Background services for Secure Mail

To access your mail server via the Citrix Gateway, you need to configure background services for Secure Mail. When you add Secure Mail to Citrix Endpoint Management (formerly, XenMobile), configure background services in MDX app policies settings.

To configure background services for Secure Mail

  1. Sign on to the Endpoint Management console using administrator credentials.

  2. In the console, click the Configure tab, click Apps, select the Secure Mail app, and then click Edit.

    Configure background services

  3. On the MDX policy settings page, in the Platform section, select the iOS or Android platform as required.

  4. In the App settings section, configure the policies.

    Choose platform and configure policies

MDX app policies for the background services configuration

The following MDX app policies affect Secure Mail communication with Citrix Gateway, Citrix Endpoint Management server, Secure Ticket Authority (STA) servers, and the mail server.

Network access: The Network Access policy specifies if Secure Mail can use VPN to access background network services or if all traffic goes unrestricted via that Internet.

  • If the network access policy is set to Tunneled to the internal network, only URLs listed in background network services pass through Citrix Gateway. The rest of the traffic goes unrestricted via the Internet. By default, Secure Mail access is Tunneled to the internal network.
  • If the network access policy is set to Unrestricted, all traffic originating from Secure Mail is sent unrestricted via the Internet. VPN isn’t used to access background services.

    Network access policy

Secure Mail Exchange Server: Set the Secure Mail Exchange Server policy to the fully qualified domain name (FQDN) for the mail server.

Background network service: The Background network service policy specifies the list of mail servers that are allowed access through Citrix Gateway. List hostnames and the port number as a comma-separated value. Ensure there are no leading and trailing spaces between the values. For mail server addresses, include: hostnameFQDN:portnumber. For example:, (no space between the comma).

Background network service gateway: The Background network service gateway policy specifies the Citrix Gateway that Secure Mail uses to connect to the mail server. For the Citrix Gateway address, include: citrixgatewayFQDN:portnumber. For example:

Background services ticket expiration: This policy specifies the validity of the background network service ticket. When Secure Mail connects through Citrix Gateway to a mail server, Citrix Endpoint Management issues a token that is used to connect to the internal mail server. This setting determines the duration until which Secure Mail can use this token. A new token for authentication and connection to the mail server is not required if the token is active. When the time limit expires, users must log on again to generate a new token. Default value of this token is 168 hours (7 days).

For more information about MDX app policies for background services, see:

The following figure shows the communication flow and where these policies are applicable.

Image of policies and where they apply

The following figures show the types of Secure Mail connections to a mail server. After each figure is a list of the related policy settings.

Direct connection to a mail server

Image of Secure Mail connection to mail server

Policies for a direct connection to a mail server:

  • Network access: Unrestricted

If network access is unrestricted, the following policies are not applicable:

  • Background network services: N/A
  • Background services ticket expiration: N/A
  • Background network service gateway: N/A

Connection to a mail server via the STA

Image of Secure Mail using STA

Policies for connecting to a mail server via the STA:

  • Network access: Tunneled - Web SSO
  • Background network services:,, or vanity URL:443
  • Background services ticket expiration: 168
  • Background network service gateway:


Citrix recommends that you use a STA connection for Secure Mail because a STA connection supports long-lived session connections.

For more information about the STA, see this Citrix Knowledge Center article.

Background services for Secure Mail