XenMobile Packet Flow | Citrix MPG Marketing

XenMobile Packet Flow

Citrix Systems, Inc. © 2013

Uploaded by nuno-alves, 03-Dec-2014


Contents

Introduction ................................................ 1
Authentication Sequence with Access Gateway ................. 2
MDM Enrollment Sequence iOS ................................. 3
MDM Enrollment Sequence Android ............................. 4
External Access Sequence to XMA ............................. 5
Internal Access Sequence to XMA (AppController) ............. 7


Introduction

The purpose of this document is to illustrate a high level overview of the traffic flow between Enroll / Worx Home / Receiver, Netscaler, XenMobile Device Manager, and XenMobile AppController.

The AppController sequence assumes that the environment has the following constraints:

1. NetScaler:
   - is deployed in the DMZ
   - has access to Active Directory on port 389 or 636
   - has access to XMA on ports 443 and 80

2. AppController:
   - has access to Active Directory on port 389 or 636

3. Users:
   - have mobile devices connected to an external network (WiFi/3G or 4G) that can communicate directly with XMA on ports 443 and 80

The MDM sequence for Android does not require an APNS certificate or a Developer Account. They are exclusively for iOS.
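The connectivity requirements above, together with the ports that appear in the sequence tables later in this document, encoded as a pre-flight check to run on each tier before enrolling a device. This is an added example written for this page, not Citrix code. The hostnames are placeholders (an assumption), the APNS hostnames are the legacy binary-gateway names Apple used for ports 2195/2196 and are not named in the document, and the "must be blocked" list is the editor's inference from the design (the document only ever has NetScaler, XMA and XDM talk to Active Directory, never the device), not a statement the document makes.

```python
"""Pre-flight connectivity check for the XenMobile flows described on this page.
Added example, not Citrix code. Hostnames are placeholders (assumption)."""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str       # tier the probe must run from: netscaler, xma, xdm, device
    destination: str  # placeholder hostname (assumption)
    port: int
    purpose: str


# Flows the document requires (constraints list plus the sequence tables).
REQUIRED_FLOWS = [
    Flow("netscaler", "dc01.corp.example", 389, "NetScaler -> AD, LDAP"),
    Flow("netscaler", "dc01.corp.example", 636, "NetScaler -> AD, LDAPS"),
    Flow("netscaler", "xma.corp.example", 443, "NetScaler -> XMA, HTTPS"),
    Flow("netscaler", "xma.corp.example", 80, "NetScaler -> XMA, HTTP"),
    Flow("xma", "dc01.corp.example", 389, "AppController -> AD, LDAP"),
    Flow("xma", "dc01.corp.example", 636, "AppController -> AD, LDAPS"),
    Flow("xma", "ag.example.com", 443, "XMA -> Access Gateway callback"),
    Flow("xdm", "dc01.corp.example", 389, "XDM -> LDAP server"),
    Flow("xdm", "dc01.corp.example", 636, "XDM -> LDAP server, LDAPS"),
    # Legacy binary APNS hostnames; the document names only the ports.
    Flow("xdm", "gateway.push.apple.com", 2195, "XDM -> APNS gateway"),
    Flow("xdm", "feedback.push.apple.com", 2196, "XDM -> APNS feedback"),
    Flow("device", "ag.example.com", 443, "device -> Access Gateway"),
    Flow("device", "xdm.example.com", 443, "device -> XDM, Android enrollment"),
    Flow("device", "xdm.example.com", 8443, "device -> XDM, iOS MDM"),
    Flow("device", "discover.mdm.zenprise.com", 443, "device -> Citrix NOC autodiscovery"),
]

# Flows that must NOT work from an external device (editor's inference: the
# document only ever has NetScaler, XMA and XDM talk to AD, never the device).
FORBIDDEN_FLOWS = [
    Flow("device", "dc01.corp.example", 389, "device -> AD must be blocked"),
    Flow("device", "dc01.corp.example", 636, "device -> AD must be blocked"),
]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, source, probe=tcp_probe):
    """Probe the flows whose source tier is `source`; return (reachable, unreachable).
    `probe` is injectable so the logic can be exercised without a network."""
    reachable, unreachable = [], []
    for flow in flows:
        if flow.source == source:
            (reachable if probe(flow.destination, flow.port) else unreachable).append(flow)
    return reachable, unreachable


def report(source, probe=tcp_probe):
    """Return (lines, healthy): one line per flow; healthy only if every required
    flow is reachable and every forbidden flow is blocked."""
    ok, missing = check_flows(REQUIRED_FLOWS, source, probe)
    exposed, blocked = check_flows(FORBIDDEN_FLOWS, source, probe)
    lines = [f"[OK]      {f.purpose}: {f.destination}:{f.port}" for f in ok]
    lines += [f"[MISSING] {f.purpose}: {f.destination}:{f.port}" for f in missing]
    lines += [f"[BLOCKED] {f.purpose}: {f.destination}:{f.port}" for f in blocked]
    lines += [f"[EXPOSED] {f.purpose}: {f.destination}:{f.port}" for f in exposed]
    return lines, not missing and not exposed


if __name__ == "__main__":
    tier = sys.argv[1] if len(sys.argv) > 1 else "netscaler"
    out, healthy = report(tier)
    print("\n".join(out))
    sys.exit(0 if healthy else 1)
```

Run it as `python3 check_flows.py xdm` on the Device Manager, `python3 check_flows.py device` from a phone-equivalent host on the external network, and so on; a non-zero exit means a required path is closed or an internal service is reachable from where it should not be.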


Authentication Sequence with Access Gateway

1. User connects to Access Gateway
2. Access Gateway prompts the user to authenticate
3. User enters their Active Directory credentials
4. Access Gateway takes the user's credentials and verifies them with Active Directory
5. Active Directory responds with an authentication successful message
6. Access Gateway creates a token and SSOs to XMA
7. XMA extracts the user's credentials from the token and uses them to verify the user with Active Directory
8. Active Directory responds with an authentication successful message
9. XMA makes a callback to Access Gateway to verify that the request originated there
10. The callback succeeds and the apps are enumerated
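A model of the handshake above, written as an added example for this page; it is not Citrix code and does not reproduce the real token format. The document's token carries the user's credentials for XMA to re-verify against AD (steps 6-8); this model instead carries a signed identity assertion with a token id and expiry (an assumption), so that the callback in steps 9-10 does visible work: XMA accepts a token only if it verifies under the key shared with AG, the user is in an entitled group, and AG confirms it issued that exact token and has not seen it presented before. The directory contents, group name and app list are constructed sample data.

```python
"""Model of the Access Gateway -> XMA SSO handshake above. Added example, not
Citrix code; token format, shared key and the sample directory are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class Directory:
    """Stand-in for Active Directory holding constructed sample users."""

    def __init__(self, users):
        self._users = users  # name -> (password, set of groups)

    def bind(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec[0], password)

    def groups(self, user):
        rec = self._users.get(user)
        return set(rec[1]) if rec else set()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class AccessGateway:
    """Steps 1-6, plus the callback target for steps 9-10."""

    def __init__(self, directory, shared_key, ttl=60):
        self.dir, self.key, self.ttl = directory, shared_key, ttl
        self.issued = {}  # token id -> (user, expiry); consulted by the callback

    def authenticate(self, user, password, now=None):
        """Verify the credentials with AD, then mint a signed token for SSO to XMA."""
        now = time.time() if now is None else now
        if not self.dir.bind(user, password):
            return None
        tid = secrets.token_hex(16)
        claims = {"user": user, "tid": tid, "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        self.issued[tid] = (user, now + self.ttl)
        return _b64(payload) + b"." + _b64(sig)

    def callback(self, tid, user, now=None):
        """Confirm this gateway issued the token; each token id is honoured once."""
        now = time.time() if now is None else now
        rec = self.issued.pop(tid, None)  # single use, so a replayed token fails here
        return rec is not None and rec[0] == user and now < rec[1]


class AppController:
    """Steps 7-10: validate the token, re-check AD, call back to AG, enumerate apps."""

    def __init__(self, directory, gateway, shared_key, required_group, apps):
        self.dir, self.ag, self.key = directory, gateway, shared_key
        self.required_group, self.apps = required_group, apps

    def sso(self, token, now=None):
        now = time.time() if now is None else now
        try:
            p64, s64 = token.split(b".")
            payload, sig = _unb64(p64), _unb64(s64)
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # not minted with the key shared with AG
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return None  # expired
        if self.required_group not in self.dir.groups(claims["user"]):
            return None  # step 8 equivalent: user is not in an entitled AD group
        if not self.ag.callback(claims["tid"], claims["user"], now):
            return None  # step 9: AG never issued this token, or it was already used
        return sorted(self.apps)  # step 10: apps enumerated


def demo(now=1_000_000.0):
    """Happy path plus four failure modes; returns a dict of outcomes."""
    ad = Directory({"alice": ("Summer2013!", {"Mobile-Users"}), "bob": ("letmein", set())})
    key = secrets.token_bytes(32)
    ag = AccessGateway(ad, key)
    xma = AppController(ad, ag, key, "Mobile-Users", ["WorxMail", "WorxWeb"])
    tok = ag.authenticate("alice", "Summer2013!", now)
    rogue_ag = AccessGateway(ad, secrets.token_bytes(32))  # knows AD, not the shared key
    return {
        "ok": xma.sso(tok, now),                      # ['WorxMail', 'WorxWeb']
        "replay": xma.sso(tok, now),                  # None: callback already consumed
        "forged": xma.sso(rogue_ag.authenticate("alice", "Summer2013!", now), now),
        "expired": xma.sso(ag.authenticate("alice", "Summer2013!", now), now + 61),
        "no_group": xma.sso(ag.authenticate("bob", "letmein", now), now),
    }
```

The callback is what turns a bearer token into something closer to a one-time ticket: a token captured off the wire and replayed, or one minted by a host that knows the directory but not the shared key, is rejected before any app is enumerated.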


MDM Enrollment Sequence iOS

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Apple App Store | HTTPS / HTTP | 443 / 80 | User downloads and installs Citrix Enroll on the mobile device
2 | Enroll | XDM | HTTPS / SSL | 443 | User enters credentials
3 | Enroll | Citrix NOC (discover.mdm.zenprise.com) | HTTPS / SSL / DNS | 443 / 53 | If a domain is specified in the user dialog, Enroll queries the Citrix NOC autodiscovery service to find out whether an XDM server is registered for that domain
4 | Enroll | XDM | HTTPS / SSL | 8443 | If no server is registered, the user is prompted for the XDM server name (FQDN)
5 | Enroll | XDM | HTTPS / SSL | 8443 | If found, the user is prompted for the password
6 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | User credentials are verified against the LDAP server
7 | Enroll | XDM | SSL | 8443 | If successful, the device is connected through a persistent, long-lived HTTPS connection
8 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | XDM verifies the user's group membership against the LDAP server
9 | XDM | Enroll | SSL | 8443 | The user must accept the profiles pushed to the device over the HTTPS connection (Root CA and MDM profile)
10 | XDM | APNS | APNS | 2195 | XDM initiates a connection to the APNS network to tell the device to wake up
11 | APNS | Enroll | SSL | 5223 | APNS delivers the push notification to the device
12 | Enroll | XDM | HTTPS / SSL | 443 | Woken by the push, the device calls home to the XDM server
13 | XDM | APNS | APNS | 2196 | XDM requests acknowledgement of acceptance and status of the request via the APNS network
14 | XDM | Enroll (Worx Home) | HTTPS / SSL | 443 | Based on AD group membership, policies, applications and files are pushed to the device through the HTTPS connection
15 | XDM | APNS | APNS | 2196 | XDM requests acknowledgement of acceptance and status of the request via the APNS network


MDM Enrollment Sequence Android

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Google Play Store | HTTPS / HTTP | 443 / 80 | User downloads and installs Citrix Worx Home on the mobile device
2 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | User enters credentials
3 | Worx Home | Citrix NOC (discover.mdm.zenprise.com) | HTTP / HTTPS / SSL / DNS | 443 / 53 | If a domain is specified in the user dialog, Worx Home queries the Citrix NOC autodiscovery service to find out whether an XDM server is registered for that domain
4 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If no server is registered, the user is prompted for the XDM server name (FQDN). No https:// prefix is needed in the server name
5 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If found, the user is prompted for the password
6 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | User credentials are verified against the LDAP server
7 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If successful, the device is connected through a persistent, long-lived HTTPS connection
8 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3268 | XDM verifies the user's group membership against the LDAP server
9 | XDM | Worx Home | HTTPS / SSL | 443 | Based on AD group membership, policies, applications and files are pushed to the device through the HTTPS connection
10 | XDM | Worx Home | HTTP / HTTPS / SSL | 443 (device-initiated connection) | A Geo Locate request is sent to the device over the persistent HTTPS connection the device opened to the server
11 | (device only) | (device only) | No network activity | n/a | The device attempts to obtain a GPS lock via the onboard GPS chip. Location services must be enabled on the device for this to work
12 | Worx Home | XDM | HTTPS / SSL | 443 | If the device obtains a lock, it sends the location back to XDM. XDM does NOT do cell-tower location
13 | XDM | Worx Home | HTTPS / SSL | 443 (device-initiated connection) | A Wipe command is sent from the server to the device over the HTTPS connection initiated by the device
14 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 (device-initiated connection) | Worx Home acknowledges receipt of the command over the HTTPS connection, confirms that the server received the acknowledgement, and then wipes the device
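Steps 10-14 above modelled as code, to make two points of the design concrete: server-to-device commands (Geo Locate, Wipe) ride on the connection the device itself opened in step 7, so the device listens on no port and an unknown session gets nothing; and the wipe runs only after the device has acknowledged the command and the server has confirmed that acknowledgement. This is an added example for this page, not Citrix code; the session-token scheme, message shapes and the two sample devices are assumptions.

```python
"""Model of steps 10-14 above: server-to-device commands (Geo Locate, Wipe)
ride on the HTTPS connection the device opened in step 7, so the device needs no
listening port. Added example, not Citrix code; message shapes are assumptions."""
import secrets
from collections import deque


class XdmServer:
    def __init__(self):
        self.sessions = {}   # session token -> device id (established in step 7)
        self.pending = {}    # device id -> queue of (cmd_id, command)
        self.acked = set()   # cmd_ids the device has acknowledged (step 14)
        self.locations = {}  # device id -> last reported GPS fix (step 12)

    def open_session(self, device_id):
        """Step 7: the device connects and receives a session token."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = device_id
        self.pending.setdefault(device_id, deque())
        return token

    def queue_command(self, device_id, command):
        """Admin side of steps 10 and 13: the command waits until the device polls."""
        cmd_id = secrets.token_hex(8)
        self.pending[device_id].append((cmd_id, command))
        return cmd_id

    def _device_for(self, token):
        device_id = self.sessions.get(token)
        if device_id is None:
            raise PermissionError("no such session")  # only enrolled devices may poll
        return device_id

    def poll(self, token):
        """Device fetches the next command over its own connection."""
        queue = self.pending[self._device_for(token)]
        return queue.popleft() if queue else None

    def report_location(self, token, fix):
        """Step 12: the device sends its GPS fix back."""
        self.locations[self._device_for(token)] = fix

    def ack(self, token, cmd_id):
        """Step 14: record the acknowledgement and confirm it back to the device."""
        self._device_for(token)
        self.acked.add(cmd_id)
        return {"cmd_id": cmd_id, "confirmed": True}


class WorxHomeDevice:
    def __init__(self, device_id, server, gps_fix=None):
        self.server, self.gps_fix = server, gps_fix
        self.session = server.open_session(device_id)  # device-initiated connection
        self.wiped = False

    def handle_next(self):
        """Process one queued command; returns what happened."""
        item = self.server.poll(self.session)
        if item is None:
            return "idle"
        cmd_id, command = item
        if command == "geolocate":
            # Step 11: GPS only, no cell-tower fallback; nothing is sent without a fix.
            if self.gps_fix is None:
                return "no-fix"
            self.server.report_location(self.session, self.gps_fix)
            return "located"
        if command == "wipe":
            # Step 14: acknowledge, check the server confirmed receipt, then wipe.
            confirmation = self.server.ack(self.session, cmd_id)
            if confirmation.get("confirmed") and confirmation.get("cmd_id") == cmd_id:
                self.wiped = True
                return "wiped"
            return "wipe-not-confirmed"
        return "unknown-command"


def demo():
    """Two constructed devices, one with a GPS fix and one without; then wipe the first."""
    server = XdmServer()
    phone = WorxHomeDevice("phone-1", server, gps_fix=(51.5074, -0.1278))
    tablet = WorxHomeDevice("tablet-1", server)  # location services off
    server.queue_command("phone-1", "geolocate")
    server.queue_command("tablet-1", "geolocate")
    wipe_id = server.queue_command("phone-1", "wipe")
    results = [phone.handle_next(), tablet.handle_next(), phone.handle_next()]
    return server, phone, tablet, results, wipe_id
```

Because every command is pulled by the device over the session it created, the server never needs a route to the device and anyone presenting a token the server did not issue is refused before a command is handed out.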


External Access Sequence to XMA

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Apple App Store | HTTPS / HTTP | 443 / 80 | User downloads and installs Receiver on the mobile device
2 | Receiver | Access Gateway | HTTPS / SSL | 443 | User clicks Add Account and connects to Access Gateway
3 | Access Gateway | Receiver | HTTPS / SSL | 443 | Access Gateway (AG) verifies that the user is requesting a valid resource and then prompts the user to authenticate
4 | Receiver | Access Gateway | HTTPS / SSL | 443 | User authenticates with AD credentials (plus a one-time password if a second factor is configured)
5 | Access Gateway | Active Directory | LDAP / LDAPS | 389 / 636 | AG verifies the credentials against AD
6 | Access Gateway | XMA | HTTPS / SSL | 443 | AG creates a token and SSOs to XMA
7 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA uses the credentials carried in the token to authenticate the user against Active Directory
8 | XMA | Access Gateway | HTTPS / SSL | 443 | XMA makes a callback to AG to verify that the authentication request originated at AG
9 | Receiver | XMA | HTTPS / SSL | 443 | If authentication succeeds, Receiver makes a GET request for the store information (.cr file)
10 | XMA | Receiver | HTTPS / SSL | 443 | XMA validates the endpoint, registers the device (Receiver) and pushes down the .cr file
11 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA checks that the user belongs to the correct role, i.e. group, in AD
12 | XMA | Receiver | HTTPS / SSL | 443 | XMA sends the list of resources (an app icon for each resource) down to Receiver
13 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a resource such as a native mobile app
14 | XMA | Receiver | HTTP | 80 | XMA records the subscription and then sends the app down to the mobile device
15 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (Formfill) application
16 | XMA | Receiver | HTTPS / SSL | 443 | XMA records the subscription and prompts the user for the Web/SaaS application credentials
17 | Receiver | XMA | HTTPS / SSL | 443 | User submits the Web/SaaS credentials; XMA saves them in its local database
18 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a redirect to the endpoint device with the required form
19 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the pre-filled form to the Web/SaaS application and is signed on
20 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (SAML) application
21 | XMA | Receiver | HTTPS / SSL | 443 | XMA records the subscription
22 | XMA | XMA (local) | n/a | n/a | XMA saves the Web/SaaS app username in its local database
23 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a SAML token with a redirect to the endpoint device
24 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the SAML token to the Web/SaaS application and is signed on


Internal Access Sequence to XMA

Step | From | To | Protocol | Port | Description
1 | Mobile Device | XMA | HTTP | 80 | User downloads and installs Receiver on the mobile device
2 | Receiver | XMA | HTTPS / SSL | 443 | User clicks Add Account and connects to XMA
3 | XMA | Receiver | HTTPS / SSL | 443 | XMA verifies that the user is requesting a valid resource and then prompts the user to authenticate
4 | Receiver | XMA | HTTPS / SSL | 443 | User authenticates with AD credentials
5 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA verifies the credentials against Active Directory
6 | Receiver | XMA | HTTPS / SSL | 443 | If authentication succeeds, Receiver requests the store information (.cr file)
7 | XMA | Receiver | HTTPS / SSL | 443 | XMA validates the endpoint, registers the device (Receiver) and pushes down the .cr file
8 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA verifies the user's role group in AD
9 | XMA | Receiver | HTTPS / SSL | 443 | XMA sends the list of resources to Receiver
10 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a resource such as a native mobile app
11 | XMA | Receiver | HTTP | 80 | XMA records the subscription and then sends the app down to the mobile device
12 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (Formfill) application
13 | XMA | Receiver | HTTPS / SSL | 443 | XMA records the subscription and prompts the user for the Web/SaaS application credentials
14 | Receiver | XMA | HTTPS / SSL | 443 | User submits the Web/SaaS credentials; XMA saves them in its local database
15 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a redirect to the endpoint device with the required form
16 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the pre-filled form to the Web/SaaS application and is signed on
17 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (SAML) application
18 | XMA | Receiver | HTTPS / SSL | 443 | XMA records the subscription
19 | XMA | XMA (local) | n/a | n/a | XMA saves the Web/SaaS app username in its local database
20 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a SAML token with a redirect to the endpoint device
21 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the SAML token to the Web/SaaS application and is signed on
