Netscaler 12 Configuration for XenMobile Cloud
Standard XenMobile will have MDM and MAM part , MDM is for mobile device management and MAM is for mobile application management. XenMobile Cloud will have MDM part and we will configure on premise Netscaler for MAM services only to communicate with internal applications and services. The Netscaler MAM gateway will communicate with MDM services in the cloud.
This post will cover the configuration of Netscaler for XenMobile cloud, Don’t be scared to run the script on Netscaler as i have seen people really scared to run this script. Its tested , its very simple and straight forward. Take a backup of netscaler before doing this as you will always have backup to revert the state of netscler to.
Contents of the Post
Download the script bundle from Cloud
Login to XenMobile cloud – settings – Netscaler gateway – add the mam url which netscaler will host – select the gateway – select download scripts.
NSGConfigBundle.zip file will download – Extract the file, below files are part of zip file.
1. NSGConfigBundle_CREATESCRIPT.txt — Contains the NetScaler CLI commands that configure the required components in NetScaler.
2. NSGConfigBundle_DELETESCRIPT.txt — Contains the NetScaler CLI commands that remove the corresponding configurations.
3. readme.txt — This file.
4. root-ca.crt.pem — A Root CA certificate.
5. inter-ca.crt.pem — An Intermediate CA certificate.
Readme.txt file review
Readme.txt file contents are below, its very easy and detailed.
The bundle has the following files:
1. NSGConfigBundle_CREATESCRIPT.txt — Contains the NetScaler CLI commands that configure the required components in NetScaler.
2. NSGConfigBundle_DELETESCRIPT.txt — Contains the NetScaler CLI commands that remove the corresponding configurations.
3. readme.txt — This file.
4. root-ca.crt.pem — A Root CA certificate.
5. inter-ca.crt.pem — An Intermediate CA certificate.
NetScaler requirements:
1. NetScaler version 10.5 build 62.9 and above.
2. NetScaler IP address is configured and has connectivity to the LDAP server, unless LDAP is being load balanced.
3. NetScaler Subnet (SNIP) IP address is configured, has connectivity to the necessary backend servers, and has public network access over port 8443/TCP.
4. DNS can resolve public domains.
5. NetScaler is licensed with Platform/Universal or Trial licenses – https://support.citrix.com/article/CTX126049.
6. A NetScaler Gateway SSL certificate is uploaded and installed on the NetScaler – https://support.citrix.com/article/CTX136023.
Configuration Steps:
1. Modify place holders in NSGConfigBundle_CREATESCRIPT.txt with the appropriate values.
2. Upload NSGConfigBundle_CREATESCRIPT.txt into the /var directory of the NetScaler appliance.
3. Upload the root-ca.crt.pem and inter-ca.crt.pem certificates into the /nsconfig/ssl/ directory of the NetScaler appliance.
4. Execute the following command in the NetScaler bash shell:
/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f “/var/NSGConfigBundle_CREATESCRIPT.txt”
Pre-requisites
NetScaler requirements:
1.Xenmobile cloud url : mycompany-cs.xm.cloud.com
2.XenMobile MAM url: ( Netscaler will host) : mam.mycompany.com
3.NetScaler version 10.5 build 62.9 and above.
4.NetScaler IP address is configured and has connectivity to the LDAP server, unless LDAP is being load balanced.
Note: Need to verify NSIP to LDAP server 389/636 ports are opened
4.NetScaler Subnet (SNIP) IP address is configured, has connectivity to the necessary backend servers, and has public network access over port 8443/TCP.
SNIP will communicate with xenmobile cloud url https://mycompany-cs.xm.cloud.com on port 8443. This communication needs to be allowed for MAM to MDM communication.
5. DNS can resolve public domains.
SSH to Netscaler and ping mycompany-cs.xm.cloud.com , this should resolve.
6. NetScaler is licensed with Platform/Universal or Trial licenses – https://support.citrix.com/article/CTX126049.
Note: Platinum license is not mandatory , it can work with standard license also, if you have ShareFile AAA auth won’t work with standard edition.
7. A NetScaler Gateway SSL certificate is uploaded and installed on the NetScaler – https://support.citrix.com/article/CTX136023
Necessary csr is generated and certificate is installed for mam.mycompany.com. wildcard and server certificates will work. SAN certificate not supported.
8. Netscaler gateway Virtual IP for MAM url.
9. Public IP need to be Natted to above MAM VIP on port 443
10. One free virtual IP for Proxy load balancer to be configured on Netscaler.
11. LDAP service account , a domain user account with password. nsldap@company.com
12. MAM certificate Name : this will be certificate name displayed under SSL – Certificates section – MAMCertificate
NetScaler Configuration for XenMobile Cloud
Open Create Script text file (NSGConfigBundle_CREATESCRIPT.txt) and follow below steps.
Step 1:
search for <NSG_IP> in the text file and replace it with MAM VIP described in pre-reqs 8.
# <NSG_IP> — Virtual IP Address to be assigned to the NetScaler Gateway virtual server. This IP address must be reachable from your devices either directly or via a NAT.
Before changing:
After Changing:
Step 2: Replace PROXY_LB_VIP with your LB VIP IP 192.168.1.166, it is located in two places in script as shown below.
# <PROXY_LB_VIP> — Virtual IP Address to be assigned to the proxy load-balancer configured on the NetScaler. This IP address must be a private address.
After Changing:
Step3: Replace<LDAP_SVC_USERNAME> with ldap account nsldap, its located in two places.
# <LDAP_SVC_USERNAME> — LDAP Service Account Username.
Before Changing:
After changing:
Step 4: Replace <LDAP_PASSWORD> with ldap password, its located in 2 places.
# <LDAP_PASSWORD> — LDAP Service Account Password.
Before Changing:
After Changing:
Step 5: Replace <SERVER_CERT_NAME> with Certificate display Name in GUI, MAMCertificate
# <SERVER_CERT_NAME> — Name of the server certificate file on the NetScaler. This certificate is bound to the NetScaler Gateway virtual server.
Before Changing:
After Changing:
save the NSGConfigBundle_CREATESCRIPT.txt file
Step 6: Upload NSGConfigBundle_CREATESCRIPT.txt into the /var directory of the NetScaler appliance.
Using winscp or firezilla connect to netscaler and browse to /var and copy NSGConfigBundle_CREATESCRIPT.txt file to var directory in netscaler.
Step 7: Upload the root-ca.crt.pem and inter-ca.crt.pem certificates into the /nsconfig/ssl/ directory of the NetScaler appliance.
Using winscp or firezilla connect to netscaler and browse to/nsconfig/ssl/ and copyroot-ca.crt.pem and inter-ca.crt.pem certificates into the /nsconfig/ssl/ directory in netscaler. these two files are part of the initial zip file. they are nothing but the MDM url root and intermediate cert files.
Step 8: Execute the command in the NetScaler bash shell to create necessary configuration.
Connect to netscaler using putty or terminal and run below command
Run shell to go to bash shell then below command.
/netscaler/nscli -U :<NetScaler Management Username>:<NetScaler Management Password> batch -f “/var/NSGConfigBundle_CREATESCRIPT.txt”
Example:
shell
/netscaler/nscli -U :nsroot:nsrootpwd batch -f “/var/NSGConfigBundle_CREATESCRIPT.txt”
Note: nsroot is user, nsrootpwd is the password
This will create necessary Netscaler Gateway VIP and load balanced virtal server for proxy.
Hope this post is helpful, leave your comments and suggestions below.
I am glad that I noticed this website, exactly the right info that I was looking for!