Reset Search



KB16787 - The Roaming Session feature is not supported by the web-based Email Client

« Go Back


Last Modified Date8/2/2015 9:07 PM
If clients have  their source IP altered during a session then web-based Email client mode will block their access irrespective of the Roaming Session setting.    The other two modes of Email Client do not block these connections.
Problem or Goal
If the client is using web-based Email Client and their source IP changes, they are blocked from sending e-mail even if Roaming Session is enabled.
A User Access log message of the following format is generated:
Info EML20800 <date> <time> - pcs - [] Root::Mail-Proxy()[] - SMTP: Check pcs Web Authentication fail for '<username>' because Web and Mail IP addresses do not match.
The Email Client allows the PCS to securely proxy client e-mail connections using SSL from clients to unsecured backend mail servers. It is configured under  Users > Resource Policies > Email Client, the same configuration is used for all roles which have Email Client enabled under their Access Features.  There are three different modes the Email Client can be set to use:

1. Web-based email session
Users sign in to the PCS and click a Start button to start an email session. Initially users must generate username and password credentials on their PCS home page by clicking the options icon to the right of the Start button of the Email Session part of the Client Application Sessions section, then enter the generated details into their e-mail client.  

2. Combined PCS and mail server authentication
Users do not need to sign in to the PCS to use e-mail but need to sign in for the initial setup by selecting Preferences > General tab > 'Email Setup..' button; where they can configure the settings to specify alternative mail servers or to generate a unique username, which must then be entered into their e-mail client.  For the client password, users enter a combination of their PCS and mail server passwords, delimited by an admin configurable password separator.

3. Mail server authentication only
Users do not need to sign in to the PCS to use e-mail, they simply configure their e-mail client with their e-mail username and password as normal.  Users who are not using the default mail server must sign in once to specify their email information. Name conflicts are also resolved in this way.   This option is the least secure and is not recommended.  The configuration for this is also done on the user's portal page by selecting 'Preferences > General tab > 'Email Setup..' button.

With the first method the user signs into the PCS via HTTPS before initiating the email proxy on their PCS homepage.  If the user changes source IP, when they next attempt to use the email proxy the PCS logs that the IP used to sign into the web page is different than the one attempting to access the email service and blocks the attempt. Stopping and starting the Email Client proxy on the user's home page allows the email connections to proceed.   Enabling Roaming Session for the role does not effect this behavior.

The other two methods do not require a user to sign into the PCS homepage before starting to use the secure Email Client feature so changes in client source IP do not effect the performance as there is no saved  browser session IP.

A workaround is to use source NAT for the clients so the change in source IP is not seen by the PCS.
Related Links
Attachment 1 
Created ByData Deployment



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255