Citrix XenMobile and the Mobile Solutions Bundle: Lessons Learned from the Field Nick Rintalan, Senior Architect, Citrix Consulting May 3, 2013


DESCRIPTION

Citrix Consulting has recently conducted a few large projects with XenMobile and the Mobile Solutions Bundle. This presentation contains some of the important lessons learned from these field projects. If you would like to learn the “top 10 gotchas” that the project teams faced while implementing XenMobile, then this presentation is for you!


Agenda

• Citrix Mobility Products – Quick Review

• Versions “In Play”

• Top 10 Lessons Learned from the Field
  ᵒ Where do these lessons come from?
  ᵒ The first few big CCS projects involving XenMobile and the Mobile Solutions Bundle

• Resources & References

Citrix Mobility Products (as of April 2013)

• XenMobile MDM Edition (MDM Only = formerly Zenprise)

• Mobile Solutions Bundle (MDM+MAM = ZP + CGW)

Which Versions Are In Play?

• XenMobile Device Manager 8.0.1

• AppController 2.6

• StoreFront 1.2

• NetScaler 10.0.735002e

• @WorkMail/Web 1.0x and 1.1x

• Citrix Mobile Connect/Enroll 8.0.1

• Citrix Receiver 3.4/5.7.1/3.360 (Win/iOS/Android)

Top 10 Lessons Learned

10 – XM vs. MSB

• XenMobile and the Mobile Solutions Bundle are not one and the same

• Why?
  ᵒ XenMobile MDM = XDM (and maybe NetScaler)
  ᵒ MSB = XDM, AppController, StoreFront and NetScaler (and optionally ShareFile)
  ᵒ MSB also includes the @work apps (more on this later, but app wrapping can be a bit trickier than one might think…it’s easy once everything is in place)

• Make sure to scope projects involving the entire MSB with more time
  ᵒ An in-depth XM POC may take a few days
  ᵒ An all-inclusive MSB POC can take a couple weeks

9 – Certs and More Certs

• Almost every component in the MSB architecture requires SSL certificates to function properly
  ᵒ StoreFront, AppController, NetScaler and XenMobile Device Manager (XDM)
  ᵒ Wildcard certs make life a lot easier

• Get the requests for certs in early
  ᵒ Also important to differentiate what needs an “external” cert from a public CA vs. an “internal” cert from an internal CA

• Also of note – XDM requires persistence and terminates the SSL connection (not NS!), which is why “SSL_BRIDGE” is used to load balance and provide HA for multiple XDM servers
  ᵒ We are still looking into alternative strategies with SSL Offload

8 – High Availability

• Each MSB component has a slightly different form of HA
  ᵒ StoreFront multi-server deployment with remote SQL DB for app subscriptions
  ᵒ AppController appliance failover pair
  ᵒ XDM “clustering” (more on this in a minute)
  ᵒ NetScaler HA

• Extra IPs are required for NS and AppController, so make sure the networking team knows about these well in advance
  ᵒ AppController HA works very similarly to Windows NLB (Network Load Balancing), if you are familiar with it

• Also of note – XDM does not officially support database mirroring for its SQL database (only clustering in the current release)

7 – AppController Multi-Tenancy

• Current version of AppC (2.6) does not support multiple domains or forests
  ᵒ This means a pair of AppControllers is required for each tenant that resides in a separate domain or forest

• A future version will support multi-tenancy and multiple domains

6 – XDM Clustering

• XDM uses Tomcat clustering for High Availability
  ᵒ This is not the same as Failover Clustering (formerly Microsoft Clustering Services)

• In order to enable HA, one has to manually edit a config file on each XDM server

• Sends multicast traffic to/from each XDM server
  ᵒ Saw an issue with this at one customer since their switch was blocking multicast and broadcast traffic – a change to the switch was required

5 – App Prep Tool and @Work App Wrapping

• The (Citrix) App Preparation Tool only runs on Mac OS X (10.7 or higher) at this time
  ᵒ Make sure a Mac is available prior to the start of the POC or engagement!

• An Apple Developer Enterprise license is required to wrap apps
  ᵒ See slide notes or References/Resources for more details

• Any mobile application (not just custom or 3rd party apps) needs to be wrapped with the App Prep Tool
  ᵒ This means the Citrix @work apps included!
  ᵒ The wrapping itself is a fairly simple process, but is required to sign and distribute the apps (legally)
  ᵒ Also provides the MDX logic so we can apply “container” policies

4 – NetScaler is Your Friend

• NetScaler will be an integral part of almost every MSB deployment
  ᵒ Provides load balancing for StoreFront and XDM
  ᵒ Access Gateway functionality (ICA Proxy)
  ᵒ Micro-VPN feature = NS SSL VPN
  ᵒ Session policies required for mobile and native Receivers
  ᵒ The new XenMobile NetScaler Connector (XNC) performs ActiveSync filtering via HTTP Callout, Caching and SSL Offload
    • Note XNC is used for native email as opposed to @WorkMail (i.e. native iOS email client or Touchdown on Android)
    • Very scalable solution with the Caching feature of NS (Ent+ licensing)
    • See Resources/References for more details on XNC

3 – Exchange Web Services vs. ActiveSync

• The 1.0.x version of @WorkMail for iOS used Exchange Web Services (EWS)

• The new 1.1.x version of @WorkMail for iOS uses ActiveSync (AS)
  ᵒ This means it’s critical to ensure AS is enabled in the Exchange environment
  ᵒ This move from EWS to AS allows us to support push-enabled mail

• Android has used AS from the beginning

2 – APNS and Port 8443

• A certificate for the Apple Push Notification Service (APNS) is required if you have any iOS devices
  ᵒ This is hosted by Apple in their cloud – cannot be on-prem
  ᵒ You need the APNS cert when installing XDM
  ᵒ Uses ports 2195, 2196 and 5223 (XDM *.push.apple.com)

• Port 8443 must be open on the EXTERNAL firewall as well
  ᵒ Required for Over-the-Air (OTA) enrollment of iOS devices
  ᵒ Cannot be proxied through 443 – must be 8443!
  ᵒ Android (and Windows Mobile) use ports 80/443 by the way (not 8443)
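
A pre-deployment check for the port requirements on this slide, as an added example that is not part of the original presentation: it audits a firewall rule export with first-match semantics and reports which required flows are blocked and by which rule. The rule export format, the sample rules and the flow directions are assumptions made for illustration.

```python
# Added example: flow directions are an assumption (APNS ports outbound from XDM
# to *.push.apple.com; enrollment ports inbound to XDM on the external firewall).
REQUIRED_FLOWS = [
    ("outbound", 2195, "APNS"), ("outbound", 2196, "APNS"), ("outbound", 5223, "APNS"),
    ("inbound", 8443, "iOS OTA enrollment"),
    ("inbound", 443, "Android/Windows Mobile"), ("inbound", 80, "Android/Windows Mobile"),
]

# Constructed sample export, one rule per line: action direction proto ports
SAMPLE_RULES = """\
permit inbound tcp 443
permit inbound tcp 80
permit outbound tcp 2195-2196
deny inbound tcp 8000-8999    # broad deny placed above the 8443 permit
permit inbound tcp 8443
deny any tcp 1-65535
"""

def parse_rules(text):
    """Parse the hypothetical export format into (action, direction, lo, hi)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        action, direction, _proto, ports = line.split()
        lo, _, hi = ports.partition("-")
        rules.append((action, direction, int(lo), int(hi or lo)))
    return rules

def verdict(rules, direction, port):
    """First matching rule wins; no match is an implicit deny (rule None)."""
    for number, (action, rule_dir, lo, hi) in enumerate(rules, 1):
        if rule_dir in (direction, "any") and lo <= port <= hi:
            return action, number
    return "deny", None

def audit(rules):
    """Return required flows that are not permitted, with the blocking rule."""
    gaps = []
    for direction, port, purpose in REQUIRED_FLOWS:
        action, number = verdict(rules, direction, port)
        if action != "permit":
            gaps.append((direction, port, purpose, number))
    return gaps

if __name__ == "__main__":
    for direction, port, purpose, number in audit(parse_rules(SAMPLE_RULES)):
        print(f"BLOCKED {direction} tcp/{port} ({purpose}) by rule {number}")
```

In the sample, the 8443 permit exists but is shadowed by an earlier deny range, so the audit still flags iOS enrollment as blocked.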

1 – Bandwidth & Scalability

• If using the @work apps and Micro-VPN feature of NS, bandwidth for each device will increase significantly
  ᵒ Micro-VPN essentially means full SSL VPN tunnel!
  ᵒ Much more resource intensive compared to basic LB services or ICA Proxy, which most of us are familiar with

• How significant is “significant”?
  ᵒ We’ve seen an increase of 3-5x compared to traditional LB or ICA proxy traffic
  ᵒ Make sure to size your NetScaler pairs appropriately for the use case
  ᵒ Preliminary sizing guidance is being created as we speak

Resources & References

• XDM High Availability (Tomcat Clustering)
  ᵒ http://support.citrix.com/proddocs/topic/xmob-dm-8/xmob-dm-manage-ha-wrapper-con.html

• Load Balancing/HA of XDM with NetScaler
  ᵒ http://blogs.citrix.com/2013/03/12/fronting-xenmobile-mdm-with-netscaler/

• Apple Developer Enterprise Licensing Program
  ᵒ https://developer.apple.com/programs/start/ios/

• XNC
  ᵒ http://blogs.citrix.com/2013/04/15/top-10-reasons-why-citrix-xenmobile-mdm-and-netscaler-solution-is-the-way-to-go/

• StoreFront Planning Guide
  ᵒ http://support.citrix.com/article/CTX136547
