AppController 2.6 2014-03-18 13:21:56 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
Contents AppController 2.6... 6 About This Release... 8 Getting Started... 9 Key Features... 10 What's New... 12 AppController Compatibility with Citrix Products... 13 Icons in the AppController Management Console... 14 Known Issues... 15 System Requirements... 18 AppController Management Console Requirements... 20 Plan... 21 AppController Pre-Installation Checklist... 22 Deploy... 31 Deploying AppController in Your Network... 32 Deploying AppController in an Appliance Failover Configuration... 34 Install and Setup... 35 Downloading the Virtual Image for AppController... 37 Installing AppController on XenServer... 38 Installing AppController by Using VMware ESXi... 39 Installing AppController on Microsoft Hyper-V... 40 Setting the AppController IP Address for the First Time... 41 Configuring AppController for the First Time... 42 Configuring a Web Proxy Server in AppController... 45 Configuring and Synchronizing with Active Directory... 46 Configuring StoreFront for Mobile Devices... 48 Licensing... 51 Obtaining Your License Files... 52 Manage... 53 Configuring Appliance Failover on AppController... 54 2
How AppController Appliance Failover Works... 55 Configuring Appliance Failover... 56 Configuring the Primary and Secondary AppController Virtual Machines... Migrating an Appliance Failover Pair to AppController 2.5... 59 Backing Up and Restoring Snapshots in an Appliance Failover Pair... 60 Configuring Certificates in AppController... 62 Installing a Signed Server Certificate and Private Key on AppController 64 Overview of the Certificate Signing Request... 65 To create a Certificate Signing Request... 66 To import a signed server certificate to AppController... 67 To install a certificate and private key from a Windows-based computer 68 Installing Root Certificates on AppController... 69 To view the details of a certificate... 70 To export a certificate... 71 Configuring Certificates for SAML Applications... 72 To install a certificate for an application... 74 Configuring Roles in AppController... 75 Adding or Removing Roles... 76 To edit a role... 78 Viewing Members of Active Directory Groups... 79 To assign applications to roles... 80 To remove applications from a role... 81 Configuring Categories to Manage Applications... 82 Configuring Applications for Single Sign-On... 83 List of Application Connector Types... 84 Configuring Additional Parameters in Application Connectors... 88 List of Application Connectors with Additional Parameters... 89 Building Your Own Application Connectors... 98 Building Enterprise Applications... 99 To build a SAML connector... 102 To build an HTTP Federated Formfill connector... 103 Configuring Applications for User Account Management... 104 Configuring Workflows for User Account Management... 105 To create and manage workflows in the management console 106 To configure workflow email settings... 108 To configure settings to create user accounts... 109 To synchronize application users with Active Directory... 112 57 3
Configuring Single Sign-On by Using Application Connectors... 113 Searching for Applications... 116 Allowing Users to Reset Application Passwords... 117 Configuring ShareFile for User Access... 118 To configure ShareFile settings... 120 Locking and Erasing Applications and Data... 122 Locking and Unlocking Applications on User Devices... 124 Erasing Application Data and Documents on the User Device... 125 To delete a user device from AppController... 126 Adding Web Links in AppController... 127 To configure a Web link... 128 Maintaining and Upgrading Applications and Web Links... 129 To disable or enable an application... 130 Mobile Apps... 131 Adding Mobile Apps to AppController... 132 How Mobile Apps Work... 133 Configuring MDX Policies for ios-based Apps in AppController... 136 Configuring MDX Policies for Android-Based Apps in AppController... 143 To upload Android and ios mobile apps... 151 To configure settings for ios mobile apps... 152 To configure settings for Android mobile apps... 153 To edit mobile app settings... 154 Upgrading a Mobile App in AppController... 155 Providing Access to @Work Apps... 156 System Requirements for @Work Apps... 157 Configuring MDX Policies for @Work Apps... 158 Retrieving Mobile App Names and Descriptions... 159 To retrieve app information... 160 Connect Users... 161 Sending AppController Application Lists to Citrix Receiver... 162 To configure AppController to connect to StoreFront... 164 Connecting Users to Citrix Receiver... 165 Downloading the Receiver Configuration File... 166 Configuring Connections to Enterprise Web Applications Through Access Gateway... Configuring Applications and Trust Settings for Access Gateway... 168 Maintain... 170 Creating Snapshots of the AppController Configuration... 172 167 4
To export a snapshot... 173 To import a snapshot... 174 Updating AppController... 175 To update AppController... 176 Managing Citrix Receiver Updates... 177 To change the administrator password... 178 Changing System Settings by Using the Command-Line Console... 179 To view the AppController date and time... 182 To view the system disk usage... 183 Enabling or Disabling SSH Access... 184 To reset the AppController server certificate... 185 To restart or shut down AppController by using the command-line console 186 Monitor... 187 Monitoring AppController by Using the Dashboard... 188 To configure a syslog server in AppController... 189 To transfer logs to a network server... 190 Troubleshooting AppController by Using the Command-Line Console... 191 Capturing Network Settings for Troubleshooting... 192 Creating a Support Bundle for AppController... 193 Configuring Logs by Using the Command-Line Console... 195 5
