hands-on lab exercise guidedocs.citrixvirtualclassroom.com/events/syn2015/syn-607.pdfhands-on lab...

607: Troubleshooting Methodology and Strategies

for XenMobile

Hands-on Lab Exercise Guide

Adolfo Montoya and Justin Maeder

May 2015

May 2015

| 1 |

Table of Contents Table of Contents ....................................................................................................................... 1

Overview .................................................................................................................................... 2

Scenario..................................................................................................................................... 5

Exercise 1: Initial Configuration of the XenMobile Server ........................................................... 6

Exercise 2: XenMobile Server Getting Started Wizard ..............................................................12

Exercise 3: Adding Worx Applications to XenMobile Server ......................................................21

Exercise 4: Configuring HDX Apps on XenMobile Server ..........................................................31

Exercise 5: Unable to Enroll iOS or Android Devices ................................................................35

Exercise 6: Unable to Navigate Intranet Sites ...........................................................................66

Exercise 7: Unable to Access Mail via WorxMail on iOS ...........................................................78

Exercise 8: Unable to Access Mail via WorxMail on Android ....................................................95

Exercise 9: Unable to Enumerate HDX Apps .......................................................................... 111

| 2 |

Overview

Hands-on Training Module

Objective

This training will provide hands-on experience with the following:

Initial/Basic configuration of XenMobile Server 10.0.

Fix integration of XenMobile Server with NetScaler Gateway.

Fix Microsoft SharePoint accessibility via WorxWeb.

Fix integration of XenMobile Server with HDX resources (e.g. Windows apps).

Prerequisites

Basic understanding of Web/SaaS/Mobile apps.

Familiarity with navigating the NetScaler Configuration Utility.

Basic understanding of http/https communication.

Basic understanding of networking concepts (IE: IP addressing and communication)

Install Worx Home app on the iOS or Android device.

Audience

Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support.

Lab Environment Details

Describe the lab environment. The system diagram of the lab is shown below:

External access to common services (HTTP, SSL, SMTP, RDP, SSH, DNS) to simulate a

real production environment customized.

1 Active Directory namespace (e.g training.lab).

Pre-configured enterprise applications (Exchange & MSSQL).

Pre-configured NetScaler Gateway.

XenMobile Enterprise components (XenMobile Server, NetScaler Gateway, StoreFront and

XenDesktop).

| 3 |

The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All

windows applications such as XenCenter, (the XenServer GUI management tool), are accessed

from the Student Desktop.

Note: If you encounter the following message at any point during the lab exercises, click Restart

Later:

Lab Guide Conventions

This symbol indicates particular attention must be paid to this step

Special note to offer advice or background information

| 4 |

reboot Text the student enters or an item they select is printed like this

VMDemo Filename mentioned in text or lines added to files during editing

Start Bold text indicates reference to a button or object

Focuses attention on a particular part of the screen (R:255 G:20 B:147)

Shows where to click or select an item on a screen shot (R:255 G:102 B:0)

List of Virtual Machines Used

VM Name IP Address Description / OS

Site1-

AD.training.lab 192.168.10.11

Windows Server 2012 R2 Standard. Domain

controller for training.lab, DNS, DHCP services,

and license server.

Site1-DDC 192.168.10.40 Windows Server 2012 R2 Std. with XenDesktop

7.6 installed.

Site1-XMS1 192.168.10.20

XenMobile Server 10.0. Students will perform the

initial/basic XenMobile Server and configure apps,

policies, and delivery groups.

Site1-Exchange 192.168.10.15 Windows Server 2008 R2 with Exchange 2010

installed

Site1-NS1

NSIP=192.168.10.50

VIP=192.168.10.100

VIP=192.168.10.101

NS/AGEE 10.5. Students will perform steps to

integrate NetScaler Gateway with Citrix StoreFront

and XenMobile Server.

Site1-SharePoint 192.168.10.14 Windows Server 2008 R2 with SharePoint 2010

installed.

Site1-SQLServer

192.168.10.12

Windows Server 2012 Standard with SQL Server

installed.

Site1-VDA 192.168.10.205 Windows 8.1 Professional with XenDesktop VDA

installed.

Required Lab Credentials

The credentials required to connect to the environment and complete the lab exercises.

VM Name IP Address Password Description

Site1-AD.training.lab,

Site1-Win81Client,

Site1-DDC,

Site1-Exchange,

Site1-SharePoint,

Site1-SQLServer,

Site1-VDA

administrator Citrix123 Domain admin

Site1-NS1 nsroot nsroot NetScaler admin

| 5 |

Scenario You have been hired as a consultant to deploy a XenMobile Enterprise Edition for MobileTeX, Inc. in order to provide management of devices along with access to internal applications and data resources from any mobile device. Your task is to use the guidelines outlined below to implement a solution that meets the business needs.

Guidelines:

Architecture: The XenMobile Server should be installed and configured in the protected

LAN.

Security: NetScaler Gateway should front the XenMobile Server to provide a single point of

access.

Data: Company data should be available to employees internally and externally. This data

should be made publicly available and should only be accessed using read-only methods.

Users: End users should be able to browse internal sites securely.

| 6 |

Exercise 1

Initial Configuration of the XenMobile Server

Overview

Configuring the XenMobile Server is a two-part process. The initial configuration is done at the console of the server by configuring the new password, network settings (ie: IP address, subnet mask, default gateway), database location, and external FQDN. Once this is done, you connect to the Administration Console from a web browser to configure the basic configuration via the Start-up Wizard. In this lab, you will perform the initial configuration at the console of the XenMobile Titan server.

Step by step guidance

Estimated time to complete this lab: 10 minutes.

Step Action

1. Within XenCenter, double-click xenserver and enter the login credentials provided in

the lab site:

User name: admin

Password: (The XenServer credentials information is located in the lab site).

| 7 |

2. Select the Site1-XMS1 virtual machine and click the Console tab. You will notice that

the XenMobile Server is (in First Time Use mode).

Enter Citrix123 as the new password and hit Enter.

Re-enter Citrix123 as the new password and hit Enter.

3. Configure the following settings:

IP Address: 192.168.10.20

Netmask: 255.255.255.0

Default gateway: 192.168.10.1

Primary DNS server: 192.168.10.11

Secondary DNS server [optional]: Leave blank

Hit Enter to commit the settings.

| 8 |

4. The network settings are applied. Hit Enter to generate a random password to secure

server data.

5. Hit Enter to leave the FIPS mode disabled.

6. Next we will configure a remote database connection. Configure the following settings:

Local or remote [l/r]: r

Type (mi=Microsoft SQL, p=PostgreSQL) [mi]: mi

Use SSL: n

Server: 192.168.10.12

Port: 1433

Username: training\administrator

Password : Citrix123

Database name : DB_service

Accept the default y to commit the settings.

7. Hit Enter to enable Clustering on the XenMobile Server.

| 9 |

8. You are prompted for the XenMobile hostname.

Enter <IP2 FQDN> from your portal page.

Note: Your IP2 FQDN is available on the portal

page.

Example Only: 75-126-159-220.mycitrixtraining.net

Accept the default y to commit the settings.

9. Configure the following communication ports (Port listeners):

HTTP: 80

HTTPS with certificate authentication: 443

HTTPS with no certificate authentication: 8443

HTTPS for management: 4443

Accept the default y to commit the settings:

| 10 |

10. You are asked to use the same password for all certificates of the PKI.

Hit Enter to accept the default y.

