Cloud-hosted Exchange services

Email Strategy

Scenario 3: Cloud-hosted Exchange services

Cloud-hosted Exchange services, such as Microsoft Office 365, are becoming more popular. In the context of XenMobile, this scenario may be treated in the same way as the first scenario, because the ActiveSync service is exposed to the Internet as well. In this case, the client choices are dictated by the cloud service provider requirements, but the choices generally include support for most ActiveSync clients like WorxMail and other native or third-party clients.

XenMobile can add value in three areas when it comes to this scenario:

• Client wrapping with MDX policies and app management with WorxMail

• Client configuration with the use of an MDM policy on supported clients (native, such as TouchDown)

• ActiveSync filtering options with the use of XenMobile Mail Manager

Mail traffic filtering considerations

As with most services exposed to the Internet, you must secure the path and provide filtering for authorized access. The XenMobile solution includes two components designed specifically to provide ActiveSync filtering capabilities for native and third-party clients: XenMobile NetScaler Connector and XenMobile Mail Manager.

XenMobile NetScaler Connector

The use of XenMobile NetScaler Connector provides ActiveSync filtering at the perimeter, through the use of NetScaler as a proxy for ActiveSync traffic. This means that the filtering component sits in the path of mail traffic flow, intercepting mail as it enters or leaves the environment. XenMobile NetScaler Connector acts as an intermediary between NetScaler and the XenMobile server. When a device attempts communication to Exchange via the ActiveSync virtual server on the NetScaler, the NetScaler performs an HTTP callout to the XenMobile NetScaler Connector service, which then checks the device status with XenMobile. Based on the status of the device, XenMobile NetScaler Connector replies to NetScaler to either allow or deny the connection. You may also configure static rules to filter access based on user, agent, and device type or ID.

This setup allows Exchange ActiveSync services to be exposed to the Internet with an added layer of security to prevent unauthorized access. Design considerations include the following:

Windows Server: The XenMobile NetScaler Connector component will require the deployment of a Windows Server.

Filtering rule set: XenMobile NetScaler Connector is designed for filtering based on device state and information, rather than user information. Although you may configure static rules to filter by user ID, no options exist for filtering based on Active Directory group membership, for example. If there is a requirement for Active Directory group filtering, you may use XenMobile Mail Manager instead.

NetScaler scalability: Given the requirement to proxy ActiveSync traffic via NetScaler, proper sizing of the NetScaler instance is critical to support the added workload of all ActiveSync SSL connections.

XenMobile Deployment Handbook

© 2016 Citrix Systems, Inc. All rights reserved 31

NetScaler Integrated Caching: The XenMobile NetScaler Connector configuration on the NetScaler leverages the Integrated Caching function in order to cache responses from XenMobile NetScaler Connector. This eliminates the need for the NetScaler to issue a request to XenMobile NetScaler Connector for every ActiveSync transaction in a given session; it is also critical for adequate performance and scale. Integrated Caching is available with the NetScaler Platinum Edition or may be licensed separately for Enterprise Editions.

Custom filtering policies: You may need to create custom NetScaler policies to restrict certain ActiveSync clients outside of the standard native mobile clients. This configuration requires knowledge of ActiveSync HTTP requests and NetScaler responder policy creation.

WorxMail clients: WorxMail has micro VPN capabilities which eliminate the need for filtering at the perimeter. The WorxMail client would generally be treated as an internal (trusted) ActiveSync client when connected through the NetScaler Gateway. In the event that support for both native and third-party clients (with XenMobile NetScaler Connector) and WorxMail clients is required, Citrix recommends that WorxMail traffic does not flow via the NetScaler virtual server used for XenMobile NetScaler Connector. You can accomplish this traffic flow via DNS and keep the XenMobile NetScaler Connector policy from affecting WorxMail clients.

For a diagram of XenMobile NetScaler Connector in a XenMobile deployment, see Reference Architecture for On-Premises Deployments.

XenMobile Mail Manager

XenMobile Mail Manager is a XenMobile component that provides ActiveSync filtering at the Exchange service level. This means that filtering only occurs once the mail reaches the Exchange service, rather than as soon as it enters the XenMobile environment. XenMobile Mail Manager uses PowerShell to query Exchange ActiveSync for device partnership information and control access through device quarantine actions, where devices are taken in and out of quarantine based on XenMobile Mail Manager rule criteria. Similar to XenMobile NetScaler Connector, XenMobile Mail Manager checks the device status with XenMobile in order to filter access based on device compliance. You may also configure static rules to filter access based on device type or ID, agent version, and Active Directory group membership. This solution does not require the use of NetScaler. You can deploy XenMobile Mail Manager without making any changes in terms of routing for the existing ActiveSync traffic. Design considerations include:
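To make the filtering flow concrete, here is an added Python model (written for this page, not Citrix code) of the allow/deny decision that XenMobile NetScaler Connector returns to the NetScaler HTTP callout and that XenMobile Mail Manager enforces through quarantine: static rules on user, agent and device type/ID are evaluated first, then the device compliance status held by XenMobile; Active Directory group rules only take effect in Mail Manager mode, since the Connector cannot see group membership. The query-string fields are the standard ones an ActiveSync client sends on every request; the device IDs, compliance values, group names and host name are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed sample of device compliance as the XenMobile server would report it,
# keyed by the ActiveSync DeviceId (hypothetical values, not real devices).
DEVICE_STATUS = {"ABC123": "compliant", "DEF456": "noncompliant"}

@dataclass
class StaticRules:
    blocked_users: set = field(default_factory=set)
    blocked_device_types: set = field(default_factory=set)
    blocked_agent_prefixes: tuple = ()
    exempt_device_ids: set = field(default_factory=set)   # e.g. clients outside XenMobile
    allowed_groups: set = field(default_factory=set)      # only evaluable by Mail Manager

def parse_activesync_request(url, headers):
    """Extract the identifying fields an ActiveSync client sends on every request."""
    q = parse_qs(urlparse(url).query)
    first = lambda k: q.get(k, [""])[0]
    return {"user": first("User"), "device_id": first("DeviceId"),
            "device_type": first("DeviceType"), "agent": headers.get("User-Agent", "")}

def decide(req, rules, user_groups=(), group_filtering=False):
    """Return (verdict, reason). Static rules run first, then device compliance.
    group_filtering=True models Mail Manager; the Connector ignores group rules."""
    if req["device_id"] in rules.exempt_device_ids:
        return "allow", "static exemption for device ID"
    if req["user"] in rules.blocked_users:
        return "deny", "static rule: user blocked"
    if req["device_type"] in rules.blocked_device_types:
        return "deny", "static rule: device type blocked"
    if req["agent"].startswith(rules.blocked_agent_prefixes):
        return "deny", "static rule: user agent blocked"
    if group_filtering and rules.allowed_groups and not (set(user_groups) & rules.allowed_groups):
        return "deny", "static rule: user not in an allowed AD group"
    status = DEVICE_STATUS.get(req["device_id"], "unknown")
    if status == "compliant":
        return "allow", "device compliant in XenMobile"
    return "deny", f"device status is {status}"   # fail closed on unknown devices

if __name__ == "__main__":
    rules = StaticRules(blocked_device_types={"WindowsMail"}, allowed_groups={"Mobile-Users"})
    req = parse_activesync_request(
        "https://mail.example.com/Microsoft-Server-ActiveSync"
        "?Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=iPhone",
        {"User-Agent": "Apple-iPhone/1402.72"})
    print(decide(req, rules))                                               # Connector: allow
    print(decide(req, rules, user_groups=["Sales"], group_filtering=True))  # Mail Manager: deny
```

Because the NetScaler caches the Connector's reply per session (see the Integrated Caching consideration above), a device that turns non-compliant mid-session keeps access until the cached verdict expires, which is why cache timeouts deserve the same attention as the rules themselves.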

Windows Server: The XenMobile Mail Manager component requires you to deploy Windows Server.

Filtering rule set: Just like XenMobile NetScaler Connector, XenMobile Mail Manager includes filtering rules to evaluate device state and information. Additionally, XenMobile Mail Manager also supports static rules to filter based on Active Directory group membership.

Exchange integration: XenMobile Mail Manager requires direct access to the Exchange Client Access Server (CAS) hosting the ActiveSync role and control over device quarantine actions. This may present a challenge depending on the environment's architecture and security posture, so it is critical that you evaluate this technical requirement up front.

Other ActiveSync clients: Because XenMobile Mail Manager is filtering at the ActiveSync service level, you need to take into consideration other ActiveSync clients outside the XenMobile environment. You can configure XenMobile Mail Manager static rules to avoid unintended impact to other ActiveSync clients.

Extended Exchange functions: Through direct integration with Exchange ActiveSync, XenMobile Mail Manager provides the ability for XenMobile to perform an Exchange ActiveSync wipe on a mobile device. XenMobile Mail Manager also allows XenMobile to access information about BlackBerry devices, and to perform control operations, such as wipe and reset password. For a diagram of XenMobile Mail Manager in a XenMobile deployment, see Reference Architecture for On-Premises Deployments.