How to set up Citrix XenMobile 10 (including configuring NetScaler)

On February 17, Citrix released the long-awaited XenMobile 10. The big difference from previous versions is that XenMobile 10 now consists of one component, the XenMobile Server (XMS), so there is no longer a XenMobile MDM installation on a Windows Server plus a separate App Controller to configure.

The XenMobile Server is, just like the old App Controller, a Unix appliance running on a XenServer, Hyper-V or VMware hypervisor. Because it is now one component, you need 50% fewer resources than in previous versions and it is much faster to implement (see blog below). In addition, you have one administrator console for both MDM and MAM.

I will show you how to set up Citrix XenMobile 10 in a few steps, including the NetScaler configuration. But before I begin, let’s talk about the XenMobile 10 requirements.

XenMobile 10 Requirements

  • Ports need to be open in the firewalls (see Citrix eDocs)
  • A XenServer, Hyper-V or VMware hypervisor
  • Microsoft SQL Server 2012 or 2014 (for production environments)
  • XenMobile License
  • Apple Push Notification Services (APNS) certificate (if managing Apple devices)
  • Service account with DBCreator rights on the SQL Server and AD read rights
  • 4 free IP addresses in the DMZ (when implementing XenMobile with NetScaler)
  • 2 free public IP addresses
  • 2 SSL certificates (can also be a wildcard certificate)
  • NetScaler Gateway (NetScaler Standard or higher when using Load Balancing)
  • Microsoft Exchange (optional)

For publishing applications there are some more requirements, but I will talk about those in another blog post.

My Environment

First, let me say something about my environment. I have the same external and internal domain name. For the Citrix XenMobile 10 setup I use a wildcard certificate. Two external DNS records have been created;


In my DMZ I have the following four free IP addresses for XenMobile 10;

  • (XenMobile Server)
  • (MAM Gateway)
  • (MAM Load Balancer)
  • (MDM Load Balancer)
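
A pre-flight check for the naming and addressing plan described above, as an added example that is not part of the original post. It applies the rule from the console setup further down (the XMS FQDN must be the external MDM address), checks that the certificate names cover both external DNS records, and checks the four DMZ addresses. All hostnames, addresses and the `Plan` fields are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# The four DMZ addresses the article reserves for XenMobile 10 behind NetScaler.
REQUIRED_ROLES = ("XenMobile Server", "MAM Gateway",
                  "MAM Load Balancer", "MDM Load Balancer")


def cert_covers(hostname, cert_names):
    """True if one of the certificate names matches hostname.

    Wildcards follow the usual TLS rule: '*' must be the whole left-most
    label and stands for exactly one label, so '*.example.com' matches
    'mdm.example.com' but not 'example.com' or 'mdm.dmz.example.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


@dataclass
class Plan:                  # hypothetical structure, not a Citrix format
    xms_fqdn: str            # FQDN typed into the XMS console wizard
    mdm_fqdn: str            # external DNS record for MDM (enrollment)
    mam_fqdn: str            # external DNS record for MAM (NetScaler Gateway)
    cert_names: list         # names on the SSL certificate(s) to be imported
    dmz_subnet: str          # DMZ network in CIDR notation
    dmz_ips: dict            # role -> planned DMZ address
    ldap_port: int = 389     # the article's wizard screens use 389


def check_plan(plan):
    """Return (code, message) findings; an empty list means no issues."""
    findings = []
    if plan.xms_fqdn.lower().rstrip(".") != plan.mdm_fqdn.lower().rstrip("."):
        findings.append(("XMS_FQDN_NOT_MDM",
                         "XMS FQDN must be the external MDM address"))
    for label, fqdn in (("MDM", plan.mdm_fqdn), ("MAM", plan.mam_fqdn)):
        if not cert_covers(fqdn, plan.cert_names):
            findings.append((f"CERT_MISSES_{label}",
                             f"no certificate name matches {fqdn}"))
    subnet = ipaddress.ip_network(plan.dmz_subnet)
    seen = {}
    for role in REQUIRED_ROLES:
        raw = plan.dmz_ips.get(role)
        if raw is None:
            findings.append(("IP_MISSING", f"no DMZ address for {role}"))
            continue
        ip = ipaddress.ip_address(raw)
        if ip not in subnet:
            findings.append(("IP_OUTSIDE_DMZ", f"{role}: {ip} not in {subnet}"))
        if ip in seen:
            findings.append(("IP_DUPLICATE",
                             f"{role} shares {ip} with {seen[ip]}"))
        seen[ip] = role
    if plan.ldap_port == 389:
        findings.append(("LDAP_CLEARTEXT",
                         "port 389 is unencrypted LDAP; the service account "
                         "bind is not protected in transit"))
    return findings


def codes(plan):
    """Finding codes only, in the order the checks ran."""
    return [code for code, _ in check_plan(plan)]


# Constructed sample plans (documentation names and address ranges).
GOOD_PLAN = Plan(
    xms_fqdn="mdm.example.com", mdm_fqdn="mdm.example.com",
    mam_fqdn="mam.example.com", cert_names=["*.example.com"],
    dmz_subnet="192.0.2.0/24",
    dmz_ips={"XenMobile Server": "192.0.2.10", "MAM Gateway": "192.0.2.11",
             "MAM Load Balancer": "192.0.2.12",
             "MDM Load Balancer": "192.0.2.13"})

BAD_PLAN = Plan(
    xms_fqdn="xms01.corp.example.com", mdm_fqdn="mdm.example.com",
    mam_fqdn="mam.example.com", cert_names=["mdm.example.com"],
    dmz_subnet="192.0.2.0/24",
    dmz_ips={"XenMobile Server": "192.0.2.10", "MAM Gateway": "192.0.2.11",
             "MAM Load Balancer": "192.0.2.11",
             "MDM Load Balancer": "198.51.100.5"},
    ldap_port=636)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        for code, message in check_plan(plan):
            print(f"{name}: {code}: {message}")
```
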

Setting up Citrix XenMobile 10

After uploading the Citrix XenMobile appliance to the hypervisor, start the virtual machine and open the command window.

Enter a new password for the command line admin account. This is a different account from the web interface administrator.

Fill in the following information;

IP address: <the IP address for the XMS, in my case>
Netmask: <the Netmask>
Default gateway: <IP of the default gateway in the DMZ>
Primary DNS server: <IP of the DNS server>
Secondary DNS server: <Optionally a secondary DNS server IP>

Press Y and Enter to commit the settings.

To generate a random passphrase, type Y and press Enter.

Press y or n to choose whether to enable FIPS mode. For this setup I press N and Enter.

For production environments, always use an external database server. For PoC / test environments you can use a local database for a quick setup. In my case I enter L and press Enter.

Enter the XenMobile Server FQDN. This must be the external MDM address. In my case and press Enter. Press Y to commit.

Now you have the option to change the default ports. If you don’t want to change them, press Enter four times and press y to commit the settings.

Press y to set the same password for all the certificates of the PKI.

Then enter the new password and press y to commit the settings.

Fill in the web interface administrator information. Specify an administrator username and password. Type y to commit the settings.

The last step in the command line setup is the question whether you want to upgrade from a previous release. In this case I will set up a new environment. Type N and press Enter.

After that, XenMobile 10 will be configured. After a few minutes the XenMobile 10 appliance is ready for the web interface setup. The web interface URL is displayed above “Starting monitoring..”. It will be the XenMobile Server IP:4443. In my case HTTPS://

Open a browser and go to the URL from the previous step. Log in with the configured administrator account.

Press the Start button

You can use a local or a remote license server. If you don’t upload a license, you will run in a 30-day trial period. Click Next

The next step is to upload the certificates. If you are going to manage iOS devices you need to upload an APNS certificate in addition to an SSL Listener certificate. Click on the Import button.

For the APNS certificate, make the following selections;

Import: Keystore
Keystore type: PKCS#12
Use as: APNs

Browse to the Keystore file (APNS .pfx file) and fill in the Password.

Click Import

Click on OK

Click on Import again

Make the following selections;

Import: Keystore
Keystore type: PKCS#12
Use as: SSL Listener

Browse to the Keystore file (SSL .pfx file) and fill in the Password.

Click Import

Click Ok

Click Next

Fill in the following information;

Name: <anything you like>
Alias: <anything you like>
External URL: <external MAM address, for example>
Logon Type: Domain only

Click Next

Fill in the following information;

Primary server: <first DC>
Secondary server: <second DC (optional)>
Port: 389 (if using unsecure LDAP)
Domain name: <domain name>
User base DN: for example dc=robinhobo,dc=com
Group base DN: for example dc=robinhobo,dc=com
User ID: <the service account>
Password: <service account password>

Scroll down the page..

Fill in the following information;

Domain alias; <for example>

Click Next

Fill in your Microsoft Exchange server / Notification Server (optional) information and click Next

Click Finish

Click Start Managing Apps and Devices

Restart the Citrix XenMobile server so the certificates become active.

The Citrix XenMobile server now has its basic configuration. At this point you can start configuring Deployment Groups, Policies, Actions and Applications.

Configuring the NetScaler for Citrix XenMobile 10

Since Citrix NetScaler 10.5 build 54.9 there is a Citrix XenMobile 10 wizard available. This wizard will create a Gateway virtual server for MAM, a Load Balancer for MDM and a Load Balancer for MAM. For this you need NetScaler Standard or higher. In the following steps I will guide you through the wizard. I assume that the SSL certificates are already installed on the NetScaler.

On the left side, click on XenMobile. On the right side select XenMobile 10 and click on Get Started

On the left side select Access through NetScaler Gateway and Load Balance XenMobile Servers and click Continue

Fill in the following information;

NetScaler Gateway IP Address: <a free IP in the DMZ, in my case>
Port: 443

Click Continue

Select the MAM SSL certificate or the wildcard certificate and click Continue

Fill in the following information;

IP Address: <IP Address of your DC>
Port: 389 (if using unsecure LDAP)
Base DN: <for example dc=robinhobo,dc=com>
Service account: <your XenMobile service account>
Password: <the service account password>
Server Logon Name Attribute: userPrincipalName or samAccountName

Click Continue

Now here is the tricky part. The wizard asks for a server address for MAM; however, you need to fill in the external MDM address / XenMobile hostname. In my case:

Fill in the Load Balancing IP address for MAM, in my case The port is 8443

Click Continue

Select the wildcard certificate and click Continue

Click Add Server

Fill in the IP address of the XenMobile server and click Add

Click Continue

Click Load Balance Device Manager Servers

Fill in the following information;

IP Address: <a free IP address in the DMZ segment, in my case>

Click Continue

Click Continue

Click Done


  • Robin,

    Have you ever used regular Standard SSL certificates for both the Netscaler and App/MDM Appliance? Then use wildcard cert for your internal domain when they don’t match up? When your external domain doesn’t match your internal domain what do you name the App/MDM appliance FQDN external or FQDN internal?

    • Hi Colby, the XMS server should always have the external hostname. The external SSL cert (for MDM address) must be installed on the XenMobile Server (can be a non-wildcard cert) when configuring SSL Bridge on the NetScaler.

  • Thanks Robin, looking forward to your DuCUG Bring Your Own Session!.

    Disappointing to see that NetScaler E releases are not supported because these are still pre 54 firmware level.

  • Thanks for this Robin, it was very helpful. In your setup, did you hook the XMS to Storefront? Are you able to enumerate your XenApp/XenDesktop applications and desktop through the Worx Store?

    Everything worked fine for us except that we can’t see any of our Xenapp Apps or Desktops in the Worx Store. We only see mobile Apps like WorxWeb and WorxEdit.

    Any input would be greatly appreciated.

    • First of all did you configure the relative path including the config.xml? Within XenMobile 10 at the support tools page you can view the DebugLog and search for PNAgent to find more information about your problem. Hope this will help you. Please let me know.

  • According to the IP addresses that you put in the XenMobile 10 installation article, as we should configure the firewall port redirects? Does the external address of MDM and MAM should be appointed to which the IP of ?DMZ .

  • Robin,

    Have you managed to create a Microsoft SQL Server database with a named instance? It seems like a pretty straightforward and common thing to do, but I am yet to find any documentation on how to do it. I have a support call open with Citrix, but the 1st line support agent I spoke to only knew how to create a SQL Server database to a default instance. I’m waiting for them to get back to me.

    • Hi Stephen, never setup a SQL database when using an instance. But today I did. Configured a SQL 2014 server with an instance. I was not able to setup the database no matter how, tried several ways but none were successful. Seems like a bug to me.

      • Hi Stephan, it seems to work if you configure a port number on your SQL instance and configure that port number during the XMS setup.

  • Thanks for this guide I followed step by step. I have a problem though: when I connect from “worx home” to the fqdn are asked if enroll the device, if select “No” then I have the message “Could not reach the server. PLease verify your mail or server address and try again”, if select “Yes” I proposed user and password, in this case with any method (domain\user or user@domain or I have always the message “please verify your credentials and try again.”. Can you help me? Thanks

    • Hi Francesco, sounds like a configuration / connection problem. If you open the support page within the XenMobile 10 console you can do some connectivity checks (also for the NetScaler) to see if there are any problems.

      • Thank You. In the test of “NSG Connection” I error equal for both the component MAM that for the component MDM:
        “monitorname is not resolved by configured DNS servers.” .can you help me?

        • You can add the DNS Record manually on the NetScaler. Although it’s strange it can not resolve by the DNS server. What is the DNS server status on the NetScaler? Is it online?

        • Did you ever work this out? I’ve just got the same error from both NS and XM consoles; it effectively allows me to enroll and yet I receive an error on the client device. Looking at the NS config, it looks okay, nothing obvious. The DNS is seen because part of the test is DNS lookup and that gets a green tick.

  • Thanks for the response Robin!

    I have noticed lots of this in the logs:
    2015-02-27T11:18:59.937-0500 | 6f2ed3bac9a8a779 | ERROR | http-nio-18443-exec-32 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials
    2015-02-27T11:19:06.488-0500 | 6f2ed3bac9a8a779 | ERROR | http-nio-18443-exec-32 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials
    2015-02-27T11:19:06.805-0500 | 6f2ed3bac9a8a779 | ERROR | http-nio-18443-exec-5 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials
    2015-02-28T11:50:29.824-0500 | 6f2ed3bac9a8a779 | ERROR | http-nio-18443-exec-5 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials
    2015-02-28T11:50:31.143-0500 | 7ebbab279bf2a1e7 | ERROR | http-nio-18443-exec-41 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials
    2015-02-28T11:50:33.432-0500 | 39b1a55039cd831d | ERROR | http-nio-18443-exec-42 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials
    2015-02-28T11:50:33.762-0500 | 7ebbab279bf2a1e7 | ERROR | http-nio-18443-exec-41 | | Exception while getting HDX Apps ..CharlotteErrorBadCredentials

    The PNAgent URL is valid for sure – I have tested it and the logs show the correct URL. The problem seems to be when the MDM goes to Storefront to enumerate the apps. I have storefront 2.6.


  • P.S. In all fairness to you Robin, I want to let you know that I have had a case (68862733) open with Citrix Support since the 23rd of February.

    I see that it was escalated on Friday.

    Wondering what is so unique about our environment that we can’t seem to get it working. We had Xenmobile 9 working no problem – except for the fact that it was Xenmobile 9 and the server consolidation and other features of 10 seem attractive.

    • It says BadCredentials.. can it be a UPN / SAM account name issue? XenMobile is by default UPN, how are the LDAP policies for the Gateway (for StoreFront) configured?

  • Thanks Robin. From XenMobile 10 console/NetScaler Gateway Connectivity Checks on MAM and on MDM I find this error “‘-monitorName’ is not resolved by configured DNS servers.” Do you know what can I configure? thank you

    • I guess this is a bug.

      If you check your NSCONF File on netscaler you will see two lines binding the monitor to the service

      bind serviceGroup SVC_HTTPS_Storefront -monitorName https-ecv

      which is the HTTPS Monitor


      bind serviceGroup XD_SG_externalip -monitorName XD_MON_externalip

      if you have configured a netscaler gateway

      as there is no other MonitorName in the nsconf file, this can just be a bug in the checking routine.

      my environment brings up the same error, but runs like a charm

  • Yes Robin,

    I believe it is a UPN/SAM issue, I have the MDM set for UPN, but it keeps passing the SAMAccountName to Storefront. In addition, all of my netscaler Auth/LDAP policies are UPN, and they work fine against storefront. We are a CSP, so we do everything UPN.

  • Thanks for the nice guide. My problem: After enroll the device I have only a blank screen with the icon ‘worx store’, when I click: ‘Please contact support for access to your apps.” You know why?

    • Hi Frank, That is probably a wrong mam fqdn within the NetScaler configuration or a wrong NetScaler Gateway configuration within XMS.

      • OK
        My problem was not caused by a misconfiguration, but other configurations, operating and active on NetScaler. Starting with a clean NetScaler is fine with no errors. Thanks again for guide.

        • Whoaaah, this is exactly my problem. Deploying NetScaler and XenMobile using this tutorial i finally managed to finish it … Enrollment, Custom Policy, Device Locate, Change terms and agreement is fine … But when clicking Worx Store icon, it only shows the same error message … “Please contact support, etc etc ”

          I want to clean install the NetScaler again, but this blog on step number 82 tells additional configuration on NetScaler, can you confirm about this?

          Thank you in advance

  • Hi Robin,

    Thanx for this guide. Your blog is the best for Citrix guides! congrats!!

  • Just curious Robin – is yours working with SF? I was informed by Citrix today that I am not the only one reporting this error. Still no solution. It is getting escalated again tomorrow.

  • Hi Robin,

    I got a message on my worxhome when I try to connect to XMD through Netscaler: the server certificate is not trusted. I checked all the guide on the net, but none of them worked. Could you help me?

  • Hi Robin,
    nice Article, but I have a few questions.
    Do I still necessarily need two external addresses for MAM and MDM? I hoped because of the server consolidation all the connections could go over one address.
    And if I only use one XenMobile Server, do I have to configure a Load Balancer in NetScaler?
    Thanks in advance!

    • Hi Flo, by default you need two public addresses. However if you are good in creating content switching servers on the NetScaler you can give it a try to let it work with only one public IP address. And for your second question, no you don’t need the load balancer for XenMobile to work, however, if you want to use the XenMobile 10 wizard on the NetScaler you need it. There is no way to skip that step.

  • Thanks, looks like a great guide. Waiting for their upgrade utility to come out later this month before upgrading. Your blog is great though and a good resource. Maybe you could post an upgrade guide when the upgrade utility is released?

  • Great Article Robin!

    Have you ever tried to put both XenMobile 10 and XenApp on the same Netscaler box? It seems to break the micro vpn connection on the MAM…

    I’ve tried in my lab and the only workaround is to separate XenApp and XenMobile 10 into two netscaler boxes… 🙁

    • Hi Paul, I have it working in my environment. More people seem to have this problem (see other comments under this blog). I did not use the wizard for setting up the XenApp/XenDesktop environment. Perhaps it’s a wizard thing? Did you use the wizard?

  • great article robin! thanks!

    I’ve just tried this on top of my XenApp + netscaler lab. It seems there is a bug on netscaler if XenApp and XMS co-exist in the same box…. the vpn tunnel of MAM just failed… but it goes well if I take the XenApp setup away…

    any idea for that?

  • Quick question! On the Netscaler XenMobile Settings, I put in my mdm address in the load balancing FQDN for MAM, but for the load balancing IP address field, is that just the IP of or is another free IP in the DMZ?

  • Thanks for that How-To

    The part with the MDM load balancer was truly tricky. It was the part where I always got stuck, and nothing worked correctly afterwards.

    But one question. When I try to connect via web browser to the gateway-address and I log in, is it normal that I got an error message “HTTP Status 404 – Not Found”

    I already have a gateway running for my XenDesktop farm, so it would be great when I could use one gateway for XenDesktop and XenMobile

    • Hi Sascha, Yes that is correct. Got the same error message when opening the MAM address with a browser. Checked this by Citrix but this is by design.

      • Hi Guys, as Robin mentioned this is by design, as Citrix changed the MAM part and it is no longer possible to access applications via web content. This was announced by Citrix. We have many customers who complained about this, as they would like to use it as before. Answer from CTX SE was….. working on it, it should be available for CTX receiver NX1.

  • Robin,

    Maybe you can help me out. I configured ldap but i am unable to login in Worx using my AD credentials. I was able to add my XenMobile AD user group as a delivery group, so i know it’s connecting to my AD. However, when I try to login with my domain credentials I am denied. My ldap is set to search by upn. any thoughts on what i should check would be great.

    • FYI – switching the LDAP config to use SamAccount instead of UPN fixed that. I can authenticate using AD credentials.

  • Hi Robin
    With XM10.0, is it possible to place XMS servers within the corporate network and have Netscaler front end the external connections?
    Can you please point me to Citrix article or blog relating to that?


  • Thank you so much. Citrix documentation seems decent for MDM or MAM, but not both together, especially when Netscaler is involved. I have been trying on and off for the past couple months to get this to work. I was about to break down and open a case with Citrix when I came across your blog. Everything is working great now.

    Again, much appreciated.

  • Hi Robin,

    Excellent Blog. It’s helped us out immensely (even though we’ve been working with Citrix in standing up an environment)

    We have successfully registered an Android device with the XMS however, when the Android device tries to open the Worx Store via Worx Home, it opens up a page that displays the message:

    “Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request”

    Any ideas on why this is occurring?

    Keep up the great work.

    Also, as a future request, would you consider doing some architecture documents that highlights the data flows that are required to fully enrol and deliver applications to an endpoint device?


    • Hi, you can check your gateway configuration within the XenMobile configuration. Also make sure the NetScaler configuration is correct. Are the DNS records created to the XMS?

  • Thank you Robin for this guide.

    I can now open my store but can not see any MDX-Apps. If I create a WebLink, I can see it in the Store.

    Any Ideas where I should start my search?

    Thank you 🙂

  • So Robin, you are saying to get both MDM and XenDesktop/App (storefront) working together you would run the wizard for the MDM and then add the storefront integration manually? Sounds like an opportunity for a great combo article.

  • Hey Robin, your article is great, my team managed to deploy XenMobile and NetScaler using this tutorial …

    And, i would like ask some question;

    Opening reveals the XenMobile web console (with port 4443 for the admin login).

    But, opening reveals NetScaler login page which is different from the NetScaler VPX that we use for this demo and we cannot login using nsroot/nsroot account.

    What does actually that NetScaler login purpose for? And what should i use to login for that?

    Thank you in advance …
    With best regard,

    Myself =)

  • Hi Robin,

    thanks for your guide, it’s very helpful! I have already installed XenMobile and I have to integrate NetScaler. I have a quick question for you: why do you need two public IP address? Why is not enough NetScaler in order to access to XenMobile through it?

  • Looking at the following CTX article, I am not sure why there needs a entry to be created for an ADNS record to be created which is the same IP address as the Netscaler VIP for the MAM load balance entry.

    The CTX article indicates the following:

    this value is vital to ensure the NetScaler Gateway virtual server contacts the MAM load balancing virtual server (internally) and decide which XenMobile Server node to contact. The DNS record value points to the MAM load balancing virtual server (listening on 8443).
    This DNS record is not applicable for MDM traffic (for example, enrollment, application/policies push, and so on). Can you provide an onsite on this?

  • Robin, when defining firewall rules, does external traffic only go to the NetScaler LB VIP(s) or does traffic go to the XMS as well? the flow from the internal WAN, does all traffic flow back to the XMS or does it go to the LB VIP(s) as well?

    • Hi Maya,

      All data will be through the NetScaler and not to the NetScaler directly. Outside traffic will be from the XenMobile server directly to the internet.



  • Hi Robin:

    Is it possible to install Xenmobile 10 with Microsoft ISA Server instead of Citrix Netscaler?

    Thanks in advance

    • Hi Juan, You don’t even need a NetScaler for MDM, when using MAM mVPN you need a NetScaler. Technically for LB (which is optional) you can use anything you want, but remember that this is not supported by Citrix (Only NetScaler is supported).

  • It’s a good manual. Thanks~~

    Do you have experience that, when test send a ad-hoc notification via worx home. the admin console shows that “no valid phone number, e-mail or worx home token for the device”? , other thing ex. remote wipe or revoke all ok.

  • Hi Robin,

    Thank you! It’s a very good document. Do you have any estimates on how long to do the install and configuration. Considering everything is ok with hardware and networks.

  • Hi Robin,
    this blog is amazing…
    i have a question for you; I have only 1 Public IP Address. How can i solve this? is there a guide with net scaler single point access??
    sorry for my english.

  • Robin,

    Big fan of your work! Have a question for you. Is your NetScaler Gateway FQDN? You mention at the top of this thread that you have 2 public DNS records – 1 for MAM, 1 for MDM. Are you excluding the NetScaler Gateway DNS record here? So, in theory, you should have 3 total external DNS records – 1 for NSG, 1 for MAM, 1 for MDM?

    All VIPs should be public facing correct?

    • To clarify, this is my setup: (NetScaler Gateway) (MDM VIP) (MAM VIP)

      All are NAT through the firewall, with internal and external DNS records.

      Also, with this setup, which is technically the enrollment site? Shouldn’t it be the XenMobile hostname? (in my case,

      Thanks in advance!

  • Hi Robin,

    Thanks for sharing,
    Q. if I want to deploy MDM only how many DMZ ip I will need and still I need to check Access through NetScaler Gateway and Load Balance XenMobile Servers


  • HI Robin,

    Q. for MDM only how many DMZ IP I will need and can check only LB configuration on Netscaler.


    • Hi Mustafa, it depends on your setup. If your XMS is in the DMZ (recommended) you need one DMZ for every XMS server. If you are load balancing you need another IP for the LB address. A Gateway is only used for MAM and is not needed for MDM only implementations.

      Regards, Robin

  • Hi Robin,

    Thank you for this post, very helpful. I’m trying to setup a POC, here is my setup:

    1. One Public IP
    2. External DNS record,
    3. Installed and configured the XMS Server using this guide. XMS hostname is the same as my external URL,
    4. On my NetScaler, I ran the wizard exactly the same way you did, in XenMobile FQDN, I put in the hostname of my XMS Server.
    5. SSH into my NS, to make sure I was able to ping and resolve my XMS Server, which it did work.
    6. Went into my XMS Server to ping my (NetScaler Gateway IP) and it did work just fine.

    My problem is when I try to do the enrollment, it does not work externally through the NetScaler ( It does work internally, meaning by if my mobile device is connected via WIFI to my internal network.

    If I connect using a browser, I hit the interface, put in my username and password and then I get the 403 error, which is fine, as far as I know this is by design.

    Now, if I try with the Worx app, put in my, put in my username and password and then I get Request Failed.

    By the way, when I click on my Enrollment notification from my mobile device, it opens the……. and I get the error could not connect to the server.

    What am I missing?.

    I would appreciate your help.

  • Excellent write-up! Has anyone seen or know why I am getting “Security policy does not allow you to connect.” after entering my credentials within the Worx app?

  • Great write up Robin. We did this build for our POC but seems like we can’t hit from external. Err_Connection_Refused and confirmed firewall is passing to Netscaler. Used the wizard for netscaler.

    Able to authenticate to the XDM and get into WorxHome but profile and certificates don’t load.

    Inside works but security keeps iDevices outside so we need external Enrollment.


  • Disregard the previous comment. I was running this setup with a single external IP rather than two, one for MDM and one for MAM.

    Working on firewall and DNS changes now and hope to report back a fully functional system in a day or two. Darn Change management processes 😉

  • Robin, have you seen a way to reboot the XMS from the GUI? Just a side question, great write up once again.

    • Thanks Carla. For a reboot you have to log on to the console (on your hypervisor). The web interface of XenMobile 10.x does not have an option to reboot the server at this moment.

  • Robin nice job. Really good article. I have a question that i think you can answer.
    I have the checklist document for deployment from citrix, but im confused on the “netscaler gateway ip/MAM Gateway” portion of wizard. here is a visio screenshot of my setup.
    i have a
    mam vip
    mdm vip
    xenmobile server ip

    nowhere in that document does it talk about a mam gateway ip like the wizard is asking for. So my question is, what firewall rules do i need besides whats already setup in that screenshot?
    Thanks in advance.

  • Ah ok, so that MAM VIP that it wants in that document is actually the MAM gateway in your steps above.
    And the MAM LB does not need any external access?

      • something strange that is happening now.
        when im enrolling a ios device with the address as the mdm server name.
        at the point of installing “XenMobile Profile Service” it gives the error
        “Profile installation failed” -“a network error has occured”.
        i found this article from citrix

        and im not sure what they mean by
        “Make Sure Enrollment FQDN and XMS Server FQDN are same”
        The enrollment fqdn is the —natted to—> the mdm LB vserver ending in .7 in that diagram i posted earlier.

        What do they mean by the XMS Server FQDN? internally the fqdn of the xms server appliance is xmsserver , its not domain joined.
        do you know of a diagram or document thats explains this in a less confusing manner.

        Also im not sure if this matters but the external domain name cert im using is a wildcard.

        thanks again.

        • scratch that question.

          i just saw this step in your steps above.
          “Enter the XenMobile Server FQDN, this must be the external MDM address. In my case and press enter. Press Y to commit”

          I must’ve got confused and thought it meant an actual server name. Is there a way to change this or do I have to redeploy a new appliance and do everything again?

        • Hi James, What I always do is that I give my XenMobile server the same hostname as the external FQDN. If you configure it that way you can use the same SSL certificate on your XM server and on the NS. If not, you need to install a different SSL cert on your XM server and it always must be a FQDN address. For example, my XM server hostname is;

  • Hello,

    So you have an internal dns record that points to your XM Server and an external dns record that points to your XM Gateway VIP.. is it?

    it seems: (VIP from NSGW) (MAM LB VIP) – ?? What about this one?

    • No. You have two external DNS records; pointing to MDM LB VIP and pointing to NSGW VIP. On the Netscaler there is a DNS record pointing to the MDM LB VIP. The NSGW is forwarding traffic to the MAM LB VIP.

  • Great write up Robin! I just want to add that YOU CANNOT CHANGE THE FQDN later on so make sure that this is established on setup, and is using the same name as your certificate or you will need to START FROM SCRATCH

  • Hi there, I got this error after wrapping apps with Citrix MDX Toolkit:
    ###Analyzing app…
    Using package-specific policies.
    I: Generating new resources
    I: Creating a new

    Unexpected error occurred: String index out of range: -1

    So the process did not get to the end.
    Been digging for a while and many people say the cause should be in the paths defined in file /Applications/Citrix/MDXToolkit/android_settings.txt, which I triple-checked.

    Any ideas/suggestions will be much appreciated!

    • Hi Alejandro, I had this before. Updating the Android SDK to the latest version and changed the paths in android_settings.txt to the latest versions solved my problem. Regards, Robin

  • A query, my deployment will be the following
    -two xenmobile Servers,,
    -Netscaler (NIP
    -certified wildcard (*
    -domain controller ( contoso.local
    -configured samaccountname
    – 6 IP DMZ (XenMobile Server) (XenMobile Server) (MAM Gateway) (MAM load balancer) (MDM Load Balancer)
    – 2 public IP ( and (

    My question is
    With a single certified wildcard (*. DigiCert is Enough?
    The external NAT an internal is as follows:,: 443-> (MDM Balancer)> Gateway)
    From already thank you very much

  • Hello Robin,

    Thank you for your effort – great work!
    It would be nice to mention that users should also configure XMS to use NTP servers, we had issues because our XMS time was different from NetScaler time.

    Kind regards

  • Great Instruction Robin. We have an issue where we had to change the UPN for a 365 move which has broken XenMobile. Have re synced Ldap but still not working. Any troubleshooting suggestions?

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.
