To start off, I'm assuming that the following is in place and fully configured, and that you are familiar with these concepts:
– XenMobile 10.x cluster (XMS)
– Active Directory (AD)
– Active Directory Certificate Services (ADCS)
– Active Directory Certificate Template(s)
– NetScaler Gateway (NSGW)
– Certificate Based Authentication (CBA)
All of these are combined in a XenMobile deployment that is configured to use CBA as an enrollment requirement.
I came across a limitation (or by-design issue) in conjunction with the ADCS web enrollment that XMS cannot solve: enrollment and certificate requests work just fine the first time, but when you revoke or selectively wipe a device/user and that user enrolls again, you get a cached certificate from XMS (you say what…). Revocation in XMS itself works just fine, but not at this point, because according to support the ADCS API that XMS uses is not capable of doing a revocation; XMS basically uses the web enrollment for this and relies on it.
If you want to check this, just enroll a user with the above setup and see for yourself: the user gets revoked, you revoke the user certificate in ADCS, the user enrolls again, and you will see the cached certificate being issued from XMS (and no new certificate issued from ADCS).
But there is a workaround/solution for this: query the XMS database for this certificate and select the user certificate to delete.
The following query lists the certificates present on XMS:
Select * from dbo.keystore where name like '%ag%'
To delete the certificate, execute this query with the ID you found (in my case 22):
Delete from dbo.keystore where id=22
After this the cached gateway certificate is deleted, and a new enrollment will also produce a newly issued certificate.
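As an added example (not from the original post), here is the same clean-up written as a single T-SQL script for the XenMobile SQL Server database: the SELECT narrows the listing to the columns needed to pick the right row, and the DELETE runs inside a transaction that is rolled back unless exactly one row matched. It assumes only what the post shows (table dbo.keystore with columns id and name); the id 22 is the post's own example value and the @KeystoreId variable name is mine.

```sql
-- Added example (not part of the original post): safer version of the
-- keystore clean-up described above, for the XMS SQL Server database.
-- Assumed: dbo.keystore has at least the columns id and name (the only
-- ones the post shows). Replace 22 with the id found in step 1.

-- Step 1: list the cached gateway certificates so the right id can be picked.
-- The '%ag%' pattern is the post's filter; check the name column before
-- deleting, since a wildcard match can include more than one entry.
SELECT id, name
FROM dbo.keystore
WHERE name LIKE '%ag%'
ORDER BY id;

-- Step 2: delete exactly one row. If the id matched zero rows or more than
-- one, roll back so a typo cannot remove the wrong certificate.
DECLARE @KeystoreId INT = 22;   -- id from step 1 (22 is the post's example)

BEGIN TRANSACTION;

DELETE FROM dbo.keystore
WHERE id = @KeystoreId;

IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one keystore row for id %d; nothing deleted.', 16, 1, @KeystoreId);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
END;
```

Take a backup of the XMS database before running this; in a cluster the nodes share the database, so the row is gone for every node as soon as the transaction commits, and the next enrollment of that user then requests a fresh certificate from ADCS.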
When you combine the above with a CRL or OCSP integration on the NetScaler, the device automatically sends a renewal request, meaning no manual action is needed anymore. This seems to be built-in behaviour on the client side (Secure Hub); see the following article for more information: https://docs.citrix.com/en-us/netscaler/11-1/ssl/manage-cert-revocate-lists.html
I've done a couple of XenMobile implementations and found at least two interesting caveats that stood out: problems you will run into when implementing XenMobile without accounting for them in your deployment, and their resolutions.
NTP configuration in the appliance was reintroduced with XenMobile 10.3.x. A little tip: enter a reachable internal server. If you don't pay attention and leave it unconfigured, for example on VMware, you will get a very nice error message from time to time on the console of your VM: "hrtimer: interrupt took XXXXXX ns" (the XXXXXX is variable). This leaves your node in a failed state and the only resolution is a reboot of the node.
ADCS integration: let's say you have a tiered setup for your ADCS with separation of roles. What is not documented is that XenMobile cannot request certificates when the roles are separated; everything needs to be on the same machine.
Certificate pinning is something that can be enabled to protect against MITM attacks; see Worx Home Certificate Pinning for more information. Usually when you demo or run a PoC/pilot of the solution you show all the different flavours you can choose from. The customer I was with started out with e-mail-based enrollment to the environment, until later we changed to two-factor with certificate based authentication, and for ease of access we changed to UPN enrollment with Worx PIN. The problem is, I don't know why or how, but when changing the ADS (auto-discovery service) the certificate pinning part breaks: corrupt certificate messages in the Worx Home log or mismatch errors, and you might think "what's going on!" I had this kind of fun twice, and the conclusion was: remove the current certificate pinning / ADS part and add the same setup again with the same certificates, and everything works again. CloudOps confirmed this on both occasions. Bug or not, very annoying! I believe a support article is in the worx! (;-p)
Hope these insights help out!
I've come across an issue with the NetScaler Insight Center where data is not showing all the time; at random it just fails on reporting and shows nothing. After a talk with support, it seems there is memory corruption occurring when Insight's memory usage is above 75%.
The resolution should be included in the 11.0.67.x release of the product.
I came across an issue with NetScaler Insight on the latest build of NetScaler 11 (and the same build of Insight): logging did not reach the appliance for the GUI flowcharts. We did see traffic generated from and to the Insight Center, but no updates in the GUI screen. After some digging around and reporting this to Citrix, it turned out to be a bug related to the Integrated Caching feature; this needs to be disabled, otherwise it won't work at all! OK.. that's nice.. A permanent fix is yet to be developed.
Well, it was time for an update regarding some XenMobile actions from the field. Attached is a PDF with some of my ranting; enjoy the read:
Notes from the field XenMobile the road so far
Came across this article today, http://support.citrix.com/article/CTX139485, and basically changed my current VPX 3000 from 2 vCPU and 4 GB to 4 vCPU and 6 GB, and got the goodness!
Thought I would share some XMS 10.1 knowledge:
The tool you need when creating an APNs certificate: https://xenmobiletools.citrix.com/XenMobileCloudTools-3.0/home/
The tool you need when diagnosing the environment (still BETA): https://xmdiag.cgm.citrix.com/users/signin
The rolling patch #1 for XMS 10.1 (cannot find this on the Citrix site, but old trusty Google does): http://support.citrix.com/article/CTX201757
If you use SSL offloading with the NetScaler: test, test and test the internal LB vserver for MAM to make sure port 8443 is passed through all right, otherwise you end up with a broken MAM.
Before implementing, check whether you use AGDLP: domain local groups aren't supported from version 10 (support is in the works).
there is still a bug regarding the ldap see
That's it for the moment, more updates on the roadmap!
A toolkit unknown to many is the online Tools as a Service from Citrix, where you can upload the dump files of:
An automatic analysis of the uploaded dump files then runs, checking them against common issues and best practices: a nice, quick and easy debugging solution.
Take a test drive at https://taas.citrix.com or https://cis.citrix.com with your MyCitrix account.