How to Restore Emails from OST file Outlook 2013?

MS Outlook 2013, like earlier Outlook versions, uses an OST file to save a local replica of Exchange mailbox data. This file comes in handy when a user wishes to work on their mailbox even if Exchange isn’t available. However, it can’t be opened directly in Outlook if its parent account gets disconnected from Exchange. In such a case the OST file is called an ‘orphan’ file, and extracting emails and other data from it can become a real pain.



Although Microsoft came up with the concept of using data files to save mailbox data locally in order to make backing up and archiving more convenient, OST and PST files have in some ways complicated mailbox management; and that holds especially true for OSTs. If you access an Exchange mailbox through Outlook, a local OST file is created to save a replica of mailbox data which the user can access and work with even if the mail server isn’t available. However, the basic nature of OST files makes managing mailbox data quite tricky for users.



The need to Restore mails from OST File

OST files have several shortcomings, because of which users often face the need to extract emails and other data stored within these files and save them in some other format:

  • OSTs cannot be transferred between different machines. If users need to access their mailbox data saved within OST files on another machine, it cannot be done directly through a simple copy-paste mechanism.
  • If the account that originally created an OST file gets deleted from the mail server, it cannot be opened directly from within Outlook.
  • In Outlook 2013 and 2016, data locally edited and saved within critical folders like Contacts, Calendars, Sent Items, etc. is not synced with the mail server and is thus not backed up there. In the event of damage to the OST file, there’s no direct way to regain access to that local data since it doesn’t exist on the server.

Users who face the need to extract OST file data for any of the above-mentioned reasons make use of manual as well as automated ways to achieve it. For your reference, we’ve compiled a list of the most widely used and accepted techniques you can use to restore OST files if you’re sailing in the same boat.



Manual techniques to Restore OST files



In no specific order, these techniques can help you regain access to all your Exchange or other IMAP account data depending upon your exact problem scenario:



Scenario 1: If your Exchange account is intact but OST file gets corrupted



This is one of the problems most frequently encountered by Exchange users. OST files get damaged easily, but if your Exchange profile is intact and you are in the habit of regularly syncing your local data with your server mailbox, regaining access to all your data should simply be a matter of manually creating a new OST file and downloading your mailbox data from the server again. Here are the steps:



  1. Quit all running instances of Outlook and open Control Panel
  2. Open the “Mail” option and in the ‘Mail Setup’ dialog box that opens, click on “Email Accounts”
  3. The next dialog that opens will display all your Outlook profiles / accounts. Here, click on the “Data Files” tab and choose the respective OST file from the list
  4. Now click on “Open File Location” to open the Windows Explorer window with the OST file’s location
  5. Close the ‘Account Settings’ and ‘Mail Setup’ windows
  6. In the Explorer window, create a copy (backup) of the OST file. Thereafter, right-click on it and click on “Delete”
  7. Start the Outlook application again to automatically create a new OST file for that account (doing so will download all the data from the Exchange server into the newly created OST file)

You should remember that if you’re using Outlook 2013 / 2016, only the data residing on the mail server will be downloaded into the new OST file. This will include your emails and the folders you have manually synced with the Exchange account. Any local data will not be downloaded since it doesn’t exist on the server. To get access to any such data you will need to convert the old OST to PST format and then open it directly within Outlook. You can either use the Outlook “Import & Export wizard” to convert OST to PST or use the Stellar OST to PST Converter software to do so (skip to the last section to discover how this product can help).



Scenario 2: If your Exchange account has been deleted or lost



If this happens, your “orphaned” OST file will most likely become useless, since you won’t be able to open it directly unless you reconnect to Exchange and re-sync it. For this you will need a unique MAPI address to act as a bridge between Outlook and the Exchange server. However, if this isn’t an option, the only way to access the data contained within the orphaned OST file is to convert it to PST format using Stellar OST to PST Converter. (Here you won’t have the option to use the Outlook Import Export Wizard, since you’d need to open the OST file from within Outlook, and without Exchange that won’t be possible.)



Best Automated Solution to restore mails from OST file



If the manual technique doesn’t work or if you are dealing with an orphaned OST file, converting it to PST format is a task best handled by a professional product like Stellar OST to PST Converter. The advanced software is equipped with some very powerful algorithms that allow it to convert even the most severely damaged OST files to PST format files that can be used to access all mailbox contents including emails, attachments, contacts, calendars, notes, journals, etc. This software is your best bet if you wish to perform conversion of encrypted OST files or wish to extract only selected emails from within OST files and save them in MSG, EML, RTF, HTML, or PDF formats.



Final Thoughts…



So should a user completely shun the usage of OST files? Well obviously that isn’t an option since OST files are the Microsoft norm for saving Exchange data locally. What is needed is for users to stay aware of the techniques they can use to regain all their mailbox data if any disaster like virus infection or accidental deletion or severe corruption befalls their OST files. Converting OST files to PST format is the best way to salvage all the data stored within them and thus, having a product like Stellar OST to PST Converter handy goes a long way.


Recovering ‘Deleted Mailbox’ with NMM


This article covers the scenario of recovering a ‘deleted’ mailbox from NMM. The procedure documented in this article applies both to NMM 8 and NMM 9. Exchange server 2010 is used in this demo.

Before I cover this procedure in NMM, below is background on how the need for this restore may arise.

In Exchange 2010 a user mailbox can either be ‘Removed’ or ‘Disabled’.

1-EMC-Console.jpg

Difference between the ‘Remove’ and ‘Disable’ mailbox choices in EMC:

Disable: Removes the Exchange attributes from the user account but leaves the user account in Active Directory. The mailbox for the user will still exist on the mailbox database and is purged when the retention time elapses (default of 30 days).

Remove: Removes both the user mailbox and the user account from Active Directory. The mailbox will still be on the mailbox database until the retention time has elapsed.

If the mailbox was either ‘disabled’ or ‘removed’ (for some reason, like an employee leaving the company), there may be a need to restore this mailbox in the future. If the deleted mailbox retention time has not expired, it can be recovered as below:

  1. If the mailbox was ‘Disabled’, it will show in the ‘Exchange Management Console’ under ‘Disconnected Mailbox’ as shown below:

a. 2-EMC-Console.jpg

b. To recover this mailbox, right-click the mailbox and select ‘Connect…’

3-console.jpg

c. Select ‘User Mailbox’, then ‘Next’

4-console.jpg

d. Click ‘Browse’ under ‘Matching user’ and then select the user to connect this mailbox to

5console.jpg

e. Provide the ‘Alias’, then select ‘Next’



6-console.jpg



f. Review the summary and select ‘Connect’





7-console.jpg

g. Review and select ‘Finish’. This will ‘reconnect’ the disconnected mailbox to the user in Active Directory.



2. If the mailbox was ‘removed’ and is still within the retention period, create a new ‘user’ in Active Directory with the same name as the original user and then follow the above steps to ‘connect’ the user to the mailbox on the database.



The following Exchange Management Shell command is useful to get a list of ‘Disabled’ or ‘Removed’ mailbox users that are still within the retention period:



Get-MailboxDatabase | Get-MailboxStatistics | where {$_.DisconnectReason -ne $null} | ft DisplayName,Database,DisconnectReason,*Guid*,*Server* -auto

DisplayName  Database  DisconnectReason  MailboxGuid                           ServerName  OriginatingServer
-----------  --------  ----------------  -----------                           ----------  -----------------
charlu       carydb3   Disabled          3f91bda9-453c-4752-8b88-423d2f4ccc53  APPHOST1    apphost1.spring.local

Once the retention period expires and the mailbox is purged from the database, it will not show up in the above output.

Once the mailbox data is purged from the mailbox database, if a restore is required after the retention period, then you would need to depend on your backups for restore.
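The command above only tells you that a mailbox is disconnected; what a backup administrator actually needs to know is how long remains before the retention window closes. The following is an added example (not from the original article) that combines the database’s MailboxRetention with each mailbox’s DisconnectDate to report the purge date. It assumes an Exchange Management Shell session on Exchange 2010 or later.

```powershell
# Added example, not from the original article: list disconnected mailboxes with
# the date each one will be purged, so a reconnect or restore can be planned while
# the database's deleted-mailbox retention window is still open.
# Assumes an Exchange Management Shell session (Exchange 2010 or later).

function Get-DisconnectedMailboxReport {
    param(
        # Optional name filter such as 'carydb3'; default is every database.
        [string]$DatabaseFilter = '*'
    )

    $now = Get-Date

    foreach ($db in (Get-MailboxDatabase | Where-Object { $_.Name -like $DatabaseFilter })) {
        # MailboxRetention is the per-database deleted-mailbox retention window
        # (30 days by default). It is an EnhancedTimeSpan, so convert it to a
        # plain TimeSpan before doing date arithmetic.
        $retention = [TimeSpan]::Parse($db.MailboxRetention.ToString())

        Get-MailboxStatistics -Database $db.Identity |
            Where-Object { $_.DisconnectReason -ne $null } |
            ForEach-Object {
                $purgeOn  = $null
                $daysLeft = $null
                if ($_.DisconnectDate) {
                    $purgeOn  = $_.DisconnectDate + $retention
                    $daysLeft = [math]::Ceiling(($purgeOn - $now).TotalDays)
                }
                New-Object PSObject -Property @{
                    DisplayName      = $_.DisplayName
                    Database         = $db.Name
                    DisconnectReason = $_.DisconnectReason
                    DisconnectDate   = $_.DisconnectDate
                    PurgeOn          = $purgeOn
                    DaysUntilPurge   = $daysLeft
                    MailboxGuid      = $_.MailboxGuid
                    ServerName       = $_.ServerName
                }
            }
    }
}

# Mailboxes closest to being purged come first; anything with a small
# DaysUntilPurge must be reconnected (steps above) or confirmed to be in backup.
Get-DisconnectedMailboxReport |
    Sort-Object DaysUntilPurge |
    Format-Table DisplayName, Database, DisconnectReason, DisconnectDate, PurgeOn, DaysUntilPurge -AutoSize
```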

Restoring a deleted mailbox using NMM:

I have used NMM 8.2.4 to demo this procedure. It will likely work as is with NMM 8.2.3 or NMM 8.2.2. The same procedure also applies to NMM 9. The first step in restoring a mailbox (deleted or otherwise) is to perform a GLR or a restore to RDB. Refer to the post https://community.emc.com/people/fpinto/blog/2018/05/14/recovering-exchange-data-with-nmm-8

  1. Once the initial phase of GLR or RDB restore is complete, the mailboxes can be browsed from NMM GUI:

8-console.jpg

2. When you click the ‘deleted’ mailbox, it generates the error message shown below. Because there is no user associated with this mailbox, or the associated user has had its mailbox properties removed, MAPI is not able to show the contents of this mailbox. You can only recover the ‘entire’ mailbox, not individual folders or mail items within it.



9-console.jpg

3. Acknowledge the message window by clicking ‘OK’. When you switch to the ‘Monitor’ tab, you will notice the same message there:

Selecting Exchange RDB view

Mailbox SystemMailbox{18d1f726-3cd7-48cd-8983-12ec40779e8b} is a ArbitrationMailbox and is not browsable nor can it be recovered.

Error getting item list: Error browsing folders — Failed to fetch mailbox items. Please see libmapibrowse.raw for more information. [exch_get_mbx_list].

Error browsing folders — Failed to fetch mailbox items. Please see libmapibrowse.raw for more information. [exch_get_mbx_list].

4. Select the mailbox for ‘restore’. Once you select the mailbox for restore, there are two types of restore that can be done:

  a. Restore the mailbox to itself

If you want to restore the mailbox to itself, create the mailbox with the same name (you would do this before you do the restore with NMM; you can do this with the Exchange Management Console or Exchange PowerShell) and then come back to the NMM GUI and select ‘Recover..’ as shown below:

(Note: If you disabled the mailbox, connect the mailbox shown under ‘Disconnected Mailbox’ in EMC to the original user. If the mailbox was removed, then connect it, under ‘Disconnected Mailbox’, to a new AD user with the same name. If the mailbox was deleted from the database, either because the retention time expired or because it was manually deleted from the database using ‘Remove-StoreMailbox’, then create a new user and new mailbox with the same name and proceed with the restore. In all variations of deletion, the mailbox can be restored to the original mailbox name.)

10-console.jpg

b. Restore the mailbox to another mailbox. (Alternate mailbox)

To restore this mailbox to another mailbox, choose ‘Advance Recover..’. Then, in the ‘Select Alternate Mailbox User’ box, specify the user to which you want to restore and click ‘Search’ to locate the user. Then select this user and click ‘Next’.

11-console.jpg

Here we are performing the restore to an alternate mailbox, ‘Andy’, and clicking ‘Start Restore’.

12-console.jpg

5. Once the restore has started, switch to the ‘Monitor’ tab to check on its progress.

13-console.jpg

6. Verify the restore by logging into the mailbox of the target user, in our case ‘Andy’:



14-console.jpg

Restore using Exchange PowerShell:

This mailbox restore can also be done using Exchange Powershell:

  1. First get the GLR database name:

Get-MailboxDatabase



15-console.jpg



  2. Issue the New-MailboxRestoreRequest command:

New-MailboxRestoreRequest -SourceDatabase GLR20180516163434 -SourceStoreMailbox "charlu" -TargetMailbox "Andy" -TargetRootFolder Restore201805161717 -AllowLegacyDNMismatch



16-console.jpg
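The one-liner above starts the restore but leaves you to poll it by hand. As an added example (not the article’s own command), the function below wraps New-MailboxRestoreRequest, waits for the request to finish, reports a failure message if it does not complete, and accepts the folder filter that the summary mentions as a refinement. It assumes an Exchange Management Shell session and reuses the names from the article (GLR database GLR20180516163434, source mailbox ‘charlu’, target ‘Andy’); the well-known folder names used with -IncludeFolders are Exchange’s own syntax.

```powershell
# Added example, not from the original article: restore a deleted mailbox from the
# GLR recovery database with New-MailboxRestoreRequest and wait for completion.
# Assumes an Exchange Management Shell session; database and mailbox names are the
# ones used in the article.

function Restore-MailboxFromRdb {
    param(
        [Parameter(Mandatory=$true)][string]$SourceDatabase,   # the GLR/RDB database name
        [Parameter(Mandatory=$true)][string]$SourceMailbox,    # mailbox as it existed in the backup
        [Parameter(Mandatory=$true)][string]$TargetMailbox,    # existing mailbox to restore into
        [string[]]$IncludeFolders,                             # optional: restore only these folders
        [int]$PollSeconds = 30
    )

    # Keep restored items apart from live data under a dated root folder,
    # the same way the article's command uses Restore201805161717.
    $root = 'Restore' + (Get-Date -Format 'yyyyMMddHHmm')

    $params = @{
        SourceDatabase        = $SourceDatabase
        SourceStoreMailbox    = $SourceMailbox
        TargetMailbox         = $TargetMailbox
        TargetRootFolder      = $root
        # The source mailbox belonged to a deleted user, so its LegacyExchangeDN
        # cannot match the target's; without this switch the request is rejected.
        AllowLegacyDNMismatch = $true
    }
    if ($IncludeFolders) { $params['IncludeFolders'] = $IncludeFolders }

    $req = New-MailboxRestoreRequest @params

    # Poll until the request leaves the Queued / InProgress states.
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats = Get-MailboxRestoreRequestStatistics -Identity $req.Identity
        Write-Host ("{0}: {1} {2}%" -f $req.Name, $stats.Status, $stats.PercentComplete)
    } while (@('Queued', 'InProgress') -contains $stats.Status)

    if ($stats.Status -ne 'Completed') {
        # Surface the failure reason; the request stays listed for troubleshooting.
        Write-Warning ("Restore {0} ended with status {1}: {2}" -f $req.Name, $stats.Status, $stats.Message)
    }
    return $stats
}

# Whole mailbox, as in the article:
Restore-MailboxFromRdb -SourceDatabase 'GLR20180516163434' -SourceMailbox 'charlu' -TargetMailbox 'Andy'

# Refinement mentioned in the summary: only the Inbox and Sent Items subtrees.
Restore-MailboxFromRdb -SourceDatabase 'GLR20180516163434' -SourceMailbox 'charlu' -TargetMailbox 'Andy' `
    -IncludeFolders '#Inbox#/*', '#SentItems#/*'
```

Completed requests remain visible in Get-MailboxRestoreRequest until they are cleared with Remove-MailboxRestoreRequest.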





Summary:

This article covered the procedure for restoring a deleted mailbox from NMM 8.2.4 backups. The procedure also applies to NMM 9. The key point to remember is that a deleted mailbox cannot be browsed in the NMM GUI for recovery of individual mail items. The entire mailbox can be recovered from the NMM GUI or by using PowerShell. The PowerShell command can be further refined to recover individual folders within the mailbox if desired.


Recovering Exchange Data with NMM 8

This article aims to describe the restore options available for recovering Exchange backups performed with NMM (NetWorker Module for Microsoft) 8.2.4. While the procedure is shown with NMM 8.2.4 and Exchange 2010, it would also be applicable to other versions of NMM 8.x, like 8.2.3 and 8.2.2, with minor differences, and would also apply to Exchange 2013. Exchange 2007 is not covered here; Exchange 2007 uses Storage Groups and has some differences in the restore procedure. If recovery of NMM backups of an Exchange 2007 server is required, follow the NMM User Guide for Exchange available at the support site https://support.emc.com/products/1136_NetWorker-Module-for-Microsoft/Documentation/.

The goal of this article is to help someone who may be performing restores with NMM for the first time, and also someone who may not have done restores for a long time and could use a refresher. While this article covers the different types of restores, it is not exhaustive and is not a replacement for the information in the NMM user guide. It complements the user guide by being more descriptive of the process.

Types of Restores

There are three types of restores. They are covered in order of their popularity, i.e., the most common type of restore is covered first:

Granular Level Restore (GLR).

GLR allows restoring a mailbox or mailbox items without having to restore the entire database from backup media. It uses the ‘NetWorker Virtual File System (NwFS)’ to mount the backups on a Data Domain device or Advanced File Type Device (AFTD).

Following is the advantage of performing GLR:

  1. Restore of the entire database to Exchange server is not required. This means if you have 1 TB Exchange database to restore, you do not need to allocate 1 TB+ of disk space on the Exchange server to perform the restore. GLR virtually mounts the backup on to the Exchange server, creating a recovery database within Exchange in the process. Once this GLR database is created, one can proceed with the browse and restore of mailbox/mailbox items.

Disadvantages of performing GLR:

  1. GLR can be slow for restores of large mailboxes that contain tens of thousands of mail items. If GLR gets extremely slow for large mailbox restores, then restoring the database to the Exchange server and then performing the mailbox restore may be beneficial from a performance point of view.
  2. GLR can only be performed from a level FULL backup. GLR from incremental backups is not supported.
  3. GLR can only be performed from backups done to disk-type media, i.e., from AFTD (Advanced File Type Device) and from Data Domain devices. If backups to tape exist, GLR from tape cannot be done. Tape backups can be cloned to disk media (AFTD or Data Domain) and GLR can then be performed from the disk media.

Prerequisites for GLR



Before GLR can be done, there are certain prerequisites that need to be met:

1. Backups are done to either AFTD device or Data domain device.

2. Backups to be restored from must be at level FULL.

3. During the NMM install, the GLR feature should be chosen to be installed. Note that all FULL level backups are GLR enabled, even if GLR was not chosen during install; even backups to tape are GLR enabled. If GLR was not enabled at backup time, GLR is still possible: the GLR feature can be added before performing the restore.

Below are the Pre-requisites that are common for both ‘GLR’ and ‘Restore from RDB’ options from NMM GUI:

4. The service account used with NMM, should have the following permissions set:

    a. The ‘Send-As’ and ‘Receive-As’ rights need to be set on the Exchange server where the restore is being performed. Following is an example of how to set this permission. Execute it from an elevated Exchange PowerShell and replace the environment-specific information:

Get-ExchangeServer Apphost2 | Add-ADPermission -User administrator@spring -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin



b. The service account should have a mailbox on a database that is mounted, and it should be initialized with mail, i.e., this mailbox should have either sent or received some mail.

5. The MAPI/CDO software needs to be installed. In the NMM user guide for Exchange the following versions are documented for Exchange 2010 and Exchange 2013.

    a. For Exchange 2010, MAPI/CDO 1.2.1 version 6.5.8244.0 or earlier. Note that build 8244 or higher does work and you can safely use it, but if you are troubleshooting a GLR browse issue you may choose to adhere to this requirement.

b. For Exchange 2013, MAPI/CDO 1.2.1 version 6.5.8320.0 or later.

6. The service account needs to be a member of the following domain groups.

    1. Domain users
    2. Exchange Organization Management.

By default the Exchange Organization Management group is a member of the local ‘Administrators’ group on the Exchange server. If this is not the case, make sure it is.

If there is a requirement to be more granular with rights for the service account, i.e., give it no more rights than needed, then create an Exchange role group and assign it the following roles:

  • Database Copies
  • Databases
  • Disaster Recovery
  • Mailbox Import Export
  • Mail Recipient Creation
  • Mail Recipients
  • View-Only Configuration
  • View-Only Recipients

Make the service account a member of the role group created above and also ensure this account is a member of the local administrators group on each Exchange server in the cluster.

***Note: if you choose not to get granular with regard to role assignments, then in addition to the user being a member of the Organization Management group, you would need to assign the ‘Mailbox Import Export’ role to the user performing the restore when doing a restore to ‘PST’.
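The role list above is the least-privilege alternative to Organization Management. As an added example (not from the article), the script below creates that role group with exactly those eight roles, adds the service account, verifies that every role is actually assigned, and then grants the store-level rights from prerequisite 4a on each mailbox server. It assumes an Exchange Management Shell session; the group name NMM-Backup-Group and the account spring\svc-nmm are placeholders.

```powershell
# Added example, not from the original article: build the least-privilege role
# group described above for the NMM service account and verify the result.
# Assumes an Exchange Management Shell session. 'NMM-Backup-Group' and
# 'spring\svc-nmm' are placeholders; substitute your own names.

$roleGroup      = 'NMM-Backup-Group'
$serviceAccount = 'spring\svc-nmm'

# Roles listed in the article. 'Mailbox Import Export' is the one a restore to
# PST additionally needs; it is not part of Organization Management by default.
$roles = @(
    'Database Copies',
    'Databases',
    'Disaster Recovery',
    'Mailbox Import Export',
    'Mail Recipient Creation',
    'Mail Recipients',
    'View-Only Configuration',
    'View-Only Recipients'
)

# Create the group once; re-running the script only fixes up membership.
if (-not (Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup -Roles $roles -Members $serviceAccount `
        -Description 'NetWorker Module for Microsoft backup/restore service account' | Out-Null
} else {
    Add-RoleGroupMember -Identity $roleGroup -Member $serviceAccount -ErrorAction SilentlyContinue
}

# Verify: every role above must show up as an assignment to the group
# (the same view the article's Get-ManagementRoleAssignment output gives).
$assigned = Get-ManagementRoleAssignment -RoleAssignee $roleGroup | ForEach-Object { $_.Role.ToString() }
$missing  = $roles | Where-Object { $assigned -notcontains $_ }
if ($missing) {
    Write-Warning ("Roles not assigned to {0}: {1}" -f $roleGroup, ($missing -join ', '))
} else {
    Write-Host "All required roles are assigned to $roleGroup"
}

# RBAC roles do not cover the store-level rights NMM needs (prerequisite 4a);
# grant those per mailbox server, as in the article's Add-ADPermission example.
Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox' } |
    Add-ADPermission -User $serviceAccount -ExtendedRights 'Receive-As', 'Send-As', 'ms-Exch-Store-Admin' |
    Select-Object Identity, User, ExtendedRights
```

Membership of the local Administrators group on each Exchange server, which the article also requires, is outside RBAC and still has to be set on the servers themselves.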

How to check if a save set is GLR enabled:

mminfo -S -s vmmsrv -q ssid=1324416600

ssid=1324416600 savetime=5/7/2018 9:34:02 PM (1525743242) dag-2010.spring.local:APPLICATIONS:Microsoft Exchange 2010carydb3
level=full sflags=vF size=172065988 files=37 insert=5/7/2018
create=5/7/2018 complete=5/7/2018 browse=6/7/2018 11:59:59 PM retent=6/7/2018 11:59:59 PM
clientid=41c107ea-00000004-5add6330-5add6342-00025000-6064a456
*ACTUAL_HOST: apphost2;
*ACTUAL_PATH:
"C:\Program Files\EMC NetWorker\nsr\tmp\7140-1525743109-0";
*appid: 1;
*backup start time: 1525743242;
*coverid: 1341193800;
*De-duplication: No;
*EXCHANGE_DATABASE_NAME: carydb3;
*GLR_HINT: "E:\Exchangedb\carydb3\";
*GLR_OFFSET_MAP: Yes;                 ===> The GLR attributes are seen for a GLR enabled save set
*GLR_OFFSET_MAP_FILENAME:
"C:\Program Files\EMC NetWorker\nsr\tmp\1324416600_om.bin";
*policy action jobid: 128671;
*policy action name: "exchange2010-action: 1525743244";
*policy name: "Exchange2010: 1525743244";
*policy workflow name: "Exchange2010-wkfl: 1525743244";
*snap_sessionid: 1525742832;
*ss data domain backup cloneid: 1525743244;
*ss data domain dedup statistics: "v1:1525743244:172465188:2157958:2157958";
group: Exchange2010-grp;
Clone #1: cloneid=1525743244 time=5/7/2018 9:34:04 PM retent=6/7/2018 flags=F
frag@ 0 volid=1508963247 file/rec= 0/0 rn=0 last=5/7/2018
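Reading that output by eye works for one save set; for a checklist before a restore it helps to decide mechanically. The following added example (not from the article) parses `mminfo -S` output into its attributes, including the values mminfo wraps onto the next line, and reports whether the save set is both level full and carries the GLR_OFFSET_MAP attribute. The embedded sample is the article’s own output trimmed to the relevant lines, so the function can be exercised without a NetWorker server; the server name and ssid in the live call are the article’s.

```powershell
# Added example, not from the original article: parse 'mminfo -S' output for a
# save set and decide whether GLR can be used. GLR needs a level-full save set
# that carries the GLR_OFFSET_MAP attribute shown above.

function Test-SaveSetGlrEnabled {
    param(
        # Lines from: mminfo -S -s <server> -q ssid=<id>
        [Parameter(Mandatory=$true)][string[]]$MminfoOutput
    )
    $attrs   = @{}
    $level   = $null
    $pending = $null   # attribute whose value mminfo wrapped onto the next line

    foreach ($line in $MminfoOutput) {
        $t = $line.Trim()
        if ($t -eq '') { continue }

        if ($pending) {
            # Continuation line such as:  "C:\...\1324416600_om.bin";
            $attrs[$pending] = $t.TrimEnd(';').Trim('"')
            $pending = $null
        }
        elseif ($t -match '^\*([^:]+):\s*(.*?);?$') {
            # Extended attribute, e.g.  *GLR_OFFSET_MAP: Yes;
            $key = $matches[1].Trim()
            $val = $matches[2].Trim().Trim('"')
            if ($val -eq '') { $pending = $key } else { $attrs[$key] = $val }
        }
        elseif ($t -match '\blevel=(\S+)') {
            $level = $matches[1]
        }
    }

    $hasMap = ($attrs['GLR_OFFSET_MAP'] -eq 'Yes')
    New-Object PSObject -Property @{
        Level         = $level
        Database      = $attrs['EXCHANGE_DATABASE_NAME']
        GlrOffsetMap  = $hasMap
        OffsetMapFile = $attrs['GLR_OFFSET_MAP_FILENAME']
        # Both conditions must hold for GLR: level full and an offset map.
        GlrPossible   = ($hasMap -and ($level -eq 'full'))
    }
}

# Constructed from the article's own mminfo output, trimmed to the relevant
# lines, so the parser runs without a NetWorker server.
$sample = @'
ssid=1324416600 savetime=5/7/2018 9:34:02 PM (1525743242) dag-2010.spring.local:APPLICATIONS:Microsoft Exchange 2010carydb3
level=full sflags=vF size=172065988 files=37 insert=5/7/2018
*EXCHANGE_DATABASE_NAME: carydb3;
*GLR_HINT: "E:\Exchangedb\carydb3\";
*GLR_OFFSET_MAP: Yes;
*GLR_OFFSET_MAP_FILENAME:
"C:\Program Files\EMC NetWorker\nsr\tmp\1324416600_om.bin";
'@ -split "`r?`n"

Test-SaveSetGlrEnabled -MminfoOutput $sample |
    Format-List Level, Database, GlrOffsetMap, OffsetMapFile, GlrPossible

# Against a live NetWorker server (server name and ssid as in the article):
# Test-SaveSetGlrEnabled -MminfoOutput (mminfo -S -s vmmsrv -q ssid=1324416600)
```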

Now that we have covered the prerequisites for GLR, let’s review the procedure to perform GLR.

  1. Launch the NetWorker User for Microsoft GUI as ‘administrator’
  2. Select the client to restore from. In a DAG setup, this would be the DAG name. In a standalone setup, this would be the hostname of the Exchange server

1-NMM-GUI-Select-Client.JPG.jpg

3. Select GLR (Granular Level Recovery) option:

2-NMM-GUI-Select-GLR.JPG.jpg

4. Select the desired database and browse time for restore:

3-NMM-GUI-select-DB.JPG.jpg

5. Choose ‘Recover Options’. If you are troubleshooting a GLR restore issue and need to increase debug setting, you can set the debug setting here. This step is optional:



4-NMM-GUI-Select-DB-choose-recover-options-debug.JPG.jpg

6. Select ‘Start Recover’

5-NMM-GUI-Select-DB-start-recover.JPG.jpg

7. Click on ‘Monitor’ to follow the progress of the restore:



6-NMM-GUI-Select-DB-GLR-DB-Created.JPG.jpg

Notice that it creates an RDB database. The name of the database starts with ‘GLR’, and the date and time of the restore are appended to form the database name.



8. When the restore is complete, you will receive a pop-up window. Be careful, this window may be behind the main NMM window, so look out for it:

7-NMM-GUI-Recover-completion-status.JPG.jpg

7-NMM-GUI-Recovered-RDB-Pop-up.JPG.jpg

9. Once you click ‘ok’ to the above, the GUI will switch to the ‘recover’ section. Be patient over here as it may take some time for the GUI to refresh and show new information:

8-NMM-GUI-Switch-Recover.JPG.jpg

10. If after some time the GUI does not refresh, you can press ‘F5’ to refresh manually, and then navigate to the mailboxes by clicking the ‘+’ to expand the GLR DB and then the mailboxes:



9-NMM-GUI-Showing-mailboxes.JPG.jpg

11. Select the desired mailbox, mailbox folders or individual items and then click ‘Recover’ to start recovery of the mailbox items. By default the recover will place the recovered items back into the original mailbox. In this case it’s the mailbox of ‘roger’.



12. Look to the ‘Monitor’ pane to check for progress and completion:



11-mailitems-restore-complete.JPG.jpg



13. Verify the restore by logging into the mailbox of the user. You will see the mail items recovered under a new folder labelled with date and time of restore. Expand to find the recovered items:



12-Mailitems-recovered.JPG.jpg



This concludes the procedure for GLR Restore.





Restore to RDB:



If GLR is not an option, e.g., if the backup data resides on tape or if GLR is not fast enough, then restoring the database to an RDB is the next option. Following are the advantages of restoring to RDB:

  1. Once the restore is completed, recovering mailbox items from RDB is faster than restoring from GLR.
  2. Restore can be done from Full and incremental backups. GLRs can be done only from FULL level backup.

Disadvantage of restore to RDB:

  1. Requires free disk space to restore the full database. If you are restoring a 1 TB database, you need 1 TB+ free disk space. The restore cannot be done to a network share; it needs to be done to a local disk.
  2. May take a long time, as it is restoring the full database.

Procedure for RDB restore.

  1. Launch the ‘Networker Module for Microsoft’ GUI as ‘administrator’
  2. Select ‘Database Recover’. Note, the ‘RDB Data Recover’ selection means recovering mailbox data from an RDB. This can only be done after the recover to RDB has completed. So the first step to recover from RDB is to recover the database to the RDB, and this is done through ‘Database Recover’

1-NMM-GUI-RDB-restore.JPG.jpg



3. Select the desired database from the desired browse time. Change the browse time if needed. Then choose ‘Advance Recover’. From the ‘Advanced Recovery’ window, select ‘Recovery Database (RDB) Recovery’



2-NMM-GUI-RDB-restore.JPG.jpg





4. If you are troubleshooting a restore failure and want to run the restore in debug mode, select ‘Recover Options’ and then choose the debug level. We will perform this restore at the normal level.





3-NMM-GUI-RDB-restore.JPG.jpg





5. In ‘Manage RDB’ window, select ‘Create’. Note if you have a previously created RDB, either select that RDB for ‘RDB overwrite’ or delete the previous RDB and ‘Create’ a new one. Deletion and creation of RDB can all be done from ‘Manage RDB’. Having more than one RDB will cause browsing issues.

4-NMM-GUI-RDB-restore.JPG.jpg

6. Specify a name for RDB and specify file paths for EDB and logs:



5-NMM-GUI-RDB-restore.JPG.jpg

7. Click ‘Create’

6-NMM-GUI-RDB-restore.JPG.jpg

8. Select the RDB and click ‘Next’

7-NMM-GUI-RDB-restore.JPG.jpg

9. Review the selections and click ‘Next’

8-NMM-GUI-RDB-restore.JPG.jpg

10. Click ‘Recover Options..’ and select Debug level, if you want to run the restore in debug mode for troubleshooting. Click ‘Next’ to proceed with restore



9-NMM-GUI-RDB-restore.JPG.jpg

11. Switch to the ‘Monitor’ view to monitor the progress of the restore. Once the restore has completed successfully, you will see a pop-up window titled ‘Recovered RDB Mailbox Items’. Look out for this window; sometimes it may get hidden behind the main NMM GUI. Click ‘OK’ to continue

10-NMM-GUI-RDB-restore.JPG.jpg

12. Once you click ‘ok’ above, then click ‘recover’ -> Exchange 2010 Recover Session -> ‘RDB Data Recover’. This will allow you to browse the contents of the RDB database.

11-NMM-GUI-RDB-restore.JPG.jpg

13. Depending on the size of the DB, it may take some time for the RDB DB to show. Expand to see the listing of mailboxes.

12-NMM-GUI-RDB-restore.JPG.jpg

14. The process of recovering mail items from RDB from this point on is identical to the restore of mail items from GLR.





The third type of restore is not very common: recovering a database and overwriting it (Disaster Recovery situation).

If there is a need to perform disaster recovery of the Exchange databases, due to data corruption or some other DR situation, then use the procedure below. (Note: this is a destructive process as it will overwrite the existing database, so be sure this is what you want to do.)

For Standalone Exchange servers:

1. Start the ‘Networker Module for Microsoft’ GUI as ‘administrator’

2. Choose ‘Database Recovery’

1-NMM-GUI-DB-restore.JPG.jpg

3. Choose the database that needs to be restored and the required browse time. Then click ‘Recover’

2-NMM-GUI-DB-restore.JPG.jpg

4. The above message indicates that the ‘This database can be overwritten by a restore’ property needs to be set on the database. This can be done through Exchange PowerShell or through the Exchange Management Console. Once this is done, try the restore again.

5. As usual, you get to choose to enable ‘Debug’ logging under ‘Recover options..’

3-NMM-GUI-DB-restore.JPG.jpg

6. Under the ‘Exchange’ tab, you get to pick a few options that are relevant to this type of restore. These options are explained below. The default choices are shown below:

4-NMM-GUI-DB-restore.JPG.jpg

‘Include Existing logs (Roll-forward Recovery)’. This option is useful if the database and logs were on separate volumes and the volume containing the logs is still available, or if both DB and logs are on the same volume but only the ‘edb’ file is corrupt and the logs are good. In that case you can restore the backup and then perform a roll-forward recovery using the logs on disk. This brings the database to the most recent state with minimal or no data loss.



‘Include only logs from this restore (Point-in-time recovery)’. Select this option when a point-in-time restore is required, i.e., the database will be recovered to the time of the last backup.



‘Put database online after restore’. By default the restore process will replay the logs and put the database online after the restore. If this is not required, click this option again to deselect it and select ‘Do not replay the transaction logs’. If ‘Do not replay the transaction logs’ is selected, the logs are restored but will need to be replayed manually using ‘eseutil’.



‘Deleted Database Target’. This is used if a flat file restore of the database is required. This option bypasses the VSS method of restore and simply restores the ‘edb’ and ‘logs’ as files to the target directory. Further processing is required to mount the database.

7. Once the desired options are selected, click ‘Start Recover’ to start the restore. Progress of the restore can be monitored under the ‘Monitor’ tab.

For a database restore of a database that is replicated in a DAG configuration, you first have to suspend the replication; otherwise the following error is seen in the Monitor tab:

NMM … Using client name APPHOST1, the version of the Exchange server is Exchange 2010.

96585:nsrsnap_vss_recover:NMM .. Initialization success — Exchange shell successfully initialized. Required for Exchange 2010 or Exchange 2013.

NMM .. MailboxStore [carydb3] is in replicated state, please suspend the replication on all DAG nodes and perform restore after that.



Once the replication is suspended, the rest of the procedure to restore the database is the same as for a standalone Exchange server. Also note that the restore cannot be done on the server hosting the passive copy; it has to be done on the server hosting the active copy of the database. Once the restore is successful, you will see the message below:
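Steps 4 and the DAG note above are three separate checks that are easy to do in the wrong order. As an added example (not from the article), the function below prepares a DAG-replicated database for the overwrite restore: it sets the ‘This database can be overwritten by a restore’ flag (AllowFileRestore), warns if NMM is not being run on the server holding the active copy, and suspends replication on every passive copy. It assumes an Exchange Management Shell session on a DAG member; ‘carydb3’ is the article’s database.

```powershell
# Added example, not from the original article: prepare a DAG-replicated database
# for an overwrite (Disaster Recovery) restore with NMM.
# Assumes an Exchange Management Shell session on a DAG member server.

function Prepare-DatabaseForOverwriteRestore {
    param([Parameter(Mandatory=$true)][string]$Database)

    $db = Get-MailboxDatabase -Identity $Database -Status

    # 1. Allow the restore to overwrite the database. This is the property the
    #    NMM error in step 4 above complains about when it is not set.
    if (-not $db.AllowFileRestore) {
        Set-MailboxDatabase -Identity $db.Identity -AllowFileRestore $true
        Write-Host "AllowFileRestore enabled on $($db.Name)"
    }

    # 2. NMM must be run on the server hosting the active copy, not a passive one.
    $activeServer = $db.Server.Name
    if ($env:COMPUTERNAME -ne $activeServer) {
        Write-Warning ("Active copy of {0} is on {1}; run the NMM restore there, not on {2}" -f
            $db.Name, $activeServer, $env:COMPUTERNAME)
    }

    # 3. Suspend replication on every passive copy, otherwise NMM reports
    #    'MailboxStore [...] is in replicated state' and refuses the restore.
    Get-MailboxDatabaseCopyStatus -Identity $db.Name |
        Where-Object { -not $_.ActiveCopy -and $_.Status -ne 'Suspended' } |
        ForEach-Object {
            Suspend-MailboxDatabaseCopy -Identity $_.Identity `
                -SuspendComment 'Suspended for NMM overwrite restore' -Confirm:$false
            Write-Host "Suspended copy $($_.Identity)"
        }

    # Return the copy state the restore will start from.
    Get-MailboxDatabaseCopyStatus -Identity $db.Name |
        Select-Object Name, Status, ActiveCopy, ContentIndexState
}

Prepare-DatabaseForOverwriteRestore -Database 'carydb3'

# After the restored database has been verified, the passive copies have to be
# resumed; because the active copy was replaced from backup they will normally
# need to be reseeded (Update-MailboxDatabaseCopy) before they are healthy again.
# Get-MailboxDatabaseCopyStatus -Identity 'carydb3' |
#     Where-Object { -not $_.ActiveCopy } |
#     ForEach-Object { Resume-MailboxDatabaseCopy -Identity $_.Identity }
```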



5-database-restore.png





Recovering Public Folder Database



Public folder databases are implemented differently in Exchange 2010 vs Exchange 2013. In Exchange 2010, public folder databases are just like mailbox databases but are identified separately as Public Folder databases. They are not replicated through the DAG mechanism, but can use ‘Public Folder Replication’ for high availability. A public folder database cannot be recovered to an RDB.



In Exchange 2013 and Exchange 2016, public folders are supported through public folder mailboxes. Such a mailbox is stored in a regular mailbox database, which allows support for high availability through the DAG. This means a database holding public folder mailboxes can be restored to an RDB.



In Exchange 2010, NMM considers public folder databases as ‘Standalone Databases’ and backs them up as part of the DAG, if configured to include Standalone Database. The backups are indexed to the ‘DAG’ client index.



In Exchange 2016, since public folders are part of a regular mailbox database (you could have a database dedicated to public folders), the backups follow the same workflow as for a regular mailbox database.



To restore a Public Folder database for Exchange 2010, the method is the same as restoring a mailbox database (overwrite existing database). However, they cannot be recovered to an RDB and GLR cannot be done on them; the only choice is to overwrite the database. Note that public folder databases belong to a specific Exchange server and the restore can only be done back to that server. So if a public folder database resides on Server-A, it cannot be restored to Server-B; it has to be restored to Server-A. When you bring up the NMM GUI, if you see an ‘X’ on the database name as below:



Public-Folder-1.png



This means that the public folder database ‘Public_Folder01’ is not owned by the Exchange server on which the NMM GUI is opened, was not backed up from this server and is not available for recovery. If the database is browsed from the server that owns it, it shows as below:



Public-Folder-2.png



What if you want to restore a Public Folder database but do not want to overwrite the existing database? Flat file restore comes to the rescue. I will not be covering flat file restore in this post.



Recovering a mailbox/mailbox items to PST file



1. NMM supports restoring a mailbox or individual mailbox items to a PST file. The most important thing to remember is that an additional role is required for the NMM service account to allow this restore: the ‘Mailbox Import Export’ role. By default this role is not assigned to the role group ‘Exchange Organization Management’.

The command below lists the roles assigned to the custom role group ‘nmm-backup-group’. Note that the role ‘Mailbox Import Export’ is assigned to this role group. If this role and the others shown below are assigned to the NMM service account, you are all set to restore to PST. If not, assign the role manually:

Get-ManagementRoleAssignment -roleassignee nmm-backup-group | select name,role

Name                                          Role
----                                          ----
Database Copies-NMM-Backup-Group              Database Copies
Databases-NMM-Backup-Group                    Databases
Disaster Recovery-NMM-Backup-Group            Disaster Recovery
Mail Recipient Creation-NMM-Backup-Group      Mail Recipient Creation
Mail Recipients-NMM-Backup-Group              Mail Recipients
Mailbox Import Export-NMM-Backup-Group        Mailbox Import Export
View-Only Configuration-NMM-Backup-Group      View-Only Configuration
View-Only Recipients-NMM-Backup-Group         View-Only Recipients
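The following script is an added example, not code from the original post: it checks whether the role group already holds ‘Mailbox Import Export’, creates the assignment only if it is missing, and then confirms that the service account really inherits the role through the group. The role group name ‘nmm-backup-group’ is the one used in this post; the service account name svc-nmm is an assumption.

```powershell
# Added example (not from the original post): make sure the NMM role group holds the
# 'Mailbox Import Export' role, and verify a specific service account inherits it.
# Assumed names: role group 'nmm-backup-group', service account display name 'svc-nmm'.

$roleGroup = 'nmm-backup-group'
$required  = 'Mailbox Import Export'

# Role is an ADObjectId, so compare its string form rather than the object itself.
$assigned = Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
            Where-Object { "$($_.Role)" -eq $required }

if ($assigned) {
    Write-Host "$roleGroup already holds '$required' via assignment '$($assigned.Name)'"
}
else {
    # Organization-wide scope by default; add -CustomRecipientWriteScope if the backup
    # account should only be able to export a subset of mailboxes.
    New-ManagementRoleAssignment -Role $required -SecurityGroup $roleGroup
}

# Effective-user check: RBAC resolves group membership, so the service account should
# appear here even though the assignment was made to the group, not to the account.
$serviceAccount = 'svc-nmm'   # assumed display name of the NMM service account
Get-ManagementRoleAssignment -Role $required -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $serviceAccount } |
    Select-Object Name, RoleAssigneeName, EffectiveUserName
```

If the last command returns nothing, the account is not a member of the role group (or the group has no assignment), and the restore to PST will fail with a permission error even though the backup itself works.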

2. Another prerequisite for restore to PST is a UNC path for the target location; the restore cannot be done to a local path. Create a share, which can be on the local machine or on a different server. Below is a share created on C:\PST-Restore. This share has read/write permission for ‘Everyone’:

[PS] C:\Windows\system32>net share

Share name   Resource                                                  Remark
-------------------------------------------------------------------------------
ADMIN$       C:\Windows                                                Remote Admin
C$           C:\                                                       Default share
E$           E:\                                                       Default share
IPC$                                                                   Remote IPC
Address      E:\Program Files\Microsoft\Exchange Server\V14\Mailbox\address
                                                                       "Access to address objects"
PST-Restore  C:\PST-Restore
The command completed successfully.
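A share that will receive exported mailboxes holds exactly the data the backup is supposed to protect, so granting ‘Everyone’ read/write on it, as in the listing above, lets any domain user read the restored PST. The script below is an added example, not part of the original post or of NMM: it creates the same PST-Restore share but limits NTFS and share access to the NMM service account and local administrators. The account name CONTOSO\svc-nmm is an assumption; New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example (not from the original post): create the PST restore share with access
# limited to the NMM service account instead of 'Everyone' read/write.
# Assumptions: path C:\PST-Restore, share name 'PST-Restore', account CONTOSO\svc-nmm.

$path    = 'C:\PST-Restore'
$share   = 'PST-Restore'
$account = 'CONTOSO\svc-nmm'   # assumed NMM service account

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS ACL: drop inherited entries, then grant the service account Modify and
# administrators Full Control, both inherited by files and subfolders.
icacls $path /inheritance:r `
    /grant:r "${account}:(OI)(CI)M" `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Share ACL: no 'Everyone' entry at all. EncryptData turns on SMB3 encryption so the
# exported PST is not readable on the wire between the Exchange host and the share.
if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $share -Force
}
New-SmbShare -Name $share -Path $path `
    -ChangeAccess $account `
    -FullAccess 'BUILTIN\Administrators' `
    -EncryptData $true | Out-Null

# Verify: the share ACL should list only the two principals above.
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

The NMM restore runs as the service account, so Change (read/write/delete) on the share plus Modify on the folder is all it needs; users who must open the PST afterwards can be given read access to their own file rather than to the whole share.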

3. Perform GLR as explained before, or restore to an RDB and then restore from the RDB. Select the required mailbox or mail items, then under ‘Recover Options…’, on the ‘Exchange’ tab, specify the path to the PST target. Notice the UNC path “\\apphost1\pst-restore\roger\pst\roger.pst”:

[Screenshot: PST-Restore.JPG.jpg]

4. Review the selection and then click ‘Start Recover’

[Screenshot: 2-PST-Restore.JPG.jpg]

5. Check the ‘Monitor’ tab to review the status of the restore.

6. When the restore is complete, the PST file can be found under the UNC path:

[Screenshot: 6-PST-restore.png]


FAQ: Citrix Secure Mail APNS for IT Admins

This article provides answers to frequently asked questions about Citrix Secure Mail APNS for IT admins. For more information on push notifications for Secure Mail, refer to Citrix Documentation – Push Notifications for Secure Mail for iOS.

General Overview

Q1: Why does Secure Mail for iOS require APNS notifications?

A: In Avatar and earlier releases, when the Secure Mail application is in the background it relies on the background app refresh functionality of the iOS platform to “wake up” the application to:

  1. Update the badge
  2. Show notifications (if turned on)
  3. Sync emails

How often iOS wakes the application depends largely on app usage (the more frequently the app is used, the more frequently it checks for new mail while in the background). Therefore, at times the badge or the mails will not sync for hours.

For customers who want near real-time badge updates and a higher frequency of mail syncing, it is recommended to use Secure Mail with push notifications.

Q2: Is APNS notification an optional feature in Beetlejuice for Secure Mail for iOS?

A: Yes, it is an optional feature in BeetleJuice. It is turned off by default. The Admin will have to enable the feature (as an app specific policy in AppC/ XMS server). If the customer is ok with background app refresh approach when Secure Mail is in background, then this feature does not need to be enabled.

Q3: How about push notifications for Secure Mail for Android?

A: Android OS allows 3rd party applications to maintain server connections both in foreground and background mode. Hence, Secure Mail for Android maintains a persistent ActiveSync connection to sync emails and sync is near real time.

Q4: Will APNS feature in Secure Mail for iOS work with both XM 9 and XM 10 servers?

A: Yes

Q5: What are the supported upgrade paths?

A: The following table provides supported upgrade paths.

[Table: supported upgrade paths (image not available)]

Key points (to elaborate on the above table)

  • APNs support requires a unique App ID (Apple iOS requirement). Therefore, this solution will be supported for Secure Mail wrapped with a Unique App ID. Secure Mail that is using a provisioning profile created with a wildcard App ID is not supported for APNs.
  • It is not possible to upgrade a wildcard App ID wrapped Secure Mail to a Unique App ID wrapped Secure Mail on the user's device; a re-install is required. So, for existing customers wanting to leverage this push service, you will need to create a Unique App ID in the Apple Developer portal, a new provisioning profile, and a new wrapped version of Secure Mail, then load this onto the server as a new app.

Q6: Will the APNs feature work with Office365?

A: Yes, O365 is supported in addition to Exchange 2007, 2010 and 2013.

Q7: Is the APNs feature available for Lotus Notes?

A: The Beetlejuice release (10.0.7) only supports Exchange. We will investigate on what web services are available for Lotus Notes. When the due diligence is completed, we will provide a status update.

Q8: Do I need to install any server components on-premise?

A: No. Citrix will host a “listener” service in the cloud. This service will send out push notifications to your user’s Secure Mail application. Note that no personally identifiable information (PII) is stored or flows through this cloud service.

Q9: Why did you go with a cloud first approach for listener service?

A: Key reasons are:

  • Zero on-premise server footprint to support APNS notifications
    • No hardware/ software/ monitoring/ server scaling work effort for IT administrators
  • No change to mail data flow
    • Mail data traffic continues to flow between Device and Exchange Server
  • No sensitive data sent to listener service by Exchange server
    • APNS notification sends only the badge count to Secure Mail application.

Q10: Why does the feature require a listener service? The Native Mail client does not need a listener service.

A: The native mail client on iOS maintains a persistent ActiveSync connection with the Exchange server. Apple allows this only for the native mail client; third-party mail clients have to use APNs to send remote notifications.

In order to support APNs, a server component is required. The server component receives a trigger from the Exchange server and then sends an APNs notification to the Secure Mail application.

Q11: Where is the listener service hosted?

A: The listener service is hosted on Amazon Web Services (AWS). It is configured as an HA/DR service. The listener service will be available in three regions – Americas, EMEA, APAC. The IT admin will have to select the region that is closest to the Exchange Server.

Q12: What is the Citrix hosted listener service URL?

The listener service URLs and IP addresses are based on region:

– Americas:

– EMEA:

– APAC:

Configuration and Setup

Q1: What does the customer IT admin need to do to enable APNs push notifications for WM?

A: The document by the Mobility Experts team provides step-by-step instructions and screenshots to set up APNs notifications, Citrix Blog – Mobility Experts: A Step-by-Step Guide to Configuring Secure Mail APNS

Q2: Can I use the MDM server APNs certificate for my Secure Mail App ID?

A: No. The MDM server APNs certificate is required to enable XDM/ XMS manage iOS devices. The Secure Mail APNs certificate is required to support APNs push notifications for the Secure Mail application.

Q3: How do I generate the APNs certificate for Secure Mail?

A: The APNs certificate for Secure Mail application is generated by IT admin using the Apple developer portal. This is the same portal used to register the app with Apple (with a specific app ID). When the APNs certificate is generated, the IT admin can upload that using the Xenmobiletools portal. For more information, refer to the step-by-step instructions from Apple on generating and exporting APNs certificates – Configuring Push Notifications.

Q4: How do I renew the APNs certificate for Secure Mail when it expires?

A: A new APNs certificate should first be generated via the Apple developer portal and exported. You then go to xenmobiletools.citrix.com and update the certificate that has been previously uploaded for Secure Mail. This is done by selecting the ‘Update’ action for the Secure Mail app ID in the uploaded certificates list.

Q5: The Exchange server is behind a firewall. Do I need to allow outbound connection to the Citrix hosted listener service?

A: Yes. Ensure outbound SSL connections are not blocked by the Firewall to the Citrix hosted service for your region:

– Americas:

– EMEA:

– APAC:

Q6: How do I configure Exchange to reach the listener service when there is a proxy server?

A: If you have a proxy server, you should allow Exchange to bypass the proxy and route traffic directly to the listener service:

  • On Exchange for EWS, make the following update to the XML in the web.config file in the ClientAccess\exchweb\ews folder:

     <configuration>
       <system.net>
         <defaultProxy>
           <proxy usesystemdefault="false" proxyaddress="http://proxy.ournetwork:8080" bypassonlocal="true" />
         </defaultProxy>
       </system.net>
     </configuration>
  • For the Proxy: configure the bypass list to allow Exchange to make the connection to the listener service. Depending on the proxy you are using, you can filter this to the specific FQDN for the listener service. Refer to the section under Push notifications: https://msdn.microsoft.com/en-us/library/office/aa579128(v=exchg.140).aspx.

Q7: What are the configurations required when EWS and ActiveSync servers are different?

A: For Secure Mail to be able to connect to the EWS server, the following configuration is required:

  1. Update the hidden policy for the EWS server FQDN in the Secure Mail policy XML file:

    <key>PushNotificationsEWSHostName</key>

    <string></string>

  2. If using STA for Secure Mail, then you need to add the EWS FQDN to the background services policy just like the ActiveSync server FQDN.

    Note: EWS usage from the Secure Mail application is only during subscription of EWS push notifications. Mail data traffic will continue to flow via ActiveSync.

Q8: Can ActiveSync and EWS use different authentication methods?

A: No. Secure Mail requires that both ActiveSync and EWS use the same authentication method for SSO. If you want to enable EWS certificate-based authentication only for Secure Mail clients so that other EWS mail clients are not impacted, choose one of the following configurations:

  1. Using NetScaler KCD: Using NetScaler AAA and KCD, the certificate can be used to authenticate at the NetScaler and the authentication is then delegated to the Exchange CAS. See this post for more details on configuring Secure Mail and KCD with NetScaler AAA – How to: Single Sign on to XenMobile Secure Mail.
  2. New IIS site on the Exchange server with an EWS virtual directory: Microsoft supports configuring a new EWS directory and ActiveSync directory in a separate IIS site on the Exchange server. This way, authentication methods can be set differently for EWS. Microsoft documentation for a new virtual directory in Exchange
    • As part of the site-creation process, you must bind an IP address to the site; each site should have a unique IP address.
    • After you assign an IP address, create a DNS record that allows users to access the new website using a new domain name.
    • Secure Mail can be configured to connect to this separate site, while all other clients keep connecting to the default site, by specifying the FQDN of the new site in the Secure Mail Exchange server policy. This way the Autodiscover used by other clients is not affected by the new configuration and still resolves to the default site.

Q9: What are the configuration changes required when Split Tunneling is set to Off and STA is enabled?

A: NetScaler Gateway must allow traffic from Secure Mail to the Citrix registration service URLs so that the initial registration of the Secure Mail client to the NetScaler does not fail.

Americas:

  • https://us-east-1.pushreg.xm.citrix.com
  • 52.7.65.6 & 52.7.147.0
EMEA:

  • https://eu-west-1.pushreg.xm.citrix.com
  • 54.154.200.233 & 54.154.204.192
APAC:

  • https://ap-southeast-1.pushreg.xm.citrix.com
  • 52.74.236.173 & 52.74.25.245

Q10: What do I set the Upload Read Ahead Size to?

A: If the Exchange Server is configured for client certificate authentication, the uploadReadAheadSize parameter needs to be changed in IIS for both the EWS site and the ActiveSync site:

Q11: How can I verify that the Outbound connections are working and APNs is setup?

  • The outbound connection from Exchange to the listener service can be verified via the Exchange event logs, which record events when a subscription request, or a notification for a subscription, is invalid or fails. You can also run Wireshark traces on the Exchange server to track outbound traffic to the listener service.
  • There are two easy checks that can be carried out to know whether APNs is working or the app is still using local badging:
    • First, validate that the badge unread count is equal to what you see for your Outlook client on your laptop/desktop.
    • As a second check, send the app to the background for more than 5 minutes and then check if the badge is still updating.
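The checks in Q11 can be scripted on the Exchange CAS. The script below is an added example, not part of the Citrix article: it tests TCP and TLS reachability of the listener service, shows whether .NET on that server would send the listener traffic through a proxy (relevant to the web.config bypass in Q6), and pulls recent EWS errors from the Application log. LISTENER-FQDN-FOR-YOUR-REGION is a placeholder for the regional URL from Q12; the event provider name ‘MSExchange Web Services’ is an assumption, and the proxy check reflects the interactive user's .NET settings, not necessarily the EWS application pool's.

```powershell
# Added example (not from the Citrix article): verify outbound connectivity from the
# Exchange CAS to the Citrix listener service and look for recent EWS failures.
# Placeholder: LISTENER-FQDN-FOR-YOUR-REGION (listener URL for your region, see Q12).

$listenerHost = 'LISTENER-FQDN-FOR-YOUR-REGION'

# 1. Plain TCP reachability on 443 (Test-NetConnection: Windows Server 2012 or later).
$tcp = Test-NetConnection -ComputerName $listenerHost -Port 443 -WarningAction SilentlyContinue
"TCP 443 to {0}: {1}" -f $listenerHost, $tcp.TcpTestSucceeded

# 2. A real TLS handshake; AuthenticateAsClient throws if the certificate chain or
#    host name does not validate, which is what an outbound SSL-inspecting firewall
#    or a wrong proxy would cause.
$client = New-Object System.Net.Sockets.TcpClient($listenerHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($listenerHost)
    "TLS {0}, server certificate issued to: {1}" -f $ssl.SslProtocol, $ssl.RemoteCertificate.Subject
    $ssl.Dispose()
}
finally { $client.Close() }

# 3. Would .NET route this destination through a proxy? GetProxy returns the target
#    URI itself when the connection is direct. Note: this reflects the current user's
#    .NET proxy settings, not those of the EWS application pool (see web.config in Q6).
$proxyUri = [System.Net.WebRequest]::DefaultWebProxy.GetProxy("https://$listenerHost/")
if ($proxyUri.Host -eq $listenerHost) { 'Proxy for listener: none (direct)' }
else { "Proxy for listener: $proxyUri" }

# 4. EWS warnings/errors from the last 24 hours (provider name is an assumption).
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Web Services'
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

A successful step 2 with a failing badge usually points at the subscription side (the EWS request from the client, Q7 and Q2 under Information/Data Flow) rather than at the network, while a failure in step 2 with success in step 1 indicates TLS interception or an explicit proxy in the path.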

Q12: I do not see the Secure Mail updated APNs policies to configure the settings.

A: This is available in the Beetlejuice wrapper. Ensure that with the Beetlejuice upgrade, you are also using the latest version of the MDX toolkit.

Q13: Can I change the APNs policy from OFF to ON or ON to OFF?

A: This can be changed by the Admin from ‘OFF’ to ‘ON’. The next time Secure Mail checks in with the server to get the latest policies, the badge will begin to update. The scenario of going from ‘ON’ to ‘OFF’ is not supported. If turned OFF, the badge will continue to update.

Q14: Where do I upload the APNs certificate?

A: The listener service will require your Secure Mail’s APNs certificate to push notifications to your end users. The APNs certificate is uploaded via https://xenmobiletools.citrix.com. You will need your citrite id to get access to the portal. Ensure to select the 2nd option on the screen: “Upload Secure Mail APNs certificates”.

Q15: Can I upload the same certificate and app ID for multiple regions?

A: Yes, the same certificate and app ID can be uploaded for multiple regions. However, you can only have one entry per region. To upload for multiple regions, each region will need to be registered under a different citrite ID.

Information/Data Flow

Q1: After the admin enables APNs push, what is the end to end flow?

A: The end-to-end flow is as follows:

Set-up
  1. User launches APNs enabled Secure Mail application on their device.
  2. User is prompted by the iOS platform to allow Notifications. User clicks on “Allow”.
  3. The iOS platform obtains the device token from the Apple Push Notification service (on behalf of the Secure Mail application).
  4. Secure Mail registers with the Citrix hosted listener service.
  5. Secure Mail makes an EWS call to subscribe to EWS push notifications for the inbox folder. Upon success, the Exchange server sends the subscription id to Secure Mail.
  6. Secure Mail updates the Citrix hosted listener service with the subscription id.
Execution
  1. When there is mailbox activity, the Exchange server will send an EWS push notification to the listener service.
  2. Listener service will send out an APNs push notification via Apple APNs to Secure Mail. The APNs push notification will have the total unread count of the inbox.
  3. WM connects to the Exchange server via ActiveSync and syncs e-mails, and triggers mail notifications if enabled by the user in Secure Mail settings.

Q2: Does anything need to be configured on the Exchange Server to make it aware of the Listener service?

  • EWS Push Notification APIs will be used by Secure Mail to communicate with the Exchange Server.
  • For most customers, EWS will be enabled on the Exchange server since Outlook for Mac uses EWS. Ensure with your Exchange Admin that EWS is not blocked or allowed for only specific user agents.
  • At FTU, after upgrade, or when the policy change to turn on APNs is received by the client, the client makes a push subscription request to Exchange. The URL of the listener service will also be communicated as part of this request to Exchange. This is how the Exchange server knows which Listener service to communicate with to trigger push notifications to the device.
  • Refer to the tech note on EWS Push notifications for complete details of the subscription request from the client.

Q3: What server role on Exchange carries out the communication with the listener service?

A: CAS – Client Access Server

Q4: What kind of information does the Listener service know about a Mailbox?

A: No Personally Identifiable Information (PII) is available to the Listener Service. The Listener service will store the following information:

  1. Device Token ID: Assigned to the device during initial registration with the listener service
  2. EWS subscription ID: assigned by Exchange to the client upon EWS Push subscription request
  3. EWS folder ID of inbox.
  4. ActiveSync ID hashed with SHA-256
  5. Email address hashed with SHA-256
  6. iOS version
  7. APNs specific information: notification id, etc
  8. No mail data will flow through the listener service.

Q5: How will the actual mail data traffic flow?

A: This will continue to flow between the device and the Exchange server via ActiveSync (no change in behavior).

Q6: What happens if the EWS connection from Exchange to the Listener service fails?

  • The connection is retried for up to 15 minutes, following the retry algorithm described for the EWS StatusFrequency element.
  • If there is still no success after 15 minutes, Exchange terminates the subscription for the client.
  • When Secure Mail is brought into the foreground, it checks its registration status with the listener service every 5 minutes.
  • If 30 minutes have passed since the listener service last received an update from Exchange, the client sends a new subscription request to Exchange, since Exchange will have terminated the subscription after retrying for 15 minutes.

Q7: Why are we using ‘Push’ instead of ‘Streaming’ notifications? Microsoft seems to recommend the latter.

A: The only reason Microsoft recommends streaming over push is because of the reduction in overhead of an additional listener service that needs to be written and maintained. Since Citrix is hosting the listener service, a push solution is just as viable and effective.

In addition, to use the streaming approach, the server would have to subscribe itself to Exchange for the updates and would require the credentials of the user. For a cloud based offering, this cannot be done. This would be the approach for an On-prem solution.

Q8: What info will help Citrix support if I need assistance troubleshooting my APNs setup?

  • Secure Mail logs – set this to Debug level 10 or 15 (preferred)
  • Your APNs tenant ID
  • Screenshots of the badge count and AppController policy settings

Additional Resources

CTX200971 – How to Prepare Secure Mail for APNs XenMobile App

CTX201025 – FAQ: Badge Behavior and Notifications Behavior for End Users

Citrix Blog – Mobility Experts: A Step-by-Step Guide to Configuring Secure Mail APNS

XenMobile How Do I


Re: NMM 9.2 DAG doesn´t find all mailboxdatabases

Hello,

we're running NetWorker Server 9.2.1.1 on W2K12R2 and upgraded our Exchange clients to NMM 9.2.

Since then, the NetWorker DAG client isn't able to find all mailbox databases and backup doesn't work.

There are:

– 6 Exchange nodes (W2K8R2, Exchange 2010) holding several active/passive databases and 2 standalone databases

– 2 DAG Clients in Networker (1 for standalone backup, 1 for backup of passive databases)

– Federated backup was already configured in NMM 8.2

– nsrnmmsv -P working fine on all 6 Exchange nodes

When we use the Client Config wizard to update the DAG client we see only 8 instead of 24 mailbox databases.

When we start a backup we always get this error message:

“cannot process Argument Transformation on Parameter `identity`, cannot convert value `mailboxdatabaseServer` `didn´t find Server Name of Exchange Server”. Parameter Name `identiy`

Any suggestion would be appreciated.

Best regards,

Christian



XENMOBILE MAIL MANAGER 10.1.2 – RELEASED 2-Apr-2018

Apr 06, 2018

XenMobile Mail Manager provides the functionality that extends the capabilities of XenMobile in the following ways:

  • Dynamic Access Control for Exchange Active Sync (EAS) devices. EAS devices can be automatically allowed or blocked access to Exchange services.
  • The ability for XenMobile to access EAS device partnership information provided by Exchange.
  • The ability for XenMobile to perform an EAS Wipe on a mobile device.
  • The ability for XenMobile to access information about Blackberry devices, and to perform control operations such as Wipe and ResetPassword.

To download XenMobile Mail Manager, go to the Server Components section under XenMobile 10 Server on Citrix.com.

This article includes the following sections:

What’s new in version 10.1.2

  • Improved connection to Exchange: XenMobile Mail Manager uses PowerShell sessions to communicate with Exchange. A PowerShell session, especially when dealing with Office 365, can become unstable after a while, blocking subsequent commands from succeeding. XenMobile Mail Manager can now set an expiration period for connections. When a connection reaches its expiration time, XenMobile Mail Manager gracefully shuts down the PowerShell session and creates a new one. This makes the PowerShell session less likely to become unstable, significantly reducing the chance of a snapshot failure.
  • Improved snapshot workflow: Major snapshots are a time-consuming and process-intensive operation. If an error occurs during a snapshot, XenMobile Mail Manager now attempts multiple times (up to three) to complete a snapshot. Subsequent attempts do not start from the beginning. XenMobile Mail Manager continues from where it left off. This enhancement improves the success rate of snapshots in general by allowing transient errors to pass while a snapshot is still in progress.
  • Improved diagnostics: Troubleshooting snapshot operations is now easier with three new diagnostic files that can optionally be generated during a snapshot. These files help identify PowerShell command issues, mailboxes with missing information, and devices that cannot be related to a mailbox. An admin can use these files to identify data that may not be correct in Exchange.
  • Improved memory usage: XenMobile Mail Manager is now more efficient in its use of memory. Admins can schedule XenMobile Mail Manager to restart automatically to provide a clean slate to the system.
  • Microsoft .NET Framework 4.6 prerequisite: The prerequisite for Microsoft .NET Framework is now version 4.6.

Fixed issues

  • Prompt for credentials error: Office 365 session instability often caused this error. The Improved Connection to Exchange enhancement addresses the problem. (XMHELP-293, XMHELP-311, XMHELP-801)
  • Mailbox and device count inaccuracies: XenMobile Mail Manager has an improved Mailbox-to-Device association algorithm. The Improved Diagnostics feature helps in the identification of mailboxes and devices that XenMobile Mail Manager deems are not within its realm of responsibility. (XMHELP-623)
  • Allow/Block/Wipe commands not being recognized: A bug was fixed where sometimes, XenMobile Mail Manager allow/block/wipe commands are not recognized. (XMHELP-489)
  • Memory management: Better memory management and mitigation. (XMHELP-419)

Architecture

The following diagram shows the main components of XenMobile Mail Manager. For a detailed reference architecture diagram, see the XenMobile Deployment Handbook article, Reference Architecture for On-Premises Deployments.

The three main components are:

  • Exchange ActiveSync Access Control Management. Communicates with XenMobile to retrieve an Exchange ActiveSync policy from XenMobile, and merges this policy with any locally defined policy to determine the Exchange ActiveSync devices that should be allowed or denied access to Exchange. Local policy allows extending the policy rules to allow access control by Active Directory Group, User, Device Type, or Device User Agent (generally the mobile platform version).
  • Remote PowerShell Management. Responsible for scheduling and invoking remote PowerShell commands to enact the policy compiled by Exchange ActiveSync Access Control Management. Periodically takes a snapshot of the Exchange ActiveSync database to detect new or changed Exchange ActiveSync devices.
  • Mobile Service Provider. Provides a web service interface so that XenMobile can query Exchange ActiveSync and/or Blackberry devices, as well as issue control operations such as Wipe against them.

System requirements and prerequisites

The minimum system requirements for XenMobile Mail Manager are:

  • Windows Server 2012 R2, Windows Server 2008 R2 (must be an English-based server)
  • Microsoft SQL Server 2016, SQL Server 2014, SQL Server 2012, SQL Server 2012 Express LocalDB, or SQL Server Express 2008
  • Microsoft .NET Framework 4.6
  • Blackberry Enterprise Service, version 5 (optional)

Minimum supported versions of Microsoft Exchange Server:

  • Microsoft Office 365
  • Exchange Server 2016
  • Exchange Server 2013
  • Exchange Server 2010 SP2

Prerequisites:

  • Windows Management Framework must be installed.
    • PowerShell V5, V4, and V3
  • The PowerShell execution policy must be set to RemoteSigned via Set-ExecutionPolicy RemoteSigned.
  • TCP port 80 must be open between the computer running XenMobile Mail Manager and the remote Exchange Server.

Device email clients: Not all email clients consistently return the same ActiveSync ID for a device. Because XenMobile Mail Manager expects a unique ActiveSync ID for each device, only email clients that consistently generate the same, unique ActiveSync ID for each device are supported. These email clients have been tested by Citrix and performed without errors:

  • HTC native email client
  • Samsung native email client
  • iOS native email client
  • Touchdown for Smartphones

Exchange: The requirements for the on-premises computer running Exchange are as follows:

The credentials specified in the Exchange Configuration UI must be able to connect to the Exchange Server and be given full access to execute the following Exchange-specific PowerShell cmdlets.

  • For Exchange Server 2010 SP2:
    • Get-CASMailbox
    • Set-CASMailbox
    • Get-Mailbox
    • Get-ActiveSyncDevice
    • Get-ActiveSyncDeviceStatistics
    • Clear-ActiveSyncDevice
    • Get-ExchangeServer
    • Get-ManagementRole
    • Get-ManagementRoleAssignment
  • For Exchange Server 2013 and Exchange Server 2016:
    • Get-CASMailbox
    • Set-CASMailbox
    • Get-Mailbox
    • Get-MobileDevice
    • Get-MobileDeviceStatistics
    • Clear-MobileDevice
    • Get-ExchangeServer
    • Get-ManagementRole
    • Get-ManagementRoleAssignment
  • If XenMobile Mail Manager is configured to view the entire forest, permission must have been granted to run: Set-AdServerSettings -ViewEntireForest $true
  • The supplied credentials must have been granted the right to connect to the Exchange Server via the remote Shell. By default, the user who installed Exchange has this right.
  • Per the Microsoft TechNet article, about_Remote_Requirements, in order to establish a remote connection and run remote commands, the credentials must correspond to a user who is an administrator on the remote machine. Per this blog post, You Don’t Have to Be An Administrator to Run Remote PowerShell Commands, Set-PSSessionConfiguration can be used to eliminate the administrative requirement, but the support and discussion of the particulars of this command are beyond the scope of this document.
  • The Exchange Server must be configured to support remote PowerShell requests via HTTP. Typically, an administrator running the following PowerShell command on the Exchange Server is all that is required: WinRM QuickConfig.
  • Exchange has many throttling policies. One of the policies controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is 18 on Exchange 2010. When the connection limit is reached, XenMobile Mail Manager is not able to connect to Exchange Server. There are ways to change the maximum allowed simultaneous connections via PowerShell that are beyond the scope of this documentation. If interested, investigate Exchange throttling policies as related to remote management with PowerShell.

Requirements for Office 365 Exchange

  • Permissions. The credentials specified in the Exchange Configuration UI must be able to connect to Office 365 and be given full access to execute the following Exchange-specific PowerShell cmdlets:
    • Get-CASMailbox
    • Set-CASMailbox
    • Get-Mailbox
    • Get-MobileDevice
    • Get-MobileDeviceStatistics
    • Clear-MobileDevice
    • Get-ExchangeServer
    • Get-ManagementRole
    • Get-ManagementRoleAssignment
  • Privileges. The supplied credentials must have been granted the right to connect to the Office 365 server via the remote Shell. By default, Office 365 online administrator has the requisite privileges.
  • Throttling policies. Exchange has many throttling policies. One of the policies controls how many concurrent PowerShell connections are allowed per user. The default number of simultaneous connections allowed for a user is three on Office 365. When the connection limit is reached, XenMobile Mail Manager is not able to connect to Exchange Server. There are ways to change the maximum allowed simultaneous connections via PowerShell that are beyond the scope of this documentation. If interested, investigate Exchange throttling policies as related to remote management with PowerShell.
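The two requirement lists above (on-premises Exchange and Office 365) can be verified up front with the account XenMobile Mail Manager will use, rather than discovering a missing cmdlet when the first snapshot fails. The script below is an added example, not code from the Citrix article or from XenMobile Mail Manager: it opens the same kind of remote PowerShell session Mail Manager relies on, reports which of the listed cmdlets RBAC actually exposes to that account, tests the ViewEntireForest right on-premises, and reads the PowerShellMaxConcurrency limit from the throttling policy. EXCH-SERVER-FQDN is a placeholder; the Exchange Online URI is the legacy basic-auth endpoint that was current when the article was published, which is an assumption on my part.

```powershell
# Added example (not from the Citrix article): preflight the account that XenMobile Mail
# Manager will run as, over the same remote PowerShell channel Mail Manager uses.
# Placeholder: EXCH-SERVER-FQDN. Run with -Office365 to test an Exchange Online tenant.
param([switch]$Office365)

$cred = Get-Credential -Message 'Account XenMobile Mail Manager will run as'

if ($Office365) {
    # Legacy basic-auth remote PowerShell endpoint for Exchange Online (assumed current
    # for the article's time frame).
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $cred -Authentication Basic -AllowRedirection
}
else {
    # On-premises: remote PowerShell over HTTP on TCP 80, as the prerequisites require.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'http://EXCH-SERVER-FQDN/PowerShell/' `
        -Credential $cred -Authentication Kerberos
}
Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

# Exchange RBAC only imports the cmdlets this account is allowed to run, so Get-Command
# against the imported session is the real permission test. Exchange 2010 SP2 exposes
# the *-ActiveSyncDevice names; 2013, 2016 and Office 365 expose *-MobileDevice.
$common = 'Get-CASMailbox', 'Set-CASMailbox', 'Get-Mailbox', 'Get-ExchangeServer',
          'Get-ManagementRole', 'Get-ManagementRoleAssignment'
$modern = 'Get-MobileDevice', 'Get-MobileDeviceStatistics', 'Clear-MobileDevice'
$legacy = 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics', 'Clear-ActiveSyncDevice'

function Test-Cmdlet([string[]]$names) {
    foreach ($n in $names) {
        [pscustomobject]@{
            Cmdlet    = $n
            Available = [bool](Get-Command $n -ErrorAction SilentlyContinue)
        }
    }
}
$report = Test-Cmdlet ($common + $modern + $legacy)
$report | Format-Table -AutoSize

$missingCommon = @($report | Where-Object { $_.Cmdlet -in $common -and -not $_.Available }).Count
$hasModern     = @($report | Where-Object { $_.Cmdlet -in $modern -and -not $_.Available }).Count -eq 0
$hasLegacy     = @($report | Where-Object { $_.Cmdlet -in $legacy -and -not $_.Available }).Count -eq 0
if ($missingCommon -eq 0 -and ($hasModern -or $hasLegacy)) { 'Cmdlet check: OK' }
else { 'Cmdlet check: FAILED (see table above)' }

# Forest-wide view is needed only on-premises and fails if the right was not granted.
if (-not $Office365) {
    try   { Set-AdServerSettings -ViewEntireForest $true; 'ViewEntireForest: OK' }
    catch { "ViewEntireForest: $($_.Exception.Message)" }
}

# Concurrency limit that Mail Manager's sessions count against (18 on Exchange 2010,
# three on Office 365 per the text above). Get-ThrottlingPolicy may not be exposed to
# a tenant admin on Office 365, hence the guard.
if (Get-Command Get-ThrottlingPolicy -ErrorAction SilentlyContinue) {
    Get-ThrottlingPolicy |
        Select-Object Name, ThrottlingPolicyScope, PowerShellMaxConcurrency |
        Format-Table -AutoSize
}

Remove-PSSession $session
```

Save it as Test-XmmAccess.ps1 and run it from the machine that will host XenMobile Mail Manager, so that the execution policy, TCP 80 reachability and WinRM configuration listed in the prerequisites are exercised on the same path Mail Manager will use; a failed New-PSSession at the top means one of those, not RBAC, is the problem.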

Install and configure

1. Click the XmmSetup.msi file and then follow the prompts in the installer to install XenMobile Mail Manager.


2. Leave Launch the Configure utility selected in the last screen of the set-up wizard. Or, from the Start menu, open XenMobile Mail Manager.


3. Configure the following database properties:

  • Select the Configure > Database tab.
  • Enter the name of the SQL Server (defaults to localhost).
  • Keep the database as the default CitrixXmm.

4. Select one of the following authentication modes used for SQL:

  • Sql. Enter the user name and password of a valid SQL user.
  • Windows Integrated. If you select this option, the logon credentials of the XenMobile Mail Manager Service must be changed to a Windows account that has permissions to access the SQL Server. To do this, open Control Panel > Administrative Tools > Services, right-click the XenMobile Mail Manager Service entry and then click the Log On tab.

Note: If Windows Integrated is also chosen for the BlackBerry database connection, the Windows account specified here must also be given access to the BlackBerry database.

5. Click Test Connectivity to check that a connection can be made to the SQL Server and then click Save.

6. A message prompts you to restart the service. Click Yes.


7. Configure one or more Exchange Servers:

  • If managing a single Exchange environment, you only need a single server specified. If managing multiple Exchange environments, you need a single Exchange Server specified for each Exchange environment.
  • Click the Configure > Exchange tab and then click Add.

8. Select the type of Exchange Server environment: On Premise or Office 365.

  • If you select On Premise, enter the name of the Exchange Server that will be used for Remote PowerShell commands.
  • Enter the user name of a Windows identity that has appropriate rights on the Exchange Server as specified within the Requirements section and then enter the Password for the user.
  • Select the schedule for running Major snapshots. A major snapshot detects every Exchange ActiveSync partnership.
  • Select the schedule for running Minor snapshots. A minor snapshot detects newly created Exchange ActiveSync partnerships.
  • Select the Snapshot Type: Deep or Shallow. Shallow snapshots are typically much faster and are sufficient to perform all the Exchange ActiveSync Access Control functions of XenMobile Mail Manager. Deep snapshots may take significantly longer and are only needed if the Mobile Service Provider is enabled for ActiveSync. This option allows XenMobile to query for unmanaged devices.
  • Select the Default Access: Allow, Block, or Unchanged. This controls how all devices other than those identified by explicit XenMobile or Local rules are treated. If you select Allow, ActiveSync access to all such devices is allowed. If you select Block, access is denied. If you select Unchanged, no change is made.
  • Select the ActiveSync Command Mode: PowerShell or Simulation.
  • In PowerShell mode, XenMobile Mail Manager issues PowerShell commands to enact the desired access control. In Simulation mode, XenMobile Mail Manager does not issue PowerShell commands, but logs the intended command and intended outcomes to the database. In Simulation mode, the user can then use the Monitor tab to see what would have happened if PowerShell mode was enabled.
  • In Connection Expiration, set the hours and minutes for the life of a connection. When a connection reaches the age specified, the connection is marked as expired, so that the connection is never used again. When the expired connection is no longer used, XenMobile Mail Manager gracefully shuts the connection down. When a connection is needed again, a new connection is initialized if none is available. If none is specified, the default of 30 minutes is used.
  • Select View Entire Forest to configure XenMobile Mail Manager to view the entire Active Directory forest in the Exchange environment.
  • Select the authentication protocol: Kerberos or Basic. XenMobile Mail Manager supports Basic authentication for on-premises deployments. This enables XenMobile Mail Manager to be used when the XenMobile Mail Manager server is not a member of the domain in which the Exchange server resides.
  • Click Test Connectivity to check that a connection can be made to the Exchange Server and then click Save.
  • A message prompts you to restart the service. Click Yes.

9. Configure the access rules: Select the Configure > Access Rules tab, click the XMS Rules tab and then click Add.


10. On the XenMobile Server Service Properties page, modify the URL string to refer to the XenMobile Server. For example, if the instance name is zdm, enter http://XdmHostName/zdm/services/MagConfigService. In the example, replace XdmHostName with the IP or DNS address of the XenMobile Server.

  • Enter an authorized user of the server.
  • Enter the password of the user.
  • Keep the default values for the Baseline Interval, Delta Interval, and Timeout values.
  • Click Test Connectivity to check the connection to the server and then click OK.

Note: If the Disabled check box is selected, the XenMobile Mail Service will not collect policies from the XenMobile Server.

11. Click the Local Rules tab.

  • You can add local rules based on ActiveSync Device ID, Device Type, AD Group, User, or device UserAgent. In the list, select the appropriate type.
  • Enter text or text fragments in the text box. Optionally, click the query button to view the entities that match the fragment.

Note: For all types other than Group, the system relies on the devices that have been found in a snapshot. Therefore, if you are just starting and haven’t completed a snapshot, no entities will be available.

  • Select a text value and then click Allow or Deny to add it to the Rule List pane on the right side. You can change the order of rules or remove them using the buttons to the right of the Rule List pane. The order is important because, for a given user and device, rules are evaluated in the order shown and a match on a higher rule (nearer the top) will cause subsequent rules to have no effect. For example, if you have a rule allowing all iPad devices and a subsequent rule blocking the user Matt, Matt’s iPad will still be allowed because the iPad rule has a higher effective priority than the Matt rule.
  • To perform an analysis of the rules within the rules list to find any potential overrides, conflicts, or supplemental constructs, click Analyze and then click Save.

12. If you want to construct local rules that operate on Active Directory Groups, click Configure LDAP and then configure the LDAP connection properties.


13. Configure the Mobile Service Provider.

Note: The Mobile Service Provider is optional and is necessary only if XenMobile is also configured to use the Mobile Service Provider interface to query unmanaged devices.

  • Click the Configure > MSP tab.
  • Set the Service Transport type as HTTP or HTTPS for the Mobile Service Provider service.
  • Set the Service port (typically 80 or 443) for the Mobile Service Provider service.

    Note: If you use port 443, the port requires an SSL certificate bound to it in IIS.
  • Set the Authorization Group or User. This sets the user or set of users who will be able to connect to the Mobile Service Provider service from XenMobile.
  • Set whether ActiveSync queries are enabled or not.

    Note: If ActiveSync queries are enabled for the XenMobile Server, the Snapshot type for one or more Exchange Servers must be set to Deep; this may have significant performance costs for taking snapshots.
  • By default, ActiveSync devices that match the regular expression Secure Mail.* will not be sent to XenMobile. To change this behavior, alter the Filter ActiveSync field as necessary.

    Note: Blank means that all devices are forwarded to XenMobile.
  • Click Save.

14. Optionally, configure one or more instances of BlackBerry Enterprise Server (BES): Click Add and then enter the server name of the BES SQL Server.

  • Enter the database name of the BES management database.
  • Select the Authentication mode. If you select Windows Integrated authentication, the user account of the XenMobile Mail Manager service is the account that is used to connect to the BES SQL Server.

    Note: If you also choose Windows Integrated for the XenMobile Mail Manager database connection, the Windows account specified here must also be given access to the XenMobile Mail Manager database.
  • If you select SQL authentication, enter the user name and password.
  • Set the Sync Schedule. This is the schedule used to connect to the BES SQL Server and checks for any device updates.
  • Click Test Connectivity to check connectivity to the SQL Server.

    Note: If you select Windows Integrated, this test uses the current logged on user and not the XenMobile Mail Manager service user and therefore does not accurately test SQL authentication.
  • If you want to support remote Wipe and/or ResetPassword of BlackBerry devices from XenMobile, select the Enabled check box.
  • Enter the BES fully qualified domain name (FQDN).
  • Enter the BES port used for the admin web service.
  • Enter the fully qualified user and password required by the BES service.
  • Click Test Connectivity to test the connection to the BES.
  • Click Save.

Enforce email policies with ActiveSync IDs

Your corporate email policy may dictate that certain devices are not approved for corporate email use. To comply with this policy, you want to ensure that employees cannot access corporate email from such devices. XenMobile Mail Manager and XenMobile work together to enforce such an email policy. XenMobile sets the policy for corporate email access and, when an unapproved device enrolls with XenMobile, XenMobile Mail Manager enforces the policy.

The email client on a device advertises itself to Exchange Server (or Office 365) using the device ID, also known as the ActiveSync ID, which is used to uniquely identify the device. Secure Hub obtains a similar identifier and sends the identifier to XenMobile when the device is enrolled. By comparing the two device IDs, XenMobile Mail Manager can determine whether a specific device should have corporate email access. The following figure illustrates this concept:

Detect ActiveSync ID

If XenMobile sends XenMobile Mail Manager an ActiveSync ID that is different from the ID the device publishes to Exchange, XenMobile Mail Manager cannot indicate to Exchange what to do with the device.

Matching ActiveSync IDs works reliably on most platforms; however, Citrix has found that on some Android implementations, the ActiveSync ID from the device is different from the ID that the mail client advertises to Exchange. To mitigate this problem, you can do the following:

  • On the Samsung SAFE platform, push the device ActiveSync configuration from XenMobile.
  • On all other Android platforms, push both the Touchdown app and the Touchdown ActiveSync configuration from XenMobile.

This does not, however, prevent an employee from installing an email client other than Touchdown on an Android device. To guarantee that your corporate email access policy is enforced properly, you can adopt a defensive security stance and configure XenMobile Mail Manager to block emails by setting the static policy to Deny by default. This means that if an employee does configure an email client on an Android device other than Touchdown, and if ActiveSync ID detection does not work properly, the employee is denied corporate email access.

Access control rules

XenMobile Mail Manager provides a rule-based approach for dynamically configuring access control for Exchange ActiveSync devices. A XenMobile Mail Manager access control rule consists of two parts: a matching expression and a desired access state (Allow or Block). A rule may be evaluated against a given Exchange ActiveSync device to determine if the rule applies to, or matches the device. There are multiple kinds of matching expressions; for example, a rule may match all devices of a given Device Type, or a specific Exchange ActiveSync device ID, or all devices of a specific user, and so on.

At any point during the adding, removing, and rearranging of the rules in the rule list, clicking the Cancel button will revert the rules list back to the state at which it was when first opened. Unless you click Save, any changes made to this window are lost if you close the Configure tool.

XenMobile Mail Manager has three types of rules: local rules, XenMobile server rules (also known as XDM rules), and the default access rule.

Local rules. Local rules have the highest priority: If a device is matched by a local rule, rule evaluation stops. Neither XenMobile server rules nor the default access rule will be consulted. Local rules are configured locally to XenMobile Mail Manager via the Configure>Access Rules>Local Rules tab. Supported matching is based upon a user’s membership within a given Active Directory group, or upon regular expressions for the following fields:

  • ActiveSync Device ID
  • ActiveSync Device Type
  • User Principal Name (UPN)
  • ActiveSync User Agent (typically the device platform or email client)

As long as a major snapshot has completed and found devices, you should be able to add either a normal or regular expression rule. If a major snapshot has not completed, you can only add regular expression rules.

XenMobile server rules. XenMobile server rules are references to an external XenMobile server that provides rules about managed devices. The XenMobile server can be configured with its own high-level rules that identify the devices to be allowed or blocked based on properties known to XenMobile, such as whether the device is jailbroken or whether the device contains forbidden apps. XenMobile evaluates the high-level rules and produces a set of allowed or blocked ActiveSync Device IDs, which are then delivered to XenMobile Mail Manager.

Default access rule. The default access rule is unique in that it can potentially match every device and is always evaluated last. This rule is the catch-all rule, which means that if a given device does not match a local or XenMobile server rule, the desired access state of the device is determined by the desired access state of the default access rule.

  • Default Access – Allow. Any device that is not matched by either a local or XenMobile server rule will be allowed.
  • Default Access – Block. Any device that is not matched by either a local or XenMobile server rule will be blocked.
  • Default Access – Unchanged. Any device that is not matched by either a local or XenMobile server rule will not have its access state modified in any way by XenMobile Mail Manager. If a device has been placed into Quarantine mode by Exchange, no action is taken; in particular, the only way to remove a device from Quarantine mode is to have an explicit Local or XDM rule override the quarantine.

About Rule Evaluations

For each device that Exchange reports to XenMobile Mail Manager, the rules are evaluated in sequence, from highest to lowest priority as follows:

  • Local rules
  • XenMobile server rules
  • Default access rule

When a match is found, evaluation stops. For example, if a local rule matches a given device, the device will not be evaluated against any of the XenMobile server rules or the default access rule. This holds true within a given rule type as well. For example, if there’s more than a single match for a given device in the local rule list, as soon as the first match is encountered, evaluation stops.

XenMobile Mail Manager reevaluates the currently defined set of rules when device properties change, or when devices are added or removed, or when the rules themselves change. Major snapshots pick up device property changes and removals at configurable intervals. Minor Snapshots pick up new devices at configurable intervals.

Exchange ActiveSync has rules governing access as well. It is important to understand how these rules work in the context of XenMobile Mail Manager. Exchange may be configured with three levels of rules: personal exemptions, device rules, and organization settings. XenMobile Mail Manager automates access control by programmatically issuing Remote PowerShell requests to affect the personal exemptions lists. These are lists of allowed or blocked Exchange ActiveSync device IDs associated with a given mailbox. When deployed, XenMobile Mail Manager effectively takes over management of the exemption lists capability within Exchange. For details, see this Microsoft article.
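As an added illustration (not code from the XenMobile Mail Manager product or from the Citrix documentation), the following Python script models the evaluation order described above together with the default-deny stance recommended in the ActiveSync ID section: local rules are tried first, then the allowed/blocked device ID sets delivered by the XenMobile server, then the default access rule, with the first match ending evaluation. It goes one step beyond the text by folding the per-device decisions into the per-mailbox allowed/blocked lists that correspond to the Exchange personal exemption lists. The names `Device`, `LocalRule`, `evaluate` and `exemption_lists`, the sample users, device IDs and the AD group table are constructed for this example. The regular expression semantics (an unanchored, case-insensitive search) are inferred from the page's own examples; exact but case-insensitive comparison for normal rules is an assumption.

```python
import re
from dataclasses import dataclass

ALLOW, BLOCK, UNCHANGED = "Allow", "Block", "Unchanged"


@dataclass(frozen=True)
class Device:
    """One Exchange ActiveSync partnership as a snapshot would report it (constructed)."""
    user: str         # mailbox owner (UPN)
    device_id: str    # ActiveSync device ID
    device_type: str
    user_agent: str


@dataclass(frozen=True)
class LocalRule:
    match_field: str  # "device_id", "device_type", "user", "user_agent" or "ad_group"
    value: str
    access: str       # ALLOW or BLOCK
    is_regex: bool = False


# Constructed group membership; assumption: XMM resolves this through its LDAP connection.
AD_GROUPS = {"zentrain01@example.com": {"ZenTraining A", "ZenTraining B"}}


def local_rule_matches(rule, device):
    if rule.match_field == "ad_group":
        return rule.value in AD_GROUPS.get(device.user.lower(), set())
    actual = getattr(device, rule.match_field)
    if rule.is_regex:
        # The page's examples (3E.* matching an ID with 3E in the middle, App.* read as
        # "contains App") imply an unanchored, case-insensitive search.
        return re.search(rule.value, actual, re.IGNORECASE) is not None
    # Normal rule: the whole value must match (case-insensitivity is an assumption).
    return actual.lower() == rule.value.lower()


def evaluate(device, local_rules, xdm_allowed, xdm_blocked, default_access):
    """First match wins: local rules, then XenMobile server rules, then the default access rule."""
    for rule in local_rules:
        if local_rule_matches(rule, device):
            return rule.access, f"local rule {rule.match_field}={rule.value!r}"
    if device.device_id.upper() in xdm_allowed:
        return ALLOW, "XenMobile server rule"
    if device.device_id.upper() in xdm_blocked:
        return BLOCK, "XenMobile server rule"
    return default_access, "default access rule"


def exemption_lists(decisions):
    """Fold per-device decisions into per-mailbox allowed/blocked device ID lists
    (the shape of the Exchange personal exemptions XMM manages); Unchanged devices are left out."""
    lists = {}
    for device, (access, _) in decisions.items():
        if access not in (ALLOW, BLOCK):
            continue
        entry = lists.setdefault(device.user, {"allowed": [], "blocked": []})
        entry["allowed" if access == ALLOW else "blocked"].append(device.device_id)
    return lists


# Constructed scenario from the text: allow all iPads, then block the user Matt.
RULES = [
    LocalRule("device_type", "iPad", ALLOW),
    LocalRule("user", "matt@example.com", BLOCK),
    LocalRule("ad_group", "ZenTraining B", BLOCK),
]
XDM_ALLOWED = {"A1B2C3D4E5F6"}   # IDs the XenMobile server reported as allowed (constructed)
XDM_BLOCKED = {"DEADBEEF0001"}   # IDs the XenMobile server reported as blocked (constructed)
DEVICES = [
    Device("matt@example.com", "069026593E0C4AEAB8DE7DD589ACED33", "iPad", "Apple-iPad"),
    Device("matt@example.com", "SAMSUNG0001", "SAMSUNGSPHL720", "Android/5.0"),
    Device("alice@example.com", "A1B2C3D4E5F6", "Android", "Android/6.0"),
    # An ID XenMobile never reported (e.g. a mismatched Android ActiveSync ID):
    # with Default Access = Block it is denied, which is the defensive stance the text recommends.
    Device("bob@example.com", "FFFF00000001", "Android", "Android/7.0"),
]


def run(devices=DEVICES, rules=RULES, default_access=BLOCK):
    """Evaluate every reported device and return {device: (access, reason)}."""
    return {d: evaluate(d, rules, XDM_ALLOWED, XDM_BLOCKED, default_access) for d in devices}


if __name__ == "__main__":
    for device, (access, reason) in run().items():
        print(f"{device.user:20} {device.device_id:34} {access:9} via {reason}")
    print(exemption_lists(run()))
```

Matt's iPad comes out as Allow even though a later rule blocks Matt, which is the ordering effect described in the Local Rules step; changing `default_access` to `UNCHANGED` leaves Bob's unknown device untouched and out of the exemption lists entirely.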

Rule analysis (the Analyze button on the Local Rules tab) is particularly useful in situations in which multiple rules for the same field have been defined, because it lets you troubleshoot the relationships between rules. Analysis is performed from the perspective of rule fields; that is, rules are analyzed in groups based upon the field that is being matched, such as ActiveSync device ID, ActiveSync device type, User, User Agent, and so on.

Rule terminology:

  • Overriding rule. An override occurs when more than a single rule could apply to the same device. Because rules are evaluated in priority order down the list, the later rule instance(s) that could also apply may never be evaluated.
  • Conflicting rule. A conflict occurs when more than a single rule could apply to the same device but the access (Allow/Block) does not match. If the conflicting rules are not regular expression rules, a conflict always implicitly connotes an override.
  • Supplemental rule. A supplement occurs when more than one rule is a regular expression rule and hence there might be a need to ensure that the two (or more) regular expressions can either be combined into a single regular expression rule, or are not duplicating functionality. A supplementary rule may also conflict in its access (Allow/Block).
  • Primary rule. The primary rule is the rule that has been clicked within the dialog box. The rule is indicated visually by a solid border line that surrounds it. The rule will also have one or two green arrows pointing up or down. If an arrow points up, the arrow indicates that there are ancillary rules that precede the primary rule. If an arrow points down, this indicates that there are ancillary rules that come after the primary rule. Only a single primary rule can be active at any time.
  • Ancillary rule. An ancillary rule is related in some way to the primary rule either through override, conflict, or a supplementary relationship. The rules are indicated visually by a dashed border that surrounds them. For each primary rule, there can be one to many ancillary rules. When clicking on any underlined entry, the ancillary rule or rules that are highlighted are always from the perspective of the primary rule. For example, the ancillary rule will be overridden by the primary rule, and/or the ancillary rule will conflict in its access with the primary rule, and/or the ancillary rule will supplement the primary rule.
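As an added illustration of the terminology above (not code from the XenMobile Mail Manager product or the Citrix documentation), the following Python script reproduces the three relationships the Rule Analysis dialog reports for rules on the same field: an override when a higher-priority regular expression rule matches a lower normal rule's value (or two normal rules carry the same value), a conflict when related rules differ in their Allow/Block access, and a supplement when two regular expression rules target the same field. It also answers the dialog's per-rule question, which ancillary rules a given primary rule is related to. The functions `analyze`, `ancillaries` and `inactive`, the tuple rule format and the sample rule list are constructed for this example; the rule values themselves are the ones used in the examples later in this topic. Overlap between two regular expressions and between two AD group rules is not decided here, because the page itself leaves that judgment to the administrator.

```python
import re

# A local rule as (field, value, is_regex, access); list position is priority (top = highest).
# Constructed sample list using the values from this topic's examples.
RULES = [
    ("device_type", "SAM.*", True, "Allow"),
    ("device_type", "touch.*", True, "Block"),
    ("device_type", "Andro.*", True, "Allow"),
    ("device_type", "Android", False, "Block"),
    ("device_id", "WorkMail.*", True, "Allow"),
    ("device_id", "workmailc633313818", False, "Allow"),
]


def analyze(rules):
    """Return (kind, higher_index, lower_index) findings for every related pair of rules
    on the same field; kind is "override", "conflict" or "supplement"."""
    findings = []
    for i, (field_i, value_i, regex_i, access_i) in enumerate(rules):
        for j in range(i + 1, len(rules)):
            field_j, value_j, regex_j, access_j = rules[j]
            if field_i != field_j:
                continue  # analysis is per field; rules on different fields are unrelated
            if regex_i and regex_j:
                # Two regular expressions on one field: the tool cannot decide whether they
                # overlap, so it flags a supplement (yellow) and, if access differs, a conflict.
                findings.append(("supplement", i, j))
                if access_i != access_j:
                    findings.append(("conflict", i, j))
                continue
            if regex_i and not regex_j:
                # Same search semantics as rule evaluation: unanchored, case-insensitive.
                overridden = re.search(value_i, value_j, re.IGNORECASE) is not None
            elif not regex_i and not regex_j:
                overridden = value_i.lower() == value_j.lower()
            else:
                overridden = False  # a normal rule above a regex only shadows one value
            if overridden:
                findings.append(("override", i, j))
                if access_i != access_j:
                    findings.append(("conflict", i, j))
    return findings


def inactive(rules):
    """Indices of rules that can never be evaluated (shown in lighter font with a black dot)."""
    return {j for kind, _, j in analyze(rules) if kind == "override"}


def ancillaries(rules, primary):
    """Relationships seen from one primary rule: the dashed-border rules the dialog
    highlights when that rule is clicked, grouped by relationship kind."""
    out = {"override": [], "conflict": [], "supplement": []}
    for kind, i, j in analyze(rules):
        if primary == i:
            out[kind].append(j)
        elif primary == j:
            out[kind].append(i)
    return {kind: sorted(indices) for kind, indices in out.items()}


if __name__ == "__main__":
    for kind, i, j in analyze(RULES):
        print(f"{kind:10} {RULES[i][1]!r} -> {RULES[j][1]!r}")
    print("inactive:", sorted(inactive(RULES)))
    print("from touch.*:", ancillaries(RULES, 1))
    print("from Andro.*:", ancillaries(RULES, 2))
```

Clicking `touch.*` (index 1) reports only the two other regular expression rules on the device type field, while clicking `Andro.*` (index 2) additionally surfaces the overridden normal rule `Android`, which matches the "How to Further Analyze the Rules" walk-through: the related set always depends on which rule is primary.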

The Appearance of the Types of Rules in the Rule Analysis Dialog Box

When there are no conflicts, overrides, or supplements, the Rule Analysis dialog box has no underlined entries. Clicking on any of the items has no impact; that is, only the normal selected-item visuals appear.

The Rule Analysis window has a check box which, when selected, displays only those rules which are conflicts, overrides, redundancies, or supplements.

When an override occurs, at least two rules will be underlined: the primary rule and the ancillary rule or rules. At least one ancillary rule will appear in a lighter font to indicate that the rule has been overridden by a higher priority rule. You can click on the overridden rule to find out which rule or rules have overridden the rule. Any time an overridden rule has been highlighted, either as a result of the rule being the primary or ancillary rule, a black circle will appear next to it as a further visual indication that the rule is inactive. For example, before clicking on the rule, the dialog box appears as follows:

When you click the highest-priority rule, the dialog box appears as follows:

In this example, the regular expression rule WorkMail.* is the primary rule (indicated by the solid border) and the normal rule workmailc633313818 is an ancillary rule (indicated by the dashed border). The black dot next to the ancillary rule is a visual cue that further indicates that the rule is inactive (will never be evaluated) due to the higher-priority regular expression rule that precedes it. After clicking on the overridden rule, the dialog box appears as follows:

In the preceding example, the regular expression rule WorkMail.* is the ancillary rule (indicated by the dashed border) and the normal rule workmailc633313818 is a primary rule (indicated by the solid border). For this simple example, there’s not much difference. For a more complicated example, see the complex expression example later in this topic. In a scenario with many rules defined, clicking the overridden rule would quickly identify which rule or rules had overridden it.

When a conflict occurs, at least two rules will be underlined, the primary rule and the ancillary rule or rules. The rules in conflict are indicated by a red dot. Rules that only conflict with one another are only possible with two or more regular expression rules defined. In all other conflict scenarios, there will not only be a conflict, but an override at play. Prior to clicking on either of the rules in a simple example, the dialog box appears as follows:

By inspecting the two regular expression rules, it’s evident that the first rule allows all devices with a device ID that contains “App” and that the second rule denies all devices with a device ID that contains Appl. In addition, even though the second rule denies all devices with a device ID that contains Appl, no devices with that match criteria will ever be denied because of the higher precedence of the allow rule. After clicking on the first rule, the dialog box appears as follows:

In the preceding scenario, both the primary rule (regular expression rule App.*) and the ancillary rule (regular expression rule Appl.*) are both highlighted in yellow. This is simply a visual warning to alert you to the fact that you have applied more than a single regular expression rule to a single matchable field, which could mean a redundancy issue or something more serious.

A conflict can also coincide with an override. Before clicking on either rule in the following example, the dialog box appears as follows:

It is easy to see in the preceding example that the first rule (regular expression rule SAMSUNG.*) not only overrides the next rule (normal rule SAMSUNG-SM-G900A/101.40402), but that the two rules differ in their access (primary specifies Allow, ancillary specifies Block). The second rule (normal rule SAMSUNG-SM-G900A/101.40402) is displayed in lighter text to indicate that it has been overridden and is therefore inactive.

After clicking on the regular expression rule, the dialog box appears as follows:

The primary rule (regular expression rule SAMSUNG.*) is followed by a red dot to indicate that its access state conflicts with one or more ancillary rules. The ancillary rule (normal rule SAMSUNG-SM-G900A/101.40402) is followed by a red dot to indicate that its access state conflicts with the primary rule, as well as with a black dot to further indicate that it has been overridden and is therefore inactive.

At least two rules will be underlined, the primary rule and the ancillary rule or rules. Rules that only supplement one another will only involve regular expression rules. When rules supplement one another they are indicated with a yellow overlay. Prior to clicking on either of the rules, in a simple example, the dialog box appears as follows:

Visual inspection easily reveals that both rules are regular expression rules which have both been applied to the ActiveSync device ID field in XenMobile Mail Manager. After clicking on the first rule, the dialog box looks as follows:

The primary rule (regular expression rule WorkMail.*) is highlighted with a yellow overlay to indicate that there exists at least one additional ancillary rule which is a regular expression. The ancillary rule (regular expression rule SAMSUNG.*) is highlighted with a yellow overlay to indicate that both it and the primary rule are regular expression rules being applied to the same field within XenMobile Mail Manager; in this case, the ActiveSync device ID field. The regular expressions may or may not overlap. It is up to you to decide if your regular expressions are properly crafted.

Example of a Complex Expression

Many potential overrides, conflicts, or supplements can occur, making it impossible to give an example of all possible scenarios. The following example discusses what not to do, while also serving to illustrate the full power of the rule analysis visual construct. Most of the items are underlined in the following figure. Many of the items render in a lighter font, which indicates that the rule in question has been overridden by a higher priority rule in some manner. A number of regular expression rules are included in the list as well, as indicated by the icon.

How to Analyze an Override

To see which rule or rules have overridden a particular rule, you click the rule.

Example 1: This example examines why zentrain01@zenprise.com has been overridden.

The primary rule (AD-Group rule zenprise/TRAINING/ZenTraining B, of which zentrain01@zenprise.com is a member) has the following characteristics:

  • Is highlighted in blue and has a solid border.
  • Has an upwards pointing green arrow (to indicate that the ancillary rule or rules are all to be found above it).
  • Is followed by both a red circle and black circle to indicate respectively that one or more ancillary rule conflicts with its access and that the primary rule has been overridden and is hence inactive.

When you scroll up, you see the following:

In this case, there are two ancillary rules that override the primary rule: the regular expression rule zen.* and the normal rule zentrain01@zenprise.com (of zenprise/TRAINING/ZenTraining A). In the case of the latter ancillary rule, what has occurred is that the Active Directory Group rule ZenTraining A contains the user zentrain01@zenprise.com, and the Active Directory Group rule ZenTraining B also contains the user zentrain01@zenprise.com. Because the ancillary rule has a higher precedence than the primary rule, however, the primary rule has been overridden. The primary rule’s access is Allow, and because both ancillary rules’ access is Block, all are followed with a red circle to further indicate an access conflict.

Example 2: This example shows why the device with an ActiveSync device ID of 069026593E0C4AEAB8DE7DD589ACED33 has been overridden:

The primary rule (normal device ID rule 069026593E0C4AEAB8DE7DD589ACED33) has the following characteristics:

  • Is highlighted in blue and has a solid border.
  • Has an upwards pointing green arrow (to indicate that the ancillary rule is to be found above it).
  • Is followed by a black circle to indicate an ancillary rule has overridden the primary rule and is hence inactive.

In this case, a single ancillary rule overrides the primary rule: the regular expression ActiveSync device ID rule 3E.*. Because the regular expression 3E.* matches 069026593E0C4AEAB8DE7DD589ACED33, the primary rule will never be evaluated.

How to Analyze a Supplement and Conflict

In this case, the primary rule is the regular expression ActiveSync device type rule touch.*. The characteristics are as follows:

  • Is indicated by a solid border with a yellow overlay as a warning that there is more than a single regular expression rule operating against a particular rule field, in this case ActiveSync device type.
  • Two arrows are pointing up and down respectively, indicating that there is at least one ancillary rule with higher priority and at least one ancillary rule with lower priority.
  • The red circle next to it indicates that at least one ancillary rule has its access set to Allow, which conflicts with the primary rule’s access of Block.
  • There are two ancillary rules: the regular expression ActiveSync device type rule SAM.* and the regular expression ActiveSync device type rule Andro.*.
  • Both of the ancillary rules are bordered with dashes to indicate that they are ancillary.
  • Both of the ancillary rules are overlaid with yellow to indicate that they are supplementally being applied to the rule field of ActiveSync device type.
  • You should ensure in such scenarios that their regular expression rules are not redundant.

How to Further Analyze the Rules

This example explores how rule relationships are always from the perspective of the primary rule. The preceding example showed the ancillary rules that are highlighted by a click on the regular expression device type rule touch.*. Clicking on the ancillary rule Andro.* instead shows a different set of ancillary rules highlighted.

The example shows an overridden rule that is included in the rule relationship. This rule is the normal ActiveSync device type rule Android, which is overridden (indicated by the lightened font and the black circle next to it) and also conflicts in its access with the primary rule, the regular expression ActiveSync device type rule Andro.*; that rule was an ancillary rule prior to being clicked. In the preceding example, the normal ActiveSync device type rule Android was not displayed as an ancillary rule because, from the perspective of the then primary rule (the regular expression ActiveSync device type rule touch.*), it was not related to it.

To configure a normal expression local rule

  1. Click the Access Rules tab.
  2. In the Device ID list, select the field for which you want to create a Local Rule.
  3. Click on the magnifying glass icon to display all of the unique matches for the chosen field. In this example, the field Device Type has been chosen and the choices are shown below in the list box.
  4. Click one of the items in the results list box and then click one of the following options:
    • Allow means that Exchange will be configured to allow ActiveSync traffic for all matching devices.
    • Deny means that Exchange will be configured to deny ActiveSync traffic for all matching devices.

    In this example, all devices that have a device type of TouchDown are denied access.

To add a regular expression

Regular expression local rules can be distinguished by the icon that appears next to them. To add a regular expression rule, you can either build a regular expression rule from an existing value from the results list for a given field (as long as a major snapshot has completed), or you can simply type in the regular expression that you want.

To build a regular expression from an existing field value

  1. Click the Access Rules tab.
  2. In the Device ID list, select the field for which you want to create a regular expression Local Rule.
  3. Click on the magnifying glass icon to display all of the unique matches for the chosen field. In this example, the field Device Type has been chosen and the choices are shown below in the list box.
  4. Click one of the items in the results list. In this example, SAMSUNGSPHL720 has been selected and appears in the text box adjacent to Device Type.
  5. To allow all device types that have “Samsung” in their device type value, add a regular expression rule by following these steps:
    a. Click within the selected item text box.
    b. Change the text from SAMSUNGSPHL720 to SAMSUNG.*
    c. Make sure that the regular expression check box is selected.
    d. Click Allow.

To build an access rule

  1. Click the Local Rules tab.
  2. To enter the regular expression, you need to make use of both the Device ID list and the selected item text box.
  3. Select the field you want to match against. This example uses Device Type.
  4. Type in the regular expression. This example uses samsung.*
  5. Ensure that the regular expression check box is selected and then click Allow or Deny. In this example, the choice is Allow so that the final result is as follows:

To find devices

By selecting the regular expression check box, you can run searches for specific devices that match the given expression. This feature is only available if a major snapshot has successfully completed. You can use this feature even if there is no plan to use regular expression rules. For example, assume that you want to find all devices that have the text “workmail” in their ActiveSync device ID. To do so, follow this procedure.

  1. Click the Access Rules tab.
  2. Ensure that the device match field selector is set to Device ID (the default).
  3. Click within the selected item text box (as shown in blue in the preceding figure) and then type workmail.*.
  4. Make sure the regular expression check box is selected and then click the magnifying glass icon to display matches as shown in the following figure.
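The procedures above describe three things the console does with access rules: exact-value (normal) rules, regular expression rules such as SAMSUNG.* and Andro.*, and the regular expression device search (workmail.*), plus the overridden/conflicting rule relationships shown earlier. The following Python is an added example that models these as data and functions; it is not XenMobile Mail Manager's own code. It assumes case-insensitive matching, that a regular expression must cover the whole field value, and that the first matching rule in list order decides the outcome; the device records and rule list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshot of ActiveSync device partnerships (sample data, not real devices).
DEVICES: List[Dict[str, str]] = [
    {"user": "user1", "device_id": "workmail01ab", "device_type": "TouchDown"},
    {"user": "user2", "device_id": "androidc4f9", "device_type": "Android"},
    {"user": "user3", "device_id": "sams8821", "device_type": "SAMSUNGSPHL720"},
    {"user": "user4", "device_id": "workmailzz", "device_type": "Android"},
]


@dataclass(frozen=True)
class Rule:
    field: str       # "user", "device_id" or "device_type"
    pattern: str     # exact value, or a regular expression when is_regex is True
    is_regex: bool
    action: str      # "Allow" or "Deny"

    def matches(self, value: str) -> bool:
        # Assumption: matching is case-insensitive and a regular expression must
        # cover the whole field value ("Andro.*" matches "Android", not "xAndroid").
        if self.is_regex:
            return re.fullmatch(self.pattern, value, re.IGNORECASE) is not None
        return value.lower() == self.pattern.lower()


# Ordered rule list. Assumption: the first matching rule decides the outcome.
RULES: List[Rule] = [
    Rule("device_type", "TouchDown", False, "Deny"),   # normal rule from the walkthrough
    Rule("device_type", "SAMSUNG.*", True, "Allow"),   # regex rule built from SAMSUNGSPHL720
    Rule("device_type", "Andro.*", True, "Deny"),      # regex rule from the relationship example
    Rule("device_type", "Android", False, "Allow"),    # normal rule that the regex rule overrides
]


def evaluate(rules: List[Rule], device: Dict[str, str]) -> Optional[str]:
    """Return the action of the first rule that matches the device, or None if none applies."""
    for rule in rules:
        if rule.matches(device[rule.field]):
            return rule.action
    return None


def find_devices(devices: List[Dict[str, str]], field: str, pattern: str) -> List[Dict[str, str]]:
    """The 'find devices' search: every device whose field matches the regular expression."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [d for d in devices if rx.fullmatch(d[field])]


def rule_relationships(rules: List[Rule], primary: Rule, devices: List[Dict[str, str]]) -> List[dict]:
    """Ancillary rules of `primary`: rules on the same field that match at least one snapshot
    value the primary also matches. A rule later in the list is reported as overridden
    (first match wins); a rule with a different action is reported as a conflict."""
    idx = rules.index(primary)
    primary_values = {d[primary.field] for d in devices if primary.matches(d[primary.field])}
    related = []
    for i, rule in enumerate(rules):
        if rule == primary or rule.field != primary.field:
            continue
        shared = sorted(v for v in primary_values if rule.matches(v))
        if shared:
            related.append({
                "rule": rule,
                "overridden": i > idx,
                "conflicts": rule.action != primary.action,
                "shared_values": shared,
            })
    return related


if __name__ == "__main__":
    for d in DEVICES:
        print(d["device_id"], d["device_type"], "->", evaluate(RULES, d))
    print("workmail.* devices:", [d["device_id"] for d in find_devices(DEVICES, "device_id", "workmail.*")])
    for rel in rule_relationships(RULES, RULES[2], DEVICES):
        print("ancillary:", rel["rule"].pattern, "overridden:", rel["overridden"], "conflicts:", rel["conflicts"])
```

With this ordering the normal Android rule (Allow) never fires because Andro.* (Deny) sits above it, which is exactly the overridden-and-conflicting relationship the console highlights; reviewing those relationships before saving a rule set is the practical way to catch an Allow that a broader Deny silently cancels, or the reverse.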

To add an individual user, device, or device type to a static rule

You can add static rules based on user, device ID, or device type on the ActiveSync Devices tab.

  1. Click the ActiveSync Devices tab.
  2. In the list, right-click a user, device, or device type and select whether to allow or deny your selection.

    The following image shows the Allow/Deny option when user1 is selected.

Device monitoring

The Monitor tab in XenMobile Mail Manager lets you browse the Exchange ActiveSync and BlackBerry devices that have been detected and the history of automated PowerShell commands that have been issued. The Monitor tab has the following three tabs:

  • ActiveSync Devices:
    • You can export the displayed ActiveSync device partnerships by clicking the Export button.
    • You can add Local (static) rules by right-clicking the User, Device ID, or Type columns and selecting the appropriate allow or block rule type.
    • To collapse an expanded row, Ctrl-click the expanded row.
  • BlackBerry Devices
  • Automation History

The Configure tab shows the history of all snapshots. Snapshot history shows when the snapshot took place, how long it took, how many devices were detected and any errors that occurred:

  • On the Exchange tab, click the Info icon for the desired Exchange Server.
  • Under the MSP tab, click the Info icon for the desired BlackBerry Server.

Troubleshooting and diagnostics

XenMobile Mail Manager logs errors and other operational information to its log file: <Install Folder>\log\XmmWindowsService.log. XenMobile Mail Manager also logs significant events to the Windows Event Log.

Common Errors

The following list includes common errors:

XenMobile Mail Manager service doesn’t start
Check the log file and the Windows Event Log for errors. Typical causes are as follows:

  • The XenMobile Mail Manager service cannot access the SQL Server. This may be caused by these issues:
    • The SQL Server service is not running.
    • Authentication failure.

    If Windows Integrated authentication is configured, the user account of the XenMobile Mail Manager service must be an allowed SQL logon. The account of the XenMobile Mail Manager service defaults to Local System, but may be changed to any account that has local administrator privileges. If SQL authentication is configured, the SQL logon must be properly configured in SQL.

  • The port configured for the Mobile Service Provider (MSP) is not available. A listening port must be selected that is not used by another process on the system.

XenMobile cannot connect to the MSP
Check that the MSP service port and transport are properly configured in the Configure > MSP tab of the XenMobile Mail Manager console. Check that the Authorization Group or User is set properly.

If HTTPS is configured, a valid SSL server certificate must be installed. If IIS is installed, IIS Manager can be used to install the certificate. If IIS is not installed, see http://msdn.microsoft.com/en-us/library/ms733791.aspx for details on installing certificates.

XenMobile Mail Manager contains a utility program to test connectivity to the MSP service. Run the <InstallFolder>\MspTestServiceClient.exe program, set the URL and credentials to the URL and credentials that will be configured in XenMobile, and then click Test Connectivity. This simulates the web service requests that the XenMobile service issues. Note that if HTTPS is configured, you must specify the actual host name of the server (the name specified in the SSL certificate).

Note: When using Test Connectivity, be sure to have at least one ActiveSyncDevice record or the test may fail.

Troubleshooting Tools

A set of PowerShell utilities for troubleshooting is available in the Support\PowerShell folder.

A troubleshooting tool performs in-depth analysis of user mailboxes and devices, detecting error conditions and potential areas of failure, and in-depth RBAC analysis of users. It can save the raw output of all cmdlets to a text file.


Exchange Backups Failing

Article Number: 500438
Article Version: 3
Article Type: Break Fix

Avamar Plug-in for Exchange VSS

Exchange backups fail with errors similar to the following:

avexvss Error <0000>: Error [avamar.dellemc.com] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

avexvss Error <16954>: Unable to initialize Powershell interface process — cannot continue.

avexvss Error <13077>: Unable to complete backup.

You might also see the first error when opening the Exchange Management Shell on the Exchange server.

The system time on the Exchange server is not synchronized with the time on the Active Directory Domain Controller/NTP server.

Time sync issues will create Kerberos authentication errors. In many environments, time differences greater than 5 minutes will cause the Windows server to be out of sync with the DC/NTP server.

The Exchange server time clock becomes out of sync with the DC or NTP server.

1. Resync the time between the Exchange server and the domain controller. The following Microsoft URL provides more information on the commands to do this:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings

2. Restart the Backup Agent service so that the avagent process is also aware of the correct time on the Exchange server.

The following URL provides more information on this issue:

https://www.experts-exchange.com/questions/27892225/Exchange-2010-Connecting-to-remote-server-failed-with-the-following-error-message-Access-is-denied.html
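The article ties a specific avexvss error sequence (the remoting "Access is denied" failure followed by error 16954) to Kerberos rejecting requests because the Exchange server clock is more than 5 minutes off the domain controller. The following Python is an added example, not Dell EMC's or Avamar's code: it parses avexvss-style log lines, looks for that signature, and combines it with a clock comparison against the 5-minute tolerance to separate a time-skew case from an access-denied failure with some other cause. The log lines and the reference time are constructed; the `avexvss <level> <code>: <message>` line shape is an assumption taken from the lines quoted above.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample modelled on the avexvss messages quoted in the article (not a real log).
SAMPLE_LOG = """\
avexvss Info <0000>: Preparing Exchange VSS backup.
avexvss Error <0000>: Error [avamar.dellemc.com] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
avexvss Error <16954>: Unable to initialize Powershell interface process -- cannot continue.
avexvss Error <13077>: Unable to complete backup.
"""

# Assumed line shape: "avexvss <Level> <code>: <message>".
LINE_RX = re.compile(r"^avexvss (?P<level>\w+) <(?P<code>\d+)>: (?P<msg>.*)$")

# Kerberos rejects tickets whose timestamps differ from the KDC by more than the
# skew tolerance; the article cites 5 minutes, which is also the Windows default.
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def parse_avexvss(text: str) -> List[Dict[str, str]]:
    """Split avexvss log lines into level, numeric code and message; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:
            events.append(m.groupdict())
    return events


def has_remote_ps_access_denied(events: List[Dict[str, str]]) -> bool:
    """The signature from the article: remoting 'Access is denied' followed later by code 16954."""
    denied_at = [i for i, e in enumerate(events)
                 if e["level"] == "Error"
                 and "Connecting to remote server failed" in e["msg"]
                 and "Access is denied" in e["msg"]]
    init_failed_at = [i for i, e in enumerate(events) if e["code"] == "16954"]
    return bool(denied_at) and bool(init_failed_at) and min(denied_at) < max(init_failed_at)


def clock_skew(exchange_time: datetime, reference_time: datetime) -> timedelta:
    """Absolute offset between the Exchange server clock and the DC/NTP reference clock."""
    return abs(exchange_time - reference_time)


def triage(log_text: str, exchange_time: datetime, reference_time: datetime) -> Dict[str, object]:
    """Combine the log signature with the clock comparison to point at the likely cause."""
    events = parse_avexvss(log_text)
    skew = clock_skew(exchange_time, reference_time)
    signature = has_remote_ps_access_denied(events)
    if signature and skew > KERBEROS_MAX_SKEW:
        verdict = "kerberos-time-skew"      # resync time, then restart the Backup Agent service
    elif signature:
        verdict = "remoting-access-denied"  # same symptom, but the clock is within tolerance
    else:
        verdict = "no-known-signature"
    return {
        "verdict": verdict,
        "skew_seconds": int(skew.total_seconds()),
        "error_codes": [e["code"] for e in events if e["level"] == "Error"],
    }


def triage_with_offset(log_text: str, exchange_offset_seconds: int) -> Dict[str, object]:
    """Convenience wrapper: the Exchange clock is `exchange_offset_seconds` ahead of
    (or, if negative, behind) a constructed reference time standing in for the DC."""
    reference = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed reference time
    return triage(log_text, reference + timedelta(seconds=exchange_offset_seconds), reference)


if __name__ == "__main__":
    print(triage_with_offset(SAMPLE_LOG, 7 * 60))   # 7 minutes fast: time-skew verdict
    print(triage_with_offset(SAMPLE_LOG, 2 * 60))   # 2 minutes fast: within tolerance
```

The point of the second branch is that the same avexvss lines appear whenever the remote PowerShell session is refused, so the verdict should only be "time skew" when the clocks actually disagree by more than the tolerance; otherwise the resync step in the article will not fix the backup.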