Enter Citrix123 as the new password.

Re-enter Citrix123 as the password.

Hit Enter to accept the default y to commit the settings.

Note: This configuration is for all the Public Key Infrastructure (PKI) certificates. This step creates the device manager’s certificate authorities. If you intend to cluster XenMobile Server nodes, you will need to provide

identical passwords for subsequent nodes.

11. You are prompted to configure the XenMobile console administrator account.

Configure the account as follows:

Username: administrator (Hit Enter to accept the default)

Password: Citrix123

Re-enter new password: Citrix123

Hit Enter to accept the default y to commit the settings.

12. You are asked if this is an upgrade from a previous release. Hit Enter to accept the

default n.

| 11 |

13. Once initial installation is complete, the following prompt should be seen:

14. Congratulations, you have finished this lab exercise.

Exercise Summary

In this exercise, the student performed the initial configuration of the XenMobile Server. During the first time use, you configured the XenMobile Server networking information, FQDN, DNS Server, and connection to a remote SQL database.

| 12 |

Exercise 2

XenMobile Server Getting Started Wizard

Overview

In this exercise we will go through the XenMobile Server Getting Started wizard in order to configure licensing, NetScaler Gateway integration, authentication server settings and more. The applications and policies will be assigned to the delivery groups.



Step Action

1. Minimize the Citrix XenCenter console.

2. On the taskbar, launch Chrome browser.

3. To access the XenMobile web management console, click the XenMobile Server

bookmark.

4. At the Certificate warning prompt, click Proceed to 192.168.10.20 (unsafe).

| 13 |

5. Login with the following credentials:

Username: administrator

Password: Citrix123

Click Sign in.

6. The Get Started wizard is displayed. Click Start to begin the configuration wizard.

| 14 |

7. The Initial Configuration window is displayed.

Click Next to accept the default licensing configuration.

8. On the SSL Certificate page, click Import.

| 15 |

9. Configure the following settings:

Import: Keystore

Keystore type: PKCS#12

Use as: APNs

Keystore file: APNS.pfx (Browse to \\Ad\Software\Certificates)

Password: Citrix123

Click Import.

Note: At the Windows Security prompt, enter the domain administrator credentials.

Username: training\administrator

Password: Citrix123

| 16 |

10. A confirmation window pops up.

Click OK.

11. Click Import again.

Configure the following settings:

Import: Keystore

Keystore type: PKCS#12

Use as: SSL Listener

Keystore file: MCTWildcard.pfx (Browse to \\Ad\Software\Certificates)

Password: Citrix123

| 17 |

12. A confirmation window pops up.

Click OK.

13. Both APNs and SSL Listener certificates are displayed.

Click Next.

| 18 |

14. Click Next. You are prompted to configure NetScaler Gateway.

Configure the following settings:

Name: NSG

Alias: leave blank

External URL: https:<IP1 FQDN>

Logon Type: Domain only

Password Required: On

Set as Default: On


page.


Click Next.

| 19 |

15. The LDAP Configuration page is displayed. Configure the following settings:

Primary Server: 192.168.10.11

Port: 389 (Default)

Domain name: training.lab

Userbase DN: dc=training,dc=lab (auto-filled in)

Group base DN: dc=training,dc=lab (auto-filled in)

User ID: [email protected]

Password: Citrix123

Domain alias: training.lab

Use search by: userPrincipalName (Default)

Click Next.

16. Click Next to skip the Notification Server configuration.

17. Click Finish on the Summary page.

| 20 |

18. The initial configuration is complete. Click Start Managing Apps and Devices.

19. In XenCenter, select the Site1-XMS1 virtual machine.

Click Reboot to reboot the server.

20. Wait until the XenMobile Server is back up before continuing with the next exercise.


Exercise Summary

The Getting Started wizard walks you through the configuration process for licensing, certificates, NetScaler Gateway & LDAP settings for the XenMobile Server.

| 21 |

Exercise 3

Adding Worx Applications to XenMobile Server

Overview

In this exercise students will add and configure MDX-wrapped WorxWeb & WorxMail apps for iOS

and Android in the XenMobile Server.



Step Action

1. Browse to http://bit.ly/Worx-Apps and download the WorxApps.zip file. This file includes all of the MDX applications for Android and iOS.

Extract the file to the Desktop.

2. If not open, launch the Chrome browser and click the XenMobile Server bookmark.


http://bit.ly/Worx-Apps

| 22 |



Password: Citrix123

Click Sign in.

5. To configure applications in XenMobile Server, go to Configure > click Apps.

6. Click Add.

| 23 |

7. At the Add App prompt window, click MDX.

8. Let’s add the WorxWeb MDX-wrapped app.

Click Add.


| 24 |

iOS Android

10. In the App Information page, enter the

following information:

Name: WorxWeb

Description: blank

App category: Default

Click Next.

In the App Information page, enter the


Name: WorxWeb

Description: blank


Click Next.

11. Uncheck Windows Phone.

Uncheck Windows Phone.

| 25 |

12. For iOS MDX apps, click Upload.

Browse to the Desktop and select

WorxWeb.mdx in the WorxApps\iOS folder.

For Android MDX apps, click Upload.


WorxWeb.mdx in the WorxApps\Android

folder.

13. In the MDX policies section, scroll down to

Network Access and select Tunneled to

the internal network.

In the MDX policies section, scroll down to

Network Access and select Tunneled

to the internal network.

14. Scroll down to the Application Settings

section and enter the following parameters:

Preloaded bookmarks:

Training,SharePoint,http://sp.tra

ining.lab,Training,Office Mail,

https://mail.training.lab/owa

Home page URL: www.citrix.com

Scroll down to the Application Settings

section and enter the following

parameters:

Preloaded bookmarks:

Training,SharePoint,http://sp.t

raining.lab,Training,Office

Mail,

https://mail.training.lab/owa

Home page URL: www.citrix.com

15. Click Next to bypass Approvals.

| 26 |

16. Select AllUsers delivery group.

Click Save.

17. Verify the WorxWeb app has been added.

18. Now let’s add the WorxMail MDX-wrapped app.

Click Add.

| 27 |


iOS Android

20. In the App Information page, enter the


Name: WorxMail

Description: blank


Click Next.

In the App Information page, enter the


Name: WorxMail

Description: blank


Click Next.

| 28 |

21. Uncheck Windows Phone.

Uncheck Windows Phone.

22. For iOS MDX apps, click Upload.


WorxMail.mdx in the WorxApps\iOS folder.

For Android MDX apps, click Upload.


WorxMail.mdx in the WorxApps\Android

folder.

23. In the MDX policies section, scroll down to

Network Access and select Tunneled to

the internal network.

In the MDX policies section, scroll down to

Network Access and select Tunneled

to the internal network.

| 29 |

24. Scroll down to the Application Settings

section and enter the following parameters:

Background network services:

mail.training.lab:443

Background network service gateway:

ag.domain.lab:443

Accept all SSL certificates:

ON

Scroll down to the Application Settings

section and enter the following

parameters:

Background network services:

mail.training.lab:443

Background network service gateway: :

<IP1 FQDN>:443

Accept all SSL certificates:

ON

25. Click Next to bypass Approvals.

26. Select AllUsers delivery group.

Click Save.

| 30 |

27. Verify that both WorxMail and WorxWeb apps have been added.


Exercise Summary

In this exercise students had the opportunity to add and configure MDX-wrapped WorxWeb mobile

application for iOS or Android devices. The configuration done on WorxWeb allow the student

navigate internal/external Web resources.

