Leveraging SEG with IP filtering


IP filtering provides you with the ability to allow only the managed and the Workspace ONE-enrolled devices to have access to company email via the Secure Email Gateway (SEG). IP filtering provides you with the ability to simultaneously block users from bypassing the SEG and accessing company email through a direct connection to your Exchange ActiveSync mailbox. This leverages the full functionality of Workspace ONE email compliance policies and enhances email security.

 This article provides instructions on how to deny access to unmanaged devices and provide mail access to only enrolled devices to enhance your email security.


  • Secure Email Gateway
  • Windows Server 2008 R2
  • Microsoft Exchange ActiveSync (IIS7)

Enhancing Email Security

The IP Address and Domain Restrictions feature page in IIS Server Manager defines and manages rules that allow or deny access for a range of IP addresses, or a domain name or names. Enable IP filtering and properly configure the feature to allow a connection from the Secure Email Gateway (SEG) while blocking all other connections to the Exchange server.

Note: The following steps are Workspace ONE recommendations. Please consult with Microsoft support to understand exact details, the impact that IP Filtering implementation can have on a specific network configuration and also to confirm that these steps are adequate and appropriate for your Mobile Email Management (MEM) goals.

Adding IP and Domain Restrictions Role to Exchange

The default installation of IIS 7 does not include the role service for IP security. To use IP security on IIS, you must install the role service using the following steps:

 1. On the taskbar, click Start and then point to Administrative Tools. Then, click Server Manager.

2. In the Server Manager Hierarchy pane, expand Roles, and then click Web Server (IIS).

3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.

4. On the Select Role Services page of the Add Role Services Wizard, select IP and Domain Restrictions, click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Results page, click Close.

Adding IP Restrictions to Allow Only Traffic from One Proxy

The following steps enable the IP Restrictions and force all connections to the Exchange Sever to be directed through the SEG providing an added security and requiring Workspace ONE managed email profiles.

 1. In the Connections pane, expand the server name, expand Sites, and then select the Microsoft-ServerActiveSync site.

2. In the Home pane, double-click the IPv4 Address and Domain Restrictions feature.

3. In the IPv4 Address and Domain Restrictions feature, click Add Allow Entry.

4. Enter the SEG IP address(s) that you wish to allow, and then click OK.

5. In the Home pane, double-click the IPv4 Address and Domain Restrictions feature.

6. Click the Edit Feature Settings above to set the default access behavior for unspecified clients to Deny and then click OK. Do not enable domain name restrictions. 

Note: Do not enable domain name restrictions as it requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance.

Have more questions? Submit a request


Article is closed for comments.