Integrating Exchange Server or IBM Notes Traveler Server

Aug 23, 2016

To keep WorxMail in sync with Microsoft Exchange or IBM Notes, you can integrate WorxMail with an Exchange Server or IBM Notes Traveler Server that resides in your internal network or is behind NetScaler Gateway.

Syncing is also available for WorxNotes and WorxTasks, as follows.

  • You can integrate WorxNotes for iOS with an Exchange Server.
  • WorxNotes for Android and WorxTasks for Android use the WorxMail for Android account to sync Exchange notes and tasks.

To learn about known limitations with IBM/Lotus Notes, please see this Citrix blog post.

When you add WorxMail, WorxNotes, and WorxTasks to XenMobile, configure the following MDX policies for integration with Exchange or IBM Notes:

  • For WorxMail: Set the WorxMail Exchange Server policy to the fully qualified domain name (FQDN) for Exchange Server or IBM Notes Traveler server.

    The WorxMail requirements for specifying a connection to a Notes Traveler Server differ by platform, as follows:

    WorxMail for Android and WorxMail for iOS support the full path specified for a Notes Traveler Server. For example: https://mail.example.com/traveler/Microsoft-Server-ActiveSync. (It is no longer necessary to configure your Domino Directory with web site substitution rules for the Traveler Server.)

    WorxMail for Windows Phone supports the full path specified for a Notes Traveler Server. For example: https://mail.example.com/traveler/Microsoft-Server-ActiveSync. If you enter a hostname or a URL without a path, WorxMail for Windows Phone uses the default path https://hostname/Microsoft-Server-ActiveSync.

    If you provide a domain name, users cannot edit the name. If you leave the field empty, users provide their own server information. Set the WorxMail user domain to the default Active Directory domain name for Exchange or Notes users.
  • For WorxNotes and WorxTasks: Specify values for the WorxNotes Exchange Server, WorxNotes user domain, WorxTasks Exchange Server, and WorxTasks user domain policies.

The following MDX policies affect WorxMail communication flow:

Network access. The Network access policy specifies whether restrictions are placed on network access. By default, the policy is Unrestricted: no restrictions are placed on network access, and apps can reach any network to which the device is connected. The Network access policy interacts with the Background network service policy, as follows.

Background network service. The Background network services policy specifies the service addresses permitted for background network access. The service addresses might be for Exchange Server or ActiveSync server, either in your internal network or in another network that WorxMail connects to, such as mail.example.com:443.

When you configure the Background network services policy, also set the Network access policy to Tunneled to the internal network. The Background network services policy takes effect only when you configure the Network access policy.

Background network service gateway. The Background network service gateway policy specifies the NetScaler Gateway that WorxMail uses to connect to the internal Exchange Server. If you specify an alternate gateway address, set the Network access policy to Tunneled to the internal network. The Background network service gateway policy takes effect only when you configure the Network access policy.

Background services ticket expiration. The Background services ticket expiration policy specifies the time period that a background network service ticket remains valid. When WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, XenMobile issues a token that WorxMail uses to connect to the internal Exchange Server. This setting determines how long WorxMail can keep using that token to authenticate and connect to the Exchange Server before a new token is required. When the time limit expires, users must log on again to generate a new token. The default value is 168 hours (7 days).

For details about related XenMobile server settings, see these XenMobile articles: ActiveSync Gateway in XenMobile and Mobile Service Provider.

The following figures show the types of WorxMail connections to a mail server. After each figure is a list of the related policy settings.

[Figure: direct connection to a mail server, unrestricted network access]

Policies for a direct connection to a mail server:

  • Network access: Unrestricted
  • Background network services: blank
  • Background services ticket expiration: 168
  • Background network service gateway: blank

[Figure: direct connection to a mail server, tunneled to the internal network]

Policies for a direct connection to a mail server:

  • Network access: Tunneled to the internal network
  • Background network services: blank
  • Background services ticket expiration: 168
  • Background network service gateway: blank

[Figure: STA access to a mail server]

Policies for STA access to a mail server:

  • Network access: Tunneled to the internal network
  • Background network services: mail.example.com:443
  • Background services ticket expiration: 168
  • Background network service gateway: gateway3.example.com:443
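The following is an added example, not Citrix code: a small checker that applies the rules stated above for the WorxMail Exchange Server, Network access, Background network services and Background network service gateway policies to a policy set, and derives the ActiveSync URL that WorxMail for Windows Phone would use from a hostname, a URL without a path, or a full Traveler path. The policy dictionary keys are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed example (not Citrix code): checks a WorxMail MDX policy set
# against the rules in the text above. The dict keys are assumptions.
DEFAULT_AS_PATH = "/Microsoft-Server-ActiveSync"
TUNNELED = "Tunneled to the internal network"


def activesync_endpoint(server_value: str) -> str:
    """ActiveSync URL WorxMail for Windows Phone derives from the WorxMail
    Exchange Server policy: a full path is kept; a bare hostname or a URL
    without a path gets the default path."""
    if "://" not in server_value:
        server_value = "https://" + server_value
    parts = urlparse(server_value)
    path = parts.path if parts.path not in ("", "/") else DEFAULT_AS_PATH
    return f"{parts.scheme}://{parts.netloc}{path}"


def parse_service_address(entry: str):
    """Service addresses are host:port, e.g. mail.example.com:443."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid service address: {entry!r}")
    return host, int(port)


def validate_policies(p: dict) -> list:
    """Return the problems found in one policy set (empty list means OK)."""
    issues = []
    services = [s for s in p.get("background_network_services", "").split(",") if s.strip()]
    gateway = p.get("background_network_service_gateway", "").strip()
    for addr in services + ([gateway] if gateway else []):
        try:
            parse_service_address(addr)
        except ValueError as e:
            issues.append(str(e))
    # A services list or an alternate gateway only makes sense with network
    # access tunneled to the internal network (see the policy descriptions).
    tunneled = p.get("network_access") == TUNNELED
    if services and not tunneled:
        issues.append("Background network services set but Network access is not tunneled")
    if gateway and not tunneled:
        issues.append("Background network service gateway set but Network access is not tunneled")
    ttl = p.get("background_services_ticket_expiration", 168)
    if not isinstance(ttl, int) or ttl <= 0:
        issues.append("Background services ticket expiration must be a positive number of hours")
    return issues
```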

The following figure shows where those policies apply:

[Figure: where the policies apply]

Configuring IBM Notes Traveler Server for WorxMail

In IBM Notes environments, you must configure the IBM Notes Traveler server before you deploy WorxMail. This section shows a diagram of this configuration in a XenMobile deployment as well as system requirements.

Important

If your Notes Traveler Server uses SSL 3.0, be aware that SSL 3.0 contains a vulnerability called the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, which is a man-in-the-middle attack affecting any app that connects to a server using SSL 3.0. To address the vulnerabilities introduced by the POODLE attack, WorxMail 10.0.3 disables SSL 3.0 connections by default and uses TLS 1.0 to connect to the server. As a result, WorxMail 10.0.3 cannot connect to a Notes Traveler Server that uses SSL 3.0. See the following section, Configuring SSL/TLS Security Level, for details on a recommended workaround.

The following diagram shows the network placement of IBM Notes Traveler servers and an IBM Domino mail server in a sample XenMobile deployment.

[Figure: network placement of IBM Notes Traveler servers and an IBM Domino mail server in a sample XenMobile deployment]

System Requirements

Infrastructure Server Requirements

  • IBM Domino Mail Server
  • IBM Notes Traveler 9.0.1

Authentication Protocols

  • Domino Database
  • Lotus Notes Authentication Protocol
  • Lightweight Directory Access Protocol (LDAP)

Port Requirements

  • Exchange: Default SSL port is 443.
  • IBM Notes: SSL is supported on port 443. Non-SSL is supported, by default, on port 80.

Configuring SSL/TLS Security Level

Citrix made modifications to WorxMail to address vulnerabilities introduced by the POODLE attack, as described in the preceding Important note. Therefore, if your Notes Traveler Server uses SSL 3.0, the recommended workaround to enable connections is to use TLS 1.2 on IBM Notes Traveler Server 9.0.

IBM has a patch to prevent the use of SSL 3.0 in Notes Traveler secure server-to-server communication. The patch, released in November 2014, is included as interim fix updates for the following Notes Traveler server versions: 9.0.1 IF7, 9.0.0.1 IF8 and 8.5.3 Upgrade Pack 2 IF8 (and will be included in all future releases). For details about the patch, see LO82423: DISABLE SSLV3 FOR TRAVELER SERVER TO SERVER COMMUNICATION.

As an alternative workaround, when you add WorxMail to XenMobile, change the Connection security level policy to SSLv3 and TLS. For the latest information about this issue, see SSLv3 Connections Disabled by Default on WorxMail 10.0.3.

The following tables indicate the protocols that WorxMail supports, by operating system, based on the Connection security level policy value. Your mail server must also be able to negotiate the protocol.

When connection security level is SSLv3 and TLS

| Operating system type  | SSLv3 supported | TLS supported |
|------------------------|-----------------|---------------|
| Earlier than iOS 9     | Yes             | Yes           |
| iOS 9                  | No              | Yes           |
| Earlier than Android M | Yes             | Yes           |
| Android M              | Yes             | Yes           |

When connection security level is TLS

| Operating system type  | SSLv3 supported | TLS supported |
|------------------------|-----------------|---------------|
| Earlier than iOS 9     | No              | Yes           |
| iOS 9                  | No              | Yes           |
| Earlier than Android M | No              | Yes           |
| Android M              | No              | Yes           |

Configuring Notes Traveler Server

The following information corresponds to the configuration pages in the IBM Domino Administrator client.

  • Security. Internet authentication is set to Fewer name variations with higher security. This setting is used to map UID to AD User ID in LDAP authentication protocols.
  • NOTES.INI Settings. Add NTS_AS_ENFORCE_POLICY=false. This allows WorxMail policies to be managed by XenMobile rather than Traveler. This setting may conflict with current customer deployments, but will simplify the management of the device in XenMobile deployments.
  • Synchronization protocols. SyncML on IBM Notes and mobile device synchronization are not supported by WorxMail at this time. WorxMail synchronizes Mail, Calendar and Contacts items through the Microsoft ActiveSync protocol built into Traveler servers. If SyncML is forced as the primary protocol, WorxMail cannot connect back through the Traveler infrastructure.
  • Domino Directory Configuration - Web Internet Sites. Override Session Authentication for /traveler to disable form-based authentication.