Integrating with Citrix Gateway and Citrix ADC
When integrated with Endpoint Management, Citrix Gateway authenticates remote devices and gives MAM devices access to the internal network. The integration lets Citrix mobile productivity apps connect to corporate servers in the intranet through a micro VPN: Endpoint Management creates a micro VPN from the apps on the device to Citrix Gateway, and Citrix Gateway provides the micro VPN path to all corporate resources along with strong multifactor authentication support.
When a user opts out of MDM enrollment, devices enroll using the Citrix Gateway FQDN.
Citrix Cloud Operations manages Citrix ADC load balancing.
Design Decisions
The following sections summarize the many design decisions to consider when planning a Citrix Gateway integration with Endpoint Management.
Certificates
Decision detail:
- Do you require a higher degree of security for enrollments and access to the Endpoint Management environment?
- Is LDAP not an option?
Design guidance:
The default configuration for Endpoint Management is user name and password authentication. To add another layer of security for enrollment and access to the Endpoint Management environment, consider using certificate-based authentication. You can use certificates with LDAP for two-factor authentication, providing a higher degree of security without needing an RSA server.
If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to Endpoint Management. Users then enroll using a unique PIN that Endpoint Management generates for them. After a user has access, Endpoint Management creates and deploys the certificate later used to authenticate to the Endpoint Management environment.
Endpoint Management supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, Endpoint Management uses Citrix Gateway to manage revocation. When you configure client certificate-based authentication, decide whether to enable the Citrix Gateway CRL setting, Enable CRL Auto Refresh. With CRL checking in place, the user of a device enrolled in MAM only can't authenticate with a certificate that has been revoked but still exists on the device. Endpoint Management doesn't stop a user from obtaining a user certificate after one is revoked, so it simply issues a new certificate. Checking the CRL strengthens PKI security: a certificate that is still within its validity period but has been revoked is rejected instead of being trusted because it chains to the CA.
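The following script is an added demonstration of the point above and is not code from this page or from Citrix. It builds a throwaway CA with openssl, issues a device certificate, revokes it and publishes a CRL, then shows that a verifier which ignores the CRL still accepts the revoked certificate (it chains to the CA and has not expired), while a verifier that checks the CRL rejects it. The CA name, the user name and all file names are made up; only openssl is required.

```shell
#!/bin/sh
# Constructed demonstration (not Citrix code) of what a CRL check adds: a revoked
# device certificate still chains to its CA, so a verifier that never consults the
# CRL accepts it, while one that checks the CRL rejects it. Needs only openssl.
# All names (Example MDM CA, user1@example.com, file names) are made up.
set -eu

WORK=""

# Build a throwaway CA, issue one device certificate, revoke it and publish a CRL.
setup_pki() {
  WORK=$(mktemp -d)
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example MDM CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca]
default_ca = demo
[demo]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"

  # Self-signed CA certificate with CA:TRUE so verify(1) accepts it as an issuer
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

  # Device (user) certificate, as Endpoint Management would issue it at enrollment
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=user1@example.com" -keyout "$WORK/device.key" -out "$WORK/device.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/device.crt" >/dev/null 2>&1

  # Revoke the device certificate and issue a CRL that lists it
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/device.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1

  # Trust bundle = CA certificate + CRL (verify(1) loads both from one -CAfile)
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/bundle.pem"
}

# Gateway without CRL checking: only the chain and the validity period are examined.
verify_without_crl() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1
}

# Gateway with CRL checking enabled (what Enable CRL Auto Refresh keeps current).
verify_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/bundle.pem" "$WORK/device.crt" >/dev/null 2>&1
}

main() {
  setup_pki
  if verify_without_crl; then
    echo "no CRL check : revoked device certificate ACCEPTED (chains to CA, not expired)"
  fi
  if verify_with_crl; then
    echo "CRL check    : revoked device certificate accepted (unexpected)"
  else
    echo "CRL check    : revoked device certificate REJECTED"
  fi
  rm -rf "$WORK"
}

main
```

The two verify calls are the whole lesson: the certificate's signature and dates are identical in both runs, and only the presence of the CRL in the trust store changes the decision. A gateway whose CRL copy is stale behaves like the first call for every certificate revoked since the last refresh, which is why the auto refresh setting matters for MAM-only devices that keep their old certificate.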
Dedicated or shared Citrix Gateway VIPs
Decision detail:
- Do you currently use Citrix Gateway for Citrix Virtual Apps and Desktops?
- Will Endpoint Management use the same Citrix Gateway as Citrix Virtual Apps and Desktops?
- What are the authentication requirements for both traffic flows?
Design guidance:
When your Citrix environment includes both Endpoint Management and Virtual Apps and Desktops, you can use the same Citrix Gateway virtual server for both. However, because of potential versioning conflicts and the need for environment isolation, a dedicated Citrix Gateway is recommended for each Endpoint Management environment.
If you use LDAP authentication, Citrix Workspace app and Secure Hub can authenticate to the same Citrix Gateway without issues. If you use certificate-based authentication, Endpoint Management pushes a certificate into the MDX container and Secure Hub uses that certificate to authenticate to Citrix Gateway. Citrix Workspace app is separate from Secure Hub and can't use the Secure Hub certificate to authenticate to the same Citrix Gateway.
A workaround is to use one FQDN for two Citrix Gateway VIPs: create two Citrix Gateway VIPs on the same IP address, where the one for Secure Hub uses the standard port 443 and the one for Citrix Virtual Apps and Desktops (accessed through Citrix Workspace app) uses port 444. The single FQDN then resolves to that shared IP address. For this workaround, you might need to configure StoreFront to return an ICA file for port 444 instead of the default port 443. Users don't need to enter a port number.
Citrix Gateway time-outs
Decision detail:
- How do you want to configure the Citrix Gateway time-outs for Endpoint Management traffic?
Design guidance:
Citrix Gateway includes the settings Session time-out and Forced time-out. For details, see Recommended configurations. Keep in mind that there are different time-out values for background services, Citrix Gateway, and for accessing applications while offline.
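The Citrix ADC CLI fragment below is an added illustration of the two-VIP workaround and of the time-out settings discussed above; it is not configuration from this page or from Citrix. The VIP address 203.0.113.10, the certificate key name gw_wildcard_cert, the STA URLs and all object names are assumptions, and the time-out values are placeholders to be replaced with the values from Recommended configurations. The matching StoreFront change (returning an ICA file for port 444) is not shown.

```text
# Two Citrix Gateway virtual servers on ONE IP address, separated only by port
# (constructed example: 203.0.113.10, gw_wildcard_cert and all object names are assumed)
add vpn vserver vs_xem_securehub  SSL 203.0.113.10 443
add vpn vserver vs_cvad_workspace SSL 203.0.113.10 444
bind ssl vserver vs_xem_securehub  -certkeyName gw_wildcard_cert
bind ssl vserver vs_cvad_workspace -certkeyName gw_wildcard_cert

# Session profile for Secure Hub traffic: split tunnel off, explicit session
# time-out and forced time-out (both in minutes; placeholder values)
add vpn sessionAction act_xem_securehub -splitTunnel OFF -sessTimeout 1440 -forcedTimeout 10080
add vpn sessionPolicy pol_xem_securehub true act_xem_securehub
bind vpn vserver vs_xem_securehub -policy pol_xem_securehub -priority 100 -gotoPriorityExpression NEXT -type REQUEST

# Virtual Apps and Desktops side: the STAs bound here must match the STAs configured in StoreFront
bind vpn vserver vs_cvad_workspace -staServer http://sta1.corp.example
bind vpn vserver vs_cvad_workspace -staServer http://sta2.corp.example
```

Because both virtual servers present the same certificate and the same FQDN, the client's choice of port is the only thing that routes it to the Secure Hub profile (certificate authentication, Endpoint Management back end) or to the Workspace app profile (STA ticketing for HDX). The session time-out ends an idle session; the forced time-out ends the session after the stated interval regardless of activity, which is the setting that bounds how long a lost or stolen device keeps a live gateway session.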
Enrollment FQDN
Important:
To change the enrollment FQDN requires a new SQL Server database and an Endpoint Management server rebuild.
Secure Web traffic
Decision detail:
- Will you restrict Secure Web to internal web browsing only?
- Will you enable Secure Web for both internal and external web browsing?
Design guidance:
If you plan to use Secure Web for internal web browsing only, the Citrix Gateway configuration is straightforward. However, if Secure Web can't reach all internal sites by default, you might need to configure firewalls and proxy servers.
If you plan to use Secure Web for both internal and external browsing, the Citrix ADC subnet IP address (SNIP) must have outbound Internet access. IT generally treats enrolled devices (using the MDX container) as an extension of the corporate network, and so typically wants Secure Web connections to come back to Citrix Gateway, pass through a proxy server, and then go out to the Internet. By default, Secure Web tunnels to the internal network: it uses a per-application VPN tunnel back to the internal network for all network access, and Citrix Gateway applies its split tunnel settings.
For a discussion of Secure Web connections, see Configuring User Connections.
Push Notifications for Secure Mail
Decision detail:
- Will you use push notifications?
Design guidance for iOS:
If your Citrix Gateway configuration includes a Secure Ticket Authority (STA) and split tunneling is off, Citrix Gateway must allow traffic from Secure Mail to the Citrix listener service URLs. Those URLs are listed in Push notifications for Secure Mail for iOS.
Design guidance for Android:
Use Firebase Cloud Messaging (FCM) to control how and when Android devices need to connect to Endpoint Management. With FCM configured, any security action or deploy command triggers a push notification to Secure Hub to prompt the user to reconnect to the Endpoint Management server.
HDX STAs
Decision detail:
- What STAs to use if you will integrate HDX application access?
Design guidance:
HDX STAs must match the STAs in StoreFront and must be valid for the Virtual Apps and Desktops site.
Citrix Files and Citrix Content Collaboration
Decision detail:
- Will you use storage zones controller in the environment?
- What Citrix Files VIP URL will you use?
Design guidance:
If you will include storage zones controller in your environment, ensure that you correctly configure the following:
- Citrix Files Content Switch VIP (used by the Citrix Files Control Plane to communicate with the storage zones controller servers)
- Citrix Files Load Balancing VIPs
- All required policies and profiles
For information, see the documentation for Storage zones controller.
SAML IdP
Decision detail:
- If SAML is required for Citrix Files, do you want to use Endpoint Management as the SAML IdP?
Design guidance:
The recommended best practice is to integrate Citrix Files with Endpoint Management, a simpler alternative to configuring SAML-based federation. Endpoint Management provides Citrix Files with:
- Single sign-on (SSO) authentication of Citrix mobile productivity apps users
- User account provisioning based on Active Directory
- Comprehensive access control policies.
The Endpoint Management console enables you to perform Citrix Files configuration and to monitor service levels and license usage.
There are two types of Citrix Files clients: Citrix Files for Endpoint Management (also known as wrapped Citrix Files) and Citrix Files mobile clients (also known as unwrapped Citrix Files). To understand the differences, see How Citrix Files for Endpoint Management Clients differ from Citrix Files mobile clients.
You can configure Endpoint Management and Citrix Files to use SAML to provide SSO access to:
- Citrix Files apps that are MAM SDK enabled or wrapped by using the MDX Toolkit
- Non-wrapped Citrix Files clients, such as the website, Outlook plug-in, or sync clients
If you want to use Endpoint Management as the SAML IdP for Citrix Files, ensure that the proper configurations are in place. For details, see SAML for SSO with Citrix Files.
ShareConnect direct connections
Decision detail:
- Will users access a host computer from a computer or mobile device running ShareConnect using direct connections?
Design guidance:
ShareConnect enables users to connect securely to their computers through iPads, Android tablets, and Android phones to access their files and applications. For direct connections, Endpoint Management uses Citrix Gateway to provide secure access to resources outside of the local network. For configuration details, see ShareConnect.
Enrollment FQDN for each management mode
| Management mode | Enrollment FQDN |
|---|---|
| MDM+MAM with mandatory MDM enrollment | Endpoint Management server FQDN |
| MDM+MAM with optional MDM enrollment | Endpoint Management server FQDN or Citrix Gateway FQDN |
| MAM-only | Endpoint Management server FQDN |
| MAM-only (legacy) | Citrix Gateway FQDN |
Deployment Summary
If you have multiple Endpoint Management instances, such as for test, development, and production environments, you must configure Citrix Gateway for the additional environments manually. When you have a working environment, take note of the settings before attempting to configure Citrix Gateway manually for Endpoint Management.
A key decision is whether to use HTTPS or HTTP for communication from Citrix Gateway to the Endpoint Management server. HTTPS provides secure back-end communication, because traffic between Citrix Gateway and Endpoint Management is encrypted; the re-encryption costs Endpoint Management server performance. HTTP gives better Endpoint Management server performance, but traffic between Citrix Gateway and Endpoint Management is not encrypted, so anyone on that network path can read it. The HTTP option applies only to the MDM load-balancing virtual server: as the tables below show, MAM traffic is always re-encrypted to port 8443. The following tables show the HTTP and HTTPS port requirements for Citrix Gateway and Endpoint Management.
HTTPS
Citrix typically recommends SSL Bridge for Citrix Gateway MDM virtual server configurations. For Citrix Gateway SSL Offload use with MDM virtual servers, Endpoint Management supports only port 80 as the back-end service.
| Management mode | Citrix Gateway load balancing method | SSL re-encryption | Endpoint Management server port |
|---|---|---|---|
| MAM | SSL Offload | Enabled | 8443 |
| MDM+MAM | MDM: SSL Bridge | N/A | 443, 8443 |
| MDM+MAM | MAM: SSL Offload | Enabled | 8443 |
HTTP
| Management mode | Citrix Gateway load balancing method | SSL re-encryption | Endpoint Management server port |
|---|---|---|---|
| MAM | SSL Offload | Enabled | 8443 |
| MDM+MAM | MDM: SSL Offload | Not supported | 80 |
| MDM+MAM | MAM: SSL Offload | Enabled | 8443 |
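To make the two tables concrete, here is an added Citrix ADC CLI fragment showing what each row means at the service and load-balancing virtual server level. It is not configuration from this page or from Citrix: the VIPs 10.0.0.10 and 10.0.0.11, the Endpoint Management server address 10.0.1.20, and the certificate and object names are assumptions. The SSL Bridge pair and the HTTP-backed SSL Offload virtual server are alternatives for the MDM side; configure one of them, not both.

```text
# Constructed example: 10.0.0.10 / 10.0.0.11 are assumed ADC VIPs, 10.0.1.20 the
# Endpoint Management server; certificate key names are assumed as well.

# --- MDM, HTTPS table: SSL Bridge. ADC forwards the TLS session untouched, so there is
#     no re-encryption and one lb vserver per back-end port (443 and 8443).
add service svc_xem_mdm_443  10.0.1.20 SSL_BRIDGE 443
add service svc_xem_mdm_8443 10.0.1.20 SSL_BRIDGE 8443
add lb vserver lb_xem_mdm_443  SSL_BRIDGE 10.0.0.10 443
add lb vserver lb_xem_mdm_8443 SSL_BRIDGE 10.0.0.10 8443
bind lb vserver lb_xem_mdm_443  svc_xem_mdm_443
bind lb vserver lb_xem_mdm_8443 svc_xem_mdm_8443

# --- MAM, both tables: SSL Offload on the front, SSL service on the back.
#     The SSL service type is what "SSL re-encryption: Enabled" means.
add service svc_xem_mam_8443 10.0.1.20 SSL 8443
add lb vserver lb_xem_mam SSL 10.0.0.11 8443
bind lb vserver lb_xem_mam svc_xem_mam_8443
bind ssl vserver lb_xem_mam -certkeyName xem_mam_cert

# --- MDM, HTTP table (alternative to the SSL Bridge pair above): SSL Offload with an
#     HTTP back-end service. Only port 80 is supported and the hop from ADC to
#     Endpoint Management is clear text.
add service svc_xem_mdm_80 10.0.1.20 HTTP 80
add lb vserver lb_xem_mdm_offload SSL 10.0.0.10 443
bind lb vserver lb_xem_mdm_offload svc_xem_mdm_80
bind ssl vserver lb_xem_mdm_offload -certkeyName xem_mdm_cert
```

Read the service line of each block to see which table row you are in: SSL_BRIDGE means ADC never decrypts, SSL means ADC decrypts and then re-encrypts toward Endpoint Management, and HTTP means ADC decrypts and sends the back-end traffic in the clear. Only the last option needs the network between ADC and the Endpoint Management server to be trusted.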
For diagrams of Citrix Gateway in Endpoint Management deployments, see Architecture.