XenMobile Packet Flow

The purpose of this document is to illustrate a high level overview of the traffic flow between Enroll / Worx Home / Receiver, Netscaler, XenMobile Device Manager, and XenMobile AppController.

Citrix Systems, Inc. © 2013
XenMobile Packet Flow | Citrix MPG Marketing

XenMobile Packet Flow
Contents

Introduction
Authentication Sequence with Access Gateway
MDM Enrollment Sequence iOS
MDM Enrollment Sequence Android
External Access Sequence to XMA
Internal Access Sequence to AppController
Introduction

The purpose of this document is to illustrate a high-level overview of the traffic flow between Enroll / Worx Home / Receiver, NetScaler, XenMobile Device Manager (XDM), and XenMobile AppController (XMA).

The AppController sequence assumes that the environment has the following constraints:

1. NetScaler:
   - Is deployed in the DMZ
   - Has access to Active Directory on port 389 or 636
   - Has access to XMA on ports 443 and 80
2. AppController:
   - Has access to Active Directory on port 389 or 636
3. Users:
   - Have mobile devices that are connected to an external network (Wi-Fi / 3G or 4G) and can communicate directly with XMA on ports 443 and 80

The MDM sequence for Android does not require an APNS certificate or an Apple Developer Account; these are required only for iOS.
Authentication Sequence with Access Gateway

1. User connects to Access Gateway
2. Access Gateway prompts the user to authenticate
3. User enters their Active Directory credentials
4. Access Gateway takes the user's credentials and verifies them with Active Directory
5. Active Directory responds with an authentication-successful message
6. Access Gateway creates a token and SSOs to XMA
7. XMA extracts the user's credentials from the token and uses them to verify the user with Active Directory
8. Active Directory responds with an authentication-successful message
9. XMA now makes a callback to Access Gateway to verify that the request originated there
10. Callback succeeds and the apps are enumerated
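The ten steps above as a runnable model, added for this page (it is not Citrix's code, token format or API). Active Directory, Access Gateway and XMA are in-memory objects; the user "alice", her password, the "Sales" group and the app names are constructed sample data; and the SSO token is modelled as an opaque random handle that the gateway remembers, so the step 9 callback reduces to asking the gateway whether it issued that handle. The point the model makes explicit is why step 9 exists: a token that carries valid AD credentials but was never issued by the gateway passes steps 7-8 and is still rejected.

```python
"""Model of the Access Gateway -> XMA authentication sequence.

Added example with constructed data; not Citrix's token format or API.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class ActiveDirectory:
    """Constructed sample directory: user -> (password, groups)."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[str, Set[str]]] = {
            "alice": ("Winter2013!", {"Sales"}),
        }

    def bind(self, user: str, password: str) -> bool:
        """Steps 4-5 and 7-8: simple bind, True on success."""
        entry = self.users.get(user)
        return entry is not None and entry[0] == password

    def groups(self, user: str) -> Set[str]:
        return self.users[user][1]


@dataclass(frozen=True)
class Token:
    user: str
    password: str   # step 7: XMA extracts the credentials from the token
    handle: str     # opaque identifier known only to the issuing gateway


class AccessGateway:
    def __init__(self, ad: ActiveDirectory) -> None:
        self.ad = ad
        self.issued: Set[str] = set()

    def logon(self, user: str, password: str) -> Optional[Token]:
        """Steps 1-6: authenticate against AD, then mint the SSO token."""
        if not self.ad.bind(user, password):
            return None
        token = Token(user, password, secrets.token_hex(16))
        self.issued.add(token.handle)
        return token

    def confirm(self, handle: str) -> bool:
        """Step 9 callback target: was this token really issued here?"""
        return handle in self.issued


class XMA:
    # Constructed role -> app mapping used for the step 10 enumeration.
    APPS = {"Sales": ["WorxMail", "SalesDashboard"]}

    def __init__(self, ad: ActiveDirectory, ag: AccessGateway) -> None:
        self.ad = ad
        self.ag = ag

    def sso(self, token: Optional[Token]) -> Optional[List[str]]:
        """Steps 7-10: re-verify credentials, call back to AG, enumerate apps.

        Returns the app list, or None if any check fails.
        """
        if token is None:
            return None
        if not self.ad.bind(token.user, token.password):   # steps 7-8
            return None
        if not self.ag.confirm(token.handle):              # step 9
            return None
        apps = [a for g in self.ad.groups(token.user) for a in self.APPS.get(g, [])]
        return sorted(apps)                                # step 10


def run_sequence(user: str, password: str) -> Optional[List[str]]:
    """Drive the whole sequence for one logon; None means access denied."""
    ad = ActiveDirectory()
    ag = AccessGateway(ad)
    xma = XMA(ad, ag)
    return xma.sso(ag.logon(user, password))


def forged_token_is_rejected() -> bool:
    """A token with valid AD credentials that AG never issued fails at step 9."""
    ad = ActiveDirectory()
    ag = AccessGateway(ad)
    xma = XMA(ad, ag)
    return xma.sso(Token("alice", "Winter2013!", "not-from-ag")) is None


if __name__ == "__main__":
    print(run_sequence("alice", "Winter2013!"))
    print(forged_token_is_rejected())
```

The callback is what ties the XMA session to a gateway logon: without it, anyone holding a user's AD credentials could present them to XMA directly and skip whatever the gateway enforces in steps 1-5 (such as a second factor).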
MDM Enrollment Sequence iOS

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Apple App Store | HTTP(S) | 443 / 80 | User downloads and installs Citrix Enroll on their mobile device
2 | Enroll | XDM | HTTPS / SSL | 443 | User enters credentials
3 | Enroll | XDM | HTTPS / SSL / DNS | 8443 | If a domain is specified in the user dialog, the app queries the Citrix NOC (discover.mdm.zenprise.com) to check whether an XDM server is registered for the domain
4 | Enroll | XDM | HTTPS / SSL | 8443 | If not found, the user is prompted for the XDM server name (FQDN)
5 | Enroll | XDM | HTTPS / SSL | 8443 | If found, the user is prompted for their password
6 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | User credentials are verified against the LDAP server
7 | Enroll | XDM | SSL | 8443 | If successful, the device is connected through a persistent, long-lived HTTPS connection
8 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | XDM verifies the user's group membership against the LDAP server
9 | XDM | Enroll | SSL | 8443 | User must accept the profiles pushed down over the HTTPS connection to the server (Root CA and MDM profile)
10 | XDM | APNS | APNS | 2195 | XDM initiates a connection to the APNS network to tell the device to wake up
11 | APNS | Enroll | SSL | 5223 | APNS delivers the push notification telling the device to call home to the XDM server
12 | Enroll | XDM | HTTPS / SSL | 443 | Device calls home to the XDM server
13 | XDM | APNS | APNS | 2196 | XDM requests acknowledgement of acceptance and status of the request via the APNS network
14 | XDM | Worx Home | HTTPS / SSL | 443 | Based on AD group membership, policies, applications and files are pushed to the device through the HTTPS connection
15 | XDM | APNS | APNS | 2196 | XDM requests acknowledgement of acceptance and status of the request via the APNS network
MDM Enrollment Sequence Android

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Google Play Store | HTTP | 80 | User downloads and installs Citrix Worx Home on their mobile device
2 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | User enters credentials
3 | Worx Home | XDM | HTTP / HTTPS / SSL / DNS | 443 / 53 | If a domain is specified in the user dialog, Worx Home queries the Citrix NOC (discover.mdm.zenprise.com) to check whether an XDM server is registered for the domain
4 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If not found, the user is prompted for the XDM server name (FQDN). No https:// prefix is needed in the server name
5 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If found, the user is prompted for their password
6 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | User credentials are verified against the LDAP server
7 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If successful, the device is connected through a persistent, long-lived HTTPS connection
8 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | XDM verifies the user's group membership against the LDAP server
9 | XDM | Worx Home | HTTPS / SSL | 443 | Based on AD group membership, policies, applications and files are pushed to the device through the HTTPS connection
10 | XDM | Worx Home | HTTP / HTTPS / SSL | Any port | A Geo Locate request is sent to the device through the persistent HTTPS connection from the server to the device
11 | - | - | No network activity | - | The device attempts to obtain a GPS lock via the onboard GPS chip. The user must have location services enabled for this to work
12 | Worx Home | XDM | HTTPS / SSL | 443 | If the device obtains a lock, it sends the result back to XDM. XDM does NOT do cell-tower location
13 | XDM | Worx Home | HTTPS / SSL | 443 | A wipe command is sent from the server to the device via the HTTPS connection initiated by the device
14 | Worx Home | XDM | HTTP / HTTPS / SSL | Any port | Worx Home acknowledges over the HTTPS connection that the command was received, ensures the server received the acknowledgement, and then wipes the device
External Access Sequence to XMA

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Apple App Store | HTTP | 80 | User downloads and installs Receiver on their mobile device
2 | Receiver | Access Gateway | HTTPS / SSL | 443 | User clicks Add Account and connects to Access Gateway
3 | Access Gateway | Receiver | HTTPS / SSL | 443 | Access Gateway (AG) verifies that the user is requesting a valid resource and then prompts the user to authenticate
4 | Receiver | Access Gateway | HTTPS / SSL | 443 | User authenticates using their AD credentials (and a one-time password, if configured)
5 | Access Gateway | Active Directory | LDAP / LDAPS | 389 / 636 | AG verifies the credentials by checking with AD
6 | Access Gateway | XMA | HTTPS / SSL | 443 | AG creates a token and SSOs to XMA
7 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA uses the token to authenticate the user against Active Directory
8 | XMA | Access Gateway | HTTPS / SSL | 443 | XMA then makes a callback to AG to verify that the authentication request originated at AG
9 | Receiver | XMA | HTTPS / SSL | 443 | If the authentication is successful, Receiver makes a GET request for the store information (.cr file)
10 | XMA | Receiver | HTTPS / SSL | 443 | XMA validates the endpoint, registers the device (Receiver), and pushes down the .cr file
11 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA checks that the user belongs to the correct role, i.e. group in AD
12 | XMA | Receiver | HTTPS / SSL | 443 | XMA sends the list of resources (an app icon for each resource) down to Receiver
13 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a resource such as a native mobile app
14 | XMA | Receiver | HTTP | 80 | XMA makes note of this subscription and then sends the app down to the mobile device
15 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (Formfill) application
16 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription and then prompts the user to provide Web/SaaS application credentials
17 | Receiver | XMA | HTTPS / SSL | 443 | User provides the credentials; XMA saves them in its local database
18 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a redirect to the endpoint device with the required form
19 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the form to the Web/SaaS application and is signed on
20 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (SAML) application
21 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription
22 | XMA | XMA | HTTPS / SSL | 443 | XMA saves the Web/SaaS app username in its local database
23 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a SAML token with a redirect to the endpoint device
24 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the token to the Web/SaaS application and is signed on
Internal Access Sequence to XMA

Step | From | To | Protocol | Port | Description
1 | Mobile Device | XMA | HTTP | 80 | User downloads and installs Receiver on their mobile device
2 | Receiver | XMA | HTTPS / SSL | 443 | User clicks Add Account and connects to XMA
3 | XMA | Receiver | HTTPS / SSL | 443 | XMA verifies that the user is requesting a valid resource and then prompts the user to authenticate
4 | Receiver | XMA | HTTPS / SSL | 443 | User authenticates using their AD credentials
5 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA verifies the credentials against Active Directory
6 | Receiver | XMA | HTTPS / SSL | 443 | If the authentication is successful, Receiver requests the store information (.cr file)
7 | XMA | Receiver | HTTPS / SSL | 443 | XMA validates the endpoint, registers the device (Receiver), and pushes down the .cr file
8 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA verifies the user's role group in AD
9 | XMA | Receiver | HTTPS / SSL | 443 | XMA sends the list of resources to Receiver
10 | Receiver | XMA | HTTP | 80 | User subscribes to a resource such as a native mobile app
11 | XMA | Receiver | HTTP | 80 | XMA makes note of this subscription and then sends the app down to the mobile device
12 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (Formfill) application
13 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription and then prompts the user to provide Web/SaaS application credentials
14 | Receiver | XMA | HTTPS / SSL | 443 | User provides the credentials; XMA saves them in its local database
15 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a redirect to the endpoint device with the required form
16 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the form to the Web/SaaS application and is signed on
17 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (SAML) application
18 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription
19 | XMA | XMA | HTTPS / SSL | 443 | XMA saves the Web/SaaS app username in its local database
20 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a SAML token with a redirect to the endpoint device
21 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the token to the Web/SaaS application and is signed on
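The four tables (iOS and Android enrollment, external and internal access to XMA) together define the firewall openings a deployment needs, and the practical check before go-live is whether each originating host can actually reach its peer on the listed TCP port. The script below is an added example, not a Citrix tool: it lists the distinct (source, destination, port) pairs from the tables and probes the ones that originate on the host it is run from. The hostnames in HOSTS are placeholders (assumed for this example, except discover.mdm.zenprise.com, which the tables name) and must be replaced with the deployment's real FQDNs; the APNS gateway name is Apple's published one. The device-to-APNS connection on 5223 is opened outbound by the device itself, so it is not probed here.

```python
"""Reachability check for the XenMobile flows tabulated above.

Added example, not Citrix's own tooling.  Hostnames are placeholders
(assumed values); replace them with the real FQDNs for the deployment.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumed hostnames for this example (discover.mdm.zenprise.com is from the tables).
HOSTS = {
    "xdm": "xdm.example.com",
    "xma": "xma.example.com",
    "ag": "ag.example.com",
    "ad": "dc01.example.com",
    "noc": "discover.mdm.zenprise.com",
    "apns": "gateway.push.apple.com",
}


@dataclass(frozen=True)
class Flow:
    name: str
    src: str      # which host the probe must run from
    dst: str      # key into HOSTS
    port: int


# One entry per distinct (source, destination, TCP port) in the four tables.
FLOWS = [
    Flow("Enroll/Worx Home -> XDM enrollment", "device", "xdm", 443),
    Flow("Enroll (iOS) -> XDM profiles/MDM", "device", "xdm", 8443),
    Flow("Enroll/Worx Home -> NOC autodiscovery", "device", "noc", 443),
    Flow("Receiver -> Access Gateway", "device", "ag", 443),
    Flow("Receiver -> XMA (external)", "device", "xma", 443),
    Flow("Receiver -> XMA app download", "device", "xma", 80),
    Flow("XDM -> AD LDAP", "xdm", "ad", 389),
    Flow("XDM -> AD LDAPS", "xdm", "ad", 636),
    Flow("XDM -> APNS 2195", "xdm", "apns", 2195),
    Flow("XDM -> APNS 2196", "xdm", "apns", 2196),
    Flow("XMA -> AD LDAP", "xma", "ad", 389),
    Flow("XMA -> AD LDAPS", "xma", "ad", 636),
    Flow("XMA -> Access Gateway callback", "xma", "ag", 443),
    Flow("Access Gateway -> XMA SSO", "ag", "xma", 443),
    Flow("Access Gateway -> AD LDAP", "ag", "ad", 389),
    Flow("Access Gateway -> AD LDAPS", "ag", "ad", 636),
]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(src: str,
                probe: Callable[[str, int], bool] = tcp_probe,
                flows: Iterable[Flow] = FLOWS) -> List[Flow]:
    """Probe every flow that originates at `src`; return the ones that fail."""
    failed: List[Flow] = []
    for f in flows:
        if f.src != src:
            continue
        if not probe(HOSTS[f.dst], f.port):
            failed.append(f)
    return failed


if __name__ == "__main__":
    import sys
    where = sys.argv[1] if len(sys.argv) > 1 else "device"
    for f in check_flows(where):
        print(f"BLOCKED {f.name}: {HOSTS[f.dst]}:{f.port}")
```

Run it as `python check_flows.py xdm` on the XDM server, `python check_flows.py xma` on the AppController, and with `device` from a laptop on the same external network the phones will use; anything printed as BLOCKED is a firewall or DNS gap that will surface later as a failed enrollment, a missing push, or an SSO callback error. The probe only proves a TCP handshake, not that the right service or certificate is behind the port.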
