CTX136914
NetScaler,XenMobile,NetScaler Gateway
NetScaler 10_1,NetScaler Gateway 10_1,XenMobile 8_7,NetScaler 10_5,App Controller 9_0,XenMobile 9_0
Networking
2016-05-04
2005-06-06
This article contains frequently asked questions about MicroVPN with XenMobile App or Enterprise editions and NetScaler Gateway deployments.

Questions and Answers

Q: What are the recommended versions of components for MicroVPN?

A: Customers who want to deploy XenMobile for remote users and leverage MicroVPN technology must use the correct combination of components. The following matrix lists the recommended versions of the various components:

| Mobile Platform | MicroVPN Supported OS Version | Worx Home | XenMobile Server | NetScaler Software Release |
|---|---|---|---|---|
| Android | Android 4.0 and later | 10.x and later | XenMobile Server 10 or later | NetScaler Gateway 10.5 build 54.9 or later |
| iOS | iOS 6 and later | 10.x and later | XenMobile Server 10 or later | NetScaler Gateway 10.5 build 54.9 or later |
| Windows Phone | 8.1 and later | 10.x and later | XenMobile Server 10 or later | NetScaler Gateway 10.5 build 54.9 or later |

Note: Previous releases of XenMobile App Controller (such as 9.0 or 8.7) also support MicroVPN.

To access WorxMail and WorxWeb from an Android device through NetScaler Gateway, the device must be running Android OS 4.1 to 5.1.

Q: What is MicroVPN?

A: It is an on-demand application VPN connection that is initiated by Worx Home on mobile devices to access corporate network sites or resources. Usually, the Worx Home client starts the MicroVPN connection when end users open a mobile app, such as WorxMail or WorxWeb, that requires corporate network access.

MicroVPN can leverage two sub-components to securely access Web portals: Secure Browse or Full Tunnel. Both of these options are configurable on either XenMobile Server 10 or App Controller components.
Note: Windows Phone 8.1 supports only the MicroVPN (Secure Browse) feature.

Q: What mobile platforms support MicroVPN?

A: Currently, only Android, iOS and Windows Phone 8.1 platforms with the latest Worx Home client support this technology. See the version table in the answer above for the recommended Worx Home version.

Q: How do I connect to my corporate network by using MicroVPN?

A: For iOS devices, when mobile users open a mobile application such as WorxMail or WorxWeb that requires corporate network access, you might see the following prompt:

User-added image

For Android devices, when launching WorxMail or WorxWeb, you might see the following prompt:

User-added image

Q: How do I enable MicroVPN in NetScaler Gateway?

A: The following prerequisites are required to ensure MicroVPN works successfully with NetScaler Gateway:

  • Ensure that you have NetScaler Gateway Universal licenses installed.

  • Ensure that you set the NetScaler Gateway virtual server to SmartAccess mode.

  • Ensure that you have Clientless Access set to ON and Clientless Access URL Encoding to Clear.

  • Ensure that Interception is set to Transparent in the NetScaler Gateway Global Settings or Session Profile.

  • Ensure that the DNS suffix is configured on the NetScaler Gateway appliance.

  • Ensure that you have enabled Secure Browse.

For example:
From Web Graphical User Interface (GUI)
Transparent Interception

NetScaler 10.1

User-added image

NetScaler 10.5

User-added image

Secure Browse

NetScaler 10.1

User-added image

NetScaler 10.5

User-added image

From Command Line Interface

For XenMobile Server
add vpn sessionAction XM-AppC-CVPN-Receiver-Prof -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -wihome "https://xm.example.ctx:8443" -ntDomain amc -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl https://xm.example.ctx:8443
Note: Ensure that you add the port :8443 at the end of the XenMobile Server 10 URL.

For App Controller
add vpn sessionAction XM-AppC-CVPN-Receiver-Prof -splitTunnel ON -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -wihome "https://xm.example.ctx" -ntDomain amc -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl https://xm.example.ctx
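
The prerequisites above can be checked mechanically against a saved configuration. The following is an added example, not Citrix code: it parses an `add vpn sessionAction` line and reports every MicroVPN setting that differs from the commands shown in this article. The function names, the `Demo-Prof` profile and the case-insensitive flag matching are assumptions of the example.

```python
import shlex
from urllib.parse import urlsplit

# Values taken from this article's CLI example. Flag names are compared
# case-insensitively, which is an assumption of this example.
REQUIRED = {
    "-transparentInterception": "ON",
    "-clientlessVpnMode": "ON",
    "-clientlessModeUrlEncoding": "TRANSPARENT",
    "-SecureBrowse": "ENABLED",
}

def parse_session_action(line):
    """Return (name, {lowercased flag: value}), or None for any other command."""
    tok = shlex.split(line)
    if len(tok) < 4 or [t.lower() for t in tok[:3]] != ["add", "vpn", "sessionaction"]:
        return None
    rest = tok[4:]
    flags = {k.lower(): v for k, v in zip(rest, rest[1:]) if k.startswith("-")}
    return tok[3], flags

def audit(line, xenmobile_server_10=False):
    """List settings that differ from the article's profile.

    A flag missing here may still be inherited from the global settings,
    so it is reported as "not set in this profile" rather than as wrong.
    """
    parsed = parse_session_action(line)
    if parsed is None:
        return ["not an 'add vpn sessionAction' command"]
    _, flags = parsed
    findings = []
    for flag, want in REQUIRED.items():
        got = flags.get(flag.lower())
        if got is None:
            findings.append(f"{flag} not set in this profile (expected {want})")
        elif got.upper() != want:
            findings.append(f"{flag} is {got}, expected {want}")
    if xenmobile_server_10:
        for flag in ("-wihome", "-storefronturl"):
            url = flags.get(flag)
            if url is None or urlsplit(url).port != 8443:
                findings.append(f"{flag} must end in :8443 for XenMobile Server 10")
    return findings

# Constructed sample: the article's profile with several settings changed.
BAD = ('add vpn sessionAction Demo-Prof -splitTunnel ON -transparentInterception OFF '
       '-wihome "https://xm.example.ctx" -clientlessVpnMode ON '
       '-clientlessModeUrlEncoding OPAQUE -storefronturl https://xm.example.ctx:8443')

if __name__ == "__main__":
    print("\n".join(audit(BAD, xenmobile_server_10=True)))
```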

Q: How do I enable MicroVPN on Mobile Apps?

A: On the App Controller Web GUI console https://appcontrollerFQDN:4443/ControlPoint, ensure that you have set network access to Tunneled to Internal Network for MDX-wrapped mobile apps. This setting is available under mobile apps policies.

User-added image

For XenMobile Server 10, access the unified Web GUI console via https://XenMobileServerFQDN:4443. Ensure that you have set the network access to Tunneled to Internal Network for MDX-wrapped mobile apps. This setting is available under mobile apps policies:

User-added image

Q: Is Split Tunneling in NetScaler Gateway supported with MicroVPN?

A: Yes. If you enable Split Tunnel in the session profile or at a global level and you configure the Intranet Applications correctly with the subnet or host machines with the TCP, UDP, or ANY protocol, then only corporate network traffic is sent through the tunnel. All other network traffic will go outside the tunnel.
For Intranet Applications, ensure that the interception used is TRANSPARENT.

Example:
Enable Split Tunnel

NetScaler 10.1

User-added image

NetScaler 10.5

User-added image

Intranet Applications Configuration
Defining explicit hosts

add vpn intranetApplication DNS-Web ANY 172.16.0.2 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication Exchange ANY 172.16.0.31 -destPort 1-65535 -interception TRANSPARENT

Defining a subnet

add vpn intranetApplication "Internal Resources" ANY 172.16.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT

Binding Intranet Applications to virtual server

bind vpn vserver ag -intranetApplication "Internal Resources"
bind vpn vserver ag -policy CLT_LESS_172.16.0.96 -priority 80 -gotoPriorityExpression END -type REQUEST -intranetApplication "Internal Resources"
bind vpn vserver ag -policy CLT_LESS_RF_172.16.0.96 -priority 100 -gotoPriorityExpression END -type REQUEST -intranetApplication "Internal Resources"

Example:

Adding Intranet Applications to virtual server from the GUI:

User-added image

User-added image

For more information on how to configure Intranet Applications, see Configuring Client Interception.

Q: Is Split DNS feature of NetScaler Gateway supported with MicroVPN?

A: Split DNS is honored on Worx Home for iOS and Android only.

Q: Are Intranet IP addresses of the NetScaler Gateway supported with MicroVPN?

A: Intranet IP Addresses are supported with MicroVPN. Mobile devices will leverage the IP Address assigned by the NetScaler to contact backend resources.

Note: NetScaler ADC configuration utility is now integrated with Citrix XenMobile. For more information on configuration utility changes in NetScaler 10.5, refer to Citrix Documentation - Configuration Utility Changes.

Q: What is MicroVPN Reverse Split Tunnel mode?

A: MicroVPN Reverse Split Tunnel mode is a configuration that supports an exclusion list of IP addresses that are not tunneled to the NetScaler but are sent out using the local area network (LAN) of the device. For more detailed information about Reverse Split Tunnel mode, see http://docs.citrix.com/en-us/netscaler-gateway/11/vpn-user-config/configure-plugin-connections/ng-plugin-split-tunneling-tsk.html

Q: Which versions support MicroVPN Reverse Split Tunnel mode?

A: Both iOS and Android are supported.

Q: How is MicroVPN Reverse Split Tunnel mode configured in Secure Browse mode?

Step 1: Configure Split Tunneling Reverse mode on the NetScaler Gateway
To configure Reverse mode for the Split Tunneling feature, navigate to Policies -> Session Policy. Choose the Worx Home Policy and navigate to Client Experience -> Split Tunnel. Select REVERSE.

User-added image


Step 2: Configure MDX Policy
XenMobile 10.3.5 or later introduces a new MDX policy titled "Reverse Split Tunnel Mode Exclusion List". This is configured with the "Exclusion" range based on a comma-separated list of DNS suffixes and FQDNs, which defines the URLs for which traffic must be sent out on the local area network (LAN) of the device and is not sent to the NetScaler.


User-added image
Q: How is MicroVPN Reverse Split Tunnel mode configured in Full Tunnel mode?

Step 1: Configure Split Tunneling Reverse mode on the NetScaler Gateway
To configure Reverse mode for the Split Tunneling feature, navigate to Policies -> Session Policy. Choose the Worx Home Policy, select Action and then navigate to Client Experience -> Split Tunnel. Select REVERSE.

User-added image

Step 2: Configure the Exclusion range on the NetScaler Gateway
This is configured on the NetScaler Gateway and the configuration will be respected by the MDX applications. In this scenario, the "Exclusion" range is based on IP address ranges, for which traffic must be sent out on the local area network (LAN) of the device and is not sent to the NetScaler.

To configure this setting, refer to the section within this KB article: Q: Is Split Tunneling in NetScaler Gateway supported with MicroVPN? -> Intranet Applications Configuration

NOTE: There is no need to configure any MDX policy on the XenMobile Server for full tunnel mode VPN.
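
The Split Tunnel answer and the Full Tunnel reverse mode steps above both rely on the same Intranet Applications list: with Split Tunnel ON the list names what is tunneled, and with REVERSE it names what is excluded. The following added example, which is a model of that behaviour and not NetScaler code, parses the `add vpn intranetApplication` commands from this article and decides where a destination is sent. The function names and the two test destinations are the example's own.

```python
import ipaddress
import shlex

# The three "add vpn intranetApplication" commands from this article.
CONFIG = '''
add vpn intranetApplication DNS-Web ANY 172.16.0.2 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication Exchange ANY 172.16.0.31 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication "Internal Resources" ANY 172.16.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
'''

def parse_intranet_app(line):
    """Parse: add vpn intranetApplication <name> <protocol> <destIP> [-flag value]..."""
    t = shlex.split(line)
    opts = dict(zip(t[6::2], t[7::2]))
    mask = opts.get("-netmask", "255.255.255.255")  # no netmask means a single host
    # Assumption of this example: a missing -destPort means all ports.
    lo, _, hi = opts.get("-destPort", "1-65535").partition("-")
    return {"name": t[3], "proto": t[4].upper(),
            "net": ipaddress.ip_network(f"{t[5]}/{mask}", strict=False),
            "ports": (int(lo), int(hi or lo))}

APPS = [parse_intranet_app(l) for l in CONFIG.strip().splitlines()]

def listed(apps, proto, ip, port):
    """True if the destination matches any Intranet Application entry."""
    addr = ipaddress.ip_address(ip)
    return any(a["proto"] in ("ANY", proto.upper()) and addr in a["net"]
               and a["ports"][0] <= port <= a["ports"][1] for a in apps)

def via_tunnel(split_tunnel, apps, proto, ip, port):
    """True if traffic goes to the NetScaler Gateway, False if it uses the device LAN."""
    mode = split_tunnel.upper()
    if mode == "ON":        # only listed corporate destinations are tunneled
        return listed(apps, proto, ip, port)
    if mode == "REVERSE":   # listed destinations form the exclusion range
        return not listed(apps, proto, ip, port)
    if mode == "OFF":       # not covered by this article: everything is tunneled
        return True
    raise ValueError(f"unknown split tunnel mode: {split_tunnel}")

if __name__ == "__main__":
    for mode in ("ON", "REVERSE"):
        for ip in ("172.16.0.31", "203.0.113.10"):  # constructed destinations
            print(mode, ip, "tunnel" if via_tunnel(mode, APPS, "TCP", ip, 443) else "LAN")
```

Running the same list through both modes shows why an entry as broad as the 172.16.0.0/255.255.0.0 subnet needs review before switching to REVERSE: every address it covers then bypasses the gateway.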



Additional Resources

Myth Buster: NetScaler Gateway MicroVPNs – multiple tunnels?

Understanding Authentication Timeout Values in XenMobile



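Special Note

The source of this article belongs to Citrix.com; copyright in the translation belongs to the translator. Please credit the source when reproducing.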
