Citrix Endpoint Management integration
This article covers what to consider when planning how Citrix Endpoint Management is to integrate with your existing network and solutions. For example, if you’re already using NetScaler Gateway for Citrix Virtual Apps and Desktops:
- Do you want to use the existing NetScaler Gateway instance or a new, dedicated instance?
- Do you want to integrate with Citrix Endpoint Management the HDX apps that are published using StoreFront?
- Do you plan to use Citrix Files with Citrix Endpoint Management?
- Do you have a Network Access Control solution that you want to integrate into Citrix Endpoint Management?
NetScaler Gateway
NetScaler Gateway is required for Citrix Endpoint Management. NetScaler Gateway provides a micro VPN path for access to all corporate resources and provides strong multifactor authentication support.
You can use existing NetScaler Gateway instances or set up new ones for Citrix Endpoint Management. The following sections note the advantages and disadvantages of using existing or new, dedicated NetScaler Gateway instances.
Shared NetScaler Gateway MPX with a NetScaler Gateway VIP created for Citrix Endpoint Management
Advantages:
- Uses a common NetScaler Gateway instance for all Citrix remote connections: Citrix Virtual Apps, full VPN, and clientless VPN.
- Uses the existing NetScaler Gateway configurations, such as for certificate authentication and for accessing services like DNS, LDAP, and NTP.
- Uses a single NetScaler Gateway platform license.
Disadvantages:
- It is more difficult to plan for scale when you handle two different use cases on the same NetScaler Gateway.
- Sometimes you need a specific NetScaler Gateway version for a Citrix Virtual Apps use case. That same version might have known issues for Citrix Endpoint Management. Or Citrix Endpoint Management might have known issues for the NetScaler Gateway version.
- If a NetScaler Gateway exists, you cannot run the NetScaler for XenMobile wizard a second time to create the NetScaler Gateway configuration for Citrix Endpoint Management.
- Except when Platinum licenses are used for NetScaler Gateway 11.1 or later: User access licenses installed on NetScaler Gateway and required for VPN connectivity are pooled. Because those licenses are available to all NetScaler Gateway virtual servers, services other than Citrix Endpoint Management can potentially consume them.
Dedicated NetScaler Gateway VPX/MPX instance
Advantages:
Citrix recommends using a dedicated instance of NetScaler Gateway.
- Easier to plan for scale and separate Citrix Endpoint Management traffic from a NetScaler Gateway instance that might already be resource constrained.
- Avoids issues when Citrix Endpoint Management and Citrix Virtual Apps need different NetScaler Gateway software versions. The recommendation generally is to use the latest compatible NetScaler Gateway version and build for Citrix Endpoint Management.
- Allows Citrix Endpoint Management configuration of NetScaler Gateway through the built-in NetScaler for XenMobile wizard.
- Virtual and physical separation of services.
Disadvantages:
- Requires setup of extra services on NetScaler Gateway to support Citrix Endpoint Management configuration.
- Requires another NetScaler Gateway platform license. License each NetScaler Gateway instance for NetScaler Gateway.
For information about what to consider when integrating NetScaler Gateway and Citrix ADC for Citrix Endpoint Management management modes, see Integrating with NetScaler Gateway and Citrix ADC.
StoreFront
If you have a Citrix Virtual Apps and Desktops environment, you can integrate HDX applications with Citrix Endpoint Management using StoreFront. When you integrate HDX apps with Citrix Endpoint Management:
- The apps are available to users who are enrolled with Citrix Endpoint Management.
- The apps display in the app store along with other mobile apps.
- Citrix Endpoint Management uses Citrix Receiver on StoreFront.
- When the Citrix Workspace app is installed on a device, HDX apps start using that app.
StoreFront has a limitation of one service site per StoreFront instance. Suppose that you have many stores and want to segment it from other production usage. In that case, Citrix generally recommends that you consider a new StoreFront Instance and services site for Citrix Endpoint Management.
Considerations include:
- Are there any different authentication requirements for StoreFront? The StoreFront services site requires Active Directory credentials for logon. Customers only using certificate-based authentication cannot enumerate applications through Citrix Endpoint Management using the same NetScaler Gateway.
- Use the same store or create a store?
