XenMobile: Configuring WorxMail APNs
This step-by-step guide shows how to configure WorxMail APNs to achieve near real-time mail sync.
A brief history of how mail sync in the background was achieved in WorxMail.
Prior to XM 9.0, WorxMail achieved background sync using a VOIP tagging mechanism, which maintained a constant connection to the server when WorxMail was in the background to deliver near real-time mail sync. However, this mechanism has drawbacks such as battery drain.
Thus, the Background Refresh Model was introduced in XenMobile 9.0 to replace the VOIP-tagging mechanism.
This model handles mail sync when WorxMail is in the background through callbacks that are invoked by the iOS platform. The frequency of the callbacks is determined by iOS and is hard to quantify because it depends on Apple’s unpublished algorithms. Users may experience varying levels of delay in automatic mail sync under the Background Refresh Model.
To address the need for near real-time mail sync when WorxMail is in the background, Citrix has added push-based notifications that leverage APNs.
At a high level, this is how the flow looks:
- At FTU, after upgrade, or when the policy change to turn on APNs is received by the client, the client makes an initial EWS Push subscription request to Exchange with the URL of the listener service and the folder ID for badge updates. This is how Exchange knows that it needs to ping the listener service for updates to the client’s mailbox.
- When there is mailbox activity (new email, calendar event) for any registered WorxMail user, the Exchange server notifies the Citrix Notification service.
- The Citrix Notification service sends an APNs-based push notification to WorxMail. If the user has installed WorxMail on more than one device, the APNs-based notification is sent to all of those devices.
- The APNs notification does not contain the content of the email (sender, subject, etc.).
- If WorxMail is in the background, the WorxMail badge icon is updated upon receipt of the APNs notification. The user can then launch WorxMail to sync with the Exchange server.
- Refer to EWS Push Notifications.
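An added example (not part of the original guide and not Citrix code): a check an Exchange administrator could run over a captured EWS Subscribe request to confirm that the push callback URL from the first step of the flow points only at one of the listener hostnames this guide lists in its prerequisites. The sample request, its URL path and its folder are constructed; the element names follow the public EWS Subscribe schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"m": "http://schemas.microsoft.com/exchange/services/2006/messages",
      "t": "http://schemas.microsoft.com/exchange/services/2006/types"}
# Listener hostnames as listed in this guide's prerequisites.
LISTENER_HOSTS = {f"{r}.mailboxlistener.xm.citrix.com"
                  for r in ("us-east-1", "eu-west-1", "ap-southeast-1")}

def audit_push_subscription(soap_xml):
    """Return (callback_url, folder_ids, problems) for one EWS Subscribe request."""
    req = ET.fromstring(soap_xml).find(".//m:Subscribe/m:PushSubscriptionRequest", NS)
    if req is None:
        return None, [], ["no PushSubscriptionRequest found"]
    url = req.findtext("t:URL", default="", namespaces=NS).strip()
    folders = [f.get("Id") for f in req.findall("t:FolderIds/*", NS)]
    problems = []
    parts = urlsplit(url)
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        port = None  # malformed port in the URL
    if parts.scheme != "https":
        problems.append("callback is not HTTPS")
    # Exact match only: a suffix or substring test would accept lookalike hosts.
    if (parts.hostname or "").lower() not in LISTENER_HOSTS:
        problems.append("callback host is not a listed listener")
    if port != 443:
        problems.append("callback port is not 443")
    if parts.username or parts.password:
        problems.append("callback URL carries userinfo")
    return url, folders, problems

def build_sample(url):
    """Constructed Subscribe request; URL path and folder are illustrative."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:m="{NS['m']}" xmlns:t="{NS['t']}"><s:Body><m:Subscribe>
      <m:PushSubscriptionRequest>
        <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
        <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
        <t:StatusFrequency>1</t:StatusFrequency>
        <t:URL>{url}</t:URL>
      </m:PushSubscriptionRequest></m:Subscribe></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for u in ("https://eu-west-1.mailboxlistener.xm.citrix.com/constructed/path",
              "http://eu-west-1.mailboxlistener.xm.citrix.com.example.net:8080/x"):
        print(audit_push_subscription(build_sample(u)))
```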
1) Pre-Configured XMS Server.
2) MDX ToolKit 10.0.7
3) Access to Apple Developer portal.
UPDATE: Static IPs for the Citrix Listener Service have been updated in this blog; they can be used to configure firewall / proxy rules.
4) Allow outbound SSL connections (over 443) from the Exchange Server (or web proxy) to the Citrix listener service.
- For Americas: https://us-east-1.mailboxlistener.xm.citrix.com (IP: 18.104.22.168; 22.214.171.124)
- For EMEA: https://eu-west-1.mailboxlistener.xm.citrix.com (IP: 126.96.36.199; 188.8.131.52)
- For APAC: https://ap-southeast-1.mailboxlistener.xm.citrix.com (IP: 184.108.40.206; 220.127.116.11)
5) If the Exchange Server is configured for client certificate authentication, one parameter needs to be updated:
- uploadReadAheadSize on EWS folder
6) If you have a proxy server, the bypasslist needs to be configured to bypass the proxy for push notifications.
- Refer to the section under Push notifications:
UPDATE: Static IPs for the Citrix Registration Service have been updated in this blog; they can be used to configure firewall / proxy rules.
7) If your NetScaler Gateway configuration includes Secure Ticket Authority (STA) and split tunneling is off, NetScaler Gateway must allow outbound SSL connections (over 443) from NetScaler and WorxMail (when tunneled from Secure Mail) to the Citrix Registration Service:
1. For Americas: https://us-east-1.pushreg.xm.citrix.com (IP: 18.104.22.168; 22.214.171.124)
2. For EMEA: https://eu-west-1.pushreg.xm.citrix.com (IP: 126.96.36.199; 188.8.131.52)
3. For APAC: https://ap-southeast-1.pushreg.xm.citrix.com (IP: 184.108.40.206; 220.127.116.11)
Note: ALL SCREENSHOTS are for representational purposes; they may vary as versions change.
2.1. Create new App ID and Profile
2.2. Generate WorxMail APNs Certificate
2.3. Wrap WorxMail APNs
2.4. Upload WorxMail APNs Certificate
2.5. Upload WorxMail APNs App to XMS
Users are shown a popup to accept Push Notifications from WorxMail. Upon accepting, they can experience near real-time mail sync.
I have taken care to minimize the formatting errors to the best of my ability; however, due to updates to the blog, a few screenshots are not behaving according to the rules of gravity!!! Please excuse formatting and grammatical errors.
The Apple push services certificate that you are using expires every year. To make sure end users don’t face any inconsistency with push notifications, create a new certificate (“Apple Push Notification service SSL Certificates”) just before your old certificate expires and update it in the Citrix portal.
Click on this link for Apple Push Services Certificate Update