AppController 2.6 Citrix AppController delivers access to web, SaaS, Android, and ios apps, as well as integrated ShareFile data and documents. Users access their applications through Citrix Receiver or Receiver for Web sites. With AppController, you can provide the following benefits for each application type: SaaS applications. Active Directory-based user identity creation and management, with SAML-based single sign-on (SSO) Intranet web applications. HTTP form-based SSO by using password storage ios and Android native applications. Unified store to which you can install MDX applications, and security management for MDX policies, encompassing @WorkMail and @WorkWeb ShareFile access. Integrated enterprise data access with synchronization with Receiver, seamless SAML SSO, and Active Directory-based ShareFile service user account management In This Section The topics in this section provide information about deploying, configuring, and managing AppController 2.6. About this Release System Requirements Plan Deploy Install and Setup Contains information about the release of AppController 2.6, including AppController features, deployment considerations, what's new, Citrix Receiver compatibility, and known issues. Provides system requirements for AppController and for the AppController management console. Provides information on evaluating and planning your installation of AppController by using the AppController Pre-Installation Checklist. Provides deployment information for AppController, including an appliance failover pair. Provides information about how to install AppController on XenServer and VMware ESXi. Includes information about configuring the AppController IP address and configuring additional AppController settings. 6
AppController 2.6 Licensing Manage Connect Users Maintain Monitor Describes how licensing works in AppController. Provides information on configuring appliance failover, certificates, roles, application connectors, mobile apps and mobile app policy settings, Mobile App Suite with @WorkMail and @WorkWeb and data management by using ShareFile, groups, and categories. This section also provides information about configuring applications for user account management, information about configuring web links for Web addresses that do not require SSO, configuring mobile links to apps in the Google Play Store and the Apple App Store. You can also manage the device inventory. Provides information about connecting users to applications in AppController by using StoreFront, Access Gateway, and Receiver. Provides information about configuring AppController system settings by using the management console and command-line console. This section also provides information about upgrading AppController, applying application connector updates, and using snapshots of the AppController configuration. Provides information about user and application access in AppController. This section also provides information about troubleshooting AppController by using support bundles, logs, and network utilities, such as PING and traceroute. 7
About This Release CloudGateway enables the delivery of web, SaaS, Android- and ios-based applications, and ShareFile data, along with Windows-based applications from XenApp and virtual desktops from XenDesktop. You manage web, SaaS, Android- and ios-based application configuration and policy settings by using AppController, with the following capabilities: Centralized user account creation and management for web and SaaS applications, and ShareFile access that provides users with a seamless single sign-on (SSO) experience. The use of Active Directory as the identity repository. Active Directory is then used as the basis for authorizing users to external applications and services. A unified enterprise app store to enable the publishing and distribution of Android- and ios-based applications for authorized users to download and install on mobile devices. Centralized policy controls to secure the applications and data, with easy removal of user accounts, erase and lock of Citrix-delivered applications and data, and consolidated auditing and reporting of application access. You can configure applications and ShareFile access by using the AppController web-based management console. Within the management console, you can configure the following: Roles that include Active Directory groups Applications for SSO only Applications for SSO, user account management, and the creation of new user accounts Applications for Android and ios devices, including @WorkMail and @WorkWeb applications Approval workflows for creating user accounts Categories to organize applications in Citrix Receiver HTTP Federated Formfill connectors SAML 1.1 or 2.0 connectors that support the identity provider (IdP) flow Role-based management and delivery of mobile applications Role-based ShareFile document management with support for Storage Zones Device inventory that lists user devices that connect to AppController This section introduces AppController 2.6, announces what's new in this release, discusses compatibility between AppController and Citrix Receiver, and lists known issues for AppController. 8
Getting Started As you plan to deploy AppController, you should take the following considerations into account: AppController network settings, including the IP address, default gateway, DNS servers, NTP servers, web proxy, and Active Directory. The deployment of web, SaaS, Android, and ios applications that users need to access, including applications that you host in your internal network or applications that reside on the Internet. The applications include @WorkMail and @WorkWeb. The deployment of AppController only, in which users can connect to their web, SaaS, and mobile Android and ios applications directly from AppController. The deployment of AppController for appliance failover, in which you deploy two AppController virtual machines (VMs) to fail over if one VM fails. The deployment of AppController with StoreFront that allows user access to Windows-based applications from XenApp and to virtual desktops from XenDesktop. The deployment of Access Gateway with AppController and StoreFront that allows remote users to connect to network resources. An AppController configuration that includes ShareFile to allow users to easily view, edit, synchronize, and share files from any devices with document-level control. This release of AppController supports ShareFile Storage Zones. For more information, see the ShareFile documentation in Citrix edocs. Before you install AppController, review the following topics for information about getting started with AppController. AppController Pre-Installation Checklist Deploying AppController Installing AppController 2.6 Provides planning information to review and a list of tasks to complete before you install AppController in your network. Provides information about deploying AppController by itself, or with StoreFront and Access Gateway, and in an appliance failover configuration. Provides information about installing AppController on XenServer and VMware ESXi. Also provides information about configuring AppController by using the command-line console and configuring network settings in the management console. 9