- Use the same or a different StoreFront server?
The following sections note the advantages and disadvantages of using separate or combined storefronts for Citrix Workspace and Citrix mobile productivity apps.
Integrate your existing StoreFront instance with Citrix Endpoint Management
Advantages:
- Same store: No additional configuration of StoreFront is required for Citrix Endpoint Management, assuming that you use the same NetScaler Gateway VIP for HDX access. Suppose that you choose to use the same store and want to direct Citrix Workspace access to a new NetScaler Gateway VIP. In that case, add the appropriate NetScaler Gateway configuration to StoreFront.
- Same StoreFront server: Uses the existing StoreFront installation and configuration.
Disadvantages:
- Same store: Any reconfiguration of StoreFront to support Citrix Virtual Apps and Desktops workloads might adversely affect Citrix Endpoint Management.
- Same StoreFront server: In large environments, consider the additional load from Citrix Endpoint Management usage of Citrix Receiver for app enumeration and start-up.
Use a new, dedicated StoreFront instance for integration with Citrix Endpoint Management
Advantages:
- New store: Any configuration changes of the StoreFront store for Citrix Endpoint Management don’t affect existing Virtual Apps and Desktops workloads.
- New StoreFront server: Server configuration changes don’t affect Virtual Apps and Desktops workflows. Also, load outside of Citrix Endpoint Management usage of Citrix Receiver for app enumeration and launch don’t affect scalability.
Disadvantages:
- New store: StoreFront store configuration.
- New StoreFront server: Requires a new StoreFront installation and configuration.
For more information, see Citrix Virtual Apps and Desktops through the app store.
ShareFile and Citrix Files
ShareFile enables you to easily and securely exchange documents, send large documents by email, and securely handle document transfers to third parties. The Citrix Files app enables users to access and sync all of their data from any device. With Citrix Files, users can securely share data with people both inside and outside the organization.
Citrix Endpoint Management provides Citrix Files with:
- Single sign-on authentication for mobile productivity app users.
- Active Directory-based user account provisioning.
- Comprehensive access control policies.
Mobile users can benefit from the full Enterprise account feature set.
Alternatively, you can configure Citrix Endpoint Management to integrate only with storage zone connectors. Through storage zone connectors, Citrix Files provides access to:
- Documents and folders
- Network file shares
- In SharePoint sites: Site collections and document libraries.
Connected file shares can include the same network home drives used in Citrix Virtual Apps and Desktops environments. You use the Citrix Endpoint Management console to configure the integration with Enterprise accounts or storage zone connectors. For more information, see Citrix Files for Citrix Endpoint Management.
The following sections note the questions to ask when making design decisions for Citrix Files.
Integrate with Citrix Files or only storage zone connectors
Questions to ask:
- Do you want to store data in Citrix-managed storage zones?
- Do you want to provide users with file sharing and sync capabilities?
- Do you want to enable users to access files on the Citrix Files website? Or to access Office 365 content and Personal Cloud connectors from mobile devices?
Design decision:
- If the answer to any of those questions is “yes,” integrate with an Enterprise account.
- An integration with only storage zone connectors gives iOS users secure mobile access to existing on-premises storage repositories, such as SharePoint sites and network file shares. In this configuration, you don’t set up a Citrix Files subdomain, provision users to Citrix Files, or host Citrix Files data. Using storage zone connectors with Citrix Endpoint Management follows security restrictions against leaking user information outside of the corporate network.
Storage zones controller server location
Questions to ask:
- Do you require on-premises storage or features such as storage zone connectors?
- If using on-premises features of Citrix Files, where will the storage zones controllers sit in the network?
Design decision:
- Determine whether to locate the storage zones controller servers in the Citrix Files cloud, in your on-premises single-tenant storage system, or in supported third-party cloud storage.
- Storage zones controllers require some internet access to communicate with the Citrix Files Control Plane. You can connect in several ways, including direct access or NAT/PAT configurations.
Storage zone connectors
Questions to ask:
- What are the CIFS share paths?
- What are the SharePoint URLs?
Design decision:
- Determine if on-premises storage zones controllers are required to access those locations.
