Fronting XenMobile MDM with NetScaler
This article focuses on the integration of the Citrix MDM and NetScaler product lines.

Placing a NetScaler appliance in front of your device manager provides a flexible and secure delivery platform for an optimal MDM solution.

http://blogs.citrix.com/2013/03/12/fronting-xenmobile-mdm-with-netscaler/

Document Transcript

  • ARCHITECTURE | XenMobile Reference Architecture: XenMobile with NetScaler. Configuration Guide for Establishing NS Load Balancing Front End. www.citrix.com
  • Table of Contents

    Table of Contents (2)
    Introduction (3)
    Network Flow Diagram (4)
    XenMobile Port Table (4)
    Load Balancing Configuration on NetScaler (7)
    Conclusion (17)
    Additional Links (17)
    Key Contributors (17)
    Disclaimer (18)

    XenMobile on NetScaler Reference Architecture
  • Introduction

    Citrix Systems' offering of XenMobile is a comprehensive solution portfolio designed to enable customers to experience the benefits of Mobile Device Management while maintaining secure access to applications and desktops.

    The purpose of this document is to provide a reference architecture for placing a NetScaler in front of your XenMobile MDM solution. This allows the XenMobile Device Manager (XDM) to be placed within the walls of your datacenter, leaving the NetScaler appliance in the DMZ, and so allows for a secure and scalable rollout of your MDM solution.

    We will walk through several diagrams to prepare for the configuration steps near the conclusion of this document. This document covers configuration of the load balancing VIPs and not the overall setup of the NetScaler. For additional resources around the NetScaler and other configurations, please visit the "Additional Links" section at the end of this document. Below (Diagram 1.1) is a basic architecture of the XenMobile environment before the addition of the NetScaler.

    Diagram 1.1 (figure): basic architecture of the XenMobile environment before the addition of the NetScaler.
  • Network Flow Diagram

    In the basic diagram below, we are showing the key ports within the function of the MDM solution. A full description of the ports required for the solution is laid out in the ports table. A quick summary of the current diagram is that ports 80 and 443 are used by iOS, Android and Windows devices for communication.

    With regards to port 8443, Apple iOS uses this for over-the-air registration of the device with the XDM. The use of the server FQDN will also make use of this port. This FQDN is key, as it has been registered with the Apple Push Notification Service.

    Diagram 1.2 (figure): A basic diagram of the network flow for NetScaler and XenMobile. Zones shown: Internet zone; corporate DMZ zone (NetScaler LB); corporate LAN zone (XenMobile Device Manager, MS SQL Server, Active Directory/LDAP, Microsoft CA or PKI entity). Flows shown: TCP 80, 443 and 8443 from the Internet to the NetScaler LB and from the NetScaler LB to the XenMobile Device Manager; TCP 1433 from the Device Manager to MS SQL Server; LDAP/S (TCP 389/636) to Active Directory/LDAP; HTTPS (TCP 443) to the Microsoft CA or PKI entity.

    XenMobile Port Table

    This table is designed to guide the XenMobile Administrator and Network Administrator through the TCP/IP port requirements for the Device Manager Server and mobile device agent connections.

    XenMobile Device Manager Firewall Port Requirements

    | TCP Port | Description | Source | Destination |
    | --- | --- | --- | --- |
    | 25 | By default, the XDM SMTP configuration of the Notification Service uses port 25. However, if your corporate SMTP server uses a different port, make sure that your corporate firewall does not block that port. | XenMobile Device Manager Server | Corporate SMTP Server |
    | 80 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile) | Internet | XenMobile Device Manager Server |
    | 80 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile), ZDM Web Console, ZDM Remote Support Client | Corporate LAN and Wi-Fi | XenMobile Device Manager Server |
    | 80 | ZDM Server Enterprise App Store connection to Apple iTunes App Store (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the available iOS applications within the Web Console and iOS Agent. | XenMobile Device Manager Server | Apple iTunes App Store (ax.itunes.apple.com) |
    | 80 or 443 | XenMobile Device Manager Nexmo SMS Notification Relay outbound connection | XenMobile Device Manager Server | Nexmo SMS Relay server |
    | 389 or 636 | LDAP/LDAPS connection from ZDM Server to Directory Service Host (Active Directory Global Catalog server or equivalent LDAP directory service host) | XenMobile Device Manager Server | LDAP / Active Directory Services |
    | 443 | SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android and Windows Mobile) | Internet | XenMobile Device Manager Server |
    | 443 | SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related traffic and data connections (iOS, Android and Windows Mobile), ZDM Web Console | Corporate LAN and Wi-Fi | XenMobile Device Manager Server |
    | 1433 | Remote database server connection to separate SQL Server (optional) | XenMobile Device Manager Server | SQL Server |
    | 2195 | Apple APNS (Push Notification Service) outbound connection to gateway.push.apple.com, used for iOS device notifications and device policy push | XenMobile Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8) |
    | 2196 | Apple APNS (Push Notification Service) outbound connection to feedback.push.apple.com, used for iOS device notifications and device policy push | XenMobile Device Manager Server | Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8) |
    | 5223 | Apple APNS (Push Notification Service) outbound connection from iOS devices connected via Wi-Fi network to *.push.apple.com service | iOS device on Wi-Fi network | Internet |
    | 8443 | Over-the-Air (OTA) Enrollment for iOS Devices only | Corporate LAN and Wi-Fi | XenMobile Device Manager Server |
    | App Tunnel Ports | Mobile App Tunnel Ports (Android and Windows Mobile) to destination internal Application Server via the ZDM Server (all ports are individually defined for each Mobile App Tunnel used by a Device through a ZDM Device Configuration Policy) | Internet | XenMobile Device Manager Server |

    Note 1: Corporate LAN traffic outbound to the DMZ and the Internet is assumed to be allowed.

    PLEASE NOTE: When using Remote Support or Mobile App Tunnel (Android and Windows Mobile), the following traffic needs to be open at the firewall:

    | TCP Port | Description | Source | Destination |
    | --- | --- | --- | --- |
    | 8081 | Remote Support Console default server inbound connection (depending on the Remote Support Tunnel definition) | Remote Support Console | XenMobile Device Manager Server |
    | 80 or 443 | Remote Support Console access to ZDM to retrieve device list | Remote Support Console | XenMobile Device Manager Server |
    | Tunnel port | Mobile Application Tunnel access to Application Server (port configured in the tunnel definition) | XenMobile Device Manager Server | Internal Application Server |
  • Load Balancing Configuration on NetScaler

    This section covers the required load balancing configuration on the NetScaler for use with XenMobile. For links to other possible configurations, please see the Additional Links section at the end of this document. To begin, the first step of this process is to create the "Servers" entry in the load balancing section of the NS console. Add the name of the server and the internal IP address to which the NetScaler will be routing the traffic.

    Create your "XenMobile Server" that you are load balancing.

    After you have created the entry for the XenMobile server, create your services for the 3 major ports as depicted in Diagram 1.2. The screen shots below have incorporated the port number into the name for easy reference. All three services will be pointing to the same server. The screen shots only show tabs with information that has been edited.

  • Create our Services:

    Here is the basic setup for the services over port 80. Basic information for the port 80 monitor; all other tabs are configured as default.

  • Basic setup of the services for port 443. Configure the monitor for port 443; all other tabs are configured as default.

  • Basic setup of services for port 8443. Configure the services for port 8443; all other tabs are configured as default.

    The final step is to create the Virtual Servers using the Load Balancing Services and Server(s) that were previously configured. We have named each Virtual Server after its task, in line with the port table above. Configure your virtual servers:

  • For the enrollment Virtual Server (port 443), we place a check next to the proper service that was set up. We then set the "Method and Persistence" tab to "Least Connection" and "SSLSESSION" with a timeout of 2 minutes. The IP address listed is the address accessible in the DMZ address space. This IP address will be registered with DNS; please verify that devices on the corporate LAN environment can be routed to this virtual server.

    Configure your XenMobile_Enroll (443) virtual server with your external/DMZ IP address.

  • Configure the Method and Persistence as before. The same process is followed for the creation of the Virtual Servers for ports 8443 and 80.

  • Configure 8443 (profiles for iOS) with the same external IP.

  • Configure Profiles, Method and Persistence.

  • Configure the Virtual Server for port 80 (Console) settings.

  • Configure Console, Method and Persistence.
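    The same server, service and virtual server objects as NetScaler CLI commands, written here as an added example; it is not part of the Citrix document and not Citrix's own configuration. The back-end address 10.0.0.10 and the DMZ VIP 192.0.2.10 are placeholders. The service types (SSL_BRIDGE for 443 and 8443, HTTP for 80), the built-in monitors, and the vserver names XenMobile_Profiles and XenMobile_Console are assumptions; only the name XenMobile_Enroll and the Least Connection / SSLSESSION / 2-minute persistence settings come from the document. The port 80 vserver uses SOURCEIP persistence instead, because SSLSESSION persistence applies only to SSL-type virtual servers.

```nscli
# Back-end XenMobile Device Manager on the corporate LAN (placeholder address)
add server XenMobile_Server 10.0.0.10

# One service per port, all pointing at the same server.
# SSL_BRIDGE passes TLS through untouched (assumed; see note below).
add service XenMobile_80   XenMobile_Server HTTP       80
add service XenMobile_443  XenMobile_Server SSL_BRIDGE 443
add service XenMobile_8443 XenMobile_Server SSL_BRIDGE 8443

# Health monitors: built-in http for the port 80 service, built-in tcp for
# the bridged SSL services (assumed choice; a content-aware monitor is better
# once you know which URL the XDM should answer with 200)
bind service XenMobile_80   -monitorName http
bind service XenMobile_443  -monitorName tcp
bind service XenMobile_8443 -monitorName tcp

# Virtual servers on the DMZ-facing VIP (placeholder address).
# -timeout is the persistence timeout in minutes.
add lb vserver XenMobile_Enroll   SSL_BRIDGE 192.0.2.10 443  -lbMethod LEASTCONNECTION -persistenceType SSLSESSION -timeout 2
add lb vserver XenMobile_Profiles SSL_BRIDGE 192.0.2.10 8443 -lbMethod LEASTCONNECTION -persistenceType SSLSESSION -timeout 2
add lb vserver XenMobile_Console  HTTP       192.0.2.10 80   -lbMethod LEASTCONNECTION -persistenceType SOURCEIP   -timeout 2

bind lb vserver XenMobile_Enroll   XenMobile_443
bind lb vserver XenMobile_Profiles XenMobile_8443
bind lb vserver XenMobile_Console  XenMobile_80

# Check that every service reports UP before pointing DNS at the VIP
show lb vserver XenMobile_Enroll
show lb vserver XenMobile_Profiles
show lb vserver XenMobile_Console
save ns config
```

    SSL_BRIDGE is assumed for 443 and 8443 so that the NetScaler does not terminate TLS: devices still see the XDM server's own certificate for the FQDN registered with APNS, and any certificate-based agent authentication stays end-to-end. The trade-off is that the NetScaler can then only do TCP-level health checks and SSL-session or source-IP persistence on those ports. Note also that the port table lists ZDM Web Console access on port 80 only from the corporate LAN and Wi-Fi, while this VIP exposes port 80 to the Internet for Android and Windows enrollment; restrict console reachability on the external VIP accordingly.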
  • Conclusion

    This completes the configuration for front-ending the XenMobile MDM environment with NetScaler. Load balancing of all essential ports for the XenMobile server is complete.

    Additional Links

    Below is a list of additional links for other configurations:

    Citrix XenMobile Solutions: http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-page-con.html
    XenMobile MDM eDocs: http://support.citrix.com/proddocs/topic/cloudgateway/xmob-mdm-landing-page-con.html
    Deploying Mobility Solutions Bundle Components: http://support.citrix.com/proddocs/topic/clg-deployment/clg-deployment-cloudgateway-options-con.html

    Key Contributors

    Josh Fleming, Senior Systems Engineer: Author
    Jon Eugenio, Senior Systems Engineer: Content Contributor and Reviewer
    Florin Lazurca, Senior Architect: Content Contributor
  • Disclaimer

    THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

    Copyright © 2013 Citrix Systems Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Citrix Systems Inc. is strictly forbidden. For more information, contact Citrix Systems.

    Citrix, the Citrix logo, and the Citrix badge are trademarks of Citrix Systems Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products.

    INTERNAL TRACKING LAST EDIT: 12-MAR-2013 JF/JCE