So I see this question from clients who have been exploring the XenMobile suite, and sometimes the answer comes as a surprise, sometimes not. I thought I would lay it out here because I couldn’t find a clear answer out there, so I know the average Citrix Admin can’t either.
Short answer: Yes
Long answer: Maybe… let's explore.
Other load balancers can be used in place of NetScaler, but the integration and full functionality will not be there. So for good reason, almost any XenMobile deployment will be accompanied by a NetScaler. To break down the specifics and why you need one, let's go edition by edition through the stack.
XenMobile MDM Edition: This is the one deployment where you don’t have to have one and you will be OK. If you are running a single instance of XDM, you don’t need the NetScaler. If you run two instances of XDM, you need a load balancer of some sort to load balance 80/443/8443. If you deploy a NetScaler in front of XDM, it's only going to be doing one of two things. It will be load balancing (that’s a given) and functioning either as an SSL bridge or doing SSL offload. There is still no reason to offload SSL unless you are running thousands of devices, where the CPU hit for decryption makes it worthwhile to move it to the NetScaler. SSL offload does not yet give you an incentive to move the XDM to the internal LAN, because authentication still takes place at the XDM. So you would be letting unauthenticated traffic into your network, and that is never good.
XenMobile App Edition: This one is a trick question. Technically, you can run AppController in the DMZ and it will function if you meet its port requirements. However, I have never seen it done and it's clearly not the reference architecture. Also, there would be features sacrificed by not having a NetScaler Gateway in front. So if you like your job, never deploy it in this manner. At a minimum with AppEd you want a NetScaler Gateway for mVPN termination, ICA proxy, authentication, etc.
XenMobile Enterprise Edition: Obviously this is a combination of MDM and AppEd all in one, with ShareFile as the cherry on top. So you want at least a NetScaler Gateway. If you are running high availability with your components, you’ll want at least a NetScaler Standard Edition so you can run load balancing and gateway services.
What about XenMobile NetScaler Connector? First off, kudos if you even know what this is. In a nutshell, it's used for ActiveSync gating, where all ActiveSync traffic is passed through the NetScaler. A highly available Exchange environment with multiple Client Access Servers (CAS) requires a load balancer, so it is typical to see a NetScaler fronting Exchange with ActiveSync in these environments. XNC sits between MDM and the NetScaler and tells it whose device to cut off email to because it has fallen out of compliance. If you run XNC, you would do well to go with a full NetScaler Enterprise edition and enable the optional AppCache feature ($), thereby allowing the NetScaler to cache the device lists onboard and not have to chat with MDM about it.
Here is a good, if slightly fun/silly, article on why XenMobile and NetScaler belong together: Top 10 Reasons Why XenMobile and NetScaler is the way to go.