Category Archives: Hosting

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 4

ActiveSync, Blackberry, Client Access, Exchange 2010, Exchange 2013, Hosting, Netscaler, Security, Xenmobile

See the previous posts in the series:

Part 1

Part 2

Part 3


In this post, we will configure the XenMobile Netscaler Connector and configure the Netscaler itself to query the Netscaler Connector on ActiveSync Connections. 

Lets download the Netscaler Connector from


Copy the installer to PHDC-XENNC01.  We need to ensure that we have Net Framework 3.5 installed before we install Netscaler Connector.  But once that is done, lets begin the install.

This is a very simple, next, next finish install:


Next, lets run the XenMobile Connector Configuration:

On the Web Service Tab, select HTTP and leave it as the default port of 9080


Next, go to the Config Providers tab and click add.  Fill out the information for your Device Manager Server:


Leave everything else default and click save.

Next navigate to the Path Filters tab. Select the only path there, and select edit.

Change the policy to be Static + : Block Mode


What this does is tell the system that it will check local rules on the Netscaler Connector, then the Device Manager.  If neither of those rules apply, it will deny the connection. 

After you have made your changes, start up services.msc and manually start these three services:


Next, we configure the Netscaler to check in with the Netscaler Connector during ActiveSync connections.

Log into the Netscaler and go to Service Groups.  Select Add.  Name it NETSCALER-CONNECTOR

Add in your netscaler connector IP and set the Port to 9080, and protocol HTTP


Next go to Virtual Servers and click add to create a new one.

Name it NETSCALER-CONNECTOR, select the protocol as HTTP.  Also uncheck “Directory Addressable” which will clear the IP address and port.  This is completely expected.

Add the service group you created to the server:



Next go to AppExpert->HTTP Callouts->Add

Create the name as active_sync_filter.  Set the virtual server to the NETSCALER CONNECTOR server you created earlier.


Click on Configure Request Attributes:

Method –> get

Host Expression – > “callout.asfilter.internal”

URL Stem Expression-> “/services/ActiveSync/Authorize”


user-> HTTP.REQ.HEADER(“authorization”).AFTER_STR(“Basic”).B64DECODE.BEFORE_STR(“:”).HTTP_URL_SAFE

agent –> HTTP.REQ.HEADER(“user-agent”).HTTP_URL_SAFE







Under Server Response:

Return Type –> Text

Expression to extract data from the response –>HTTP.RES.BODY(20)


Now, create a second callout called active_sync_filter_deviceid.  Create everything identical to the callout active_sync_filter, except under Parameters, add one additional


Next go to Responder->Policies->Add

Create a new policy named active_sync_filter

Select Action = Drop

Expression equals below:


HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT


Create a second policy named active_sync_filter_deviceid

Again, set the Action = Drop

Expression equals below:

HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT 



Okay, hang in there, we are almost done.  Now, we need to find our Exchange Load Balancer server in the Netscaler.

Navigate to the Policy tab, select Responder.  Add the policies so that active_sync_filter_deviceid is lower number priority than active_sync_filter


Okay, that’s enough for now.  Next time we will configure Device Manager to deny certain devices based on set criteria and test it out!

5.3.2 STOREDRV.Deliver: Missing or bad StoreDriver MDB Properties When Using Address Book Policy Routing in Exchange 2013

Exchange 2013, Hosting, hub transport


If your using the new Address Book Policy Routing Agent to assist in separating your tenant organizations, you may run into a situation where a user is not able to receive email sent to them.  If you check the message tracking logs with:

Get-MessageTrackingLog –Recipients

You may get a result similar to this one below:


As we can see, our original email to generated an Undeliverable.

Of particular note is the Recipient Status where it lists 532 5.3.2 STOREDRV.Deliver: Missing or bad StoreDriver MDB properties.

There are two causes of this.  The first seems to be a bug where the mailbox is hidden from address lists:


This appears to be fixed in Exchange 2013 CU2.  A workaround is to uncheck the hide from address lists box.  See this forum post by Greg Taylor of Microsoft:

The second cause, is not a bug but expected behavior. If the user you are trying to email to, is not a member of the GAL that is in their Address Book Policy, the email routing will fail.  I’ll give you an example.

In our case, we tried to email

The user has an Address Book Policy applied to him called ABP-Soa


If we check that address book policy with Get-AddressBookPolicy ABP-Soa we can see that the Default Global Address List is GAL-SOA


If we check the filter of that Global Address list with Get-GlobalAddressList GAL-SOA | select RecipientFilter:


We can see that the GAL is filtering for all recipients that are of the type UserMailbox that also has CustomAttribute1 set to value SOA.

If we check the mailbox


So, there is our problem.  SOA-User1 has the Address Book Policy ABP-SOA assigned to him, which forces him to get the Global Address List GAL-SOA.  But since we failed to set CustomAttribute1 to SOA on his mailbox, he is actually not even showing up in his own GAL.  This is causing the routing issue.  We can simply fix this by ensuring the user is presented in his own GAL, in this case adding CustomAttribute1 with a value of SOA:


And you should be all set. 

User’s Cannot Log into Exchange 2007 or Exchange 2010 OWA with UPN Suffix

Client Access, Exchange 2010, Hosting, Resource Forest


Lets say you have the following environment:


ExchangeResource.corp hosts all the Microsoft Exchange 2010 servers, and linked mailbox accounts.  The actual user accounts are stored in the Tailspin.corp and Mantech.corp forests.  The Tailspin.corp and Mantech.corp forests have a one way forest trust with ExchangeResource.corp so that users in the Tailspin.corp and Mantech.corp forests can access their linked mailboxes in the ExchangeResource.corp domain.

Now to make things easy on the users, you set the OWA directory to use UPN suffix names instead of Domainuser:


This will allow users in Tailspin to login using username@tailspin.corp and users in Mantech to use username@mantech.corp.

Everything works fine, but then you add a UPN suffix to each individual forest that makes the UPN suffix match the users email address. Below is an example shown with the user Tom Jones in the Tailspin forest:


Now users in Tailspin login using and users at Mantech login using

A user goes to login with the new UPN and is greeted with an error message that they could not login:


But using the old UPN still works fine, so what’s going on?

Well, if we check the event logs of the DC in the ExchangeResource.corp domain we find EventID 6034 for LsaSrv in the security event log:


The DC is telling us that it does not know how to route the suffix.  It notes that it has been added to the forest tailspin.corp, as it learns it through the forest trust, but that the name suffix is not enabled.  It does very nicely tell us how to fix this.  Go to Active Directory Domains and Trusts->Right click on ExchangeResource.corp->Properties


Go to the Trusts tab.  Here you will see all the forests that you have trusts with.  Highlight the tailspin.corp forest and click on properties:


Navigate to the Name Suffix Routing tab:


Here we can see the new suffix has been added, it even has a status of “New”, but the Routing is disabled.  Highlight the suffix and then click Enable:


If you do not see the new suffix you created listed here, simply click the Refresh button and it should appear.

After hitting apply both names should be enabled:


Now if a user try’s to login, they should be all set!


Keep in mind you will need to do this each time you add a new UPN Suffix to one of the domains that are being trusted by ExchangeResource.corp.