- Because of storage zone connector communication with internal resources such as file repositories, CIFS shares, and SharePoint: Citrix recommends that the storage zones controllers are in the internal network behind DMZ firewalls and fronted by NetScaler Gateway.
SAML integration with Citrix Endpoint Management
Questions to ask:
- Is Active Directory authentication required for Citrix Files?
- Does first time use of the Citrix Files app for Citrix Endpoint Management require SSO?
- Is there a standard IdP in your current environment?
- How many domains are required to use SAML?
- Are there many email aliases for Active Directory users?
- Are there any Active Directory domain migrations in progress or scheduled soon?
Design decision:
You might choose to use SAML as the authentication mechanism for Citrix Files. The authentication options are:
-
Use the Citrix Endpoint Management server as the Identity Provider (IdP) for SAML
This option can provide excellent user experience, automate Citrix Files account creation, and enable mobile app SSO features.
The Citrix Endpoint Management server is enhanced for this process: It does not require the synchronization of the Active Directory.
Use the Citrix Files User Management Tool for user provisioning.
-
Use a supported third-party vendor as the IdP for SAML
If you have an existing and supported IdP and don’t require mobile app SSO capabilities, this option might be the best fit for you. This option also requires the use of the Citrix Files User Management Tool for account provisioning.
Using third-party IdP solutions such as ADFS might also provide SSO capabilities on the Windows client side. Be sure to evaluate use cases before choosing your Citrix Files SAML IdP.
-
Or, to satisfy both use cases, see ShareFile single sign-on configuration guide for dual identity providers.
Mobile apps
Questions to ask:
- Which Citrix Files mobile app do you plan to use (public, MDM, MDX)?
Design decision:
- You distribute Citrix mobile productivity apps from the Apple App Store and Google Play Store. With that public app store distribution, you get wrapped apps from the Citrix downloads page.
- If your security requirements are low and you don’t require containerization, the public Citrix Files app might not be suitable.
- For more information, see Apps and Citrix Files for Citrix Endpoint Management.
Security, policies, and access control
Questions to ask:
- What restrictions do you require for desktop, web, and mobile users?
- What standard access control settings do you want for users?
- What file retention policy do you plan to use?
Design decision:
- Citrix Files lets you manage employee permissions. For information, see Employee Permissions.
- Some Citrix Files device security settings and MDX policies control the same features. In those cases, the Citrix Endpoint Management policies take precedence, followed by the Citrix Files device security settings. Examples: If you disable external apps in Citrix Files, but enable them in Citrix Endpoint Management, the external apps get disabled in Citrix Files. You can configure the apps so that Citrix Endpoint Management doesn’t require a PIN/passcode, but the Citrix Files app requires a PIN/passcode.
Standard versus restricted storage zones
Questions to ask:
- Do you require restricted storage zones?
Design decision:
- A standard storage zone is intended for non-sensitive data and enables employees to share data with non-employees. This option supports workflows that involve sharing data outside of your domain.
- A restricted storage zone protects sensitive data: Only authenticated domain users can access the data stored in the zone.
Access control
Enterprises can manage mobile devices inside and outside of networks. Enterprise Mobility Management solutions such as Citrix Endpoint Management are great at providing security and controls for mobile devices, independent of location. However, when you combine them with a Network Access Control (NAC) solution, you can add QoS and more fine-grained control to devices that are internal to your network. That combination enables you to extend the Citrix Endpoint Management device security assessment through your NAC solution. Your NAC solution then can use the Citrix Endpoint Management security assessment to facilitate and handle authentication decisions.
You can use any of these solutions to enforce NAC policies:
- NetScaler Gateway
- ForeScout
Citrix doesn’t guarantee integration for other NAC solutions.
Advantages of a NAC solution integration with Citrix Endpoint Management include the following:
- Better security, compliance, and control for all endpoints on an enterprise network.
- A NAC solution can:
- Detect devices at the instant they try to connect to your network.
- Query Citrix Endpoint Management for device attributes.
- Use that device information to determine whether to allow, block, limit, or redirect those devices. Those decisions depend on the security policies that you choose to enforce.
- A NAC solution provides IT administrators with a view of unmanaged and non-compliant devices.
For a description of the NAC compliance filters supported by Citrix Endpoint Management and a configuration overview, see Network Access Control.