Key Features The most typical deployment configuration for AppController is to locate AppController in the secure network. Users can connect to AppController to access applications, as well as ShareFile data and documents. The key features of AppController are: Access to web and SaaS applications that includes: Federated support for SAML 1.1 and SAML 2.0 applications Password storage and formfill support for password-based web applications User account management from Active Directory group membership for SaaS applications User account management workflows that allow users to request application accounts and for individuals in your organization to approve the requests Access to Android and ios mobile applications that includes: The ability to publish Android and ios applications that users can download and install on their mobile devices from Citrix Receiver, including @WorkMail and @WorkWeb Security controls for Android and ios applications to ensure application and data security Management of mobile applications on user devices through Receiver which enables you to control the mobile applications without managing the mobile device Access to ShareFile that includes: Creation and deletion of user accounts within ShareFile by using Active Directory rules Seamless data access for authorized users from Receiver Choice of storage location per folder: ShareFile-managed cloud storage or an on-premises Storage Zone, enabling you to optimize performance and address data sovereignty and compliance requirements Centralized device listing for users that allows you to erase application and ShareFile data on lost or stolen devices Device inventory that includes: The ability to view all devices that have connected to AppController The ability to erase and stop erasing data on the user device The ability to lock and unlock the user device 10
Key Features The ability to remove devices from the list 11
What's New AppController 2.6 supports the following new features: Certificate support. When you log on to AppController for the first time in the web-based management console to configure the initial settings, you can add or create certificates on the Active Directory settings page. This option appears only when configuring settings in the management console the first time you log on. When you log on subsequently to the management console, you can configure certificates by using the Certificates link on the Settings tab. Microsoft Hyper-V support. You can install the AppController 2.6 virtual machine on Windows Server 2012 with Hyper-V enabled or on Microsoft Hyper-V Server 2012. Migration support to AppController 2.6. You can upgrade to AppController 2.6 from AppController 2.0 or from AppController 2.5. Secure connections to Active Directory. When you log on to AppController for the first time in the management console to configure the initial settings, you can configure secure connections to Active Directory on the Active Directory settings page. When you log on subsequently to the management console, you can change Active Directory settings by using the Active Directory link on the Settings tab. ShareFile updates. In previous AppController versions, when you configured ShareFile, the domain sharefile.com was automatically appended to the domain name. In this release, the domain sharefile.com does not automatically append to the ShareFile domain name. You must enter the entire ShareFile domain name. Support for mobile links. You can configure mobile links to retrieve the name and description of apps automatically from the Apple App Store. For apps available through the Google Play Store, you enter the name, description and URL of the app. When you configure mobile links, links appear in Receiver with the Play Store or App Store name. Web proxy user name format. When you configure the web proxy, you can use either the SAMAccount format or the User Principal Name (UPN) as the user name. 12
AppController Compatibility with Citrix Products AppController works with the following Citrix products: Citrix product Access Gateway 10 Release versions 71.6104.e and 73.5002.e StoreFront 1.2 Compatibility with Citrix Receiver AppController supports the following versions of Citrix Receiver. Users can connect from the internal network or from an external network. If users connect from the Internet, you must have Access Gateway deployed in the DMZ. Receiver Release versions Receiver for Windows 3.4 Receiver for Mac 11.7 Receiver for ios 5.7 Receiver for Android 3.3 Receiver for Web 1.1, 1.2, and 1.3 If users connect remotely with Receiver for Web Version 1.1, the connection must route through Access Gateway. 13
Icons in the AppController Management Console The AppController management console includes icons that users click to perform different tasks. The following table defines each icon. Ico n Icon Name Enable Disabl e Edit Remov e Sync Upgrad e Role details Lock Unlock Erase Stop erasing Apps Workfl ow details User Definition Indicates that an app is disabled. When clicked, enables the app. Indicates that an app is enabled. When clicked, disables the app. Used to edit a role or application. Used to remove an application, remove an application from a role, or to remove a category, workflow, or user device. Used to synchronize application users with Active Directory for accounts that are configured for user account management. Also opens a Storage Zone dialog box in Roles to enable you to find a particular storage zone and provide credentials. Used to upgrade a mobile application with a new version. In Roles, you can view the Active Directory groups that belong to a configured role or you can delete the role. Used to lock a user device. Used to unlock a user device after you have locked it. Used to erase data and documents from a device. Used to stop the process of erasing data and documents from the device. In Workflows, shows the apps with which the workflow is associated, if any. In Workflows, lets you view the levels of manager approval and additional approvers for a configured workflow. In Roles, lets you view members of the Active Directory groups. 14
