Skip to content

XenMobile 10.x and NetScaler 10.x – A Comprehensive HowTo Guide

During implementing quite some XenMobile 10.x solutions in the last couple of months I came across some issues that caused quite some headaches. Therefore I'd like to document and share my lessons learned in this new blog.

As all my implementations were with existing NetScaler 10.x configurations already in place, I was not able to follow all those XenMobile 10.x installation and configuration guides out there by the book. All of those blogs and guides have one thing in common: they assume your start from scratch with both XenMobile 10.x and NetScaler 10.x and thus miss the point in merging XenMobile 10.x requirements with NetScaler 10.x, i.e. adding all those nasty MDM/MAM LB VIPs, DNS records, firewall rules, certificates, Session Policies and Profiles, et al.

I'm trying to shed some light on how to add a new XenMobile 10.x installation to an already existing NetScaler Gateway configuration.

This blog is comprised of the following topics:

Work in Progress

As implementing and configuring XenMobile can be quite a huge and complex task, I intend to update this article on a regular basis in order to get as close to a comprehensive guide as possible regarding this topic.

Prerequisites & Requirements:

For starters I'd like to recommend the following blogs for all those people out there who start from scratch with both XenMobile and NetScaler, as they provide loads of information on prerequisites and all things required for a (almost) hazzle free implementation:

The XenMobile architecture is quite a beast to tame and needs a lot of mastering in order to beat all its intricacies. Just have a look at the following architecture diagram for a fully blown up XenMobile 10.x MDM+MAM solution placed in your internal network:



Ensure you have all this at your hands and/or access to prior to doing anything else as this will definitely delay your progress in implementing XenMobile:

  • Apple Developer Account
  • Apple Push Notification Certificate
  • Microsoft Company Developer Account
  • Google Play Store Account and Google Device ID
  • Auto Discovery Actions
  • DNS Registrations
  • Network Connections, e.g. Firewall Rules
  • Active Directory/LDAP Service Accounts

Furthemore I recommend conducting the following Connectivity Tests on both NetScaler and XenMobile Device Manager to ensure that especially required network connections can be successfully established:

  • NetScaler Connectivity Tests
    • can be found on NetScaler | Configuration | Integrate with Citrix Products | XenMobile | Test Connectivity:



  • XenMobile Connectivity Tests
    • can be found on XenMobile | Support [Wrench Tool] | Diagnostics | XenMobile Connectivity Checks:


Enable all checks listed in the XenMobile Connectivity Checks table by activating the checkbox at the top left corner, then click Test Connectivity at the bottom right corner:


Ensure that all XenMobile Connectivity Checks are greenlit, i.e. are passed successfully:


In case of an error you could left-click the corresponding table entry in order to receive further information and helpful tips on the underlying issue:


Rinse and repeat until all checks are successful.


In order to achieve the renown A+ rating by Qualys' SSLLabs Check, you need to adjust a couple of security related settings in NetScaler. The following articles provide step-by-step instructions on how to achieve this goal:

After adjusting your settings you can verify the results with one of the following websites. Note that the last one (Qualys' SSL Labs Checker) is mostly recommended:


The following articles and blogs are a must read for a deeper understanding of and an insight look into XenMobile 10.x

I tried to create a table showing required IP addresses as well as corresponding NetScaler Gateway vServers necessary for a working XenMobile implementation with an existing NetScaler Gateway configuration:

XenMobile and NetScaler IP Addresses

FQDN/HostnameDescriptionIP AddressNote [internal]
XenMobile Server's FQDN, internally as well as externally; internal IP points to XenMobile Server directly10.0.0.240to make XenMobile Server reachable from internal networks (for administrative purposes); dedicated DNS address record in your internal DNS Zone [external]XenMobile Server's FQDN, internally as well as externally; external IP points to _XM_LB_MDM_XenMobile VIP directly (Ports 443 and 8443)e.g. (=> registration and enrollment to successfully occur, traffic on both Ports 443 and 8443 must be directed to NetScaler Gateway's vServer IP address (_XM_LB_MDM_XenMobile)
nsip.domain.localNetScaler Management IP10.0.0.252 [external]NetScaler Gateway's external FQDN, pointing to Gateway vServer providing XenMobile Session Policy and Profilee.g. (=> NetScaler Gateway vServer for access to XenApp/XenDesktop as well as XenMobile resources
_XM_MAM_LB_10.0.0.232_8443XenMobile Server's LB VIP on NetScaler (Port 443), referred to NetScaler Gateway vServer ( Session Profile (Account Services Address:
_XM_LB_MDM_XenMobileMDM_10.0.0.228_443XenMobile Server's LB VIP on NetScaler (Port 443), referred to by externally resolvable FQDN (
_XM_LB_MDM_XenMobileMDM_10.0.0.228_8443XenMobile Server's LB VIP on NetScaler (Port 8443), referred to by externally resolvable FQDN ( [internal]NetScaler Gateway vServer for XenMobile access after succesful enrollment; referred to by XenMobile Server10.0.0.251provides Session Policy and Profile to redirect incoming Worx Home traffic via to XenMobile Server [NetScaler DNS Address Record]XenMobile Server's FQDN, internally as well as externally; internal IP must be resolved to _XM_MAM_LB VIP from a NetScaler point of view10.0.0.232dedicated DNS address record is required on NetScaler to directly point traffic to _XM_MAM_LB VIP

