Citrix Endpoint Management

Integrating with NetScaler Gateway and Citrix ADC

When integrated with Citrix Endpoint Management, NetScaler Gateway provides an authentication mechanism for remote device access to the internal network for MAM devices. The integration enables Citrix mobile productivity apps to connect to corporate servers in the intranet through a micro VPN. Citrix Endpoint Management creates a micro VPN from the apps on the device to NetScaler Gateway. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.

When a user opts out of MDM enrollment, devices enroll using the NetScaler Gateway FQDN.

Citrix Cloud Operations manages Citrix ADC load balancing.

Design Decisions

The following sections summarize the many design decisions to consider when planning a NetScaler Gateway integration with Citrix Endpoint Management.

Certificates

Decision details:

  • Do you require a higher degree of security for enrollment and access to the Citrix Endpoint Management environment?
  • Is LDAP not an option?

Design guidance:

The default configuration for Citrix Endpoint Management is user name and password authentication. To add another layer of security for enrollment and access to the Citrix Endpoint Management environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.

If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to Citrix Endpoint Management. Users then enroll using a unique PIN that Citrix Endpoint Management generates for them. After a user has access, Citrix Endpoint Management creates and deploys the certificate later used to authenticate to the Citrix Endpoint Management environment.

Citrix Endpoint Management supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, Citrix Endpoint Management uses NetScaler Gateway to manage revocation. When you configure client certificate-based authentication, consider whether you need to enable the NetScaler Gateway CRL setting Enable CRL Auto Refresh. This setting makes sure that the user of a device enrolled in MAM only can’t authenticate using an existing certificate on the device. Citrix Endpoint Management reissues a new certificate, because it doesn’t restrict a user from generating a user certificate if one is revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.

Dedicated or shared NetScaler Gateway VIPs

Decision details:

  • Do you currently use NetScaler Gateway for Citrix Virtual Apps and Desktops?
  • Will Citrix Endpoint Management use the same NetScaler Gateway as Citrix Virtual Apps and Desktops?
  • What are the authentication requirements for both traffic flows?

Design guidance:

When your Citrix environment includes Citrix Endpoint Management plus Virtual Apps and Desktops, you can use the same NetScaler Gateway virtual server for both. However, because of potential versioning conflicts and the need for environment isolation, a dedicated NetScaler Gateway is recommended for each Citrix Endpoint Management environment.

If you use LDAP authentication, Citrix Secure Hub can authenticate to the same NetScaler Gateway with no issues. If you use certificate-based authentication, Citrix Endpoint Management pushes a certificate in the MDX container and Citrix Secure Hub uses the certificate to authenticate with NetScaler Gateway.

You might consider this workaround, which allows you to use the same FQDN for two NetScaler Gateway VIPs. You can create two NetScaler Gateway VIPs with the same IP address. The one for Citrix Secure Hub uses the standard port 443 and the one for Citrix Virtual Apps and Desktops (which deploys the Citrix Workspace app) uses port 444. Then, one FQDN resolves to the same IP address. For this workaround, you might need to configure StoreFront to return an ICA file for port 444 instead of the default, port 443. This workaround doesn’t require users to enter a port number.
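The workaround works because the ICA file that StoreFront returns carries the gateway address and port, so the user never types one. The following script is an added example (not Citrix or StoreFront code) that checks an ICA file for that: it assumes the gateway address is carried in the [WFClient] SSLProxyHost entry, as it is for Gateway-routed launches, and the sample ICA text is constructed for the example.

```python
"""Check that a StoreFront-issued ICA file sends HDX launches to the
port-444 NetScaler Gateway VIP of the shared-FQDN workaround.

Added example, not Citrix or StoreFront code. Assumption: the gateway
address is the [WFClient] SSLProxyHost entry (host or host:port).
"""
import configparser
from typing import Optional, Tuple

# Constructed sample ICA file; the STA ticket value is a placeholder.
SAMPLE_ICA = """\
[Encoding]
InputEncoding=UTF8

[WFClient]
Version=2
ProxyType=Auto
SSLProxyHost=access.example.com:444
SSLEnable=On

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA01;<constructed-sta-ticket>
SSLEnable=On
"""


def gateway_endpoint(ica_text: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from SSLProxyHost; port defaults to 443 when absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the ICA key spelling as written
    parser.read_string(ica_text)
    if not parser.has_option("WFClient", "SSLProxyHost"):
        return None
    host, _, port = parser["WFClient"]["SSLProxyHost"].partition(":")
    return host, (int(port) if port else 443)


def uses_shared_fqdn_workaround(ica_text: str, fqdn: str, port: int = 444) -> bool:
    """True when the ICA file launches through <fqdn>:<port> (444 in the workaround)."""
    endpoint = gateway_endpoint(ica_text)
    return endpoint is not None and endpoint[0].lower() == fqdn.lower() and endpoint[1] == port


if __name__ == "__main__":
    print(gateway_endpoint(SAMPLE_ICA))
    print(uses_shared_fqdn_workaround(SAMPLE_ICA, "access.example.com"))
```

Run it against an ICA file downloaded from StoreFront after the port change; a result of False with port 443 means StoreFront is still returning the default port and Workspace app launches will hit the Citrix Secure Hub VIP instead.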

NetScaler Gateway time-outs

Decision details:

  • How do you want to configure the NetScaler Gateway time-outs for Citrix Endpoint Management traffic?

Design guidance:

NetScaler Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended configurations. Keep in mind that there are different time-out values for background services, NetScaler Gateway, and for accessing applications while offline.

Enrollment FQDN

Important:

Changing the enrollment FQDN requires a new SQL Server database and a Citrix Endpoint Management server rebuild.

Citrix Secure Web traffic

Decision details:

  • Will you restrict Citrix Secure Web to internal web browsing only?
  • Will you enable Citrix Secure Web for both internal and external web browsing?

Design guidance:

If you plan to use Citrix Secure Web for internal web browsing only, the NetScaler Gateway configuration is straightforward. However, if Citrix Secure Web can’t reach all internal sites by default, you might need to configure firewalls and proxy servers.

If you plan to use Citrix Secure Web for both internal and external browsing, you must enable the SNIP to have outbound internet access. IT generally views enrolled devices (using the MDX container) as an extension of the corporate network. Thus, IT typically wants Citrix Secure Web connections to come back to NetScaler Gateway, go through a proxy server, and then go out to the Internet. By default, Citrix Secure Web access tunnels to the internal network. Citrix Secure Web uses a per-application VPN tunnel back to the internal network for all network access and NetScaler Gateway uses split tunnel settings.

For a discussion of Citrix Secure Web connections, see Configuring User Connections.

Push Notifications for Citrix Secure Mail

Decision details:

  • Will you use push notifications?

Design guidance for iOS:

If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off: NetScaler Gateway must allow traffic from Citrix Secure Mail to the Citrix listener service URLs. Those URLs are specified in push notifications for Citrix Secure Mail for iOS.

Design guidance for Android:

Use Firebase Cloud Messaging (FCM) to control how and when Android devices need to connect to Citrix Endpoint Management. With FCM configured, any security action or deploy command triggers a push notification to Citrix Secure Hub to prompt the user to reconnect to the Citrix Endpoint Management server.

HDX STAs

Decision details:

  • What STAs to use if you integrate HDX application access?

Design guidance:

HDX STAs must match the STAs in StoreFront and must be valid for the Virtual Apps and Desktops site.

Citrix Files and ShareFile

Decision details:

  • Will you use a storage zones controller in the environment?
  • What Citrix Files VIP URL will you use?

Design guidance:

If you include a storage zones controller in your environment, make sure that you correctly configure the following:

  • Citrix Files Content Switch VIP (used by the Citrix Files Control Plane to communicate with the storage zones controller servers)
  • Citrix Files Load Balancing VIPs
  • All required policies and profiles

For information, see the documentation for Storage zones controller.

SAML IdP

Decision detail:

  • If SAML is required for Citrix Files, do you want to use Citrix Endpoint Management as the SAML IdP?

Design guidance:

The recommended best practice is to integrate Citrix Files with Citrix Endpoint Management, a simpler alternative to configuring SAML-based federation. Citrix Endpoint Management provides Citrix Files with:

  • Single sign-on (SSO) authentication of Citrix mobile productivity apps users
  • User account provisioning based on Active Directory
  • Comprehensive access control policies

The Citrix Endpoint Management console enables you to do Citrix Files configuration and to monitor service levels and license usage.

There are two types of Citrix Files clients: Citrix Files for Citrix Endpoint Management (also known as wrapped Citrix Files) and Citrix Files mobile clients (also known as unwrapped Citrix Files). To understand the differences, see How Citrix Files for Citrix Endpoint Management Clients differ from Citrix Files mobile clients.

You can configure Citrix Endpoint Management and Citrix Files to use SAML to provide SSO access to:

  • Citrix Files apps that are MAM SDK enabled or wrapped by using the MDX Toolkit
  • Non-wrapped Citrix Files clients, such as the website, Outlook plug-in, or sync clients

If you want to use Citrix Endpoint Management as the SAML IdP for Citrix Files, make sure that the proper configurations are in place. For details, see SAML for SSO with Citrix Files.

ShareConnect direct connections

Decision detail:

  • Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?

Design guidance:

ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, Citrix Endpoint Management uses NetScaler Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.

Enrollment FQDN for each management mode

Management mode                        | Enrollment FQDN
---------------------------------------|------------------------------------------------------------------
MDM+MAM with mandatory MDM enrollment  | Citrix Endpoint Management server FQDN
MDM+MAM with optional MDM enrollment   | Citrix Endpoint Management server FQDN or NetScaler Gateway FQDN
MAM-only                               | Citrix Endpoint Management server FQDN
MAM-only (legacy)                      | NetScaler Gateway FQDN

Deployment Summary

If you have many Citrix Endpoint Management instances, such as for test, development, and production environments, you must configure NetScaler Gateway for the additional environments manually. When you have a working environment, take note of the settings before trying to configure NetScaler Gateway manually for Citrix Endpoint Management.

A key decision is whether to use HTTPS or HTTP for communication to the Citrix Endpoint Management server. HTTPS provides secure back-end communication, as traffic between NetScaler Gateway and Citrix Endpoint Management is encrypted. The re-encryption impacts Citrix Endpoint Management server performance. HTTP provides better Citrix Endpoint Management server performance. Traffic between NetScaler Gateway and Citrix Endpoint Management is not encrypted. The following tables show the HTTP and HTTPS port requirements for NetScaler Gateway and Citrix Endpoint Management.

HTTPS

Citrix typically recommends SSL Bridge for NetScaler Gateway MDM virtual server configurations. For NetScaler Gateway SSL Offload use with MDM virtual servers, Citrix Endpoint Management supports only port 80 as the back-end service.

Management mode | NetScaler Gateway load balancing method | SSL re-encryption | Citrix Endpoint Management server port
----------------|-----------------------------------------|-------------------|---------------------------------------
MAM             | SSL Offload                             | Enabled           | 8443
MDM+MAM         | MDM: SSL Bridge                         | N/A               | 443, 8443
MDM+MAM         | MAM: SSL Offload                        | Enabled           | 8443

HTTP

Management mode | NetScaler Gateway load balancing method | SSL re-encryption | Citrix Endpoint Management server port
----------------|-----------------------------------------|-------------------|---------------------------------------
MAM             | SSL Offload                             | Enabled           | 8443
MDM+MAM         | MDM: SSL Offload                        | Not supported     | 80
MDM+MAM         | MAM: SSL Offload                        | Enabled           | 8443
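When you write down the settings of a working environment before configuring NetScaler Gateway by hand for another one, it helps to check the plan against the rules above. The following script is an added example (not Citrix code) that does so: the port and re-encryption rules are transcribed from the HTTP and HTTPS tables, and the remaining checks follow the Certificates and Dedicated or shared VIPs guidance earlier on this page. The plan fields, severity prefixes and finding texts are this example's own conventions.

```python
"""Design-review checks for a planned NetScaler Gateway / Citrix Endpoint
Management integration. Added example, not Citrix code; field names and
finding texts are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (scheme to CEM server, traffic flow, load-balancing method) ->
# (allowed back-end ports, SSL re-encryption), from the page's tables.
PORT_RULES: Dict[Tuple[str, str, str], Tuple[Tuple[int, ...], str]] = {
    ("https", "MAM", "SSL Offload"): ((8443,), "Enabled"),
    ("https", "MDM", "SSL Bridge"):  ((443, 8443), "N/A"),
    ("http",  "MAM", "SSL Offload"): ((8443,), "Enabled"),
    ("http",  "MDM", "SSL Offload"): ((80,), "Not supported"),
}


@dataclass
class GatewayPlan:
    """One traffic flow of a proposed design (field names are assumptions)."""
    traffic: str                  # "MDM" or "MAM"
    scheme: str                   # "http" or "https" from gateway to CEM server
    lb_method: str                # "SSL Bridge" or "SSL Offload"
    backend_port: int             # CEM server port the gateway forwards to
    auth: str = "ldap"            # "ldap", "certificate" or "ldap+certificate"
    crl_auto_refresh: bool = False            # NetScaler Gateway "Enable CRL Auto Refresh"
    shared_with_virtual_apps: bool = False    # same gateway as Virtual Apps and Desktops


def review(plan: GatewayPlan) -> List[str]:
    """Return findings as 'LEVEL: text' strings; an empty list means no issue found."""
    findings: List[str] = []
    key = (plan.scheme.lower(), plan.traffic.upper(), plan.lb_method)
    rule = PORT_RULES.get(key)
    if rule is None:
        # e.g. MDM with SSL Offload over HTTPS: the page lists SSL Offload on
        # MDM virtual servers only with port 80 as the back-end service
        findings.append(f"ERROR: {plan.traffic} over {plan.scheme} with {plan.lb_method} "
                        "is not a combination in the port tables")
    else:
        ports, reencrypt = rule
        if plan.backend_port not in ports:
            allowed = "/".join(str(p) for p in ports)
            findings.append(f"ERROR: {plan.traffic} over {plan.scheme} with {plan.lb_method} "
                            f"requires back-end port {allowed}, plan uses {plan.backend_port}")
        if reencrypt == "Not supported":
            findings.append("WARN: traffic between NetScaler Gateway and the Citrix Endpoint "
                            "Management server is not encrypted on this path")
    if plan.traffic.upper() == "MDM" and plan.lb_method == "SSL Offload":
        findings.append("INFO: SSL Bridge is the recommended method for MDM virtual servers")
    if "certificate" in plan.auth and not plan.crl_auto_refresh:
        findings.append("WARN: certificate authentication without CRL Auto Refresh: a revoked "
                        "certificate already on a MAM-only device could still authenticate")
    if plan.shared_with_virtual_apps:
        findings.append("INFO: a dedicated NetScaler Gateway per Citrix Endpoint Management "
                        "environment is recommended (versioning conflicts, isolation)")
    return findings


def levels(findings: List[str]) -> List[str]:
    """Severity prefix of each finding, handy for gating a review on ERROR."""
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    sample_plans = [
        GatewayPlan("MDM", "https", "SSL Bridge", 443),
        GatewayPlan("MDM", "http", "SSL Offload", 443, shared_with_virtual_apps=True),
        GatewayPlan("MAM", "https", "SSL Offload", 8443, auth="ldap+certificate"),
    ]
    for plan in sample_plans:
        print(plan.traffic, plan.scheme, plan.lb_method, plan.backend_port)
        for finding in review(plan) or ["OK"]:
            print("  ", finding)
```

For an MDM+MAM deployment, run review once per flow (an MDM plan and a MAM plan), since the tables give each flow its own load-balancing method and back-end port.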

For diagrams of NetScaler Gateway in Citrix Endpoint Management deployments, see Architecture.