Known Issues Prerequisite Important: When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, AppController cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app. Also, an administrator email should be part of the base DN. If the administrator email is not part of the base DN, then first time use of AppController will fail. Important Notes 1. User account requests by using the workflow template with the AppController workflow feature is not supported for users who connect with Receiver for Web. 2. User account requests by using the subscription workflow template with the AppController workflow feature is not supported on Receiver for Mac 11.4. Users need to upgrade to Receiver for Mac 11.6 or 11.7. 3. The internal URL redirection feature, in which Receiver checks a keyword to determine if the URL requires a connection with the Access Gateway Plug-in, is not available with Receiver for Web. The feature is supported only with Receiver for Windows Versions 3.1, 3.2, 3.3, or 3.4 4. Upgrades are not supported from AppController 1.0 or from AppController 1.1 to AppController 2.6. You can upgrade from AppController 2.0 or 2.5 to AppController 2.6. If you installed a private release for either AppController 2.0 or 2.5, you can upgrade to Version 2.6. 5. If you configure proxy servers to use both HTTP and HTTPS, AppController uses the secure proxy server for all application connectors. If you configure only HTTP, or only HTTPS, AppController uses the proxy server for all application connectors. 6. AppController contains the management console. To open the management console, in a Web browser, enter https://<appcontrollerfqdn:4443/controlpoint. The default user name is administrator and the password is password. Installing AppController You can find installation instructions for AppController in Citrix edocs at Installing AppController 2.6. 15
Known Issues Migrating to AppController 2.6 From Earlier AppController Versions You cannot upgrade from AppController 1.0 or 1.1 to Version 2.6. You can upgrade from Version 2.0 or 2.5 to Version 2.6. Before you start the upgrade, do the following: 1. Take a snapshot of the virtual machine (VM) in the XenCenter or vsphere console. 2. Make sure that AppController has an active network connection with valid credentials to Active Directory. If you do not have an active network connection to Active Directory, the upgrade fails and reverts back to the previous version. 3. After the upgrade is complete, either close and then open the web browser, or clear the browser cache. If your configuration is large, the upload might take several minutes. Do not interrupt the upgrade process before it is complete. When the upgrade file successfully uploads, you receive a prompt to restart AppController. If you choose to restart AppController at a later time, you need to restart by using the command-line console. For more information about upgrading AppController, see Updating AppController. For information about upgrading an appliance failover pair, see Backing Up and Restoring Snapshots in an Appliance Failover Pair. 16
Known Issues Known Issues 1. If users open multiple tabs and download large files in @WorkWeb on an Android device, the browser might stop responding. Users can close tabs or force stop the application to correct the problem. [#351336] 2. If users open web sites on multiple tabs in @WorkWeb, when users switch between tabs the web page might not appear correctly. [#352316] 3. If you configure ShareFile settings in AppController Versions 2.0 or 2.5 and then upgrade to AppController 2.6, the ShareFile configuration does not work. When the upgrade is complete, you must edit and save the ShareFile configuration with the full ShareFile domain URL. [#365208] 4. If you configured workflows in AppController 2.0, when you upgrade to AppController 2.6, the workflow description is blank after the upgrade. This issue does not occur when you upgrade from Version 2.5 to 2.6. [# 366139] 5. When you configure the ShareFile SAML connector, you must use the fully qualified domain name (FQDN) instead of the domain name. If you do not use the FQDN, creating the connector fails. [#366692] 6. If you configure a web proxy in AppController and then delete the configuration, AppController continues to use the proxy settings. After deleting the web proxy configuration, restart AppController. [#366989] 7. If you configure a web proxy server and use a single quotation mark (') in the password, proxy authentication fails. [#367392] 8. Single sign-on to the Yammer application fails unless users select the Remember me check box when they log on for the first time. [#368159] 9. If you configure the WebEx application for SSO, when users log on with Receiver and start the Web Ex application, SSO fails and users receive the error message "HTTP Status 400 - Invalid path /mw0306lc/mywebex/login/login was requested." [#368188] 17
AppController System Requirements You can install AppController on the following: XenServer 5.6 with a minimum of Service Pack 1 XenServer 6.0 Microsoft Server 2012 with Hyper-V enabled Microsoft Hyper-V Server 2012 VMware ESXi 4.x VMware ESXi 5.0.1 VMware ESXi 5.1 XenServer, Hyper-V, and VMware ESXi must provide adequate virtual computing resources to AppController as listed in the following table. XenServer and VMware ESXi Requirements XenServer and VMware ESXi must provide adequate virtual computing resources to AppController as listed in the following table. Memory Virtual CPU (VCPU) Virtual Network Interfaces 1 4 GB 2 VCPUs Microsoft Hyper-V Requirements Microsoft Hyper-V must provide adequate virtual computing resources to AppController as listed in the following table. Disk space (this is maximum disk size to which the AppController disk can increase) Memory VCPU 2 Virtual Network interfaces (available for each AppController VM) 50 GB 4 GB 1 18
System Requirements Active Directory When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, AppController cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app. 19
