Mobile Device Access, Citrix NetScaler VPX 9.3 and XenApp 6.5

I am often asked how to enable mobile device access through an existing Citrix Access Gateway Enterprise Edition appliance. There are a number of useful guides; this is how I configure an environment.

Configure XenApp Services Site

First step is to create a new XenApp Services Site.

Highlight XenApp Services Site and select Actions > Create Site.

Citrix Web Interface create site

On the Specify IIS Location page change the Name to MobileAccess and click Next and Next.

Configure the site now and click Next.

Enter the Farm Name, Add the XenApp Server(s), enter the XML Service port and click Next.

In the Citrix Web Interface Management console highlight the new MobileAccess site and from the Actions pane select Secure Access.

Highlight the Default and select Edit.  Change the Access method to Gateway direct, click OK and Next.

Enter the Access (FQDN) of the virtual server and click Next.

Click Add, enter the address of the STA, click OK and Finish.

Configure NetScaler Policy

Return to the NetScaler VPX configuration utility and click Access Gateway > Policy Manager > Change group settings and user permissions.

Select Session Policies and Create new session policy.

The Create Access Gateway Session Policy window appears. Enter MobileAccess for the policy name and click New.

Name the Session Profile MobileDevices. On the Published Applications tab, select Override Global for ICA Proxy, Web Interface Address, Web Interface Portal Mode and Single Sign-On Domain.

Enter the following:

ICA Proxy: ON

Web Interface Address: http://XA65.ctxdemo.local/Citrix/MobileAccess/config.xml

Web Interface Portal Mode: NORMAL

Single Sign-on Domain: ctxdemo

In the Configure Access Gateway Session Policy window, next to Match Any Expression, click Add…

Expression Type: General

Flow Type: REQ

Protocol: HTTP

Qualifier: HEADER

Operator: CONTAINS

Value: CitrixReceiver

Header Name: User-Agent

Select OK, Create and Close. The Access Gateway Session policy appears as an icon in the Access Gateway Policy Manager.

Under Configured Policies / Resources, expand the Virtual Servers > SmartAccess node and then drag the MobileAccess icon onto the SmartAccess > Session Policies icon.

Modify the priority of the policy so the MobileAccess policy has a higher priority than the Remote Access policy. This is done by assigning it a lower priority number.

Close the Access Gateway Policy Manager and save the configuration.
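The priority step above decides which profile a Citrix Receiver client ends up with. The following is an added example, not part of the original post and not Citrix code: a simplified Python model of session policy evaluation, assuming the existing Remote Access policy uses the expression ns_true and that conflicting settings come from the matching policy with the lowest priority number. The Remote Access profile values, the priority numbers and the User-Agent strings are constructed.

```python
import re
from dataclasses import dataclass

# Classic expression form used on this page: REQ.HTTP.HEADER <name> CONTAINS <value>
_HEADER_RULE = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(.+)$")

@dataclass
class SessionPolicy:
    name: str
    expression: str
    priority: int   # lower number = higher priority
    profile: dict   # only the settings marked Override Global

def matches(expression, headers):
    """Evaluate ns_true or one header CONTAINS rule (case-sensitive in this model)."""
    if expression == "ns_true":
        return True
    rule = _HEADER_RULE.match(expression)
    if rule is None:
        raise ValueError(f"unsupported expression: {expression!r}")
    wanted = rule.group(1).lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    return rule.group(2) in value

def effective_settings(policies, headers):
    """Merge every matching profile; on conflict the lowest priority number wins."""
    settings = {}
    for policy in sorted(policies, key=lambda p: p.priority):
        if matches(policy.expression, headers):
            for key, value in policy.profile.items():
                settings.setdefault(key, value)
    return settings

MOBILE_PROFILE = {  # values entered in the MobileDevices profile on this page
    "ICA Proxy": "ON",
    "Web Interface Address": "http://XA65.ctxdemo.local/Citrix/MobileAccess/config.xml",
    "Web Interface Portal Mode": "NORMAL",
    "Single Sign-on Domain": "ctxdemo",
}
# Constructed: the existing Remote Access profile is not shown on the page.
REMOTE_PROFILE = {"ICA Proxy": "ON",
                  "Web Interface Address": "http://wi.example.invalid/Citrix/XenApp"}

def build_policies(mobile_priority, remote_priority=20):
    return [
        SessionPolicy("RemoteAccess", "ns_true", remote_priority, REMOTE_PROFILE),
        SessionPolicy("MobileAccess", "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver",
                      mobile_priority, MOBILE_PROFILE),
    ]

RECEIVER = {"User-Agent": "CitrixReceiver-iPad CFNetwork/548.0.4"}  # constructed
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"}            # constructed
```

With MobileAccess at priority 10 the Receiver request resolves to the MobileAccess config.xml address; at priority 30 it falls through to the Remote Access address. The User-Agent header is supplied by the client, so the expression routes clients to a profile and is not a device check.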

Test Application Enumeration and Launch

Install the root certificate on the client machine you are going to test from and make sure it is possible to resolve the FQDN of the NetScaler VPX virtual server.

On the mobile device install the Citrix Receiver and configure a profile that points to the FQDN of the gateway.

Setting up Vyatta on XenServer 6.0 Home Lab

I use a Vyatta virtual router in my home lab to segregate my test networks from the home one. I first used the virtual appliance over a year ago and it's been faultless ever since. I can't claim to use more than 1% of its functionality as a) networking is not my thing and b) it does what I need and I've left my investigation at that. So if you want to spin one up on XenServer 6.0 here is what you need to do.

  • Download the latest iso from Vyatta. You have to enter your details to do this and if you are not paying a subscription then some features, such as the web GUI, will not be available to you. As a test lab router however you'll be able to do everything you need.
  • Create a new VM on XenServer 6.0, select Other, and assign a disk (at least 1GB – I use 20GB) and 512MB of RAM (I use 1GB). In regards to network interfaces you will need to work out in advance where you want your device to sit in your network. I have created two networks on my XenServer host, Network 0 and Testlab, and both are bound to the single NIC I use. My new VM therefore has two network interfaces, one on Network 0 and one on Testlab.
  • Make sure the iso you have downloaded is in the new VM DVD drive and start up the machine.
  • The iso is known as the live iso and will not install by default. Log in using the default credentials (username = vyatta, password = vyatta) and run the following commands:

Select all defaults until you get to the following section, where you change the option to yes “Would you like to set up config files to prepare for the conversion to PV domU? [No]: ” yes

Following the install I run the commit and save commands, then shut down.

  • At reboot you will now want to install the Xen tools. To do this make sure the Xen tools iso is in the VM DVD drive, log in and execute the following commands:


sudo mount /dev/cdrom /mnt

ls /mnt/Linux

sudo dpkg -i /mnt/Linux/xe-guest-utilities_6.0.0-743_i386.deb

sudo umount /mnt




  • Restart the VM and log in to the console. You can now add IP addresses to the interfaces and a static route so your test lab machines can access your home router and get out to the Internet. I have also set a static route on my home router so it can get back to the testlab VLAN. I have listed examples of commands that you may find useful below:
Adding an IP address
set interfaces ethernet eth0 address <IP address/subnet e.g.
Adding a route
set protocols static route <Network address/subnet e.g.> next-hop <IP address e.g.>

Citrix XenApp 6.5 in Amazon EC2

This article covers how to set up and run a Citrix XenApp 6.5 server in Amazon EC2.  For reference I used the following articles:

Sign up for an Amazon Web Services account. I have used EC2, the Amazon Elastic Compute Cloud, for this purpose. EC2 is one of two compute services from Amazon; it is worth looking through all the services on offer as this will help you develop an understanding of the entire range of Amazon services.

EC2 - Create an account

Once the account has been created, sign in and launch the EC2 console.

From the console select your region; I selected Singapore. I completed a number of tests before selecting the region I wanted to use. I'm based in Perth, Western Australia, and my ISP routes me straight there so my experience is very good. However, if you are based in the Eastern States of Australia then the results of my testing showed that the West coast of the United States would be the best option.

From the EC2 dashboard, select Network and Security, Security Groups.  Create a new security group and assign the inbound port rules.

I added rules for RDP, HTTP, and ICA including the CGP. I have not enabled multi-stream ICA in this environment or the UDP stream. If this is required then make the adjustments required in the security group.
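A check for the resulting group, as an added example that is not from the original post: it reads inbound rules in the IpPermissions shape returned by aws ec2 describe-security-groups and reports missing services, ports outside RDP/HTTP/ICA/CGP, non-TCP rules, and RDP sources outside an admin range. Treating RDP as admin-only is an assumption, and the sample rules and the 203.0.113.0/24 range are constructed.

```python
import ipaddress

# TCP ports for the services the post opens: RDP, HTTP, ICA and CGP.
EXPECTED = {3389: "RDP", 80: "HTTP", 1494: "ICA", 2598: "CGP"}
ADMIN_ONLY = {3389}  # assumption: RDP is needed only from admin addresses

def audit_ingress(ip_permissions, admin_cidrs):
    """Return sorted findings for a security group's inbound IpPermissions."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings, seen = set(), set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto != "tcp":
            # The post leaves the UDP stream disabled, so only TCP is expected.
            findings.add(f"unexpected protocol {proto}")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        sources = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        opened = {p for p in EXPECTED if lo <= p <= hi}
        if hi - lo + 1 > len(opened):
            findings.add(f"rule {lo}-{hi}/tcp opens ports the post does not use")
        seen |= opened
        for port in opened & ADMIN_ONLY:
            for src in sources:
                if not any(src.subnet_of(net) for net in admin_nets):
                    findings.add(f"{EXPECTED[port]} ({port}/tcp) reachable from {src}")
    for port in set(EXPECTED) - seen:
        findings.add(f"{EXPECTED[port]} ({port}/tcp) has no rule")
    return sorted(findings)

def rule(port, cidr, proto="tcp"):
    """Build one single-port rule in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample groups, not taken from the post.
LOOSE = [rule(3389, "0.0.0.0/0"), rule(80, "0.0.0.0/0"), rule(1494, "0.0.0.0/0")]
TIGHT = [rule(3389, "203.0.113.10/32"), rule(80, "0.0.0.0/0"),
         rule(1494, "0.0.0.0/0"), rule(2598, "0.0.0.0/0")]
```

Calling audit_ingress(LOOSE, ["203.0.113.0/24"]) reports the missing CGP rule and RDP reachable from 0.0.0.0/0, while TIGHT returns no findings.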

Navigate to images and search for an AMI to use.  In this instance I used ami-f4dfa1a6 (amazon/Windows-2008R2-SP1-English-Base-v101).  Once selected you will need to launch the instance.

On launch you are required to select the number of instances, availability zone and instance type. If you are unsure of the cost or location, Amazon provides a very good pricing guide and FAQ, which is well worth referencing.

After selecting the type you will be asked to create a key pair, configure the firewall (which is a matter of adding the instance to your security group) and review the information you have selected.

From the EC2 dashboard it is now possible to start the instance.  The status will change from stopped, to pending and then running.  Once running right click the instance and retrieve the Windows password and connect to the device.  This will start an RDP session to the server.

After logging into the server launch the EC2 Configuration Service and untick the Set Computer Name, Initialize Drives and Password options. Then in Computer Management reset the computer's hostname. The new hostname will be used as the license server name.

I have not played with the features however if I was to build more than one device and required the use of Sysprep then this may change the options I have chosen.

Following a reboot, download the XenApp 6.5 ISO and mount on the server.  I used Virtual CloneDriver for this.   It is possible to convert this instance to a template for further use; I have not completed this step in this case.
Please note:  you will need a MyCitrix account to access the media and evaluation licenses.

Once mounted follow the XenApp 6.5 install process, installing the edition and components required.  For a single server set up I installed XenApp, web interface and licensing all on a single device.

In this environment I have not used an AWS elastic IP address and am therefore presented with a different public IP address at each instance start. Therefore, to access published applications over the Internet I have configured the Web Interface and Services Site to use Alternate address translation, and on each instance start I set the AltAddr on the XenApp server to map the current public IP address.

Setting the secure access method on the XenApp Web Interface and Services sites.


Setting the Alternate address on a XenApp 6.5 server

Windows 8, Touch me Now!

There have been a number of blogs about the Windows 8 Metro look and feel, some positive some negative.  In my own experience if you use the OS from a touch enabled device the experience is good, try using a mouse and it is frustrating.  No doubt it will be possible to switch between interfaces however what I would like to see is the intelligence in the operating system to detect the type of device you are using and then present the interface based on the result.  Between devices if the user choices and settings can be synced then I think Microsoft will have a real winner.  In my opinion leave it up to admins to decide who gets what and when and force users to use an interface they are not happy with and the operating system will be rejected.

XenDesktop 5 References

In my last presentation at the Perth and Adelaide Citrix Tech Exchange I referenced a number of articles, for those that would like access to them I have listed them with links below:

The Virtual Desktop UX

More and more my conversations are moving away from just how well a screen loads or an app can be scrolled to placing the user in the centre of the IT world. Here I focus on defining how a user logs in, where they can work from, the target devices they utilise, how they will load their applications and even how they will cope with change. From this position I map out all the elements that will impact the user experience or what I like to call the Virtual Desktop UX.

I find starting conversations by trying to define the Desktop UX an interesting approach; it enables the focus of the project to change and places the emphasis squarely in one direction. It clearly defines that it is the desktop that is the point of change, and that the user's perception of that and how they work is the focus.