In this post, we will go through the steps required to configure LDAPS+Radius Authentication for XenMobile.


  • Term                                            Definition
  • AD                                                Active Directory
  • NSG VIP                                     Netscaler Gateway VIP
  • VIP                                               Virtual IP
  • LB VIP                                         Netscaler Load Balancer Virtual IP
  • MSSQL                                        MS-SQL 2012 Server Edition
  • Node                                             XMS Cluster Node
  • NSG                                              NetScaler Gateway
  • XMS                                              XenMobile Server
  • FQDN                                           Fully Qualified Domain Name
  • SHP                                               Self Help Portal


The Hostnames, Usernames and IP Addresses used in the screenshots are for the illustration purposes only. Please use the appropriate Hostnames, Usernames and IP Addresses from your environment.


  • Public SSL Certificate needs to be obtained for the XMS FQDN (Fully Qualified Domain Name)
  • Public SSL Certificate needs to be obtained for the Netscaler Gateway
  • APNS (Apple Push Notification Service) Certificate to be obtained.

Please goto  to upload the CSR and get the APNS Certificate.

  • IP Address Requirements
Type of IP Address Purpose           IP Address
NSIP (Netscaler IP) Netscaler Management
SNIP (SubNet IP) Backend Communication from Netscaler to Internal Servers
VIP (Virtual IP) VIP1 – For MDM Enrollment through Netscaler (DMZ or Public IP). If we assign a DMZ IP then we need to NAT the Public IP to this DMZ IP.VIP2 – MAM LB VIP (DMZ IP). This is used for the Load Balancing Vserver which load balances the XMS Servers. NG communicates to the XMS Server via this MAM LB VIPVIP3 – For Netscaler Gateway (DMZ or Public IP).
XMS IP IP address for the XMS Server
  • Hypervisors Required to Import the XMS Virtual Machine
    • XenServer
    • VMware
    • Microsoft Hyper-V

Steps to Configure the Ldaps+Radius Based Authentication

1. Launch the XMS server via browser and enter user name and password to sign into the server

Ex: https://<FQDN>:4443

2. Goto Configure -> Settings and Cick on Ldap.

3. Edit the Ldap Configuration.

4. Please enter the Port as 636 for Ldaps communication and set Use Secure Connection to Yes. 

Configuring Netscaler Gateway Settings in XMS for

Domain+Security Token Authentication

1. Click on Configure and Click on Netscaler Gateway

2. Select the Netscaler Gateway and click Edit

3. Select Domain and Security Token for Logon Type and Click Save.

Netscaler for XenMobile Configuration

1. Please launch Browser and enter the Netscaler Management IP address and Logon to Netscaler GUI

2. Click on the configuration tab and click on XenMobile Wizard on left Side.

3. Click on Get Started

4. Select Access Through Access Gateway and Load Balance Device Manager Servers and Click Continue. Here we are going to configure one Load Balancing VIP which will be used for the enrollment purpose and the Second Netscaler Gateway VIP for the secure delivery of application from XMS through the Netscaler.

5. Enter the IP address for the Netscaler Gateway.

When we deploy XMS in our internal network, when users connect from the Internet or a remote location, the connection must route through NetScaler Gateway. XMS server resides in the internal network behind the firewall.

6. Please refer to the Citrix Article and import a Public SSL Certificate on Netscaler.

SSL Certificate is required on the Netscaler Gateway Vserver for the client to establish secure connection to the Netscaler Gateway.

7. Select Use Existing Certificate.

8. Under Server Certificate, Use the Certificate we uploaded in step 6 on Netscaler.

Click Continue

9. Under Authentication Settings, Add your LDAP Server details such as IP Address, LDAPs port number 636 (default LDAPS port), Base DN which is the location of the Users in Active Directory and Service Account used for queries to the LDAP directory and its password as shown below.

Under Server Logon Name Attribute you can enter the SAMAccountName or the Userprincipalname as per your requirements.

10. Here we need to add the Load Balancing FQDN for MAM. Enter the XMS Server FQDN.

All Traffic to the XMS servers will be routed through this MAM Load Balancing (LB) VIP.

Enter the IP Address for the LB VIP (VIP2 from Prerequisites Section) and click Continue.

11. Select the Server Certificate for the MAM LB Vserver. Since we are using a wildcard certificate here, we are selecting the same certificate we uploaded in step 6 above.

12. Click on Add Server under XenMobile Servers. Here we are going to add the XMS Server which is going to be bound to the LB VIP.

13. Enter the IP Address of the XMS server and Click Add.

14. Click Continue

15. Click on Load Balance Device Manager Servers. Here we are going to configure the LB VIP which will be used for the Device Enrollment Purpose. We are going to bind the Same XMS Server to this LB VIP.

16. Enter the Load Balancing IP Address for MDM(VIP1).

17. Click Continue as the XMS Server we added earlier appear as shown below.

18. Click Done

19. Goto Netscaler Gateway -> Virtual Servers and on the Right side select the Virtual Server and Click Edit

20. Click on > Mark for “No CA Certificate

21. Click > Sign to select the CA Certificate.

22.  Select the CA Certificate and Click OK.

23. Click on Bind

24. Click on Done

25. On  Netscaler Gateway , Goto Policies -> Session -> Session Profiles and Select the Profile which starts with “AC_OS” name and Click on Edit.

26. Click on the Client Experience Tab and goto the Bottom of the page.

27. Under Credential Index, Select SECONDARY.

28. Click OK.

Netscaler Gateway Authentication Configuration

1. On Netscaler Gateway, Goto Policies -> Authentication -> LDAP and Select the LDAP Policy on the Right Side.

2. Delete NS_TRUE.

3. Put the Expression REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver in place of NS_TRUE and Click OK.

4. On Netscaler Gateway, Goto Policies -> Authentication -> Radius and Select Servers on the Right Side.

5. Enter the Radius Server Details such as Name, IP address, Radius Port and Secret Key and click Create.

6. Goto Policies and Click Add

7. Enter the Name of the Policy and Select the Radius Server from the Drop Down in the Server Field.

Set the expression as REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver and click create.

8. Select the Virtual Server and Click Edit

9. Under Primary Authentication, Click on LDAP Policy.

10. Select the Policy, Click on Unbind and Click Close

11. Under Authentication Click on “+” Icon to add the Radius Authentication.

12. Select the Authentication Type as Radius

13. Click on Bind

14. Check the Radius Authentication Policy you created earlier and click Insert.

15. Click Ok.

16. Now let’s Add LDAP as the Secondary Authentication Policy. Click on “+” Icon Under Authentication.

17. Select LDAP from the Drop Down.

18. Choose Secondary

19. Click on “>” Icon to Select Policy.

20. Select the LDAP Policy and Click OK.

21. Click on Bind

22. Click Done

23. Make sure the Policies we created above should always have the Highest Priority in case if you go ahead and add further policies for non-mobile users.

Please refer to the Citrix Article  for further information.