AppController Management Console Requirements To use the management console effectively, keep the following minimum display requirements and recommendations in mind: Citrix recommends using a Firefox, Chrome, or Internet Explorer 9 browser. The management console display size is 1024 x 800. When running the management console on a laptop, hide all toolbars to provide more screen space for the console. In Internet Explorer or Firefox browsers, to view the management console as full screen, press F11. 20
Planning Your AppController Deployment Before you install AppController, you should collect and record configuration information in order to complete a successful installation. If users connect to their applications from an external network, such as the Internet, you must deploy Access Gateway in the DMZ. Access Gateway authenticates users and then routes the connection to the secure network. This section includes a checklist that helps you define the information you need about the following: Active Directory settings Applications for single sign-on (SSO) Authentication through StoreFront Appliance failover Mobile apps Network connectivity Ports Role and category names ShareFile settings User devices 21
AppController Pre-Installation Checklist This checklist lists the tasks you should complete and the configuration values you should note before you install AppController 2.6. Citrix recommends that you print and complete this checklist. The checklist has an extra column that you can use to check off each task as you complete it and to record information. For instructions about installing and configuring AppController, see Installing AppController 2.6. 22
AppController Pre-Installation Checklist AppController Basic Network Connectivity Note the AppController host name. Configure up to two DNS servers. Note the IP address of AppController. Reserve one IP address if you install one instance of AppController. Reserve three IP addresses if you configure appliance failover on AppController. Note the IP address for the Network Time Protocol (NTP) server. If your deployment supports remote access to AppController, note the following: One public IP address One external DNS entry for Access Gateway Note: You only need an external DNS entry if you deploy Access Gateway in your network. AppController resides in the internal network. If users connect to applications in the secure network from the Internet, Access Gateway must reside in the DMZ. Note the default gateway IP address. Note the web proxy server IP address, port, proxy host list, and the administrator user name and password. Note: You can user either the samaccountname or the User Principal Name (UPN) when configuring the user name for the web proxy. Certificates AppController requires secure server, root, and SAML certificates for communication with other Citrix products and SAML applications. When you configure AppController for the first time, you can add or create certificates on the Active Directory page in the initial settings wizard. Create a Certificate Signing Request (CSR) and submit to a Certificate Authority (CA) for signing. 23
AppController Pre-Installation Checklist Install a signed, secure SSL server certificate that is used for secure connections to the management console and for communicating with StoreFront. Install a secure SSL server certificate for communicating between AppController and applications that require an SSL certificate for user account management. Install a secure SAML certificate for communication between AppController and SAML applications that require an SSL certificate, such as GoogleApps. Communication Open the following ports to allow communication with AppController. Active Directory port 389. Open port 636 if you use secure LDAP. Open port 3268 for an LDAP connection to the Microsoft Global Catalog. Open port 3269 for a secure LDAP connection to the Microsoft Global Catalog. Open the following ports to allow administrator and user access: Administration ports AppController command-line console, port 22 AppController management console, port 4443 User connections Remote connections through Access Gateway, port 443 DNS name resolution, port 53 SMTP mail server connection, port 25 Active Directory Settings You use Active Directory to obtain groups. When you obtain groups, you can create roles and then assign applications to the role. 24
AppController Pre-Installation Checklist Note the Active Directory IP address and port. If you use port 636, install a root certificate from a CA on AppController. Note the Active Directory domain name. Note the Base DN. This is the directory level under which users are located; for example, cn=users,dc=ace,dc=com. Note: If your Active Directory database is large, you can configure multiple Base DNs to which AppController binds and in which the server searches to find user objects. For example, you can use the following: ou=finance,dc=ace,dc=com; ou=sales,dc=acedc=com Note the Active Directory service account. The Active Directory service account is the account that AppController uses to query Active Directory. Note the service account password. If you configure user account management for the application, the service account contains the required privileges to create user accounts for the application. (Optional) Note a user account for testing. This is an Active Directory account that you can use to log on and test SSO. Mail Server Settings You can configure a mail server on AppController through which AppController can send notification emails. Typically, AppController uses these emails during a workflow to secure approvals or to notify users of new accounts and passwords that you configure AppController to create for them. You configure the mail server settings when you first install AppController and configure network settings in the management console. You can change mail server settings at any time by using the Settings tab in the management console. Note the mail server name, such as mail.mycompany.com. Note the email address from which AppController sends emails. 25