Please note that some of the configuration conducted earlier is erratic (on purpose). This will allow

us later go through the troubleshooting phase and investigate what’s wrong where and fix it.

| 31 |

Exercise 4

Configuring HDX Apps on XenMobile Server

Overview

In this exercise students will configure the XenMobile Server with StoreFront 2.6 to access HDX

apps (e.g. Windows apps/desktops).

Please note that some of the configuration that would be conducted is erratic (on purpose). This will

allow us later go through the troubleshooting phase and investigate what’s wrong where and fix it.



Step Action

1. If not open, launch the Chrome browser and click the XenMobile Server bookmark.


| 32 |



Password: Citrix123

Click Sign in.

4. To configure HDX apps within XenMobile Server, go to Configure > click Settings.

| 33 |

5. Click More and select XenApp/XenDesktop.

6. Enter the following parameters:

Host: 192.168.10.40

Port: 80

Relative Path: /Citrix/Store/PNAgent/config.xml

Use HTTPS: Off

Click Save.


| 34 |

Exercise Summary

In this exercise students configured XenMobile Server with StoreFront to publish HDX Apps (e.g.

Windows apps/desktops) for mobile users.

As a reminder, XenMobile Server version 10 no longer supports StoreFront being in front of

XenMobile. Instead, XenMobile Server needs to contact the StoreFront (or Web Interface) server

using the PNAgent services site (e.g. /PNAgent/config.xml).

Please note that some of the configuration conducted earlier is erratic (on purpose). This will allow

us later go through the troubleshooting phase and investigate what’s wrong where and fix it.

| 35 |

Exercise 5

Unable to Enroll iOS or Android Devices

Overview

In this exercise students will try to enroll their iOS or Android device against the XenMobile Server.

Students will notice that the enrollment process is partially successful but they are unable to access

the application store (e.g. Worx Store).

For this use case, the NetScaler Gateway has been pre-configured. Some of the settings are

correct and some are wrong. As part of the troubleshooting process, students will go through a

series of steps to determine what’s wrong with the current environment and find a resolution.

Note: Be sure to have a fresh installation of the Worx Home app on the iOS or Android device. In

addition, make sure your mobile device is NOT enrolled with any other XenMobile environment.



iOS Android

1. Launch Worx Home app.

Launch Worx Home app.

| 36 |

2. At prompt, enter the <IP2 FQDN> as listed in

the lab site.

At prompt, enter the <IP2 FQDN> as listed in the

lab site.

3. Tap Yes at the prompt.

Tap Yes at the prompt.

Tap Activate.

| 37 |

4. At prompt, enter User1 credentials in UPN

format:

Username: [email protected]

Password: Citrix123

Tap Sign On.

At prompt, enter User1 credentials in UPN format:


Password: Citrix123

Tap Sign On.

Skip to Step 11.

| 38 |

5. As part of the enrollment process, we need to install the required profiles on the iOS device to allow

IT Admins send notifications, apps, revoke the device and more device management features.

Tap Install.

6. At the Warning prompt, tap Install.

| 39 |

7. At the prompt to install the XenMobile Profile Service, tap Install.

8. At the Warning prompt, tap Install.

| 40 |

9. At the Remote Management prompt, tap Trust.

10. Tap Done.

| 41 |

11. Once the profile is installed, do you notice any

errors before reaching the Worx Store?

Do you notice any errors before reaching the

Worx Store?

12. Let’s find out if the mobile device got enrolled with XenMobile.

Go to the Chrome browser and navigate to the XenMobile Server web management console.

13. Go to the Manage > click Devices.

| 42 |

14. Do you see the iOS or Android device enrolled?

Indeed!

This quick verification rules out any misconfiguration between NetScaler and the MDM load

balancer for XenMobile Server.

But what about the MAM access?

15. Since we know enrollment is working fine, let’s try to bypass the MDM enrollment process and

connect directly to the Worx Store.

To do this, we need to remove any previously installed profiles by XenMobile Server to the mobile

device.

| 43 |

16. iOS Only: Go to the Settings > General > tap Profiles & Device Management.

Remove both MDM Configuration and XenMobile CA profiles.

Android Only: Go to the Settings > Security > Device Administrators > deselect Worx

Home.

Once Worx Home is deactivated, re-install Worx Home on the Android device.

| 44 |

17. Next, double press the Home button on the

iOS device and kill the Worx Home app.

Once Worx Home is deactivated, we need to re-

install Worx Home on the Android device.

18. Launch the Worx Home app and let’s

configure it to bypass the enrollment process

altogether.

Launch the Worx Home app and let’s configure it

to bypass the enrollment process altogether.

19. At prompt, enter the <IP1 FQDN> as provided

in the lab portal page.

At prompt, enter the <IP1 FQDN> as provided in

the lab portal page.

| 45 |


format.


Password: Citrix123

Tap Sign On.

At prompt, enter User1 credentials in UPN format.


Password: Citrix123

Tap Sign On.

| 46 |

21. Do you notice any errors?

Do you notice any errors?

22. Now that we now something is wrong when accessing the Worx Store, let’s check if there is

anything wrong with the NetScaler Gateway.

Remember, at this stage we see a failure AFTER submitting user credentials. Hence, we know that

Worx Home can contact the NetScaler Gateway properly via SSL (443).

The following questions may arise:

- Is the NetScaler able to validate the user credentials?

- Can the NetScaler contact the XenMobile Server? (Note: We partially know this answer.

Remember during the enrollment stage, the NetScaler was able to contact the XenMobile

Server for MDM purposes.)

- Is DNS properly configured between NetScaler and XenMobile Server?

- Is the Worx Home policy properly bound and configured?

Let’s answer these questions by using some of the built-in tools in NetScaler.

23. First, let’s validate if the NetScaler can validate the user credentials.

Go to the desktop and launch mRemoteNG.

This application will allow us to remotely connect to multiple VMs within the environment.

| 47 |

24. Go to the Connections tab double-click NS 1.

This launches an SSH connection to the NetScaler.

25. Next, run shell and hit Enter.

26. Run the following command to check in real-time if the user credentials are valid or not.

root@ns# cat /tmp/aaad.debug

Hit Enter.

27. Go back to the mobile device and kill the Worx Home app.

We are going to re-enter the <IP1 FQDN> and User1 credentials.

Before taping Sign On, pay close attention to the SSH session.

28. The few lines you should expect to see something similar like this:

/usr/home/build/tagma_54/usr.src/netscaler/aaad/ldap_drv.c[761]: receive_ldap_user_bind_event Bind OK.

Mon Jan 5 17:50:43 2015

/usr/home/build/tagma_54/usr.src/netscaler/aaad/naaad.c[2932]: unregister_timer releasing timer 13

Mon Jan 5 17:50:43 2015

/usr/home/build/tagma_54/usr.src/netscaler/aaad/naaad.c[1965]: send_accept sending accept to kernel for : [email protected]

This message tells us that the validation process was successful. Therefore, we can disregard any

issues between NetScaler and LDAP queries made to Active Directory.

