain XenMobile Device Manager logs; obtaining Worx Home and MDX application logs from Worx Home; reading a log file; how single sign-on works between NSG and App Controller and the different HTTP headers used; step-up authentication
    28. @XMtipster | @XMinformer
    29. WORK BETTER. LIVE BETTER.
