XenMobile Servers (XMS) fly into Citrix Cloud

7 Prep Tips for successful migration

Update: Multiple XenMobile Server vulnerabilities (CVE-2020-8208 to CVE-2020-8212) have been disclosed. Update your on-premises servers to the latest firmware build or rolling patch; this is mandatory to protect your environment and your data. You can find more details in Citrix advisory CTX277457.

The other option is to follow the steps below and prepare your XenMobile Server setup for the Citrix Cloud migration. Cloud instances are patched by Citrix as soon as a fix is available, so they are protected against newly disclosed (zero-day) vulnerabilities much faster than an on-premises cluster that you patch yourself.

It's time to say goodbye to your on-premises XenMobile Server (XMS) environment. In other words, Citrix Cloud is waiting for your transformation to Citrix Endpoint Management (CEM).

Overview XenMobile Server Database migration to Citrix Cloud

The remaining lifetime of XenMobile Server on-premises is a ticking clock. The End-of-Life date has not been announced yet, but that could happen any week or month. From that point the last years of official support begin, during which Citrix releases only bug fixes and security patches.

In the meantime you can check the End-of-Life date on the Product Matrix:
https://www.citrix.com/de-de/support/product-lifecycle/product-matrix.html

Citrix Product Matrix of XenMobile Server

You'll see new features arriving faster in Citrix Cloud. Citrix development will hopefully bring them to the on-premises edition too, but there is no guarantee. New features for XenMobile Server on-premises are released only twice a year, whereas CEM gets every new feature almost immediately. New iOS device policies and other functions for Android Enterprise are available first, and sometimes only, in cloud CEM instances.

Furthermore, Citrix offers a XenMobile Migration Service that does not require re-enrolling all devices. The service is free; only the conversion of your licenses to a Cloud subscription is needed.

I found a two-year-old blog article about it.

But does it work? 

Yes, it works, but you need to do some preparation before starting the migration. In the end Citrix needs only a database export, a few passwords and the SSL listener certificate currently in use. That's it. The migration itself takes some time, depending on how large your database and XenMobile environment are (forecast: ~2 days).

Here are my 7 Prep Tips for a successful migration of XenMobile Server into Citrix Cloud:

1. Choose your Cloud Region – Where should the instance be deployed?

Do you already have a Citrix Cloud account through some Citrix Synergy training or demos in the past? Then most likely your account was automatically deployed in the US region. You can check the region under your Citrix Cloud Account Settings. 

How to open the Citrix Cloud Account Settings
Citrix Cloud Account Settings - Region

If it is the correct region, you are ready to use Citrix Cloud components, congratulations. If not, changing the region is a small nightmare that involves your Citrix Partner and Citrix Customer Success Services. To change the cloud region for your company you must create a new Citrix OrgID with a new company mail address and run the onboarding process again (https://onboarding.cloud.com). During that process you can select the desired region.

All of the above is relevant to customers that need to migrate to the EU region. Customers that are in the US region, or want to stay there, are fine. 🙂

Citrix Cloud Onboarding - Select Region

After the new OrgID has been created, talk to your Citrix Partner or the Citrix Customer Success Services team about the license asset transfer. Your company will then have two Citrix OrgIDs, one in the wrong region and one in the desired region. Keep this in mind before renewing your subscription or maintenance.

Detailed information about the onboarding process: https://docs.citrix.com/en-us/citrix-cloud/overview/signing-up-for-citrix-cloud/signing-up-for-citrix-cloud.html

2. Install two Citrix Cloud Connectors and join them to your preferred Cloud Instance (OrgID)

The Cloud Connector servers must be domain-joined and need outbound access to the Citrix Cloud resources. I prefer to route internet traffic through a web proxy, which means you must add bypass entries for internal resources such as your Citrix StoreFront server (for HDX app enumeration) or an issuing Certificate Authority, so that the connector reaches them directly and not via the proxy.

A destination allow list must be configured on the web proxy for the Citrix Cloud communication. The required FQDNs are listed in Citrix's internet connectivity requirements documentation for Citrix Cloud.

Netsh winhttp is your friend for configuring the system-wide (WinHTTP) proxy. [netsh winhttp show proxy] shows the current settings and [netsh winhttp set proxy] sets them. Here is an example that configures the proxy server and the bypass list (entries are separated by semicolons, <local> covers single-label hostnames, and wildcards are allowed):

netsh winhttp set proxy proxy.domain.local:8080 "<local>;*.domain.local;domain.local;pki.domain.local;storefront.domain.local;10.*;192.168.*"

Additionally, the Cloud Connector services are .NET Framework 4.x applications, which do not pick up the WinHTTP settings automatically. You must therefore add the same web proxy settings and local exclusions to the .NET Framework 4.x configuration as well (the <system.net>/<defaultProxy> element in the machine-wide configuration file).

Citrix has released the CC ProxyCheck Tool, which tests all required communication paths. You can download the tool here: https://support.citrix.com/article/CTX260337

Otherwise, the Cloud Connector installation is straightforward. After running the setup you log in with your Citrix Cloud account, select the customer (OrgID), and the installer automatically runs a connectivity test. If the test passes, you are cloud ready.

Citrix Cloud now shows a new Resource Location containing your two Connector servers.

Citrix Cloud - Resource Locations
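Before running the connector setup I like to confirm the proxy picture from the connector host itself. The following PowerShell script is an added example written for this article, not a Citrix tool: it parses [netsh winhttp show proxy], checks that every internal host you expect to bypass the proxy is actually covered by the bypass list (literal or wildcard entry), and then fetches the cloud URLs through the same proxy the connector will use. The host names (domain.local placeholders) are assumptions, and $CloudUrls contains only one well-known Citrix Cloud URL; extend it with the FQDNs from Citrix's connectivity requirements documentation for your region.

```powershell
# Added pre-flight check for a prospective Cloud Connector host (example code,
# not a Citrix tool). Assumptions: placeholder host names below; $CloudUrls is
# a starting point, extend it with the FQDN list from Citrix's documentation.
param(
    [string[]]$RequiredBypass = @('pki.domain.local', 'storefront.domain.local'),
    [string[]]$CloudUrls      = @('https://citrix.cloud.com')
)

function Get-WinHttpProxy {
    # Parse "netsh winhttp show proxy" into proxy server + bypass list
    $out = (netsh winhttp show proxy) -join "`n"
    $cfg = [ordered]@{ Direct = $true; Server = $null; Bypass = @() }
    if ($out -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
        $cfg.Direct = $false
        $cfg.Server = $Matches[1]
    }
    if ($out -match 'Bypass List\s*:\s*(\S.*)') {
        $list = $Matches[1].Trim()
        if ($list -ne '(none)') { $cfg.Bypass = @($list -split ';' | ForEach-Object { $_.Trim() }) }
    }
    return [pscustomobject]$cfg
}

function Test-ConnectorProxyConfig {
    param([string[]]$RequiredBypass, [string[]]$CloudUrls)
    $proxy = Get-WinHttpProxy
    $ok = $true

    if ($proxy.Direct) {
        Write-Warning 'No WinHTTP proxy set; the connector will try direct outbound access'
    } else {
        Write-Host "WinHTTP proxy: $($proxy.Server)  bypass: $($proxy.Bypass -join ';')"
        foreach ($name in $RequiredBypass) {
            # Literal entries and wildcard entries such as *.domain.local both count
            $covered = @($proxy.Bypass | Where-Object { $name -like $_ })
            if ($covered.Count) { Write-Host "bypassed    : $name (matches $($covered -join ', '))" }
            else { Write-Warning "NOT bypassed: $name (internal traffic would go via the proxy)"; $ok = $false }
        }
    }

    foreach ($url in $CloudUrls) {
        # Same path the connector takes: via the WinHTTP proxy if one is configured
        $req = @{ Uri = $url; UseBasicParsing = $true; TimeoutSec = 15 }
        if (-not $proxy.Direct) { $req.Proxy = "http://$($proxy.Server)" }
        try {
            $resp = Invoke-WebRequest @req
            Write-Host "reachable   : $url (HTTP $($resp.StatusCode))"
        } catch {
            Write-Warning "unreachable : $url - $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

if (Test-ConnectorProxyConfig -RequiredBypass $RequiredBypass -CloudUrls $CloudUrls) {
    'WinHTTP proxy configuration looks good; now run the Citrix CC ProxyCheck tool for the full endpoint list'
} else {
    'Fix the warnings above before installing the Cloud Connector'
}
```

Run it as the local administrator you will use for the connector setup. It only validates the WinHTTP layer; the .NET defaultProxy configuration still has to be checked separately, which is what the CC ProxyCheck tool covers.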

3. Collect all needed XenMobile credential passwords

For the XenMobile Migration the following credential passwords are required:

  • SQL services user / password
  • If you are not using a single password for the XMS PKI infrastructure, you need all passwords for the PKI Root CA, Device CA and Client CA
  • SSL listener certificate password 

The mission is to find all of these passwords. If you have lost one of the PKI passwords, you will not be able to migrate your instance. Citrix released a CLI tool that checks all credentials needed for the cloud migration. To use it, upgrade XMS to version 10.10 or later.

You find the option "Cloud Migration Credential Check" in the XMS CLI under [2] System > [12] Advanced Settings > [9] Cloud Migration Credential Check

XenMobile Server - Cloud Migration Credential Check

If all passwords pass the check, you are ready to migrate; if not, you need to search for the correct ones. I hope you find everything :-).

4. Upgrade your XenMobile Server cluster

Citrix supports the latest version, 10.12, and one previous version (n-1) for the cloud migration. Bring your environment up to date and upgrade to the latest version. Before you start the upgrade, take VM snapshots and create a fresh database backup, safety first!

Don't forget the XenMobile Server rolling patches either. For example, 10.11 RP6 fixes some Android Enterprise issues, and 10.12 RP3 contains bug fixes and enables Apple VPP app auto-update. These are also the builds that carry the fix for the vulnerabilities mentioned in the update at the top of this post, so apply them regardless of the migration.

Links: 

10.11 RP6 https://support.citrix.com/article/CTX270790

10.12 RP3 https://support.citrix.com/article/CTX277473

5. Cleanup your SQL Citrix XenMobile Database

There are also some SQL cleanup jobs to do. The migration requires SQL Server 2008 R2 or newer. First, check whether the password of your SQL service user would pass the Azure SQL Database password complexity rules:

  • Minimum 12 characters (up to 128 characters)
  • Uppercase letter (A-Z) 
  • Lowercase letter (a-z) 
  • Digit (0-9) 
  • Special characters
  • No dictionary words

If the SQL service user's password is not compliant, you must change it and update the database login settings on every XMS cluster node. Don't forget to reboot all cluster nodes afterwards. Here is a quick how-to for changing the SQL password on XMS: [ https://support.citrix.com/article/CTX213858 ].

You also need a current SQL Server Management Studio (SSMS), which can export the database as a data-tier application (BACPAC file).

XenMobile SQL database task export Data-tier Application

Active Directory service users for SQL are also supported for the migration. However, you must remove all other domain users, such as monitoring accounts, from the XenMobile database before exporting it as a data-tier application; otherwise the export fails.

XenMobile SQL database export error

The last SQL step is to truncate the tables that hold the historical entries. This can shrink the database considerably and shortens the export and import, which above all reduces the downtime of your MDM and MAM service. Two caveats: EWAUDIT is the audit log, so archive it first if you have to retain it for compliance reasons, and run the truncation only after the fresh database backup from step 4.

SQL queries to check how many historical entries there are:

  • SELECT COUNT(*) as total_record from dbo.EWDEPLOY_HISTO;
  • SELECT COUNT(*) as total_record from dbo.EWSESS;
  • SELECT COUNT(*) as total_record from dbo.EWAUDIT;

SQL queries to delete the historical entries:

  • TRUNCATE TABLE dbo.EWDEPLOY_HISTO;
  • TRUNCATE TABLE dbo.EWSESS;
  • TRUNCATE TABLE dbo.EWAUDIT;

And now your SQL database is ready too.
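The whole of step 5 fits into one script. The PowerShell below is an added example for this article, not a Citrix script: it checks the service user's password against the rules listed above, lists the Windows principals in the database that would break the BACPAC export, reports the size of the three historical tables, truncates them only when you ask for it, and finally exports the BACPAC with SqlPackage.exe as a scripted alternative to the SSMS wizard. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a Windows-authenticated session that can read the XenMobile database, and placeholder names for the instance, database and service login; the SqlPackage.exe path is the usual DAC install location and has to be adjusted.

```powershell
# Added example for the database preparation in step 5 (not a Citrix script).
# Assumptions: SqlServer module installed, Windows auth to the instance,
# placeholder names below, SqlPackage.exe at the usual DAC path.
param(
    [string]$ServerInstance = 'sql01.domain.local',
    [string]$Database       = 'XenMobile',
    [string]$ServiceLogin   = 'DOMAIN\svc-xms-sql',      # the XMS SQL service user
    [string]$BacpacPath     = 'C:\migration\XenMobile.bacpac',
    [switch]$Truncate                                     # only after a fresh backup
)

function Test-AzureSqlPasswordPolicy {
    # Rules as listed in step 5: 12-128 chars, upper, lower, digit, special,
    # no dictionary words (approximated with a small deny list; extend it).
    param([Parameter(Mandatory)][string]$Password)
    $fails = @()
    if ($Password.Length -lt 12 -or $Password.Length -gt 128) { $fails += 'length 12-128' }
    if ($Password -cnotmatch '[A-Z]')        { $fails += 'uppercase letter' }
    if ($Password -cnotmatch '[a-z]')        { $fails += 'lowercase letter' }
    if ($Password -notmatch  '[0-9]')        { $fails += 'digit' }
    if ($Password -notmatch  '[^A-Za-z0-9]') { $fails += 'special character' }
    foreach ($w in 'password', 'xenmobile', 'citrix', 'welcome', 'summer', 'winter') {
        if ($Password -match $w) { $fails += "contains word '$w'"; break }
    }
    [pscustomobject]@{ Compliant = ($fails.Count -eq 0); Failures = $fails }
}

$sql = @{ ServerInstance = $ServerInstance; Database = $Database; ErrorAction = 'Stop' }

# 0. Password check for the service user (prompted, never hard-coded)
$pw = Read-Host -Prompt "Password of $ServiceLogin"
$check = Test-AzureSqlPasswordPolicy -Password $pw
if (-not $check.Compliant) { Write-Warning "Password is not Azure SQL compliant: $($check.Failures -join ', ')" }

# 1. Windows logins mapped into the database other than the service user:
#    these make the data-tier (BACPAC) export fail and must be dropped first.
$principals = Invoke-Sqlcmd @sql -Query @"
SELECT name, type_desc
FROM   sys.database_principals
WHERE  type IN ('U', 'G')        -- Windows user / Windows group
  AND  name NOT LIKE '##%'
"@
$extra = @($principals | Where-Object { $_.name -ne $ServiceLogin })
if ($extra.Count) {
    Write-Warning 'Windows principals to remove before the BACPAC export:'
    $extra | Format-Table name, type_desc -AutoSize | Out-String | Write-Host
}

# 2. Size of the historical tables named above
$tables = 'dbo.EWDEPLOY_HISTO', 'dbo.EWSESS', 'dbo.EWAUDIT'
foreach ($t in $tables) {
    $n = (Invoke-Sqlcmd @sql -Query "SELECT COUNT_BIG(*) AS n FROM $t").n
    Write-Host ('{0,-20} {1,14:N0} rows' -f $t, $n)
}

# 3. Truncate only on request. EWAUDIT is the audit trail: archive it first if you must keep it.
if ($Truncate) {
    foreach ($t in $tables) { Invoke-Sqlcmd @sql -Query "TRUNCATE TABLE $t" }
    Write-Host 'Historical tables truncated'
}

# 4. Scripted BACPAC export, equivalent to the SSMS "Export Data-tier Application" wizard
$sqlPackage = 'C:\Program Files\Microsoft SQL Server\150\DAC\bin\SqlPackage.exe'
& $sqlPackage /Action:Export "/SourceServerName:$ServerInstance" `
    "/SourceDatabaseName:$Database" "/TargetFile:$BacpacPath"
```

Run it once without -Truncate to see the principal list and row counts, fix what it reports, and only then run it again with -Truncate to shrink the database and produce the BACPAC in one go.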

6. Renew all expiring certificates

Furthermore, check the expiration dates of all your certificates. If certificates such as the APNS or the SSL listener certificate expire soon, renew them before starting the migration. That leaves time for the post-migration support by the Rapid Deployment team.

APNS certificates are managed by the customer. The Citrix Endpoint Management Tools help you with that: https://tools.xm.cloud.com/

Be careful when renewing an APNS certificate: verify that the APNS ID (the push topic in the certificate subject) of the new certificate matches the one currently installed before uploading it. If there is a mismatch and you upload a certificate with a different ID, every device must re-enroll.

The SSL listener certificate, on the other hand, can only be changed through a support case, because of the ADC reverse proxy configuration in front of the CEM instance.

Export the SSL listener certificate with the same passphrase that you used during the XMS server setup. The full public certificate chain (intermediate and root CA certificates) must be included in the export.
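The following PowerShell is an added example for this step, not part of the original post. It loads the exported listener PFX with the setup passphrase, walks its chain to show whether the intermediate and root certificates are present, reports the days left on the listener and on the current APNS certificate, and compares the APNS ID (the com.apple.mgmt.External.<uuid> push topic in the subject) of the renewed APNS certificate with the current one, which is exactly the check that prevents the forced re-enrollment described above. File names and the 90-day warning window are assumptions; the APNS files are the certificate downloads from the Apple portal.

```powershell
# Added certificate checks for step 6 (example code, not from Citrix).
# Assumptions: file paths below, 90-day renewal window, APNS files are the
# .pem/.cer downloads from the Apple Push Certificates portal.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$ListenerPfx = 'C:\migration\mdm-listener.pfx',
    [string]$CurrentApns = 'C:\migration\apns-current.pem',
    [string]$RenewedApns = 'C:\migration\apns-renewed.pem',
    [int]$WarnDays = 90     # renew anything that expires inside this window
)

function Get-CertExpiryStatus {
    param([X509Certificate2]$Cert, [int]$WarnDays)
    $days   = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    $action = if ($days -le $WarnDays) { 'RENEW BEFORE MIGRATION' } else { 'ok' }
    [pscustomobject]@{
        Subject  = $Cert.Subject
        NotAfter = $Cert.NotAfter
        DaysLeft = $days
        Action   = $action
    }
}

function Get-ApnsId {
    # The MDM push certificate carries its identity (push topic) in the subject
    # as com.apple.mgmt.External.<uuid>; a renewed certificate must keep it.
    param([X509Certificate2]$Cert)
    if ($Cert.Subject -match '(com\.apple\.mgmt\.[A-Za-z0-9.\-]+)') { return $Matches[1] }
    return $null
}

# SSL listener: load with the XMS setup passphrase and walk the chain
$pass     = Read-Host -Prompt 'PFX passphrase (the one used during XMS setup)' -AsSecureString
$listener = [X509Certificate2]::new($ListenerPfx, $pass)
$chain    = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # offline structural check
if (-not $chain.Build($listener)) {
    Write-Warning ('Chain incomplete: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
}
$chain.ChainElements | ForEach-Object { Write-Host "chain : $($_.Certificate.Subject)" }
Get-CertExpiryStatus -Cert $listener -WarnDays $WarnDays | Format-List

# APNS: expiry of the current certificate, identity of the renewed one
$current = [X509Certificate2]::new($CurrentApns)
$renewed = [X509Certificate2]::new($RenewedApns)
Get-CertExpiryStatus -Cert $current -WarnDays $WarnDays | Format-List
$idNow = Get-ApnsId $current
$idNew = Get-ApnsId $renewed
if (-not $idNow -or $idNow -ne $idNew) {
    Write-Warning "APNS ID mismatch (current '$idNow', renewed '$idNew'): do NOT upload, all devices would have to re-enroll"
} else {
    Write-Host "APNS ID unchanged ($idNew): the renewed certificate can be uploaded"
}
```

If the chain walk lists only the end-entity certificate, re-export the PFX with the chain included (Export-PfxCertificate -ChainOption BuildChain, or the "Include all certificates in the certification path" option in the MMC wizard) before handing it to Citrix.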

7. Reduce the DNS TTL value for XenMobile MDM public hostname

The last preparation step is the easiest, but also the most important: reduce the DNS time-to-live (TTL) of your public MDM hostname. I set the TTL to 5 minutes so that I can roll back quickly if something goes wrong with the cloud instance. Lower it well ahead of the cut-over, at least one old TTL period before, because resolvers keep serving the old record until the TTL they cached earlier has expired.

What is the reason for this change? 

Once the cloud instance is ready to be activated, you create a DNS CNAME that points your public MDM hostname to the cloud CEM instance hostname. With a short TTL, resolvers around the world drop the cached old record quickly and pick up the new one, or the rollback, within minutes; that is why we reduce the TTL beforehand.

Here is an example DNS CNAME:
mdm.customer.com > customer.xm.cloud.com
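As an added readiness check (example code, not part of the original post), the PowerShell below queries the public MDM hostname and reports what it currently points to, whether the TTL is already at or below the 5-minute target, and, after the cut-over, whether the CNAME really lands on the cloud instance. The host names are the placeholders from the example above; $Resolver is assumed to be your zone's authoritative name server, because a recursive resolver only reports the remaining cache TTL rather than the configured value.

```powershell
# Added DNS cut-over check for step 7 (example code, not from the original post).
# Assumptions: placeholder names from the post, 300 s target TTL, $Resolver is the
# zone's authoritative name server.
param(
    [string]$MdmHost     = 'mdm.customer.com',
    [string]$CloudTarget = 'customer.xm.cloud.com',
    [int]$MaxTtl         = 300,                  # 5 minutes, as recommended above
    [string]$Resolver    = 'ns1.customer.com'    # assumption: authoritative NS of the zone
)

function Test-MdmDnsCutover {
    param([string]$MdmHost, [string]$CloudTarget, [int]$MaxTtl, [string]$Resolver)
    # Ask the given server directly, ignoring the local cache and hosts file
    $rr = Resolve-DnsName -Name $MdmHost -Server $Resolver -DnsOnly -NoHostsFile -ErrorAction Stop
    $cname = $rr | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) {
        # After cut-over: the CNAME is the record whose TTL matters
        $target = $cname.NameHost.TrimEnd('.')
        $ttl    = $cname.TTL
    } else {
        # Before cut-over: still A/AAAA records for the on-premises listener
        $addr   = @($rr | Where-Object { $_.Type -in 'A', 'AAAA' })
        $target = ($addr.IPAddress -join ', ')
        $ttl    = ($addr | Measure-Object -Property TTL -Minimum).Minimum
    }
    [pscustomobject]@{
        Host     = $MdmHost
        PointsTo = $target
        Ttl      = $ttl
        TtlOk    = ($ttl -le $MaxTtl)
        OnCloud  = ([bool]$cname -and ($target -ieq $CloudTarget))
    }
}

$state = Test-MdmDnsCutover -MdmHost $MdmHost -CloudTarget $CloudTarget -MaxTtl $MaxTtl -Resolver $Resolver
$state | Format-List
if (-not $state.TtlOk) {
    Write-Warning "TTL is $($state.Ttl) s; lower it to $MaxTtl s at least $($state.Ttl) s before the cut-over so that caches have expired"
}
```

Run it once after lowering the TTL (expect TtlOk = True, OnCloud = False) and again right after creating the CNAME (expect OnCloud = True); the same command against a public resolver tells you how far the change has propagated.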

Summary

In conclusion, migrating your on-premises XenMobile Server to the Citrix Cloud environment is not impossible. If you follow these 7 preparation steps, you will be ready to migrate. Good preparation is half the work.

Special thanks go to Michael Bastian (Citrix) for the successful cooperation and cloud migrations. Additional credits go to Anton van Pelt and Julian Mooren for reviewing.

If you need help or have any questions, feel free to contact me or follow me on Twitter.

Cheers,

Daniel Weppeler
