
How to configure SecureMail for using Exchange on-premise


Marc Kuhn

Question

Hi guys

I have an on-premise XenMobile Server with the version 10.10.0.7, which sits in the DMZ. In the LAN I have an Exchange 2019 server. The access to webmail.domain.com is not possible from the internet. I want to configure Secure Mail for using the mailserver.

 

When I read this article, I should be able to configure in the MDX Policy: Tunneled to the internal network

 

https://docs.citrix.com/en-us/citrix-secure-mail/configuring-background-services-secure-mail.html

 

But with the newest version of SecureMail for Android, 19.6.5-24, I only see this:

 

[screenshot]

 

What am I missing here to configure it correctly? I had "use previous settings" configured for a couple of months, which was working just fine. Now that isn't working anymore and I receive the message: "The connection to the enterprise network is not possible"

 

Many thanks for your help

 

Best regards,

Marc

Link to comment

13 answers to this question


Hi Ryan

Wow, that was fast! Thanks a lot for your feedback. That worked like a charm. Is that documentation made for the XS in the cloud and there it looks a little different, or do you know why that is different?

 

I have kind of the same issue with Secure Web. I think I need to configure the same there as well, right? I did the proxy configuration on the Citrix Netscaler with traffic policies. Am I able to configure the app with a proxy.pac or wpad.dat file within the MDX policies now?

 

Many thanks for your help.

 

Best regards,

Marc

Link to comment

Hi Ryan

Okay, thanks for that. How about the Proxy Settings? How can I configure SecureWeb for going over the internal Proxy server, which is also in the DMZ, and authenticate with the user? Is that possible, or am I able to set up a service user which is used for authentication? Or do I need to configure the proxy so that the traffic from the XS doesn't need to have a user?

 

Best regards,

Marc 

Link to comment

It depends on the proxy you use, and I generally don't recommend routing Secure Web to a proxy unless your IT Security requires it. The Netscaler will pass NTLM to internal sites, or Kerberos if you have it set up, which you would not want to send to your proxy (since it's internal traffic). For outbound traffic you would use Traffic Policies to set up redirection to your proxy based on the URL or type of traffic it is. We set this up years ago so it may be out of date, but this is the general process that we used and it works for the most part:

 

https://www.citrix.com/blogs/2015/07/29/mobility-experts-xenmobile-worxweb-traffic-through-proxy-server-in-securebrowse-mode/

 

Let me know if you have questions about it.

Link to comment

Hi Ryan, hi Ashrar

 

I will need to look into it deeper; it's a little confusing that it was working for several months just nicely. But I think the Web SSO is working just nicely, I just need to find the correct way to configure the Proxy there. With no proxy I don't see a reason for the user to use SecureWeb instead of a locally installed app.

 

Best regards,
Marc

Link to comment

Hi Ryan

 

I'm not sure if I understood it correctly. Do you recommend configuring SecureWeb such that I use Web SSO and the traffic policies on the Netscaler? There I can configure internal URLs which should be available for the user. For external traffic, just make sure that the XS Server itself can reach the Internet via ports 80 & 443, is that correct?

 

Many thanks for your feedback.

 

Best regards,

Marc

 

Link to comment
1 hour ago, Marc Kuhn said:

I'm not sure if I understood it correctly. Do you recommend configuring SecureWeb such that I use Web SSO and the traffic policies on the Netscaler? There I can configure internal URLs which should be available for the user. For external traffic, just make sure that the XS Server itself can reach the Internet via ports 80 & 443, is that correct?

 

It depends on what you want to do. A few questions:

  1. Do you want them to be able to access both internal and external sites?
  2. If they go to the internet, do you always want that traffic to go through your proxy?
  3. Do you want to route them to the proxy for IT Security purposes, or for SSO?
Link to comment

Hi Ryan

We would like to have the following setup:

 

1. The users need to be able to access both, external and internal

2. I would like to have the traffic go through the internal proxy

3. I want to route them to the internal proxy for simplicity reasons: the same websites are blocked as in the Citrix desktop. If it isn't possible with SSO, I could also use a service user for that which has the configuration on the proxy.

 

Best regards,
Marc

Link to comment
On 7/16/2019 at 9:22 AM, Marc Kuhn said:

1. The users need to be able to access both, external and internal

2. I would like to have the traffic go through the internal proxy

3. I want to route them to the internal proxy for simplicity reasons: the same websites are blocked as in the Citrix desktop. If it isn't possible with SSO, I could also use a service user for that which has the configuration on the proxy.

 

This is basically the same scenario we have, except we do not route intranet traffic through a proxy, only internet traffic. Here is what we have:

  • The XenMobile Gateway includes 3 Traffic Policies:
    • [screenshot]
  • The first Traffic Policy goes to a Traffic Profile that does not route to any proxy:
    • [screenshot]
  • The second and third Traffic Policies both route to our proxy (one for port 80, one for 443):
    • [screenshot]

SSO is provided by the Netscaler with NTLM or Kerberos Impersonation if you set it up on the Netscaler.

Link to comment
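The three-policy layout described in the post above, sketched as NetScaler CLI. This is an added example, not part of the thread and not the poster's configuration (the screenshots are not preserved). Every object name, the intranet suffix `corp.example`, the proxy address `192.0.2.10:8080`, the vserver name `VS_XM_GATEWAY`, the priorities, the profile types (`http` for port 80, `tcp` for port 443) and the classic-expression rules are placeholder assumptions to check against the command reference for your firmware.

```text
# Constructed example: names, addresses and the intranet suffix are placeholders.

# --- Traffic Profiles (actions) ---
# Intranet sites: no proxy configured; the gateway performs SSO to internal sites.
add vpn trafficAction TA_INTRANET_NOPROXY http -SSO ON

# Internet traffic on port 80: forward to the proxy. SSO stays off here so the
# gateway's intranet SSO is used only on the no-proxy profile.
add vpn trafficAction TA_PROXY_80 http -SSO OFF -proxy 192.0.2.10:8080

# Internet traffic on port 443: same proxy (TCP profile is an assumption).
add vpn trafficAction TA_PROXY_443 tcp -proxy 192.0.2.10:8080

# --- Traffic Policies ---
# Policy 1: requests whose Host header is an intranet name bypass the proxy.
add vpn trafficPolicy TP_INTRANET_NOPROXY "REQ.HTTP.HEADER Host CONTAINS corp.example" TA_INTRANET_NOPROXY

# Policies 2 and 3: everything else, split by destination port, goes to the proxy.
add vpn trafficPolicy TP_PROXY_80 "REQ.TCP.DESTPORT == 80" TA_PROXY_80
add vpn trafficPolicy TP_PROXY_443 "REQ.TCP.DESTPORT == 443" TA_PROXY_443

# --- Binding ---
# The lowest priority number is evaluated first, so the intranet exception
# must sit ahead of the two catch-by-port proxy policies.
bind vpn vserver VS_XM_GATEWAY -policy TP_INTRANET_NOPROXY -priority 10
bind vpn vserver VS_XM_GATEWAY -policy TP_PROXY_80 -priority 20
bind vpn vserver VS_XM_GATEWAY -policy TP_PROXY_443 -priority 30

# Review the resulting bindings and their order.
show vpn vserver VS_XM_GATEWAY
```

If the intranet policy is bound after the port-based ones, internal requests match a proxy policy first and leave through the proxy, which is the outcome the earlier reply in this thread advises against.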

Hi Ryan

Many thanks for your feedback. You are right, we also do not route the intranet traffic over a proxy, only the traffic for the internet. I will compare my Traffic Policies with yours and retest then. I didn't make any settings on the Netscaler for SSO, either NTLM or Kerberos Impersonation. Which one do you use?

 

Thanks for sharing your configuration!! That really helps me.

 

Best regards,
Marc

Link to comment
