NetScaler SSL OffLoad for Device Manager – Updated

As on today XenMobile Device Manager has a limitation where device manager should be placed in the DMZ network instead of Internal Network or the device manager traffic is front ended by NetScaler doing a SSL bridge. But now with XenMobile Device Manager SSL Offload Server Patch you can place the device manager in the internal network and offload all the SSL(443 &  8443) traffic @ NetScaler and reinitaite the traffic from NetScaler to the Device Manager on port 80.


  1. You need to have the NS with relevant license applied to it.
  2. You need to have the XenMobile Device Manager SSL Offload Server Patch.
  3. Valid Certificates on NetScaler.
  4. Port 80 opened from NetScaler to Device Manager Server.
Steps to Install XenMobile Device Manager SSL Offload Server Patch
  1. Download the SSL Offload patch from Citrix Downloads
  2. Copy the .jar file to: \XenMobile Device Manager\tomcat\webapps\[instance_name]\WEB-INF\lib (on all cluster nodes, in a clustered Device Manager configuration)
  3. Restart the XenMobile Device Manager Service.
  4. To confirm the installation of the patch, access http://XDM server/zdm/helper.jsp. You can find the installed patch details.
Export of Java Tomcat Root and Device CA Certs from Device Manager server
  1. Login to Device Manager Server.
  2. Navigate to C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf folder
  3. Copy cacerts.pem and copy it to your local hard drive (you will need to upload this into NetScaler.)
  4. Open the cacerts.pem cert with Notepad, copy the first section of the pem certificate and save it as Device CA and the second section of the pem certificate a Root CA.

Steps to Configure SSL Offload in NetScaler to XenMobile Device Manager

  • Login to NetScaler.
  • Expand SSL, Select Certificates and Install the Device CA and Root CA, also Install the Server certificate in NetScaler.
  • Under SSL, Select Policies,  Under Actions Click on Add to create SSL Action.
  • Provide the Action Name, Enable the Client Certificate from the drop down select and provide the Certificate Tag as NSClientCert and Click Create.
  • Under SSL, Select Policies,  Under Policies Click on Add to create SSL Policy.
  • Provide the Policy Name, select the Action from the drop down that you have created in the previous step and provide the expression value as CLIENT.SSL.CLIENT_CERT.EXISTS Click Create.
  • Expand Traffic Management, select Service under SSL Offload and click Add.
  • Provide the Service Name, provide XDM Server IP address and the protocol based on the Port (80), and from the Available Monitors Add the tcp monitor to the  Configured list of Monitors and Click Create.
  • Verify the service that you have created is up.(if the service is down please verify if XDM server is reachable from NS on port 80, Also make sure you have patch applied on the Device Manager).
  • Again, Expand Traffic Management, select Virtual Servers under SSL Offload and click Add.
  •  Provide the Server Name, provide Server IP address which is unused/that you have reserved to SSLOffload and the Port as 443 and select the XDM Service.
  • Under SSL Settings add the Server Certificate to the configured list.
  •  Push the Device CA and Root CA as Cert as CA from the Add drop down.
  • In the same pane, select SSL Policies and Insert the SSL Policy that you have created in the previous step and Click Ok.
  • Select SSL Parameter, check the check box for Client Authentication and set Client Certificate to Optional.
  • Provide the Server Name, provide Server IP address which is unused/that you have reserved to SSLOffload and the Port as 8443 and select the XDM Service,  Under SSL Settings select the certificate appropriately and click create. (You can find the steps to upload a cert in NS @
Note: You do not need to add the Root and Device CA certs and bind SSL policy for the VServer on port 8443.
  • Verify the Servers that you have created is up.
  • Once the above configuration is completed in NetScaler you can go ahead and access/enroll the device manager server on Virtual Server IP.

Note: If you are not able to access/login to Device Manager console after the above steps, enable “SSL Redirect” under SSL Offload>Certificates>SSL Parameter>Configure SSL Params.