AppController Pre-Installation Checklist Note the mail server IP address and SMTP port number. Note the user name and password if the mail server requires authentication before sending emails. Roles Roles in AppController represent a set of one or more groups in Active Directory. You can control the list of applications that users can view based on their group membership in Active Directory. When adding a role, you select the groups from Active Directory to include in the role. Then, you can add applications to the roles to provide access to a specific group of users. When you configure applications in AppController, you select the role. If you do not select a role for the app, AppController uses the default role AllUsers. Important: You must create a role before you configure ShareFile settings. The role should contain the same number of members for which you obtain licenses. For example, if you have 100 licenses, the role should contain the same amount of users. If you use the AllUsers role, which might have more Active Directory accounts than licenses, synchronizing accounts in ShareFile and AppController might fail. If you previously selected the AllUsers role or a role with too many Active Directory accounts, you must manually remove the role from ShareFile and then add the new role. List the names of roles you want to add in AppController. Categories You can group applications into categories, such as Finance, Sales, and Marketing. Users see the categories when they log on with Citrix Receiver. Users can open their applications from the category. List the category names you want to create for Receiver. Application Information You can configure single sign-on (SSO) to applications in AppController. List the names of SAML applications for your organization. List the names of Formfill applications for your organization. List the names of mobile apps to upload to AppController, including @WorkMail and @WorkWeb apps. 26
AppController Pre-Installation Checklist Note the logon Web address of applications that do not have a default Web address, such as Google Apps. Use test credentials to test SSO to applications. Note the total number of users accessing applications. SAML Application Information You can use the following table to enter information for your SAML applications. Note the name of your SAML apps. Note the supported SAML version. Note the ACS URL. Note the Entity ID. Note the RelayState URL. Note any additional parameters (and values expected) required as part of the SAML assertion. Mobile App Management for ios Apps You can use the following guidelines for preparing MDX apps for ios. You must use a Mac OS X computer running Version 10.7 or 10.8 for ios apps. Obtain the Citrix App Preparation Tool available from the Citrix Downloads page. Obtain an Apple account from the Apple developer registration site. Obtain a Distribution Certificate from Apple. When your provisioning profile is approved, the enterprise certificate should appear automatically in the devices organizer in Xcode. Obtain the ios Distribution Provisioning Profile from the Apple Developer web site. Mobile App Management for Android Apps You can use the following guidelines for preparing MDX apps for Android. You must use a Mac OS X computer running Version 10.7 or 10.8 for Android apps. 27
AppController Pre-Installation Checklist Obtain and install the Java Development Kit (JDK) Version 1.6. Obtain and install the Android Software Development Kit (SDK). Obtain and install the Android APK Tool. Obtain a digitally signed certificate with a private key that is held by the application's developer. For more information about the certificate, see Signing Your Applications on the Android Developers web site. Mobile Links You can configure mobile links to retrieve the name and description of apps from Google Play or the Apple App Store. When you configure mobile links, the apps appear in Receiver with the Google Play or App Store name. List the mobile apps for which you want to retrieve information from Google Play or the App Store. Web Links You can configure web addresses in AppController. The links can be to Internet sites, or to intranet sites in the internal network. The links appear in Receiver when users log on. List the web sites to which you want to allow user access. Data Management You can configure ShareFile in AppController to provide user access to documents and data. In previous AppController versions, when you configured ShareFile, the domain sharefile.com was automatically appended to the domain name. In this release, the domain sharefile.com does not automatically append to the ShareFile domain name. You must enter the entire ShareFile domain name. Note the full ShareFile domain name. Note the roles from Active Directory that provide user access. Note the service account user name and password for user management. Note the Storage Zone names for ShareFile user access. 28
AppController Pre-Installation Checklist List the versions of Citrix Receiver that are specific to user devices. Appliance Failover You can configure two AppController VMs for appliance failover. If the primary AppController fails, the secondary AppController can accept user connections. Each AppController VM must be in the same subnet. You can configure appliance failover by using the command line on the Console tab in XenCenter. For more information about configuring appliance failover, see Configuring Appliance Failover on AppController. Identify the primary AppController IP address and subnet. Identify the secondary AppController IP address and subnet. Configure a virtual IP address on the primary AppController. Configure the SSL handshake between AppController VMs. Connect Users You can configure AppController to authenticate users. When users connect by using Citrix Receiver to AppController, they receive the mobile, web, and SaaS apps you configure in AppController. Users can also connect to StoreFront which provides the additional capability of access to published applications in XenApp and virtual desktops. If users need to connect to apps hosted in your internal network from a remote location, you can route user connections through Access Gateway. Note the access method, AppController, StoreFront, or Access Gateway for user connections. Note the StoreFront URL. Note the Access Gateway host name and URL. Logging You can configure a syslog server or transfer the logs to a server in the internal network. Note the IP address or fully qualified domain name (FQDN) and port of the syslog server. Note the server name to which you want to transfer logs. 29
AppController Pre-Installation Checklist Note the user name and password of the server to which you want to transfer logs. 30
