See the previous posts in the series:
Part 1
Part 2
Part 3
In this post, we will configure the XenMobile Netscaler Connector and configure the Netscaler itself to query the Netscaler Connector on ActiveSync Connections.
Lets download the Netscaler Connector from http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-86-mdm-edition.html

Copy the installer to PHDC-XENNC01. We need to ensure that we have Net Framework 3.5 installed before we install Netscaler Connector. But once that is done, lets begin the install.
This is a very simple, next, next finish install:

Next, lets run the XenMobile Connector Configuration:
On the Web Service Tab, select HTTP and leave it as the default port of 9080

Next, go to the Config Providers tab and click add. Fill out the information for your Device Manager Server:

Leave everything else default and click save.
Next navigate to the Path Filters tab. Select the only path there, and select edit.
Change the policy to be Static + mobile.accessabacus.com : Block Mode

What this does is tell the system that it will check local rules on the Netscaler Connector, then the Device Manager. If neither of those rules apply, it will deny the connection.
After you have made your changes, start up services.msc and manually start these three services:

Next, we configure the Netscaler to check in with the Netscaler Connector during ActiveSync connections.
Log into the Netscaler and go to Service Groups. Select Add. Name it NETSCALER-CONNECTOR
Add in your netscaler connector IP and set the Port to 9080, and protocol HTTP

Next go to Virtual Servers and click add to create a new one.
Name it NETSCALER-CONNECTOR, select the protocol as HTTP. Also uncheck “Directory Addressable” which will clear the IP address and port. This is completely expected.
Add the service group you created to the server:

Next go to AppExpert->HTTP Callouts->Add
Create the name as active_sync_filter. Set the virtual server to the NETSCALER CONNECTOR server you created earlier.

Click on Configure Request Attributes:
Method –> get
Host Expression – > “callout.asfilter.internal”
URL Stem Expression-> “/services/ActiveSync/Authorize”
user-> HTTP.REQ.HEADER(“authorization”).AFTER_STR(“Basic”).B64DECODE.BEFORE_STR(“:”).HTTP_URL_SAFE
agent –> HTTP.REQ.HEADER(“user-agent”).HTTP_URL_SAFE
ip –> CLIENT.IP.SRC
url –> (“https://”+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE
resultType->”json”


Under Server Response:
Return Type –> Text
Expression to extract data from the response –>HTTP.RES.BODY(20)

Now, create a second callout called active_sync_filter_deviceid. Create everything identical to the callout active_sync_filter, except under Parameters, add one additional
DeviceId-> HTTP.REQ.URL.QUERY.VALUE(“DeviceID”)
Next go to Responder->Policies->Add
Create a new policy named active_sync_filter
Select Action = Drop
Expression equals below:
HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT

Create a second policy named active_sync_filter_deviceid
Again, set the Action = Drop
Expression equals below:
HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT

Okay, hang in there, we are almost done. Now, we need to find our Exchange Load Balancer server in the Netscaler.
Navigate to the Policy tab, select Responder. Add the policies so that active_sync_filter_deviceid is lower number priority than active_sync_filter

Okay, that’s enough for now. Next time we will configure Device Manager to deny certain devices based on set criteria and test it out!