XenMobile Reference Architecture: XenMobile with NetScaler
Configuration Guide for Establishing a NetScaler Load Balancing Front End
www.citrix.com

Table of Contents
Introduction
Network Flow Diagram
XenMobile Port Table
Load Balancing Configuration on NetScaler
Conclusion
Additional Links
Key Contributors
Disclaimer

XenMobile on NetScaler Reference Architecture Page 2
Introduction

Citrix Systems' XenMobile offering is a comprehensive solution portfolio designed to give customers the benefits of Mobile Device Management (MDM) while maintaining secure access to applications and desktops. The purpose of this document is to provide a reference architecture for placing a NetScaler in front of your XenMobile MDM solution. This allows the XenMobile Device Manager (XDM) to remain inside the walls of your datacenter while only the NetScaler appliance sits in the DMZ, which gives a secure and scalable rollout of your MDM solution. We walk through several diagrams to prepare for the configuration steps near the end of this document.

This document covers configuration of the load balancing VIPs only, not the overall setup of the NetScaler. For additional resources on the NetScaler and other configurations, please see the Additional Links section at the end of this document.

Diagram 1.1 (below in the original) shows the basic architecture of the XenMobile environment before the addition of the NetScaler.
Network Flow Diagram

The basic diagram below shows the key ports used by the MDM solution. A full description of the ports required for the solution is laid out in the port table. In summary, ports 80 and 443 are used by iOS, Android and Windows devices for communication. Port 8443 is used by Apple iOS for over-the-air registration of the device with the XDM; connections to the server FQDN also use this port. This FQDN is key, because it is the name registered with the Apple Push Notification Service.

Diagram 1.2: A basic diagram of the network flow for NetScaler and XenMobile. Zones shown: Internet zone; Corporate DMZ zone (NetScaler LB); Corporate LAN zone (XenMobile Device Manager, MS SQL Server over TCP 1433, Active Directory/LDAP over TCP 389/636, Microsoft CA or PKI entity over HTTPS 443). TCP 80, 443 and 8443 flow from the Internet to the NetScaler LB and from the NetScaler LB to the XenMobile Device Manager. Note the open internal ports of 80, 443 and 8443.

XenMobile Port Table

This table is designed to guide the XenMobile Administrator and Network Administrator through the TCP/IP port requirements for the Device Manager Server and mobile device agent connections.

XenMobile Device Manager Firewall Port Requirements

TCP Port | Description | Source | Destination
25 | By default, the XDM SMTP configuration of the Notification Service uses port 25. However, if your corporate SMTP server uses a different port, make sure that your corporate firewall does not block that port. | XenMobile Device Manager Server | Corporate SMTP Server
80 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile) | Internet | XenMobile Device Manager Server
80 | Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile), XDM Web Console, XDM Remote Support Client | Corporate LAN and Wi-Fi | XenMobile Device Manager Server
80 | Enterprise App Store connection to the Apple iTunes App Store (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the available iOS applications within the Web Console and iOS Agent. | XenMobile Device Manager Server | Apple iTunes App Store (ax.itunes.apple.com)
80 or 443 | Nexmo SMS Notification Relay outbound connection | XenMobile Device Manager Server | Nexmo SMS Relay server
389 or 636 | LDAP/LDAPS connection from the XDM Server to the Directory Service host (Active Directory Global Catalog server or equivalent LDAP directory service host) | XenMobile Device Manager Server | LDAP / Active Directory Services
443 | SSL OTA Enrollment/Agent Setup (Android and Windows Mobile); all device-related traffic and data connections (iOS, Android and Windows Mobile) | Internet | XenMobile Device Manager Server
443 | SSL OTA Enrollment/Agent Setup (Android and Windows Mobile); all device-related traffic and data connections (iOS, Android and Windows Mobile); XDM Web Console | Corporate LAN and Wi-Fi | XenMobile Device Manager Server
1433 | Remote database server connection to a separate SQL Server (optional) | XenMobile Device Manager Server | XenMobile Device Manager SQL Server
2195 | Apple APNS (Push Notification Service) outbound connection to gateway.push.apple.com, used for iOS device notifications and device policy push | XenMobile Device Manager Server | Internet (Apple APNS Service hosts on public IP network 17.0.0.0/8)
2196 | Apple APNS (Push Notification Service) outbound connection to feedback.push.apple.com, used for iOS device notifications and device policy push | XenMobile Device Manager Server | Internet (Apple APNS Service hosts)
5223 | Apple APNS (Push Notification Service) outbound connection from iOS devices connected via a Wi-Fi network to *.push.apple.com | iOS device on Wi-Fi network | Internet
8443 | Over-the-Air (OTA) Enrollment for iOS devices only | Corporate LAN and Wi-Fi | XenMobile Device Manager Server
Mobile App Tunnel ports | Mobile App Tunnel (Android and Windows Mobile) to the destination internal Application Server, tunnelled via the XDM Server. All ports are individually defined for each Mobile App Tunnel used by a device through an XDM Device Configuration Policy. | Internet | Application Server via XenMobile Device Manager Server

1 Corporate LAN traffic outbound to the DMZ and the Internet is assumed to be allowed.

PLEASE NOTE: When using Remote Support or Mobile App Tunnel (Android and Windows Mobile), the following traffic needs to be open at the firewall:

TCP Port | Description | Source | Destination
8081 | Remote Support Console default server inbound connection (depending on the Remote Support Tunnel definition) | Remote Support Console | XenMobile Device Manager Server
80 or 443 | Remote Support Console access to XDM to retrieve the device list | Remote Support Console | XenMobile Device Manager Server
Tunnel port | Mobile Application Tunnel access to the Application Server (port configured in the tunnel definition) | XenMobile Device Manager Server | Internal Application Server
Load Balancing Configuration on NetScaler

This section covers the load balancing configuration required on the NetScaler for use with XenMobile. For links to other possible configurations, please see the Additional Links section at the end of this document.

The first step is to create the Server entry in the Load Balancing section of the NetScaler console. Add the Server Name and the internal IP address to which the NetScaler will route the traffic.

Create the XenMobile server that you are load balancing.

After you have created the entry for the XenMobile server, create the services for the three major ports shown in Diagram 1.2. The screen shots in the original incorporate the port number into the service name for easy reference. All three services point to the same server. Only tabs whose settings were edited are shown; all other tabs keep their defaults.
Create the Services:

Basic setup for the service on port 80. Configure the monitor for port 80; all other tabs keep their defaults.

Basic setup for the service on port 443. Configure the monitor for port 443; all other tabs keep their defaults.

Basic setup for the service on port 8443. Configure the service for port 8443; all other tabs keep their defaults.

The final step is to create the Virtual Servers using the Load Balancing services and server(s) configured above. Each Virtual Server is named after its task in the port table above.

Configure your Virtual Servers:
For the enrollment Virtual Server (port 443), tick the check box next to the corresponding service that was set up. Then, on the Method and Persistence tab, set the method to Least Connection and the persistence to SSLSESSION with a timeout of 2 minutes. The IP address entered is the address reachable in the DMZ address space, and it is the address registered in DNS. Please verify that devices on the corporate LAN can also be routed to this Virtual Server.

Configure your XenMobile_Enroll (443) Virtual Server with your external/DMZ IP address.

Configure the Method and Persistence as described above.

The same process is followed to create the Virtual Servers for ports 8443 and 80.
Configure 8443 (profiles for iOS) with the same external IP address.

Configure Profiles: Method and Persistence.

Configure the Virtual Server for port 80 (Console).

Configure Console: Method and Persistence.
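The same server, service and Virtual Server objects expressed as NetScaler CLI commands, as an added example that is not part of the Citrix guide. It assumes the internal XDM address, the DMZ VIP, the object names, SSL_BRIDGE for the two TLS ports, SOURCEIP persistence for the HTTP console VIP and the built-in tcp monitor; the guide itself only specifies Least Connection with SSLSESSION persistence and a 2 minute timeout for the enrollment VIP.

```python
# Added example: generates NetScaler CLI for the three XenMobile VIPs.
# Addresses and object names below are assumptions, not values from the guide.
from typing import List

XDM_IP = "10.0.0.50"   # assumed internal XDM address on the corporate LAN
VIP = "192.0.2.10"     # assumed DMZ address registered in DNS

# (vserver name, protocol, port, lb method, persistence type, timeout minutes)
# SSL_BRIDGE keeps TLS end-to-end to the XDM so device certificates still
# reach it; the HTTP console cannot use SSLSESSION, so SOURCEIP is assumed.
VSERVERS = [
    ("XenMobile_Enroll",   "SSL_BRIDGE", 443,  "LEASTCONNECTION", "SSLSESSION", 2),
    ("XenMobile_Profiles", "SSL_BRIDGE", 8443, "LEASTCONNECTION", "SSLSESSION", 2),
    ("XenMobile_Console",  "HTTP",       80,   "LEASTCONNECTION", "SOURCEIP",   2),
]


def validate(proto: str, persistence: str) -> None:
    """SSLSESSION persistence keys on the TLS session ID, so it is only
    meaningful on SSL or SSL_BRIDGE virtual servers; refuse it elsewhere."""
    if persistence == "SSLSESSION" and proto not in ("SSL", "SSL_BRIDGE"):
        raise ValueError(f"SSLSESSION persistence is not valid for {proto}")


def build_config(server_name: str = "XDM_SRV") -> List[str]:
    """Return the ordered CLI commands: one server, then per port a service,
    its monitor binding, the lb vserver and the service binding."""
    cmds = [f"add server {server_name} {XDM_IP}"]
    for name, proto, port, method, persist, timeout in VSERVERS:
        validate(proto, persist)
        svc = f"XDM_{port}_SVC"
        # every service points at the same XDM server, as in the guide
        cmds.append(f"add service {svc} {server_name} {proto} {port}")
        # built-in 'tcp' monitor as the health check (assumption)
        cmds.append(f"bind service {svc} -monitorName tcp")
        cmds.append(
            f"add lb vserver {name} {proto} {VIP} {port} "
            f"-lbMethod {method} -persistenceType {persist} -timeout {timeout}"
        )
        cmds.append(f"bind lb vserver {name} {svc}")
    return cmds


if __name__ == "__main__":
    print("\n".join(build_config()))
```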
Conclusion

This completes the configuration for front-ending the XenMobile MDM environment with NetScaler. Load balancing of all essential ports for the XenMobile server is complete.

Additional Links

Below is a list of additional links for other configurations:

Citrix XenMobile Solutions: http://support.citrix.com/proddocs/topic/cloudgateway/xmob-landing-page-con.html
XenMobile MDM eDocs: http://support.citrix.com/proddocs/topic/cloudgateway/xmob-mdm-landing-page-con.html
Deploying Mobility Solutions Bundle Components: http://support.citrix.com/proddocs/topic/clg-deployment/clg-deployment-cloudgateway-optionscon.html

Key Contributors

Josh Fleming, Senior Systems Engineer: Author
Jon Eugenio, Senior Systems Engineer: Content Contributor and Reviewer
Florin Lazurca, Senior Architect: Content Contributor
Disclaimer

THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

Copyright 2013 Citrix Systems Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Citrix Systems Inc. is strictly forbidden. For more information, contact Citrix Systems. Citrix, the Citrix logo, and the Citrix badge are trademarks of Citrix Systems Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products.

INTERNAL TRACKING: LAST EDIT 13-MAR-2013 JCE/JF. Change: M.S. Edits