Citrix XenMobile and the Mobile Solutions Bundle: Lessons Learned from the Field



Citrix Consulting has recently conducted a few large projects with XenMobile and the Mobile Solutions Bundle. This presentation contains some of the important lessons learned from these field projects. If you would like to learn the “top 10 gotchas” that the project teams faced while implementing XenMobile, then this presentation is for you!

  • Copyright Nick Rintalan, Citrix Consulting. Developed after the first 3 big CCS projects with XM and/or MSB.
  • ZP = ZenPrise; CGW = CloudGateway
  • Requires command line tools to be installed on the Mac. Not exactly documented, but we’re actively working on this. Android can use the “debug” or private key to sign apps. The JDK keytool and ‘jarsigner’ are required if using a private key.
  • Apple/iOS devices make Android seem pretty easy ;)

    1. Citrix XenMobile and the Mobile Solutions Bundle: Lessons Learned from the Field
       Nick Rintalan, Senior Architect, Citrix Consulting
       May 3, 2013
    2. Agenda
       • Citrix Mobility Products – Quick Review
       • Versions “In Play”
       • Top 10 Lessons Learned from the Field
         ᵒ Where do these lessons come from?
         ᵒ The first few big CCS projects involving XenMobile and the Mobile Solutions Bundle
       • Resources & References
    3. Citrix Mobility Products (as of April 2013)
       • XenMobile MDM Edition (MDM Only = formerly Zenprise)
       • Mobile Solutions Bundle (MDM+MAM = ZP + CGW)
    4. Which Versions Are In Play?
       • XenMobile Device Manager 8.0.1
       • AppController 2.6
       • StoreFront 1.2
       • NetScaler 10.0.735002e
       • @WorkMail/Web 1.0x and 1.1x
       • Citrix Mobile Connect/Enroll 8.0.1
       • Citrix Receiver 3.4/5.7.1/3.360 (Win/iOS/Android)
    5. Top 10 Lessons Learned
    6. 10 – XM vs. MSB
       • XenMobile and the Mobile Solutions Bundle are not one and the same
       • Why?
         ᵒ XenMobile MDM = XDM (and maybe NetScaler)
         ᵒ MSB = XDM, AppController, StoreFront and NetScaler (and optionally ShareFile)
         ᵒ MSB also includes the @work apps (more on this later, but app wrapping can be a bit trickier than one might think…it’s easy once everything is in place)
       • Make sure to scope projects involving the entire MSB with more time
         ᵒ An in-depth XM POC may take a few days
         ᵒ An all-inclusive MSB POC can take a couple weeks
    7. 9 – Certs and More Certs
       • Almost every component in the MSB architecture requires SSL certificates to function properly
         ᵒ StoreFront, AppController, NetScaler and XenMobile Device Manager (XDM)
         ᵒ Wildcard certs make life a lot easier
       • Get the requests for certs in early
         ᵒ Also important to differentiate what needs an “external” cert from a public CA vs. an “internal” cert from an internal CA
       • Also of note – XDM requires persistence and terminates the SSL connection (not NS!), which is why “SSL_BRIDGE” is used to load balance and provide HA for multiple XDM servers
         ᵒ We are still looking into alternative strategies with SSL Offload
    8. 8 – High Availability
       • Each MSB component has a slightly different form of HA
         ᵒ StoreFront multi-server deployment with remote SQL DB for app subscriptions
         ᵒ AppController appliance failover pair
         ᵒ XDM “clustering” (more on this in a minute)
         ᵒ NetScaler HA
       • Extra IPs are required for NS and AppController, so make sure the networking team knows about these well in advance
         ᵒ AppController HA works very similarly to Windows NLB (Network Load Balancing), if you are familiar with it
       • Also of note – XDM does not officially support database mirroring for its SQL database (only clustering in the current release)
    9. 7 – AppController Multi-Tenancy
       • Current version of AppC (2.6) does not support multiple domains or forests
         ᵒ This means a pair of AppControllers is required for each tenant that resides in a separate domain or forest
       • A future version will support multi-tenancy and multiple domains
    10. 6 – XDM Clustering
       • XDM uses Tomcat clustering for High Availability
         ᵒ This is not the same as Failover Clustering (formerly Microsoft Clustering Services)
       • In order to enable HA, one has to manually edit a config file on each XDM server
       • Sends multicast traffic to/from each XDM server
         ᵒ Saw an issue with this at one customer since their switch was blocking multicast and broadcast traffic – a change to the switch was required
    11. 5 – App Prep Tool and @Work App Wrapping
       • The (Citrix) App Preparation Tool only runs on Mac OS X (10.7 or higher) at this time
         ᵒ Make sure a Mac is available prior to the start of the POC or engagement!
       • An Apple Developer Enterprise license is required to wrap apps
         ᵒ See slide notes or References/Resources for more details
       • Any mobile application (not just custom or 3rd party apps) needs to be wrapped with the App Prep Tool
         ᵒ This means the Citrix @work apps included!
         ᵒ The wrapping itself is a fairly simple process, but is required to sign and distribute the apps (legally)
         ᵒ Also provides the MDX logic so we can apply “container” policies
    12. 4 – NetScaler is Your Friend
       • NetScaler will be an integral part of almost every MSB deployment
         ᵒ Provides load balancing for StoreFront and XDM
         ᵒ Access Gateway functionality (ICA Proxy)
         ᵒ Micro-VPN feature = NS SSL VPN
         ᵒ Session policies required for mobile and native Receivers
         ᵒ The new XenMobile NetScaler Connector (XNC) performs ActiveSync filtering via HTTP Callout, Caching and SSL Offload
       • Note XNC is used for native email as opposed to @WorkMail (i.e. native iOS email client or Touchdown on Android)
       • Very scalable solution with the Caching feature of NS (Ent+ licensing)
       • See Resources/References for more details on XNC
    13. 3 – Exchange Web Services vs. ActiveSync
       • The 1.0.x version of @WorkMail for iOS used Exchange Web Services (EWS)
       • The new 1.1.x version of @WorkMail for iOS uses ActiveSync (AS)
         ᵒ This means it’s critical to ensure AS is enabled in the Exchange environment
         ᵒ This move from EWS to AS allows us to support push-enabled mail
       • Android has used AS from the beginning
    14. 2 – APNS and Port 8443
       • A certificate for the Apple Push Notification Service (APNS) is required if you have any iOS devices
         ᵒ This is hosted by Apple in their cloud – cannot be on-prem
         ᵒ You need the APNS cert when installing XDM
         ᵒ Uses ports 2195, 2196 and 5223 (XDM  *
       • Port 8443 must be open on the EXTERNAL firewall as well
         ᵒ Required for Over-the-Air (OTA) enrollment of iOS devices
         ᵒ Cannot be proxied through 443 – must be 8443!
         ᵒ Android (and Windows Mobile) use ports 80/443 by the way (not 8443)
    15. 1 – Bandwidth & Scalability
       • If using the @work apps and Micro-VPN feature of NS, bandwidth for each device will increase significantly
         ᵒ Micro-VPN essentially means full SSL VPN tunnel!
         ᵒ Much more resource intensive compared to basic LB services or ICA Proxy, which most of us are familiar with
       • How significant is “significant”?
         ᵒ We’ve seen an increase of 3-5x compared to traditional LB or ICA proxy traffic
         ᵒ Make sure to size your NetScaler pairs appropriately for the use case
         ᵒ Preliminary sizing guidance is being created as we speak
    16. Resources & References
    17. Resources & References
       • XDM High Availability (Tomcat Clustering)
       • Load Balancing/HA of XDM with NetScaler
       • Apple Developer Enterprise Licensing Program
       • XNC
       • StoreFront Planning Guide
    18. Work better. Live better.
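
A planning aid for lesson 9 (slide 7), added here as an example and not part of the original deck: it checks which component hostnames a wildcard certificate actually covers and whether each host is matched to a cert from the right kind of CA. The `example.com` hostnames, the inventory layout, the external/internal policy table and the function names are assumptions made for illustration; the wildcard rule applied is the common one where `*` stands for exactly one left-most DNS label.

```python
"""Cert request planner for MSB components (added example, constructed data)."""

# Assumed policy: Internet-facing hosts need a public-CA cert, the rest an internal-CA cert.
REQUIRED_ISSUER = {"external": "public", "internal": "internal"}


def wildcard_covers(pattern: str, host: str) -> bool:
    """True if certificate name `pattern` covers `host`.

    A wildcard is honoured only as the whole left-most label and matches
    exactly one label: *.example.com covers xdm.example.com, but neither
    example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad names such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def plan_requests(inventory, certs):
    """Map each FQDN to the cert that covers it, or None if a request is needed.

    inventory: (component, fqdn, exposure) with exposure "external"/"internal"
    certs:     (cert name, issuer) with issuer "public"/"internal"
    """
    plan = {}
    for _component, fqdn, exposure in inventory:
        plan[fqdn] = next(
            (name for name, issuer in certs
             if issuer == REQUIRED_ISSUER[exposure] and wildcard_covers(name, fqdn)),
            None,
        )
    return plan


# Constructed inventory: hostnames and exposure values are placeholders.
INVENTORY = [
    ("NetScaler Access Gateway", "gateway.example.com", "external"),
    ("XenMobile Device Manager", "xdm.example.com", "external"),
    ("StoreFront", "storefront.corp.example.com", "internal"),
    ("AppController", "appc.corp.example.com", "internal"),
    ("XDM node 1", "xdm01.mdm.corp.example.com", "internal"),
]
CERTS = [("*.example.com", "public"), ("*.corp.example.com", "internal")]

if __name__ == "__main__":
    for host, cert in plan_requests(INVENTORY, CERTS).items():
        print(f"{host:32} {cert or 'NEEDS NEW CERT REQUEST'}")
```

Hosts that come back as `None` are the ones to put on the early cert request list; here the extra subdomain level on the XDM node is what takes it outside both wildcards.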