To stop the AAA debug tool from running in the SSH session, press Ctrl + C simultaneously.

| 48 |

29. Next step is to validate that the NetScaler can indeed contact the XenMobile Server successfully.

Again, we already know that the enrollment (MDM) process worked successfully.

Let’s check if the DNS is properly set such that the NetScaler can communicate with the MAM

process of the XenMobile Server.

Remember that as part of the new requirement for XenMobile 10, NetScaler will contact an internal

load balancing vserver for MAM purposes using the XenMobile Server hostname. This hostname

record must exist on the NetScaler.

30. Go back to mRemoteNG to the SSH session against the NetScaler (e.g. NS 1).

Inside the shell, type the following command:

dig <IP2 FQDN> and hit Enter.

This will allow us to know if the NetScaler can resolve the XenMobile Server hostname.

Example of command:

root@ns# dig 75-126-159-220.mycitrixtraining.net

31. Do you notice something missing the summary?

; <<>> DiG 9.8.4-P2 <<>> 75-126-159-220.mycitrixtraining.net

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49547

;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; WARNING: recursion requested but not available

;; QUESTION SECTION:

;75-126-159-220.mycitrixtraining.net. IN A

;; AUTHORITY SECTION:

mycitrixtraining.net. 3600 IN SOA ad.training.lab. hostmaster.training.lab. 3 900 600 86400 3600

;; Query time: 1 msec

;; SERVER: 127.0.0.2#53(127.0.0.2)

;; WHEN: Mon Jan 5 18:11:03 2015

;; MSG SIZE rcvd: 135

32. Indeed! There is no IP address returned!

Let’s verify if the A record indeed does not exist.

Before running this command, we need to exit from the NetScaler shell.

Type exit and hit Enter.

| 49 |

33. Next, type the following command to verify if the A DNS record exist:

> show dns AddRec <IP2 FQDN>

Example of command:

> show dns AddRec 75-126-159-220.mycitrixtraining.net

34. What do you get in return? (Check the highlighted area).

> show dns AddRec 75-126-159-220.mycitrixtraining.net

ERROR: Address record for host name not available

35. This confirms that the DNS A record does not exist on the NetScaler.

This DNS A record is an important piece of integration between NetScaler and XenMobile Server.

But before we can generate the DNS A record on the NetScaler, we need to find out what is the

load balancing IP (e.g. VIP) used in this broken configuration for MAM purposes.

36. In the SSH session, type the following command:

> show lb vserver _XM and hit Tab twice.

This should display all the load balancing vservers created in this configuration related to

XenMobile.

> show lb vserver _XM_

_XM_LB_MDM_XenMobileMDM_192.168.10.101_443 _XM_LB_MDM_XenMobileMDM_192.168.10.101_8443

_XM_MAM_LB_192.168.1.1_8443

37. The load balancing vserver that we are interested is the MAM one.

In the SSH session type:

> show lb vserver _XM_MAM_LB_192.168.1.1_8443 and hit Enter.

| 50 |

38. The following is returned and check the highlighted areas:

> show lb vserver _XM_MAM_LB_192.168.1.1_8443

_XM_MAM_LB_192.168.1.1_8443 (192.168.1.1:8443) - SSL Type: ADDRESS

State: DOWN[Certkey not bound]

Last state change was at Fri Jan 2 15:27:28 2015

Time since last state change: 3 days, 08:04:50.790

Effective State: DOWN

Client Idle Timeout: 180 sec

Down state flush: ENABLED

Disable Primary Vserver On Down : DISABLED

Appflow logging: ENABLED

No. of Bound Services : 1 (Total) 1 (Active)

Configured Method: LEASTCONNECTION

Rule: HTTP.REQ.COOKIE.VALUE("ACNODEID")

Mode: IP

Persistence: CUSTOMSERVERID Persistence Timeout: 2 min

Vserver IP and Port insertion: OFF

Push: DISABLED Push VServer:

Push Multi Clients: NO

Push Label Rule: none

L2Conn: OFF

Skip Persistency: None

IcmpResponse: PASSIVE

RHIstate: PASSIVE

New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0

Mac mode Retain Vlan: DISABLED

DBS_LB: DISABLED

Process Local: DISABLED

Traffic Domain: 0

Bound Service Groups:

1) Group Name: _XM_SVC_GRP_MAM_

1) _XM_SVC_GRP_MAM_ (192.168.10.20: 8443) - SSL State: UP Weight: 1

Done

>

| 51 |

39. If you paid close attention, we found two things:

1. We figured out the virtual IP address (VIP) for the MAM load balancing vserver. In this case

is 192.168.1.1 and listening on port 8443.

2. Another interesting point is that there is no SSL certificate bound to this virtual server! The

fact that SSL Offload is being used for MAM, we must bind an SSL certificate.

40. First, let’s create the DNS A record on the NetScaler.

Minimize the mRemoteNG console.

Go to Chrome browser and click the NetScaler bookmark.

41. Login to the NetScaler management console with the default credentials:

Username: nsroot

Password: nsroot

42. Before creating the DNS (A) record, let’s flush any cached DNS records from the NetScaler.

Go to Traffic Management > DNS > Records > click Flush Proxy Records.

Click OK.

| 52 |

43. In the Configuration tab, go to Traffic Management > DNS > Records > click Address

Records.

44. Click Add.

| 53 |

45. Enter the following parameters:

Host Name: <IP2 FQDN>

IP Address: 192.168.1.1

Click Create.


page.


46. Verify the record has been added.

| 54 |

47. Next, we need to bind the SSL certificate to the load balancing virtual server for MAM.

In the NetScaler management console, go to Traffic Management > Load Balancing > click

Virtual Servers.

48. Select the MAM load balancing virtual server and click Edit.

49. Click SSL Certificate.

| 55 |

50. Click on the No Server Certificate message.

51. To select the SSL certificate, click to select.

52. Select the Wildcard.mycitrixtraining.net SSL certificate.

Click OK.

| 56 |

53. Click Bind.

54. Click Done.

55. Verify that all load balancing virtual servers are UP.

56. Click Save.

57. Let’s now test and verify if this configuration works.

First, we will test the MAM access only (bypassing enrollment) to ensure access to Worx Store is

fixed.

| 57 |

iOS Android

58. Kill the Worx Home app. Kill the Worx Home app.

59. Launch Worx Home. At prompt, enter the

<IP1 FQDN> from the lab portal.

Launch Worx Home. At prompt, enter the <IP1

FQDN> from the lab portal.


format.


Password: Citrix123

Tap Sign On.



Password: Citrix123

Tap Sign On.

| 58 |

61. Do you see an error pop-up?

Do you see an error pop-up?

62. Indeed! There is something else missing in this configuration.

Let’s investigate if the correct Session Policy is being hit by NetScaler.

To verify this, we will use the SSH session in mRemoteNG console.

63. Restore the mRemoteNG console window and restore the SSH session to the NetScaler by double-

clicking NS 1.

64. Type shell and hit Enter.

| 59 |

65. Next, type the following command to witness in real-time the policies being hit when a user attempts

to connect to the NetScaler Gateway vserver:

root@ns# nsconmsg -d current -g pol_hits

iOS Android

66. Go back to the mobile device and kill the

Worx Home app.

Go back to the mobile device and kill the Worx

Home app.





| 60 |


format.


