Wednesday, April 15, 2015

2. Citrix XenMobile: Configuring Citrix AccessGateway and Citrix AppController 9


To configure AccessGateway to proxy connections to AppController you need to:
1. Have AccessGateway at version 10.1: Build 126.1203.e.nc or later (e means enhanced), in SmartAccessMode;
2. Configure an authentication policy for AppController on AccessGateway;
3. Configure a session policy for AppController on AccessGateway;
4. Add the AccessGateway callback information in the AppController settings.

In the expression for AppController I'm using "zenprise"; it works with Android and iOS devices.

For a multiple-domain environment, just create a new authentication policy for the subdomain and don't use the SSO Name Attribute (leave the field empty). Also leave the Single Sign-on domain field empty in the session policy PL_WX.





Now we need to configure AppController for access from AccessGateway:

1. Go to https://appcontroller.company.com:4443/ControlPoint/

2. Click "Settings" - "Deploy" and configure the AccessGateway information as shown in the screenshot.




That's it. You can verify your settings by connecting to accessgateway.company.com with the WorxHome client (don't forget to uncheck "Require Device Manager enrollment" in Settings - XenMobile MDM on AppController).

1. Citrix Xenmobile: Deploy prerequisites
2. Citrix Xenmobile: Configuring Citrix AccessGateway and Citrix AppController 9

Friday, April 10, 2015

1. Citrix Xenmobile: Deploy prerequisites

I'm trying to improve my writing English skill. A little awkward but I'm trying my best :)

Here we go!

Servers:
1. Two Xenmobile Device Manager servers for load balancing and redundancy.
2. Two AppController servers for high availability (active/standby). You can use HA or a cluster (with NetScaler); you can't use an LBVIP to load balance AppController servers.
3. Two Storage Zone Controller servers for load balancing and redundancy.
4. One license server with version 11.12
5. MPX or VPX NetScaler with 10.1: Build 126.1203.e.nc or 10.5 with e (e means enhanced; these builds have the Xenmobile or Sharefile Wizard, which helps you quickly configure LBVIPs for these servers). An Enterprise license is recommended. You can use a Standard license too, but you will not be able to use the Xenmobile Wizard, because it requires the AAA feature, which is included only in the Enterprise NetScaler license. Important: you need to switch your AccessGateway from Basic Mode to SmartAccessMode and install the Access Gateway Universal License (http://support.citrix.com/article/CTX126049). This is needed to enable the Micro VPN feature. You will still be able to access your Storefront through this AccessGateway after switching to SmartAccessMode.
6. Optional. If you want to access XenMobile/XenDesktop apps/desktops from WorxHome, you will need two Storefront servers for load balancing and redundancy.

Public IP:
1. Public IP for the Xenmobile Device Manager servers. If you want to load balance these servers, you need to publish the LBVIP to the external network.
2. Public IP for the Access Gateway that will work as a proxy for the AppController servers. If you already have an Access Gateway published to the external network with Storefront (or WebInterface) session policies, you can use that Access Gateway. Just add an additional session policy for AppController.
3. Public IP for the Storage Zone Controller servers (Sharefile Enterprise). If you want to load balance these servers, you need to publish the LBVIP to the external network.

External DNS records:
1. For Xenmobile Device Manager servers or LBVIP. For example: xmdm.company.com
2. For Access Gateway (if you don't already have one). For example: agee.company.com
3. For Storage Zone Controller servers or LBVIP. For example: sharefile.company.com

Public SSL certificate:
1. For the Xenmobile Device Manager servers you need a publicly signed SSL certificate, installed on the Xenmobile Device Manager servers if you use SSL_BRIDGE (http://support.citrix.com/article/CTX136952) or on the LBVIP if you use SSL Offload (http://blogs.citrix.com/2013/12/13/xenmobile-configure-ns-ssl-offload-for-device-manager/).
2. For the Access Gateway that will work as a proxy for the AppController servers. If you already use an Access Gateway for Storefront with a public SSL certificate, you won't need an additional public SSL certificate.
3. For the Storage Zone Controller servers. If you want to load balance these servers, you need to install the public SSL certificate on the LBVIP.

Internal SSL certificate:
1. For AppController if you use Access Gateway.
2. For the Storage Zone Controller servers. The internal SSL certificate needs to be installed in IIS on each Storage Zone Controller server that you load balance.

A wildcard certificate works well for this.

External Ports:
To:
1. 80, 443, 8443 to Xenmobile Device Manager servers or LBVIP.
2. 443 to Access Gateway.
3. 443 to Storage Zone Controller servers or LBVIP.

From:
1. Xenmobile Device Manager servers to:
1.1 Apple Push Notification Service (APNS):
gateway.push.apple.com:2195
feedback.push.apple.com:2196
It's a good idea to allow the whole Apple network 17.0.0.0/8 on these ports, because the APNS hosts are load balanced and sometimes change their IP addresses.
1.2 Appstore and Google play:
itunes.apple.com: 80 and 443
ax.itunes.apple.com: 80 and 443
ax.itunes.com: 80 and 443
play.google.com: 80 and 443
android.clients.google.com: 80 and 443

2. AppController servers to:
2.1 Appstore and Google play (Important: the ports to the Appstore and Google play must be open from both Xenmobile Device Manager and AppController at the same time):
itunes.apple.com: 80 and 443
ax.itunes.apple.com: 80 and 443
ax.itunes.com: 80 and 443
play.google.com: 80 and 443
android.clients.google.com: 80 and 443

2.2 Sharefile Enterprise Account (company.sharefile.com for US or company.sharefile.eu for Europe. You will get this address when you buy Sharefile licenses):
company.sharefile.com:443
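
The outbound ("From:") list above can be checked against a firewall allow-list before deployment. The script below is an added example, not part of the original post: the rule format, the role names `xdm` and `appcontroller`, and the resolved APNS addresses are assumptions constructed for illustration. The sample rule set leaves out the store access from AppController, the case the post marks as important.

```python
import ipaddress

STORES = ["itunes.apple.com", "ax.itunes.apple.com", "ax.itunes.com",
          "play.google.com", "android.clients.google.com"]

# Required egress taken from the post's "From:" list: (source role, host, port)
REQUIRED = (
    [("xdm", "gateway.push.apple.com", 2195),
     ("xdm", "feedback.push.apple.com", 2196)]
    + [(src, host, port) for src in ("xdm", "appcontroller")
       for host in STORES for port in (80, 443)]
    + [("appcontroller", "company.sharefile.com", 443)]
)

def covers(rule, src, host, port, resolved):
    """Return True if a single allow rule permits src -> host:port."""
    if rule["src"] != src or port not in rule["ports"]:
        return False
    try:
        net = ipaddress.ip_network(rule["dst"], strict=False)
    except ValueError:
        # Destination is not a CIDR, so treat it as an FQDN rule
        return rule["dst"].lower() == host.lower()
    addr = resolved.get(host)  # CIDR rules need a known address for the host
    return addr is not None and ipaddress.ip_address(addr) in net

def missing_flows(rules, resolved):
    """List every required flow that no allow rule covers."""
    return [f for f in REQUIRED
            if not any(covers(r, *f, resolved) for r in rules)]

# Constructed sample data (hypothetical addresses inside 17.0.0.0/8)
RESOLVED = {"gateway.push.apple.com": "17.0.0.10",
            "feedback.push.apple.com": "17.0.0.20"}
RULES = [
    {"src": "xdm", "dst": "17.0.0.0/8", "ports": {2195, 2196}},
    *({"src": "xdm", "dst": h, "ports": {80, 443}} for h in STORES),
    {"src": "appcontroller", "dst": "company.sharefile.com", "ports": {443}},
]

if __name__ == "__main__":
    for src, host, port in missing_flows(RULES, RESOLVED):
        print(f"MISSING: {src} -> {host}:{port}")
```
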

Trusts:
You need trust relationship between:
1. Access Gateway and AppController (use only DNS names (not IP addresses), add and link the root certificates in NetScaler and AppController, use only port 443).
2. Access Gateway and Storefront.
3. AppController and Storefront.

If you use the same wildcard certificate to configure all servers, you don't need additional configuration.
