
Citrix Reference Architecture

for XenMobile 8.5



using XenMobile to create a comprehensive solution
to manage mobile apps, data and devices

citrix.com
Citrix

Reference Architecture for XenMobile 8.5 | Whitepaper i



Table of Contents
Overview  1
Comparison of XenMobile Features by Product  2
Understanding the XenMobile Architecture  3
XenMobile Architectures  4
  XenMobile 8.5 MDM Edition  6
    XenMobile 8.5 MDM Edition Guidelines  6
  XenMobile 8.5 App Edition  10
    XenMobile 8.5 App Edition with XenDesktop Integration  10
    XenMobile 8.5 App Edition Guidelines  11
  XenMobile 8.5 Enterprise Edition  13
    XenMobile 8.5 Enterprise Edition with XenDesktop Integration  13
    XenMobile 8.5 Enterprise Edition Guidelines  14
    XenMobile 8.5 Enterprise Edition High Availability  18
Reference Environment  20
  Network Layout  20
  Server Hardware  20
  Authentication  21
  Certificates  21
  Domain Name Service (DNS)  21
  Microsoft SQL Server  22
Conclusion  23
Appendix A Firewall Port Requirements  24
  XenMobile MDM Edition  24
  XenMobile App Edition  26
Appendix B Configuration Guidelines and Recommendations  27
  Integration of Windows Desktops and Apps with the App Controller  27
  Linking the Device Manager with the App Controller  27





Overview
Citrix XenMobile is the revolutionary new way to mobilize your business. The product offers security
and compliance for IT while giving users mobile device, app and data freedom. Users gain single-click
access to all of their mobile, SaaS and Windows apps from a unified corporate app store, including
seamlessly integrated email, browser, data sharing and support apps.
IT gains control over mobile devices with full configuration, security, provisioning and support
capabilities. In addition, XenMobile securely delivers Worx Mobile Apps, mobile apps built for
businesses using the Worx App SDK and found through the Worx App Gallery. With XenMobile, IT
can meet its compliance and control needs while users get the freedom to experience work and life
their way.
The Citrix Reference Architecture for XenMobile 8.5 guides architects in designing the next
generation of mobile device and application management services. This document is for IT architects
looking to implement and manage their mobility infrastructure. Each of these validated architectures
has been certified by Citrix to perform and scale to the most demanding enterprise requirements.





Comparison of XenMobile Features by Product
XenMobile MDM Edition
XenMobile MDM Edition is an enterprise mobile device management (MDM) solution for
delivering role-based management, configuration and security for corporate and employee-
owned devices. This edition includes the ShareFile StorageZones Controller for network
drives and SharePoint.
XenMobile App Edition
XenMobile App Edition is a mobile application management (MAM) solution for securely
delivering web, SaaS and mobile apps, including secure email and browser apps, to users on
any device. This is an ideal solution for those who already have an MDM solution. This
edition includes the ShareFile StorageZones Controller for network drives and SharePoint.
XenMobile Enterprise Edition
The XenMobile Enterprise Edition is a comprehensive enterprise mobility management
solution with MDM, MAM, sandboxed email and browser, unified app store and SSO that
delivers IT secure control while giving users mobile freedom. This edition includes ShareFile
Enterprise.
Compare Features
The following features are compared across the XenMobile MDM Edition, the XenMobile App
Edition and the XenMobile Enterprise Edition:
- Configure, secure and provision mobile devices
- One-click live chat and support
- Access SharePoint and network drives
- Secure mobile web browser
- App-specific micro VPN
- Secure mail, calendar and contacts app
- Enterprise-enable any mobile app
- Seamless Windows app integration
- Unified corporate app store
- Multi-factor single sign-on
- Secure document sharing, sync, and editing
- Both cloud and on-premise data storage option

Table 1 Comparison of XenMobile Features by Product
Source: http://www.citrix.com/products/xenmobile/features/editions.html





Understanding the XenMobile Architecture


Figure 1 Understanding the XenMobile Architecture
Source: http://www.citrix.com/products/xenmobile/how-it-works.html

Worx Home
Citrix Worx Home is an app that allows IT to enforce mobile settings and security on mobile
devices. Employees use this app to access their unified corporate app store and live support
services. XenMobile communicates with Worx Home to deliver MDM and Worx-enabled apps
and policies. XenMobile App Controller also stocks the unified corporate app store with apps
most relevant to the user.
NetScaler
NetScaler is a secure application and data access solution that provides administrators granular
application and data-level control while empowering users with remote access from anywhere. It
gives IT administrators a single point to manage access control and limit actions within sessions
based on both user identity and the endpoint device, providing better application security, data
protection and compliance management.
XenMobile Device Manager
Device Manager allows IT to manage mobile devices, set mobile policies and compliance rules,
gain visibility to the mobile network, provide control over mobile apps and data, and shield the
corporate network from mobile threats. With a one-click dashboard, simple administrative
console, and real-time integration with Microsoft Active Directory and other enterprise
infrastructure like PKI and Security Information and Event Management (SIEM) systems,
XenMobile Device Manager simplifies the management of mobile devices.
XenMobile App Controller
App Controller manages and enables access to an organization's mobile, web and SaaS apps
and ShareFile data resources.
ShareFile
ShareFile is an enterprise follow-me data solution that enables IT to deliver a robust data sharing
and sync service that meets the mobility and collaboration needs of users and the data security
requirements of the enterprise. By making follow-me data a seamless and intuitive part of every
user's day, ShareFile enables optimal productivity for today's highly mobile, anywhere, any-device
workforce.



XenMobile Architectures
Determining the correct architecture is based on the device or app management requirements of the
enterprise. The components of XenMobile are modular and build upon each other. This section will
provide an overview of each edition and its design.


XenMobile 8.5 MDM Edition + XenMobile 8.5 App Edition = XenMobile 8.5 Enterprise Edition

Figure 2 Building Blocks to the XenMobile 8.5 Enterprise Edition



The following sections will further identify and define key guidelines and recommendations for
deployment of these respective architectures.



XenMobile 8.5 MDM Edition
XenMobile 8.5 MDM Edition includes the following infrastructure components:
- XenMobile Device Manager (MDM) 8.5
- XenMobile NetScaler Connector (XNC) 8.5
  Note: XNC requires a NetScaler.
- ShareFile StorageZones Controller 2.0
Citrix recommends using a NetScaler (i.e., NetScaler Gateway 10.1) for a more secure
deployment. There are several reasons to do this:
- Limit exposure to Windows servers in the DMZ
- Easily scale out by adding more servers behind the NetScaler in the future
In order to enable the mobile device management functionality, the device will need to enroll with
the Device Manager server using one of the following:
- Citrix Mobile Enroll (iOS devices)
- Worx Home (Android devices)
Worx Home provides the user with the means to access work apps and data.
ShareFile enables IT to deliver a robust data sharing and sync service that meets the mobility
and collaboration needs of users and the data security requirements of the enterprise. By making
follow-me data a seamless and intuitive part of every user's day, ShareFile enables optimal
productivity for today's highly mobile, anywhere, any-device workforce. The integration between
ShareFile and XenMobile provides follow-me data across devices and apps and allows users to
view, edit and share data within a secure container on their mobile device.



Figure 3 Reference Architecture for XenMobile 8.5 MDM Edition

XenMobile 8.5 MDM Edition Guidelines
In order to facilitate the deployment of XenMobile 8.5 MDM Edition, Citrix recommends that IT
administrators review the following minimum guidelines.

1. The following ports need to be open to allow MDM to communicate with internal and external
resources.




Figure 4 XenMobile 8.5 MDM Edition Firewall Ports
Details: Appendix A Firewall Port Requirements

2. The Apple Push Notification Service (APNS) is used by MDM to push notifications to iOS
devices for configuration and policy updates. This service is provided by Apple and is only
required for iOS devices. Non-iOS devices have their own push implementation.

Note: A special APNS certificate that is signed by Citrix and issued by Apple is required
before installing MDM. Please see the installation instructions.

3. NetScaler is the secure application and data access solution for the infrastructure. NetScaler
is available as high-performance network appliances and software-based virtual appliances in
a range of editions for maximum deployment flexibility. These editions include:

- NetScaler MPX appliances are hardened network appliances that offer up to 120
  Gbps performance.
- NetScaler SDX is a high-density consolidation platform that combines Xen-based
  virtualization with the advanced architecture of NetScaler MPX to run up to 40
  NetScaler instances simultaneously without sacrificing performance or security.
- NetScaler VPX virtual appliances run as virtual machines (VMs) on popular
  hypervisors, allowing NetScaler to be provisioned on demand using inexpensive,
  industry-standard servers (i.e., NetScaler Gateway 10.1).

The following table details the minimum resource requirements of the NetScaler VPX:

                    vCPU   Memory    Disk Space
NetScaler Gateway   2      4096 MB   20 GB
Table 2 NetScaler Gateway Virtual Appliance (VPX) Specifications

4. XenMobile Device Manager (MDM) is the central server for MDM that combines policies,
devices and users to create deployments to manage the corporate mobile strategy.

- Endpoint devices may connect to the MDM server over ports 80, 443, and 8443. Port
  80 is used by legacy endpoint devices such as older phones and tablets running
  Windows Mobile, or Symbian. However, newer endpoint devices are more secure
  and use port 443. Port 8443 is only used during the enrollment process for iOS
  devices.
- The MDM server runs on the Microsoft Windows Server operating system (i.e.,
  Windows Server 2008 R2).


- The MDM server requires connections to core components and common
  infrastructure services such as Active Directory, DNS, SMTP, Microsoft SQL Server
  and a certificate authority.
- MDM also requires a PKI service such as Microsoft Certificate Authority, or it can use
  its own PKI service hosted on the MDM server that gets installed with Device
  Manager. Device Manager will use this service to push client certificates to devices
  for client certificate authentication to MDM. Client certificates are deployed
  automatically during device enrollment.
- Citrix recommends the use of Microsoft SQL Server (Express, Standard, or
  Enterprise) for a production environment.

The MDM component can be installed on a physical or virtual machine. The following table
describes the resource requirements to support 5,000 devices for each of the components in
the MDM architecture.

                 vCPU   Memory   Disk Space
Device Manager   2      4 GB     24 GB
SQL Server       2      6 GB     24 GB
Table 3 XenMobile Server Virtual Machine (VM) Specifications

Enterprises requiring scalability greater than 5,000 devices will need to adjust server
specifications to match the minimum parameters in the table below.

Devices   XenMobile MDM Server   SQL Server
5,000     2 vCPU, 4 GB RAM       2 vCPU, 6 GB RAM
10,000    4 vCPU, 8 GB RAM       4 vCPU, 16 GB RAM
20,000    8 vCPU, 16 GB RAM      16 vCPU, 24 GB RAM
40,000    16 vCPU, 32 GB RAM     32 vCPU, 64 GB RAM
Table 4 XenMobile Server Virtual Machine (VM) Specifications for Scalability

The MDM and database servers can be clustered for high availability; please reference the
High Availability section for more details on clustering the MDM components. Database
backup and recovery should be performed according to the organization's data center policy.
Tomcat TCP connections also need to be taken into consideration:

Devices        Port 443   Port 8443   Port 80   Max Threads
Up to 10,000   400        30          20        12
Over 10,000    750        50          50        20
Table 5 XenMobile MDM Server and TCP Connections

If the TCP connections are getting close to 750, consider clustering the MDM server.
5. ShareFile StorageZones Controller provides instant mobile access to data on existing
network file shares through the ShareFile for iPad and ShareFile for iPhone apps. It also
provides access to existing ShareFile data.

6. XenMobile MDM Edition provides access to SharePoint sites. This requires external access
to your SharePoint server. This functionality can be configured in an MDM policy allowing the
Worx Home to host the SharePoint data in a secure viewer on the mobile device.

7. XenMobile NetScaler Connector (XNC) provides a device level authorization service for
ActiveSync clients to NetScaler acting as a reverse proxy for the ActiveSync protocol.
Authorization is controlled by a combination of policies defined within the XenMobile Device
Manager and by rules defined locally by XenMobile NetScaler Connector. XNC and MDM
can be clustered and load balanced by NetScaler.

The XNC component can be installed on the MDM server or any server running the
Microsoft Windows operating system (i.e., Windows Server 2008 R2).


XNC communicates periodically with the MDM server to synchronize policies to ensure that
device policies are in sync and can be accurately enforced. The following describes this
process flow:
- XenMobile NetScaler Connector Service provides a REST web service interface that
  can be invoked by NetScaler to determine if an ActiveSync request from a device is
  authorized.
- XenMobile Configuration Service communicates with MDM to synchronize policy
  changes with XNC.
- XenMobile Notification Service sends notifications of unauthorized device access to
  MDM so that MDM can take appropriate measures against the device, such as
  notifying the user why the device was blocked.
- XenMobile NetScaler Configuration application allows the administrator to configure
  and monitor XNC.


Figure 5 XenMobile NetScaler Connector (XNC) Process Flow
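To make the XNC decision flow concrete, here is an added Python model (not Citrix code) of the authorization step: NetScaler queries the XNC web service, XNC combines device state synchronized from MDM with its locally defined rules, and a denial is reported back to MDM through the notification path. The rule format, the precedence order (local deny, then MDM policy for managed devices, then local allow for unmanaged devices, then default deny), the query parameter names and the sample device records are all assumptions; the same flow is described again in the Enterprise Edition guidelines.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Device state as synchronized from XenMobile Device Manager by the XNC
# Configuration Service. Constructed sample data, not a real MDM export.
@dataclass
class DeviceState:
    device_id: str
    user: str
    enrolled: bool
    compliant: bool

MDM_DEVICES: Dict[str, DeviceState] = {
    "IOS-0001": DeviceState("IOS-0001", "alice", enrolled=True, compliant=True),
    "AND-0002": DeviceState("AND-0002", "bob", enrolled=True, compliant=False),
    "IOS-0003": DeviceState("IOS-0003", "carol", enrolled=False, compliant=False),
    "IOS-0004": DeviceState("IOS-0004", "dave", enrolled=True, compliant=True),
}

# Rules defined locally on XNC. Hypothetical format: (request field, value, decision);
# the first matching rule wins.
LOCAL_RULES: List[Tuple[str, str, str]] = [
    ("device_id", "IOS-0004", "deny"),   # block one device regardless of its MDM state
    ("device_id", "WP-0009", "allow"),   # local exception for a device MDM does not manage
]

@dataclass
class AuthResult:
    allowed: bool
    reason: str

@dataclass
class NotificationService:
    """Stand-in for the XenMobile Notification Service: records each denial sent to MDM."""
    sent: List[dict] = field(default_factory=list)

    def notify(self, device_id: str, user: str, reason: str) -> None:
        self.sent.append({"device_id": device_id, "user": user, "reason": reason})

def local_decision(device_id: str, user: str) -> Optional[str]:
    """Return 'allow' or 'deny' from the first matching local rule, or None if no rule matches."""
    request = {"device_id": device_id, "user": user}
    for field_name, value, decision in LOCAL_RULES:
        if request.get(field_name) == value:
            return decision
    return None

def authorize(device_id: str, user: str,
              devices: Dict[str, DeviceState] = MDM_DEVICES,
              notifier: Optional[NotificationService] = None) -> AuthResult:
    """Assumed precedence: local deny > MDM policy (managed devices) > local allow (unmanaged) > deny."""
    local = local_decision(device_id, user)
    if local == "deny":
        result = AuthResult(False, "local-rule-deny")
    else:
        state = devices.get(device_id)
        if state is not None:
            # Managed device: MDM policy decides, and a local allow cannot override it.
            if not state.enrolled:
                result = AuthResult(False, "not-enrolled")
            elif not state.compliant:
                result = AuthResult(False, "non-compliant")
            elif state.user != user:
                result = AuthResult(False, "user-mismatch")
            else:
                result = AuthResult(True, "mdm-policy-allow")
        elif local == "allow":
            result = AuthResult(True, "local-rule-allow")
        else:
            result = AuthResult(False, "unknown-device")
    if not result.allowed and notifier is not None:
        # Unauthorized access is reported to MDM so it can act on the device.
        notifier.notify(device_id, user, result.reason)
    return result

def handle_rest_query(params: dict,
                      notifier: Optional[NotificationService] = None) -> dict:
    """Minimal stand-in for the REST interface NetScaler invokes; parameter names are hypothetical."""
    missing = [k for k in ("deviceid", "user") if not params.get(k)]
    if missing:
        return {"status": 400, "allow": False, "reason": "missing:" + ",".join(missing)}
    r = authorize(params["deviceid"], params["user"], notifier=notifier)
    return {"status": 200, "allow": r.allowed, "reason": r.reason}

if __name__ == "__main__":
    svc = NotificationService()
    for dev, usr in [("IOS-0001", "alice"), ("AND-0002", "bob"), ("IOS-0004", "dave"),
                     ("WP-0009", "erin"), ("XX-0000", "mallory")]:
        print(dev, usr, handle_rest_query({"deviceid": dev, "user": usr}, svc))
    print("denials reported to MDM:", len(svc.sent))
```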





XenMobile 8.5 App Edition
XenMobile 8.5 App Edition includes the following infrastructure components:
- XenMobile App Controller 2.8 Virtual Appliance
- NetScaler (i.e., NetScaler Gateway 10.1)
- ShareFile StorageZones Controller 2.0
In order to connect to the unified corporate app store, the device will need to be installed and
configured with Worx Home. Worx Home provides the user with the easiest way to access work
apps and data.
WorxMail is a native iOS and Android email, calendar and contacts app. Citrix WorxMail
integrates with other Worx Mobile Apps and leverages the mobile app security features in
XenMobile through MDX technologies to offer secure productivity on the go. Users can attach
docs to emails and save attachments using ShareFile, open attachments and web links, including
internal sites, with WorxWeb, and view the free/busy information of colleagues before sending a
meeting invite, all while staying inside the secure container on the mobile device. WorxMail
supports ActiveSync and Exchange and offers security features, such as encryption for email,
attachments and contacts.
WorxWeb is a consumer-like native mobile browser for iOS and Android devices that enables
secure access to internal corporate web, external SaaS, and HTML5 web applications. WorxWeb
leverages MDX technologies to create a dedicated VPN tunnel for accessing a company's
internal network and the other MDX security features to ensure that users can access all of their
websites, including those with sensitive information. WorxWeb offers a seamless user
experience in its integration with WorxMail to allow users to click on links, such as mailto and
have the native apps open inside the secure container on the mobile device.
ShareFile enables IT to deliver a robust data sharing and sync service that meets the mobility
and collaboration needs of users and the data security requirements of the enterprise. By making
follow-me data a seamless and intuitive part of every user's day, ShareFile enables optimal
productivity for today's highly mobile, anywhere, any-device workforce. The integration between
ShareFile and XenMobile provides follow-me data across devices and apps and allows users to
view, edit and share data within a secure container on their mobile device.
XenMobile 8.5 App Edition with XenDesktop Integration
StoreFront provides access to Windows desktops and apps hosted on the XenDesktop (or
XenApp) infrastructure. The App Controller server can be configured to provide access to the
Windows desktop and apps. When the user connects to the unified corporate app store, they will
be presented with apps from XenDesktop, XenApp, and the App Controller as a consolidated list
of resources.

Citrix Receiver provides the capability for users to run Windows desktops and apps published on
XenApp or XenDesktop from a mobile device. Receiver will run in the background to support the
capability of running those Windows desktops and apps.





Figure 6 Reference Architecture for XenMobile 8.5 App Edition

XenMobile 8.5 App Edition Guidelines
In order to facilitate the deployment of XenMobile 8.5 App Edition, Citrix recommends that IT
administrators review the following minimum guidelines.

1. The following ports need to be open for the XenMobile 8.5 App Edition reference
architecture.


Figure 7 XenMobile 8.5 App Edition Firewall Ports
Details: Appendix A Firewall Port Requirements

2. NetScaler is the secure application and data access solution for the infrastructure. NetScaler
is available as high-performance network appliances and software-based virtual appliances in
a range of editions for maximum deployment flexibility. These editions include:

- NetScaler MPX appliances are hardened network appliances that offer up to 120
  Gbps performance.
- NetScaler SDX is a high-density consolidation platform that combines Xen-based
  virtualization with the advanced architecture of NetScaler MPX to run up to 40
  NetScaler instances simultaneously without sacrificing performance or security.


- NetScaler VPX virtual appliances run as virtual machines (VMs) on popular
  hypervisors, allowing NetScaler to be provisioned on demand using inexpensive,
  industry-standard servers.

The following table details the minimum resource requirements of the NetScaler VPX (i.e.,
NetScaler Gateway 10.1):

                    vCPU   Memory    Disk Space
NetScaler Gateway   2      4096 MB   20 GB
Table 6 NetScaler Gateway Virtual Appliance (VPX) Specifications

3. The App Controller component can be a virtual appliance that is installed on a hypervisor.
The following table describes the resource requirements to support 5,000 devices for each of
the components in the MDM architecture:

                 vCPU   Memory   Disk Space
App Controller   2      4 GB     50 GB
Table 7 App Controller Virtual Machine (VM) Specifications

4. The ShareFile StorageZones Controller provides mobile access to data on existing network
file shares and SharePoint through the ShareFile for iPad and ShareFile for iPhone apps. It
also provides access to existing ShareFile data.




XenMobile 8.5 Enterprise Edition
XenMobile 8.5 Enterprise Edition includes the following infrastructure components:
- XenMobile Device Manager (MDM) 8.5
- XenMobile NetScaler Connector (XNC) 8.5
  Note: XNC requires a NetScaler.
- XenMobile App Controller 2.8 Virtual Appliance
- StoreFront 2.0
- NetScaler (i.e., NetScaler Gateway 10.1)
- ShareFile StorageZones Controller 2.0
In order to enable the mobile device management functionality, the device will need to enroll with
the Device Manager server using one of the following:
- Citrix Mobile Enroll (iOS devices)
- Worx Home (Android devices)
In order to connect to the unified corporate app store, the device will need to be installed and
configured with Worx Home. Worx Home provides the user with the easiest way to access work
apps and data.
WorxMail is a native iOS and Android email, calendar and contacts app. Citrix WorxMail
integrates with other Worx Mobile Apps and leverages the mobile app security features in
XenMobile through MDX technologies to offer secure productivity on the go. Users can attach
docs to emails and save attachments back using ShareFile, open attachments and web links,
including internal sites, with WorxWeb, and view the free/busy information of colleagues before
sending a meeting invite, all while staying inside the secure container on the mobile device.
WorxMail supports ActiveSync and Exchange and offers security features, such as encryption, for
email, attachments and contacts.
WorxWeb is a consumer-like native mobile browser for iOS and Android devices that enables
secure access to internal corporate web, external SaaS, and HTML5 web applications. WorxWeb
leverages MDX technologies to create a dedicated VPN tunnel for accessing a company's
internal network and the other MDX security features to ensure that users can access all of their
websites, including those with sensitive information. WorxWeb offers a seamless user
experience in its integration with WorxMail to allow users to click on links, such as mailto and
have the native apps open inside the secure container on the mobile device.
ShareFile enables IT to deliver a robust data sharing and sync service that meets the mobility
and collaboration needs of users and the data security requirements of the enterprise. By making
follow-me data a seamless and intuitive part of every user's day, ShareFile enables optimal
productivity for today's highly mobile, anywhere, any-device workforce. The integration between
ShareFile and XenMobile provides follow-me data across devices and apps and allows users to
view, edit and share data within a secure container on their mobile device.
XenMobile 8.5 Enterprise Edition with XenDesktop Integration
StoreFront provides access to Windows desktops and apps hosted on the XenDesktop (or
XenApp) infrastructure. The App Controller server can be configured to provide access to the
Windows desktop and apps. When the user connects to the unified corporate app store, they will
be presented with apps from XenDesktop, XenApp, and the App Controller as a consolidated list
of resources.

Citrix Receiver provides the capability for users to run Windows desktops and apps published on
XenApp or XenDesktop from a mobile device. Receiver will run in the background to support the
capability of running those Windows desktops and apps.




Figure 8 Reference Architecture for XenMobile 8.5 Enterprise Edition

XenMobile 8.5 Enterprise Edition Guidelines
In order to facilitate the deployment of XenMobile 8.5 MDM Edition, Citrix recommends that IT
administrators review the following minimum guidelines.

1. The following ports need to be open to allow MDM to communicate with internal and external
resources.


Figure 9 XenMobile 8.5 Enterprise Edition Firewall Ports
Details: Appendix A Firewall Port Requirements



2. The Apple Push Notification Service (APNS) is used by MDM to push notifications to iOS
devices for configuration and policy updates. This service is provided by Apple and is only
required for iOS devices. Non-iOS devices have their own push implementation.

Note: A special APNS certificate that is signed by Citrix and issued by Apple is required
before installing MDM. Please see the installation instructions.

3. NetScaler is the secure application and data access solution for the infrastructure. NetScaler
is available as high-performance network appliances and software-based virtual appliances in
a range of editions for maximum deployment flexibility. These editions include:

- NetScaler MPX appliances are hardened network appliances that offer up to 120
  Gbps performance.
- NetScaler SDX is a high-density consolidation platform that combines Xen-based
  virtualization with the advanced architecture of NetScaler MPX to run up to 40
  NetScaler instances simultaneously without sacrificing performance or security.
- NetScaler VPX virtual appliances run as virtual machines (VMs) on popular
  hypervisors, allowing NetScaler to be provisioned on demand using inexpensive,
  industry-standard servers (i.e., NetScaler Gateway 10.1).

The following table details the minimum resource requirements of the NetScaler VPX:

                    vCPU   Memory    Disk Space
NetScaler Gateway   2      4096 MB   20 GB
Table 8 NetScaler Gateway Virtual Appliance (VPX) Specifications

4. XenMobile Device Manager (MDM) is the central server for MDM that combines policies,
devices, and users to create deployments to manage the corporate mobile strategy.

- Endpoint devices may connect to the MDM server over ports 80, 443, and 8443. Port
  80 is used by legacy endpoint devices such as older phones and tablets running
  Windows Mobile, or Symbian. However, newer endpoint devices are more secure
  and use port 443. Port 8443 is only used during the enrollment process for iOS
  devices.
- The MDM server runs on the Microsoft Windows Server operating system (i.e.,
  Windows Server 2008 R2).
- The MDM server requires connections to core components and common
  infrastructure services such as Active Directory, DNS, SMTP, Microsoft SQL Server,
  and a certificate authority.
- MDM also requires a PKI service like Microsoft Certificate Authority, or it can use its
  own PKI service hosted on the MDM server that gets installed with Device Manager.
  Device Manager will use this service to push out client certificates to devices for
  client certificate authentication to MDM. Client certificates are deployed automatically
  during device enrollment.
- Citrix recommends the use of Microsoft SQL Server (Express, Standard, or
  Enterprise) for a production environment.

The MDM component can be installed on a physical or virtual machine. The following table
describes the resource requirements to support 5,000 devices for each of the components in
the MDM architecture.

                 vCPU   Memory   Disk Space
Device Manager   2      4 GB     24 GB
SQL Server       2      6 GB     24 GB
Table 9 XenMobile Server Virtual Machine (VM) Specifications

Enterprises requiring scalability greater than 5,000 devices will need to adjust server
specifications to match the minimum parameters in the table below.


Devices   XenMobile MDM Server   SQL Server
5,000     2 vCPU, 4 GB RAM       2 vCPU, 6 GB RAM
10,000    4 vCPU, 8 GB RAM       4 vCPU, 16 GB RAM
20,000    8 vCPU, 16 GB RAM      16 vCPU, 24 GB RAM
40,000    16 vCPU, 32 GB RAM     32 vCPU, 64 GB RAM
Table 10 XenMobile Server Virtual Machine (VM) Specifications for Scalability

The MDM and database servers can be clustered for high availability; please reference the
High Availability section for more details on clustering the MDM components. Database
backup and recovery should be performed according to the organization's data center policy.
Tomcat TCP connections also need to be taken into consideration:

Devices        Port 443   Port 8443   Port 80   Max Threads
Up to 10,000   400        30          20        12
Over 10,000    750        50          50        20
Table 11 XenMobile MDM Server and TCP Connections

If the TCP connections are getting close to 750, consider clustering the MDM server.
5. The App Controller component can be a virtual appliance that is installed on a hypervisor. The
following table describes the resource requirements for the App Controller component to
support 5,000 devices:

Component        vCPU   Memory   Disk Space
App Controller   2      4 GB     50 GB
Table 12 App Controller Virtual Machine (VM) Specifications

6. ShareFile StorageZones Controller provides instant mobile access to data on existing
network file shares through the ShareFile for iPad and ShareFile for iPhone apps. It also
provides access to existing ShareFile data.

7. XenMobile Enterprise Edition provides access to SharePoint sites. This requires external
access to your SharePoint server. This functionality can be configured in an MDM policy
allowing Worx Home to host the SharePoint data in a secure viewer on the mobile device.

8. The XenMobile NetScaler Connector (XNC) provides a device-level authorization service
for ActiveSync clients to NetScaler acting as a reverse proxy for the ActiveSync protocol.
Authorization is controlled by a combination of policies defined within XenMobile Device
Manager and rules defined locally in XenMobile NetScaler Connector. XNC and MDM
can be clustered and load balanced by NetScaler.

The XNC component can be installed on the MDM server or any server running the
Microsoft Windows operating system (e.g., Windows Server 2008 R2).
XNC communicates periodically with the MDM server to synchronize policies, ensuring that
device policies are current and can be accurately enforced. The following describes this
process flow:
- XenMobile NetScaler Connector Service provides a REST web service interface that
  can be invoked by NetScaler to determine if an ActiveSync request from a device is
  authorized.
- XenMobile Configuration Service communicates with MDM to synchronize policy
  changes with XNC.
- XenMobile Notification Service sends notifications of unauthorized device access to
  MDM so that MDM can take appropriate measures against the device, such as
  notifying the user why the device was blocked.
- XenMobile NetScaler Configuration application allows the administrator to configure
  and monitor XNC.

Figure 10 XenMobile NetScaler Connector (XNC) Process Flow


XenMobile 8.5 Enterprise Edition High Availability
Citrix recommends using a high availability implementation of XenMobile. Each core component of
the XenMobile infrastructure can be configured in high availability mode.


Figure 11 Reference Architecture for XenMobile 8.5 Enterprise Edition with High Availability (HA)

A high availability deployment of two NetScaler Gateway appliances can provide uninterrupted
operation in any transaction. With one appliance configured as the primary node and the other as the
secondary node, the primary node accepts connections and manages servers while the secondary
node monitors the primary node. If for any reason the primary node is unable to accept connections,
the secondary node takes over. See Citrix eDocs for information pertaining to Configuring High
Availability on NetScaler Gateway.
Two XenMobile App Controller virtual machines (VMs) can be deployed as a high availability pair.
The first XenMobile App Controller on which high availability is configured is called the primary, and
the other instance is called the secondary. In this deployment, the primary App Controller listens for
requests, serves user requests, and synchronizes its data with the data on the secondary App
Controller. The two virtual machines work as an active-passive pair, in which only one VM is
active at a time. If the primary App Controller stops responding for any reason, the secondary App
Controller takes over, becomes the active VM, and begins to service user requests.
As the active VM, the secondary App Controller also synchronizes system and database information
by using a client-server mechanism. A client on the active App Controller shares the necessary
information with a virtual server on the passive App Controller as a series of requests. The virtual
server parses the requests and performs the necessary action. A virtual IP is required; this will be the
FQDN App Controller address used when configuring StoreFront and NetScaler Gateway in the
XenMobile App Edition or XenMobile Enterprise Edition architectures. Review Citrix eDocs for details
pertaining to Configuring High Availability on App Controller.
Multiple instances of the App Controller virtual machine can be installed to create a cluster. One App
Controller acts as the cluster head and is considered the host. As such, the cluster head
hosts the database for all of the App Controller VMs in the cluster. All other App Controller virtual
machines in the cluster are called service nodes. Each service node has a local database that is
used by the service node only. Updating user information from the service node to the cluster head
requires writing to the cluster head's database. A service node connects to the database on the cluster head by
using a secure channel.
App Controllers deployed as service nodes obtain their configuration from the App Controller that acts
as the cluster head. Citrix recommends deploying two App Controller VMs in a high availability pair.
Each VM is a cluster head. If one VM fails, the secondary VM can act as the cluster head.
Search Citrix eDocs for information regarding Configuring App Controller Clustering.


Figure 12 XenMobile App Controller with High Availability (HA) and Clustering

XenMobile Device Manager (MDM) can be configured with multiple servers load-balanced behind a
NetScaler appliance or another hardware load-balancing solution. The Device Managers work in an
active-active configuration. In this environment, ports 80, 443, and 8443 are load-balanced. For SSL
connections (ports 443 and 8443), make sure to turn on SSL session persistence in the load
balancing rules. MDM requires a shared SQL server and NTP configured on each server.

StoreFront is an integral component of any XenDesktop, XenApp, XenMobile, or VDI-in-a-Box
implementation. StoreFront provides high availability and multi-site configuration. It includes a
number of features that combine to enable load balancing and failover between the deployments
providing the resources for stores. StoreFront can be set up with a dedicated disaster recovery
deployment for increased resiliency. These features enable StoreFront to be distributed over multiple
sites to provide high availability for the stores. Additional information can be found in Citrix eDocs
regarding StoreFront high availability and multi-site configuration.


Reference Environment

In the various reference architectures described in this document, there are many supporting servers
and services that are required for operation in an enterprise environment. The following section
details the common infrastructure components (storage, virtualization environment, servers,
networking equipment, etc.) and how the various architectures integrate with those core components.

Network Layout

Figure 13 Network Layout for Reference Environment
Server Hardware

XenServer Hosts: Dell PowerEdge C6100
  The Dell C6100 contains 4 physical servers enclosed in a 2U form factor, with each server
  having the hardware specifications listed below:
  - 2 Intel Xeon E5620 Processors
  - 64GB RAM
  - 500GB HDD
  - 2 physical machines configured in HA (High Availability) mode
  - 2 1Gb Ethernet Adapters
XenServer Configuration: 2 servers configured in a virtualization pool for HA (High Availability)
  - XenServer version 6.1.0-59235p
  - Three separate VLANs configured:
    o VLAN 30: Storage VLAN configured for 9000 MTU for fast connectivity to backend
      NFS storage.
    o VLAN 10: User/Management traffic VLAN configured for standard 1500 MTU. Please
      note that it is best practice for XenServer to further segregate User and Management
      traffic by creating additional VLANs in high traffic implementations.
    o VLAN 50: DMZ VLAN to provide access from outside the enterprise network.
Storage: NetApp 2240-2
  - 7.2TB total configurable storage
  - Active/Active Controller configuration
  - 4.5TB NFS configured storage volume
  - ~250GB used for complete virtualized environment
  - 2 10Gb Ethernet (10GbE) Adapters
Network: Cisco C3560X, Cisco ASA 5520
Table 13 Server Hardware and Specifications for Reference Environment
Authentication
Active Directory running on Windows Server 2008 R2 was used for all reference architecture
environments. Active Directory (LDAP) support differs for each product. Neither App
Controller nor XenMobile MDM will authenticate users in nested groups. Another limitation
of App Controller is that it only supports a single-forest environment. Please check each
product's documentation for full support requirements.
The reference environments also make use of two-factor authentication configured on NetScaler
Gateway to provide secure access to the internal corporate resources using RADIUS
authentication from Symantec Validation and ID Protection. Using two-factor authentication will
require an extra port to be opened on the firewall (typically UDP/1812) from the DMZ (NetScaler
Gateway) to the RADIUS server (internal).

Certificates
Wildcard and SAN certificates are supported for all Citrix products. In most deployments, only
two wildcard or SAN server certificates are required:
1) External *.extcompany.com
2) Internal *.intdomain.net
The following table shows the certificates required and the format needed for each component. A
simple utility like OpenSSL can be used to convert certificate formats. A separate SAML
certificate will be needed depending on the SAML authentication enabled apps that are published
in App Controller.

Component           Certificate Format     Certificates Required                                   Location
NetScaler Gateway   PEM                    Server (1), root CA                                     External
App Controller      PEM or PFX (PKCS#12)   Server, SAML, root CA                                   Internal
StoreFront          PFX (PKCS#12)          Server, root CA                                         Internal
XenMobile MDM       PFX (PKCS#12)          APNS, server. MDM will create its own PKI service or    External
                                           use Microsoft CA for client certificates.
Table 14 Certificate Requirements
(1) It is recommended to make this a public (3rd party) cert so mobile devices won't need to
download the company's private root CA first.
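As an added example (not from the Citrix document), the following shell script uses OpenSSL to build the PFX (PKCS#12) bundle that StoreFront and XenMobile MDM expect from the PEM server certificate, private key and root CA that NetScaler Gateway uses, then round-trips it to confirm the bundle carries the intended certificate and chain. The root CA, the *.intdomain.net server certificate and the password are throwaway test material generated by the script, not the reference environment's certificates.

```shell
#!/bin/sh
# Added example, not Citrix code: convert PEM (NetScaler Gateway format) to
# PKCS#12 (StoreFront / XenMobile MDM format) and verify the result.
# All key material here is CONSTRUCTED for the demonstration.
set -e
WORK=$(mktemp -d)

# Throwaway internal root CA and a wildcard server certificate, mirroring the
# "*.intdomain.net" naming used in the document. Test material only.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.intdomain.net" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# PEM server cert + key + root CA  ->  one PKCS#12 file with the chain,
# which is the import format StoreFront and MDM accept (Table 14).
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -certfile "$WORK/root.pem" -name "intdomain-wildcard" \
        -out "$WORK/server.pfx" -passout pass:changeit
}

# Round-trip check: pull the server certificate back out of the PFX, compare
# SHA-256 fingerprints with the PEM original, and verify the chain to the root.
pfx_fingerprint_matches() {
    openssl pkcs12 -in "$WORK/server.pfx" -clcerts -nokeys -passin pass:changeit \
        -out "$WORK/from_pfx.pem" 2>/dev/null
    a=$(openssl x509 -in "$WORK/server.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/from_pfx.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ] && openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null
}

# Stand-alone run: build, convert, verify.
make_test_pki && pem_to_pfx && pfx_fingerprint_matches \
    && echo "PKCS#12 bundle verified: $WORK/server.pfx"
```

For a real deployment, substitute the CA-issued server certificate, its key and the CA's root certificate for the generated files, and keep the export password out of shell history.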

Domain Name Service (DNS)
It is recommended to use static IPs for all servers in the environment. As configured in the
reference environment, the following records were added to the DNS server.

Server                                    Location                Record
XenMobile Device Manager                  Internal and External   Host (A)
NetScaler Gateway                         Internal and External   Host (A)
(including Vserver IP address)
App Controller                            Internal                Host (A)
StoreFront                                Internal                Host (A)
Table 15 DNS Server Records and Locations

Tip: In order to confirm communication between the servers, verify that the FQDN of each
server can be resolved and pinged from every other server in the architecture, including
the NetScaler.

Microsoft SQL Server
Microsoft SQL Server (Express, Standard, and Enterprise) is supported for all the products in
the XenMobile reference architectures. It is important to plan accordingly and size the SQL
server based on the number of devices, applications, and users that will be using the environment.
The same SQL server may be used for the different products. It is recommended to size the SQL
server based on the MDM requirements.


Conclusion
The Citrix Reference Architecture for XenMobile 8.5 document has outlined the various editions of
XenMobile and their respective reference architectures. Each edition offers security and compliance for
IT while giving users mobile device, app, and data freedom. Citrix has well-defined and proven
architectures for each of the XenMobile editions. Once IT architects have created their corporate
mobile strategy, they can utilize this document to select the appropriate edition and corresponding
reference architecture for planning the deployment of their mobility infrastructure.
For additional product information and technical questions concerning this document or
the products mentioned herein, please visit the Citrix corporate web site, search Citrix eDocs for the
latest product documentation, or contact your local Citrix representative.


Appendix A Firewall Port Requirements

XenMobile MDM Edition

TCP Port 25
  Description: By default, the MDM SMTP configuration of the Notification Service uses port 25.
    However, if your corporate SMTP server uses a different port, make sure that your corporate
    firewall does not block that port.
  Source: XenMobile MDM
  Destination: Corporate SMTP Server

TCP Port 80
  Description: Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile)
  Source: Internet
  Destination: XenMobile Device Manager Server

TCP Port 80
  Description: Over-the-Air (OTA) Enrollment and Agent Setup (Android and Windows Mobile),
    MDM Web Console, MDM Remote Support Client
  Source: Corporate LAN and Wi-Fi
  Destination: XenMobile Device Manager Server

TCP Port 80
  Description: MDM server Enterprise App Store connection to Apple iTunes App Store
    (ax.itunes.apple.com). Used for publishing recommended iTunes App Store apps from the
    available iOS applications within the Web Console and iOS Mobile Connect App
  Source: XenMobile MDM
  Destination: Apple iTunes App Store (ax.itunes.apple.com)

TCP Port 80 or 443
  Description: XenMobile Device Manager Nexmo SMS Notification Relay outbound connection
  Source: XenMobile MDM
  Destination: Nexmo SMS Relay server

TCP Port 389 or 636
  Description: LDAP/LDAPS connection from MDM server to Directory Service Host (Active
    Directory Global Catalog server or equivalent LDAP directory service host)
  Source: XenMobile MDM
  Destination: LDAP / Active Directory Services

TCP Port 443
  Description: SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related
    traffic and data connections (iOS, Android and Windows Mobile)
  Source: Internet
  Destination: XenMobile MDM

TCP Port 443
  Description: SSL OTA Enrollment/Agent Setup (Android and Windows Mobile), all device-related
    traffic and data connections (iOS, Android and Windows Mobile), MDM Web Console
  Source: Corporate LAN and Wi-Fi
  Destination: XenMobile MDM

TCP Port 1433
  Description: Remote database server connection to separate SQL server (optional)
  Source: XenMobile MDM
  Destination: SQL Server

TCP Port 2195
  Description: Apple APNS (Push Notification Service) outbound connection to
    gateway.push.apple.com, used for iOS device notifications and device policy push
  Source: XenMobile MDM
  Destination: Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8)

TCP Port 2196
  Description: Apple APNS (Push Notification Service) outbound connection to
    feedback.push.apple.com, used for iOS device notifications and device policy push
  Source: XenMobile MDM
  Destination: Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8)

TCP Port 5223
  Description: Apple APNS (Push Notification Service) outbound connection from iOS devices
    connected via Wi-Fi network to *.push.apple.com
  Source: iOS device on Wi-Fi network
  Destination: Internet (Apple APNS Service Hosts on public IP network 17.0.0.0/8)

TCP Port 8443
  Description: Over-the-Air (OTA) Enrollment for iOS Devices only
  Source: Internet; Corporate LAN and Wi-Fi
  Destination: XenMobile MDM

Note: Corporate LAN traffic outbound to DMZ and the Internet is assumed to be allowed.

XenMobile App Edition

Note: Corporate LAN traffic outbound to DMZ and the Internet is assumed to be allowed.


TCP Port 443
  Description: Connections to StoreFront Services for Enterprise edition access to Web, Mobile,
    SaaS and Desktop Applications
  Source: NetScaler Gateway
  Destination: StoreFront

TCP Port 443
  Description: Connections to App Controller for Web, Mobile and SaaS application delivery
  Source: NetScaler Gateway
  Destination: App Controller

TCP Port 443
  Description: Secure Ticket Authority (STA)
  Source: NetScaler Gateway
  Destination: Citrix XenDesktop / XenApp Servers

TCP Port 389, 636 or 3268
  Description: LDAP/LDAPS connection from NetScaler Gateway to Directory Service Host (Active
    Directory Global Catalog server or equivalent LDAP directory service host)
  Source: NetScaler Gateway
  Destination: LDAP / Active Directory Services

TCP Port 53
  Description: DNS
  Source: NetScaler Gateway
  Destination: DNS Server

TCP Port 123
  Description: NTP Services
  Source: NetScaler Gateway
  Destination: NTP Server

TCP Port 1494
  Description: Citrix ICA Protocol
  Source: NetScaler Gateway
  Destination: Citrix XenDesktop / XenApp Servers

TCP Port 2598
  Description: Citrix ICA/CGP Protocol. When Session Reliability is enabled, TCP port 2598
    replaces port 1494.
  Source: NetScaler Gateway
  Destination: Citrix XenDesktop / XenApp Servers
Appendix B Configuration Guidelines and Recommendations

Citrix recommends following the installation instructions as presented in the product documentation.
However, in order to ensure a successful deployment of XenMobile, the following recommendations
have been highlighted to supplement those instructions.

Integration of Windows Desktops and Apps with the App Controller
1. Log on to the App Controller console.
2. Proceed to the Apps & Docs tab.
3. Select the Windows Apps option from the left pane.
4. Input the host FQDN in the Host field.
5. Input the port information in the Port field.
6. Select the Allow secure access option.
7. Save the configuration.

Figure B-1 Integration of Windows Desktops and Apps with the App Controller


Linking the Device Manager with the App Controller

1. Log on to the MDM server console.
2. Navigate to the AppC Webservice API.
3. Input the App Controller FQDN in the Host Name field.
4. Provide a Shared Key (common password) that will be used by both AppC and the Device Manager.
5. Select the Enable App Controller option, but do not select the Check connection button.
6. Select the Close button.
7. Select the Yes option when prompted to save the configuration.


1. Log on to the App Controller console.
2. Navigate to the Settings tab.
3. Select the XenMobile MDM option from the left pane.
4. Input the Device Manager FQDN in the Host field.
5. Input the port information in the Port field.
6. Provide the Shared Key (the one that was created on the Device Manager).
7. Verify the Instance Path is listed as /zdm.
8. Select Require Device Manager enrollment to force devices to enroll with the Device Manager
   before gaining access to the unified store.
9. Select the Test Connection button.
10. Verify the "Test Connection was successful" message is displayed.

1. Return to the MDM server console.
2. Navigate to the AppC Webservice API.
3. Select the Check connection button.
4. Verify the Check connection returns as a Success.

1. Return to the App Controller server console.
2. Select the Save button.


Note: Synchronization between the Device Manager and App Controller will commence
and is expected to complete without issue. Upon completion, the infrastructure will have
a fully integrated MDM and MAM environment.
Figure B-2 Linking the Device Manager with the App Controller



Corporate Headquarters
Fort Lauderdale, FL, USA

India Development Center
Bangalore, India

Latin America Headquarters
Coral Gables, FL, USA

Silicon Valley Headquarters
Santa Clara, CA, USA

Online Division Headquarters
Santa Barbara, CA, USA

UK Development Center
Chalfont, United Kingdom

EMEA Headquarters
Schaffhausen, Switzerland

Pacific Headquarters
Hong Kong, China


About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles, empowering people to
work and collaborate from anywhere, easily and securely. With market-leading solutions for mobility,
desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps
organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix
products are in use at more than 260,000 organizations and by over 100 million users globally. Annual
revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

Copyright 2013 Citrix Systems, Inc. All rights reserved. Citrix, XenMobile, NetScaler, XenDesktop,
XenApp, ShareFile, Citrix Receiver, WorxMail, WorxWeb, ShareFile and GoToAssist are trademarks of
Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other
countries. Other product and company names mentioned herein may be trademarks of their respective
companies.
