Recently I was asked to increase the security for a public reachable ActiveSync url. Although the customer was using Citrix Endpoint Management (XenMobile) and Citrix Secure Mail was available in their Enterprise AppStore, employees were also allowed to use their native “un-secure” mail client, which made use of a public reachable ActiveSync URL.

A big advantage they had, was that almost all mobile devices were already enrolled within Citrix Endpoint Management, so we knew which ActiveSync ID’s where legit and allowed to access ActiveSync.

Cause we were already making use of Citrix Endpoint Management, we decided to use the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector), to add an extra layer of security to the public reachable ActiveSync url.

The configuration was pretty straightforward and was running in no time. Although in this article I will not go into the architecture in more detail, you can find more information about this at Citrix.

We were only faced with one big challenge, the customer was still servicing a department, which consisted of several hundred users, who were in the process migrating their email to a different site. The mobile devices from this department where not enrolled in Citrix Endpoint Management and therefore being blocked by the Citrix Gateway connector for Exchange ActiveSync. Cause the Citrix Gateway connector for Exchange ActiveSync was configured with the policy “Static + PepperByte: Block Mode”, we had the opportunity to add “Static Rules”. A “Static Rule” was created to allow all users within the domain “PepperByte” access to ActiveSync. Unfortunately the “Static Rule” wasn’t working and the complete department was blocked

We contacted Citrix Support about this issue, after which we were informed the public version of XNC didn’t support RegEx expression, although you are able to enter them. They did however had a private version, in which RegEx expressions were working. We were given two new executables, which needed to be replaced within the Citrix Gateway Connector folder.


The private version has an additional option “Is Regex”, which allowed us to whitelist a complete AD domain, making us of a RegEx expression.

The “Static Rule” above allowed all users, within the AD Domain “PepperByte”, to access the ActiveSync URL, without being blocked by the
Citrix Gateway connector for Exchange ActiveSync

Post Navigation