Unable to access the Store on the mobile device if XenMobile is behind a firewall
Article ID: CTX209120
Description
When attempting device enrollment in MDM+MAM mode, the user was unable to reach the Store.
Resolution
The firewall team confirmed that traffic drops for the XenMobile Server were observed on the Palo Alto firewall. Because it is an application-level firewall configured to allow only PCI-compliant HTTP and SSL traffic (but not HTTP traffic with custom headers), it was dropping the traffic. Because the custom headers in MAM communication contain the word “Citrix”, the firewall team could see drops for HTTP traffic containing the word “Citrix”. After an exception/relaxation was allowed for this traffic and the setup was retested, the customer was able to enroll the device, reach the Store, and successfully install the XenMobile app published via the Store.
Problem Cause
On checking the XenMobile console, it was observed that enrollment (i.e. MDM communication) was successful; however, communication failed when the device tried to connect to XMS for the Store (i.e. MAM communication). In parallel traces taken on NetScaler and XMS, the NetScaler SNIP (IP address: 10.98.80.34) was seen sending the “/Citrix/Roaming/accounts” request (via the firewall interface) to the XMS server (IP address: 10.98.94.81) to fetch store information, which contains all the published apps. Here is the snippet of the above conversation.
However, this packet (IP ID: 0Xd225) was not observed reaching XMS.
However, other communication, such as the MDM enrollment traffic (HTTP request), was observed reaching XMS and receiving a response. This is seen in the HTTP request in packet #397547, in which the NetScaler SNIP sends a request to the XMS IP with IP ID 0Xd1e8.
The same packet reached the XMS server as expected (IP ID 0Xd1e8):
Based on the above observations, it seems evident that the MAM HTTP request (“/Citrix/Roaming/accounts”) is lost after leaving the NS interface. The NS traces show the packet marked as TX on the interface.
The main difference between MDM and MAM mode is the additional HTTP headers added to the request (X-Citrix-Gateway, X-Citrix-Via, X-Citrix-Via-VIP, X-Forwarded-For). As XMS was behind a Palo Alto firewall, the customer was advised to check with the firewall team to confirm whether the firewall is inspecting or modifying HTTP data in a way that might affect communication at the MAM level.
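The trace comparison described above can be scripted. The following is an added example, not part of the original article or any Citrix tooling: it matches packets from the sender-side and receiver-side captures by IP ID and reports which HTTP headers appear only in the requests that never arrived. Assumptions: the tab-separated export format, the MDM request URI and the Host/User-Agent headers are constructed for illustration, and the firewall forwards packets without NAT or rewriting the IP ID.

```python
# Added example: correlate two packet traces by IP ID (sample data is constructed).

# Packets marked TX in the NetScaler trace: ip_id, src, dst, uri, header names.
NETSCALER_TX = (
    "0Xd1e8\t10.98.80.34\t10.98.94.81\t/constructed-mdm-enroll-path\tHost,User-Agent\n"
    "0Xd225\t10.98.80.34\t10.98.94.81\t/Citrix/Roaming/accounts\t"
    "Host,User-Agent,X-Citrix-Gateway,X-Citrix-Via,X-Citrix-Via-VIP,X-Forwarded-For\n"
)
# Packets seen arriving in the XMS trace (only the MDM request shows up).
XMS_RX = "0Xd1e8\t10.98.80.34\t10.98.94.81\t/constructed-mdm-enroll-path\tHost,User-Agent\n"


def parse_trace(text):
    """Parse tab-separated lines into packet dicts; header names are lower-cased."""
    packets = []
    for line in text.strip().splitlines():
        ip_id, src, dst, uri, headers = line.split("\t")
        packets.append({
            "ip_id": int(ip_id, 16),  # accepts both 0x and 0X prefixes
            "src": src, "dst": dst, "uri": uri,
            "headers": frozenset(h.strip().lower() for h in headers.split(",")),
        })
    return packets


def split_by_delivery(sent, received):
    """Return (delivered, lost) lists of sent packets.

    The IP ID is a 16-bit field and wraps, so the key includes src and dst;
    on long captures also restrict both traces to the same time window.
    """
    seen = {(p["src"], p["dst"], p["ip_id"]) for p in received}
    delivered = [p for p in sent if (p["src"], p["dst"], p["ip_id"]) in seen]
    lost = [p for p in sent if (p["src"], p["dst"], p["ip_id"]) not in seen]
    return delivered, lost


def suspect_headers(delivered, lost):
    """Headers present in every lost request and in no delivered request."""
    if not lost:
        return set()
    common = set.intersection(*(set(p["headers"]) for p in lost))
    for p in delivered:
        common -= p["headers"]
    return common


if __name__ == "__main__":
    delivered, lost = split_by_delivery(parse_trace(NETSCALER_TX), parse_trace(XMS_RX))
    for p in lost:
        print(f"lost in transit: IP ID {p['ip_id']:#06x} {p['uri']}")
    print("headers unique to lost requests:", sorted(suspect_headers(delivered, lost)))
```

The resulting header list is what to hand to the firewall team so they can match it against their application-layer drop logs.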