Password: Citrix123

Tap Sign On.



Password: Citrix123

Tap Sign On.

69. Once you receive the error in Worx Home, go

back to the SSH session to check what

policies were hit.

Once you receive the error in Worx Home, go back

to the SSH session to check what policies were

hit.

70. The policy we are interested is this one - PL_OS_192.168.10.100.

If you notice, this policy was hit successfully but there is something wrong with it since we cannot

access the Worx Store.

71. In the SSH session, click Ctrl + C to exit the real-time monitoring of policies.

72. Next, type exit to exit the shell.

| 61 |

73. So far, we know that the PL_OS_192.168.10.100 session policy is being hit by Worx Home. But

let’s find out what is the Session Profile taking effect.

In the SSH session, type show runningconf | grep “PL_OS_” and hit Enter.

Example of command and result:

> show runningconf | grep "PL_OS_"

add vpn sessionPolicy PL_OS_192.168.10.100 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER

X-Citrix-Gateway EXISTS" AC_OS_192.168.10.100_A_

bind vpn vserver _XM_XenMobileGateway -policy PL_OS_192.168.10.100 -priority 100

>

74. Check the highlighted area.

That is the Session Profile being used by this particular session policy for Worx Home.

75. Next, let’s check what profile settings are taking effect.

Type the command show runningconf | grep "AC_OS_" and hit Enter.

Example of result:

add vpn sessionAction AC_OS_192.168.10.100_A_ -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -

defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -

clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl

"https://xm.training.lab:8443"

add vpn sessionPolicy PL_OS_192.168.10.100 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER

X-Citrix-Gateway EXISTS" AC_OS_192.168.10.100_A_

>

76. Take a close look at the highlighted area.

The parameter storefronturl is the same as the Account Services URL when accessing the Web

GUI console.

Does this URL looks right?

Of course not! This URL has to match exactly with the XenMobile Server hostname.

77. To quickly fix this, let’s run the following command to set the correct parameter value.

Type the command set vpn sessionAction AC_OS_192.168.10.100_A_ -

storefronturl "https://<IP2 FQDN>:8443"

Example of command:

> set vpn sessionAction AC_OS_192.168.10.100_A_ -storefronturl "https://75-126-159-220.mycitrixtraining.net:8443"

Done

Note: It is very important to include the :8443 port number. This is the port the XenMobile Server

uses for the MAM services.

| 62 |

78. Are we done? Not so fast!

There are a few more edits to make. These are:

- The App Controller URL

- The Clientless Access Domains

Check it out for yourself by running the command show runningconf | grep

"xm.training.lab"

Example of results:

bind policy patset ns_cvpn_default_inet_domains xm.training.lab:8443 -index 2

bind vpn vserver _XM_XenMobileGateway -appController "https://xm.training.lab:8443"

Note: The other session policies for Receiver for Web and NetScaler Gateway plug-in are not

relevant for this troubleshooting session. You are more than welcome to fix them but it is not

necessary.

79. Let’s fix the clientless access domain with the correct hostname.

Type the following command to add a new pattern set:

bind policy patset ns_cvpn_default_inet_domains <IP2 FQDN>:8443 -index 3

and hit Enter.


> bind policy patset ns_cvpn_default_inet_domains 75-126-159-220.mycitrixtraining.net:8443 -index 3

Done

>

80. Finally, let’s fix the AppController URL parameter. First, we need to unbind the wrong value.

Type the following command:

unbind vpn vserver _XM_XenMobileGateway -appController

"https://xm.training.lab:8443" and hit Enter.

81. Next, bind the correct value to the AppController parameter.


bind vpn vserver _XM_XenMobileGateway -appController "https://<IP2

FQDN>:8443"


> bind vpn vserver _XM_XenMobileGateway -appController "https://75-126-159-220.mycitrixtraining.net:8443"

Done

>

82. To save all the changes made so far, type save conf and hit Enter.

83. Finally, let’s do some testing!

| 63 |

iOS Android

84. Kill the Worx Home app in the mobile device. Kill the Worx Home app in the mobile device.





| 64 |


format.


Password: Citrix123

Tap Sign On.



Password: Citrix123

Tap Sign On.

| 65 |

87. Are you able to access the Worx Store?

If no, that means there is a typo somewhere in

the previous commands executed.

Otherwise, you should be able to access the

Worx Store and see the WorxWeb and

WorxMail apps.

Are you able to access the Worx Store?

If no, that means there is a typo somewhere in the

previous commands executed.

Otherwise, you should be able to access the Worx

Store and see the WorxWeb and WorxMail apps.

88. Do not sign off. We will continue the current session in the next exercise.

Minimize the mRemoteNG console window.


Exercise Summary

In this exercise students had the opportunity to test the XenMobile deployment using their iOS or

Android device and access MDX-wrapped apps.

As part of the troubleshooting process, NetScaler built-in tools were utilized to narrow down the

issue and fix it. Issues such as DNS, wrong hostname values and missing SSL certificates are

common and easily to omit when deploying a XenMobile solution.

| 66 |

Exercise 6

Unable to Navigate Intranet Sites

Overview

In this exercise students will install WorxWeb mobile app in their iOS or Android device and attempt

to access Intranet sites.

Please note that some of the configuration previously conducted was erratic (on purpose). This will

allow us later go through the troubleshooting phase and investigate what’s wrong where and fix it.



Step Action

iOS Android

1. Inside Worx Store, download and install

WorxWeb app.

Inside Worx Store, download and install

WorxWeb app.

| 67 |

2. Tap Install.

Tap Install.

3. Once installed, launch WorxWeb.

Tap Trust at the prompt.

If you are unable to install WorxWeb, make

sure to check if the Unknown Sources is

checked on Android.

| 68 |

4. The Citrix.com homepage should come

up successfully.

The Citrix.com homepage should come up

successfully.

5. Tap the bookmarks.

Tap the bookmarks.

6. Tap Favorites > tap Training.

Tap Favorites > Tap Training.

7. Tap SharePoint. Tap SharePoint.

| 69 |

8. Do you witness a delay? Did an error pop-

up?

Do you witness a delay? Did an error pop-

up?

9. Indeed!

What could be the root cause?

Let’s try to test the other bookmark,

Office Mail.

Indeed!

What could be the root cause?

Let’s try to test the other bookmark, Office

Mail.

10. Do you see any errors?

Do you see any errors?

| 70 |

11. No errors witnessed.

This narrows down the issue to only SharePoint.

Here is what we know:

- WorxWeb can access Internet sites (e.g. Citrix.com)

- WorxWeb can also access Intranet sites (e.g. Office Mail)

The fact that we are leveraging WorxWeb and tunneling all the traffic to the NetScaler, we

need to find out how is the NetScaler handling the requests to SharePoint on-behalf of the

mobile device.

12. First, let’s find out if the NetScaler can resolve the name of the SharePoint site (e.g.

sp.training.lab).

