Manual Configuration of Citrix Gateway connector for Exchange ActiveSync on the NetScaler

Article ID: CTX200220

Description

This article describes how to manually configure Citrix Gateway connector for Exchange ActiveSync formerly known as XenMobile NetScaler Connector (XNC) on the NetScaler.

Note: Configuration on the NetScaler for Exchange ActiveSync filtering should be done through the wizard whenever possible. Refer to Configuring Settings for Your XenMobile Environment.
The wizard might have a dependency on the Integrated Caching (IC) feature. Customers who do not have this feature licensed will not be able to use the wizard properly and will need to perform this configuration manually.

Background

The configuration below assumes that nothing is configured on the NetScaler for Citrix Gateway connector for Exchange ActiveSync or for Exchange. It consists of two HTTP callouts, two responder policies, the Exchange vserver and service, and the Citrix Gateway connector for Exchange ActiveSync vserver and service. The caching policies are included for reference; if IC is not licensed, skip that portion of the configuration. The caching configuration is an optimization and does not affect core functionality, but note that it keeps each callout decision for 60 seconds (-relExpiry 60), keyed on the url parameter for requests without a DeviceId and on the DeviceId and user for requests with one, so a policy change on the connector server can take up to a minute to apply to a device that already has a cached decision.
When an ActiveSync request is received on the Exchange vserver, it triggers one of the two responder policies (depending on whether the request carries a DeviceId query parameter), which in turn triggers an HTTP callout to the Citrix Gateway connector for Exchange ActiveSync server. If the response to the callout does not contain "Allow", the responder policy drops the request.
Note: Whether Allow is returned is determined by the policies configured on the Citrix Gateway connector for Exchange ActiveSync server. If no response is received to the HTTP callout, the ActiveSync request is allowed; this is a fail-open design. For the customer's policies to take effect, the NetScaler must receive a response to the callout, so verify that the connector service is UP (show service _XM_SERVICE_3.3.3.3) and monitor it: an unreachable connector silently stops all filtering rather than blocking mail.
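The following Python is an added example, not part of this article or of Citrix's product code. It models what the policy expressions in this article compute for an ActiveSync request: which of the two responder policies fires, the exact parameter values the callout carries to the connector (the user name is extracted from the Basic Authorization header and the password is discarded, the original URL travels base64-encoded), and how the responder rule turns the first 20 bytes of the callout response into a drop or allow decision, including the fail-open case when no response arrives. The sample requests are constructed, HTTP_URL_SAFE is approximated with percent-encoding, and the handling of a missing or undecodable Basic header is an assumption rather than documented NetScaler behaviour.

```python
"""Model of the NetScaler-side callout logic from this article (added example).
Constructed sample data; HTTP_URL_SAFE approximated; missing/undecodable Basic
header handling is an assumption, not documented NetScaler behaviour."""
import base64
import urllib.parse

CALLOUT_HOST = "callout.asfilter.internal"       # -hostExpr of both callouts
CALLOUT_PATH = "/services/ActiveSync/Authorize"  # -urlStemExpr of both callouts
WITH_DEVICEID = "_XM_W_DEVICEID_3_3_3_3"
WITHOUT_DEVICEID = "_XM_WO_DEVICEID_3_3_3_3"


def query_value(url, name):
    """HTTP.REQ.URL.QUERY.VALUE(name): first value of that query parameter, or ''."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def basic_user(authorization):
    """HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").
    Only the user name is forwarded to the connector; the password never leaves the NetScaler."""
    marker = "Basic "
    if marker not in authorization:
        return ""  # assumption: non-Basic credentials yield an empty user
    try:
        decoded = base64.b64decode(authorization.split(marker, 1)[1]).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""       # assumption: undecodable header yields an empty user
    return decoded.split(":", 1)[0]


def url_safe(value):
    """HTTP_URL_SAFE, approximated here with RFC 3986 percent-encoding."""
    return urllib.parse.quote(value, safe="")


def select_callout(request):
    """Which responder policy (and so which httpCallout) fires on the Exchange
    vserver for this request, or None if neither policy's rule matches."""
    url, host = request["url"], request["host"]
    if request["method"] != "POST" or not url.startswith("/Microsoft-Server-ActiveSync"):
        return None
    if host == CALLOUT_HOST:  # HTTP.REQ.HOSTNAME.EQ(...).NOT: a callout must not re-trigger itself
        return None
    query = urllib.parse.urlsplit(url).query
    return WITH_DEVICEID if "DeviceId" in query else WITHOUT_DEVICEID


def build_callout(request):
    """Assemble the callout the NetScaler would send: host, path and the -parameters list."""
    callout = select_callout(request)
    if callout is None:
        return None
    headers = request["headers"]
    params = {
        "user": url_safe(basic_user(headers.get("authorization", ""))),
        "agent": url_safe(headers.get("user-agent", "")),
        "ip": request["client_ip"],
        # url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE)
        "url": base64.b64encode(("https://" + request["host"] + request["url"]).encode()).decode(),
        "resultType": "json",
    }
    if callout == WITH_DEVICEID:
        params["DeviceId"] = query_value(request["url"], "DeviceId")
    return {"callout": callout, "host": CALLOUT_HOST, "path": CALLOUT_PATH, "params": params}


def decode_url_param(value):
    """What the connector has to do with the url parameter: base64-decode it."""
    return base64.b64decode(value).decode()


def responder_decision(callout_body):
    """Mirror SYS.HTTP_CALLOUT(...).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT -> DROP.
    -resultExpr "HTTP.RES.BODY(20)" means only the first 20 bytes are inspected.
    None (no response) is allowed: the fail-open behaviour this article describes."""
    if callout_body is None:
        return "ALLOW"
    return "ALLOW" if "allow" in callout_body[:20].lower() else "DROP"


# Constructed sample requests, not captured traffic.
SYNC_REQUEST = {
    "method": "POST",
    "host": "mail.brochlab.local",
    "url": "/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=iPhone",
    "headers": {
        "authorization": "Basic " + base64.b64encode(b"brochlab\\alice:s3cret").decode(),
        "user-agent": "Apple-iPhone/1604.1",
    },
    "client_ip": "198.51.100.10",
}
NO_DEVICE_REQUEST = dict(SYNC_REQUEST, url="/Microsoft-Server-ActiveSync?Cmd=Ping&User=alice")
OPTIONS_REQUEST = dict(SYNC_REQUEST, method="OPTIONS")

if __name__ == "__main__":
    for req in (SYNC_REQUEST, NO_DEVICE_REQUEST, OPTIONS_REQUEST):
        print(req["method"], req["url"], "->", build_callout(req))
    for body in ("Allow", "Block", None):
        print(repr(body), "->", responder_decision(body))
```

Running the script shows that the OPTIONS request bypasses both policies (they match POST only), that the Ping request without a DeviceId goes through the _XM_WO_DEVICEID_3_3_3_3 callout, and that a missing response is treated exactly like "Allow", which is why the health of the connector service matters.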

Relevant Entities and IPs

Note: The names display as they were created by the wizard in the lab. Modify the IP portion of the names to match what is in your environment.
  • Citrix Gateway connector for Exchange ActiveSync Server IP: 3.3.3.3
  • CAS Server IP: 2.2.2.2
  • Exchange LB Vserver: _XM_LB_mail.brochlab.local_1.1.1.1_443
  • CAS Service: cas.brochlab.local
  • Citrix Gateway connector for Exchange ActiveSync LB Vserver: _XM_LB_CACHE_3.3.3.3 (NOTE: This lb vserver is not directly addressable.)
  • Citrix Gateway connector for Exchange ActiveSync Service: _XM_SERVICE_3.3.3.3

Instructions

Important! If you want the callout to the Citrix Gateway connector for Exchange ActiveSync server to be made over SSL, you must create the _XM_SERVICE_ service as type SSL with the appropriate port number, as _XM_SERVICE_3.3.3.3 is below. The _XM_LB_CACHE_ vserver can remain HTTP, since it is only reached internally by the callout.

add policy httpCallout _XM_WO_DEVICEID_3_3_3_3

add policy httpCallout _XM_W_DEVICEID_3_3_3_3

set policy httpCallout _XM_WO_DEVICEID_3_3_3_3 -vServer _XM_LB_CACHE_3.3.3.3 -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") -scheme http -resultExpr "HTTP.RES.BODY(20)"

set policy httpCallout _XM_W_DEVICEID_3_3_3_3 -vServer _XM_LB_CACHE_3.3.3.3 -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -scheme http -resultExpr "HTTP.RES.BODY(20)"

add server 2.2.2.2 2.2.2.2

add server 3.3.3.3 3.3.3.3

add service cas.brochlab.local 2.2.2.2 SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add service _XM_SERVICE_3.3.3.3 3.3.3.3 SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add lb vserver _XM_LB_mail.brochlab.local_1.1.1.1_443 SSL 1.1.1.1 443 -persistenceType NONE -cltTimeout 180

add lb vserver _XM_LB_CACHE_3.3.3.3 HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

add responder policy _XM_RESP_WO_DEVICEID_3.3.3.3 "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(_XM_WO_DEVICEID_3_3_3_3).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

add responder policy _XM_RESP_W_DEVICEID_3.3.3.3 "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(_XM_W_DEVICEID_3_3_3_3).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

bind lb vserver _XM_LB_mail.brochlab.local_1.1.1.1_443 cas.brochlab.local

bind lb vserver _XM_LB_CACHE_3.3.3.3 _XM_SERVICE_3.3.3.3

bind lb vserver _XM_LB_mail.brochlab.local_1.1.1.1_443 -policyName _XM_RESP_W_DEVICEID_3.3.3.3 -priority 90 -gotoPriorityExpression END -type REQUEST

bind lb vserver _XM_LB_mail.brochlab.local_1.1.1.1_443 -policyName _XM_RESP_WO_DEVICEID_3.3.3.3 -priority 100 -gotoPriorityExpression END -type REQUEST

set ssl vserver _XM_LB_mail.brochlab.local_1.1.1.1_443 -tls11 DISABLED -tls12 DISABLED

Note: This line, as generated in the lab, disables TLS 1.1 and TLS 1.2 on the Exchange vserver and leaves only the older protocol versions that are enabled by default. Do not carry it into production: keep TLS 1.2 enabled (for example, -tls12 ENABLED) and disable the older versions as your client population and security policy allow.

bind ssl vserver _XM_LB_mail.brochlab.local_1.1.1.1_443 -certkeyName wildcard.Brochlab.local

Cache Configuration

add cache selector _XM_URL_3.3.3.3 "HTTP.REQ.URL.QUERY.VALUE(\"url\")"

add cache selector _XM_DEVICE_ID_3.3.3.3 HTTP.REQ.URL.PATH HTTP.REQ.HOSTNAME "HTTP.REQ.URL.QUERY.VALUE(\"DeviceId\") + \"-\" + HTTP.REQ.URL.QUERY.VALUE(\"user\")"

add cache contentGroup _XM_WO_DEVICEID_3.3.3.3 -relExpiry 60 -hitSelector _XM_URL_3.3.3.3

add cache contentGroup _XM_W_DEVICEID_3.3.3.3 -relExpiry 60 -hitSelector _XM_DEVICE_ID_3.3.3.3

add cache policy _XM_CACHE_WO_DEVICEID_3.3.3.3 -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.QUERY.CONTAINS(\"url\")" -action CACHE -storeInGroup _XM_WO_DEVICEID_3.3.3.3

add cache policy _XM_CACHE_W_DEVICEID_3.3.3.3 -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\")" -action CACHE -storeInGroup _XM_W_DEVICEID_3.3.3.3

bind lb vserver _XM_LB_CACHE_3.3.3.3 -policyName _XM_CACHE_WO_DEVICEID_3.3.3.3 -priority 90 -gotoPriorityExpression END -type REQUEST

bind lb vserver _XM_LB_CACHE_3.3.3.3 -policyName _XM_CACHE_W_DEVICEID_3.3.3.3 -priority 100 -gotoPriorityExpression END -type REQUEST

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Issue/Introduction

This article describes how to manually configure Citrix Gateway connector for Exchange ActiveSync, formerly known as XenMobile NetScaler Connector (XNC), on the NetScaler.