Deploying AppController AppController works with Access Gateway and StoreFront to allow users to connect to web, SaaS, mobile applications, and Windows-based applications and desktops. You install AppController in your internal network. In this deployment, users can connect directly to AppController to obtain their Web, SaaS, Android- and ios-based apps, along with documents from ShareFile. If you also deploy StoreFront, users connect to StoreFront to obtain their Windows-based apps and desktops. StoreFront communicates with AppController to deliver apps and documents. You can deploy AppController with Access Gateway to allow remote users to connect to apps in the internal network. You install the Access Gateway in the DMZ and then configure the appliance for user connections. You can also deploy AppController for appliance failover. In this deployment, two AppController virtual machines (VMs) work together to provide uninterrupted service to users. If one VM becomes unavailable for any reason, the other VM takes over and services user requests. This section illustrates how you can deploy the AppController VM on XenServer or VMware ESXi in your internal network. It also illustrates the AppController appliance failover configuration. 31
Deploying AppController in Your Network You can deploy the AppController virtual machine (VM) on XenServer or VMware ESXi located in your internal network. Users can connect to AppController from an external connection (the Internet) or from the internal network. If users connect from the Internet or a remote location, the connection must route through Access Gateway. AppController resides in the internal network behind the firewall. The following figure shows how you can deploy AppController in an enterprise network. User connections from the Internet route through Access Gateway directly to AppController. The figure also shows how users connect from the internal network directly to AppController. Users can then access web, SaaS, and native mobile apps located in the internal network. Figure 1. AppController Network Deployment You can include StoreFront in your deployment, which allows users access to published applications from XenApp and virtual desktops from XenDesktop, along with apps configured in AppController. When users log on with Citrix Receiver, all of their apps appear in the store. The following figure shows how you can deploy Access Gateway, AppController, and StoreFront in your network. Figure 2. CloudGateway Deployment with Access Gateway, AppController, and StoreFront 32
Deploying AppController in Your Network 33
Deploying AppController in an Appliance Failover Configuration You can deploy two AppController virtual machines (VM) in an appliance failover pair. An appliance failover configuration prevents downtime and ensures that the services provided by AppController remain available, even if one AppController VM is not working. The following figure shows an appliance failover deployment where one AppController VM is not receiving connections. Figure 1. AppController Appliance Failover Deployment 34
Installing AppController 2.6 The AppController virtual machine (VM) runs on Citrix XenServer, Microsoft Hyper-V, or VMware ESXi. You can use XenCenter or vsphere management consoles to install AppController 2.6. Before installing AppController, you must do the following: Install XenServer or VMware ESXi on a computer with adequate hardware resources. Install XenCenter or vsphere on a separate computer. The computer that hosts XenCenter or vsphere connects to XenServer or VMware ESXi host through the network. Install Windows Server 2008 R2 or Windows Server 2012 with Hyper-V enabled, role enabled, on a computer with adequate system resources. While installing the Hyper-V role, be sure to specify the network interface cards (NICs) on the server that Hyper-V will use to create the virtual networks. You can reserve some NICs for the host. This section details the following steps for installing AppController on XenServer, Hyper-V, or VMware: Downloading the virtual image. Installing the VM on XenServer and setting the properties for AppController in XenCenter. Installing AppController on VMware ESXi and using vsphere to allocate virtual hardware components to AppController, such as memory and virtual CPUs. Installing AppController on Hyper-V. Configuring the IP address, default gateway, DNS servers, and Network Time Protocol (NTP) servers for AppController by using the XenCenter or vsphere command-line console. When you finish configuring AppController network settings by using the command-line console, you log on to the AppController management console. Then, you configure the following network settings: Active Directory configuration from which you obtain groups for AppController Administrator settings AppController network settings, such as IP address, DNS servers, and the time zone NTP server settings Workflow email settings After you configure AppController system settings, you can then synchronize AppController with Active Directory. When you synchronize, AppController retrieves the groups and 35
Install and Setup members of the groups from the specified Base DN in Active Directory. 36
Downloading the Virtual Image for AppController You can download the AppController virtual image from My Citrix. The virtual image contains the package that you need in order to install AppController on XenServer, Hyper-V, or VMware ESXi. For the XenServer installation, the virtual image is a file with the file name extension of.xva. For the Hyper-V installation, the virtual image is a file with the file name extension of.zip. For the VMware installation, the virtual image is a file with the file name extension of.ova. To download the virtual image 1. Log on to My Citrix and then click Downloads. 2. Under Select a Product, click Mobile Solutions Bundle and then in Select Download type, click Product Software. 3. Click Find. 4. On the Mobile Solutions Bundle page, scroll down the page to AppController and then select one of the following packages: To upgrade AppController from Version 2.0 or 2.6, click Download next to AppController Upgrade from AppC 2.0 to AppC 2.5, AppC 2.5 to AppC 2.6 and AppC 2.0 to AppC 2.6 and then save the package to your computer. To install AppController on XenServer, click Download next to AppController 2.6 Virtual appliance for XenServer and then save the package to your computer. To install AppController on Microsoft Hyper-V, click Download next to AppController 2.6 Virtual Appliance for Hyper-V and then save the package to your computer. To install AppController on VMware, click Download next to AppController 2.6 Virtual appliance for VMware and then save the package to your computer. After the image downloads to your computer, you then install the image on XenServer, Hyper-V, or VMware. After installation, you set the properties for AppController in your hypervisor. 37
