Jump to content
Welcome to our new Citrix community!
  • 0

Secure Mail connection to Office 365 -- Active Sync Throttling Policy


Question

Good afternoon,

After an iOS devices updates the Secure Mail app to 20.5.0, our users are being disabled in Active Sync due to a throttling policy. I have been working with Citrix support for a week and we can't figure out the solution. Has anyone else seen this? 

 

What happens is a user will open Secure Mail, it will attempt to sync, it will be successful for inbox and outbox, then within a minute, it will be blocked due to a throttling policy (in Exchange ActiveSync). After about 20 minutes, it will be unlocked, and the cycle will repeat. 

 

My assumption is this has to do with adding support for the newer Exchange Server version, but without being able to force an app downgrade, I cannot verify my suspicion. 

 

Has anyone seen this before? Any ideas on what to try or look at? 

Link to comment

5 answers to this question

Recommended Posts

  • 0

Hi there,

 

It is worth confirming that the version of Exchange being used is a supported one. From https://docs.citrix.com/en-us/citrix-secure-mail/whats-new.html, this might be Exchange Server 2016 Cumulative Update 16 or  Exchange Server 2019 Cumulative Update 5 (or older, not newer).

 

If this checks out ok, then the only other thing needed should be details from https://docs.microsoft.com/en-us/powershell/module/exchange/get-throttlingpolicy?view=exchange-ps.

Any Throttling Policy which is configured might well be behaving properly. If there is no such policy in place (and still the problem occurs), then an inspection should take place to confirm if the problem is on the Exchange side (event viewer logs, perhaps? maybe the configuration of web.config checked over also via https://docs.microsoft.com/en-us/exchange/architecture/client-access/client-message-size-limits?view=exchserver-2019).

 

There is also the ability to collect ActiveSync logs from the server via https://support.citrix.com/article/CTX228077. The 'Debug' level logs in Secure Mail might not contain much detail about what is happening with throttling on the server.

 

Best regards,

David

Link to comment
  • 0
2 hours ago, David Egan1709157332 said:

Hi there,

 

It is worth confirming that the version of Exchange being used is a supported one. From https://docs.citrix.com/en-us/citrix-secure-mail/whats-new.html, this might be Exchange Server 2016 Cumulative Update 16 or  Exchange Server 2019 Cumulative Update 5 (or older, not newer).

 

If this checks out ok, then the only other thing needed should be details from https://docs.microsoft.com/en-us/powershell/module/exchange/get-throttlingpolicy?view=exchange-ps.

Any Throttling Policy which is configured might well be behaving properly. If there is no such policy in place (and still the problem occurs), then an inspection should take place to confirm if the problem is on the Exchange side (event viewer logs, perhaps? maybe the configuration of web.config checked over also via https://docs.microsoft.com/en-us/exchange/architecture/client-access/client-message-size-limits?view=exchserver-2019).

 

There is also the ability to collect ActiveSync logs from the server via https://support.citrix.com/article/CTX228077. The 'Debug' level logs in Secure Mail might not contain much detail about what is happening with throttling on the server.

 

Best regards,

David


Hi David,

thanks for the reply. Unfortunately this is Exchange Online so I can not configure the throttling policies, view the Exchange version, or gather any server side logs. 

I did gather the EAS logs and Secure Mail logs. The EAS logs show that a device is trying to gather mail, the folders update but there is some sort of exception thrown, and after 7 retries, it locks the device due to too many attempts. 
 

This all started within 10 days of the latest version of Secure Mail being published which is why I suspect some bad code in the app. 

Link to comment
  • 0

I don't seem to have noticed many more support cases than usual about the latest Secure Mail app upgrade. Perhaps there is some combination of changes in the app and also some configuration on the server, which together cause the behaviour?

 

The following links can help you investigate Exchange Online more closely:

 

 

 

Based on the links above (and the content inside of them), it seems likely that the quickest way to get an answer about what specific throttling limit is being reached is by checking with Microsoft directly. Although the behaviour is typically being seen only after upgrading Secure Mail, it could be that the EWS throttling limit is being reached, based around how Secure Mail on Android goes about subscribing for Push Notifications. Instead, perhaps this truly is related to ActiveSync throttling, where the actual mail content sync takes place. Once this detail is discovered and confirmed, efforts being made to check over Secure Mail itself should become much more straight forward.

