Integrating Exchange Server or IBM Notes Traveler Server

To keep Secure Mail in sync with your mail servers, integrate Secure Mail with an Exchange Server or IBM Notes Traveler Server that resides in your internal network or is behind Citrix Gateway.

Important:

You cannot sync mail from Secure Mail with IBM Notes Traveler (formerly IBM Lotus Notes Traveler). This Lotus Notes third-party capability is not currently supported. As a result, for example, when you delete a meeting mail from Secure Mail, the mail is not deleted on the IBM Notes Traveler server. [CXM-47936] To learn about known limitations with IBM/Lotus Notes, see this Citrix blog post.

Syncing is also available for Secure Notes and Secure Tasks, as follows.

  • To sync Secure Notes for iOS, integrate it with an Exchange Server.
  • To sync Secure Notes and Secure Tasks for Android, use the Secure Mail for Android account.

When you add Secure Mail, Secure Notes, and Secure Tasks to Citrix Endpoint Management (formerly, XenMobile), configure the MDX policies as mentioned in MDX app policies for the background services configuration.

Note:

Secure Mail for Android and iOS support the full path specified for a Notes Traveler Server. For example: https://mail.example.com/traveler/Microsoft-Server-ActiveSync.

It is no longer necessary to configure your Domino Directory with web site substitution rules for the Traveler Server.

Configuring IBM Notes Traveler Server for Secure Mail

In IBM Notes environments, you must configure the IBM Notes Traveler server before you deploy Secure Mail. This section shows a deployment illustration of this configuration as well as system requirements.

Important:

If your Notes Traveler Server uses SSL 3.0, be aware that SSL 3.0 contains a vulnerability called the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, which is a man-in-the-middle attack affecting any app that connects to a server using SSL 3.0. To address the vulnerabilities introduced by the POODLE attack, Secure Mail disables SSL 3.0 connections by default and uses TLS 1.0 to connect to the server. As a result, Secure Mail cannot connect to a Notes Traveler Server that uses SSL 3.0. For details on a recommended workaround, see the Configuring SSL/TLS Security Level section in Integrating Exchange Server or IBM Notes Traveler Server.

The following diagram shows the network placement of IBM Notes Traveler servers and an IBM Domino mail server in a sample deployment.

Figure: IBM Notes Traveler servers and IBM Domino mail server deployment with XenMobile

System requirements

Infrastructure server requirements

  • IBM Domino Mail Server 9.0.1
  • IBM Notes Traveler 9.0.1

Authentication protocols

  • Domino Database
  • Lotus Notes Authentication Protocol
  • Lightweight Directory Authentication Protocol

Port requirements

  • Exchange: Default SSL port is 443.
  • IBM Notes: SSL is supported on port 443. Non-SSL is supported, by default, on port 80.

Configuring SSL/TLS security level

Citrix modified Secure Mail to address the vulnerabilities introduced by the POODLE attack, as described in the preceding Important note. If your Notes Traveler Server uses SSL 3.0, the recommended workaround to enable connections is to use TLS 1.2 on the IBM Notes Traveler Server 9.0.

IBM has a patch to prevent the use of SSL 3.0 in Notes Traveler secure server-to-server communication. The patch, released in November 2014, is included as interim fix updates for the following Notes Traveler server versions: 9.0.1 IF7, 9.0.0.1 IF8 and 8.5.3 Upgrade Pack 2 IF8 (and will be included in all future releases). For details about the patch, see LO82423: DISABLE SSLV3 FOR TRAVELER SERVER TO SERVER COMMUNICATION.

As an alternative workaround, when you add Secure Mail to Endpoint Management, change the Connection security level policy to SSLv3 and TLS. For the latest information about this issue, see SSLv3 Connections Disabled by Default on Secure Mail 10.0.3.

The following tables indicate the protocols that Secure Mail supports, by operating system, based on the Connection security level policy value. Your mail server must also be able to negotiate the protocol.

The following table shows supported protocols for Secure Mail when the connection security level is SSLv3 and TLS.

| Operating system type | SSLv3 | TLS |
|---|---|---|
| Earlier than iOS 9 | Yes | Yes |
| iOS 9 and later | No | Yes |
| Earlier than Android M | Yes | Yes |
| Android M and Android N | Yes | Yes |
| Android O | No | Yes |

The following table shows supported protocols for Secure Mail when the connection security level is TLS.

| Operating system type | SSLv3 | TLS |
|---|---|---|
| Earlier than iOS 9 | No | Yes |
| iOS 9 and later | No | Yes |
| Earlier than Android M | No | Yes |
| Android M and Android N | No | Yes |
| Android O | No | Yes |
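The following added example (not Citrix code) combines the two tables above with the protocols a mail server has enabled, to show which devices in a fleet can connect under each Connection security level value and which would still be able to negotiate SSLv3. The fleet counts and server protocol sets are constructed, and treating any pairing where both sides accept SSLv3 as POODLE-exposed is a conservative assumption of this example.

```python
# Added example. OS labels and policy values are copied from the two tables
# above; the fleet counts and server protocol sets are constructed sample data.
SSL3, TLS = "SSLv3", "TLS"
POLICIES = ("SSLv3 and TLS", "TLS")
OS_TYPES = ("Earlier than iOS 9", "iOS 9 and later", "Earlier than Android M",
            "Android M and Android N", "Android O")
# OS types whose SSLv3 column reads "Yes" under the "SSLv3 and TLS" policy.
SSL3_CAPABLE = {"Earlier than iOS 9", "Earlier than Android M",
                "Android M and Android N"}

NO_CONNECT = "cannot connect"
EXPOSED = "connects, SSLv3 still negotiable"
TLS_ONLY = "connects over TLS only"

def client_protocols(policy, os_type):
    """Protocols Secure Mail supports for this policy value and OS type."""
    if policy not in POLICIES or os_type not in OS_TYPES:
        raise ValueError(f"unknown policy or OS type: {policy!r}, {os_type!r}")
    offered = {TLS}  # the TLS column is "Yes" in every row of both tables
    if policy == "SSLv3 and TLS" and os_type in SSL3_CAPABLE:
        offered.add(SSL3)
    return offered

def assess(policy, os_type, server_protocols):
    """Classify one client/server pairing by the protocols both sides share."""
    common = client_protocols(policy, os_type) & set(server_protocols)
    if not common:
        return NO_CONNECT
    # Assumption (conservative): if both ends accept SSLv3, count the pairing
    # as POODLE-exposed even when TLS is also available.
    return EXPOSED if SSL3 in common else TLS_ONLY

def audit(server_protocols, fleet, policy):
    """Sum device counts per outcome; fleet maps OS type -> device count."""
    summary = {}
    for os_type, count in fleet.items():
        outcome = assess(policy, os_type, server_protocols)
        summary[outcome] = summary.get(outcome, 0) + count
    return summary

# Constructed fleet inventory.
FLEET = {"Earlier than iOS 9": 12, "iOS 9 and later": 240,
         "Android M and Android N": 85, "Android O": 130}

if __name__ == "__main__":
    for server in ({SSL3}, {SSL3, TLS}, {TLS}):
        for policy in POLICIES:
            print(sorted(server), "|", policy, "|", audit(server, FLEET, policy))
```

With this sample fleet, setting the policy to SSLv3 and TLS against an SSLv3-only server still leaves the iOS 9 and later and Android O devices unable to connect, while a TLS-enabled server with SSLv3 turned off serves every device under either policy value.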

Configuring Notes Traveler Server

The following information corresponds to the configuration pages in the IBM Domino Administrator client.

  • Security: Internet authentication is set to Fewer name variations with higher security. This setting is used to map UID to AD User ID in LDAP authentication protocols.
  • NOTES.INI Settings: Add NTS_AS_ENFORCE_POLICY=false. This allows Secure Mail policies to be managed by Endpoint Management rather than Traveler. This setting may conflict with current customer deployments, but will simplify the management of the device in Endpoint Management deployments.
  • Synchronization protocols: SyncML on IBM Notes and mobile device synchronization are not supported by Secure Mail at this time. Secure Mail synchronizes Mail, Calendar and Contacts items through the Microsoft ActiveSync protocol built into Traveler servers. If SyncML is forced as the primary protocol, Secure Mail cannot connect back through the Traveler infrastructure.
  • Domino Directory Configuration - Web Internet Sites: Override Session Authentication for /traveler to disable form-based authentication.