When Two Tales Come Together: AppVPN Meets MicroVPN, ADC Meets Endpoint Management


    by Thorsten Rood, CTP

    Ingredients for a modern workplace design with mobile devices

    Citrix has owned an ADC product for a while now, and over the course of time it gained superior VPN features, including a SAML-capable always-on flavor. Previously known as NetScaler, it is now labeled Citrix ADC/Gateway.

    It is also years ago now that Citrix acquired an MDM vendor and turned the product into a UEM (unified endpoint management) solution. Previously known as Zenprise, and for a while in between called XenMobile, it is now called Citrix Endpoint Management.

    Five years ago, Citrix entered the smartphone/tablet world with a business suite of enterprise-grade apps such as Citrix Secure Mail and Citrix Files, sold today as Citrix Mobile Productivity Apps; along with that, the secure networking technology microVPN was born.

    Now the product tiers and vocabulary are complete. :-) Let's discuss the solution and its gaps, and why today marks a huge step forward!

    Enterprise Connectivity

    From my understanding and conversations, it will still take enterprise customers a number of years before all their on-premises assets are fully cloudified. Even after migrating to modern cloud operating principles, there remains an important need to ensure confidential data is properly protected against unprivileged access. While VPN feels like an ancient recipe and an outdated answer to the problem, its underlying idea of creating a secure transport, combined with strong authentication, still represents a key play in any security architecture. With more and more apps and web services, many offerings unfortunately lack a secure authentication design, so you need to overlay (or, technically speaking, underlay) secure connectivity for those apps and vendor solutions that do not provide an in-box answer to your security requirements.

    There are many endpoint types - let's discuss iOS today (Android to come later)...

    The Product Tier Completeness

    Within Citrix Mobile Productivity Apps, Citrix provides MDX network access, a micro-VPN technology that operates at the application level and is fully transparent to the end user. Mission completed. Checkbox.

    As part of Citrix ADC/Gateway, a mature VPN plugin (Citrix SSO; the name sounds a bit confusing) is available that allows seamless client-certificate-based authentication without any user interaction, providing secure network transport for your mobile workforce. Mission completed. Checkbox.

    By leveraging Citrix Endpoint Management, you can securely deliver apps (including the VPN plugin), configuration profiles and access certificates for authentication to your managed devices, again with no user interaction. Guess what? Mission completed. Checkbox.

    Using the Citrix Mobile Productivity Apps is a no-brainer from a security perspective: the included micro-VPN just works without special preparation. Checkbox.

    For those third-party apps that do not use MDX microVPN, Apple allows configuring a so-called appVPN mode that closes the functionality gap by automating VPN session creation for the apps you define. The end user has no direct clue about the helping hands, and at the same time the VPN is not exposed at the system level. Citrix Endpoint Management has been able to deliver those settings for a long time now. Checkbox.

    So what has been missing? Well, the devil is in the details...

    Imagine you wish to protect data transport into your environment for one of the many "other" non-Citrix apps available in the store today. A lot of those apps require simultaneous access to both corporate and public internet resources to work properly; let's call this "hybrid networking" to simplify the requirement. The natural answer is to deploy the underlying VPN in split-tunnel mode. That functionality has been available for a long time, and when you deploy the Citrix VPN configuration to your devices at the device level for testing, you can easily verify that it works as intended. To everybody's surprise, the identical configuration reverts to full-tunnel mode when deployed as part of an appVPN configuration! This essentially kills the design of hybrid networking stacks: you simply do not want to route all of the app's internet traffic through the VPN across public networks into your environment just to forward it back out to public networks afterwards. It slows down performance, hurts user experience and creates transport bottlenecks. Just imagine the affected app is an Office 365 heavyweight...

    Doing some more research, you find out that it works exactly according to Apple's appVPN specifications (by default). Is it a no-go? Sorry, no checkbox this time! A bunch of calls and discussions later, you notice that hybrid networking requires special attention. ;-)

    The Solution

    The iOS Citrix SSO VPN app, build 140 (release 1.1.12), allows split-tunnel mode in both system-level and appVPN-level connections. It is available in the App Store starting today.


    Citrix and Apple have agreed to let the app override the API defaults to better reflect modern workplace and mobility needs. You can now establish split-VPN support not only in Safari (so far the only app that supported this requirement by design), but also in Chrome, inside the Office 365 apps and in any other third-party iOS app you find in the App Store. Checkbox. :-)


    Configuration Details

    Inside your existing Endpoint Management VPN device policy, add the custom key PerAppSplitTunnel=1 to the XML parameters. It has become as easy as that! The only things to make sure of are that your VPN session profiles and intranet application definitions inside Citrix Gateway, along with the correct DNS suffix lists and authorization policies, reflect the intended split design. The existing DNS-based configuration for Safari domains inside the Endpoint Management profile is not matched against this setup and just has to be kept to support the built-in Safari app.
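    Because a per-app VPN payload without the custom key silently behaves as a full tunnel, it is worth checking what actually reached the device. The following script is an added example written for this article, not Citrix or Apple code. It parses a constructed iOS configuration profile and flags every per-app VPN payload whose VendorConfig dictionary lacks PerAppSplitTunnel=1. It assumes that the custom XML parameters of the Endpoint Management VPN policy are exported into the payload's VendorConfig dictionary; the payload type com.apple.vpn.managed.applayer and the VendorConfig key are Apple's documented profile keys, while the bundle ID, display names and the second (corrected) payload are constructed sample values.

```python
"""Audit an iOS profile for per-app VPN payloads missing the split-tunnel key.

Added example for this article (not Citrix or Apple code). Assumption: the
custom XML parameters of the Endpoint Management VPN device policy end up in
the payload's VendorConfig dictionary. PerAppSplitTunnel is the key named in
the article; com.apple.vpn.managed.applayer and VendorConfig are Apple keys.
"""
import plistlib

PER_APP_VPN_PAYLOAD = "com.apple.vpn.managed.applayer"
SPLIT_TUNNEL_KEY = "PerAppSplitTunnel"

# Constructed sample profile with two per-app VPN payloads: the first carries
# no custom key (Apple's default, i.e. full tunnel), the second carries
# PerAppSplitTunnel=1. Bundle ID and names are placeholders, not real values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>PayloadDisplayName</key><string>AppVPN default (full tunnel)</string>
      <key>UserDefinedName</key><string>Corp AppVPN</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.example.vpnplugin</string>
      <key>VendorConfig</key>
      <dict/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>PayloadDisplayName</key><string>AppVPN split tunnel</string>
      <key>UserDefinedName</key><string>Corp AppVPN split</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.example.vpnplugin</string>
      <key>VendorConfig</key>
      <dict>
        <key>PerAppSplitTunnel</key><string>1</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def split_tunnel_enabled(payload: dict) -> bool:
    """True only when VendorConfig carries PerAppSplitTunnel=1 (as string or int)."""
    value = payload.get("VendorConfig", {}).get(SPLIT_TUNNEL_KEY)
    return str(value).strip() == "1"


def audit_profile(profile_bytes: bytes) -> list:
    """Return one finding per per-app VPN payload: its name and split-tunnel state."""
    root = plistlib.loads(profile_bytes)
    findings = []
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != PER_APP_VPN_PAYLOAD:
            continue  # device-level VPN or unrelated payloads are out of scope
        findings.append({
            "name": payload.get("PayloadDisplayName", "<unnamed>"),
            "split_tunnel": split_tunnel_enabled(payload),
        })
    return findings


def payloads_needing_fix(profile_bytes: bytes) -> list:
    """Names of per-app VPN payloads that would fall back to a full tunnel."""
    return [f["name"] for f in audit_profile(profile_bytes) if not f["split_tunnel"]]


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        state = ("split tunnel" if finding["split_tunnel"]
                 else "FULL TUNNEL - add PerAppSplitTunnel=1 to the policy's XML parameters")
        print(f"{finding['name']}: {state}")
```

    Run it against a profile exported from a test device (or pulled from the device's installed-profile view) instead of the embedded sample to confirm the key survived the policy deployment; the Gateway-side split-tunnel session profile and intranet applications still have to be in place for the traffic to actually be split.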



    It sounds like a very small hotfix-style feature delivery. The overall picture, however, is far more important:

    When two tales finally come together...

    1. You can now choose and mix between microVPN and appVPN on the same device, depending on technology/app needs.
    2. Citrix ADC/Gateway has become the ideal supporting product for Citrix Endpoint Management for any MDX and non-MDX networking transport and security scenario.

    Why does this matter?

    With the new enhanced functionality, the Citrix mobility stack lets you satisfy any kind of application request, access profile and security requirement. The number of moving parts, components and services is kept to a minimum, and it all works side by side in great coexistence. I see a lot of new applications coming that will benefit from these options around hybrid networking, both from major brands (Microsoft, SAP, Atlassian, to name a few) and from smaller niche players.

    Thank you to the Citrix crew (Sachin Mandya Shankar, Kevin Brock, and many others I may have unintentionally left unmentioned) for making this happen!

    One more thing...

    Imagine what you could do now by making ADFS an internal endpoint for your managed devices...