13. Go to the mRemoteNG console window and re-establish the SSH session with NS 1.

14. Type shell and hit Enter.

15. Type the following command to check if the NetScaler can resolve the SharePoint URL.

dig sp.training.lab and hit Enter.

| 71 |

16. This is what is expected:

root@ns# dig sp.training.lab

; <<>> DiG 9.8.4-P2 <<>> sp.training.lab


;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4465




;sp.training.lab. IN A

;; ANSWER SECTION:

sp.training.lab. 3600 IN A 192.168.10.140


;; SERVER: 127.0.0.2#53(127.0.0.2)

;; WHEN: Mon Jan 5 23:03:01 2015


17. Take a closer look at this IP address returned for SharePoint. Is this the correct address

listed in Page 4 (under the VMs table)?

| 72 |

18. Correct! It is not the correct IP address.

Go to the mRemoteNG console > Connections > double-click AD. This is the VM that

hosts the DNS service.

19. On the desktop, double-click DNS.

20. Expand the Forward Lookup Zones and click training.lab.

| 73 |

21. Double-click SP record to edit the value.

22. Remove the zero and click OK.

| 74 |

23. Verify the record is correct.

24. Now, we need to flush the proxy records on the NetScaler to ensure a new DNS query is

made for SharePoint.

25. Go to mRemoteNG console window and re-establish the SSH session with NS 1.

26. Ensure you are not in the shell.


flush dns proxyRecords and hit Enter.

| 75 |

27. Next, type shell and hit Enter.

28. Run the Dig command to query the correct SharePoint IP address from DNS.

Type the command:

dig sp.training.lab and hit Enter.

29. The results shoud look like this:

root@ns# dig sp.training.lab

; <<>> DiG 9.8.4-P2 <<>> sp.training.lab


;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45727




;sp.training.lab. IN A

;; ANSWER SECTION:

sp.training.lab. 3600 IN A 192.168.10.14


;; SERVER: 127.0.0.2#53(127.0.0.2)

;; WHEN: Mon Jan 5 23:20:25 2015


30. Notice the highlighted area. This is now showing the correct value.

| 76 |

31. Launch WorxWeb and try to access the SharePoint bookmark now.

Note: When launching WorxWeb, you may be prompted to enter the password (e.g.

Citrix123).


Exercise Summary

In this exercise students configured and installed WorxWeb to access intranet/internet sites from

the mobile device.

In addition, students had the opportunity to troubleshoot intranet access issues via WorxWeb. In

this scenario, WorxWeb was configured to use MicroVPN to send all the traffic to the NetScaler

| 77 |

Gateway. Hence, the NetScaler uses the SNIP/MIP address to contact the back-end resources

(e.g. DNS, Web servers, etc.) on behalf of the mobile device.

For more information on MicroVPN and XenMobile, check out this article -

http://support.citrix.com/article/CTX136914

http://support.citrix.com/article/CTX136914

| 78 |

Exercise 7

Unable to Access Mail via WorxMail on iOS

Overview

In this exercise, students will identify and fix why they cannot access mail via WorxMail for iOS.

Please note if you have an Android device, go to Exercise #8

During this part of the rollout, the IT Admin configured the XenMobile Server and WorxMail to use

the Secure Ticket Authority (STA) feature in order to save battery life on mobile devices. The goal

is to allow remote mobile users to launch WorxMail and be able to access mail from Exchange.

Here is the scenario explained by one of the end-users using iOS: “I access Worx Store to

download and install WorxMail. WorxMail installation is successful. I launch WorxMail, I enter the

address of the Exchange Server (e.g. mail.training.lab) and tap Save. Next, I received an error that

says:”

“Access to your company network is not currently available.”

Pre-requisites on your mobile device:

- Worx Home installed and configured as per previous Exercise #5.

- Mobile device with native email client registered to a personal or corporate mail account

(e.g. Yahoo, Outlook.com, Exchange, etc.) This is needed in order to extract the Worx Home

log files via email.

Tools to be used:

Students will leverage NetScaler commands to verify WorxMail connections, WorxMail logs to verify

what policies were configured on WorxMail and Notepad++ to find out what could be the root cause

issue of mail access.



Step Action

1. Let’s reproduce the end-user issue. From Worx Home for iOS, sign in as User1.

Username: user1

Password: Citrix123

| 79 |

2. Tap into Worx Store and tap into WorxMail to download and install it.

3. Launch WorxMail and type the mail server FQDN: mail.training.lab.

Tap Sign On.

4. Do you see any errors?

Tap OK.

5. Next step, let’s gathered the WorxMail log files from Worx Home.

Go back to Worx Home, swipe to the right until you reach the Support area.

| 80 |

6. Tap the envelope icon.

| 81 |

7. This should bring two options:

Gather logs from Worx Home and/or WorxMail. In our case, we’re interested on WorxMail

logs.

| 82 |

8. Tap into WorxMail iOS.

| 83 |

9. Before clicking Send Log you need to turn off the option Send using WorxMail.

This should then launch your native email client configured on your iOS device. Send

yourself an email with the log files so they can be examined.

10. From the Student Desktop, access your email mailbox (where you send the WorxMail log

files) and download them. You should have received a Logs.zip file.

Extract the files.

| 84 |

11. Navigate to the MDXApps folder and extract the WorxMail.zip file.

12. Navigate to the Diagnostics folder. Right-click the .CSV file and then select Edit with

Notepad++.

13. Next, press the Ctrl + F keys and enter the following keyword: agtunneler.

Click Find All Current Document.

14. In the Find Results, scroll down and search for a line similar to this one:

",AGTunneler,WARNING (3),"Failed to resolve gatewayDomain(ag.domain.lab) to ip

address;

15. Double-click the most current entry. We’re looking for the line that refers to the STA

tunneling.

Example:

",AGTunneler,INFO (4),"AG policy: Intercepting mail.training.lab:443 for STA tunneling"

| 85 |

16. Notice from the previous line, the Exchange Server FQDN (mail.training.lab:443) is

correctly defined, so why is NetScaler Gateway failing with this name resolution error?

“AGTunneler,WARNING (3),"Failed to resolve gatewayDomain(ag.domain.lab) to ip

address;

17. Next step is to check what policies were configured on WorxMail. The MDX policies will

provide us with all details regarding the STA configuration. These policy settings are

available in the WorxMail logs.

Let’s go back to the WorxMail logs and navigate to the

C:\Users\localuser\Downloads\Logs\MDXApps\WorxMail folder.

18. In the WorxMail folder, there is a file called CtxLog_AppPolicies.xml. This file contains

the WorxMail MDX policy settings configured on the XenMobile Server.

Right-click the CtxLog_AppPolicies.xml file and select Edit with Notepad++.

| 86 |

19. The XML tags of interest are:

<key>BackgroundServices</key> and <key>BackgroundServicesGateway</key>.

Do you see anything wrong with the BackgroundServicesGateway value?

20. Indeed! ag.domain.lab is non-existing.

The Background Services Gateway is the key value that holds the NetScaler Gateway

FQDN where WorxMail is proxying the STA ticket. Then, NetScaler Gateway will validate

the STA ticket with XenMobile Server and proxy the connection to the Exchange Server (ie.

mail.training.lab).

We need to modify this value on WorxMail and enter the PublicIP1 FQDN available on

your lab details page.

21. Next, let’s go to the XenMobile Server management console.

Log on as administrator.


Password: Citrix123

| 87 |

22. Go to the Configure tab then select the Apps tab and select WorxMail and click the Edit

button (pencil icon).

23. Click the iOS tab under the Platform section. Scroll down to the Application Settings

area. You should see the wrong value assigned to Background network service

gateway.

24. In this field, you have to specify the PublicIP1 FQDN found on your lab details page along

with the port number (e.g. 443).

