Citrix Endpoint Management

NetScaler Gateway connector for Exchange ActiveSync

XenMobile NetScaler Connector is now the NetScaler Gateway connector for Exchange ActiveSync. For more details about the Citrix unified portfolio, see the Citrix product guide.

The connector for Exchange ActiveSync provides device-level authorization of ActiveSync clients to NetScaler Gateway, which acts as a reverse proxy for the Exchange ActiveSync protocol. You control authorization through a combination of:

  • Policies that you define in Citrix Endpoint Management
  • Rules defined locally by the NetScaler Gateway connector for Exchange ActiveSync

For more information, see ActiveSync Gateway.

For a detailed reference architecture diagram, see Architecture.

The current version of the NetScaler Gateway connector for Exchange ActiveSync is version 8.5.3.

To download the connector:

  1. Go to https://www.citrix.com/downloads.
  2. Navigate to Citrix Endpoint Management (and Citrix XenMobile Server) > XenMobile Server (on-premises) > Product Software > XenMobile Server 10 > Server Components.
  3. On the NetScaler Gateway Connector tile, click Download File.

To install the connector, see Installing the NetScaler Gateway connector for Exchange ActiveSync.

Important:

Starting in October 2022, the Citrix Endpoint Management and NetScaler Gateway connectors for Exchange ActiveSync will no longer support Exchange Online given the authentication changes announced by Microsoft here. The Citrix Endpoint Management connector for Exchange continues to work with Microsoft Exchange Server (on-premises).

What’s new in version 8.5.3

  • This release adds support for ActiveSync protocols 16.0 and 16.1.
  • More detail has been added to the analytics sent to Google Analytics, especially concerning snapshots. [CXM-52261]

What’s new in earlier versions

Note:

The following What’s new section refers to the NetScaler Gateway connector for Exchange ActiveSync by its former name, XenMobile NetScaler Connector. The name changed from version 8.5.2.

What’s new in version 8.5.2

  • XenMobile NetScaler Connector is now the NetScaler Gateway connector for Exchange ActiveSync.

The following issues are fixed in this version:

  • If more than one criterion is used in defining a policy rule and if a criterion involves the user ID, the following issue can occur: If a user has several aliases, the additional aliases aren’t checked when the rule is applied. [CXM-55355]

What’s new in version 8.5.1.11

  • System requirement change: The current version of NetScaler Connector requires Microsoft .NET Framework 4.5.

  • Google Analytics support: We want to know how you use the Connector so we can focus on where we can make the product better.

  • Support for TLS 1.1 and 1.2: Because of their weakening security, the PCI Council is deprecating TLS 1.0 and TLS 1.1. Support for TLS 1.2 is added to the XenMobile NetScaler Connector.

Monitoring NetScaler Gateway connector for Exchange ActiveSync

The configuration utility for the NetScaler Gateway connector for Exchange ActiveSync provides detailed logging. Use the logs to view all traffic passing through your Exchange Server that the Secure Mobile Gateway either allows or blocks.

Use the Log tab to view the history of the ActiveSync requests forwarded to the connector for Exchange ActiveSync for authorization.

Also, to make sure that the web service of the connector for Exchange ActiveSync is running, load the following URL into a browser on the connector server: https://<host:port>/services/ActiveSync/Version. If the URL returns the product version as a string, the web service is responsive.

To simulate ActiveSync traffic with the connector for Exchange ActiveSync

You can use the NetScaler Gateway connector for Exchange ActiveSync to simulate ActiveSync traffic with your policies. In the connector configuration utility, click the Simulator tab. The results show how your policies apply according to the rules you configured.

Choosing filters for the connector for Exchange ActiveSync

The NetScaler Gateway connector for Exchange ActiveSync filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the criteria defined. The following filters are available for the connector for Exchange ActiveSync within Citrix Endpoint Management. The two options for each filter are Allow or Deny.

  • Anonymous Devices: Allows or denies devices that are enrolled in Citrix Endpoint Management but the user’s identity is unknown. For example, an enrolled user has an unknown identity if the user has an expired Active Directory password or unknown credentials.
  • Forbidden Apps: Allows or denies devices based on the Device List defined by block lists in policies and the presence of apps on a block list.
  • Implicit Allow/Deny: Creates a Device List of all devices that do not meet any of the other filter rule criteria and allows or denies based on that list. The Implicit Allow/Deny option makes sure that the connector for Exchange ActiveSync status in the Devices tab is enabled and shows the connector status for your devices. The Implicit Allow/Deny option also controls all other connector filters that aren’t selected. For example, the connector denies apps on the block list. However, the connector allows all other filters because the Implicit Allow/Deny option is set to Allow.
  • Inactive devices: Creates a Device List of devices that haven’t communicated with Citrix Endpoint Management within a specified time. These devices are considered inactive. The filter allows or denies the devices accordingly.
  • Missing required apps: When a user enrolls, the user receives a list of required apps that must be installed. The missing required apps filter indicates that one or more of the apps is no longer present; for example, the user deleted one or more apps.
  • Non-Suggested Apps: When a user enrolls, the user receives a list of the apps to install. The non-suggested apps filter checks the device for apps that aren’t in that list.
  • Noncompliant password: Creates a Device List of all devices that do not have a passcode on the device.
  • Out of Compliance Devices: Allows you to deny or allow devices that meet your own internal IT compliance criteria. Compliance is an arbitrary setting defined by the device property named Out of Compliance, which is a Boolean flag that can be either True or False. (You can create this property manually and set the value. Or you can use automated actions to create this property on a device, based on whether the device meets specific criteria.)
    • Out of Compliance = True: If a device does not meet the compliance standards and policy definitions set by your IT department, the device is out of compliance.
    • Out of Compliance = False: If a device does meet the compliance standards and policy definitions set by your IT department, the device is compliant.
  • Revoked Status: Creates a Device List of all revoked devices and allows or denies based on revoked status.
  • Rooted Android/Jailbroken iOS Devices: Creates a Device List of all devices flagged as rooted and allows or denies based on rooted status.
  • Unmanaged Devices: Creates a Device List of all devices in the Citrix Endpoint Management database. Deploy the Mobile Application Gateway in a Block Mode.

To configure a connection to NetScaler Gateway connector for Exchange ActiveSync

The NetScaler Gateway connector for Exchange ActiveSync communicates with Citrix Endpoint Management and other remote configuration providers through Citrix Secure Web services.

  1. In the configuration utility for the connector for Exchange ActiveSync, click the Config Providers tab and then click Add.
  2. In the Config Providers dialog box, in Name, enter a user name that has administrative privileges and is used for basic HTTP authorization with the Citrix Endpoint Management server.
  3. In Url, enter the web address of the Citrix Endpoint Management GCS, typically in the format https://<FQDN>/<instanceName>/services/<MagConfigService>. The MagConfigService name is case-sensitive.
  4. In Password, enter the password to use for basic HTTP authorization with the Citrix Endpoint Management server.
  5. In Managing Host, enter the name of the server where the connector for Exchange ActiveSync is installed.
  6. In Baseline Interval, specify a time period for when to pull a new refreshed dynamic ruleset from Citrix Endpoint Management.
  7. In Delta interval, specify a time period for when to pull an update of the dynamic rules.
  8. In Request Timeout, specify the server request timeout interval.
  9. In Config Provider, select if the configuration provider server instance is providing the policy configuration.
  10. In Events Enabled, enable this option if you want the connector for Exchange ActiveSync to notify Citrix Endpoint Management when a device is blocked. This option is required if you’re using the connector rules in any of your Citrix Endpoint Management Automated Actions.
  11. Click Save and then click Test Connectivity to test gateway-to-configuration provider connectivity. If the connection fails, check that the local firewall settings allow the connection or contact your administrator.
  12. When the connection succeeds, clear the Disabled checkbox and then click Save.

When you add a configuration provider, the connector for Exchange ActiveSync automatically creates one or more policies associated with the provider. A template definition contained in config\policyTemplates.xml in the NewPolicyTemplate section defines the policies. For each Policy element defined within this section, a new policy is created.

The operator can add, remove, or modify policy elements if the following is true: The policy element conforms to the schema definition and the standard substitution strings (enclosed in braces) aren’t modified. Next, add new groups for the provider and update the policy to include the new groups.

To import a policy from Citrix Endpoint Management

  1. In the configuration utility for the connector for Exchange ActiveSync, click the Config Providers tab and then click Add.
  2. In the Config Providers dialog box, in Name, enter a user name for basic HTTP authorization with Citrix Endpoint Management. The user must have administrative privileges.
  3. In Url, enter the web address of the Citrix Endpoint Management Gateway Configuration Service (GCS), typically in the format https://<xdmHost>/xdm/services/<MagConfigService>. The MagConfigService name is case-sensitive.
  4. In Password, enter the password that is used for basic HTTP authorization with the Citrix Endpoint Management server.
  5. Click Test Connectivity to test gateway-to-configuration provider connectivity. If the connection fails, check that your local firewall settings allow the connection or check with your administrator.
  6. When a connection is successfully made, clear the Disabled checkbox and then click Save.
  7. In Managing Host, leave the default DNS name of the local host computer. This setting is used to coordinate communication with Citrix Endpoint Management when multiple Forefront Threat Management Gateway (TMG) servers are configured in an array.

    After you save the settings, open the GCS.

Configuring NetScaler Gateway connector for Exchange ActiveSync policy mode

The NetScaler Gateway connector for Exchange ActiveSync can run in the following six modes:

  • Allow All: This policy mode grants access for all traffic passing through the connector for Exchange ActiveSync. No other filtering rules are used.
  • Deny All: This policy mode blocks access for all traffic passing through the connector for Exchange ActiveSync. No other filtering rules are used.
  • Static Rules: Block Mode: This policy mode runs static rules with an implicit deny or block statement at the end. The connector for Exchange ActiveSync blocks devices that aren’t allowed or permitted via other filter rules.
  • Static Rules: Permit Mode: This policy mode runs static rules with an implicit permit or allow statement at the end. Devices that aren’t blocked or denied via other filter rules are allowed through the connector for Exchange ActiveSync.
  • Static + ZDM Rules: Block Mode. This policy mode runs static rules first, followed by dynamic rules from Citrix Endpoint Management with an implicit deny or block statement at the end. Devices are permitted or denied based on defined filters and Citrix Endpoint Management rules. Any devices that do not match on defined filters and rules are blocked.
  • Static + ZDM Rules: Permit Mode. This policy mode runs static rules first, followed by dynamic rules from Citrix Endpoint Management with an implicit permit or allow statement at the end. Devices are permitted or denied based on defined filters and Citrix Endpoint Management rules. Any devices that do not match on defined filters and rules are allowed.

For dynamic rules, the connector for Exchange ActiveSync permits or blocks devices based on the unique ActiveSync IDs for iOS and Windows-based mobile devices that it receives from Citrix Endpoint Management. Android devices differ in their behavior based on the manufacturer and some do not readily expose a unique ActiveSync ID. To compensate, Citrix Endpoint Management sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed because Android devices can’t be differentiated. You can configure the gateway to statically block these devices by ActiveSyncID, if they’re known. You can also configure the gateway to block based on device type or user agent.

To specify the policy mode, in the SMG Controller Configuration utility, do the following:

  1. Click the Path Filters tab and then click Add.
  2. In the Path Properties dialog box, select a policy mode from the Policy list and then click Save.

You can review the rules on the Policies tab of the configuration utility. The rules are processed on the connector for Exchange ActiveSync from top to bottom. The Allow policies are displayed with a green check mark. The Deny policies are shown as a red circle with a line through it. To refresh the screen and see the most updated rules, click Refresh. You can also modify the ordering of rules in the config.xml file.

To test the rules, click the Simulator tab. Specify values in the fields. You can get the values from the logs. A result message specifies Allow or Block.

To configure static rules

Enter static rules with values that the ISAPI filtering of the ActiveSync connection HTTP requests reads. Static rules enable the connector for Exchange ActiveSync to permit or block traffic by the following criteria:

  • User: The connector for Exchange ActiveSync uses the authorized user value and name structure that was captured during device enrollment. That structure is commonly found as domain\username as referenced by the server running Citrix Endpoint Management connected to the Active Directory via LDAP. The Log tab in the connector configuration utility shows the values that pass through the connector. The values get passed if the connector must determine the value structure or if the structure differs.
  • DeviceID (ActiveSyncID): Also known as the ActiveSyncID of the connected device. This value is commonly found within the specific device properties page in the Citrix Endpoint Management console. This value can also be screened from the Log tab in the configuration utility for the connector for Exchange ActiveSync.
  • DeviceType: The connector for Exchange ActiveSync can determine if a device is an iPhone, iPad, or other device type and can permit or block based on that criteria. As with other values, the connector configuration utility can reveal all connected device types being processed for the ActiveSync connection.
  • UserAgent: Contains information on the ActiveSync client that is used. Usually, the value specified corresponds to a specific operating system build and version for the mobile device platform.

The configuration utility for the connector for Exchange ActiveSync, running on the server, always manages the static rules.

  1. In the SMG Controller Configuration utility, click the Static Rules tab and then click Add.
  2. In the Static Rule Properties dialog box, specify the values that you want to use as criteria. For example, you can enter a user to allow access by entering the user name (for example, AllowedUser) and then clearing the Disabled checkbox.
  3. Click Save.

    The static rule is now in effect. Also, you can use regular expressions to define values, but you must enable the rule processing mode in the config.xml file.

To configure dynamic rules

Device policies and properties in Citrix Endpoint Management define dynamic rules and can trigger a dynamic filter in the connector for Exchange ActiveSync. The triggers are based on the presence of a policy violation or property setting. The connector for Exchange ActiveSync filters work by analyzing a device for a given policy violation or property setting. If the device meets the criteria, the device is placed in a Device List. This Device List is not an allow list or a block list. It is a list of devices that meet the criteria defined. The following configuration options enable you to define whether you want to allow or deny the devices in the Device List by using the connector for Exchange ActiveSync.

Note:

Use the Citrix Endpoint Management console to configure dynamic rules.

  1. In the Citrix Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Under Server, click ActiveSync Gateway. The ActiveSync Gateway page appears.

  3. In Activate the following rules, select one or more rules you want to activate.

  4. In Android-only, in Send Android domain users to ActiveSync Gateway, click YES to make sure that Citrix Endpoint Management sends Android device information to the Secure Mobile Gateway.

    With this option enabled, Citrix Endpoint Management sends Android device information to the connector if Citrix Endpoint Management doesn’t have the ActiveSync identifier for the device user.

To configure custom policies by editing the XML file of the connector for Exchange ActiveSync

You can view the basic policies in the default configuration on the Policies tab of the configuration utility for the connector for Exchange ActiveSync. If you want to create custom policies, you can edit the XML configuration file of the NetScaler Gateway connector for Exchange ActiveSync (config\config.xml).

  1. Find the PolicyList section in the file and then add a new Policy element.
  2. If a new group is also required, such as another static group or a group to support another GCP, add the new Group element to the GroupList section.
  3. Optionally, you can change the ordering of groups within an existing policy by rearranging the GroupRef elements.

Configuring the connector for Exchange ActiveSync XML File

The connector for Exchange ActiveSync uses an XML configuration file to dictate the actions of the connector. Among other entries, the file specifies the group files and associated actions the filter takes when evaluating HTTP requests. By default, the file is named config.xml and can be found at the following location: ..\Program Files\Citrix\XenMobile NetScaler Connector\config.

GroupRef Nodes

The GroupRef nodes define the logical group names. The defaults are AllowGroup and DenyGroup.

Note:

The order of the GroupRef nodes as they appear in the GroupRefList node is significant.

The ID value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attributes specify how the filter treats a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set “passes.” To pass means to be allowed to access the Exchange CAS. A user account or device that matches a rule in the DenyGroup set is “rejected.” Rejected means not to be allowed to access the Exchange CAS.

When a particular user account/device or combination meets rules in both groups, a precedence convention is used to direct the request’s outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top to bottom. The GroupRef nodes are ranked in priority order. Rules for a given condition in the Allow group will always take precedence over rules for the same condition in the Deny group.

Group Nodes

Also, the config.xml defines Group nodes. These nodes link the logical containers AllowGroup and DenyGroup to external XML files. Entries stored in the external files form the basis of the filter rules.

Note:

In this version, only external XML files are supported.

The default installation implements two XML files in the configuration: allow.xml and deny.xml.

Configuring NetScaler Gateway connector for Exchange ActiveSync

You can configure the NetScaler Gateway connector for Exchange ActiveSync to selectively block or allow ActiveSync requests based on the following properties: Active Sync Service ID, Device type, User Agent (device operating system), Authorized user, and ActiveSync Command.

The default configuration supports a combination of static and dynamic groups. You maintain static groups by using the SMG Controller Configuration utility. The static groups can consist of known categories of devices, such as all devices using a given user agent.

An external source called a Gateway Configuration Provider maintains dynamic groups. The connector for Exchange ActiveSync collects dynamic groups periodically. Citrix Endpoint Management can export groups of allowed and blocked devices and users to the connector.

A policy is an ordered list of groups in which each group has an associated action (allow or block) and a list of group members. A policy can have any number of groups. Group ordering within a policy is important because when a match is found the action of the group is taken, and subsequent groups aren’t evaluated.

A member defines a way to match the properties of a request. It can match a single property, such as device ID, or multiple properties, such as device type and user agent.
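
The first-match evaluation described above, combined with the six policy modes listed earlier on this page, can be modelled in a few lines. This is an added illustration in Python, not Citrix code: the group names, users, device IDs and user agents are constructed, and exact string matching and the allow-before-deny order of the dynamic groups are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK = "Allow", "Block"
FIELDS = ("user", "device_id", "device_type", "user_agent", "command")


@dataclass(frozen=True)
class Request:
    """Properties of an ActiveSync request that the page lists as matchable."""
    user: str
    device_id: str
    device_type: str
    user_agent: str
    command: str = "Sync"


@dataclass(frozen=True)
class Member:
    """Matches one or several request properties; None means 'do not care'."""
    user: Optional[str] = None
    device_id: Optional[str] = None
    device_type: Optional[str] = None
    user_agent: Optional[str] = None
    command: Optional[str] = None

    def matches(self, req: Request) -> bool:
        # Assumption: exact string comparison on every property that is set.
        return all(getattr(self, f) is None or getattr(self, f) == getattr(req, f)
                   for f in FIELDS)


@dataclass(frozen=True)
class Group:
    name: str
    action: str      # ALLOW or BLOCK
    members: tuple   # Member objects


def evaluate(groups, implicit, req):
    """Walk the ordered groups; the first group with a matching member decides.
    Later groups are not evaluated. With no match, the implicit action applies."""
    for group in groups:
        if any(m.matches(req) for m in group.members):
            return group.action, group.name
    return implicit, "implicit"


# Constructed sample rules. Static groups are maintained locally; dynamic
# groups stand in for what Citrix Endpoint Management would export.
STATIC = (
    Group("StaticAllow", ALLOW, (Member(user="CORP\\alice"),)),
    Group("StaticDeny", BLOCK,
          (Member(device_type="TestPhone", user_agent="TestMail/1.0"),)),
)
DYNAMIC = (
    Group("DynamicAllow", ALLOW, (Member(device_id="DEV-MANAGED-01"),)),
    Group("DynamicDeny", BLOCK, (Member(device_id="DEV-ROOTED-02"),)),
)

# Each mode is an ordered group list plus the implicit action at the end.
MODES = {
    "Allow All": ((), ALLOW),
    "Deny All": ((), BLOCK),
    "Static Rules: Block Mode": (STATIC, BLOCK),
    "Static Rules: Permit Mode": (STATIC, ALLOW),
    "Static + ZDM Rules: Block Mode": (STATIC + DYNAMIC, BLOCK),
    "Static + ZDM Rules: Permit Mode": (STATIC + DYNAMIC, ALLOW),
}


def decide(mode, req):
    """Return (action, deciding group) for one request under one mode."""
    groups, implicit = MODES[mode]
    return evaluate(groups, implicit, req)


def decisions_by_mode(req):
    """Return the action every mode would take for the same request."""
    return {mode: decide(mode, req)[0] for mode in MODES}


# Constructed sample requests.
ALICE_ON_DENIED_CLIENT = Request("CORP\\alice", "DEV-UNKNOWN-09", "TestPhone", "TestMail/1.0")
BOB_MANAGED_DENIED_CLIENT = Request("CORP\\bob", "DEV-MANAGED-01", "TestPhone", "TestMail/1.0")
ROOTED = Request("CORP\\bob", "DEV-ROOTED-02", "iPhone", "SampleClient/1.0")
UNKNOWN = Request("CORP\\carol", "DEV-UNKNOWN-10", "iPad", "SampleClient/1.0")

if __name__ == "__main__":
    for label, req in [("alice, denied client", ALICE_ON_DENIED_CLIENT),
                       ("bob, managed device, denied client", BOB_MANAGED_DENIED_CLIENT),
                       ("rooted device", ROOTED), ("unknown device", UNKNOWN)]:
        print(label)
        for mode in MODES:
            print("  %-34s %s" % (mode, decide(mode, req)))
```

In this model the rooted device is blocked only in the two Static + ZDM modes; under Static Rules: Permit Mode it falls through to the implicit allow, and a static deny overrides a dynamic allow because static rules run first.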

Choosing a Security Model for NetScaler Gateway connector for Exchange ActiveSync

Establishing a security model is essential to a successful mobile device deployment for organizations of any size. It is common to use protected or quarantined network control to allow access to a user, computer, or device by default. This practice isn’t always ideal. Every organization that manages IT security might have a slightly different or tailored approach to security for mobile devices.

The same logic applies to mobile device security. Using a permissive model is a weak choice because of the multitude of mobile devices and types, mobile devices per user, and available operating system platforms and apps. In most organizations, the restrictive model is the most logical choice.

The configuration scenarios that Citrix allows for integrating the connector for Exchange ActiveSync with Citrix Endpoint Management are as follows:

Permissive Model (Permit Mode)

The permissive security model operates on the premise that everything is either allowed or granted access by default. Only through rules and filtering is something blocked and a restriction applied. The permissive security model is good for organizations that have a relatively loose security concern about mobile devices. The model only applies restrictive controls to deny access where appropriate (when a policy rule is failed).

Restrictive Model (Block Mode)

The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security check point is filtered and inspected, and is denied access unless the rules allowing access are passed. The restrictive security model is good for organizations that have a relatively tight security criterion about mobile devices. The mode only grants access for use and functionality with the network services when all rules to allow access have passed.

Managing NetScaler Gateway connector for Exchange ActiveSync

You can use the NetScaler Gateway connector for Exchange ActiveSync to build access control rules. The rules either allow or block access to ActiveSync connection requests from managed devices. Access is based on device status, app allow or block lists, and other compliance conditions.

By using the configuration utility for the connector for Exchange ActiveSync, you can build dynamic and static rules that enforce corporate email policies. Those rules and policies allow you to block users who are in violation of compliance standards. You can also set up email attachment encryption, so that all attachments that pass through your Exchange Server to managed devices are encrypted. Only authorized users with managed devices can view encrypted attachments.

To uninstall the XNC

  1. Run XncInstaller.exe with an administrator account.
  2. Follow the onscreen instructions to complete the uninstallation.

To install, upgrade, or uninstall the connector for Exchange ActiveSync

  1. Run XncInstaller.exe with an administrator account to install the connector for Exchange ActiveSync or allow for upgrade or removal of an existing connector.
  2. Follow the onscreen instructions to complete the installation, upgrade, or uninstallation.

After you install the connector for Exchange ActiveSync, you must manually restart the Citrix Endpoint Management configuration service and the notification service.

Installing NetScaler Gateway connector for Exchange ActiveSync

You can install the connector for Exchange ActiveSync on its own server or on the same server where you installed Citrix Endpoint Management.

You can consider installing the connector for Exchange ActiveSync on its own server (separate from Citrix Endpoint Management) for the following reasons:

  • If your Citrix Endpoint Management server is hosted remotely in the cloud (physical location)
  • If you do not want restarts of the Citrix Endpoint Management server to affect the connector for Exchange ActiveSync (availability)
  • If you want to devote a server’s system resources entirely to the connector for Exchange ActiveSync (performance)

The CPU load that the connector for Exchange ActiveSync puts on a server depends on how many devices are managed. A general recommendation is to provision for one more CPU core if the connector is deployed on the same server as Citrix Endpoint Management. For large numbers of devices (more than 50,000), you might need to provision more cores if you do not have a clustered environment. The memory footprint of the connector isn’t significant enough to warrant more memory.

NetScaler Gateway connector for Exchange ActiveSync system requirements

The NetScaler Gateway connector for Exchange ActiveSync communicates with NetScaler Gateway over an SSL bridge configured on the NetScaler Gateway appliance. The bridge enables the appliance to bridge all secure traffic directly to Citrix Endpoint Management. The connector for Exchange ActiveSync requires the following minimum system configuration:

| Component | Requirement |
|---|---|
| Computer and processor | 733 MHz Pentium III or higher processor. 2.0 GHz Pentium III or higher processor (recommended) |
| Citrix Gateway | Citrix Gateway appliance with software version 10 |
| Memory | 1 GB |
| Hard disk | NTFS-formatted local partition with 150 MB of available hard-disk space |
| Operating system | Windows Server 2016, Windows Server 2012 R2, or Windows Server 2008 R2 Service Pack 1. Must be an English-based server. Support for Windows Server 2008 R2 Service Pack 1 ends on January 14, 2020 and support for Windows Server 2012 R2 ends on October 10, 2023. |
| Other devices | Network adapter compatible with the host operating system for communication with the internal network |
| Microsoft .NET Framework | Version 8.5.1.11 requires Microsoft .NET Framework 4.5. |
| Display | VGA or higher-resolution monitor |

The host computer for the connector for Exchange ActiveSync requires the following minimum available hard disk space:

  • Application: 10–15 MB (100 MB recommended)
  • Logging: 1 GB (20 GB recommended)

For information about platform support for the connector for Exchange ActiveSync, see Supported device operating systems.

Device email clients

Not all email clients consistently return the same ActiveSync ID for a device. Because the connector for Exchange ActiveSync expects a unique ActiveSync ID for each device, the following is true: Only email clients that consistently generate the same, unique ActiveSync ID for each device are supported. Citrix has tested these email clients and the clients have performed without errors:

  • Samsung native email client
  • iOS native email client

Deploying NetScaler Gateway connector for Exchange ActiveSync

The NetScaler Gateway connector for Exchange ActiveSync enables you to use NetScaler Gateway to proxy and load balance Citrix Endpoint Management server communication with Citrix Endpoint Management managed devices. The connector for Exchange ActiveSync communicates periodically with Citrix Endpoint Management to synchronize policies. You can cluster the connector for Exchange ActiveSync and Citrix Endpoint Management, together or independently.

The connector for Exchange ActiveSync components

  • The connector for Exchange ActiveSync service: This service provides a REST web service interface that NetScaler Gateway can invoke to determine if an ActiveSync request from a device is authorized.
  • Citrix Endpoint Management configuration service: This service communicates with Citrix Endpoint Management to synchronize Citrix Endpoint Management policy changes with the connector for Exchange ActiveSync.
  • Citrix Endpoint Management notification service: This service sends notifications of unauthorized device access to Citrix Endpoint Management. In this way, Citrix Endpoint Management can take appropriate measures, such as notifying the user why the device was blocked.
  • The connector for Exchange ActiveSync configuration utility: This application allows the administrator to configure and monitor the connector for Exchange ActiveSync.

To set up listening addresses for NetScaler Gateway connector for Exchange ActiveSync

For the NetScaler Gateway connector for Exchange ActiveSync to receive requests from NetScaler Gateway to authorize ActiveSync traffic, specify the port on which the connector for Exchange ActiveSync listens to NetScaler Gateway web service calls.

  1. From the Start menu, select the configuration utility for the connector for Exchange ActiveSync.
  2. Click the Web Service tab and then type the listening addresses for the connector web service. You can select HTTP or HTTPS or both. If the connector for Exchange ActiveSync is co-resident with Citrix Endpoint Management (installed on the same server), select port values that do not conflict with Citrix Endpoint Management.
  3. After the values are configured, click Save and then click Start Service to start the web service.

To configure device access control policies in NetScaler Gateway connector for Exchange ActiveSync

To configure the access control policy you want to apply to your managed devices, do the following:

  1. In the connector for Exchange ActiveSync configuration utility, click the Path Filters tab.
  2. Select the first row, Microsoft-Server-ActiveSync, which is for ActiveSync, and then click Edit.
  3. From the Policy list, select the desired policy. For a policy that is inclusive of Citrix Endpoint Management policies, select Static + ZDM: Permit Mode or Static + ZDM: Block Mode. These policies combine local (or static) rules with the rules from Citrix Endpoint Management. Permit Mode means that all devices not explicitly identified by the rules are permitted access to ActiveSync. Block Mode means that such devices are blocked.
  4. After setting the policies, click Save.
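The difference between the two combined policies shows up only for devices that no rule identifies. The following is an added example, not Citrix code, that models the decision; the rule shape, the device IDs and the "static rules first, first match wins" ordering are assumptions, because the page names the policies but not the rule format or precedence.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

PERMIT_MODE = "Static + ZDM: Permit Mode"
BLOCK_MODE = "Static + ZDM: Block Mode"

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape; the page does not describe the rule format."""
    device_pattern: str  # glob over the ActiveSync device ID (assumed match key)
    action: str          # "permit" or "block"

def authorize(device_id, static_rules, zdm_rules, policy):
    """Return (decision, reason) for one device.

    Assumption: local (static) rules are checked before the rules pulled
    from Citrix Endpoint Management, and the first matching rule wins.
    """
    if policy not in (PERMIT_MODE, BLOCK_MODE):
        raise ValueError(f"unknown policy: {policy!r}")
    for source, rules in (("static", static_rules), ("ZDM", zdm_rules)):
        for rule in rules:
            if fnmatchcase(device_id, rule.device_pattern):
                return rule.action, f"{source} rule {rule.device_pattern}"
    # No rule identified the device, so the selected mode decides.
    default = "permit" if policy == PERMIT_MODE else "block"
    return default, f"no rule matched, {policy}"

# Constructed sample rules and device IDs.
STATIC_RULES = [Rule("LABTEST*", "block")]
ZDM_RULES = [Rule("ENROLLED001", "permit"), Rule("NONCOMPLIANT7", "block")]
DEVICES = ["ENROLLED001", "NONCOMPLIANT7", "LABTEST42", "UNKNOWN999"]

def decisions(policy):
    """Decision per sample device under the given policy."""
    return {d: authorize(d, STATIC_RULES, ZDM_RULES, policy)[0] for d in DEVICES}

def differing_devices():
    """Devices whose outcome depends on Permit Mode versus Block Mode."""
    permit, block = decisions(PERMIT_MODE), decisions(BLOCK_MODE)
    return [d for d in DEVICES if permit[d] != block[d]]

if __name__ == "__main__":
    for policy in (PERMIT_MODE, BLOCK_MODE):
        print(policy, decisions(policy))
    print("mode-dependent:", differing_devices())
```

Only the device that matches no rule changes outcome, which is why Permit Mode lets unmanaged devices reach ActiveSync unless a rule names them.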

To configure communication with Citrix Endpoint Management

Specify the name and properties of the Citrix Endpoint Management server that you want to use with the NetScaler Gateway connector for Exchange ActiveSync and NetScaler Gateway.

Note:

This task assumes that you have already installed and configured Citrix Endpoint Management. The connector for Exchange ActiveSync configuration utility uses the term Config Provider for Citrix Endpoint Management.

  1. In the connector for Exchange ActiveSync configuration utility, click the Config Providers tab and then click Add.
  2. Enter the name and URL of the Citrix Endpoint Management server that you’re using in this deployment. If you have multiple Citrix Endpoint Management servers deployed in a multitenant deployment, this name must be unique for each server instance.
  3. In Url, enter the Web address of the Citrix Endpoint Management GlobalConfig Provider (GCP), typically in the format https://<FQDN>/<instanceName>/services/<MagConfigService>. The MagConfigService name is case-sensitive.
  4. In Password, enter the password to use for basic HTTP authorization with the Citrix Endpoint Management web server.
  5. In Managing Host, enter the server name where you installed the connector for Exchange ActiveSync.
  6. In Baseline Interval, specify how often a refreshed dynamic ruleset is pulled from Citrix Endpoint Management.
  7. In Request Timeout, specify the server request timeout interval.
  8. In Config Provider, select if the config provider server instance is providing the policy configuration.
  9. In Events Enabled, enable this option if you want Secure Mobile Gateway to notify Citrix Endpoint Management when a device is blocked. This option is required if you’re using the Secure Mobile Gateway rules in any of your Citrix Endpoint Management Automated Actions.
  10. After configuring the server, click Test Connectivity to test the connection to Citrix Endpoint Management.
  11. When connectivity has been established, click Save.
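Because step 4 uses basic HTTP authorization, the scheme of the URL entered in step 3 decides whether the password is protected in transit. The following is an added example, not part of the Citrix utility, that checks a candidate URL against the format given in step 3 before it is entered; the host and instance name in the samples are constructed placeholders, and the exact lowercase match on `services` is an assumption taken from how the page writes the path.

```python
from urllib.parse import urlsplit

def check_config_provider_url(url):
    """Check a Config Provider URL against the shape given on the page:
    https://<FQDN>/<instanceName>/services/<MagConfigService>
    Returns (parts, findings); an empty findings list means no issue found.
    """
    u = urlsplit(url)
    segments = [s for s in u.path.split("/") if s]
    parts = {"fqdn": u.hostname, "instance": None, "service": None}
    findings = []
    if u.scheme != "https":
        findings.append("not https: basic HTTP authorization is only "
                        "base64-encoded, so the password is readable in transit")
    if u.username or u.password:
        findings.append("credentials in URL: enter them in the Password field")
    if not u.hostname or "." not in u.hostname:
        findings.append("host is not a fully qualified domain name")
    # The segment is compared exactly as the page writes it (lowercase).
    if len(segments) == 3 and segments[1] == "services":
        parts["instance"], parts["service"] = segments[0], segments[2]
    else:
        findings.append("path is not /<instanceName>/services/<MagConfigService>")
    if u.query or u.fragment:
        findings.append("unexpected query string or fragment")
    return parts, findings

# Constructed sample URLs; host and instance name are placeholders.
SAMPLES = {
    "good": "https://cem.example.com/instance1/services/MagConfigService",
    "cleartext": "http://cem.example.com/instance1/services/MagConfigService",
    "short_host": "https://cem/instance1/services/MagConfigService",
    "bad_path": "https://cem.example.com/services/MagConfigService",
    "inline_creds": "https://admin:secret@cem.example.com/instance1/services/MagConfigService",
}

def audit(samples=SAMPLES):
    """Number of findings per sample URL."""
    return {name: len(check_config_provider_url(u)[1]) for name, u in samples.items()}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, check_config_provider_url(url))
```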

Deploying NetScaler Gateway connector for Exchange ActiveSync for redundancy and scalability

To scale your NetScaler Gateway connector for Exchange ActiveSync and Citrix Endpoint Management deployment, you can install instances of the connector for Exchange ActiveSync on multiple Windows Servers. All connector instances point to the same Citrix Endpoint Management instance. Then you can use NetScaler Gateway to load balance the servers.

There are two modes for the connector for Exchange ActiveSync configuration:

  • In non-shared mode, each connector for Exchange ActiveSync instance communicates with a Citrix Endpoint Management server and keeps its own private copy of the resulting policy. For example, for a cluster of Citrix Endpoint Management servers you can run a connector instance on each Citrix Endpoint Management server. The connector then gets policies from the local Citrix Endpoint Management instance.
  • In shared mode, one connector for Exchange ActiveSync node is designated the primary node. The connector communicates with Citrix Endpoint Management. The other nodes share the resulting configuration through a Windows network share or by Windows (or third-party) replication.

The entire connector for Exchange ActiveSync configuration is in a single folder (consisting of a few XML files). The connector process detects changes to any file in this folder and automatically reloads the configuration. There is no failover for the primary node in shared mode. However, the system can tolerate the primary server being down for a few minutes (for example, to restart). The last known good configuration is cached in the connector process.
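In shared mode with replication, each node authorizes devices from whatever XML files its own folder currently holds, so a replica that has drifted from the primary enforces a different policy. The following is an added example, not Citrix tooling, that compares two copies of the configuration folder by SHA-256; the folder locations and file names are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def folder_digest(folder):
    """SHA-256 of every XML file directly inside a configuration folder."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(folder).glob("*.xml") if p.is_file()}

def compare_config(primary, replica):
    """Report how a replica's configuration folder differs from the primary's."""
    a, b = folder_digest(primary), folder_digest(replica)
    return {
        "missing_on_replica": sorted(a.keys() - b.keys()),
        "extra_on_replica": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def in_sync(report):
    """True when the replica holds exactly the primary's files and contents."""
    return not any(report.values())

def demo():
    """Build two constructed folders (file names are placeholders) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, replica = Path(tmp, "primary"), Path(tmp, "replica")
        primary.mkdir()
        replica.mkdir()
        for name, body in {"policy.xml": "<policy mode='block'/>",
                           "providers.xml": "<providers/>"}.items():
            (primary / name).write_text(body)
            (replica / name).write_text(body)
        clean = compare_config(primary, replica)
        # Simulate drift: a stale rule file, an unexpected file, a missing file.
        (replica / "policy.xml").write_text("<policy mode='permit'/>")
        (replica / "unexpected.xml").write_text("<rules/>")
        (replica / "providers.xml").unlink()
        return clean, compare_config(primary, replica)

if __name__ == "__main__":
    before, after = demo()
    print("in sync before drift:", in_sync(before))
    print("after drift:", after)
```

Run against the real primary and replica folders on a schedule, a non-empty report is worth alerting on, since the connector reloads any changed file automatically.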
