XenMobile 10 MDM SSL Offload Configuration

XenMobile 10 MDM SSL Offload Configuration

book

Article ID: CTX218327

calendar_today

Updated On:

Description

A Citrix XenMobile environment is typically configured with a NetScaler appliance that front ends and load balances the MDM traffic which it passes on to the XenMobile Servers in the backend. This NetScaler can be configured to handle this traffic in either SSL Bridge or SSL Offload mode. Though SSL Bridge is the recommended method, in certain scenarios SSL Offload may be preferred. This article provides the SSL Offload configuration information.

Notes:

  • The information in this article applies only to XenMobile version 10.x for XenMobile version 9.x related information refer to CTX200063 - XenMobile 9.0 MDM SSL Offload Configuration.
  • Citrix NetScaler provides a XenMobile deployment wizard which is recommended for XenMobile MDM load balancing configuration. Refer to Citrix eDocs for a complete list of supported NetScaler versions that are equipped with the XenMobile wizard. Refer to the following article for additional information: FAQ: XenMobile 10 and NetScaler Gateway Integration
  • Citrix XenMobile does not support backend traffic re-encryption in SSL Offload mode. The backend traffic to XenMobile Server must be HTTP (80). Refer to the following article for additional information: Supported Architectures Between NetScaler and XenMobile Server

Instructions

Steps

  1. Enable port 80 on XenMobile Server.
  2. Export XenMobile Server CA certificate.
  3. Separate Device CA and Root CA certificate.
  4. Import Device CA and Root CA certificate into NetScaler.
  5. Configure NetScaler for XenMobile MDM SSL Offload.

Instructions

Step 1: Enable port 80 on XenMobile Server

  1. Login to the XenMobile Server via CLI.

  2. Enter the Configuration Menu:

    User-added image

  3. Enter the Firewall Menu:

    User-added image

  4. Enable port 80:

    User-added image

  5. Log out from the CLI.

  6. Validate HTTP connectivity to XenMobile Server by browsing to – “http://XMS_IP/zdm/login_xdm_uc.jsp”.

  7. Perform the above steps on individual cluster nodes.

Step 2: Export XenMobile Server CA certificate

  1. Login to the XenMobile Server via Web console (https://XMS_IP:4443).

  2. Browse to the Certificates section under Settings.

  3. Select and export the “cacerts.pem” certificate.

    User-added image

Step 3: Separate Device CA and Root CA certificate

  1. The “cacerts.pem” file contains two separate certificates, the Devices CA certificate and Root CA certificate which need to be exported to separate files.

    User-added image

  2. Save the first section of “cacerts.pem” file to a new file as Device-CA.cer.

  3. Save the second section of “cacerts.pem” file to a new file as Root-CA.cer.

Step 4: Import Device CA and Root CA certificate into NetScaler

  1. Login to the NetScaler using the web browser (http://NSIP).

  2. Navigate to Traffic Management > SSL > Certificates and install both the both the certificates individually.

    User-added image

  3. In the Certificates pane, select the Devices-CA certificate and click Action > Link and choose the Root-CA certificate.

Step 5: Configure NetScaler for XenMobile MDM SSL Offload

  1. Login to the NetScaler using the web browser (http://NSIP).

  2. Browse to the XenMobile option under the Configuration tab.

  3. Select XenMobile 10 and click Get Started.

    User-added image

  4. Choose Load Balance XenMobile Servers and Continue.

    User-added image

  5. Select HTTP Communication to XenMobile Server.

    User-added image

  6. Assign the Server (SSL Listener) public certificate when prompted.

  7. Assign the Device-CA certificate when prompted.

  8. Validate the Server and Device-CA certificate chain and complete the remaining configuration.

    User-added image

  9. Save NetScaler configuration and test device enrollment.

Issue/Introduction

XenMobile 10 MDM SSL Offload Configuration.
Powered by Wolken Software