Services
Overview
Citrix XenMobile is the revolutionary new way to mobilize your business. The
product offers security and compliance for IT while giving users mobile device,
app and data freedom. Users gain single-click access to all of their mobile, SaaS
and Windows apps from a unified corporate app store, including seamlessly-
integrated email, browser, data sharing and support apps.
In this lab, you will get hands-on experience deploying the full XenMobile
Enterprise Solution.
Machine Details

| Machine | IP address | Details |
|---|---|---|
| Site1-AD.training.lab | 192.168.10.11 | Windows Server 2008 R2 SP1. Domain controller for training.lab, DNS, DHCP services, and license server. (Training.lab) |
| Site1-AppC1 | 192.168.10.20 | XM App Controller v2.9 |
| Site1-DDC | 192.168.10.40 | XenDesktop 7 Delivery Controller |
| Site1-Exchange | 192.168.10.15 | Windows Server 2008 R2 SP1 with Exchange 2010 installed |
| Site1-NS1 | NSIP=192.168.10.50; SNIP=192.168.10.60; VIP = 192.168.10.100, 192.168.10.101, 192.168.10.102 | NetScaler VPX 10.1.e. NetScaler VPX pre-configured to provide remote access to MS Exchange and XenMobile Device Manager 8.6. |
| Site1-SharePoint | 192.168.10.14 | Windows Server 2008 R2 SP1 running SharePoint 2010. |
| Site1-SQL1 | 192.168.10.12 | Windows Server 2008 R2 SP1 running Microsoft SQL 2008 R2. |
| Site1-VDA | 192.168.10.41 | Windows Server 2008 R2 SP1 running as Virtual Delivery Agent (VDA) for XenDesktop 7.0 |
| Site1-Win7Client | 192.168.10.201 | Windows 7 Client machine |
| Site1-XDM1 | 192.168.10.30 | Windows Server 2012 running XenMobile Device Manager 8.6 |
| Site2-AD.training2.lab | 192.168.20.11 | Windows Server 2008 R2 SP1. Domain controller for training.lab, DNS, DHCP services, and license server. (Training2.lab) |
| Site2-NS2 | NSIP=192.168.20.50; SNIP=192.168.20.60; VIP = 192.168.20.100, 192.168.20.101, 192.168.20.102 | NetScaler VPX 10.1.e. |
Step Action
1. From your browser, navigate to http://ilt.citrixvirtualclassroom.com/
Enter the Student Portal Session Code (provided by Instructor)
and your Business Email Address
NOTE: Select the option to keep the session linked to your email address when logging off.
2. Click Start Lab to launch XenCenter Session
Exercise 1: Configure Microsoft Cert Services to support Client Cert Authentication
Overview
In this exercise, students will learn how to configure Microsoft Certificate
Services to support client certificate authentication.
Step-by-step guidance
Estimated time to complete this lab: 60 minutes
Step Action
1. Select the Site1-AD.training.lab virtual machine and navigate to the
Console tab.
2. Open Active Directory Users and Computers shortcut found on
the desktop
4. Enter the following details:
First name: CertSvc
User Logon name: Certsvc
Select Next
5. Enter the following details:
Password: Citrix123
Check Password never expires
6. Make the new user CertSvc part of the Domain Admins group
7. Confirm that both Client Cert Mapping and IIS Client Cert
Mapping are installed
9. Select Client Cert Mapping Authentication and IIS Client Cert
Mapping Authentication
11. Open IIS Manager to confirm that https has been configured
correctly:
Open IIS Manager -> Default web site -> Edit Bindings
12. Select https -> Edit
Confirm SSL Certificate is set to ad.training.lab
14. Enable Active Directory Client Certificate Authentication
16. Add Certificate Template MMC snap-in by launching mmc console
Select File -> Add\Remove Snap-in -> Certificate Templates ->
Add
Select OK
17. XDM will be using a certificate to authenticate the connection to the
Microsoft Certificate authority. The Certificate used will be tied to a
user which in this case will be the CertSvc account. (This account
needs no special rights; a standard AD user is sufficient).
18. Select Windows Server 2003 Enterprise
20. In Request Handling Tab ensure Allow private key to be
exported is unchecked
21. In Subject Name tab, select Supply in the request. This allows
XDM to provide parameters to the certificate request. When this
option is selected, the following warning is seen:
Select OK
22. Select the Security tab -> Add CertSvc account and grant Full
Control.
23. Select Authenticated Users and grant them Enroll permissions
Select OK
25. Select Certificate Template -> New -> Certificate Template to
Issue
26. Select XDM User Template
Select OK
28. The next step is to generate a user certificate for CertSvc. This can
be done on the server running the Certificate Authority, which in this
case is the Domain Controller.
30. We will now request a user certificate which will be used to
authenticate XDM to the Microsoft Certificate Authority.
Select Request a certificate -> User Certificate
31. The following Web Access Confirmation is seen:
Select Yes
Select Submit
Select Yes
33. Install the certificate. This will make it available in the personal
certificate store and will allow us to open the certificate MMC plug-in
for the user and export the certificate.
34. Add Certificates MMC snap-in by launching mmc console
Select File -> Add\Remove Snap-in -> Certificates -> Add
Select OK
35. Select Certificates -> Personal -> Certificates
38. Check:
Include all certificates in the certificate path if possible
Export all extended properties
Click on Next
39. Type a password to protect the Private key
Password: Citrix123
Select Next
40. Specify the file path where to save the certificate:
File name: c:\certs\Certsvc.pfx
Select Finish
41. To test and confirm that client certificate authentication is
configured correctly, we need to temporarily disable Integrated
Windows Authentication.
42. In a browser, enter the following URL:
https://ad.training.lab/Certsrv
You should be prompted with a certificate as per below:
END OF EXERCISE
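Added example, not part of the original lab guide: steps 20 to 23 set the template's key-export, subject-name and enrollment settings, and this Python check reads those settings back from a template record and reports where they differ from the lab or pair a requester-supplied subject with broad enrollment. The LDIF record, the template CN XDMUserTemplate, the client-authentication EKU on the template and the list of Enroll principals are constructed assumptions.

```python
# Added example (not from the lab guide): read back the template settings from
# steps 20-23. The LDIF record and the template CN are constructed sample data.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_EXPORTABLE_KEY = 0x10             # bit in msPKI-Private-Key-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (CA manager approval)
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

SAMPLE_TEMPLATE = """\
dn: CN=XDMUserTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=training,DC=lab
msPKI-Certificate-Name-Flag: 1
msPKI-Private-Key-Flag: 0
msPKI-Enrollment-Flag: 0
msPKI-RA-Signature: 0
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4
"""

def parse_ldif(text):
    """Parse one unfolded LDIF-style record into {attribute: [values]}."""
    attrs = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def review_template(attrs, enroll_principals):
    """Return findings for one template; enroll_principals lists who holds Enroll."""
    def flag(name):
        return int(attrs.get(name, ["0"])[0])
    supplies_subject = bool(flag("msPKI-Certificate-Name-Flag") & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    exportable = bool(flag("msPKI-Private-Key-Flag") & CT_FLAG_EXPORTABLE_KEY)
    gated = bool(flag("msPKI-Enrollment-Flag") & CT_FLAG_PEND_ALL_REQUESTS) or flag("msPKI-RA-Signature") > 0
    client_auth = CLIENT_AUTH_EKU in attrs.get("pKIExtendedKeyUsage", [])
    broad = sorted(BROAD_PRINCIPALS & set(enroll_principals))
    findings = []
    if exportable:
        findings.append("private key is exportable (step 20 expects this unchecked)")
    if not supplies_subject:
        findings.append("subject is built from AD, not supplied in the request (step 21)")
    if supplies_subject and client_auth and broad and not gated:
        findings.append("requester-supplied subject with client-auth EKU; Enroll held by: " + ", ".join(broad))
    return findings

if __name__ == "__main__":
    for finding in review_template(parse_ldif(SAMPLE_TEMPLATE), ["Authenticated Users", "CertSvc"]):
        print(finding)
```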
Summary
Key Takeaways
The key takeaways for this exercise are:
Configure Microsoft Certificate services to support Client certificate authentication
Exercise 2: Configuring XDM to Communicate with Microsoft CA
Overview
In this exercise you will learn how to configure XenMobile MDM server to
communicate with the Microsoft Certificate Authority and check out client
certificates.
Step-by-step guidance
Estimated time to complete this lab: 20 minutes
Step Action
1. Select the Site1-Win7Client virtual machine and navigate to the
Console tab.
2. Launch URL https://xdm1.training.lab/zdm and use the following
credentials:
User name: training\administrator
Password: Citrix123
4. In this section we will import the PFX file we just created for user
Certsvc. This is simply a user certificate for a user that has
permission to generate certificates based on the mobility certificate
we plan to issue to the device. XDM authenticates itself to the CA
with this user certificate.
Click Upload
5. Select Entities -> New -> New MS CertSrv entity
7. Select the Template tab -> New template
Here we will specify the User template we created in exercise . This
will allow XDM to know which certificate template is available for use
in this CA.
9. Select Credential providers tab -> New credential provider
Use the following details:
Credential provider name: MS CA Provider
Description: CA Provider
Issuing entity: MS CA
Issuing method: SIGN
Template: XDM User template
10. Select CSR tab and use the details below:
11. Select Distribution Tab and use the following details:
Issuer: <Select the issuing CA certificate we added in PKI
Entity>
Distribution mode: Prefer centralised
12. Select Renewal Tab -> Check Renew certificates when they
expire
Select Add
END OF EXERCISE
Summary
Key Takeaways
In this exercise, you learnt how to configure XenMobile MDM
server to communicate with the Microsoft Certificate Authority
and check out client certificates.
Exercise 3: Create Credential Policy in MDM Server
Overview
In this exercise, students will learn how to create a credential policy on the
MDM server which will be included in a deployment package and pushed down
to the devices.
Step-by-step guidance
Estimated time to complete this lab: 20 minutes
Step Action
1. Select the Site1-Win7Client virtual machine and navigate to the
Console tab.
2. Launch URL https://xdm1.training.lab/zdm and use the following
credentials:
User name: Administrator
Password: Citrix123
5. Select General tab and use the following details:
Identifier: MS Credentials
Display name: MS Credentials
Organisation: Citrix Readiness
Description: MS Credentials
Select Create
7. For Android devices:
Select Policies Tab -> Android -> Configurations -> General ->
Credentials
Select Add
9. Select Deployment tab -> Training Package - iOS -> Edit
Select Finish
11. Select Deployment tab -> Training Package - Android -> Edit
13. Re-enroll your device using the MDM server FQDN (your Extra IP2
FQDN)
Example: 173-192-86-182.mycitrixtraining.net
14. Use the following credentials:
Username: training\user2
Password: Citrix123
15. Once the device is enrolled, you can confirm that deployment
package has been deployed successfully by:
16. View the MDM server logs by:
Launch URL: https://xdm1.training.lab/zdm/helper.jsp
Select Tools -> Logs -> ZDMLOGFILE -> *
17. Within the ZDM.log file, you will see the following information:
END OF EXERCISE
Summary
Key Takeaways
The key takeaways for this exercise are:
How to integrate, configure and deliver Client Certificates to mobile
devices (e.g. iOS and Android)
Exercise 4: Configure Client Access Server to accept client certificates
Overview
In this exercise, you will learn how to configure Microsoft Exchange client
access server to accept client certificates as well as create an ActiveSync policy
within the MDM server.
Step-by-step guidance
Estimated time to complete this lab: 20 minutes
Step Action
1. Select the Site1-Exchange virtual machine and navigate to the
Console tab.
2. Open Exchange Management Console shortcut found on the
desktop
5. Click Next
7. Verify everything is OK.
Click Finish
8. Select Microsoft Exchange On-Premises -> Server Configuration
-> Client Access
9. Select Authentication tab -> Accept client certificates
11. Select Add Role Services
12. Select Client Cert Mapping Authentication and IIS Client Cert
Mapping Authentication
Click SSL Settings -> ensure SSL Settings are set to Accept
16. Ensure Windows Authentication is enabled by selecting
Authentication -> Open Feature
18. Open Configuration Editor
19. Select system.webServer -> Security -> authentication ->
ClientCertificateMappingAuthentication
Select Apply
21. Close IIS Manager console
23. Select the Site1-Win7Client virtual machine and navigate to the
Console tab.
24. First, let's recreate the load-balancing virtual server on the NetScaler for
Exchange connections.
25. Leave the folder open and launch WinSCP.
27. On the left pane, drag-and-drop the SSL Bridge ns.conf file to the
right pane. Click Yes to overwrite the file.
30. Type the following command:
>reboot warm
32. To verify that everything is working as expected, from outside the lab
environment, open the Internet Explorer browser and connect to
https://ExtraIP1.mycitrixtraining.net/owa (Note: ExtraIP1 is
available on the ILT page. Be sure to replace the periods between
octets with dashes (-).)
33. Next, we're going to configure the MDM policy that sets up Exchange
with client certificate authentication against the Exchange Server.
35. Select General tab and use the following details:
36. Select Exchange ActiveSync tab and use the following details:
Select Create
37. Next, create a Credentials policy to push the Root CA for Training.lab
for iOS devices in order to trust the Client Certificate delivered by
MDM.
39. Go to Credential tab and enter the Credential Name as Root CA
Training.
Click Create
40. Select Deployment tab -> Training Package - iOS -> Edit
41. Select Resources and add MS Exchange Credentials and Root
Training
Select Finish
42. If you are not enrolled, re-enroll to XDM. Otherwise, redeploy the
package by:
43. Once the package has been redeployed, you can confirm that the
additional policy has been deployed successfully by:
We're going to configure the Root CA for later use with WorxMail in the
XenMobile App and Enterprise Edition exercises.
45. Enter the following parameters:
Click Add
46. Select Deployment tab -> Training Package - Android -> Edit
47. Select Resources and add Exchange ActiveSync and Root
Training
Select Finish
48. If you are not enrolled to XDM, please enroll to test. Otherwise, go to
the Devices tab and click Deploy to the Android device.
49. View the MDM server logs by:
Launch URL: https://xdm1.training.lab/helper.jsp
Select Tools -> Logs -> ZDMLOGFILE -> *
50. Within the ZDM.log file, you will see the following information:
51. The user should not be prompted for any password as we are now
using the client certificate for authentication
52. Before moving forward with other lab exercises, please revert the
changes on the NetScaler back to SSL Offload by replacing the
ns.conf file. Refer to steps 23-31.
END OF EXERCISE
Summary
Key Takeaways
The key takeaways for this exercise are:
Configure Microsoft Exchange CAS to accept Client Certificates
Create an ActiveSync policy on MDM server and include it in a deployment package.
Revision History

| Revision | Change Description | Updated By | Date |
|---|---|---|---|
| 1.0 | Original Version | Karen Sciberras | 11/13/2013 |
| 1.1 | Fixed typos and added the SSL Bridge for Exchange | Adolfo Montoya | 11/25/13 |
| 1.2 | Fixed typos and removed Android Exchange Profile for MDM and TouchDown. | Adolfo Montoya | 12/2/2013 |