Citrix XenMobile Service

The Citrix Cloud XenMobile Service is a Unified Endpoint Management (UEM) environment for managing devices, apps, and users. With XenMobile you manage device and app policies and deliver any app to users on any device or operating system. Your business information stays protected with strict security for identity, devices, apps, data, and networks.

Citrix hosts the Cloud environment in data centers located throughout the world to deliver high performance, rapid response, and support. With XenMobile Service, you pay a subscription fee instead of purchasing and managing licenses.

Citrix Cloud Operations handles various infrastructure and monitoring tasks, freeing you to focus on the user experience and on managing devices, apps, and policies.

Citrix responsibilities

XenMobile Server nodes

NetScaler Gateway initial integration and configuration

NetScaler Load Balancer

Database

Cloud Connector software configuration

SAML authentication integration with ShareFile

XenMobile site monitoring: Instance, database, enterprise connectivity (LDAP), VPN tunnel (if applicable), public SSL certificate, XenMobile licensing

Customer responsibilities

NetScaler Gateway management and updates

Machines where Cloud Connectors are installed

LDAP/Active Directory

DNS

ShareFile: Initial ShareFile configuration, on-premises StorageZone Controller installation, ShareFile updates

XenMobile configuration: Devices, policies, apps, delivery groups, actions, and client certificates

You connect to XenMobile Service through Cloud Connector, which serves as a channel for communication between Citrix Cloud and your resource locations. Cloud Connector enables cloud management without requiring any complex networking or infrastructure configuration such as VPNs or IPsec tunnels.

Resource locations contain the resources required to deliver services to your subscribers. For XenMobile Services, resource locations are your LDAP, DNS, and PKI servers.

XenMobile Deployment Handbook: Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your XenMobile environment, including reference architecture diagrams for XenMobile Service, see the XenMobile Deployment Handbook.

XenMobile Server documentation: The XenMobile Server documentation covers the latest on-premises release of XenMobile Server. For details about using the XenMobile console, see the articles under XenMobile Server. Citrix notifies you when the What’s new articles for XenMobile Service are updated for a new release.

Note these differences between XenMobile Server and XenMobile Service:

• The Remote Support client is not available for XenMobile Service.
• XenMobile Service server-side components are not FIPS 140-2 compliant.
• Citrix does not support syslog integration in XenMobile Service with an on-premises syslog server. Instead, you can download the logs from the Support page in the XenMobile console. When doing so, you must click Download All to get system logs. For details, see View and analyze log files in XenMobile.

The following diagram shows an architectural overview of a XenMobile Service cloud deployment:

Place resource locations where they best meet your business needs, such as in a public cloud, in a branch office, private cloud, or a data center. Factors that determine the choice of location include:

• Proximity to subscribers
• Proximity to data
• Scale requirements
• Security attributes

You can build any number of resource locations. For example, you might:

• Build a resource location in your data center for the head office based on subscribers and applications that require proximity to the data.
• Add a separate resource location for your global users in a public cloud. Alternatively, build separate resource locations in branch offices to provide the applications best served close to the branch workers.
• Add a further resource location on a separate network that provides restricted applications. This setup provides restricted visibility to other resources and subscribers without the need to adjust the other resource locations.

Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Cloud Connector establishes connections to Citrix Cloud. Cloud Connector doesn’t accept incoming connections.

If you require a micro VPN, you must use an on-premises NetScaler with Cloud Connector.

Cloud Connector, along with NetScaler Gateway and your servers for Exchange, web apps, Active Directory, and PKI reside in your data center. Mobile devices communicate with XenMobile Service and your on-premises NetScaler Gateway. The following diagram shows the basic architecture when using Cloud Connector with XenMobile Service. For more information, see Cloud Connector.

The following diagram shows the traffic flow for Cloud Connector.

The following figure shows the onboarding steps. When you are evaluating or purchasing XenMobile Service, the XenMobile Service Operations team provides ongoing onboarding help. The Operations team also communicates with you to ensure that the core XenMobile Services are running and configured correctly.

For a quick overview of XenMobile Service onboarding and configuration, watch this video.

To sign up for a Citrix account and request a XenMobile Service trial, contact your Citrix Sales Representative. When you’re ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears. Next to XenMobile Service, click Request Trial.

