Send Android domain users to ActiveSync Gateway

Recently we added the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector) to a customer environment, with the intention of giving only known smartphones access to ActiveSync. The definition of known in this case, is a smartphone enrolled within Citrix Endpoint Management (formerly XenMobile). After some testing, we switched on “Blocking Mode” on the Gateway connector for Exchange ActiveSync and indeed all the ActiveSync traffic was nicely regulated. Only connections from device which existed in the Endpoint Management database were allowed access to ActiveSync. The check if a email client is allowed access is done based on the ActiveSync ID, which should be unique for every device.

Just to clarify, a short explanation how the Gateway connector for Exchange ActiveSync works. The Citrix Gateway connector for Exchange ActiveSync is connected to the Endpoint Management server(s) and periodically graps all ActiveSync ID’s. All the grapped ActiveSync ID’s are stored locally on the Gateway connector for Exchange server, in a .xml file. Depending you installation folder and provider name it’s stored on the Gateway connector for Exchange Server in : “%InstallFolder%\XenMobile NetScaler Connector\config\%ProviderName%.xml”

Depending your Endpoint Management ActiveSync Gateway configuration devices can be allowed or denied access based on several rules.

Read more

Citrix Gateway connector for Exchange ActiveSync with RegEx support

Recently I was asked to increase the security for a public reachable ActiveSync url. Although the customer was using Citrix Endpoint Management (XenMobile) and Citrix Secure Mail was available in their Enterprise AppStore, employees were also allowed to use their native “un-secure” mail client, which made use of a public reachable ActiveSync URL.

A big advantage they had, was that almost all mobile devices were already enrolled within Citrix Endpoint Management, so we knew which ActiveSync ID’s where legit and allowed to access ActiveSync.

Cause we were already making use of Citrix Endpoint Management, we decided to use the “Citrix Gateway connector for Exchange ActiveSync” (formerly XenMobile NetScaler Connector), to add an extra layer of security to the public reachable ActiveSync url.

The configuration was pretty straightforward and was running in no time. Although in this article I will not go into the architecture in more detail, you can find more information about this at Citrix.

We were only faced with one big challenge, the customer was still servicing a department, which consisted of several hundred users, who were in the process migrating their email to a different site. The mobile devices from this department where not enrolled in Citrix Endpoint Management and therefore being blocked by the Citrix Gateway connector for Exchange ActiveSync. Cause the Citrix Gateway connector for Exchange ActiveSync was configured with the policy “Static + PepperByte: Block Mode”, we had the opportunity to add “Static Rules”. A “Static Rule” was created to allow all users within the domain “PepperByte” access to ActiveSync. Unfortunately the “Static Rule” wasn’t working and the complete department was blocked

We contacted Citrix Support about this issue, after which we were informed the public version of XNC didn’t support RegEx expression, although you are able to enter them. They did however had a private version, in which RegEx expressions were working. We were given two new executables, which needed to be replaced within the Citrix Gateway Connector folder.

The private version has an additional option “Is Regex”, which allowed us to whitelist a complete AD domain, making us of a RegEx expression.
The “Static Rule” above allowed all users, within the AD Domain “PepperByte”, to access the ActiveSync URL, without being blocked by the Citrix Gateway connector for Exchange ActiveSync