Citrix Secure Email Deployment Guide White Paper

Citrix secure email deployment guide Facilitating email collaboration


Introduction

Intelligent mobile devices are a growing component of daily business activity. More tablets and smartphones are now sold each month than PCs and laptops, and the average business information worker uses three devices a day, one of which they typically own. The BYOD trend will continue: by 2015 it is estimated1 that the number of portable devices in the enterprise will be three times that of laptops and desktops.

Their cost, portability and reliance on wireless connectivity, however, leave them particularly vulnerable to theft, data leakage and Wi-Fi snooping. Apps are a particular concern. In a survey by Nielsen2, smartphone users were found to have installed an average of more than 40 applications, most of which have permission to send data to the Internet.

Yet smartphones and tablets have an undeniable business value, and that value needs to be balanced against the risks of their use. Uncontrolled use of mobile apps, including the built-in iOS and Android mail clients, allows local storage of emails and attachments that could result in loss or exposure of confidential information. A device without a passcode, or a well-timed theft, would allow a thief to impersonate the owner. For these reasons many companies restrict the use of mobile devices and apps, and the most cautious forbid their use altogether.

Several alternatives, each with its own level of security and convenience, are available to IT departments for securing access to email and associated information. This guide discusses several typical deployments that use Citrix products and their tradeoffs. The most secure of them, which uses the Citrix WorxMail client and Citrix NetScaler Gateway, is discussed in some detail. The guide is intended for IT architects and network engineers, but others will benefit from an understanding of the Citrix solutions. WorxMail integrates with existing Microsoft® Exchange® 2007 and 2010 infrastructures: no additional Exchange servers are needed, and only small configuration changes are required.

Email access alternatives

Basic email access

The most straightforward approach to email access is shown in Figure 1. The Microsoft Exchange environment is protected only by a perimeter gateway such as Microsoft Forefront Threat Management Gateway (TMG) or Citrix NetScaler Gateway. These gateways provide basic security services such as firewalling, anti-malware and denial-of-service protection. The pros and cons of this type of email access are shown in Table 1.

1 Business Insider, "The Future of Mobile", 2012.
2 http://blog.nielsen.com/nielsenwire/?p=31891

Figure 1: Basic email access. A native email client connects over 3G/4G/Wi-Fi, through Microsoft TMG or Citrix NetScaler Gateway, to Microsoft Exchange in the datacenter.

Pros:
• No client configuration; native email clients are used
• Exchange server is protected against Internet attacks
• Minimal datacenter configuration

Cons:
• ActiveSync traffic is not encrypted by the solution and may be intercepted
• No protection for data downloaded to the client
• No control over which clients can connect to Exchange
• No control over the client's applications; apps may be used to forward confidential information

Table 1: Basic email access—pros and cons

Controlling client devices

Additional control can be obtained with Citrix XenMobile MDM Edition, as shown in Figure 2. Mobile device management is supported by the XenMobile Network Controller (XNC) component, which is installed on the security platform: Microsoft TMG or Citrix NetScaler Gateway in this example. XenMobile MDM provides role-based management, configuration and security for both corporate and employee-owned devices. Upon device enrollment, IT can provision policies and applications to devices automatically, blacklist or whitelist client apps, detect and block jailbroken devices, and selectively wipe a device that is lost, stolen or out of compliance. Users can use any device they choose, while IT ensures compliance of corporate assets and secures corporate content on the device. This effectively limits and secures the client devices. The pros and cons of this solution are shown in Table 2.


Figure 2: Controlling client devices. A native email client connects over 3G/4G/Wi-Fi, through Microsoft TMG or Citrix NetScaler Gateway (each with the XenMobile Network Controller), to Microsoft Exchange and Citrix XenMobile Device Manager in the datacenter.

Pros:
• Access to the Exchange Server is limited to approved clients
• Dangerous apps can be blacklisted
• Exchange Server is protected against Internet attacks
• Downloaded data on the client can be wiped remotely

Cons:
• ActiveSync traffic is not encrypted by the solution and may be intercepted
• Downloaded data on the client is accessible to any non-blacklisted application

Table 2: Controlling client devices—pros and cons

Scalable secure access

A high level of security can be achieved by using Citrix XenMobile together with NetScaler Gateway and the WorxMail client, as shown in Figure 3. XenMobile prepares (wraps) the WorxMail app and the other Worx apps before they are delivered to the client.

The client reaches the NetScaler Gateway over an encrypted tunnel, in either Secure Ticket Authority (STA) mode or microVPN mode; the gateway terminates the tunnel and controls which internal servers it may reach, while content downloaded to the device is held encrypted in the MDX container described below. STA offers a better user experience because a secure ticket authenticates the user for a longer period: whereas a microVPN connection prompts the user for explicit authentication, an STA connection can be silently re-authenticated through ticket renewal3. In this topology WorxMail uses STA mode with NetScaler Gateway, and XenMobile serves as the ticketing authority.

NetScaler Gateway4 is an application delivery platform that accelerates and controls access to the enterprise Exchange servers and other internal services. NetScaler can run as a virtual appliance or, for higher capacity, as a dedicated hardware appliance. The pros and cons of this alternative are shown in Table 3.

3 The STA-based approach is currently available for WorxMail on Android-based devices. A version for iOS-based devices is coming soon; in the interim, a microVPN-based setup can be used.
4 http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html


Figure 3: Scalable secure access. The Citrix WorxMail client connects over an STA or microVPN tunnel across 3G/4G/Wi-Fi to Citrix NetScaler Gateway, and from there to Microsoft Exchange and Citrix XenMobile in the datacenter.

Pros:
• Access to the Exchange Server is limited to approved clients
• Exchange Server is protected against Internet attacks
• Downloaded data on the client is encrypted, access controlled and can be wiped
• Large numbers of users can be safely controlled

Cons:
• A NetScaler appliance, or a VM running NetScaler, is required
• Additional, minor configuration requirements

Table 3: Scalable secure access—pros and cons

This alternative is sometimes compared with solutions that route users through an intermediate network operations center (NOC) operated by a third party. NOC-based solutions offer no significant benefit over a datacenter-resident solution, and they bring recurring costs, loss of control and loss of the ability to make quick changes.

WorxMail overview

Citrix WorxMail is a mobile email solution that enables IT organizations to manage secure email access for company-owned and personal mobile devices. When properly installed and configured, WorxMail becomes the only means by which mobile devices can access email. WorxMail is a component of the Citrix Worx Mobile Apps5 solution, which establishes a closed, secure environment in which data on mobile devices can only be used by apps that IT has approved and prepared. All communications between the mobile device and the enterprise's servers are encrypted, and only authorized and authenticated users are allowed to talk to the Exchange server.

5 http://www.citrix.com/products/worx-mobile-apps/overview.html


Citrix XenMobile is a key element of this solution. It leverages the Citrix Worx App SDK and Citrix MDX Technologies to establish a managed, secure environment for the execution of mobile applications. With MDX Technologies, corporate apps and data reside in a container, separated from personal apps and data on the user's mobile device. This allows IT to secure any custom-developed, third-party or BYO mobile app with comprehensive policy-based controls. Three key technologies are at work:

• MDX Access: provides granular policy-based management and access controls over all native and HTML5 mobile apps.
• MDX Vault: separates business mobile apps and data from personal apps on mobile devices in a secure business container.
• MDX Interapp: controls the communications between mobile enterprise applications to ensure that data only moves between MDX-wrapped applications.

Mobile users access their email, calendar and contacts through the intuitive WorxMail interface. Attachments are held encrypted on the mobile device in the MDX Vault and may only be opened by approved apps. Confidential data stored on Citrix ShareFile servers may also be safely attached to emails.

WorxMail can be deployed to the entire workforce because device owners administer their own devices. IT involvement consists of selecting applications, applying policy controls to those applications and then making them available through the corporate App Store6 in the Worx Home app. WorxMail is one such application, provided for the iOS and Android platforms. When employees leave the company or their devices are stolen, IT can remotely wipe the locally held data associated with each of the applications.

NetScaler Gateway

Citrix NetScaler Gateway is the heart of the system, directing traffic between mobile clients and internal servers. With respect to email access, it serves several functions:

• Controls client access to the Exchange Client Access Server (CAS)
• Establishes STA and microVPN connections with each mobile device
• Load balances multiple CASs
• Compresses data to optimize communications

NetScaler, as a hardware appliance or a virtual appliance, performs similar functions for a broad range of applications, including web and FTP. It performs load balancing, application acceleration, layer 4-7 traffic management, SSL termination and application security. Load balancing provides fault tolerance and improves response time. When the CAS is implemented as a virtual service, NetScaler can instantiate new CASs as load increases.

Apps

The XenMobile StoreFront, which holds IT-approved applications, is used by IT administrators to select applications and designate the policies that control how those applications operate on client devices. These controls include authentication requirements, encryption algorithms, network access restrictions, limits on the use of jailbroken devices, web browsing restrictions and permissions for the use of mobile device hardware. The values of key email parameters, including the ActiveSync server address and mail domain, can be pre-defined in the StoreFront-offered application. These controls are enforced by wrapping the application in an MDX layer that works with the device-resident Worx Home and Citrix Receiver software.

6 http://support.citrix.com/proddocs/topic/cloudgateway/clg-cloudgateway.html

Worx Home and Citrix Receiver must first be installed on each iOS and Android device. They are used to download applications from the StoreFront, install them on the mobile device and provide the run-time environment in which the applications execute. When working with NetScaler, they establish the STA or microVPN tunnels used for communication.

WorxMail client

As shown in Figure 4 and Figure 5, the WorxMail interface7 is intuitive and similar to other iOS and Android applications. It encompasses email, calendar and contact management, with close integration with ShareFile for confidential file attachment and viewing.

Figure 4: WorxMail usage

7 http://www.citrix.com/tv/#videos/8171

Figure 5: WorxMail calendar usage

Client access servers and Exchange mailbox

CAS servers are the external interface for the Exchange service, permitting authorized access to mail storage, address lists and calendar events through several protocols. The ActiveSync protocol was developed for use by mobile devices. In the WorxMail environment the CAS servers communicate with the mobile client through NetScaler. There is no need to upgrade the Exchange infrastructure for use with WorxMail; only small configuration changes are required, and Exchange usage by non-mobile clients remains unaffected.

Deploying WorxMail

Deploying WorxMail is straightforward: apps are installed on mobile clients, and NetScaler is installed and configured.

Deploying clients

To start, Worx Home, Citrix Receiver and WorxMail must be installed on each mobile device. WorxWeb8, another Citrix Worx Mobile App, can be used for web-based Internet and intranet viewing. Standard apps such as Adobe® Reader® can be used for attachment viewing. Devices running Apple iOS 5.1.1 or Android 4.x or later are supported. XenMobile is used to prepare WorxMail and other apps for the corporate StoreFront. If STA is to be used, the address of the XenMobile server must be configured in the application, together with the ticket expiration time. After the ticket expires, users must re-authenticate to Worx Home and Citrix Receiver before they can proceed. The default expiration time is 7 days.

MDX policies control how WorxMail clients operate. The full set of policies is described in the XenMobile App Controller documentation. The policies that are significant with respect to WorxMail operation are described in Table 4.

8 http://www.citrix.com/products/xenmobile/features/productivity-apps.html

App interaction
• Cut and copy / paste: Blocks, permits or restricts clipboard data. Restricted may be used to ensure that copied data is held on a private clipboard for use by MDX apps only.
• Document: Blocks, permits or restricts access to documents.

Authentication
• Reauthentication period: The time between reauthentication challenges.
• Authentication: The type of authentication required: enterprise logon required; offline access permitted after challenge; offline challenge only; not required.

Device security
• Block jailbroken and rooted devices: Restricts these modified devices.

Encryption
• Enable database encryption: Encrypts the app's local database.

Network access
• Network access: Prevents, permits or redirects application network activity. "Tunneled to the internal network" sets up per-application tunnels to the internal network for the greatest security.

Network requirements
• Require internal network: Can be used to restrict access to enterprise networks.
• Internal WiFi networks: Can be used to restrict access to particular WiFi networks.

Table 4: MDX policies related to WorxMail

NetScaler configuration

NetScaler is deployed in the demilitarized zone (DMZ) of the enterprise network. It is initially configured for use with Exchange servers as described in the Exchange 2010 NetScaler Deployment Guide9. A policy is then used to drop the connection if an ActiveSync request does not come from a WorxMail client.

To use STA, NetScaler Gateway must be configured to use the appropriate XenMobile server as the ticketing authority for client connections. The process is as follows.

On the NetScaler Gateway:

1. Configure and bind the XenMobile server as an STA service for the virtual server.

2. Ensure that the NetScaler Gateway is able to resolve the Exchange ActiveSync (EAS) server’s fully qualified domain name (FQDN) via the DNS server that is bound to the NetScaler Gateway.

9 http://www.citrix.com/content/dam/citrix/en_us/documents/products/netscalerexchange2010.pdf

3. If the EAS FQDN is resolved by the internal DNS and the NetScaler Gateway split tunnel setting is ON, its internal IP must fall within the Intranet Application list that is bound to the session policy.

4. Ensure that the NetScaler Gateway FQDN is resolvable both from external and internal network.
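The four gateway steps above, the drop policy for non-WorxMail ActiveSync requests, and the SSL back-end leg recommended under Additional security, rendered as NetScaler CLI commands by an added shell script that is not part of the Citrix guide. Every name and address in it is an assumed placeholder (gateway VIP 203.0.113.10, XenMobile server https://xenmobile.example.com, internal DNS 10.0.0.53, CAS 10.0.1.25 behind an internal load-balancing VIP 10.0.2.10 to which the EAS FQDN resolves), and it assumes WorxMail can be recognized by the substring "WorxMail" in its User-Agent header; confirm the real string in the CAS IIS logs before relying on it.

```shell
#!/bin/sh
# Added example, not a script from the Citrix guide: renders the NetScaler CLI
# commands for the STA-based WorxMail deployment steps above. Every address,
# host name and the WorxMail User-Agent substring is an assumed placeholder.

GW_VIP="${GW_VIP:-203.0.113.10}"                           # assumed public VIP of the NetScaler Gateway vserver
XM_STA_URL="${XM_STA_URL:-https://xenmobile.example.com}"  # assumed XenMobile server, bound as the STA (step 1)
DNS_IP="${DNS_IP:-10.0.0.53}"                              # assumed internal DNS server bound to the gateway (step 2)
CAS_IP="${CAS_IP:-10.0.1.25}"                              # assumed Exchange CAS address
EAS_VIP="${EAS_VIP:-10.0.2.10}"                            # assumed internal LB VIP the EAS FQDN resolves to (step 3)
WORXMAIL_UA="${WORXMAIL_UA:-WorxMail}"                     # assumed User-Agent substring; confirm in the CAS IIS logs

# Step 3: an Intranet Application entry for the EAS address is only required when split tunneling is ON.
needs_intranet_app() {
    [ "$1" = "ON" ]
}

# Step 4: the gateway FQDN must resolve on both sides. Run this once from the internal
# network and once from the Internet (getent is glibc-specific; use host/nslookup elsewhere).
check_fqdn_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Prints the command set for the given split tunnel setting (ON, OFF or REVERSE).
render_gateway_config() {
    split="$1"
    case "$split" in
        ON|OFF|REVERSE) ;;
        *) echo "split tunnel must be ON, OFF or REVERSE" >&2; return 2 ;;
    esac

    # Back end: the CAS as an SSL service behind an internal load-balancing vserver,
    # so the NetScaler-to-CAS leg is encrypted too ("Additional security" below).
    cat <<EOF
add service svc_cas1 $CAS_IP SSL 443
add lb vserver lb_eas SSL $EAS_VIP 443
bind lb vserver lb_eas svc_cas1
add dns nameServer $DNS_IP
EOF

    # Step 1: gateway vserver with the XenMobile server bound as the STA, plus a
    # session policy that applies the split tunnel setting to every session.
    cat <<EOF
add vpn vserver vs_gateway SSL $GW_VIP 443
bind vpn vserver vs_gateway -staServer "$XM_STA_URL"
add vpn sessionAction sa_worx -splitTunnel $split -transparentInterception ON -defaultAuthorizationAction ALLOW
add vpn sessionPolicy sp_worx ns_true sa_worx
bind vpn vserver vs_gateway -policy sp_worx -priority 100
EOF

    # Step 3: with split tunneling ON, the EAS address must be in the Intranet Application list.
    if needs_intranet_app "$split"; then
        cat <<EOF
add vpn intranetApplication ia_eas ANY $EAS_VIP -netmask 255.255.255.255 -destPort 443 -interception TRANSPARENT
bind vpn vserver vs_gateway -intranetApplication ia_eas
EOF
    fi

    # Drop ActiveSync requests reaching the CAS-facing vserver without the WorxMail User-Agent.
    printf 'add responder policy rp_drop_non_worxmail "HTTP.REQ.URL.PATH.STARTSWITH(\\"/Microsoft-Server-ActiveSync\\") && !HTTP.REQ.HEADER(\\"User-Agent\\").CONTAINS(\\"%s\\")" DROP\n' "$WORXMAIL_UA"
    printf 'bind lb vserver lb_eas -policyName rp_drop_non_worxmail -priority 100 -gotoPriorityExpression END -type REQUEST\n'
}

# Usage: sh ns_worxmail.sh ON > gateway.cmds, then paste the output into the NetScaler CLI.
if [ $# -gt 0 ]; then
    render_gateway_config "$1"
fi
```

The User-Agent check is hygiene, not authentication: any client can send that header. The controls that actually limit access to approved clients are the STA ticket or microVPN tunnel, which only a wrapped WorxMail can establish, and the Exchange-side restriction of ActiveSync to an approved group described under Safe rollout.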

On the XenMobile server, when setting up the WorxMail app, the following MDX policies should be set:

1. Background Network Services should be set to: <>:443.

2. Background Network Service Gateway: <>.

3. Background Network Service Ticket Expiration: 7 days. (7 is the default; it specifies the lifetime of the ticket issued by XenMobile that allows WorxMail to reach the EAS server.)

4. Ensure that MDX policy for Network Access is set as Tunneled to internal network.

Microsoft Exchange configuration

Outlook Web App (OWA) should be disabled so that no mobile client can bypass the requirement to use ActiveSync.

Additional security

If the NetScaler and the CAS are not on the same trusted network, additional internal security can be gained through two techniques:

1. Use SSL encrypted connections between NetScaler and the CAS.

2. Place the CAS behind a separate firewall or virtual firewall instance.

Safe rollout

WorxMail can be safely rolled out alongside an active Exchange infrastructure. The following steps bring it to the full user community:

1. Select an initial test group. If they are not already part of a common Active Directory group, then create one for them.

2. Configure Exchange to allow that group access to email via ActiveSync.

3. Deploy Worx Home, Citrix Receiver and the WorxMail app to the test group’s mobile devices.

4. Populate a set of files in ShareFile for use as email attachments.


5. Provide the test group with a checklist of functions to test. They should verify the contents and operation of their WorxMail client against their desktop email client:

a. Email

b. Calendar

c. Contacts

d. Attachments referencing contents in ShareFile

6. IT should execute a remote wipe of one or more of the test group's devices.

NetScaler and CAS logs can be used to diagnose any problems that might occur. At this point, the test group can be expanded in stages to include the entire company. Existing Active Directory groups can be used to roll out WorxMail to a growing audience.
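A check for the log review mentioned above, as an added example that is not from the Citrix guide: it scans an Exchange CAS IIS log for ActiveSync requests that either did not arrive through the NetScaler Gateway or did not present the WorxMail User-Agent, which is how a pilot can confirm that WorxMail is the only path to email. The gateway subnet IP (10.0.2.11), the User-Agent substring "WorxMail" and the four log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Citrix guide: audits an Exchange CAS IIS log for
# ActiveSync requests that bypassed the NetScaler Gateway or did not come from
# WorxMail. The gateway SNIP, the User-Agent substring and the sample log are assumptions.

NS_SNIP="${NS_SNIP:-10.0.2.11}"          # assumed NetScaler subnet IP the CAS sees as the client address
WORXMAIL_UA="${WORXMAIL_UA:-WorxMail}"   # assumed substring of the WorxMail User-Agent

# Reads an IIS W3C log on stdin, maps column names from the #Fields: header, and
# prints one line per ActiveSync request that violates the WorxMail-only rule:
#   BYPASS  <user> <client-ip> <user-agent>   request did not arrive through the gateway
#   NONWORX <user> <client-ip> <user-agent>   request came through the gateway but not from WorxMail
audit_eas_log() {
    awk -v snip="$NS_SNIP" -v ua="$WORXMAIL_UA" '
        /^#Fields:/ {                                   # "#Fields:" is $1, so name $i maps to data field i-1
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ || NF == 0 { next }                         # other directives and blank lines
        index($(col["cs-uri-stem"]), "/Microsoft-Server-ActiveSync") != 1 { next }
        {
            user = $(col["cs-username"]); cip = $(col["c-ip"]); agent = $(col["cs(User-Agent)"])
            if (cip != snip)                print "BYPASS", user, cip, agent
            else if (index(agent, ua) == 0) print "NONWORX", user, cip, agent
        }'
}

# Constructed sample: IIS replaces spaces inside fields with "+", so each field is one token.
sample_log() {
    cat <<'EOF'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-06-10 08:00:01 10.0.1.25 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=ABC123 443 CORP\alice 10.0.2.11 WorxMail/1.0+(iOS) 200
2013-06-10 08:00:02 10.0.1.25 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=bob&DeviceId=DEF456 443 CORP\bob 10.0.2.11 Android/4.2-EAS-1.3 200
2013-06-10 08:00:03 10.0.1.25 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=carol&DeviceId=GHI789 443 CORP\carol 192.0.2.44 Apple-iPhone5C1/1002.329 200
2013-06-10 08:00:04 10.0.1.25 GET /owa/ - 443 CORP\dave 192.0.2.45 Mozilla/5.0+(Windows+NT+6.1) 200
EOF
}

# Usage: sh audit_eas.sh u_ex130610.log, or sh audit_eas.sh --demo to run on the sample above.
if [ "${1:-}" = "--demo" ]; then
    sample_log | audit_eas_log
elif [ $# -gt 0 ]; then
    audit_eas_log < "$1"
fi
```

On the sample, alice passes, bob is reported as NONWORX (a native Android client tunnelled through the gateway) and carol as BYPASS (a direct connection from the Internet, which means the CAS is still reachable without the gateway); the OWA request is outside the rule's scope and is ignored. A BYPASS hit during the pilot points at a firewall path to the CAS that must be closed before the wider rollout.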

Conclusion

Citrix WorxMail unlocks the power of mobile devices to participate in business information exchange. With WorxMail, any Apple or Android smartphone or tablet can safely access and hold confidential information, information that only WorxMail clients can remotely access. Its intuitive interface and features also make WorxMail a superior product for email, calendar and contact management.

Citrix NetScaler Gateway provides the security and optimization needed to support secure, remote access to email and other corporate applications.

Complete enterprise mobility management

A complete enterprise mobility strategy is essential to support the mobile workstyles that are driving greater collaboration, innovation and business growth. Citrix XenMobile is the only comprehensive enterprise mobility management solution that enables complete and secure mobile device, app and data freedom. Users gain quick, single-click access to all their mobile web, datacenter and Windows apps from a unified app store, including productivity apps such as Citrix WorxMail and Citrix WorxWeb that integrate seamlessly to offer a great user experience. The solution provides identity-based provisioning and control for all apps, data and devices; policy-based controls such as restriction of application access to authorized users; automatic account deprovisioning for terminated employees; and selective wipe of apps and data stored on lost, stolen or out-of-compliance devices. With XenMobile, IT can meet its compliance and control needs while users get the mobile freedom to experience work and life their way.


Additional resources

Video: Mobile Minute: How does Citrix Worxmail work?

White paper: Enterprise Mobility Management: Embracing BYOD Through Secure App and data Delivery

White paper: Citrix XenMobile Technology Overview

Website: Enterprise Mobility Management


About Citrix

Citrix (NASDAQ:CTXS) is the cloud computing company that enables mobile workstyles, empowering people to work and collaborate from anywhere, accessing apps and data on any of the latest devices as easily as they would in their own office, simply and securely. Citrix cloud computing solutions help IT and service providers build both private and public clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective services for mobile workstyles. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and agility necessary to succeed in an increasingly mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

©2013 Citrix Systems, Inc. All rights reserved. Citrix, Citrix XenMobile, Citrix WorxMail, Citrix WorxWeb, Citrix Worx Mobile Apps, Citrix Receiver, Citrix NetScaler and Citrix NetScaler Gateway are trademarks of Citrix Systems, Inc., or a subsidiary thereof, and are or may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.
