Unable to access the Store on the Mobile device if XenMobile is behind firewall


Article ID: CTX209120


Description

When enrolling a device in MDM+MAM mode, the user was unable to reach the Store.

 

Resolution

The firewall team confirmed that traffic drops were observed on the Palo Alto firewall for the XenMobile Server. Because the firewall in use was an application-level firewall, it was dropping the traffic: it is configured to allow only PCI-compliant HTTP and SSL traffic (but not HTTP traffic with custom headers).
 
Because the custom headers in MAM communication contain the word “Citrix”, the firewall team could see drops for HTTP traffic containing the word “Citrix”. After an exception/relaxation was allowed for this traffic and the setup was retested, the customer was able to enroll the device, reach the Store, and successfully install the XenMobile app published via the Store.
 
 

Problem Cause

On the XenMobile console, enrollment was observed to be successful (i.e. MDM communication); however, communication fails when the device tries to connect to XMS for the Store (i.e. MAM communication).
 
Parallel traces taken on NetScaler and XMS showed the NetScaler SNIP (IP address: 10.98.80.34) sending a “/Citrix/Roaming/accounts” request (via the firewall interface) to the XMS server (IP address: 10.98.94.81) to fetch the store information, which contains all the published apps.
 
Here is a snippet of the above conversation:
User-added image

However, this packet (IP ID: 0xd225) is not observed reaching the XMS.

User-added image

Other communication, such as the MDM enrollment (HTTP request) traffic, was observed reaching XMS and receiving a response.
 
This can be seen in the HTTP request in packet #397547, in which the NetScaler SNIP sends a request to the XMS IP with IP ID 0xd1e8:

User-added image
 
The same packet reached the XMS server as expected (IP ID 0xd1e8):

User-added image

 
Based on the above observations, it is evident that the MAM HTTP request (“/Citrix/Roaming/accounts”) is lost after leaving the NS interface. The NS traces show the packet marked as TX on the interface.

User-added image

The main difference between MDM and MAM traffic is the additional HTTP headers added to the MAM request (X-Citrix-Gateway, X-Citrix-Via, X-Citrix-Via-VIP, X-Forwarded-For).
 
Because XMS was behind a Palo Alto firewall, the customer was advised to check with the firewall team whether the firewall is inspecting or modifying HTTP data in a way that might affect communication at the MAM level.
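
The trace comparison described above can be scripted. The following is an added example, not part of the original article or any Citrix tooling: it matches packets from two capture points by IP ID and reports which headers appear only on the requests that never arrived. The input rows are constructed (tab-separated IP ID, source, destination, URI, header names); the IPs, IP IDs and Store URI come from the article, while the enrollment URI and the Host/User-Agent headers are placeholders.

```python
import csv
import io

# Constructed rows: IP ID, source, destination, URI, header names.
# IPs, IP IDs and the Store URI are from the article; the enrollment URI is a placeholder.
NS_TX = (
    "0xd1e8\t10.98.80.34\t10.98.94.81\t/enroll-placeholder\tHost,User-Agent\n"
    "0xd225\t10.98.80.34\t10.98.94.81\t/Citrix/Roaming/accounts\t"
    "Host,User-Agent,X-Citrix-Gateway,X-Citrix-Via,X-Citrix-Via-VIP,X-Forwarded-For\n"
)
XMS_RX = "0xd1e8\t10.98.80.34\t10.98.94.81\t/enroll-placeholder\tHost,User-Agent\n"


def parse(text):
    """Index rows by (IP ID, src, dst); the 16-bit IP ID alone wraps and is not unique."""
    packets = {}
    for ip_id, src, dst, uri, headers in csv.reader(io.StringIO(text), delimiter="\t"):
        packets[(int(ip_id, 16), src, dst)] = {"uri": uri, "headers": set(headers.split(","))}
    return packets


def lost_in_transit(tx, rx):
    """Packets sent at the first capture point that never appear at the second."""
    return {key: pkt for key, pkt in tx.items() if key not in rx}


def suspect_headers(tx, rx):
    """Headers carried by every lost request and by no delivered request."""
    lost = lost_in_transit(tx, rx)
    if not lost:
        return set()
    delivered = [pkt for key, pkt in tx.items() if key in rx]
    common = set.intersection(*(pkt["headers"] for pkt in lost.values()))
    seen_ok = set().union(*(pkt["headers"] for pkt in delivered))
    return common - seen_ok


if __name__ == "__main__":
    tx, rx = parse(NS_TX), parse(XMS_RX)
    for (ip_id, src, dst), pkt in lost_in_transit(tx, rx).items():
        print(f"lost: id={ip_id:#06x} {src} -> {dst} {pkt['uri']}")
    print("headers only on lost requests:", sorted(suspect_headers(tx, rx)))
```

Matching on IP ID assumes no device between the two capture points rewrites the IP header, and that both captures cover the same short time window.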