For an already existing NetScaler Gateway configuration the following Session Policy and Profile must be added to the corresponding vServer for XenMobile traffic to be supported. Ensure checking each Session Profile/Action tab's Advanced Settings as well:

Session Policy:

  • Name:
  • Profile:
  • Expression (in my case):
    REQ.HTTP.HEADER User-Agent CONTAINS zenprise && REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS || REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS Worx

You could run the following NetScaler command at CLI as well in order to create the corresponding Session Profile/Action:

#add NetScaler Gateway Session Profile
add vpn sessionAction <SessionProfileName> -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://<PublicXenMobileFQDN>:8443"

#add NetScaler Gateway Session Policy
add vpn sessionPolicy <SessionPolicyName> "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" <SessionProfileName>

#add NetScaler Gateway Session Policy (alternative)
add vpn sessionPolicy <SessionPolicyName> "REQ.HTTP.HEADER User-Agent CONTAINS zenprise && REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS || REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS Worx" <SessionProfileName>

Session Profile / Action:

TabOptionOverride GlobalValue
Client ExperienceSplit TunnelYOFF
Client ExperienceSession Time Out (mins)Y1440
Client ExperienceClientless AccessYON
Client ExperienceClientless Access URL EncodingYCLEAR
Client ExperiencePlugin TypeYWindows/MAC OS X
Client ExperienceSingle Sign-on to Web ApplicationsYCheckbox checked
Client ExperienceCredential IndexYPRIMARY
SecurityDefault Authorization ActionYALLOW
SecuritySecure BrowseYENABLED
Published ApplicationsICA ProxyYOFF
Published ApplicationsAccount Services AddressY
NetScaler XenMobile 10 Session Profile


Keep in mind that for troubleshooting purposes it's always recommendable to not just turn to XenMobile's and NetScaler's Connectivity Tests (as mentioned above), but to its logging capabilities as well, i.e. investigating its corresponding Debug Logs, Admin Audit Logs, and User Audit Logs, which can be found under in Support [Wrench Tool] | Log Operations | Logs:


Log Levels can be adjusted accordingly in Support [Wrench Tool] | Log Operations | Log Settings.

iOS Enrollment Issues:

Worx Home Enrollment Error - Push service on server is not enabled. Please contact the administrator.


Make sure your XenMobile server has internet access and can reach ports TCP 2195 and TCP 2196 at destination APNs hosts using the public IP address Have a look at Citrix eDocs - Port Requirements as well.

Worx Home Enrollment Error - Profile Installation Failed. A network error has occured.


In my case it turned out that XenMobile server's hostname deviated from my external FQDN as I configured it with an internal FQDN instead. I dug deep into XenMobile server's Debug Log File and found the following entry while trying to enroll my iOS device:


Unfortunately you cannot change the hostname afterwards, thus requiring you to reinstall XenMobile. So make sure that during initial configuration, while defining the XenMobile Server FQDN, it equals your external FQDN:


Worx Home Enrollment Error - Access to your company is not currently available.


Ensure that XenMobile Server's certificate including corresponding private key and certificate chain is complete and intact:


Best practice is to import the server certificate in PFX file format including

  • private key,
  • all certificates in the certification path,
  • and extended properties.

During import you should select all options as depicted:

  • Import: Keystore
  • Keystore type: PKCS#12
  • Use as: Server
  • Keystore file: <certificate.pfx>
  • Password: <password to your private key>


In the end it should look like this in order for you to successfully register and enroll a device with XenMobile:

  • Server
  • SSL Listener
  • SAML
  • APNs


Worx Home Enrollment Error - An error occurred. The enrollment will stop.


XenMobile Debug Log: missing x-citrix-device-ID

The following bugs relate to an integration between XenMobile and NetScaler for the following versions of NetScaler when the TLS 1.2 security protocol is configured on NetScaler:

  • NetScaler 11.x versions earlier than 11.0.64
  • 10.5.59
  • 10.5.58

Note that the issue does not arise when your XenMobile MAM deployment includes a NetScaler load balancer between the XenMobile server and NetScaler Gateway.

Communication between NetScaler Gateway and XenMobile in MAM mode fails due to issues with a backend TLS 1.2 session. As a result, users cannot download apps from the WorxStore, nor files from ShareFile, when connecting to the internal network.

see: XenMobile Server 10.3 Known Issues


When updating from XenMobile 10.1 to version 10.3, if the WorxStore has a custom name, you must change the store name to the default setting of Store and deploy the setting to devices before updating. If not, the custom store name causes issues with XenMobile 10.3 enrollment, access to Worx Home and the WorxStore, and app deployment on iOS devices.

see: Citrix Discussions - Login over MAM no more possible

XenMobile Debug Log: URLRequestFailedMessage

Make sure your NetScaler Session Policy and Profile are configured as described above.

see: Citrix Discussions - Issue with MAM


Read Anton van Pelt's blog on hardening your NetScaler configuration in order to receive the most precious of ratings: the Qualys SSL Labs A+ Rating. Most recommendable! And there are a lot of Citrix Mobility and NetScaler Master Class videos available on YouTube. Make sure to check them out as well!

Further Reading:

Leave a Reply