Secure Mail - Problems signing into Exchange Online Accounts when connection is tunnelled.


Question

I'm hoping someone can point me in the right direction with this.

 

We are in the process of moving from Exchange 2016 to Exchange Online and are having problems with getting Secure Mail to work with migrated mailboxes. Everything seems to go well: it accepts the initial credentials and redirects the user to the Modern Authentication login page for Microsoft Online. It then appears to accept the Office 365 credentials but gets stuck with a box saying 'Verifying' before returning the error 'Oops! We've encountered an issue during authentication'.

 

We have set up Secure Mail to tunnel into our network first and connect to Office 365 from there, as we have location-specific Conditional Access policies enabled for our Office 365 accounts that mean it only works when connected from our network. If I turn off those policies and set Secure Mail's network connection policy to 'Unrestricted', I can successfully sign in to the mailbox and download the emails. With the Conditional Access policies enabled, I can sign in to the same account in OWA, through the Secure Web app, without issue. As such, there appears to be an issue with the Secure Mail tunnelled connection through the gateway (I've tried all of the different Tunnelled options).

 

I've been reviewing the logs in XenMobile and on the Netscaler, but have not been able to see anything out of the ordinary. As such, I was hoping someone might have encountered this problem before and have some idea on how to fix it.

 

Thanks.


4 answers to this question


Hello @aharris738 


Can you please clarify:

  1. Are you using an iOS or Android device to test this scenario?
  2. What is the Network access policy you have configured? (Full VPN or WebSSO?)
  3. What are the URLs you have configured in Background services?

 

Our typical recommendation is to exempt the Secure Mail app from the location policy and connect directly to O365, as this reduces unnecessary network hops and the need to configure your internal firewall. As far as I recall, all our customers who used your model of location (trusted IP) based policy moved to exempting the Secure Mail app. Having said that, if you still choose to continue the same way, you need to make sure that your organisation's firewall allows each of the Microsoft-listed URLs and IPs: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges . You also need to make sure you list them in Background services. I know at least one of our large-scale enterprise customers did this for one of their temporary requirements and it worked perfectly.

 

Regards,
Gautam.

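A worked example of the "allow each of the Microsoft-listed URLs and IPs" step in the answer above, added here and not part of the thread or of any Citrix tool: Microsoft publishes the same URL and IP data in machine-readable form from its endpoints web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>), and this script turns that JSON into Background services entries and gateway firewall rules, flags the required sets that publish no IP ranges at all, and looks up which set a destination IP from a gateway log belongs to. The embedded JSON is a constructed excerpt in that schema (the live list has hundreds of entries), and the host:port form used for Background services is an assumption about that policy field.

```python
import ipaddress
import json

# Constructed excerpt in the schema of Microsoft's endpoints web service
# (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>).
# IDs, URLs and ranges are illustrative, not a copy of the current list;
# fetch the live JSON when building real rules.
SAMPLE_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "40.96.0.0/13", "2603:1006::/40"],
     "tcpPorts": "80,443", "expressRoute": True, "category": "Optimize", "required": True},
    {"id": 8, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["*.outlook.com", "autodiscover.*.onmicrosoft.com"],
     "tcpPorts": "443", "expressRoute": False, "category": "Allow", "required": True},
    {"id": 56, "serviceArea": "Common", "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
     "urls": ["login.microsoftonline.com", "*.msauth.net", "*.msftauth.net"],
     "ips": ["20.190.128.0/18", "40.126.0.0/18"],
     "tcpPorts": "80,443", "expressRoute": True, "category": "Allow", "required": True},
    {"id": 17, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["*.office365.com"], "ips": ["52.100.0.0/14"],
     "tcpPorts": "443", "udpPorts": "443", "expressRoute": False, "category": "Default", "required": False},
])


def load_endpoints(text):
    """Parse the web-service JSON into a list of endpoint-set dicts."""
    return json.loads(text)


def required_sets(endpoints, areas=("Exchange", "Common")):
    """Keep the sets Microsoft marks required, in the service areas a mail
    client needs: Exchange itself plus the 'Common' sign-in endpoints that
    the Modern Authentication redirect goes through."""
    return [e for e in endpoints if e.get("required") and e.get("serviceArea") in areas]


def _ports(entry, key):
    """'80,443' -> [80, 443]; missing key -> []."""
    return [int(p) for p in entry.get(key, "").split(",") if p]


def background_services(endpoints):
    """host:port strings for every required URL, wildcards included.
    The host:port form is an assumption about the Background services field;
    the point is that every listed URL must appear, not only outlook.office365.com."""
    out = set()
    for e in required_sets(endpoints):
        for host in e.get("urls", []):
            for port in _ports(e, "tcpPorts"):
                out.add(f"{host}:{port}")
    return sorted(out)


def firewall_rules(endpoints):
    """(proto, network, port) triples for the gateway's egress rules."""
    rules = set()
    for e in required_sets(endpoints):
        for cidr in e.get("ips", []):
            net = str(ipaddress.ip_network(cidr))  # validates the CIDR
            for port in _ports(e, "tcpPorts"):
                rules.add(("tcp", net, port))
            for port in _ports(e, "udpPorts"):
                rules.add(("udp", net, port))
    return sorted(rules)


def url_only_sets(endpoints):
    """IDs of required sets that publish no IP ranges: IP-based firewall
    rules alone cannot cover them, so they need FQDN/proxy rules."""
    return [e["id"] for e in required_sets(endpoints) if not e.get("ips")]


def matching_set(ip, endpoints):
    """Endpoint-set ID whose ranges contain a destination IP, or None.
    Useful when a tunnelled sign-in stalls: check whether the address the
    gateway dropped is a Microsoft range missing from the allow list."""
    addr = ipaddress.ip_address(ip)
    for e in endpoints:
        for cidr in e.get("ips", []):
            if addr in ipaddress.ip_network(cidr):
                return e["id"]
    return None


if __name__ == "__main__":
    eps = load_endpoints(SAMPLE_JSON)
    print("Background services:", *background_services(eps), sep="\n  ")
    print("Firewall rules:", *firewall_rules(eps), sep="\n  ")
    print("URL-only sets (need FQDN rules):", url_only_sets(eps))
    print("40.126.1.1 belongs to set", matching_set("40.126.1.1", eps))
```

Run as-is to see the lists for the sample; with the live feed, diff the output against the gateway's current rules whenever Microsoft changes the list, since a newly added sign-in range that the tunnel cannot reach shows up exactly as the 'Verifying' hang described in the question.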

Hi Gautam,

 

We're working with iOS devices only and using Full VPN.

 

However, based on what you have said above, I think we have been making this more complicated than it needs to be. As such, we have decided to forget about trying to tunnel the connection into the internal network but instead pursue an approach of exempting SecureMail from the conditional access policies and allowing it to reach O365 directly. Hopefully that should make our lives easier.

 

Thanks again for the feedback and for taking the time to reply.

 

Andrew


Yup, you seem to have made the right choice now. There is no need to tunnel the O365-specific traffic via VPN; you will be inviting a lot of unnecessary hops and firewall complications. Just exempt Secure Mail and have O365 traffic go directly over the internet.

 

I will continue watching this thread, please update this thread if you have any further issues in your process. 

2 hours ago, Andrew Harris1709160651 said:

We're working with iOS devices only and using Full VPN.

Btw, SecureBrowse is always better than Full VPN; it is used by the overwhelming majority of deployments and is much more stable.