The button then changes to Trial Requested. You receive an email to notify you when your trial becomes available.While waiting for the trial, be sure to prepare for your XenMobile Service deployment by reviewing Cloud Connector. Although Citrix hosts and delivers your XenMobile Service solution, some communication and port requirements are required. That setup connects the XenMobile Service infrastructure to corporate services, such as Active Directory.

After you are authorized to access the trial, the button for XenMobile Service changes to Manage, which opens a wizard. Follow the instructions in that wizard to configure your connection to XenMobile Service.

The following diagram shows the first screen that you see when starting a trial.

To complete the setup for Cloud Connector, you need:

• An available subnet address for the XenMobile Service network.
• At least two Windows Server 2012 R2 or Windows Server 2016 machines that are joined to your Active Directory domain. The wizard guides you through installing Cloud Connector on those machines.

For more information, see Cloud Connector.

If you have a ShareFile account that existed before you signed up with Citrix Cloud, you must link that account to Citrix Cloud. To link your account, your email address must be an administrator of the ShareFile account. When you’re ready to proceed, go to https://onboarding.cloud.com.

After you log in, a screen similar to the following appears.

In the ShareFile tile, choose Link Account.

After we confirm your ShareFile account, the following page appears:

Click Link Account to complete the process. You can immediately manage your ShareFile account from within Citrix Cloud.

To enable devices and apps to communicate with XenMobile Service, you open specific ports in your firewalls. The following diagram shows the traffic flow for XenMobile Service.

 

The following tables list the ports that must be open.

Open the following ports to allow user connections from Citrix Secure Hub and Citrix Receiver through NetScaler Gateway to the following components:

• XenMobile
• StoreFront
• Other internal network resources, such as intranet websites

For more information about NetScaler Gateway, see Configuration Settings for your XenMobile Environment in the NetScaler Gateway documentation. For information about IP addresses owned by NetScaler, see How a NetScaler Communicates with Clients and Servers in the NetScaler documentation. That section includes information about the NetScaler IP (NSIP) virtual server IP (VIP) and subnet IP (SNIP) addresses.

TCP port	Description	Source	Destination
53 (TCP and UDP)	Used for DNS connections.	NetScaler Gateway	DNS server
80/443	NetScaler Gateway passes the micro VPN connection to the internal network resource through the second firewall.	NetScaler Gateway	Intranet websites
123 (TCP and UDP)	Used for Network Time Protocol (NTP) services.	NetScaler Gateway	NTP server
389	Used for insecure LDAP connections.	NetScaler Gateway	LDAP authentication server or Microsoft Active Directory
443	Used for connections to StoreFront from Citrix Receiver or Receiver for Web to XenApp and XenDesktop.	Internet	NetScaler Gateway
	Used for connections to XenMobile for web, mobile, and SaaS app delivery.	Internet	NetScaler Gateway
	Used for Cloud Connector communication – LDAP, DNS, PKI & Citrix Receiver enumeration	Cloud Connector Servers	https://*.citrixworkspacesapi.net https://*.cloud.com https://cwsproduction.blob.core.windows.net/downloads https://*.servicebus.windows.net
636	Used for secure LDAP connections.	NetScaler Gateway	LDAP authentication server or Active Directory
1494	Used for ICA connections to Windows-based applications in the internal network. Citrix recommends keeping this port open.	NetScaler Gateway	XenApp or XenDesktop
1812	Used for RADIUS connections.	NetScaler Gateway	RADIUS authentication server
2598	Used for connections to Windows-based applications in the internal network using session reliability. Citrix recommends keeping this port open.	NetScaler Gateway	XenApp or XenDesktop
3268	Used for Microsoft Global Catalog insecure LDAP connections.	NetScaler Gateway	LDAP authentication server or Active Directory
3269	Used for Microsoft Global Catalog secure LDAP connections.	NetScaler Gateway	LDAP authentication server or Active Directory
8443	Used for enrollment, XenMobile Store, and mobile app management (MAM).	NetScaler Gateway	XenMobile
	Secure Ticket Authority (STA) port used for Secure Mail authentication token	NetScaler Gateway	XenMobile
4443	Used for accessing the XenMobile console by an administrator through the browser.	Access point (browser)	XenMobile

Open the following ports to allow XenMobile to communicate in your network.

