The Netscaler XenMobile wizard (10.5) do not give you the ability of offloading the MDM SSL traffic through ports (443 &  8443) at the Netscaler, instead it SSL-bridges the traffic to the device manager at the backend which adds CPU load on the MDM server.

Here are the steps required to perform an SSL offload of all MDM traffic at the netscaler level and therefor reinitaite the traffic from NetScaler to the Device Manager on port 80 or 8443

Do not use port 443 at any condition!
XenMobile 10: If you prefer to use port 80 as communication port to the XenMobile appliance, you need to allow port 80 traffic on XenMobile’s built-in firewall

To enable HTTP communication to XenMobile 10 appliance via port 80, navigate to the CLI console – Configuration Menu – Firewall and Set “y” to enable port 80.








1. Copy cacerts.pem and copy it to your desktop, Open it with Notepad++, copy the first section of the pem certificate and save it as “DeviceCA.pem” and the second section of the pem certificate a “RootCA.pem”.

How to find the Devices CA certificates?

XenMobile 9: Navigate to C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf
XenMobile 10: Logon to your MDM through “https://ip-to-your-xms-appliance:4443”, Hit Configure tab – Settings – Certificates and export the Device CA Cert…

2. Logon to the Netscaler (Traffic Management – SSL – Certificates) and install both server certificates (Do not forget to bind the Device CA to the Root CA)

3. Move over to (Traffic Management – SSL – Policies)

  • Under SSL Actions Click on Add to create an SSL Action.
  • Provide an Action Name, Enable the Client Certificate from the drop down select and provide the Certificate Tag as NSClientCert and Click Create.
  • Select Policies,  Under Policies Click on Add to create SSL Policy.
  • Provide a Policy Name, select the Action from the drop down that you have created in the previous step and provide the expression value as CLIENT.SSL.CLIENT_CERT.EXISTS Click Create.




4. Create a HTTP profile to disable Multiplexing…
Navigate to: System – Profiles – HTTP Profiles.

  • Add a new HTTP Profile and give it a name.
  • Uncheck Connection Multiplexing and click Create

5. Navigate to Traffic Management – Load Balancing – “Services” or “Service Groups”.

5.1 Add a new virtual Load Balancing Service or Service Group

  • Protocol – SSL
  • Port – 8443
  • IP – IP of the XenMobile Device Manager server

Create it!

5.2. Navigate to Traffic Management > Load Balancing > Virtual Servers.

Add a new virtual server (port: 443) with the following settings:

  • Protocol – SSL
  •  Port – 443
  • Bind the “services or service group” you just created (step 5.1)
  • Click SSL Settings and add the following certificates:
    Select your External Load Balancer SSL Certificate and Add it as server certificate.
    Select both Devices-CA and Root-CA certificate and Add those as CA (OCSP Optional).
  • Select SSL Parameters and hit “Edit”
    check the option Client Authentication and select Optional from the drop-down list and
    Verify that Enable Session Reuse is checked and change the Time-Out to 15
  • Select SSL Policies and insert the Policy that was created on Step 3.
  • Select Persistance and choose SSLSESSION with Time-out 1440 min
  • Select Profiles and bind the Multiplexing profile we created in section 4

5.3. Add another new virtual server (port: 8443) with the following settings:

  • Protocol – SSL
  • Port – 8443
  • Under the Services and Service Groups tab, Bind your existing XenMobile Device Manager Server service or service group.
  • Under Certificates tab , select only your External Load Balancer SSL Certificate and bind it. (Do not add any of the CA certificates).
  • SelectSelect SSL Parameters and hit “Edit”, and verify that Enable Session Reuse is checked and change the Time-Out to 15
  • Select Persistance and choose SSLSESSION with Time-out 2 min
  • Select Profiles and bind the Multiplexing profile we created in section 4 and create the virtual Server.

Note: Do not bind the SSL Parameters or the SSL policy to 8443 Virtual Server. Those should be bound only to 443 Virtual server.

You should be able to enroll your devices now 🙂