Citrix XenMobile NetScaler Connector unifies the best of XenMobile MDM and NetScaler when it comes to delivering emails through a native mail client.

In a standard deployment that uses a native mail client, the EAS server is exposed to the outside world, jeopardizing the security of sensitive data. XNC lets an admin control access to corporate email, calendar and contacts from mobile devices based on compliance policies set on XDM, while leveraging the optimization and security provided by NetScaler (here acting as a reverse proxy) and keeping the user experience seamless. This allows organizations to keep Exchange access internal-only while still using a device’s native mail client, with rule-based allow/deny modes.

Here is a step-by-step guide to help set up an XNC environment for demo purposes, presuming that the XMS environment is already load balanced. You can add policies as desired when you move the environment to production.

 

Pre-Requisites

1)     XNC Server

  1. Install XNC server on a Windows machine
  2. Ensure .NET Framework 3.5 is installed before the XenMobile NetScaler Connector is installed

2)   NetScaler

  1. An IP for the Exchange Active Sync LB VIP
  2. SSL certificate for communication with the Exchange server
  3. Exchange IP address details
  4. XNC IP address details

3)     DNS Records

  1. Create a DNS record for XMS
  2. Create a DNS record for the Exchange Active Sync LB VIP

Recommendation 

1)     XMS server

  1. Complete the initial setup
  2. Make sure you have the SSL listener certificate imported and installed on the XMS server
  3. Make sure you have the server certificate imported and installed on the XMS server

1.    XNC Installation

Step 1: Download the XenMobile NetScaler Connector from the Citrix website

Step 2: Run the XNC setup wizard and click Next

(Note: Please ensure that .NET Framework 3.5 is installed before installing the XenMobile NetScaler Connector)

Step 3: Browse to the desired installation path

Click Next

Step 4: Click Next

Step 5: Select “I Agree” and click Next on the license agreement window

Step 6: The installation process will commence

Step 7: Click Next on the XenMobile NetScaler Connector Information window

Step 8: Click Close

2.    XNC Setup

Step 1: Launch the XNC icon from the desktop

Under the Web Service tab:

  • Select HTTP and leave the port set to the default, 9080
  • Click Save
  • Click Start Service

(Message displayed: XenMobile NetScaler Connector Service started successfully)

Step 2:

  • Click the Config Providers tab
  • Click Add
  • Enter a name for the config provider
  • In the URL field, enter the XMSHostName as in the example (Ex: https://XMSHostName/zdm/services/MagConfigService)
  • Enter the XMS service account username
  • Enter the XMS service account password
  • Click Test Connectivity to validate reachability
  • Click Save

Step 3: An Information popup window states that the “XenMobile Configuration Service” must be started.

An Information popup window states that the “XenMobile Notification Service” must be started.

Click OK

Step 4: Go to Windows Start – Run, type services.msc and press Enter

Right-click XenMobile Configuration Service and start the service

Right-click XenMobile Notification Service and start the service

Step 5:

  • Click the Path Filters tab
  • Edit Microsoft-Server-ActiveSync or click Add
  • From the policy dropdown, select the policy (Static + config provider name: Block Mode)
  • Click Save
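
A read-only check of the XNC server after the setup steps above, added here as an example and not part of the original guide: it verifies the .NET Framework 3.5 prerequisite, the services named in steps 1 and 4, the listener on port 9080 and reachability of XMS on 443. XMSHostName is the guide's placeholder, and matching the services by display name is an assumption.

```powershell
# Added example: read-only health check, run locally on the XNC server.
param(
    [string]$XmsHost = 'XMSHostName',  # placeholder, as in the config provider URL
    [int]$XncPort = 9080               # default web service port from step 1
)
$results = @()

# Prerequisite: .NET Framework 3.5 (Install = 1 under the NDP\v3.5 key).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = '.NET Framework 3.5 installed'
    Passed = ($null -ne $ndp -and $ndp.Install -eq 1)
}

# Steps 1 and 4: services named on this page. Matching them by display name
# is an assumption; adjust the patterns to what services.msc shows.
$patterns = 'XenMobile NetScaler Connector*',
            'XenMobile Configuration Service*',
            'XenMobile Notification Service*'
foreach ($pattern in $patterns) {
    $svc = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
    $down = @($svc | Where-Object { $_.Status -ne 'Running' })
    $results += [pscustomobject]@{
        Check  = "Service '$pattern' running"
        Passed = ($svc.Count -gt 0 -and $down.Count -eq 0)
    }
}

# Step 1: the web service should be listening on the configured port.
$listeners = @(Get-NetTCPConnection -LocalPort $XncPort -State Listen -ErrorAction SilentlyContinue)
$results += [pscustomobject]@{ Check = "TCP $XncPort listening"; Passed = ($listeners.Count -gt 0) }

# Step 2: the config provider URL is HTTPS, so XMS must answer on 443.
$tcp = Test-NetConnection -ComputerName $XmsHost -Port 443 -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Check = "XMS $XmsHost reachable on 443"; Passed = $tcp.TcpTestSucceeded }

$results | Format-Table -AutoSize

# The web service here is plain HTTP: list the enabled inbound firewall rules
# that cover the port so their scope can be reviewed.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$XncPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Format-Table DisplayName, Action, Profile -AutoSize
```

Any check that reports Passed as False points back to the corresponding prerequisite or setup step.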

3.    XNC Configuration on NS 

Step 1: Log in to NS

Step 2: Under Configuration, click XenMobile

Select XenMobile 10

Click Get Started

Step 3: Check “Load Balance Microsoft Exchange Servers”, then click Continue

Step 4:

  • Enter an IP address to create an LB VIP for Exchange Active Sync
  • Set the port to communicate on 443
  • The virtual server name can be changed (by default it is EXCHG_LB)
  • Click Continue

Step 5: Select the server certificate over which the Exchange Active Sync LB VIP will communicate with the Exchange server

Click Continue

Step 6: If you do not have an existing certificate, select Install Certificate

  • From the dropdown, select the certificate format, either .PFX or .PEM
  • Browse and select the certificate file
  • Enter the private key password
  • Click Continue

Step 7: Click Continue if the certificate chain is complete; otherwise follow the instructions given in the screenshot

Step 8: Click Add Server to add the Exchange server details

(Note: If you already have the Exchange server managed on NS, click the Add from existing server button)

Step 9:

  • Enter the Exchange server IP address
  • Enter the port number 443
  • Click Add
  • Click Continue

Step 10:

  • Enter the XNC AS Filtering server details
  • Set the Callout protocol as http
  • Enter the IP address of the XNC server
  • Enter the port number of the XNC server, 9080
  • Click Continue

Step 11: Click Done on the summary page

Step 12: With the right details provided, the Microsoft Exchange Load Balancing with Email Security Filtering status will be Up

 

4.    XMS – Exchange Active Sync Policy setup 

Step 1: Log in to the XMS server

Click Configure and Device Policies

Click Add

Step 2: Click Exchange

Step 3: Enter a name for this policy

(Note: For this use case we are using only iOS)

Step 4: Enter

  • The Exchange Active Sync account name which will be displayed to the end user
  • The hostname of the Exchange Active Sync filter LB VIP
  • Set SSL to ON
  • Enter the Domain value as ${user.domainname}
  • In the user field, enter ${user.username}
  • In the Email address field, enter ${user.mail}
  • Click Next

Step 5:

  • Select the delivery group

    (Note: It is recommended that you create a delivery group to which this policy needs to be applied; All Users is not recommended)

  • Click Save

 

5.    End User Experience

Step 1: Enroll the iOS device

Tap WorxHome and enter the external URL (Ex: rxms.wg.lab)

Tap Next

Step 2: Tap Yes

Step 3: Enter your AD username and password

Tap Sign On

Step 4: Tap Install for the XenMobile CA profile installation

Step 5: Tap Install for the XenMobile Profile Service

Step 6: Tap Trust

Step 7: Tap on the Native Mail icon

Step 8: A popup window will prompt you to enter the Exchange credentials

Click OK after you have entered the password

Step 9: Tap on the mailbox which is pushed down from the XMS server (Ex: EXCH_AS_WG)

Step 10: Tap on Inbox or Sent items to sync mails from the Exchange server

6.    XNC Administration 

Step 1: Using the XNC server console, the admin can either deny or allow the user’s email access

(Note: No rules are set initially and the action is set to default mode, where no restrictions are applied)

Step 2: For example, let’s set the action to allow mode (Static Allow)

To do this, right-click the user’s ID under the Log tab and select “Add user to Static Allow”, OR add devices to either the Static Allow or Static Deny rule under the Static Rules tab

Step 3: Click OK on the popup window

Step 4: When the next sync has successfully occurred with the new action in place, you can view the result in the log table, as in the screenshot below

Step 5: Now let’s try changing the action to deny mode (Static Deny)

Right-click the user account under the Log tab and select “Add user to Static Deny”

(Note: Make sure you do not have the user configured for both modes. The Static Rules tab lists the users in Static Allow mode or Static Deny mode)

Step 6: Click OK on the popup window

Step 7: Sync email on your native email client

Step 8: The Log screenshot below displays a sync event being triggered; however, the sync fails due to the Static Deny rule