Installing AppController on XenServer After you download the virtual image (VM) from My Citrix, install AppController on XenServer. After installation, set the properties for AppController in XenCenter. To install AppController on XenServer 1. Start XenCenter on your computer. 2. In the navigation pane, click the name of the XenServer on which you want to install AppController and then connect. 3. On the File menu, click Import. 4. In the Import wizard, in Filename, browse to the location to which you saved the.xva image file and then click Open. 5. Follow the instructions in the wizard to import the AppController image. After you click Finish in the wizard, you can click the Logs tab to view the status of the import process. When the import process is complete, you want to configure the initial settings for AppController by using the command-line console. For more information, see Setting the AppController IP Address for the First Time. To set the properties for AppController When you import AppController, the number of virtual CPUs (VCPUs) is set to 2. You cannot change this setting. The default memory setting is 4096. You can leave the memory setting or change it by using the Memory tab in XenCenter. 38
Installing AppController by Using VMware ESXi To install AppController on VMware ESXi, you must first install VMware on a computer with adequate hardware resources. To perform the AppController installation, you use vsphere. You install vsphere on a remote computer that can connect to the VMware host through the network. After you install AppController, you can create virtual hardware components on VMware and then use vsphere to allocate them to AppController. When you install AppController on VMware ESXi, you use the vsphere client. You select the OVF template to start the Deploy OVF Wizard. Follow the directions in the wizard to import the AppController OVA (.ova) file. You provide a name for AppController and then configure additional settings to import the file to VMWare ESXi. After the import is complete, you set the AppController properties in vsphere. These settings include: Allow the virtual machine to start and stop automatically with the system. Set the startup order for AppController. Set the memory size to 4096. Set the number of VCPUs to 2. For more information about VMWare ESXi and the vsphere client, see the manufacturer's documentation. 39
Installing AppController on Microsoft Hyper-V To install AppController on Microsoft Hyper-V, you must first install Microsoft Server 2012 with Hyper-V enabled or Microsoft Hyper-V Server 2012 on a computer with adequate hardware resources. To perform the AppController installation, you use the Hyper-V Manager, which is a Microsoft Management Console (MMC) snap-in. Hyper-V Manager is installed automatically when you enable the Hyper-V role. You download a compressed ZIP file to install AppController on Microsoft Hyper-V. You extract the files and then use Hyper-V Manager to install AppController. Note: Make sure that you extract the files in the ZIP folder into a different folder before you specify the path to the folder. After you import the virtual machine, you need to configure the virtual network adapter by associating the adapter to the virtual networks created by Hyper-V. AppController 2.6 requires one virtual network adapter. In Hyper-V Manager, you select the server on which you want to install AppController and then import the virtual machine. When the import starts, your are prompted to specify the path of the folder that contains the AppController software files. After the import is complete, you set the AppController properties in Hyper-V Manager. These settings include: Allow the virtual machine to start and stop automatically with the system. Set the startup order for AppController. Set the memory size to 4096. Set the number of VCPUs to 2. For more information about Microsoft Hyper-V and the Hyper-V Manager, see the manufacturer's documentation. 40
Setting the AppController IP Address for the First Time After importing the AppController image, you need to configure the IP address. The IP address is the management address at which you can access AppController through a web browser or by using a Secure Shell (SSH) client, such as PuTTY. You can access the AppController command-line interface through the XenCenter console to specify an IP address, subnet mask, default gateway, Domain Name Servers (DNS) and a Network Time Protocol (NTP) server. The default IP address for AppController is 10.20.30.40. To change the IP address for AppController 1. In XenCenter, select the AppController virtual machine and then click the Console tab. 2. At the console logon prompt, enter the administrator credentials. The default user name for the console is administrator and the default password is password. 3. At a command prompt, press 0 to select Express Setup. 4. Select the appropriate number to change the IP address, subnet mask, default gateway, DNS servers, and NTP server. Note: Citrix recommends using an NTP server to set the date and time on AppController. 5. Press 5 to commit the changes. When you commit the changes, you are prompted to restart AppController. Review your settings and then select y to commit the changes. After AppController restarts, you can then access the management console by using the new IP address in a web browser. To open the management console, type https://appcontrolleripaddress:4443/controlpoint in the address bar of the web browser. For example, type https:// 10.20.30.40:4443/ControlPoint. The user name is administrator and the password is password. When you connect to AppController, you must use HTTPS. If you attempt to connect with HTTP, the connection fails. 41