On-Premises XMS Servers Fly into Citrix Cloud – 7 Prep Tips for Successful Migration

by Daniel Weppeler

It's time to say goodbye to your on-premises XenMobile Server (XMS) environment, and time for the cloud transformation to Citrix Endpoint Management (CEM)…

The lifetime of XMS on-premises is a ticking time bomb: the End-of-Life date has not been announced yet, but that could happen any week or month. After that, the last years of official support begin, during which Citrix will release only bug fixes and security patches. You can check the End-of-Life date on the Product Matrix.

You'll see new features becoming available faster in Citrix Cloud. Citrix development will hopefully bring them to the on-prem edition too, but there is no guarantee! New features are released only twice a year for XMS on-premises, whereas CEM gets every new feature almost immediately: new iOS device policies and functions like Android Enterprise are available first, and sometimes only, in cloud CEM instances.

Citrix offers a XenMobile Migration Service that does not require re-enrolling all devices. I found a two-year-old blog article about it: https://www.citrix.com/blogs/2018/02/16/new-xenmobile-migration-service-its-here-its-included-with-a-new-subscription/

But does it work?

Yes, it works, but you need to do some preparation before starting the migration. Citrix needs only a database export, some passwords and the SSL listener certificate in use. That's it. The migration takes some time, depending on how large your database / XMS environment is (forecast: ~2 days).

Here are my 7 Prep Tips for a successful migration of XMS into Citrix Cloud:


1. Choose your Cloud Region – Where should the instance be deployed?
Do you already have a Citrix Cloud account from a Citrix Synergy training or demo in the past? Then most likely your account was automatically deployed in the US region. You can check the region under your Citrix Cloud Account Settings.

If it's the correct region, you are ready to use Citrix Cloud components, congratulations! If not, changing the region is a bit of a nightmare process involving your Citrix Partner and Customer Success Services. To change the cloud region for your company, you must create a new Citrix OrgID with a new company mail address and run the onboarding process again (https://onboarding.cloud.com). During the process you will be able to select your desired region.

The above is only relevant to customers that need to migrate to the EU region. If you are in the US or want to stay in the US zone, all is fine. 🙂

After the OrgID is successfully created, you have to talk to your Citrix Partner or the Citrix Customer Success Services team about a license asset transfer. That means your company has two Citrix OrgIDs, one for the wrong region and one for your desired region. Keep this in mind before renewing your subscription or maintenance.

Detailed information on the onboarding process can be found here.

2. Install two Citrix Cloud Connectors and join them to your preferred Cloud Instance (OrgID)
The Cloud Connector servers must be domain-joined and need outgoing access to cloud resources. I prefer to use a web proxy for internet traffic, which means you must create host exclusions for internal resources such as your Citrix StoreFront server (for HDX app enumeration) or an issuing Certificate Authority.

A destination whitelist must be configured on the web proxy for Citrix Cloud communication.

Netsh winhttp will be your friend for configuring a web proxy for the system: [netsh winhttp show proxy] shows the currently configured settings and [netsh winhttp set proxy] sets the proxy settings. Here's an example that configures proxy settings and exclusions:

netsh winhttp set proxy proxy.domain.local:8080 "<local>;*.domain.local;domain.local;pki.domain.local;storefront.domain.local;10.*;192.168.*"

Additionally, you need to modify the web.config file of Microsoft .NET 4.x and add your web proxy settings with the local exclusions there too. Citrix has released the CC ProxyCheck tool for checking all required communications. You can download the tool here!

The Cloud Connector installation is straightforward. After running the setup, you log in with your Citrix Cloud account and a communication test runs automatically. If this test is successful, you are cloud ready.

Citrix Cloud now displays a new Resource Location with your two Connector servers.

3. Collect all needed XMS credential passwords
For the XenMobile Migration, the following credential passwords are required:

  • SQL service user / password
  • If you are not using a single password for the XMS PKI infrastructure, you need all passwords for the PKI RootCA, DeviceCA and ClientCA
  • SSL listener certificate password

That's the mission: find all these passwords. If you lost one of the PKI passwords, you will not be able to migrate your instance. Citrix released a CLI tool to check all credentials needed for the cloud migration. To use this tool, upgrade XMS to version 10.10 or later.

You find the XMS CLI option "Cloud Migration Credential Check" under [2] System > [12] Advanced Settings > [9] Cloud Migration Credential Check.

If all passwords pass the check, you are ready to migrate; if not, you need to search for the correct passwords. I hope you find everything :-).

4. Upgrade your XMS server cluster
Citrix supports the latest version, 10.12, and one previous version (n-1) for the cloud migration. Bring your environment up to date and upgrade to the latest version. Before you start the upgrade process, remember to take VM snapshots and create a new database backup, safety first!

Don't forget the XMS rolling patches! 10.11 RP3 (which fixes the Apple DEP connection failure when a web proxy for outgoing traffic is configured) and 10.12 RP2 (various bug fixes) are available.

5. Cleanup your SQL XenMobile Database
There are also some SQL cleanup jobs to do. The migration requires SQL Server 2008 R2 or newer. First of all, check whether your SQL service user password would pass the Azure SQL DB password complexity rules. Azure SQL DB has the following password rules:

  • Minimum 8 characters (up to 128 characters)
  • Uppercase letter (A-Z)
  • Lowercase letter (a-z)
  • Digit (0-9)
  • Special characters

If the SQL service user password is not compliant, you must change it and edit the database login settings on all XMS cluster servers. Don't forget to reboot all XMS cluster servers. Here you can find a quick how-to for changing the SQL password on XMS: https://support.citrix.com/article/CTX213858

You must install the latest Microsoft SQL Management console, which allows you to export databases as a data-tier application (BACPAC file).

Active Directory service users for SQL are also supported during the migration. However, you must delete all other domain users (for example monitoring users) from your XenMobile database before you can export it as an Azure data-tier application; otherwise the export will fail.

The last SQL step is to truncate the XenMobile database with SQL queries that clean up all historical entries. This can shrink the database a lot and optimize the export / import time, which reduces the downtime of your MDM and MAM service.

SQL queries to verify the count of historical entries:

  • SELECT COUNT(*) as total_record from dbo.EWDEPLOY_HISTO;
  • SELECT COUNT(*) as total_record from dbo.EWSESS;
  • SELECT COUNT(*) as total_record from dbo.EWAUDIT;

SQL queries to delete the historical entries:

  • TRUNCATE TABLE dbo.EWDEPLOY_HISTO;
  • TRUNCATE TABLE dbo.EWSESS;
  • TRUNCATE TABLE dbo.EWAUDIT;

And now your SQL database is ready too.
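As an added example (my own T-SQL, not from the post or from Citrix), here is the whole of step 5 as one script for SQL Server Management Studio: it checks a password against the Azure SQL DB rules listed above, lists the extra Windows accounts that would break the BACPAC export, and wraps the truncation in a transaction. The database name XenMobile and the service login DOMAIN\xms_svc are assumptions.

```sql
-- Added example, not from the post: pre-export checks for step 5, run in SQL Server
-- Management Studio against the XenMobile database (after a fresh backup).
-- Assumptions: the database is named XenMobile and the SQL service login is DOMAIN\xms_svc.
USE XenMobile;
GO

-- 1) Check a password against the Azure SQL DB rules listed above.
--    The binary collation makes [A-Z] and [a-z] case-sensitive; with the default
--    case-insensitive collation both ranges would match either case and the check
--    would pass wrongly. Replace the constructed sample with the real password.
DECLARE @pw nvarchar(128) = N'Sample-Passw0rd';   -- constructed sample value
SELECT CASE
         WHEN LEN(@pw) BETWEEN 8 AND 128
          AND @pw COLLATE Latin1_General_BIN2 LIKE N'%[A-Z]%'        -- uppercase letter
          AND @pw COLLATE Latin1_General_BIN2 LIKE N'%[a-z]%'        -- lowercase letter
          AND @pw LIKE N'%[0-9]%'                                    -- digit
          AND @pw COLLATE Latin1_General_BIN2 LIKE N'%[^A-Za-z0-9]%' -- special character
         THEN N'OK: password meets the Azure SQL DB rules'
         ELSE N'FAIL: change the SQL service password on all XMS nodes first'
       END AS password_check;

-- 2) Windows (domain) users and groups other than the service login.
--    Every extra entry, e.g. a monitoring account, makes the data-tier (BACPAC)
--    export fail. Drop each one with DROP USER [DOMAIN\name]; after transferring
--    any schema it owns (a user that owns a schema cannot be dropped).
SELECT name, type_desc, create_date
FROM sys.database_principals
WHERE type IN ('U', 'G')            -- U = Windows user, G = Windows group
  AND name <> N'DOMAIN\xms_svc'     -- assumed service account, keep it
  AND name NOT LIKE N'NT %';        -- built-in NT AUTHORITY / NT SERVICE principals

-- 3) Row counts of the historical tables before cleanup.
SELECT (SELECT COUNT(*) FROM dbo.EWDEPLOY_HISTO) AS deploy_history_rows,
       (SELECT COUNT(*) FROM dbo.EWSESS)         AS session_rows,
       (SELECT COUNT(*) FROM dbo.EWAUDIT)        AS audit_rows;

-- 4) Truncate inside an explicit transaction. TRUNCATE TABLE is logged in SQL Server,
--    so a ROLLBACK TRANSACTION here still restores the rows if the counts above
--    were not what you expected; COMMIT makes the cleanup permanent.
BEGIN TRANSACTION;
    TRUNCATE TABLE dbo.EWDEPLOY_HISTO;
    TRUNCATE TABLE dbo.EWSESS;
    TRUNCATE TABLE dbo.EWAUDIT;
COMMIT TRANSACTION;
GO
```

Run the first three parts on their own first; only start the transaction once the principal list is empty and the row counts are the ones you expect to lose.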

6. Renew all expiring certificates
Check all your certificate expiration dates. If certificates will expire soon, such as the APNS or SSL listener certificates, renew them before starting the migration process. This ensures time for the Rapid Deployment team's post-migration support.

APNS certificates are managed by the customer. The Citrix Endpoint Management Tools site helps you: https://tools.xm.cloud.com/
But be careful when renewing an APNS certificate: verify the APNS ID in the certificate before installing the new one. If there is a mismatch and you upload a certificate with the wrong ID, you must re-enroll all devices.

SSL listener certificates need to be changed via a support case because of the ADC reverse proxy configuration in front of Citrix Cloud Endpoint Management.

Export the SSL listener certificate with the same passphrase that you used during the XMS server setup. The full public certificate chain is needed.

7. Reduce the DNS TTL value for MDM public hostname

The last preparation step is the easiest one, but the most important. You need to reduce the DNS time-to-live (TTL) for your public MDM hostname. I prefer to set the TTL value to 5 minutes so that you can quickly roll back if something goes wrong with the cloud instance.

What is the reason for this change?

Once the cloud instance is ready to activate, you must create a new DNS CNAME record so that your MDM public hostname points to the cloud instance hostname. This new DNS record should propagate quickly across the global DNS infrastructure, which is why we reduce the DNS TTL value.

Here is an example CNAME: mdm.customer.com > customer.xm.cloud.com

———————-

Special thanks goes to Michael Bastian (Citrix Systems) for successful cooperation and cloud migrations!
Additional credits go to Anton van Pelt and Julian Mooren for reviewing!
 
If you need help or have any questions feel free to contact me via Twitter or myCUGC! 😉

Cheers,
Daniel Weppeler
