Introduction to the Secure Email Gateway (SEG)


The Secure Email Gateway (SEG) Proxy server is a separate server installed in-line with your existing email server to proxy all email traffic going to devices.

Note: The SEG Proxy model requires Exchange ActiveSync infrastructure (for example, Microsoft Exchange 2003/2007/2010/2013, Lotus Traveler or Novell GroupWise Data Synchronizer). Consult your AirWatch representative for more information.

The AirWatch SEG Proxy server is configured to sit in front of your corporate email server. Based on the settings you define in the AirWatch Admin Console, the SEG Proxy server makes an allow/block decision for every mobile device it manages. It relays traffic from approved devices and protects the corporate email server by not allowing any device to communicate with it directly; instead, the SEG Proxy server filters every request before it reaches the corporate email server. The SEG adds a further layer of security by controlling how email attachments and hyperlinks can be viewed: through the SEG, attachments and hyperlinks are encrypted so that they can be opened only in Secure Content Locker, thus protecting sensitive information.

The SEG server is installed inline with corporate email traffic. It may be installed in a DMZ or behind a reverse proxy, for example an F5 appliance. The SEG server must be hosted in the customer data center regardless of whether the AirWatch MDM server is in the cloud or on-premises.

In This Guide

Before You Begin - This section covers the basic requirements and other topics that help you get started with the solution.

Secure Email Gateway Configuration - This section explains the SEG setups that AirWatch supports.

Secure Email Gateway Implementation - This section details how to enable the SEG in the AirWatch Admin Console.

Upgrading Secure Email Gateway - Explains how to upgrade the SEG to the latest version.



Before You Begin


The Before You Begin topic provides the information that helps you with the initial setup, configuration, and understanding of the requirements essential for a smooth deployment.

In This Section

Requirements - Lists all the software, hardware, and network requirements.

Prerequisite - Explains how to enable the SOAP API from which the API certificate is obtained.

Recommended Reading - Provides helpful background and supporting information available from other AirWatch guides.

Requirements

For a complete listing of all requirements for installing the SEG, refer to Prerequisites for SEG Connectivity.

Prerequisite

Enable the Simple Object Access Protocol (SOAP) Application Programming Interface (API) for the required organization group. To configure the SOAP API URL for your AirWatch environment, navigate to Groups & Settings ► All Settings ► System ► Advanced. The AirWatch Admin Console obtains the API certificate from the SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format

Recommended Reading

AirWatch Mobile Email Management Administration Guide - A comprehensive guide to AirWatch's mobile email management functionality.

AirWatch Mobile Device Management Guide - A comprehensive guide to AirWatch's device management



Prerequisites for SEG Connectivity

Hardware Requirements

Requirement: VM or physical server.

Notes:

Without content transformation (attachment handling, hyperlink security, tagging and so on): 1 CPU core (2 GB RAM) per 2,000 devices syncing email through the SEG server. Maximum 8 CPU cores per SEG.

With content transformation (attachment handling, hyperlink security, tagging and so on): 1 CPU core (2 GB RAM) per 1,000 devices syncing email through the SEG server. Maximum 8 CPU cores per SEG.

Load-balanced SEG servers can be deployed; the size requirements are cumulative across the servers.

Note: Sizing estimates vary based on actual email and attachment usage. Add SEG servers as necessary. If you implement attachment and hyperlink security, the number of CPU cores needed for a given number of devices depends on the volume of attachments and hyperlinks those devices exchange. Contact your AirWatch representative for more details.

General Requirements

Remote access to the Windows servers, available to AirWatch, with Administrator rights. See General Requirements.

Recommended: set up Remote Desktop Connection Manager for managing multiple servers. The installer can be downloaded from

Recommended: install Notepad++. The installer can be downloaded from

Ensure Exchange

Software Requirements

Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2

Install Role from Server Manager:

IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2) or IIS 8.5 (Server 2012 R2 only)

Install Role Services from Server Manager:

Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection

Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes

Management Tools: IIS Management Console, IIS 6 Metabase Compatibility

Note: Ensure WebDAV is not installed.

Install Features from Server Manager:

.NET Framework 3.5.1 Features: entire module (.NET Framework 3.5.1, WCF Activation)

Message Queuing: Message Queuing Server

Telnet Client


.NET Framework 4.0: download from

Note: The SEG Installer installs .NET 4.0 if it is not installed beforehand.

Externally registered DNS name. See Server Requirements.

SSL certificate from a trusted third party, with the Subject or Subject Alternative Name matching the external DNS name. Ensure the certificate chain is trusted by all device types in use (for example, not all Comodo certificates are natively trusted by Android).

IIS 443 binding with the same SSL certificate.

Validate that you can connect to the server over HTTPS. At this point you should see the IIS splash page. See Server Requirements.


Network Requirements

Source: Devices (from Internet and Wi-Fi)
Destination Component: AirWatch SEG
Protocol and Port: HTTPS 443
Verification: Telnet from the Internet to the SEG server on port 443.

Source: SEG
Destination Component: AirWatch SOAP API (DS or CN server)
Protocol and Port: HTTP or HTTPS, 80 or 443
Verification: Verify that the following URL is trusted from the browser on the SEG server: https://<API URL>/AirWatchServices/Internal/ActiveSyncIntegrationServiceEndpoint.svc

Source: SEG (optional)
Destination Component: Internal hostname or IP of all other SEG servers
Protocol and Port: HTTP 8090
Verification: Required only if you are using SEG clustering (multiple load-balanced SEG servers).

The following requirements apply based on the email configuration you are using:

Source: SEG
Destination Component: Exchange
Protocol and Port: HTTP or HTTPS, 80 or 443
Verification: Verify that the following URL is trusted from the browser on the SEG server and prompts for credentials: http(s)://Exchange_Activesync_FQDN/Microsoft-server-activesync. Once you enter the credentials, verify that a 501/505 HTTP page displays.

Source: SEG
Destination Component: Lotus Notes
Protocol and Port: HTTP or HTTPS, 80 or 443
Verification: Same check as for Exchange, against the Lotus Notes URL. For Lotus Notes:

Source: SEG
Destination Component: Google
Protocol and Port: HTTPS 443
Verification: Same check as for Exchange, against the Google URL. For Google:

Source: SEG
Destination Component: Novell GroupWise
Protocol and Port: HTTP or HTTPS, 80 or 443
Verification: Same check as for Exchange, against http(s)://Groupwise_FQDN/EAS or http(s)://Groupwise_FQDN/Microsoft-server-activesync, depending on the GroupWise version. Once you enter the credentials, verify that a 501/505 HTTP page displays.

Where HTTP is listed as an option, prefer HTTPS: the SEG's own API credentials and the ActiveSync credentials it relays for devices would otherwise cross the network in clear text, and the "trusted from the browser" checks above only exercise the HTTPS path.
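The credential-prompt and 501/505 checks in the table above can be scripted rather than done by hand in a browser. The following is an added example, not AirWatch code and not part of this guide: probe() performs the unauthenticated and authenticated GETs against a caller-supplied ActiveSync URL using only the Python standard library, and classify_probe() holds the decision logic so the verdicts can be exercised offline with constructed status codes. The default path, the verdict names and the credentials are the example's own assumptions.

```python
"""Probe an ActiveSync endpoint the way the connectivity checklist describes.

Added example; it is not AirWatch code. The checklist says the EAS URL must
(1) be trusted from the SEG server, (2) prompt for credentials, and (3) answer
a browser GET with a 501/505 page once credentials are supplied. probe() runs
those three steps live; classify_probe() is the pure decision logic, so it can
be tested offline with constructed status codes.
"""
import base64
import urllib.error
import urllib.request

EAS_PATH = "/Microsoft-Server-ActiveSync"   # GroupWise may expose /EAS instead


def classify_probe(unauth_status, unauth_headers, auth_status):
    """Map the two responses (before and after credentials) to (verdict, detail).

    'ok' is the only passing verdict; it corresponds to the 501/505 page the
    checklist asks you to look for after entering credentials.
    """
    lowered = {k.lower(): v for k, v in unauth_headers.items()}
    www = lowered.get("www-authenticate", "")
    if unauth_status != 401:
        return "not-eas", f"expected a 401 credential prompt, got {unauth_status}"
    if not www:
        return "not-eas", "401 without a WWW-Authenticate challenge"
    if "basic" not in www.lower():
        return "no-basic", f"endpoint offers only '{www}'; this probe speaks Basic"
    if auth_status in (501, 505):
        return "ok", f"EAS endpoint answered {auth_status} to an authenticated GET"
    if auth_status in (401, 403):
        return "bad-credentials", f"credentials rejected with {auth_status}"
    return "unexpected", f"authenticated GET returned {auth_status}, not 501/505"


def probe(base_url, username, password, path=EAS_PATH, timeout=10):
    """Run the three checks live against base_url + path (needs the network)."""
    url = base_url.rstrip("/") + path

    def get(extra_headers):
        req = urllib.request.Request(url, headers=extra_headers, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, {k: v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:     # 4xx/5xx still carry headers
            return err.code, {k: v for k, v in err.headers.items()}

    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    try:
        unauth_status, unauth_headers = get({})
        auth_status, _ = get({"Authorization": "Basic " + token})
    except urllib.error.URLError as err:
        # urlopen validates the chain against the OS trust store, so an
        # untrusted certificate surfaces here, matching "trusted from the browser".
        return "untrusted-or-unreachable", str(err.reason)
    return classify_probe(unauth_status, unauth_headers, auth_status)


if __name__ == "__main__":
    import sys
    # usage: probe.py https://eas.example.com username password
    print(probe(*sys.argv[1:4]))
```

Run it from the SEG server itself so the trust-store check reflects that host. A 'no-basic' verdict means the endpoint offered only Negotiate or NTLM to the probe; that is not a SEG failure by itself, but this probe cannot complete the authenticated step without Basic.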

General Requirements

Remote Access to Servers

Ensure that you have remote access to the servers on which AirWatch is installed. Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide AirWatch with VPN credentials to access the environment directly.

Server Requirements

External DNS Name

In a multi-server deployment, the components are installed on separate servers, and only the "device services" component requires an external DNS name; the "console" component can remain available internally only.

SSL Certificate

The externally available URL of the AirWatch server must be set up with a trusted SSL certificate. A wildcard or individual website certificate is required.

1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be found here:

2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider will have instructions for this process.

3. Once the certificate is on the server, use it to add a 443 binding to the Default Web Site in IIS. Your SSL certificate should appear in the drop-down menu of available certificates.

4. Validate that you can connect to the server over HTTPS. At this point you should see the IIS splash page.
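The certificate requirement stated here and in the connectivity checklist (Subject or Subject Alternative Name matching the external DNS name; wildcard or individual certificate) is easy to get wrong with wildcards. As an added example that is not part of this guide or of AirWatch, the following code applies the name-matching rules mobile clients use to a candidate list of names, which is useful before a certificate is issued, and can also read the names from a live listener. The hostnames in it are constructed.

```python
"""Check that a certificate's DNS names cover the SEG's external hostname.

Added example, not AirWatch code. cert_covers_hostname() applies the RFC 6125
rules that iOS, Android and other TLS clients use: names compare
case-insensitively, a wildcard must be the whole left-most label, it covers
exactly one label, and the Common Name is consulted only when the certificate
has no SAN entries at all. fetch_names() reads the names from a live listener
using the default verifying context, so it also fails when the local trust
store rejects the chain or the name does not match.
"""
import socket
import ssl


def _match_one(pattern, hostname):
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' must be the entire first label, appear nowhere else, and leave at
    # least two literal labels (so "*.com" can never match anything).
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    if len(h_labels) != len(p_labels):
        return False  # a wildcard never spans a sub-subdomain
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(san_dns_names, hostname, subject_cn=None):
    """Return the certificate name that matched, or None if hostname is not covered."""
    if san_dns_names:  # SAN present: the CN is ignored, as modern clients do
        return next((n for n in san_dns_names if _match_one(n, hostname)), None)
    if subject_cn and _match_one(subject_cn, hostname):
        return subject_cn
    return None


def fetch_names(host, port=443, timeout=10):
    """Connect with the default (verifying) context; return (san_dns_names, cn).

    Raises ssl.SSLCertVerificationError when the chain is not trusted locally
    or the name does not match, the same failure a device with an incomplete
    trust store would report.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = next((value for rdn in cert.get("subject", ()) for key, value in rdn
               if key == "commonName"), None)
    return sans, cn


if __name__ == "__main__":
    # Constructed example: a wildcard covers one label only.
    for name in ("seg.example.com", "mail.seg.example.com"):
        print(name, "->", cert_covers_hostname(["*.example.com"], name))
```

The live check in fetch_names() only tells you the local Windows trust store accepts the chain; the checklist's point that not every CA is natively trusted on every device type still has to be verified on each platform you deploy.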



SEG Architecture


The section outlines the architecture layout for setting up SEG with your email infrastructure.

In This Section

Recommended Setup - Explains the recommended setup and displays a schematic representation of it.

Supported Setup - Explains an alternative supported setup and displays a schematic representation of it.

Recommended Setup: Exchange ActiveSync SEG Configuration

This configuration uses a reverse proxy to direct mobile device users to the SEG Proxy while routing browser users directly to their webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol.

Supported Setup: Exchange ActiveSync SEG Configuration

AirWatch also supports the following configuration, in which the SEG proxy routes all incoming traffic (including Outlook Web Access).



SEG Implementation


Once you understand the ways in which the SEG can be configured, choose the type that fits your organization's requirements. To implement the SEG proxy server on your chosen mail architecture, follow the steps below.

In This Section

Prerequisites - Explains the initial setup required to implement the SEG.

Enabling SEG Proxy - Details the steps required to enable the SEG from the AirWatch Admin Console.

Downloading Installer - Explains the steps required to download the SEG installer.

Installing the SEG - Explains the steps associated with installing the SEG.

Configuring SEG - Explains the steps associated with configuring the SEG.

Deploying Email through SEG - Explains how email is delivered to the devices via the SEG.


Prerequisites

1. Enable the Simple Object Access Protocol (SOAP) Application Programming Interface (API) for the required organization group. To configure the SOAP API URL for your AirWatch environment, navigate to Groups & Settings ► All Settings ► System ► Advanced. The AirWatch Admin Console obtains the API certificate from the SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format

2. Create an Exchange ActiveSync profile with the Assignment Type set to Optional and the EAS hostname set to the SEG server URL.

Step 1: Enabling SEG Proxy on AirWatch Admin Console

1. Navigate to Email ► Settings in the AirWatch Admin Console and click Configure. The Mobile Email Management wizard displays.

2. In the Mail Platform wizard form, select the Email Server Type from the drop-down menu, choose a Deployment Type for your selected email architecture, and then click Next.

Note: By default, the SEG proxy is deployed for Exchange 2003 / 2007 environments. For Exchange 2010 / 2013 or Office 365 / BPOS environments, select the deployment type With SEG Proxy. If you wish to deploy the SEG Proxy server for Office 365, contact your AirWatch representative for additional information.

3. In the MEM Deployment wizard form:

Enter a friendly name for the SEG deployment. This name is displayed on the MEM dashboard for devices managed by this SEG.

Enter the URL for the SEG server in the Secure Email Gateway URL field. The Console uses this URL to provision email policies to the SEG server.

You may enable the Ignore SSL Errors between SEG and AirWatch Server check box to ignore Secure Socket Layer (SSL) certificate errors between the AirWatch components and the SEG server. Doing so disables certificate validation on that link, so use it only while troubleshooting and fix the underlying certificate problem (name mismatch, untrusted issuer or expiry) rather than leaving it enabled in production.

(Recommended) Select the Use Basic Authentication check box and enter the Gateway Username and Gateway Password to authenticate and secure traffic (including policy updates sent to the SEG server) between the AirWatch components and the SEG. If this is disabled, anonymous authentication is used, and any host that can reach the SEG's policy endpoint can submit requests to it.

Use the Test Connection option to confirm the validity of the server URL entered. If the test fails, a list of reasons displays to help you identify the cause of the connection failure. If during initial setup this test succeeds but other options fail, you can still proceed with the installation. After the installation completes, use Test Connection again to verify connectivity across all components and features between AirWatch and the SEG server.

Click Next.

4. In the MEM Profile Deployment form (highly recommended for new installs and upgrades):

Select a device platform from the available list.

Select an email client from the available list.

Associate an existing profile for the chosen platform and email client. Only one profile per device type and mail client can be associated.

5. Click Next. The Summary form provides a quick overview of the basic configuration you have just created for the SEG deployment. Save the settings.

6. Optionally, configure the advanced settings. To do this, navigate to the Email ► Settings page and click the icon located on the Email Configuration main screen.

By default, the Use Recommended Settings check box is enabled to capture all SEG traffic information from devices. Otherwise, specify what information the SEG should log for devices and how frequently.

Select Enable Real-time Compliance Sync to allow the AirWatch Admin Console to remotely provision compliance policies to the SEG Proxy server.

Enable the Ignore SSL Errors check box to ignore Secure Socket Layer (SSL) certificate errors between the SEG and the email server.

Enable the second Ignore SSL Errors check box to ignore Secure Socket Layer (SSL) certificate errors between the AirWatch components and the SEG server. Both settings suppress certificate validation on the affected hop and should stay disabled in production.

KCD authentication - Enable or disable Cross Domain KCD (Kerberos Constrained Delegation) authentication using the settings available.

Required transactions - Enable or disable required transactions such as Folder Sync and Settings.

Optional transactions - Enable or disable optional transactions such as Get Attachment, Search and Move Items.

Diagnostic - Set the number and frequency of transactions for a device.

Sizing - Set the frequency of SEG and API server interaction.

S/MIME Options - Enable the check box to disallow the encryption of attachments and hyperlinks through the



Step 2: Preparing for the Installation

1. Download the SEG Installer from the AirWatch Admin Console to the SEG server attached to your network. To download it, navigate to the Email ► Settings page and click the Download the SEG Installer option. This page is available only after you complete the Email Configuration steps in the section above.

2. You might need to disable User Account Control (UAC) for the installation process. You can re-enable UAC after the installation is complete. This is an environmental consideration that varies depending on the server deployment.

3. In the AirWatch Admin Console, create an admin account for the SEG (this is required for the simple installation wizard).

Note: Configure the admin account at an organization group level at or above the one where you wish to configure the SEG.

Step 3: Running the AirWatch SEG 7.2 Installer

1. Double-click the AirWatch SEG 7.2 Installer.exe file, or right-click it and choose Run as Administrator. The Setup dialog box displays, followed by a Welcome dialog box. Click Next.

Note: If you receive a Security Warning, choose Run.

2. Accept the End User License Agreement, and then click Next.

3. Specify the Destination Folder in which to install the SEG. Click Change if you want to modify the destination folder for the AirWatch application files.

Note: The installer defaults to C:\AirWatch. However, the standard is to install AirWatch on a partition separate from the OS.

5. Click Install to begin the SEG installation.

6. Once the installation process is complete, the SEG Installation Wizard dialog box appears. Click Finish to close the installer. The AirWatch SEG Setup shortcut icon is created automatically on the desktop, and the localhost URL opens in Explorer.

Step 4: Configuring the SEG with the Setup Wizard

Once the installation process is complete, the Secure Email Gateway Setup Wizard auto-launches. If it does not, double-click the SEG shortcut icon on the desktop to open the wizard.

1. Specify the following information on the Setup page:

Enter the AirWatch Server Hostname that hosts the API. This is usually the AirWatch API Service URL.

Specify the SEG Admin Account Username and Password. This account is used to integrate with the API and should be enabled with the 'Allow Remote Access' role resource in the AirWatch Admin Console. Create the SEG Admin Account at the organization group you wish to configure the SEG for, or at a level above it. Give this account only the resources the SEG needs and do not reuse an interactive administrator's account, since the SEG keeps these credentials to authenticate to the API.

2. Configure the SEG for your specific deployment:

In the Organization Group field, enter the Group ID for the SEG's organization group.

Select the MEM configuration from the drop-down.

3. Next, specify the following SEG Configuration settings. They are pre-populated with the settings you entered in the AirWatch Admin Console. Make any changes as needed; at the end of the Setup wizard, the changes are reflected automatically in the AirWatch Admin Console.

Select the Email Server type and Exchange version, and enter the Email Server Hostname for the AirWatch SEG to communicate with your internal email servers.

Optionally, select the check box to proxy webmail traffic in addition to EAS traffic through the SEG.

Specify what information the SEG logs for devices and how frequently.

Choose whether to ignore SSL errors caused by certificates between the SEG and the EAS server.

Enter the interval, in minutes, at which the SEG refreshes its rules.

Set the transfer rate for transactions between the SEG and the AirWatch Admin Console.

Define a Friendly Name to identify the SEG in the logs.

Select Enable Real-time Compliance Sync so that the AirWatch Admin Console pushes compliance updates instead of having the SEG poll for them periodically. Your compliance rule set then updates immediately when actions occur instead of at the refresh interval.

Specify a Gateway Hostname: the hostname of this specific SEG Proxy server.

Click Next when complete.

4. If you are load balancing multiple SEG servers, select the Enable SEG Clustering check box.

a. Specify the name you wish to assign to the cluster in the Cluster Directory Name field.

b. Define the default port for the SEG servers to communicate with each other. This port (8090 in the network requirements) carries HTTP, so restrict it at the firewall to the other SEG nodes only.

c. Specify the host name of each SEG server in the cluster in the Node Address field.

d. Click Next when complete.

Note: Any changes made to the SEG configuration are updated automatically in the Console settings after the Setup wizard completes.



Step 5: Deploying Mobile Email through the SEG Proxy

Now that the SEG is fully configured, it is ready to begin protecting mobile email. To start using the SEG, configure all mobile devices to fetch email through the SEG server instead of the EAS server. To do this, deploy an EAS profile to your mobile fleet.

1. Navigate to the Devices ► Profiles ► List View page and click Add to create a new profile.

2. Select a device platform.

Note: If you are using the SEG for multiple device operating systems, create a similar profile for each platform.

3. On the General tab, enter the information about the profile and assign the profile to the applicable Organization Group.

4. Select Exchange ActiveSync and choose Configure. From here, configure the parameters to access corporate mail through the SEG.

Select the Mail Client your organization intends end users to use from the drop-down menu.

Ensure that the Exchange ActiveSync Host is the hostname of the SEG server and not the Exchange server. A profile that still points at the Exchange server bypasses every SEG policy, so the Exchange ActiveSync endpoint should not be reachable from devices except through the SEG or the reverse proxy in front of it.

Note: If you have chosen Lotus Notes as your email client:

a. Append 'microsoft-server-activesync' to your SEG server URL. For example,

b. For Android Agent 4.2 and above, end users have to install Lotus Notes manually.

Note: As a best practice, leave the Password field blank. This prompts the end user to enter their password once the profile is installed on the device.



Email Management through the Secure Email Gateway (SEG) Proxy


After the SEG proxy integration setup is complete, you can manage the connected device email traffic, set email policies, and take appropriate actions on the devices from the AirWatch Admin Console.

In This Section

Securing with Email Policies - This section covers the features you can configure in AirWatch to provide a deeper level of security for the device fleet.

Email Dashboard - This section covers the features available on the Email Dashboard to manage and monitor devices effectively.

List View - This section covers the features available from the List View screen that enable you to perform administrative actions on devices.

Securing with Email Policies

Compliance Policies

Enable the policies below from Email ► Compliance Policies. You can activate or deactivate a policy using the colored buttons under the Active column. Use the edit policy icon under the Actions column to set what the policy allows or blocks.

General Email Policies

Sync Settings - Prevent the device from syncing with specific EAS folders. AirWatch prevents devices from syncing with the selected folders irrespective of other compliance policies. For the policy to take effect, republish the EAS profile to the devices (this forces devices to re-sync with the email server).

Managed Device - Restrict email access to managed devices only.

Mail Client - Restrict email access to a set of mail clients.

User - Restrict email access to a set of users.

EAS Device Type - Allow or block devices based on the EAS Device Type attribute reported by the end-user device. Because the client supplies this value itself, treat it as a convenience filter rather than a security boundary.

Note: The Android Lotus Notes Client does not support the EAS Device Type policy.

Managed Device Policies

Inactivity - Prevent inactive managed devices from accessing email. You can specify the number of

Device Compromised - Prevent compromised devices from accessing email. This policy does not block email access for devices that have not reported a compromised status to AirWatch.

Encryption - Prevent email access for unencrypted devices. This policy applies only to devices that have reported their data protection status to AirWatch.

Model - Restrict email access based on the Platform and Model of the device.

Operating System - Restrict email access to a set of operating systems for specific platforms.
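To make the precedence between the Whitelist/Blacklist/Default override and the policies concrete, together with the two caveats about reported status, here is an added example that is not AirWatch code. It evaluates constructed device records against a constructed policy set and returns the allow/block decision with a reason string modelled on the Policy Violation filter values described later in this guide. The policy keys, the reason strings and the assumption that Inactivity is measured in days are the example's own.

```python
"""Evaluate one device against the SEG compliance policies listed above.

Added example, not AirWatch code. It models the policy list and the
Whitelist/Blacklist/Default override semantics described in this guide so
the precedence and the "reported status" caveats are explicit. Policy keys,
reason strings and the sample devices are constructed; the inactivity
threshold is assumed to be a number of days.
"""
from datetime import datetime, timedelta

NOW = datetime(2015, 3, 1, 12, 0)   # fixed clock so the sample is reproducible

# Constructed policy set: an absent key means that policy is inactive.
POLICIES = {
    "managed_device": True,                          # block unmanaged devices
    "mail_client": {"iOS Mail", "Android Native"},   # allowed mail clients
    "eas_device_type": {"block": {"WindowsMail"}},   # block by EAS DeviceType
    "inactivity_days": 14,
    "compromised": True,
    "encryption": True,
    "os": {"iOS": {"7.1", "8.0", "8.1"}},            # allowed OS versions per platform
}


def evaluate(device, policies, now=NOW):
    """Return (allowed, reason) for one device record."""
    override = device.get("override", "Default")
    if override == "Whitelisted":        # overrides win over every policy
        return True, "Whitelisted"
    if override == "Blacklisted":
        return False, "Blacklisted"

    # General email policies apply to managed and unmanaged devices alike.
    if policies.get("managed_device") and not device["managed"]:
        return False, "Not Enrolled"
    clients = policies.get("mail_client")
    if clients is not None and device["mail_client"] not in clients:
        return False, "Unapproved Mail Client"
    users = policies.get("user")
    if users is not None and device["user"] not in users:
        return False, "Unapproved Email Account"
    eas = policies.get("eas_device_type")
    if eas is not None:
        eas_type = device.get("eas_device_type")
        allowed = eas.get("allow")
        if eas_type in eas.get("block", ()) or (allowed and eas_type not in allowed):
            return False, "Unapproved EAS Device Type"

    # Managed device policies depend on attributes the agent reports, so they
    # can only ever apply to managed devices.
    if device["managed"]:
        days = policies.get("inactivity_days")
        if days is not None and now - device["last_seen"] > timedelta(days=days):
            return False, "Device Inactive"
        # Caveat from the guide: a device that has not reported its status
        # (None here) is not blocked by the Compromised or Encryption policy.
        if policies.get("compromised") and device.get("compromised") is True:
            return False, "Compromised"
        if policies.get("encryption") and device.get("data_protected") is False:
            return False, "Not Data Protected"
        models = policies.get("model", {}).get(device["platform"])
        if models is not None and device["model"] not in models:
            return False, "Unapproved Model"
        oses = policies.get("os", {}).get(device["platform"])
        if oses is not None and device["os"] not in oses:
            return False, "Unapproved OS"
    return True, "Compliant"


def dev(days_since_seen=1, **overrides):
    """Constructed device record; keyword arguments replace the defaults."""
    record = {
        "user": "jdoe", "managed": True, "mail_client": "iOS Mail",
        "eas_device_type": "iPhone", "platform": "iOS", "model": "iPhone 6",
        "os": "8.1", "compromised": False, "data_protected": True,
        "last_seen": NOW - timedelta(days=days_since_seen),
    }
    record.update(overrides)
    return record


def run_sample(policies=POLICIES):
    """Evaluate constructed devices; returns {label: (allowed, reason)}."""
    fleet = {
        "compliant": dev(),
        "unmanaged": dev(managed=False),
        "jailbroken": dev(compromised=True),
        "status-not-reported": dev(compromised=None, data_protected=None),
        "stale": dev(days_since_seen=30),
        "touchdown": dev(mail_client="TouchDown"),
        "old-ios": dev(os="6.1"),
        "blacklisted": dev(override="Blacklisted"),
        "whitelisted-unmanaged": dev(managed=False, override="Whitelisted"),
    }
    return {label: evaluate(d, policies) for label, d in fleet.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in run_sample().items():
        print(f"{label:24} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

Two things to take from the sample: a Whitelisted override bypasses every policy including Managed Device, so that action deserves auditing; and a device that has never reported compromise or data-protection status passes those two policies, so a "Compliant" reason is not proof that the status was actually checked.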

Email Security Policies

Attachments (managed devices) - Encrypt email attachments of selected file types. These attachments are secured on the device and can be viewed only in the AirWatch Secure Content Locker. Currently, this feature is available only on managed iOS and Android devices with the Secure Content Locker application. For other managed devices, you can choose to allow encrypted attachments, block attachments, or allow unencrypted attachments.

Attachments (unmanaged devices) - Allow encrypted attachments, block attachments, or allow unencrypted attachments for unmanaged devices.

Hyperlink - Allow device users to open hyperlinks contained in an email directly in a secure AirWatch application (for example, AirWatch Browser) present on the device. Based on the application list sample, AirWatch dynamically rewrites the hyperlink for the appropriate application on the device.

Note: The Android Lotus Notes Client and iOS TouchDown presently do not support the attachment encryption email security policy.

Email Dashboard

Gain visibility into email traffic and monitor devices through the AirWatch Email Dashboard. This dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from Email ► Dashboard. From the Email Dashboard, you can access the List View page, which enables you to:

Whitelist or blacklist a device to allow or deny access to email, respectively.

View the devices that are managed, unmanaged, compliant, non-compliant, blocked, or allowed.

From the Dashboard, you can also use the available graphs to filter your search. For example, to view all the managed devices of that organization group, select the Managed Devices graph. The results display in the List View screen.

List View

View all the real-time updates of the end user devices that you are managing with AirWatch MEM. You can access the List View from Email ► List View. You can view device- or user-specific information by switching between the two tabs available here, Device and User. You can change the Layout to view either a summary or a detailed list of the information.

The List View screen provides detailed information that includes:

Last Request - In SEG integration, this column shows the last time a device synced mail.

User - The user account name.

Friendly Name - The friendly name of the device.

MEM Config - The configured MEM deployment that is managing the device.

Email Address - The email address of the user account.

Identifier - The unique alphanumeric identification code associated with the device.

Mail Client - The email client syncing email on the device.

Last Command - The command that triggered the last state change of the device; it populates the Last Request column.

Last Gateway Server - The server to which the device connected.

Status - The real-time status of the device and whether email is blocked or allowed on it according to the defined policy.

Reason - The reason code for allowing or blocking email on a device. Please note that the reason code displays

Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.

Mailbox Identity - The location of the user mailbox in Active Directory.

Filters for Quick Search

From here, using the Filter option, you can narrow your device search based on:

Last Seen - All, less than 24 hours, 12 hours, 6 hours, 2 hours.

Managed - All, Managed, Unmanaged.

Allowed - All, Allowed, Blocked.

Policy Override - All, Blacklisted, Whitelisted, Default.

Policy Violation - Compromised, Device Inactive, Not Data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.

MEM Config - Filter devices based on the configured MEM deployments.

Performing Actions

The Override, Actions, and Administration drop-down menus provide a single location to perform multiple actions on the device.

Note: These actions cannot be undone once performed.

Select the check box corresponding to a device to perform actions on it.

Whitelist - Allows a device to receive email.

Blacklist - Blocks a device from receiving email.

Default - Allows or blocks a device based on whether it is compliant or non-compliant.

Remote Wipe - Resets the device to factory settings.

Run Compliance - Triggers the compliance engine to run for the selected MEM configuration.

Enable Test Mode - Tests email policies without applying them to devices.

Dx Mode On - Runs diagnostics for the selected user mailbox.

Dx Mode Off - Turns off diagnostics for the selected user mailbox.

Update Encryption Key - Resets the encryption key and re-syncs email for the selected devices.

Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Please note that

Migrate Devices - Migrates selected devices to other chosen MEM configurations by deleting the installed EAS profile



Appendix: Upgrading the SEG Proxy Server


The SEG is designed to make the upgrade process quick and easy. Perform the following steps to upgrade the SEG to the latest version.

In This Section

Preparing for the SEG Upgrade - Details the location and requirements for downloading the SEG installer.

Running the SEG Installer - Explains the steps to upgrade the SEG to the latest version.

Step 1: Preparing for the Upgrade

1. Download the SEG Installer from the AirWatch Admin Console under Email ► Settings ► General. Ensure that the environment from which the SEG Installer was downloaded is running AirWatch v7.2.

2. It is recommended to run the MEM Configuration wizard again and associate the existing EAS profile to the SEG


Step 2: Running the AirWatch SEG v7.2 Installer

1. Double-click the AirWatch SEG v7.2 Installer.exe file, or right-click to choose Run as Administrator.

Upon opening, the SEG Installer detects if a previous version is installed and verifies if you want to upgrade to the new version. Click Yes, and then click Next.