 

The exception errors which are noted could indeed be caused by a problem within the app itself. I'm unsure if this behaviour is the cause of the throttling message. Perhaps instead the throttling message can cause the exception. There might not be any correlation between these two symptoms of course, which is probably the safest way to assume to proceed. This way, each symptom can be investigated and treated separately, with the possibility of linking them together later on based on log entries and other direct evidence.

 

Best regards,

David 

Link to comment
  • 0
1 hour ago, David Egan1709157332 said:

I don't seem to have noticed many more support cases than usual about the latest Secure Mail app upgrade. Perhaps there is some combination of changes in the app and also some configuration on the server, which together cause the behaviour?

 

The following links can help you investigate Exchange Online more closely:

 

 

 

Based on the links above (and the content inside of them), it seems likely that the quickest way to get an answer about what specific throttling limit is being reached is by checking with Microsoft directly. Although the behaviour is typically being seen only after upgrading Secure Mail, it could be that the EWS throttling limit is being reached, based around how Secure Mail on Android goes about subscribing for Push Notifications. Instead, perhaps this truly is related to ActiveSync throttling, where the actual mail content sync takes place. Once this detail is discovered and confirmed, efforts being made to check over Secure Mail itself should become much more straight forward.

 

The exception errors which are noted could indeed be caused by a problem within the app itself. I'm unsure if this behaviour is the cause of the throttling message. Perhaps instead the throttling message can cause the exception. There might not be any correlation between these two symptoms of course, which is probably the safest way to assume to proceed. This way, each symptom can be investigated and treated separately, with the possibility of linking them together later on based on log entries and other direct evidence.

 

Best regards,

David 

 

 

Thank you for this additional reply.. Unfortunately Microsoft points their finger at Citrix, and Citrix points their finger at Microsoft, and I am stuck in a the middle, having to tell the CEO and all his direct reports that we cannot give them access while they are on the road. 

 

This issue does not occur on Android, and from my EWS logs on Android, I do not see the exception message. Microsoft doesn't have an answer on the exception yet, and I am a week into my case with no direction from Citrix with the dev logs.  

Link to comment
  • 0

I appreciate your concerns around having to work with two different vendors on this problem. Your support case with Citrix should indeed stay open and active until you are satisfied that the problem is either confirmed to be something which Citrix can solve directly or instead you are happy that the problem is indeed caused by something on the Microsoft server side.

 

To clarify the main points from my advice above:

 

Seek the following from Microsoft....

- any relevant details around throttling (these details are not available from Citrix. Microsoft have these details on the server which they host for you and there is no way to gather confirmed details about any throttling from a referral to Citrix).

- because a throttling message is seen in the Secure Mail app, on the client side, there is a definite need for confirmed details from Microsoft about what the server side record of this looks like

- the provided documentation does make it very clear that 'Get-ThrottlingPolicy' is for on-premises Exchange only. For Exchange Online, it is Microsoft who can help with this specific request

 

Seek the following from Citrix...

- any direct input or assistance with the exception type error being experienced (assuming it still exists, even after any potential issue around throttling is addressed)

- provide Citrix with any relevant and confirmed details around throttling, as provided by Microsoft

- insist that Citrix keep the support case open (provide details of this post, if required for any reason) until you are satisfied that the right support team is inspecting the right parts of these problems

 

The exception error received is likely the more difficult scenario to find the true root cause for. The reason for this is that an exception is, by it's very nature, not something which will leave any elegant logs anywhere for. The throttling message is entirely different though; that is something which should have much more direct feedback available on the server side.

 

Citrix should be much better placed to directly assist with this problem, if for example, the report from Microsoft confirms a throttling breach at (for example) 1GB on a device. This provides a clear target for inspection to take place against. Without confirmation of 'if' or 'what' throttling policy might become triggered, there is a much bigger challenge to identifying the true root cause of both behaviours.

 

Best regards,

David

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...