Notes from the field: XenMobile caveats

I’ve done a couple of XenMobile implementations and found at least two interesting caveats that stood out when implementing XenMobile, along with resolutions for the problems you’ll get when you don’t include them in your deployment.

No.1
NTP configuration was reintroduced in the appliance with XenMobile 10.3.x. A little tip: enter a reachable internal server. If you don’t pay attention and leave it unconfigured, for example on VMware, you will get a very nice error message from time to time on the console of your VM: “hrtimer: interrupt took XXXXXX ns” (the XXXXXX is variable). This leaves your node in a failed state, and the only resolution then is a reboot of the node.

No.2
ADCS integration: let’s say you have a tiered setup for your ADCS with separation of the roles. What is not documented is that XenMobile cannot request certificates when the roles are separated; everything needs to be on the same machine.

No.3
Certificate pinning is something that can be enabled to protect against MITM attacks; see Worx Home Certificate Pinning for more information. Usually when you demo or PoC/pilot the solution you show all the different flavours that you can choose from. The customer I was with started out with email-based enrollment to the environment; later we changed to dual factor with certificate-based authentication, and for ease of access we changed to UPN enrollment with worxpin. The problem is, I don’t know why or how, but when changing ADS the certificate pinning part breaks: you get corrupt certificate messages in the Worx Home log or mismatch errors, and you might think, what’s going on?! I had this kind of fun two times, and the conclusion was: remove the current certificate pinning / ADS part and add the same setup again with the same certificates, and all works again. Cloudops confirmed this on both occasions. Bug or not, very annoying! I believe a support article is in the worx! (;-p)

Hope these insights help out!

Author: hheres

IT Pro / Geek

3 thoughts on “Notes from the field: XenMobile caveats”

  1. Actually that hrtimer error shows up on VMware even with NTP set. I think migrating the VM between hosts causes it sometimes, but have not fully verified.

    1. Thanks for the update Wade. I’ve also seen additional information lately: it’s related to the Hazelcast cluster setup in the node(s). The hrtimer issue comes up much more after installing 10.3.6, and it’s confirmed that RU1, which is upcoming, will fix this. Best is to log a case for this issue.
