
XenMobile 10 POC Installation using SSL_Bridge

XenMobile 10 is out!
But only for new installations; the upgrade path is expected to be released in the next 6 weeks.

As there is nothing out there yet, I've decided to write up my setup.
Please bear in mind that I don't know whether this is how the developers intend it to be set up; use at your own risk. However, it's working 😉

This environment is set up using NetScaler 10.5 Build 54.
My internal network is 192.168.84.0/24 and the internal DNS namespace is cch.local.
My DMZ/external network is 192.168.137.0/24 and the external DNS namespaces are cch.external and adnlab.de (I had to reuse an official certificate for NetScaler Gateway), which means my external FQDN for MDM is mdm.cch.external and the external FQDN for NetScaler Gateway is login.adnlab.de.

Update

  • The internal load balancer for MAM must have the same name as the FQDN entered in the XMS server
  • With NetScaler 10.5 Build 55 you no longer need to create the MDM load balancer manually, as the wizard no longer runs into conflicts

XenMobile Server Setup
1. Download the Appliance from , import it to your hypervisor and start it.

2. Set a username and password for the local user account.

3. Enter your network information.

4. Random secrets always sound good.

5. Connect to MSSQL; in my test environment this is on the domain controller.
Important! The account used for DB access must be specified in SamAccountName format, i.e. domain\username.

6. Cluster: in preparation for more blog posts.

7. Important! Specify the external FQDN.

8. Enter y to commit the settings.

9. I'm using the default ports.

10. As this is just a test environment, I'm going to use the same password for all certificates.

11. We don't upgrade from an earlier version.

12. Console configuration is finished; now open a web browser, connect to https://xms-server:4443 and ignore the SSL certificate warning.

13. Log in with the credentials specified during the console initialization.

14. Next.

15. I don't have a license server in place right now, so I'm skipping this configuration.

16. On the certificate page, click on Import.

17. Select a non-chained web certificate for SAML; it doesn't matter whether it comes from a public or a private PKI.

18. Click OK, we want to replace the certificate.

(missing screenshot)
19. Import the APNS certificate if you want to use iOS devices as well.

20. On the next menu, enter the external FQDN for NetScaler Gateway.

21. Click on Add and enter the callback address and VIP for NetScaler Gateway (usually the same FQDN as the external one).
That address must be reachable from the XenMobile Server.

22. On the next screen, enter your details for connecting to your domain controller.

23. Enter your SMTP details if they exist 😉

24. Review everything and save it.

25. Click Start Managing.

26. Click on Configure -> Device Policies -> Add.

27. Search for Passcode.

28. Name the policy.

29. Set the parameters for the iOS passcode policy.

30. Set the parameters for the Android password policy.

31. Samsung KNOX configuration.

32. Windows Phone settings.

33. Windows tablet password configuration.

34. This is going to be effective for all users.

35. Second policy for deploying the internal CA certificate: search for Credentials.

36. Give it a name.

37. Import the Microsoft CA certificate in Base64 format.

38. Same for Android.

39. And for Windows Phone.

40. Add it to the deployment group for all users.

41. Go to Configure -> Apps and click on Add.

42. Select MDX File.

43. I am going to create an app distribution for WorxWeb.

44. Select the wrapped WorxWeb MDX for iOS and set the desired options.

45. Select the wrapped WorxWeb MDX for Android and set the desired options.

46. And import the MDX for Windows Phone 8.1.

47. No workflow.

48. For all users. Note that this alone does not push the app out to the user; to push the app you must change that directly in the delivery group.

NetScaler Setup
49. Go over to your NetScaler and log on.

50. Enable the SSL feature.

51. Import the required certificates.
The internal wildcard is used for an internal load balancer for MAM and the official certificate is used for NetScaler Gateway.

52. I'm going to use the wizard as this is a fresh NetScaler, and furthermore it is just for a POC.

53. Do not select the wizard for Load Balance MDM, otherwise the wizard will crash as it tries to add the same server IP multiple times.
Select only the wizard for NetScaler Gateway.

54. Set the vServer name and VIP.

55. Select the public certificate.

56. Enter your Active Directory LDAP details.

57. Use a new internal name and make sure that DNS points to the IP used. NetScaler must be able to resolve the FQDN.

58. Select the internal certificate.

59. Add the IP of your XenMobile 10 server using port 8443.

60. The wizard didn't activate the NetScaler Gateway feature; right click it -> Enable.

61. Now we need to create the vServer for MDM. As you can see, the server is already added, and that's where the MDM wizard would crash.

62. Create a new service group under Traffic Management -> Load Balancing -> Service Groups.

63. We are going to create an SSL_Bridge service group for MDM port 443.

64. Click on Service Group Members.

65. Choose the existing server, select your XMS IP and enter 443 as the port.

66. Click on Service Group to Monitor Binding.

67. Select tcp and bind it as the monitor.

68. We are going to redo the steps for port 443, but for port 8443: add another service group of type SSL_Bridge.

69. Select your XMS IP again, but this time enter 8443.

70. And bind a tcp monitor.

71. Your final result on Service Groups should look like this. If a service group is down directly after creating it, try to refresh, as sometimes the GUI is faster than the first monitor check.

72. Switch over to Traffic Management -> Load Balancing -> Virtual Servers and click on Add.

73. Create a new vServer using the IP that your external MDM FQDN resolves to, for port 443.

74. Click on Load Balancing Service Group Binding.

75. Select the service group for MDM on port 443 created earlier.

76. Click on Done.

77. Add another vServer, but this time it is going to be used for port 8443.

78. Bind a service group.

79. And select the service group being used for 8443.

80. Click on Done.

81. Your final result on the virtual server configuration should look like this.

82. As the last step you need to add the external FQDN to be rewritten by NetScaler Gateway, otherwise you won't be able to open the Worx Store. Click on NetScaler Gateway -> Global Settings -> Configure Domains for Clientless Access.

83. And add your external FQDN of MDM there.
The FQDN of your MAM load balancer should be in here too.
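For reference, here is the NetScaler CLI equivalent of steps 62 to 83 (service groups with tcp monitors, the two SSL_Bridge load-balancing vServers and the clientless-access domains). This is an added example written for this page, not the author's exported configuration. The object names (xms-server, svcgrp_mdm_443, lb_mdm_443 and so on), the XMS address 192.168.137.10, the VIP 192.168.137.20 and the MAM load balancer name mam.cch.local are assumptions; mdm.cch.external is the external MDM FQDN from the post. The patset name ns_cvpn_default_inet_domains is, to my knowledge, where the "Configure Domains for Clientless Access" dialog stores its entries on 10.5; confirm it on your box with `show policy patset` before relying on it.

```nscli
# Added example, not the author's config. Assumed values:
#   192.168.137.10 = XenMobile Server (XMS), 192.168.137.20 = VIP that mdm.cch.external resolves to
# Steps 50 and 60: features needed for load balancing, SSL and NetScaler Gateway
enable ns feature SSL LB SSLVPN

# Step 61: the server object. The Gateway wizard has already created it, which is why the
# MDM wizard (step 53) fails when it tries to add the same IP again.
add server xms-server 192.168.137.10

# Steps 62-67: SSL_BRIDGE means NetScaler forwards the TLS session untouched, so the
# certificate the device validates is the one installed on XMS, not one on NetScaler.
add serviceGroup svcgrp_mdm_443 SSL_BRIDGE
bind serviceGroup svcgrp_mdm_443 xms-server 443
bind serviceGroup svcgrp_mdm_443 -monitorName tcp

# Steps 68-70: same again for the enrollment/MAM port 8443
add serviceGroup svcgrp_mdm_8443 SSL_BRIDGE
bind serviceGroup svcgrp_mdm_8443 xms-server 8443
bind serviceGroup svcgrp_mdm_8443 -monitorName tcp

# Steps 72-80: one vServer per port on the VIP of mdm.cch.external; no certificate is
# bound here because in SSL_BRIDGE mode NetScaler never terminates the TLS session.
add lb vserver lb_mdm_443 SSL_BRIDGE 192.168.137.20 443
bind lb vserver lb_mdm_443 svcgrp_mdm_443

add lb vserver lb_mdm_8443 SSL_BRIDGE 192.168.137.20 8443
bind lb vserver lb_mdm_8443 svcgrp_mdm_8443

# Steps 82-83: domains NetScaler Gateway rewrites for clientless access (patset name assumed)
bind policy patset ns_cvpn_default_inet_domains mdm.cch.external -index 1
bind policy patset ns_cvpn_default_inet_domains mam.cch.local -index 2

# Step 71/81: both service groups and vServers should report state UP once the tcp
# monitor has completed its first probe
show serviceGroup svcgrp_mdm_443
show serviceGroup svcgrp_mdm_8443
show lb vserver lb_mdm_443
show lb vserver lb_mdm_8443
save ns config
```

Two points worth keeping in mind when you copy this: a tcp monitor only proves that XMS accepts a TCP handshake on the port, not that the HTTPS service behind it or its certificate is healthy, so the device-side test in the Result section is still the real acceptance check; and because the bridge passes TLS through, the certificate that enrolling devices see on 443 and 8443 is the one configured on XMS during the console setup, which is exactly why it has to be trusted by the device rather than by NetScaler.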

Result

and it “worx”!

——————————————————

Appendix
I forgot to include the screenshots for the APNS and SAML certificates.
1. On the XMS, click on Configure -> Settings -> Certificates.

2. Click on Import.

3. Select Keystore, PKCS#12, Use as APNS, and select your APNS certificate provided by Apple.

4. Click again on Import.
Select Keystore, PKCS#12, Use as SAML, and select the non-chained web server certificate.

This post has 6 comments

  1. Hello, this is a very good tutorial.

    Since NetScaler now provides a wizard for XenMobile integration, do we still need to perform steps 82 and 83 in this tutorial? Because I followed Robin Hobo's tutorial on installing and configuring XenMobile (including NetScaler, using the wizard) and MDM functions fine, but I cannot access the Worx Store with the error message: “Please contact support for accessing your app” … I suppose it has something to do with steps 82 and 83.

    1. Hi Dwianto,

      NetScaler Gateway must rewrite the URL sent out by XMS for the Worx Store, otherwise there is no access token.
      In other words, your symptoms are typical for missing rewrites, meaning: go ahead and add the official URL of your XMS in steps 82 and 83 if the wizard has not done so already.

  2. Can we install my POC without using NetScaler?
    And I don't have any certificate except internally; can you show us how to generate it?
    Can you also show us how you enrolled your device?

    Your tutorial is very helpful, thank you very much.

    1. Hi Youssef,

      sorry, I was quite busy lately.
      Yes, you can run XenMobile without NetScaler in place, but you will lose the mVPN functionality.

      The device can be enrolled using WorxHome by entering the FQDN of the XMS server.

  3. In step 52, why is a private wildcard certificate really necessary for the MAM load balancer? Can we use the external cert for XMS if, according to your updated status, the FQDN of the MAM load balancer must be exactly the same as for XMS?

    1. Hi Igor,
      it must be a valid trusted certificate for the client device. At the time of writing, it was possible to deploy the internal CA certificate via MDM. Due to enhancements it seems that this is not working anymore, as the device hits the load balancer before the root certificate is distributed. My recommendation is to use a public certificate on the MAM load balancer (the same one you may use on the XMS server).

      Mauricio