TCP port	Description	Source	Destination
443	Used for enrollment and agent setup for Android and Windows Mobile.	Internet	XenMobile
	Used for enrollment and agent setup for Android and Windows devices, and the XenMobile web console.	Internal LAN and WiFi
5223	Used for APNs outbound connections from iOS devices on Wi-Fi networks to *.push.apple.com.	iOS devices on WiFi networks	Internet (APNs hosts using the public IP address 17.0.0.0/8)
8443	Used for enrollment of iOS and Windows Phone devices.	Internet	XenMobile
		LAN and WiFi

This port configuration ensures that Android devices connecting from Secure Hub for Android can access the Citrix Auto Discovery Service (ADS) from within the internal network. The ability to access the ADS is important when downloading any security updates made available through the ADS.

Note: ADS connections might not support your proxy server. In this scenario, allow the ADS connection to bypass the proxy server.

If you want to enable certificate pinning, do the following prerequisites:

• Collect XenMobile Server and NetScaler certificates. The certificates must be in PEM format and must be a public certificate and not the private key.
• Contact Citrix Support and place a request to enable certificate pinning. During this process, you are asked for your certificates.

Certificate pinning requires that devices connect to ADS before the device enrolls. This requirement ensures that the latest security information is available to Secure Hub for the environment in which the device is enrolling. For Secure Hub to enroll a device, the device must reach the ADS. Therefore, opening ADS access within the internal network is critical to enabling devices to enroll.

To allow access to the ADS for Secure Hub for Android, open port 443 for the following FQDN and IP addresses:

FQDN	IP address
discovery.mdm.zenprise.com	54.225.219.53
	54.243.185.79
	107.22.184.230
	107.20.173.245
	184.72.219.144
	184.73.241.73
	54.243.233.48
	204.236.239.233
	107.20.198.193

The XenMobile Service (the Service) design uses industry best practices to achieve cloud scale and a high degree of service availability.

The Citrix goal is to maintain at least 99.9% availability in any 30 calendar day period. You can monitor service interruptions and scheduled maintenance on an ongoing basis at http://status.cloud.com.

Limitations

The calculation of this Service Level Goal doesn’t include loss of availability from the following causes:

• Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
• Caused by any component not managed by Citrix including, but not limited to the following:
  • Customer controlled physical and virtual machines
  • Customer installed and maintained operating systems
  • Customer installed and controlled networking equipment or other hardware
  • Customer defined and controlled security settings, group policies, and other configuration policies
  • Public cloud provider failures, ISP failures, or other failures external to the control of Citrix.
• Service disruption because of reasons beyond the control of Citrix, including natural disaster, war, acts of terrorism, or government action.

Citrix Cloud manages the control plane for XenMobile environments, including the XenMobile Server, NetScaler load balancer, and a MySQL database. The cloud service integrates with a customer data center using Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage NetScaler Gateway in their data centers.

The following figure illustrates the service and its security boundaries.

The information in this section:

• Is intended to provide an introduction to and overview of the security functionality of Citrix Cloud.
• Defines the division of responsibility between Citrix and customers for securing the Citrix Cloud deployment.
• Is not intended to serve as configuration and administration guidance for Citrix Cloud or any of its components or services.

The control plane has limited read-access to user and group objects from a customer directory and other services such as DNS. The control plane accesses those services over Citrix Cloud Connector, which uses secure HTTPS connections.

Company data, such as email, intranet, and web-app traffic, flows directly between a device and the application servers over NetScaler Gateway. NetScaler Gateway is deployed in the customer data center.

The control plane stores metadata needed for managing user devices and their mobile applications. The service itself consists of a mix of multi- and single-tenant components. However, per the service architecture, customer metadata is always stored separately for each tenant and secured by using unique credentials.

The service handles the following types of credentials:

• User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The control plane validates these credentials with a directory in the customer directory over a secure connection.
• Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This process generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the service.
• Active Directory credentials: The control plane requires bind-credentials to read user meta-data from Active Directory. These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.

Citrix recommends that you consult the published best practices documentation for deploying NetScaler Gateway within your environments.

See the following resources for more security information:

• Citrix Security Site: http://www.citrix.com/security
• Citrix Cloud Documentation: Secure Deployment Guide for the Citrix Cloud Platform
• Secure Deployment Guide for NetScaler: http://support.citrix.com/article/CTX129514