NetScaler: Configuring ActiveSync Filtering with XenMobile Netscaler Connector (XNC)

When you have XenMobile XNC, it is possible to filter ActiveSync requests going through the NetScaler.

It works as follows:

  1. The NetScaler appliance sits between the client and the XNC and CAS servers.
  2. All requests from the client devices go to the NetScaler appliance.
  3. The NetScaler then sends a request to the XNC with the device details to retrieve information about the device, whether the device is a whitelisted one or a blacklisted one.
  4. Based on the response from the XNC, the NetScaler either drops the connection from a blacklisted device or forwards the request from a whitelisted device to the backend server.

You need the following features licensed and properly configured on the NetScaler:

  • Load Balancing
  • SSL
  • HTTP Callout
  • Responder
  • Integrated Caching (IC)

This means that you need NetScaler Enterprise + IC or NetScaler Platinum.

Integrated Caching is needed for performance reasons. With IC, the NetScaler can store the callout response from the XNC in its local cache. For subsequent requests from the same device, the NetScaler reuses the stored callout response to decide locally whether to drop the connection or forward the request.

The process described above, at a technical level:

  1. First, an ActiveSync request is sent from the client to the NetScaler.
  2. Then, the NetScaler sends a request to the XNC server for information on the client device details.
  3. Then, the XNC server sends the response (allow or deny) to the NetScaler.
  4. If the request is allowed, NetScaler forwards it to the server. If the response is deny, NetScaler drops the request.
  5. For a request that is allowed, the NetScaler sends the server’s response to the client.
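As an added illustration (not from the original post or from Citrix), the following Python model walks through the five steps above together with the caching behaviour from the IC paragraph: it derives the callout parameters the way the two httpCallout policies do, keys the cache the way the two hit selectors do, and applies the responder rule that drops any request whose callout body does not contain "allow". The XNC backend, the request values and the clock are constructed stand-ins; nothing here talks to a real NetScaler.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed XNC stand-in: these (DeviceId, user) pairs get "allow", all else "deny" (real body format not on the page).
ALLOWED = {("DEV123", "alice")}
CALLOUT_TTL = 300  # -relExpiry 300 on both content groups

def xnc_authorize(params):
    """Hypothetical /services/ActiveSync/Authorize backend (not the real XNC)."""
    return "allow" if (params.get("DeviceId"), params["user"]) in ALLOWED else "deny"

def make_request(user, password, device_id=None, method="POST", host="mail.example.com"):
    """Constructed ActiveSync request; user=None omits Basic auth, device_id=None omits DeviceId."""
    url = "/Microsoft-Server-ActiveSync" + (f"?Cmd=Sync&DeviceId={device_id}" if device_id else "")
    headers = {"user-agent": "Apple-iPhone/1.0"}
    if user is not None:
        headers["authorization"] = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"method": method, "url": url, "host": host, "client_ip": "10.100.100.200", "headers": headers}

def callout_params(req):
    """Build the callout parameters the way the page's two httpCallout policies do."""
    auth = req["headers"].get("authorization", "")
    user = ""  # no Basic header: the AFTER_STR/B64DECODE/BEFORE_STR chain has nothing to extract
    if auth.startswith("Basic "):
        user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
    params = {"user": user, "agent": req["headers"].get("user-agent", ""), "ip": req["client_ip"],
              "url": base64.b64encode(("https://" + req["host"] + req["url"]).encode()).decode()}
    device_id = parse_qs(urlsplit(req["url"]).query).get("DeviceId")
    if device_id:  # only the active_sync_filter_deviceid callout carries DeviceId
        params["DeviceId"] = device_id[0]
    return params

def cache_key(params):
    """IC hit selector: DeviceId_Match (path, host, DeviceId-user) or Url_Match (url)."""
    if "DeviceId" in params:
        return ("/services/ActiveSync/Authorize", "callout.asfilter.internal", params["DeviceId"] + "-" + params["user"])
    return (params["url"],)

def decide(req, cache, now=0):
    """Return ('DROP'|'FORWARD', callout_made) for one request, as the responder policies would."""
    if req["method"] != "POST" or not req["url"].startswith("/Microsoft-Server-ActiveSync"):
        return "FORWARD", False  # the responder policies match only ActiveSync POSTs
    params = callout_params(req)
    key = cache_key(params)
    hit = cache.get(key)
    fresh = hit is not None and hit[0] > now
    if not fresh:  # miss or relExpiry reached: perform the HTTP callout and cache its body
        hit = cache[key] = (now + CALLOUT_TTL, xnc_authorize(params))
    # SYS.HTTP_CALLOUT(...).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT -> DROP
    return ("FORWARD" if "allow" in hit[1][:20].lower() else "DROP"), not fresh
```

Note that the rule is fail-closed: a missing Authorization header, an unknown device, or an empty callout body all end in DROP, and a second request from the same DeviceId and user within 300 seconds is decided from the cache without a callout.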

Example:

  • MIP: 10.100.100.11
  • VIP: 10.100.100.21
  • Exchange CAS: 10.100.100.31
  • XNC: 10.100.100.41

Below is an example configuration:

Step 1
enable ns feature LB SSL IC RESPONDER
add ns ip 10.100.100.11 255.255.255.0 -type MIP

Step 2
add service XNC1 10.100.100.41 HTTP 9080
add lb vserver active_sync_filter_vserver HTTP 0.0.0.0 0
bind lb vserver active_sync_filter_vserver XNC1

Step 3
add service CAS1 10.100.100.31 SSL 443
add lb vserver ExchangeCAS SSL 10.100.100.21 443
bind lb vserver ExchangeCAS CAS1

Step 4
add ssl certKey customercert -cert "/nsconfig/ssl/customercert.cert" -key "/nsconfig/ssl/customercert.key"
bind ssl vserver ExchangeCAS -certkeyName customercert

Step 5
add policy httpCallout active_sync_filter
add policy httpCallout active_sync_filter_deviceid

Step 6
set policy httpCallout active_sync_filter -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") -resultExpr "HTTP.RES.BODY(20)"

Step 7
set policy httpCallout active_sync_filter_deviceid -vServer active_sync_filter_vserver -returnType TEXT -hostExpr "\"callout.asfilter.internal\"" -urlStemExpr "\"/services/ActiveSync/Authorize\"" -parameters user(HTTP.REQ.HEADER("authorization").AFTER_STR("Basic ").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE) agent(HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE) ip(CLIENT.IP.SRC) url(("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE) resultType("json") DeviceId(HTTP.REQ.URL.QUERY.VALUE("DeviceId")) -resultExpr "HTTP.RES.BODY(20)"

Step 8
add responder policy active_sync_filter "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

Step 9
add responder policy active_sync_filter_deviceid "HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\") && HTTP.REQ.URL.STARTSWITH(\"/Microsoft-Server-ActiveSync\") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"callout.asfilter.internal\").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS(\"allow\").NOT" DROP

If you have NetScaler Gateway or NetScaler Standard, you can still use the XNC, but without caching it can have a significant performance impact because every request needs to go to the backend server. See step 18.

Step 10
set cache parameter -memLimit 200 -via "NS-CACHE-10.1: 180"
add cache selector Url_Match "HTTP.REQ.URL.QUERY.VALUE(\"url\")"

Step 11
add cache selector DeviceId_Match HTTP.REQ.URL.PATH HTTP.REQ.HOSTNAME "HTTP.REQ.URL.QUERY.VALUE(\"DeviceId\") + \"-\" + HTTP.REQ.URL.QUERY.VALUE(\"user\")"

Step 12
add cache contentGroup Req_with_DeviceId -relExpiry 300 -hitSelector DeviceId_Match

Step 13
add cache contentGroup Req_without_DeviceId -relExpiry 300 -hitSelector Url_Match

Step 14
add cache policy cache_req_with_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\")" -action CACHE -storeInGroup Req_with_DeviceId

Step 15
add cache policy cache_req_without_DeviceId -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"callout\") && HTTP.REQ.URL.QUERY.CONTAINS(\"DeviceId\").NOT && HTTP.REQ.URL.QUERY.CONTAINS(\"url\")" -action CACHE -storeInGroup Req_without_DeviceId

Step 16
bind lb vserver active_sync_filter_vserver -policyName cache_req_without_DeviceId -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver active_sync_filter_vserver -policyName cache_req_with_DeviceId -priority 100 -gotoPriorityExpression END -type REQUEST

Step 17
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST

Step 18 (WITHOUT IC license)
bind lb vserver ExchangeCAS -policyName active_sync_filter_deviceid -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver ExchangeCAS -policyName active_sync_filter -priority 100 -gotoPriorityExpression END -type REQUEST
