This post applies to the Nike (8.6) and later releases of XenMobile Enterprise Edition:

  • Device Manager Build: 8.6.33292
  • AppController: 2.9.0_111000
  • NetScaler Build: NS10.1: Build 120.1316.e.nc

The prerequisite for this setup is that the Certificate Authority is configured and the MDM Server is set up to provide user certs to the device. This setup also requires an additional NSG to be set up for HDX apps to work with Receiver.

On the AppController, go to Settings > Deployment and Edit/Add the NetScaler Gateway:

  • Set Logon type to certificate
  • “Do not require passwords” should be unchecked
  • External URL should be set to the NSG URL
  • StoreFront Settings
    • Allow StoreFront to aggregate AppController Apps: set to YES
    • Authentication Server: set to NO

On the NetScaler, go to NetScaler Gateway > Virtual Servers and open the NSG (prerequisite: the NSG is already added and configured).

Add the Root Certificate from the Certificate Authority as a CA

Click on the Authentication tab, bind the LDAP policy and the Certificate policy, and give them the same priority.

If the Certificate policy has not been created previously, you can create it here.

Give it a name (CertificatePolicy in this case) and set the Authentication Type to CERTS.

Click New in the Server field.

Give it a name and in the User Name Field select “SubjectAltName:PrincipalName”.

Two factor needs to be set to ON. Click Create.

Back in “Create Authentication Policy”, the Server field should now show the certificate server we created in the step above.

Next, click the Named Expressions drop-down (showing “Client is from different geographical reg…”), scroll right to the bottom, select “TrueValue” and click “Add Expression”.

This should add “ns_true” in the Expressions window. Click Create.

Ensure that the priorities on the authentication policies are the same

Click back on the “Certificates” tab and select “SSL Parameters”.

Check “Client Authentication”, set “Client Certificate” to “Mandatory”, then click OK and OK.
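To confirm the settings above once the configuration is saved, the following added example (not part of the original post) audits saved-config text for one gateway and lists any deviation from this setup. The sample lines are constructed, the object names CertServer, LdapPolicy, LdapServer and NetScaler_Gateway are assumptions, and the command forms are the NetScaler CLI equivalents of the GUI steps.

```python
import shlex
# Constructed sample of saved-config lines; names other than CertificatePolicy are assumptions.
SAMPLE_CONF = """\
add authentication certAction CertServer -twoFactor ON -userNameField SubjectAltName:PrincipalName
add authentication certPolicy CertificatePolicy ns_true CertServer
add authentication ldapPolicy LdapPolicy ns_true LdapServer
bind vpn vserver NetScaler_Gateway -policy CertificatePolicy -priority 100
bind vpn vserver NetScaler_Gateway -policy LdapPolicy -priority 100
set ssl vserver NetScaler_Gateway -clientAuth ENABLED -clientCert Mandatory
"""

def flags(tokens):
    """Collect '-name value' pairs from a tokenised command line."""
    return {t[1:]: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def audit(conf, vserver):
    """Return deviations from the certificate + LDAP setup for one gateway vserver."""
    actions, policies, bound, ssl = {}, {}, {}, {}
    for line in conf.splitlines():
        t = shlex.split(line)
        if len(t) > 3 and t[:3] == ["add", "authentication", "certAction"]:
            actions[t[3]] = flags(t[4:])
        elif len(t) > 5 and t[:2] == ["add", "authentication"] and t[2] in ("certPolicy", "ldapPolicy"):
            policies[t[3]] = (t[2], t[5])  # policy name -> (kind, action/server name)
        elif t[:3] == ["bind", "vpn", "vserver"] and t[3:4] == [vserver]:
            f = flags(t[4:])
            if "policy" in f:
                bound[f["policy"]] = f.get("priority")
        elif t[:3] == ["set", "ssl", "vserver"] and t[3:4] == [vserver]:
            ssl.update(flags(t[4:]))
    kind = lambda p: policies.get(p, ("", ""))[0]
    certs = [p for p in bound if kind(p) == "certPolicy"]
    ldaps = [p for p in bound if kind(p) == "ldapPolicy"]
    findings = []
    if ssl.get("clientAuth") != "ENABLED" or ssl.get("clientCert") != "Mandatory":
        findings.append("client certificate is not mandatory on the SSL vserver")
    for label, found in (("certificate", certs), ("LDAP", ldaps)):
        if not found:
            findings.append(f"no {label} policy bound")
    for p in certs:
        a = actions.get(policies[p][1], {})
        if a.get("twoFactor") != "ON":
            findings.append(f"{p}: two factor is not ON")
        if a.get("userNameField") != "SubjectAltName:PrincipalName":
            findings.append(f"{p}: user name field is not SubjectAltName:PrincipalName")
    if certs and ldaps and len({bound[p] for p in certs + ldaps}) != 1:
        findings.append("certificate and LDAP policies have different priorities")
    return findings
```

Calling `audit(SAMPLE_CONF, "NetScaler_Gateway")` returns an empty list when every setting from the steps above is in place.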

Next we need to add an additional NSG, using the same IP on port 4443, for HDX apps to work.

NetScaler > NetScaler Gateway > select the NSG that is provisioned above, select Add, change the port to 4443, give it a name (NetScaler_Gateway2) and add the Server Certificate.

Switch to the Authentication tab and ensure “Enable Authentication” is checked (do not add any authentication policy).

Click on Published Apps and add the StoreFront URLs as “Secure Ticket Authority”.

Click Create and Close. Create and Close on the Virtual Server

If you open the new vserver (created above) and click on the Published Applications tab, the STA servers will show up as UP.

Next we need to change the port on StoreFront to 4443.

Log on to the StoreFront server > NetScaler Gateway

Click on Change General Settings

Append port 4443 to the NetScaler Gateway URL

Append port 4443 to the Callback URL

Click OK and restart the IIS service. HDX apps should now launch successfully using Receiver, with the certificate being mandatory for WorxHome.

Using this method, admins can provide an extra layer of security by utilizing certificate authentication for mobile apps, and seamlessly provide HDX integration to apps behind the NetScaler.