Are you a Citrix XenMobile user? Do you have WorxMail Push Notifications enabled in your environment?

If yes, you might be a little worried about exposing your Exchange server to the cloud-hosted Citrix Push Notification Services. And why shouldn’t you be? After all, the Exchange server is one of the most sensitive entities in an organization.

There is no need to worry anymore; you won’t be deprived of using Citrix’s elegant push notification services for WorxMail. Here is one handy solution.

What is the pain? Once a device is subscribed for push notifications with the Exchange server using Citrix Push Notification Services (CPNS), the Exchange server needs to notify CPNS of new events in the user’s mailbox. Many organizations have security concerns when the Exchange server in their internal network receives traffic from the public Internet.

IT admins must add new firewall rules to allow Exchange servers to communicate with CPNS. Of course, nobody would be comfortable doing this, and if there are multiple CAS servers, it’s a big pain to add firewall rules for each CAS server.

So, what do you do?

As said earlier, there is no need to worry. There is still a way to use Citrix’s delightful push notification services without making any firewall changes, regardless of where your CAS servers are or how many there are.

As a XenMobile customer, you must already have Citrix NetScaler in your environment, with the Load Balancing (LB) and SSL features in place.

This solution is called the “Reverse LB” approach. Usually when LB is used, the VIP is accessible from the Internet and internal resources are added as services. In this solution, the VIP has to be accessible from the internal resource, i.e. from the Exchange server, and the CPNS public FQDN is added as the service.

Also, because the SSL bridge feature is used along with LB, no extra server certificate is required on NetScaler for the LB vServer. Refer to Citrix eDocs for more details on SSL Bridge.

As shown in the diagram above, the NetScaler LB will have CPNS bound as a service. The Exchange server in the internal network sends requests to the LB VIP, which in turn forwards them to CPNS, and so on. This way all traffic goes through the LB, where it can be monitored in NetScaler, and additional rules can be added for more security as required.

One important note for this solution to work: the CPNS listener service’s FQDN must resolve to the LB VIP instead of the real IP. This can be done by adding a DNS entry or by making a hosts file entry on the Exchange server. Make sure the FQDN resolves to the LB VIP only on the Exchange server, whereas on NetScaler it must resolve to the real IP.

Below are the NetScaler commands to create the LB vServer:

  •  enable ns feature SSL LB
  •  add server svr cpns_listener_fqdn
  •  add service src svr SSL_BRIDGE 443
  •  add lb vserver ssl_bridge_vip SSL_BRIDGE vserver_ip_address 443
  •  bind lb vserver ssl_bridge_vip src
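
A check to run on the Exchange server once the vServer and the DNS or hosts entry are in place, as an added example that is not part of the original post or Citrix's own tooling: it confirms the CPNS FQDN resolves only to the LB VIP and that the TLS handshake through the VIP yields a certificate valid for that FQDN, which is what SSL bridging should produce since NetScaler does not terminate TLS. The FQDN, the VIP address and the function names are placeholders chosen for this example.

```powershell
# Added example: run on the Exchange (CAS) server. Both values are placeholders;
# substitute your CPNS listener FQDN and the LB VIP configured on NetScaler.
$CpnsFqdn = 'cpns-listener.example.invalid'
$LbVip    = '192.0.2.10'

function Test-CpnsResolution {
    param([string]$Fqdn, [string]$ExpectedIp)
    try {
        # The system resolver is used, so a hosts-file entry is honoured like DNS.
        $addrs = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
                   ForEach-Object { $_.IPAddressToString })
    } catch { $addrs = @() }
    # Any address other than the VIP means some traffic would bypass the LB.
    $stray = @($addrs | Where-Object { $_ -ne $ExpectedIp })
    [pscustomobject]@{
        Resolved = $addrs -join ', '
        OnlyVip  = ($addrs.Count -gt 0) -and ($stray.Count -eq 0)
    }
}

function Test-CpnsTlsThroughVip {
    param([string]$Fqdn, [string]$Ip, [int]$Port = 443)
    $ssl = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Ip, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # No validation callback: the default policy requires a trusted chain and
        # a certificate name matching $Fqdn, and throws if either check fails.
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Ok = $true; Subject = $cert.Subject; Issuer = $cert.Issuer
                           NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Ok = $false; Subject = $null; Issuer = $null
                           NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-CpnsResolution    -Fqdn $CpnsFqdn -ExpectedIp $LbVip
Test-CpnsTlsThroughVip -Fqdn $CpnsFqdn -Ip $LbVip
```

If `OnlyVip` is false, the Exchange server can still resolve the real CPNS address; if `Ok` is false, the `Error` field shows whether the connection, the chain or the name check failed.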

Enjoy Push Notifications!!