Sunday, 17 July 2016

XenMobile Deployment Prerequisites


Before you deploy the XenMobile solution and install the components, make sure you have the right prerequisites and system requirements. This effort will prepare you to configure the network settings, open ports in your firewall, install certificates and licenses, and configure authentication.

This section details the deployment information you need to gather and includes the XenMobile Solution Pre-Installation Checklist to guide you through the recommended settings.

Gathering Information Before You Deploy XenMobile Components


Before you install XenMobile components in your network, you need the right prerequisites. These prerequisites include:

1. Network settings. These settings include IP addresses, ports, DNS, Network Time Protocol (NTP) and SMTP servers, and the IP address or fully qualified domain name (FQDN) of a load balancer.

2. Hardware and sizing requirements. These include Windows Servers, hypervisors, and NetScaler Gateway requirements. The NetScaler Gateway appliance you select (VPX, MPX, or SDX) determines the maximum number of user connections to your XenMobile deployment.

3. Certificates. These include server, root, intermediate, and Apple Push Notification Service (APNS) certificates, as well as certificates for wrapping mobile apps with the MDX Toolkit.

4. Licenses. Licenses are required for XenMobile MDM Edition and NetScaler Gateway.

5. Active Directory settings. These settings are required for XenMobile MDM Edition and for XenMobile App Edition.

6. Authentication method. Before deploying XenMobile components, it's important to decide on an authentication method. For example, you should decide if you are implementing the Worx PIN that you configure in App Controller. The Worx PIN caches Active Directory credentials and works with client certificate authentication. Authentication settings can enable LDAP, RADIUS, one-time passwords, client certificate authentication, and two-factor authentication. If users connect to internal web sites, you need to configure authentication for NetScaler Gateway and SharePoint to allow single sign-on (SSO) to work.

7. Load balancers. Load balancers manage connections to your XenMobile deployment. You might also need to plan for packet inspection appliances to monitor network traffic entering your internal network.

8. Email server and data synchronization settings. These settings include Exchange Server and ActiveSync configurations for XenMobile MDM Edition and WorxMail.

9. Databases. These databases include either Microsoft SQL Server or Postgres for XenMobile MDM Edition. The Postgres database comes with XenMobile MDM Edition and installs when you install Device Manager.

Gathering Network Information


You need to identify the following network settings and configure appropriate server settings before you install the XenMobile components in your network:

1. IP addresses for each XenMobile component. For example, for NetScaler Gateway, you need the system IP (NSIP) and the subnet IP (SNIP) addresses.

2. Firewall ports. You need to open the appropriate ports in your firewall to allow network traffic to communicate with each component.

3. Domain Name Servers (DNS) for name resolution with users inside your network and users who connect from remote locations. You might need different IP addresses for each DNS server.

4. Network Time Protocol (NTP) server. The NTP server synchronizes the time between all of your network components. Citrix recommends that you use an NTP server for your XenMobile deployment.

5. SMTP server for email. When you configure an SMTP server, you need the fully qualified domain name (FQDN) of the email server, such as mail.mycompany.com. You also need to identify the port, the email addresses used for the send function, and user email addresses and passwords.

The XenMobile Pre-Installation checklist includes a section where you can write down all of your network settings. You might need to coordinate with other team members to configure the ports and servers you need for the XenMobile deployment.

Obtaining and Installing Certificates 


Certificates are used to create secure connections and authenticate users. XenMobile MDM requires a certificate from the Apple Push Notification Service (APNS). XenMobile MDM also uses its own PKI service or obtains certificates from the Microsoft Certificate Authority (CA) for client certificates.

All Citrix products support wildcard and SAN certificates. For most deployments, you only need two wildcard or SAN certificates. You can use the following formats:

1. External - *.mycompany.com
2. Internal - *.myinternaldomain.net

For NetScaler Gateway and App Controller, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway configuration utility or the App Controller management console. After you create the CSR, submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or App Controller.

For more information about installing certificates, see the following topics in Citrix eDocs:

1. NetScaler Gateway: Installing and Managing Certificates
2. App Controller: Configuring Certificates in App Controller
3. Device Manager: Requesting an APNS Certificate

Configuring Client Certificates for Authentication

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to a NetScaler Gateway virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

When users log on to the NetScaler Gateway virtual server, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.
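The decision described in this section (certificate must chain to the bound root, then the user name is read from Subject:CN) can be reproduced offline with OpenSSL. This is an added example, not Citrix code or NetScaler configuration; the CA names, subjects and helper functions are constructed, and OpenSSL stands in for the gateway's own checks.

```shell
#!/bin/sh
# Added example: OpenSSL stands in for the gateway. All names are constructed.
WORK=$(mktemp -d)

# make_ca <name>: self-signed root, like the root bound to the virtual server.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client <ca> <name> <subject>: client certificate signed by <ca>.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# authenticate <bound_root> <client>: print the user name, or return 1.
authenticate() {
  # Step 1: the certificate must chain to the bound root.
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1 ||
    { echo "deny: not issued by the bound root" >&2; return 1; }
  # Step 2: extract the user name from Subject:CN.
  user=$(openssl x509 -in "$WORK/$2.pem" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p' | head -n 1)
  [ -n "$user" ] || { echo "deny: no Subject:CN to extract" >&2; return 1; }
  printf '%s\n' "$user"
}

make_ca corp-root      # trusted root (constructed)
make_ca other-root     # CA the gateway does not trust (constructed)
issue_client corp-root  jdoe     "/CN=jdoe/O=Example Corp"
issue_client other-root outsider "/CN=jdoe/O=Elsewhere"
issue_client corp-root  kiosk    "/O=Example Corp/OU=Kiosk"

for c in jdoe outsider kiosk; do
  if u=$(authenticate corp-root "$c" 2>/dev/null); then
    echo "$c: allow as $u"
  else
    echo "$c: deny"
  fi
done
```

The second certificate carries the same CN as the first but is rejected because its issuer is not the bound root, which is why binding the correct root certificate matters when the user name comes from the certificate.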

Determining Your Hardware, Hypervisor, and Sizing Requirements


Each XenMobile component has specific hardware, hypervisor, or sizing requirements:

1. User devices. This hardware requirement includes the number and types of devices that enroll when you deploy Device Manager, such as iPads or Android phones.

2. Hardware or hypervisor. These requirements include the hardware resources to support your number of users and devices. You install App Controller and NetScaler VPX on a hypervisor, such as XenServer. You can also deploy the physical NetScaler or NetScaler Gateway appliance. The number of users who connect determines the NetScaler Gateway appliance model you select, or the number of App Controller instances you install on the hypervisor. 

Your hypervisor, such as XenServer, must contain enough disk space and memory to support multiple instances of App Controller or NetScaler VPX.

3. Sizing. Sizing depends on the number of devices that connect to XenMobile components. For example, if Device Manager supports 5,000 devices, the Device Manager server needs from 2 through 4 CPUs, a minimum of 4 gigabytes (GB) of memory, and 24 GB of disk space.

This section describes detailed hardware or hypervisor requirements for each XenMobile component.

NetScaler Gateway Requirements

To determine which of the following NetScaler Gateway models suits the needs of your organization, you need to consider how many users will connect. You can use the following guidelines:

1. NetScaler SDX - a hardware platform on which virtual instances of NetScaler and NetScaler Gateway can run. NetScaler SDX can handle up to 62,500 user connections. For more information, see the NetScaler documentation in Citrix eDocs.

2. NetScaler Gateway MPX - a physical appliance that can handle up to 7,500 user connections.

3. NetScaler Gateway VPX - a virtual machine that can handle up to 875 user connections.