Example:

Background network service gateway: 75-126-154-53.mycitrixtraining.net:443

Click Save.

| 88 |

25. Before testing, let’s check the NetScaler Gateway configuration too.

On the Student Desktop, open Internet Explorer, select the NetScaler bookmark to login

to the management console.

Log on with nsroot credentials.

Username: nsroot

Password: nsroot

26. On NetScaler management console, go to NetScaler Gateway > Virtual Servers >

double-click the _XM_XenMobileGateway virtual server to open it.

27. Go to the Published Applications section on the right and click on the STA Server

section.

Notice that it says No STA Server!

| 89 |

28. Enter the PublicIP2 FQDN with Port 8443 defined and choose IPV4 as the STA Server

Address Type and then click Bind.

29. Validate that STA URL matches your XenMobile Server PublicIP2 FQDN and has an Up

status. For WorxMail STA feature to work you must have the XenMobile Server FQDN

over port 8443.

30. Next, let’s clear any active sessions on the NetScaler Gateway before we test.

Click on NetScaler Gateway > Active user sessions.

31. Click Continue to show all active user session then click Terminate.

Click Done.

| 90 |

32. Now, let’s test! On your iOS device, kill the WorxMail and Worx Home processes that are

running. In order for this new change take effect on WorxMail that is already installed, we

need to log on again through Worx Home.

Log on as User1.

Username: user1

Password: Citrix123

33. Tap into WorxMail iOS.

34. Enter the Exchange Server Address: mail.training.lab. Tap Sign On.

| 91 |

35. Next, you should be prompted for user1 credentials.

Password: Citrix123

Domain: training.lab

Tap Sign On.

36. Verify whether or not emails are syncing. Try to send a new message from WorxMail.

Click New Message.

37. Enter the User One email address ([email protected]) and type test as part of the subject

and body message.

Tap Send.

mailto:[email protected]

| 92 |

38. To verify that you are truly using the STA feature instead of microVPN, go back to Worx

Home and Sign Off.

39. Switch back to WorxMail and send a New Message to yourself (ie. [email protected]).

40. To verify the WorxMail connection via NetScaler Gateway is working, launch a CLI session

to the NetScaler device.

Go to mRemoteNG console window and re-establish the SSH session with NS 1.

41. Log on as nsroot user.

Username: nsroot

Password: nsroot


| 93 |

42. Type sh icaConnection and press Enter. Do you see anything?

Of course you do! You should see a secure SOCKS proxy connection between the Client

(mobile device) and the Exchange Server.

Example:

Client IP: Mobile Device IP Address

CPS IP = Exchange Server IP address

CPS Port = 443 (ActiveSync port)

You can also see the same information from NetScaler management console under

NetScaler Gateway node > ICA connections.

43. Log off from Worx Home.

Exercise Summary

In this exercise, you were able to identify and fix why mobile users using iOS devices were not able to sync email via WorxMail and using the Secure Ticket Authority (STA) feature from XenMobile. When IT Admins configure NetScaler Gateway, XenMobile Server and WorxMail using STA, it is necessary to enter the correct information.

| 94 |

On NetScaler, define the Secure Ticket Authority (STA) pointing to the XenMobile Server over port 8443:

On the XenMobile Server, define the background services correctly:

Background network services: Exchange Server FQDN:port. Example: Background network services: mail.training.lab:443 Background network service gateway: NetScaler Gateway FQDN:port Example: Background network service gateway: 75-126-147-85.mycitrixtraining.net:443 For more information regarding the differences between microVPN vs. STA for WorxMail connections, refer to this blog - http://blogs.citrix.com/2013/09/16/improving-battery-life-with-worxmail-sta-to-the-rescue/.

http://blogs.citrix.com/2013/09/16/improving-battery-life-with-worxmail-sta-to-the-rescue/


| 95 |

Exercise 8

Unable to Access Mail via WorxMail on Android

Overview

In this exercise students will identify and fix why they cannot access mail via WorxMail for Android.

During this part of the rollout, the IT Admin configured the XenMobile Server and WorxMail to use

the Secure Ticket Authority (STA) feature in order to save battery life on mobile devices. The goal

is to allow remote mobile users to launch WorxMail and be able to access mail from Exchange.

There is no XenMobile Device Manager involved in this scenario.

Here is the scenario explained by one of the end-users using Android: “I access Worx Store to

download and install WorxMail. WorxMail installation is successful. I launch WorxMail, I enter my

email address and password. Tap Save. Next, I received an error that says:”

“Error while establishing connection to server.”

I tap Try Again, and enter the Exchange Server FQDN (ie. mail.training.lab) and tap Next. Error

displayed:

“Access to your company network is not currently available.”

Pre-requisites on your mobile device:

- Worx Home installed configured as per previous Exercise #3.

- Mobile device with native email client registered to a personal or corporate mail account

(e.g. Yahoo, Outlook.com, Exchange, etc.) This is needed in order to extract the Worx Home

log files via email.

Tools to be used:

Students will leverage NetScaler commands to verify WorxMail connections, WorxMail logs to verify

what policies were configured on WorxMail and Notepad++ to find out what could be the root cause

issue of mail access.

| 96 |



Step Action

1. Let’s reproduce the end-user issue. From Worx Home for Android, sign in as User1.

Username: user1

Password: Citrix123

| 97 |

2. Tap into Worx Store and tap WorxMail to download and install it.

| 98 |

3. Launch WorxMail and enter the email address of User1 and password.

Email address: [email protected]

Password: Citrix123

Tap Next.

4. What error message do you see?

Tap Try Again.


| 99 |

5. Enter the mail server FQDN: mail.training.lab.

Tap Next.

6. What error message do you see?

Tap Try Again.

| 100 |

7. We need to verify all of the NetScaler Gateway settings. We will use a Citrix Diagnosis

Tool called Cerebro to validate the XenMobile configuration on the NetScaler Gateway.

On the Student Desktop, open the folder CEREBRO and right click on

CEREBROUI.exe. Click Run as administrator.

8. Click Online Analysis.

| 101 |

9. Enter the following information:

NetScaler Management IP: 192.168.10.50

Username: nsroot

Password: nsroot

Click Start Analysis.

10. Notice the STA configuration shows up as “Not Configured”.

Let’s take a look at the NetScaler Gateway configuration.

| 102 |

11. On the Student Desktop, open Internet Explorer, select the NetScaler bookmark to log

on to the management console.

Log on with nsroot credentials.

Username: nsroot

Password: nsroot

12. On NetScaler management console, go to NetScaler Gateway > Virtual Servers >

double-click the _XM_XenMobileGateway virtual server to open it.

13. Go to the Published Applications section on the right and click on the STA Server

section.

Notice that it says No STA Server!

| 103 |

14. Enter the PublicIP2 FQDN with Port 8443 defined and choose IPV4 as the STA Server

Address Type and then click Bind.

15. Validate that STA URL matches your XenMobile Server PublicIP2 FQDN and has an Up

status. For WorxMail STA feature to work you must have the XenMobile Server FQDN

over port 8443.

16. Next, let’s clear any active sessions on the NetScaler Gateway before we test.

Click on NetScaler Gateway > Active user sessions.

17. Click Terminate.

Click Close.

| 104 |

18. Before we test again, go back to the Cerebro Tool and run the analysis again.

Notice that the STA configuration is now validated successfully.

