Product Documentation

XenMobile NetScaler Connector

Oct 20, 2015

XenMobile NetScaler Connector is a solution that controls access to corporate email, calendar, and contacts from mobile devices. XenMobile NetScaler Connector allows customers to send a list of compliant devices from XenMobile Device Manager to NetScaler, which in turn controls which mobile devices are allowed to sync with the corporate Exchange Server.

Device Manager provides complete protection for mobile apps, network, and data, and ensures end-to-end security and compliance. NetScaler optimizes, secures, and controls the delivery of all enterprise and cloud services. Together, the two Citrix products provide the ability to scale, ensure high availability for apps, and maintain security while reducing mobility deployment and management costs.

XenMobile NetScaler Connector provides a device-level authorization service of ActiveSync clients to NetScaler acting as a reverse proxy for the Exchange ActiveSync protocol. Authorization is controlled by a combination of policies that you define within Device Manager and by rules defined locally by XenMobile NetScaler Connector.

Device Manager provides whitelisting (approved) and blacklisting (forbidden) policies for devices based on compliance with high-level policies, such as detection of jailbroken devices or detection of specific apps. XenMobile NetScaler Connector local rules are typically used to augment the Device Manager rules in cases where specific overrides are required; for example, to block all devices using a specific operating system version.

About This Release

XenMobile NetScaler Connector provides the following capabilities:

  • Filter-based rules to allow or block access. XenMobile NetScaler Connector evaluates a particular client request routed through NetScaler against the organization's rules. The end result is a binary state of allowed, in which the client is permitted to contact the Microsoft Exchange 2010 Client Access Server (CAS), or blocked, in which the client request is dropped and access to the Exchange CAS is not permitted. Paired with settings in the Device Manager console, you can prevent Exchange ActiveSync email access to device users based on compliance criteria, such as when a blacklisted app is installed on the device, if the device is jailbroken, and so on.
  • A two-tiered filter model. The first tier parses the incoming HTTP requests based on path-specific information. The second tier filters based on user- or device-specific information. You can configure both tiers.
  • Filter rules stored in configuration files. Specific filter rules pertaining to the user accounts and devices in your organization are stored in the gateway's XML configuration files.

Deploy

Provides deployment information for XenMobile NetScaler Connector.

Install and Setup

Provides information about how to install XenMobile NetScaler Connector on either its own server or on the same server as Device Manager.

Manage

Provides information on choosing a security model for your organization, creating block or allow policies, setting static or dynamic filters, and connecting to Device Manager. This section also provides information about enabling and understanding email attachment encryption.

Monitor

Provides information about enabling XenMobile NetScaler Connector logging.

Key Features of XenMobile NetScaler Connector

The key features of XenMobile NetScaler Connector are:

  • Access control of HTTP ActiveSync requests. XenMobile NetScaler Connector can control the HTTP ActiveSync requests that mobile devices make of Exchange Servers. You can build filters in XenMobile NetScaler Connector that enable you to allow or block user devices, based on rules and criteria that you specify. When you set the rules in XenMobile NetScaler Connector, you can turn on and off the rules in XenMobile Device Manager, which then manages the ability for devices to access email within the organization.
  • Remote configuration. Device Manager controls the baseline and delta intervals used by XenMobile NetScaler Connector.
  • Logging. On the Log tab of the XenMobile NetScaler Connector configuration utility, you can view when the encryption is enabled for a given user device at the request level, in addition to devices that are allowed or blocked.

XenMobile NetScaler Connector System Requirements

XenMobile NetScaler Connector communicates with NetScaler over an SSL bridge configured on the NetScaler appliance that enables the appliance to bridge all secure traffic directly to XenMobile Device Manager.

You can install XenMobile NetScaler Connector on its own server or on the same server as Device Manager. XenMobile NetScaler Connector requires the following minimum system configuration:

Component | Requirement
Computer and processor | 733 MHz Pentium III or higher processor. 2.0 GHz Pentium III or higher processor (recommended)
NetScaler | NetScaler appliance with software version 1
Memory | 1 gigabyte (GB)
Hard disk | NTFS-formatted local partition with 150 MB of available hard-disk space
Operating system | Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 SP2 (recommended)
Other devices | Network adapter compatible with the host operating system for communication with the internal network
Display | VGA or higher-resolution monitor

The host computer for XenMobile NetScaler Connector requires the following minimum available hard disk space:

  • Application. 10-15 MB (100 MB recommended)
  • Logging. 1 GB (20 GB recommended)

Deploying XenMobile NetScaler Connector

XenMobile NetScaler Connector enables you to use NetScaler to proxy and load balance Device Manager communication with XenMobile managed devices. XenMobile NetScaler Connector communicates periodically with Device Manager to synchronize policies. XenMobile NetScaler Connector and Device Manager can be clustered, together or independently, and can be load balanced by NetScaler.
Figure 1. XenMobile NetScaler Connector Deployment

XenMobile NetScaler Connector Components

XenMobile NetScaler Connector consists of the following four components:
  • XenMobile NetScaler Connector service. This provides a REST web service interface that can be invoked by NetScaler to determine if an ActiveSync request from a device is authorized.
  • XenMobile configuration service. This service communicates with Device Manager to synchronize Device Manager policy changes with XenMobile NetScaler Connector.
  • XenMobile notification service. This service sends notifications of unauthorized device access to Device Manager so that Device Manager can take appropriate measures, such as notifying the user why the device was blocked.
  • XenMobile NetScaler configuration utility. This application allows the administrator to configure and monitor XenMobile NetScaler Connector.
Figure 2. XenMobile NetScaler Connector Components

Setting up listening addresses for XenMobile NetScaler Connector

In order for XenMobile NetScaler Connector to be able to receive requests from NetScaler to authorize ActiveSync traffic, you need to specify the port on which XenMobile NetScaler Connector listens to NetScaler web service calls.

  1. From the Start menu, select the XenMobile NetScaler configuration utility.
  2. Click the Web Service tab and then type the listening addresses for the XenMobile NetScaler Connector web service. You can select HTTP and/or HTTPS. If XenMobile NetScaler Connector is co-resident with Device Manager (installed on the same server), select port values that do not conflict with Device Manager.
  3. After the values are configured, click Save and then click Start Service to start the web service.

Configuring device access control policies in XenMobile NetScaler Connector

To configure the access control policy you want to apply to your managed devices, do the following:

  1. In the XenMobile NetScaler configuration utility, click the Path Filters tab.
  2. Select the first row, Microsoft-Server-ActiveSync, which is for ActiveSync, and then click Edit.
  3. From the Policy list, select the desired policy. For a policy that is inclusive of Device Manager policies, select Static + ZDM: Permit Mode or Static + ZDM: Block Mode. These policies combine local (or, static) rules with the rules from Device Manager. Permit Mode means that all devices not explicitly identified by the rules will be permitted access to ActiveSync. Block Mode means that such devices will be blocked.
  4. After setting the policies, click Save.

To configure communication with the Device Manager server

In this task, you will specify the name and properties of the XenMobile Device Manager server (also known as a Config Provider) that you want to use with XenMobile NetScaler Connector and NetScaler.

Note: This task assumes that you have already installed and configured the Device Manager server.
  1. In the XenMobile NetScaler Connector configuration utility, click the Config Providers tab and then click Add.
  2. Enter the name and URL of the Device Manager server you are using in this deployment. If you have multiple XenMobile Device Manager servers deployed in a Multi-Tenant deployment, this name must be unique for each server instance. For example, for Name, you could type XDM.
  3. In Url, enter the Web address of the Device Manager GlobalConfig Provider (GCP), typically in the format https://DeviceManagerHost/zdm/services/MagConfigService. The MagConfigService name is case-sensitive.
  4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
  5. In Managing Host, enter the server name where you installed XenMobile NetScaler Connector.
  6. In Baseline Interval, specify a time period for when a new refreshed dynamic ruleset is pulled from Device Manager.
  7. In Request Timeout, specify the server request timeout interval.
  8. In Config Provider, select if the config provider server instance is providing the policy configuration.
  9. In Events Enabled, enable this option if you want Secure Mobile Gateway to notify Device Manager when a device is blocked. This option is required if you are using Secure Mobile Gateway rules in any of your Device Manager Automated Actions.
  10. Once the server is configured, click Test Connectivity to test the connection to the Device Manager server.
  11. When connectivity has been established, click Save.

Deploying XenMobile NetScaler Connector for Redundancy and Scalability

If you want to scale your XenMobile NetScaler Connector and Device Manager deployment, you can install instances of XenMobile NetScaler Connector on multiple Windows Servers, all pointing to the same Device Manager instance, and then you can use NetScaler to load balance the servers.

There are two modes for the XenMobile NetScaler Connector configuration:
  • In non-shared mode, each XenMobile NetScaler Connector instance communicates with a Device Manager server and keeps its own private copy of the resulting policy. For example, if you had a cluster of Device Manager servers, you could run a XenMobile NetScaler Connector instance on each Device Manager server and XenMobile NetScaler Connector would get policies from the local Device Manager.
  • In shared mode, one XenMobile NetScaler Connector node is designated the primary node and it communicates with Device Manager. The resulting configuration is shared among the other nodes either by a Windows network share or by Windows (or third-party) replication.

The entire XenMobile NetScaler Connector configuration is in a single folder (consisting of a few XML files). The XenMobile NetScaler Connector process detects changes to any file in this folder and automatically reloads the configuration. There is no failover for the primary node in shared mode. But the system can tolerate the primary server being down for a few minutes (for example, to restart) because the last known good configuration is cached in the XenMobile NetScaler Connector process.

Installing XenMobile NetScaler Connector

You can install XenMobile NetScaler Connector on its own server or on the same server where you installed XenMobile Device Manager.

You can consider installing XenMobile NetScaler Connector on its own server (separate from Device Manager) for the following reasons:
  • If your Device Manager server is hosted remotely in the cloud (physical location).
  • If you do not want XenMobile NetScaler Connector to be affected by restarts of the Device Manager server (availability).
  • If you want a server's system resources to be devoted entirely to XenMobile NetScaler Connector (performance).

The CPU load that XenMobile NetScaler Connector puts on a server depends on how many devices are managed, but a general rule of thumb is to provision for one additional CPU core if XenMobile NetScaler Connector is deployed on the same server as Device Manager. For large numbers of devices (more than 50,000), you may need to provision additional cores if you do not have a clustered environment. The memory footprint of XenMobile NetScaler Connector is not significant enough to warrant additional memory.

  1. Run XncInstaller.exe with an administrator account to install XenMobile NetScaler Connector (XNC) or allow for upgrade or removal of an existing XenMobile NetScaler Connector.
  2. Follow the onscreen instructions to complete the installation, upgrade, or uninstallation.

After you install XenMobile NetScaler Connector, you must manually restart the XenMobile configuration service and the notification service.

Managing XenMobile NetScaler Connector

You can use XenMobile NetScaler Connector to build access control rules to either allow or block access to ActiveSync connection requests from managed devices, based on device status, app blacklists or whitelists, and other compliance conditions.

By using the XenMobile NetScaler Connector configuration utility, you can build dynamic and static rules that enforce corporate email policies, allowing you to block users who are in violation of compliance standards. You can also set up email attachment encryption, so that all attachments that pass through your Exchange Server to managed devices are encrypted and only viewable on managed devices by authorized users.

Configuring XenMobile NetScaler Connector

You can configure XenMobile NetScaler Connector to selectively block or allow ActiveSync requests based on the following properties: Active Sync Service ID, Device type, User Agent (device operating system), Authorized user, and ActiveSync Command.

The default configuration supports a combination of static and dynamic groups. You maintain static groups by using the SMG Controller Configuration utility. The static groups may consist of known categories of devices, such as all devices using a given user agent.

Dynamic groups are maintained by an external source called a Gateway Configuration Provider and collected by XenMobile NetScaler Connector on a periodic basis. XenMobile Device Manager can export groups of allowed and blocked devices and users to XenMobile NetScaler Connector.

A policy is an ordered list of groups in which each group has an associated action (allow or block) and a list of group members. A policy may have any number of groups. Group ordering within a policy is important because when a match is found the action of the group is taken, and subsequent groups are not evaluated.

A member defines a way to match the properties of a request. It can match a single property, such as device ID, or multiple properties, such as device type and user agent.

Choosing a Security Model for XenMobile NetScaler Connector

Permissive Model (Permit Mode)

Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to use some form of protected or quarantined network control to allow access to a user, computer, or device by default, it is not always a good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices.

The same logic applies to mobile device security. The vast numbers of mobile devices and types, quantities of mobile devices per user, and the array of operating system platforms and apps available make the very idea of using a permissive model a weak choice. In most organizations, the restrictive model will be the most logical choice.

The configuration scenarios that Citrix allows for integrating XenMobile NetScaler Connector with Device Manager are as follows:

The permissive security model operates on the premise that everything is either allowed or granted access by default. Only in the case of rules and filtering will something be blocked and a restriction applied. The permissive security model is good for organizations that have relatively loose security concerns about mobile devices and apply restrictive controls to deny access only where appropriate (when a policy rule fails).

The Restrictive Model (Block Mode)

The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security check point is filtered and inspected, and is denied access unless the rules allowing access are passed. The restrictive security model is good for organizations that have a relatively tight security criterion about mobile devices. The mode only grants access for use and functionality with the network services when all rules to allow access have passed.

Configuring XenMobile NetScaler Connector Policy Modes

XenMobile NetScaler Connector can run in the following six modes:

  • Allow All. This policy mode grants access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.
  • Deny All. This policy mode blocks access for all traffic passing through XenMobile NetScaler Connector. No other filtering rules are used.
  • Static Rules: Block Mode. This policy mode executes static rules with an implicit deny or block statement at the end. Devices that are not allowed or permitted via other filter rules are blocked by XenMobile NetScaler Connector.
  • Static Rules: Permit Mode. This policy mode executes static rules with an implicit permit or allow statement at the end. Devices that are not blocked or denied via other filter rules are allowed through XenMobile NetScaler Connector.
  • Static + ZDM Rules: Block Mode. This policy mode executes static rules first, followed by dynamic rules from Device Manager with an implicit deny or block statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are blocked.
  • Static + ZDM Rules: Permit Mode. This policy mode executes static rules first, followed by dynamic rules from Device Manager with an implicit permit or allow statement at the end. Devices are permitted or denied based on defined filters and Device Manager rules. Any devices that do not match on defined filters and rules are allowed.

The XenMobile NetScaler Connector process permits or blocks for dynamic rules based on unique ActiveSync IDs for iOS and Windows-based mobile devices received from Device Manager. Android devices differ in their behavior based on the manufacturer and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed because Android devices cannot be definitively differentiated. The gateway can still be configured to statically block these devices by ActiveSyncID, if they are known, and can also be configured to block based on device type or user agent.
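The evaluation order described above, together with the group and member model from "Configuring XenMobile NetScaler Connector", as an added Python sketch. It is not Citrix code and does not reproduce the config.xml schema; the Group class, the evaluate function, the property names, exact-string matching, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    action: str            # "allow" or "block"
    members: list          # each member: dict of request property -> required value
    dynamic: bool = False  # True when the group is supplied by Device Manager

    def matches(self, request):
        # A member may name one property (device ID) or several (device type
        # plus user agent); every property it names must match the request.
        # Exact string comparison is an assumption of this sketch.
        return any(m and all(request.get(k) == v for k, v in m.items())
                   for m in self.members)


def evaluate(mode, groups, request):
    """Return (decision, reason) for one ActiveSync request under a policy mode."""
    if mode == "Allow All":
        return ("allow", "mode")
    if mode == "Deny All":
        return ("block", "mode")
    if not (mode.endswith("Block Mode") or mode.endswith("Permit Mode")):
        raise ValueError("unknown policy mode: " + mode)

    # Static rules run first; Device Manager rules only in the Static + ZDM modes.
    ordered = [g for g in groups if not g.dynamic]
    if mode.startswith("Static + ZDM"):
        ordered += [g for g in groups if g.dynamic]

    # First matching group decides; later groups are never evaluated.
    for group in ordered:
        if group.matches(request):
            return (group.action, group.name)

    # No group matched: the mode's implicit final statement applies.
    default = "block" if mode.endswith("Block Mode") else "allow"
    return (default, "implicit " + default)


# Constructed sample policy. The dynamic allow group carries an ActiveSync ID
# for an iOS device and a user ID for an Android user, as the text describes.
GROUPS = [
    Group("static-block-known-android", "block", [{"device_id": "ANDROID-LOST-02"}]),
    Group("static-block-old-os", "block",
          [{"device_type": "iPhone", "user_agent": "ExampleOS/1.0"}]),
    Group("static-allow-user", "allow", [{"user": "corp\\AllowedUser"}]),
    Group("dm-allow", "allow",
          [{"device_id": "IOS-AAAA1111"}, {"user": "corp\\droiduser"}], dynamic=True),
    Group("dm-block", "block", [{"device_id": "IOS-BBBB2222"}], dynamic=True),
]

BLOCK = "Static + ZDM Rules: Block Mode"
PERMIT = "Static + ZDM Rules: Permit Mode"


def android(device_id):
    # Constructed request for one of corp\droiduser's Android devices.
    return {"user": "corp\\droiduser", "device_id": device_id,
            "device_type": "Android", "user_agent": "ExampleDroid/4.0"}


if __name__ == "__main__":
    unknown = {"user": "corp\\someone", "device_id": "UNKNOWN-1",
               "device_type": "iPad", "user_agent": "ExampleOS/2.0"}
    print("unknown device, block mode :", evaluate(BLOCK, GROUPS, unknown))
    print("unknown device, permit mode:", evaluate(PERMIT, GROUPS, unknown))
    # Every Android device of the user matches the user-ID member ...
    print("android, new device        :", evaluate(BLOCK, GROUPS, android("ANDROID-NEW-01")))
    print("android, another device    :", evaluate(BLOCK, GROUPS, android("ANDROID-NEW-03")))
    # ... unless a static rule on a known ActiveSync ID is evaluated first.
    print("android, known lost device :", evaluate(BLOCK, GROUPS, android("ANDROID-LOST-02")))
```

The unmatched-device case is the one to review when choosing a mode: the same rule set yields opposite decisions for an unknown device depending only on whether the mode ends in Block Mode or Permit Mode.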

To specify the policy mode, in the SMG Controller Configuration utility, do the following:
  1. Click the Path Filters tab and then click Add.
  2. In the Path Properties dialog box, select a policy mode from the Policy drop-down list and then click Save.

You can review rules on the Policies tab of the configuration utility. The rules are processed on XenMobile NetScaler Connector from top to bottom. The Allow policies are displayed with a green checkmark. The Deny policies are shown as a red circle with a line through it. To refresh the screen and see the most updated rules, click Refresh. You can also modify the ordering of rules in the config.xml file.

To test rules, click the Simulator tab. Specify values in the fields. These can also be obtained from the logs. A result message will appear specifying Allow or Block.

To configure static rules

You must enter static rules with values that are read by the ISAPI filtering of the ActiveSync connection HTTP request. Static rules enable XenMobile NetScaler Connector to permit or block traffic by the following criteria:

  • User. XenMobile NetScaler Connector uses the authorized user value and name structure that was captured during device enrollment. This is commonly found as domain\username as referenced by the server running Device Manager connected to Active Directory via LDAP. The Log tab within the XenMobile NetScaler Connector configuration utility will show the values that are passed through XenMobile NetScaler Connector if the value structure needs to be determined or is different.
  • Deviceid (ActiveSyncID). Also known as the ActiveSyncID of the connected device. This value is commonly found within the specific device properties page in the Device Manager web console. This value can also be screened from the Log tab in the XenMobile NetScaler Connector configuration utility.
  • DeviceType. XenMobile NetScaler Connector can determine if a device is an iPhone, iPad, or other device type and can permit or block based on that criteria. As with other values, the XenMobile NetScaler Connector configuration utility can reveal all connected device types being processed for the ActiveSync connection.
  • UserAgent. Contains information on the ActiveSync client that is used. In most cases, the value specified corresponds to a specific operating system build and version for the mobile device platform.

The XenMobile NetScaler Connector configuration utility running on the server always manages the static rules.

  1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.
  2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, you can enter a user to allow access by entering the user name (for example, AllowedUser) and then clearing the Disabled check box.
  3. Click Save.

    The static rule is now in effect. Additionally, you can use regular expressions to define values, but you must enable the rule processing mode in the config.xml file.

To configure dynamic rules

Dynamic rules are defined by device policies and properties in Device Manager and can trigger a dynamic XenMobile NetScaler Connector filter based on the presence of a policy violation or property setting. The XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following configuration options enable you to define whether you want to allow or deny the devices in the Device List by using XenMobile NetScaler Connector.

Note: These dynamic rules must be configured on the Device Manager web console.
  1. Open the Device Manager web console and then click Options from the console banner.
  2. In the left-hand navigation, click Mobile Configuration and then click XenMobile NetScaler Connector.
  3. In the Enable column, select the check boxes for the filters that you want to enable and then select either the Allow or Deny check box.

To configure custom policies by editing the XenMobile NetScaler Connector XML file

You can view the basic policies in the default configuration on the Policies tab of the XenMobile NetScaler Connector configuration utility. If you want to create custom policies, you can edit the XenMobile NetScaler Connector XML configuration file (config\config.xml).

  1. Find the PolicyList section in the file and then add a new Policy element.
  2. If a new group is also required, such as an additional static group or a group to support an additional GCP, add the new Group element to the GroupList section.
  3. Optionally, you can change the ordering of groups within an existing policy by rearranging the GroupRef elements.

Configuring the XenMobile NetScaler Connector XML File

The XenMobile NetScaler Connector uses an XML configuration file to dictate the actions of XenMobile NetScaler Connector. Among other entries, the file specifies the group files and associated actions the filter will take when evaluating HTTP requests. By default, the file is named config.xml and can be found at the following location: ..\Program Files\Citrix\XenMobile NetScaler Connector\config\.

GroupRef Nodes
The GroupRef nodes define the logical group names - by default, the AllowGroup and the DenyGroup.
Note: The order of the GroupRef nodes as they appear in the GroupRefList node is significant.

The ID value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attribute specifies how the filter will treat a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set will "pass" (be allowed to access the Exchange CAS), while a user account or device that matches a rule in the DenyGroup set will be "rejected" (not allowed to access the Exchange CAS).

When a particular user account/device or combination meets rules in both groups, a precedence convention is used to direct the request's outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top to bottom. The GroupRef nodes are ranked in priority order. Rules for a given condition in the Allow group will always take precedence over rules for the same condition in the Deny group.

Group Nodes
Additionally, the config.xml defines Group nodes. These nodes link the logical containers AllowGroup and DenyGroup to external XML files. Entries stored in the external files form the basis of the filter rules.
Note: In this release, only external XML files are supported.

The default installation implements two XML files in the configuration - allow.xml and deny.xml.

To import a policy from Device Manager

  1. In the XenMobile NetScaler configuration utility, click the Config Providers tab and then click Add.
  2. In the Config Providers dialog box, in Name, enter a user name that will be used for basic HTTP authorization with the Device Manager web server and that has administrative privileges.
  3. In Url, enter the web address of the XenMobile Device Manager Gateway Configuration Service (GCS), typically in the format https://xdmHost/xdm/services/MagConfigService.

    The MagConfigService name is case-sensitive.

  4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.

To configure a connection to XenMobile NetScaler Connector

XenMobile NetScaler Connector communicates with XenMobile Device Manager and other remote configuration providers through secure web services.

  1. In the XenMobile NetScaler Connector configuration utility, click the Config Providers tab and then click Add.
  2. In the Config Providers dialog box, in Name, enter a user name that has administrative privileges and will be used for basic HTTP authorization with the Device Manager web server.
  3. In Url, enter the web address of the Device Manager GCS, typically in the format https://ZdmHost/zdm/services/MagConfigService.

    The MagConfigService name is case-sensitive.

  4. In Password, enter the password that will be used for basic HTTP authorization with the Device Manager web server.
  5. In Managing Host, enter the XenMobile NetScaler Connector server name.
  6. In Baseline Interval, specify a time period for when a new refreshed dynamic ruleset is pulled from Device Manager.
  7. In Delta interval, specify a time period for when an update of dynamic rules is pulled.
  8. In Request Timeout, specify the server request timeout interval.
  9. In Config Provider, select if the configuration provider server instance is providing the policy configuration.
  10. In Events Enabled, enable this option if you want XenMobile NetScaler Connector to notify Device Manager when a device is blocked. This option is required if you are using the XenMobile NetScaler Connector rules in any of your Device Manager Automated Actions.
  11. Click Save and then click Test Connectivity to test gateway-to-configuration provider connectivity.
  12. When the connection succeeds, clear the Disabled check box and then click Save.

When you add a new configuration provider, XenMobile NetScaler Connector automatically creates one or more policies associated with the provider. These policies are defined by a template definition contained in config\policyTemplates.xml in the NewPolicyTemplate section. For each Policy element defined within this section, a new policy is created. The operator may add, remove, or modify policy elements provided that the policy element conforms to the schema definition, and that the standard substitution strings (enclosed in braces) are not modified. Next, add new groups for the provider and update the policy to include the new groups.

Choosing Filters for XenMobile NetScaler Connector

The XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following filters are available for XenMobile NetScaler Connector within XenMobile Device Manager.
  • Blacklisted Apps. Allows or denies devices based on the Device List defined by blacklist policies and the presence of blacklisted apps.
  • Whitelisted Apps only. Allows or denies devices based on the Device List defined by whitelist policies and the presence of non-whitelisted apps.
  • Unmanaged Devices. Creates a Device List of all devices in the Device Manager database. The Mobile Application Gateway needs to be deployed in a Block Mode.
  • Rooted Android / Jailbroken iOS Devices. Creates a Device List of all devices flagged as rooted and allows or denies based on rooted status.
  • Out of Compliance Devices. Allows you to deny or allow devices that meet your own internal IT compliance criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, which is a Boolean flag that can be either True or False. (You can create this property manually and set the value, or you can use Automated Actions to create this property on a device if the device does or does not meet specific criteria.)
    • Out of Compliance = True. If a device does not meet the compliance standards and policy definitions set by your IT department, the device is out of compliance.
    • Out of Compliance = False. If a device does meet the compliance standards and policy definitions set by your IT department, the device is compliant.
  • Noncompliant password. Creates a Device List of all devices that do not have a passcode on the device.
  • Revoked Status. Creates a Device List of all revoked devices and allows or denies based on revoked status.
  • Inactive devices. Creates a Device List of devices that have not communicated with Device Manager within a specified period of time and are thus considered inactive and allows or denies the devices accordingly.
  • Anonymous Devices. Allows or denies devices that are enrolled in Device Manager but the user's identity is unknown. For example, this could be a user who was enrolled, but the user's Active Directory password is expired, or a user who enrolled with unknown credentials.
  • Implicit Allow / Deny. Creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies based on that list. The Implicit Allow/Deny option ensures that the XenMobile NetScaler Connector status in the Devices tab is enabled and shows the XenMobile NetScaler Connector status for your devices. The Implicit Allow/Deny option also controls all of the other XenMobile NetScaler Connector filters that have not been selected. For example, Blacklisted Apps will be denied (blocked) by XenMobile NetScaler Connector, whereas all other filters will be allowed because the Implicit Allow/Deny option is set to Allow.

To simulate ActiveSync traffic with XenMobile NetScaler Connector

You can use the XenMobile NetScaler Connector to simulate what ActiveSync traffic will look like in conjunction with your policies. In the XenMobile NetScaler Connector configuration utility, select the Simulations tab. The results show you how your policies will apply according to the rules you have configured.

Monitoring XenMobile NetScaler Connector

The XenMobile NetScaler Connector configuration utility provides detailed logging that you can use to view all traffic passing through your Exchange Server that is either allowed or blocked by Secure Mobile Gateway.

Use the Log tab to view the history of the ActiveSync requests forwarded to XenMobile NetScaler Connector by NetScaler for authorization.

Also, to make sure the XenMobile NetScaler Connector web service is running, you can load the following URL into a browser on the XenMobile NetScaler Connector server: http://<host:port>/services/ActiveSync/Version. If the URL returns the product version as a string, the web service is responsive.