XenMobile Server

Install and configure

Before you start

You can use the following preinstallation checklist to note the prerequisites and settings for installing XenMobile on-premises. Each task or note includes a column indicating the component or function for which the requirement applies.

Planning a XenMobile deployment involves many considerations. For recommendations, common questions, and use cases for your complete XenMobile environment, see the XenMobile Deployment Handbook.

For installation steps, see the Install XenMobile section later in this article.

Preinstallation checklist

Basic Network Connectivity

The following are the network settings that you need for the XenMobile solution.

Prerequisite or setting | Component or function | Note the setting
Note the fully qualified domain name (FQDN) to which remote users connect. | XenMobile and Citrix Gateway |
Note the public and local IP address. You need these IP addresses to configure the firewall to set up network address translation (NAT). | XenMobile and Citrix Gateway |
Note the subnet mask. | XenMobile and Citrix Gateway |
Note the DNS IP addresses. | XenMobile and Citrix Gateway |
Write down the WINS server IP addresses (if applicable). | Citrix Gateway |
Identify and write down the Citrix Gateway host name. This item is not the FQDN. The FQDN is contained in the signed server certificate that is bound to the virtual server and to which users connect. You can configure the host name by using the Setup Wizard in Citrix Gateway. | Citrix Gateway |
Note the IP address of XenMobile. Reserve one IP address if you install one instance of XenMobile. If you configure a cluster, note all IP addresses that you need. | XenMobile |
One public IP address configured on Citrix Gateway | Citrix Gateway |
One external DNS entry for Citrix Gateway | Citrix Gateway |
Note the web proxy server IP address, port, proxy host list, and the administrator user name and password. These settings are optional if you deploy a proxy server in your network (if applicable). You can use either the sAMAccountName or the User Principal Name (UPN) when configuring the user name for the web proxy. | XenMobile and Citrix Gateway |
Note the default gateway IP address. | XenMobile and Citrix Gateway |
Note the system IP (NSIP) address and subnet mask. | Citrix Gateway |
Note the subnet IP (SNIP) address and subnet mask. | Citrix Gateway |
Note the Citrix Gateway virtual server IP address and FQDN from the certificate. To configure multiple virtual servers, note all virtual IP addresses and FQDNs from the certificates. | Citrix Gateway |
Note the internal networks that users can access through Citrix Gateway. Example: 10.10.0.0/24. Enter all internal networks and network segments that users need access to when they connect with Secure Hub or the Citrix Gateway Plug-in and split tunneling is set to On. | Citrix Gateway |
Ensure that the XenMobile Server, the Citrix Gateway, the external Microsoft SQL Server, and the DNS server can reach one another over the network. | XenMobile and Citrix Gateway |

Licensing

XenMobile requires you to purchase licensing options for Citrix Gateway and XenMobile. For more information about Citrix Licensing, see The Citrix Licensing System.

Prerequisite | Component | Note the location
Obtain Universal licenses from the Citrix website. For details, see Licensing in the Citrix Gateway documentation. | Citrix Gateway, XenMobile, and Citrix License Server |

Certificates

XenMobile and Citrix Gateway require certificates to enable connections with other Citrix products and apps and from user devices. For details, see the Certificates and Authentication section in the XenMobile documentation.

Prerequisite | Component | Notes
Obtain and install the required certificates. | XenMobile and Citrix Gateway |

Ports

Open ports to allow communication with the XenMobile components.

Prerequisite | Component | Notes
Open ports for XenMobile | XenMobile and Citrix Gateway |

Database

XenMobile requires database connection configuration. The XenMobile repository requires a Microsoft SQL Server database running on one of the supported versions noted in System requirements and compatibility. Citrix recommends using Microsoft SQL remotely. PostgreSQL is included with XenMobile. Use PostgreSQL locally or remotely only in test environments.

By default, XenMobile uses the jTDS database driver. To use the Microsoft JDBC driver for on-premises installations of XenMobile Server, see SQL Server drivers.

Prerequisite | Component | Notes
Microsoft SQL Server IP address and port. Make sure that the service account of the SQL Server to be used on XenMobile has the DBcreator role permission. | XenMobile |

Active Directory Settings

Prerequisite | Component | Notes
Note the Active Directory IP address and ports for the primary and secondary servers. If you use port 636, install a root certificate from a CA on XenMobile, and change the Use secure connections option to Yes. | XenMobile and Citrix Gateway |
Note the Active Directory domain name. | XenMobile and Citrix Gateway |
Note the Active Directory service account, which requires a user ID, password, and domain alias. The Active Directory service account is the account that XenMobile uses to query the Active Directory. | XenMobile and Citrix Gateway |
Note the User Base DN, which is the directory level under which users are located. For example: cn=users,dc=ace,dc=com. Citrix Gateway and XenMobile use the User Base DN to query the Active Directory. | XenMobile and Citrix Gateway |
Note the Group Base DN, which is the directory level under which groups are located. Citrix Gateway and XenMobile use this DN to query Active Directory. | XenMobile and Citrix Gateway |

Connections between XenMobile and Citrix Gateway

Prerequisite | Component | Note the setting
Note the XenMobile host name. | XenMobile |
Note the FQDN or IP address of XenMobile. | XenMobile |
Identify the apps users can access. | Citrix Gateway |
Note the Callback URL. | XenMobile |

User Connections: Access to Citrix Virtual Apps and Desktops and Citrix Secure Hub

Citrix recommends that you use the Quick Configuration wizard in Citrix ADC to configure connection settings between XenMobile and Citrix Gateway and between XenMobile and Secure Hub. You create a second virtual server to enable user connections from Citrix Receiver and web browsers. Those connections are to Windows-based applications and virtual desktops in Virtual Apps and Desktops. Citrix recommends that you also use the Quick Configuration wizard in Citrix ADC to configure these settings.

Prerequisite | Component | Note the setting
Note the Citrix Gateway host name and external URL. The external URL is the web address with which users connect. | XenMobile |
Note the Citrix Gateway callback URL. | XenMobile |
Note the IP addresses and subnet masks for the virtual server. | Citrix Gateway |
Note the path for Program Neighborhood Agent or a Virtual Apps and Desktops Site. | Citrix Gateway and XenMobile |
Note the FQDN or IP address of the Citrix Virtual Apps and Desktops server running the Secure Ticket Authority (STA) (for ICA connections only). | Citrix Gateway |
Note the public FQDN for XenMobile. | Citrix Gateway |
Note the public FQDN for Secure Hub. | Citrix Gateway |

Flowchart for XenMobile deployment

You can use this flowchart to guide you through the main steps for deploying XenMobile. Links to topics on each step follow the figure.

1: System requirements and compatibility

2: Install and configure

3 and 4: Preinstallation checklist (this article)

5: Configure XenMobile in the Command Prompt Window (this article)

6: Configure XenMobile in a web browser (this article)

7: Configuring Settings for Your XenMobile Environment

8: Port requirements

Install XenMobile

The XenMobile virtual machine (VM) runs on Citrix XenServer, VMware ESXi, or Microsoft Hyper-V. You can use XenCenter or vSphere management consoles to install XenMobile.

Note:

Make sure that the hypervisor is configured with the correct time, either by using an NTP server or by manual configuration, because XenMobile uses that time. If you have time zone issues when syncing XenMobile time with a hypervisor, you can avoid the issues by pointing XenMobile to an NTP server. To do that, use the XenMobile CLI, as described in Command-line interface options.

XenServer or VMware ESXi prerequisites. Before installing XenMobile on XenServer or VMware ESXi, you must do the following. For details, see your XenServer or VMware documentation.

  • Install XenServer or VMware ESXi on a computer with adequate hardware resources.
  • Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere connects to the XenServer or VMware ESXi host through the network.

Hyper-V prerequisites. Before installing XenMobile on Hyper-V, you must do the following. For details, see your Hyper-V documentation.

  • Install Windows Server 2016 or Windows Server 2019 with the Hyper-V role enabled on a computer with adequate system resources. While installing the Hyper-V role, be sure to specify the NICs on the server that Hyper-V uses to create the virtual networks. You can reserve some NICs for the host.
  • Delete the file Virtual Machines/<build-specific UUID>.xml
  • Move the file Legacy/<build-specific UUID>.exp into Virtual Machines

FIPS 140-2 mode. To install XenMobile Server in FIPS mode, complete a prerequisite group, as discussed in Configure FIPS with XenMobile.

Download XenMobile product software

You can download product software from the Citrix website. Log on to the site and then use the Downloads link to navigate to the page containing the software you want to download.

To download the software for XenMobile

  1. Go to the Citrix website.

  2. Next to the Search box, click Log On and log on to your account.

  3. Click the Downloads tab.

  4. On the Downloads page, from the select a product list, click Citrix Endpoint Management (and Citrix XenMobile Server). The Citrix Endpoint Management (and Citrix XenMobile Server) page automatically appears.

    Product list

  5. Expand XenMobile Server (on-premises).

  6. Expand Product Software.

  7. Click XenMobile Server 10.

  8. Click the Jump to Download menu and choose the appropriate virtual image to use to install XenMobile. Alternatively, scroll down the page to locate the Download File button for the image you want to install.

  9. Follow the instructions on your screen to download the software.

To download the software for Citrix Gateway

You can use this procedure to download the Citrix Gateway virtual appliance or software upgrades to your existing Citrix Gateway appliance.

  1. Go to the Citrix website.
  2. If you are not already logged on to the Citrix website, next to the Search box, click Log On and log on to your account.
  3. Click the Downloads tab.
  4. On the Downloads page, from the select product list, click Citrix Gateway.
  5. Click Go. The Citrix Gateway page appears.
  6. On the Citrix Gateway page, expand the version of Citrix Gateway you are running.
  7. Under Firmware, click the appliance software version you want to download.

    Note:

    You can also click Virtual Appliances to download Citrix ADC VPX. When you select this option, you receive a list of software for the virtual machine for each hypervisor.

  8. Click the appliance software version that you want to download.
  9. On the appliance software page for the version you want to download, click Download for the appropriate virtual appliance.
  10. Follow the instructions on your screen to download the software.

Configure XenMobile for First-Time Use

  1. Use the XenCenter or vSphere command-line console to configure the IP address and subnet mask, default gateway, DNS servers, and other settings for XenMobile.

    Note:

    When you use a vSphere web client, we recommend that you don’t configure networking properties on the Customize template page while you deploy the OVF template. In a high availability configuration, this avoids an issue with the IP address that occurs when you clone and then restart the second XenMobile virtual machine.

  2. Access the XenMobile management console only through the XenMobile Server fully qualified domain name or the IP addresses of the node.

  3. Log on and then follow the steps in the initial logon screen.

Configure XenMobile in the Command Prompt Window

  1. Import the XenMobile virtual machine into Citrix XenServer, Microsoft Hyper-V, or VMware ESXi. For details, see XenServer, Hyper-V, or VMware documentation.
  2. In your hypervisor, select the imported XenMobile virtual machine and start the command prompt view. For details, see the documentation for your hypervisor.
  3. From the hypervisor console page, create an administrator account for XenMobile in the command prompt window by typing the administrator user name and password.

    When you create or change passwords for the command prompt administrator account, Public Key Infrastructure (PKI) server certificates, and FIPS, XenMobile enforces the following rules for all users except Active Directory users whose passwords are managed outside of XenMobile.

    • The password must be at least eight characters long.
    • The password must meet at least three of the following complexity criteria:
      • Uppercase letters (A through Z)
      • Lowercase letters (a through z)
      • Numerals (0 through 9)
      • Special characters (such as ! # $ %)

    CLI password

    No characters, such as asterisks, appear when you type the new password.

  4. Provide the following network information and then type y to commit the settings:
    1. IP address of the XenMobile Server
    2. Netmask
    3. Default gateway, which is the IP address of the default gateway in the DMZ
    4. Primary DNS server, which is the IP address of the DNS server
    5. Secondary DNS server (optional)

      Network settings

      Note:

      The addresses shown in this and the following images are non-working and are provided as examples only.

  5. Type y to increase security by generating a random encryption passphrase or n to provide your own passphrase. Citrix recommends typing y to generate a random passphrase.

    The passphrase is used as part of the protection of the encryption keys used to secure your sensitive data. A hash of the passphrase, stored in the server file system, is used to retrieve the keys during the encryption and decryption of data. The passphrase cannot be viewed.

    Note:

    If you intend to extend your environment and configure more servers, provide your own passphrase. If you select a random passphrase, you can’t view it.

    Passphrase

  6. Optionally, enable the Federal Information Processing Standard (FIPS). For details about FIPS, see FIPS. Also, be sure to complete a prerequisite group, as discussed in Configure FIPS with XenMobile.

    FIPS

  7. Provide the following information to configure the database connection.

    Database configuration

    • Your database can be local or remote. Type l for local or r for remote.
    • Select the database type. Type mi for Microsoft SQL or type p for PostgreSQL.

      Important:

      • Citrix recommends using Microsoft SQL remotely. PostgreSQL is included with XenMobile. Use PostgreSQL locally or remotely only in test environments.
      • Database migration is not supported. Databases created in a test environment cannot be moved to a production environment.
    • Optionally, type y to use SSL authentication for your database.
    • Provide the fully qualified domain name (FQDN) for the server hosting XenMobile. This one-host server provides both device management and app management services.
    • Type your database port number if it is different from the default port number. The default port for Microsoft SQL is 1433 and the default port for PostgreSQL is 5432.
    • Type your database administrator user name.
    • Type your database administrator password.
    • Type the database name.
    • Press Enter to commit the database settings.
  8. Optionally, type y to enable clustering of XenMobile nodes, or instances.

    Important:

    If you enable a XenMobile cluster, after system configuration completes, open port 80 to enable real-time communication between cluster members. Complete that setup on all cluster nodes.

  9. Type the XenMobile Server fully qualified domain name (FQDN).

    Host name

  10. Press Enter to commit the settings.
  11. Identify the communication ports. For details on ports and their uses, see Port Requirements.

    Note:

    Accept the default ports by pressing Enter (Return on a Mac).

    Ports

  12. Skip the next question about upgrading from a previous XenMobile release because you are installing XenMobile for the first time.
  13. Type y if you want to use the same password for each Public Key Infrastructure (PKI) certificate. For details on the XenMobile PKI feature, see Uploading Certificates.

    PKI

    Important:

    If you intend to cluster nodes, or instances, of XenMobile together, provide identical passwords for subsequent nodes.

  14. Type the new password and then enter the new password again to confirm it.

    No characters, such as asterisks, appear when you type the new password.

  15. Press Enter to commit the settings.
  16. Create an administrator account for logging on to the XenMobile console with a web browser. Be sure to record these credentials for later use.

    Console account

    Note:

    No characters, such as asterisks, appear when you type the new password.

  17. Press Enter to commit the settings. The initial system configuration is saved.
  18. When asked if you’re upgrading, type n because it is a new installation.
  19. Copy the complete URL that appears on the screen and continue this initial XenMobile configuration in your web browser.

    URL
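
The following Python example is added here and is not part of the Citrix documentation or the XenMobile product. It checks the values from steps 3 and 4 (password rules, IP address, netmask, default gateway, DNS servers) before you type them into the console. The function names, the IPv4-only handling, and the treatment of any ASCII punctuation as a special character are assumptions; the sample addresses are constructed.

```python
import ipaddress
import string


def password_problems(password):
    """Return violations of the step 3 password rules (empty list means OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        # Assumption: the page only gives examples (! # $ %), so any ASCII
        # punctuation character is counted as "special" here.
        any(c in string.punctuation for c in password),
    ]
    used = sum(classes)
    if used < 3:
        problems.append(f"only {used} of 4 character classes used, need 3")
    return problems


def network_problems(ip, netmask, gateway, dns_servers):
    """Check the step 4 values for consistency before committing them with y."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # also covers non-contiguous netmasks
        return [f"invalid address or netmask: {exc}"]
    problems = []
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"default gateway {gateway} is outside {net}")
    if gw == iface.ip:
        problems.append("default gateway equals the server address")
    for dns in dns_servers:
        try:
            ipaddress.IPv4Address(dns)
        except ValueError:
            problems.append(f"DNS server {dns!r} is not an IPv4 address")
    return problems


if __name__ == "__main__":
    # Constructed sample values from documentation address ranges.
    print(password_problems("password"))
    print(network_problems("192.0.2.10", "255.255.255.0",
                           "198.51.100.1", ["192.0.2.53"]))
```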

Configure XenMobile in a web browser

After completing the initial portion of the XenMobile configuration in your hypervisor command prompt window, complete the process in your web browser.

  1. In your web browser, navigate to the location provided at the conclusion of the command prompt window configuration.

  2. Type the XenMobile console administrator account user name and password that you created in the command prompt window.

    Console sign-on screen

  3. On the Get Started page, click Start. The Licensing page appears.

  4. Configure the license. If you don’t upload a license, you use an evaluation license valid for 30 days. For details on adding and configuring licenses and configuring expiration notifications, see Licensing.

    Important:

    If you intend to use XenMobile clustering by adding cluster nodes, or instances, of XenMobile, you must use Citrix Licensing on a remote server.

  5. On the Certificates page, click Import. The Import dialog box appears.

  6. Import your APNs and SSL Listener certificate. iOS device management requires an APNs certificate. For details on working with certificates, see Certificates.

    Note:

    This step requires restarting the server.

  7. If appropriate to the environment, configure Citrix Gateway. For details on configuring Citrix Gateway, see Citrix Gateway and XenMobile and Configuring Settings for Your XenMobile Environment.

    Note:

    • You can deploy Citrix Gateway at the perimeter of your internal network (or intranet). That deployment provides a secure single point of access to the servers, apps, and other network resources that reside in the internal network. In this deployment, all remote users must connect to Citrix Gateway before they can access any resources in the internal network.
    • Although Citrix Gateway is an optional setting, after you enter data on the page, you must clear or complete the required fields before you can leave the page.
  8. Complete the LDAP configuration to access users and groups from the Active Directory. For details on configuring the LDAP connection, see LDAP Configuration.

  9. Configure the notification server to be able to send messages to users. For details on notification server configuration, see Notifications.

Post-requisite. Restart the XenMobile Server to activate your certificates.