19. Now, let’s test! On your Android device, kill/close the running WorxMail process. In order

for this new change take effect, we need to log on again through Worx Home.

Log on as User1.

Username: user1

Password: Citrix123

| 105 |

20. Tap into WorxMail Android.

21. Enter the User1 email address and password.

Email Address: [email protected]

Password: Citrix123

Tap Next.


| 106 |

22. Do you get any errors?

I’m afraid yes. The error expected is this:

“Error while establishing connection to server.”

This error happens because WorxMail is trying to leverage Exchange auto discover

service. This lab environment is not configured for Exchange auto discovery.

Tap Try Again to enter the Exchange Server FQDN.

23. In the Server field, enter the Exchange Server FQDN: mail.training.lab.

Tap Next.

| 107 |

24. Once WorxMail is configured, test if you can send/receive emails.

Tap in the New Message icon.

Send yourself (ie. User1) an email. Enter User One email address ([email protected])

and type test as part of the subject and body message.

Tap Send.

25. To verify that you are truly using the STA feature instead of microVPN, go back to Worx

Home and Sign Off.

26. Switch back to WorxMail and send a New Message to yourself (ie. [email protected]).



| 108 |

27. To verify the WorxMail connection via NetScaler Gateway is working, launch a CLI

session to the NetScaler device.

Go to mRemoteNG console window and re-establish the SSH session with NS 1.

28. Log on as nsroot user.

Username: nsroot

Password: nsroot

| 109 |

29. Type sh icaConnection and press Enter. Do you see anything?

Of course you do! You should see a secure SOCKS proxy connection between Client

(mobile device) and Exchange Server.

Example:

Client IP: Mobile Device IP Address

CPS IP = Exchange Server IP address

CPS Port = 443 (ActiveSync port)

You can also see the same information from NetScaler management console under

NetScaler Gateway > ICA connections.

30. Log off from Worx Home.

Exercise Summary

In this exercise, you were able to identify and fix why mobile users using Android devices were not able to sync email via WorxMail and use the Secure Ticket Authority (STA) feature from XenMobile. When IT Admins configure NetScaler Gateway, XenMobile Server and WorxMail using STA, it is necessary to enter the correct information:

| 110 |

On NetScaler, define the Secure Ticket Authority (STA) pointing to the XenMobile Server:

On XenMobile Server, define the background services correctly:

Background network services: Exchange Server FQDN:port. Example: Background network services: mail.training.lab:443 Background network service gateway: NetScaler Gateway FQDN:port Example: Background network service gateway: 75-126-147-85.mycitrixtraining.net:443 For more information regarding the differences between microVPN vs. STA for WorxMail

connections, refer to this blog - http://blogs.citrix.com/2013/09/16/improving-battery-life-with-

worxmail-sta-to-the-rescue/.



| 111 |

Exercise 9

Unable to Enumerate HDX Apps

Overview

In this exercise students will try to enumerate HDX Apps (e.g. Windows apps/desktops) via Worx

Home.

At this point, students should have noticed that only WorxWeb is being displayed inside Worx Store,

and no Windows apps or desktops are enumerated.

Note: For this exercise, students are not required to launch HDX apps from their mobile device. The

goal of this exercise is to fix app enumeration.



Step Action

iOS Android

1. Launch Worx Home and validate that no

Windows apps/desktops are displayed.

Launch Worx Home and validate that no

Windows apps/desktops are displayed.

2. Let’s find out what is the issue.

Open Chrome browser and click the XenMobile Server bookmark.

| 112 |




Password: Citrix123

Click Sign in.

5. Click the tool icon.

| 113 |

6. Under Log Operations > click Logs.

7. Let’s open the DebugLog file to check what could be the root cause of not being able to

see HDX apps via Worx Home.

Select DebugLog > click View.

8. Hit Ctrl + F to find the following keyword PNAgent.

| 114 |

9. What errors do you see?

2015-01-05T19:20:50.27-0800 | e444a54f6788636e | INFO | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |

PNA Web Service URL:http://192.168.10.40:80/Citrix/Store/PNAgent/config.xml

2015-01-05T19:20:50.34-0800 | e444a54f6788636e | ERROR | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |

Unable to get the element data //Request/Enumeration/Location/text()

2015-01-05T19:20:50.34-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |

Before replacing Host and Port


Creating PNA DAO instance ...


PNA Details Host: 192.168.10.40, Path: /Citrix/Store/PNAgent/config.xml

2015-01-05T19:20:50.35-0800 | e444a54f6788636e | ERROR | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |

PNA MalformedURLException no protocol:


PNA generatePNAServiceURL null URL : {}

10. We can definitely determine that XenMobile Server is unable to query the config.xml file

in the StoreFront server to enumerate HDX apps.

This particular error provides a clue: PNA MalformedURLException no protocol:

This could mean that IIS is not working properly on StoreFront? Let’s investigate.

11. Go to the mRemoteNG console window and double-click the DDC VM.

12. Go to the Start menu.

| 115 |

13. Click IIS Manager console.

14. Navigate to the Sites node.

15. It is clear that the IIS site is UP (check the Status column).

However, there is something different in the next column (ie. Binding).

| 116 |

16. Bingo! There is a Host Header value defined. This means that only incoming requests to

http://ddc.training.lab will be processed. Anything else is not.

If you remember, we configured the XenApp/XenDesktop settings on XenMobile Server

like this (from Exercise 4):

17. Let’s go back to XenMobile Server > Settings > More > click XenApp/XenDesktop.

Change the Host value to ddc.training.lab.

18. Click Save.

| 117 |

19. Let’s Test!

Launch Worx Home on your mobile device. You can Sign Off and Sign On again to

re-enumerate the application list.

iOS:

Android:

| 118 |

20. BONUS!

If you would like to test HDX app launch on the mobile device, here are some missing

pieces in this deployment that you need configure on our own:

- There is no XenApp/XenDesktop defined as STA on the NetScaler Gateway.

- There is no Remote Access configured on StoreFront.

If you get stuck during the configuration of StoreFront, please consult with the instructor

or one of the facilitators for further assistance.


Exercise Summary

In this exercise students troubleshoot the issue of not being able to enumerate HDX apps via Worx

Home.

It is important to remember that XenMobile queries the PNAgent services site (e.g.

/PNAgent/config.xml) file from StoreFront to enumerate Windows apps/desktop from

XenApp/XenDesktop respectively.

As a reminder, XenMobile Server 10 does not allow StoreFront to be deployed in-front of the

XenMobile solution anymore. Instead, XenMobile Server 10 needs to contact the StoreFront (or

Web Interface) server using the PNAgent services site.

| 119 |

Revision: Change Description Updated By Date

1.0 Original Version Adolfo Montoya and

Justin Maeder May 2015

About Citrix

Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to

work and collaborate from anywhere, securely accessing apps and data on any of the latest

devices, as easily as they would in their own office. Citrix solutions help IT and service providers

build clouds, leveraging virtualization and networking technologies to deliver high-performance,

elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop

virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations

of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world.

Citrix products are in use at more than 330,000 organizations and by over 100 million users

globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

http://www.citrix.com/

| 120 |

hands-on lab exercise guidedocs.citrixvirtualclassroom.com/events/syn2015/syn-607.pdfhands-on lab...

Documents