You can use XenMobile NetScaler Connector to build access control rules to either allow or block access to ActiveSync connection requests from managed devices based on device status, app blacklists or whitelists and a host of other compliance conditions. Using the XenMobile NetScaler Connector utility, you can build dynamic and static rules that enforce corporate email policies, allowing you to block those users in violation of compliance standards. You can also set up email attachment encryption so that all attachments that pass through your Exchange server to managed devices are encrypted and only viewable on managed devices by authorized users.
You can configure XenMobile NetScaler Connector to selectively block or allow ActiveSync requests based on the following properties: Active Sync Service ID, Device type, User Agent (device operating system), Authorized user, and ActiveSync Command.
The default configuration supports a combination of static and dynamic groups. You maintain static groups by using the SMG Controller Configuration utility. The static groups may consist of known categories of devices, such as all devices using a given user agent. Dynamic groups are maintained by an external source called a Gateway Configuration Provider and are collected by XenMobile NetScaler Connector on a periodic basis. XenMobile Device Manager is a Gateway Configuration Provider and can export groups of allowed and blocked devices and users to XenMobile NetScaler Connector.
A policy is an ordered list of groups where each group has an associated action (allow or block) and a list of group members. A policy may have any number of groups. Group ordering within a policy is important because when a match is found the action of the group is taken, and subsequent groups are not evaluated.
A member defines a way to match the properties of a request. It can match a single property (such as device ID), or multiple properties (such as device type and user agent).
Establishing a security model is essential to a successful mobile device deployment for organizations of any size. Although it is not uncommon to allow access to a user, computer, or device by default, using some form of protected or quarantined network control, it is not always a good practice. Every organization that manages IT security may have a slightly different or tailored approach to security for mobile devices.
The same logic applies to mobile device security. The vast numbers of mobile devices and types, the quantity of mobile devices per user, and the array of operating system platforms and applications available make the very idea of using a permissive model a weak choice. In most organizations the restrictive model will be the most logical choice. However, it will involve some planning to successfully roll out the XenMobile NetScaler Connector security model.
The configuration scenarios that Citrix supports for integrating XenMobile NetScaler Connector with XenMobile Device Manager are as follows:
The permissive security model operates on the premise that everything is either allowed or granted access by default. Only in the case of rules and filtering will something be blocked and a restriction applied. The permissive security model is good for organizations that have a relatively loose security concern about mobile devices and only applies restrictive controls to deny access where appropriate (when a policy rule is failed).
The restrictive security model is based on the premise that nothing is allowed or granted access by default. Everything passing through the security check point is filtered and inspected, and is denied access unless the rules allowing access are passed. The restrictive security model is good for organizations that have a relatively tight security criterion about mobile devices. The mode only grants access for use and functionality with the network services when all rules to allow access have passed.
XenMobile NetScaler Connector can run in the following six modes:
The XenMobile NetScaler Connector process permits or blocks for dynamic rules based on unique ActiveSync IDs for iOS and Windows-based mobile devices received from Device Manager. Android devices differ in their behavior based on the manufacturer and some do not readily expose a unique ActiveSync ID. To compensate, Device Manager sends user ID information for Android devices to make a permit or block decision. As a result, if a user has only one Android device, permits and blocks function normally. If the user has multiple Android devices, all the devices are allowed because Android devices cannot be definitively differentiated. The gateway can still be configured to statically block these devices by ActiveSyncID, if they are known, and can also be configured to block based on device type or user agent.
You can review rules on the Policies tab of the configuration utility. The rules are processed on XenMobile NetScaler Connector from top to bottom. Allow policies are displayed with a green checkmark. Deny policies are shown as a red circle with a line through it. To refresh the screen and see the most up-to-date rules, click Refresh. You can also modify the ordering of rules in the config.xml file.
To test rules, click the Simulator tab. Specify values in the fields. These can also be obtained from the logs. A result message will appear specifying Allow or Block.
You must enter static rules with values that are read by the ISAPI filtering of the ActiveSync connection HTTP request. Static rules enable XenMobile NetScaler Connector to permit or block traffic by the following criteria:
The XenMobile NetScaler Connector utility running on the server always manages the static rules.
Dynamic rules are defined by device policies and properties in XenMobile Device Manager and can trigger a dynamic XenMobile NetScaler Connector filter based on the presence of a policy violation or property setting. The XenMobile NetScaler Connector filters work by analyzing a device for a given policy violation or property setting; if the device meets the criteria, the device is placed in a Device List. This Device List is neither an allow list nor a block list. It is a list of devices that meet the defined criteria. The following configuration options enable you to define whether you want to allow or deny the devices in the Device List by using XenMobile NetScaler Connector.
You can view the basic policies in the default configuration on the Policies tab of the configuration tool. If you want to create custom policies, you can edit the XML configuration file (config\config.xml).
XenMobile NetScaler Connector uses an XML configuration file to guide its actions. Among other entries, the file specifies the group files and associated actions the filter will take when evaluating HTTP requests. By default, the file is named config.xml and can be found at the following location: ..\Program Files\Citrix\XenMobile NetScaler Connector\config\.
The id value of a GroupRef node identifies a logical container or collection of members that are used for matching specific user accounts or devices. The action attribute specifies how the filter will treat a member that matches a rule in the collection. For example, a user account or device that matches a rule in the AllowGroup set will "pass" (be allowed to access the Exchange CAS), while a user account or device that matches a rule in the DenyGroup set will be "rejected" (not allowed to access the Exchange CAS).
When a particular user account/device or combination meets rules in both groups, a precedence convention is used to direct the request's outcome. Precedence is embodied in the order of the GroupRef nodes in the config.xml file from top to bottom. The GroupRef nodes are ranked in priority order. Thus, the nodes shown in the figure above (which depicts the default order) are such that rules for a given condition in the Allow group will always take precedence over rules for the same condition in the Deny group.
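The following Python model, an added example rather than Citrix code, shows the first-match precedence described above for a policy of ordered GroupRef nodes whose members match one or several request properties. The element and attribute names (Config, Policy, GroupRef, Group, Member, DeviceId, DeviceType, UserAgent) are assumptions that stand in for the real config.xml, allow.xml and deny.xml schema, which the page does not reproduce.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml stand-in: GroupRef nodes are ranked top to bottom,
# so AllowGroup outranks DenyGroup for a request that matches both (assumed schema).
CONFIG_XML = """
<Config>
  <Policy>
    <GroupRef id="AllowGroup" action="allow"/>
    <GroupRef id="DenyGroup" action="deny"/>
  </Policy>
</Config>
"""

# Constructed stand-ins for allow.xml and deny.xml. A Member may name one
# property (device ID) or several (device type plus user agent); all must match.
GROUP_FILES = {
    "AllowGroup": """
<Group>
  <Member DeviceId="ABC123"/>
  <Member DeviceType="iPhone" UserAgent="Apple-iPhone/1101"/>
</Group>""",
    "DenyGroup": """
<Group>
  <Member DeviceType="iPhone"/>
  <Member UserAgent="Android/4.0"/>
</Group>""",
}


def load_groups(files):
    """Parse each group file into a list of member property dictionaries."""
    return {gid: [dict(m.attrib) for m in ET.fromstring(xml.strip()).findall("Member")]
            for gid, xml in files.items()}


def member_matches(member, request):
    # Every property the member lists must equal the request's value;
    # a member with no properties matches nothing.
    return bool(member) and all(request.get(k) == v for k, v in member.items())


def evaluate(config_xml, groups, request, default="allow"):
    """Walk GroupRef nodes top to bottom; the first group with a matching member
    decides and later groups are never evaluated. 'default' models the permissive
    (allow) or restrictive (deny) outcome when no group matches."""
    for ref in ET.fromstring(config_xml.strip()).iter("GroupRef"):
        gid, action = ref.get("id"), ref.get("action")
        if any(member_matches(m, request) for m in groups.get(gid, [])):
            return action, gid
    return default, None


if __name__ == "__main__":
    groups = load_groups(GROUP_FILES)
    # Matches both groups; AllowGroup wins because it is listed first.
    print(evaluate(CONFIG_XML, groups, {"DeviceId": "ABC123", "DeviceType": "iPhone"}))
```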
The default installation includes two XML group files in the configuration: allow.xml and deny.xml.
After you save the settings, open the GCS.
XenMobile NetScaler Connector communicates with XenMobile Device Manager and other remote configuration providers through secure web services.
When you add a new configuration provider, XenMobile NetScaler Connector automatically creates one or more policies associated with the provider. These policies are defined by a template definition contained in config\policyTemplates.xml in the <NewPolicyTemplate> section. For each Policy element defined within this section, a new policy is created. The operator may add, remove, or modify policy elements provided that the policy element conforms to the schema definition, and that the standard substitution strings (enclosed in braces) are not modified. Next, add new groups for the provider and update the policy to include the new groups.
The XenMobile NetScaler Connector utility provides detailed logging that you can use to view all traffic passing through your Exchange server that is either allowed or blocked by Secure Mobile Gateway.
Use the Log tab to view the history of the ActiveSync requests forwarded to XenMobile NetScaler Connector by NetScaler for authorization.
Also, to make sure the XNC web service is running, you can load the following URL into a browser on the XNC server: http://<host:port>/services/ActiveSync/Version. If this returns the product version as a string, the web service is responsive.