Secure Email Gateway Installation
This guide will walk you through the installation and setup process for the Secure Email Gateway proxy solution provided by AirWatch. By the end of this guide, you should be able to proxy mail through the SEG as well as enable compliance policies to manage incoming ActiveSync connections.
| Requirement | Details |
|---|---|
| VM or Physical Server | Without content transformation (attachment encryption, hyperlink security, tagging, etc.): 1 CPU core (2 GB RAM) per 2,000 devices syncing email through the SEG server; max 8 CPU cores per SEG. With content transformation: 1 CPU core (2 GB RAM) per 1,200 devices syncing email through the SEG server; max 8 CPU cores per SEG. Load-balanced SEG servers can be deployed, with size requirements being cumulative. Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. |
| Install Role from Server Manager | IIS 7.0 (2008 R2); IIS 8.0 (2012 or 2012 R2); IIS 8.5 (2012 R2 only) |
| Install Role Services from Server Manager | Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection. Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes. Management Tools: IIS Management Console, IIS 6 Metabase Compatibility. Note: Ensure WebDAV is not installed. |
| Install Application Request Routing (ARR) | The ARR component is available at http://www.iis.net/downloads/microsoft/application-request-routing |
| Install Features from Server Manager | .NET Framework 3.5.1 (4.5 for Server 2012) Features: entire module (.NET Framework 3.5.1, WCF Activation, HTTP Activation) |
| Externally registered DNS | |
| SSL certificate from a trusted third party whose Subject or Subject Alternative Name matches the DNS name | Ensure the SSL certificate is trusted by all device types being used (e.g. not all Comodo certificates are natively trusted by Android). Bind the certificate in IIS on port 443. |
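As an added check (not AirWatch's own tooling), the following PowerShell script verifies the IIS role services, the absence of WebDAV and the port-443 certificate binding listed in the table above when run in an elevated session on the prepared SEG server. The SEG hostname is a placeholder, and the Server Manager feature names are assumed from the role services the table names (the ASP.NET feature name differs by OS version, so both variants are tried).

```powershell
# Added example: prerequisite check for the SEG server (not AirWatch code).
# Run elevated on the prepared server; feature names are Server Manager identifiers.
Import-Module ServerManager
Import-Module WebAdministration

$segHost = 'seg.example.com'   # assumed SEG hostname (placeholder)
$required = @(
    'Web-Server', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing',
    'Web-Http-Errors', 'Web-Http-Redirect', 'Web-Net-Ext', 'Web-ASP',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
    'Web-Mgmt-Console', 'Web-Metabase'
)
$eitherOf  = @('Web-Asp-Net', 'Web-Asp-Net45')   # ASP.NET: 2008 R2 vs 2012 name
$forbidden = @('Web-DAV-Publishing')              # WebDAV must not be installed

function Test-Feature([string]$Name) {
    $f = Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue
    return [bool]($f -and $f.Installed)
}

$problems = @()
foreach ($f in $required)  { if (-not (Test-Feature $f)) { $problems += "Missing role service: $f" } }
foreach ($f in $forbidden) { if (Test-Feature $f)        { $problems += "Remove role service: $f" } }
if (-not ($eitherOf | Where-Object { Test-Feature $_ })) {
    $problems += "Missing ASP.NET (one of: $($eitherOf -join ', '))"
}

# The HTTPS binding on 443 must exist, and its certificate must name the SEG host
# (Subject CN or SAN) and chain to a trusted root. Wildcard names are not matched here.
$binding = Get-WebBinding -Protocol https -Port 443 | Select-Object -First 1
if (-not $binding) {
    $problems += 'No HTTPS binding on port 443'
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) {
        $problems += "Bound certificate $($binding.certificateHash) not found in LocalMachine\My"
    } else {
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = $cert.Subject + ' ' + $(if ($san) { $san.Format($false) } else { '' })
        if ($names -notmatch [regex]::Escape($segHost)) {
            $problems += "Certificate names do not include $($segHost): $names"
        }
        if (-not $cert.Verify()) { $problems += 'Certificate does not chain to a trusted root on this server' }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All SEG prerequisites satisfied' }
```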
| Source Component | Destination Component | Protocol | Port | Verification |
|---|---|---|---|---|
| Devices (Internet and Wi-Fi) | AW SEG | HTTPS | 443 | `telnet <seg_hostname>:443` |
| AW SEG | AirWatch API | HTTP(S) | 443/80 | Browse to the API at https://API_HOSTNAME/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc. Expected behavior is viewing the source XML. Note: IP-based persistence should be used in configurations with multiple API servers. |
| SEG1 | SEG2 | UDP & TCP | 9090 | If clustering multiple SEGs, they need to be able to talk over the chosen port, which can be customized while running SEG Setup. Note: Clustering across data centers is not supported. |
| AW DS/CN | SEG | HTTPS | 443 | `telnet <seg_hostname>:443` |
| SEG | Mail Server | HTTP(S) | 443/80 | For Exchange: http(s)://exchange_FQDN/Microsoft-Server-Activesync. For Notes Traveler: http(s)://traveler_FQDN/servlet/traveler. Note: If Windows authentication is enabled on the mail server's ActiveSync endpoint, then either (1) the SEG cannot be domain-joined or (2) certificate authentication with KCD will be required. |
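As an added example (not AirWatch's own tooling), this PowerShell script exercises the SEG-side rows of the port table above from the SEG server itself: a TCP connect with a timeout stands in for the telnet checks, and two HTTP requests confirm the API and ActiveSync endpoints answer. The hostnames are placeholders; the cluster port is whatever was chosen in SEG Setup.

```powershell
# Added example: outbound connectivity checks from the SEG server (not AirWatch code).
$apiHost     = 'api.example.com'        # AirWatch API host (placeholder)
$mailHost    = 'exchange.example.com'   # Exchange CAS or Notes Traveler host (placeholder)
$clusterPeer = 'seg2.example.com'       # second SEG in the cluster, if any (placeholder)
$clusterPort = 9090                     # value chosen during SEG Setup

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    # Portable stand-in for "telnet host port": a TCP connect with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Get-HttpStatus {
    param([string]$Url)
    # Returns the HTTP status code. A 401 from an ActiveSync endpoint is expected
    # (it exists and demands authentication); a timeout, DNS or TLS trust failure is not.
    try {
        $resp = [System.Net.WebRequest]::Create($Url).GetResponse()
        $code = [int]$resp.StatusCode; $resp.Close(); return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return "ERROR: $($_.Exception.Status)"
    }
}

$checks = @(
    @{ Name = 'SEG -> API 443';  Ok = Test-TcpPort $apiHost 443 },
    @{ Name = 'SEG -> Mail 443'; Ok = Test-TcpPort $mailHost 443 },
    @{ Name = "SEG -> SEG2 $clusterPort/tcp"; Ok = Test-TcpPort $clusterPeer $clusterPort }
)
foreach ($c in $checks) {
    '{0,-22} {1}' -f $c.Name, $(if ($c.Ok) { 'open' } else { 'BLOCKED' })
}

# Application-level checks: the API endpoint should answer 200 with the service XML,
# and the ActiveSync endpoint should answer at all (typically 401 Unauthorized).
'API endpoint: ' + (Get-HttpStatus "https://$apiHost/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc")
'EAS endpoint: ' + (Get-HttpStatus "https://$mailHost/Microsoft-Server-ActiveSync")
# UDP 9090 between cluster members cannot be checked with a TCP connect; confirm the
# inbound firewall rule on each SEG instead (netsh advfirewall firewall show rule name=all).
```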
Preparing API and MEM Config
In the AirWatch console, navigate to Settings / System / Advanced / API / SOAP and generate a client certificate. The SEG will use this to establish trust with the API.
Next, follow the configuration steps in Settings / Email / Configuration to create a MEM configuration for SEG. One configuration is used to support multiple SEGs for "High Availability" installations.
Select your mail server type and the deployment type "With SEG Proxy".
Supply the specific details for your SEG. Note that this is the hostname used by the Console and Device Services to communicate with the SEG. It may differ from the external hostname devices use to connect, but it must match the server certificate's Subject (Issued To) or a valid Subject Alternative Name (SAN) attribute. Note that if Use Basic Authentication is checked, the "Gateway Username" is a local admin account that exists on the SEG; this user is used to authenticate to the /segconsole site to communicate policy changes registered by the Console and Device Services.
You may now choose to create device profiles for your new MEM configuration. This is only required if using Google Apps for Business. If using Multi-MEM, this page is also used to associate profiles for migration purposes only.
Verify SEG Settings
Review your configuration and choose Save
Download the SEG Installer
- Review and adjust Advanced settings, such as KCD Authentication, Diagnostic, Sizing, and S/MIME Options
- Click the link to the AirWatch Secure Email Gateway Installer and stage it on the prepared server
Create a SEG Service Account in AirWatch
- Navigate to Accounts > Administrators
- Choose Add User and specify all details
- Choose a Default Role that has the SOAP API > SOAP API – Read/Write/Update resource enabled and select Save
Note: You can verify whether a role has these permissions enabled from the Roles tab on the left of the Admin Accounts page
Running the SEG Installer
Execute the SEG Installer
- Start the SEG Installer executable on the prepared server
- Specify the Destination Folder for all the SEG Components
- Choose which IIS Website to utilize
- Install IIS, if it has not yet been installed
- Confirm SEG Installation
Configuring the SEG Setup Wizard
The SEG Setup Wizard automatically appears.
- Specify the Console URL (containing the API) and SEG Service Account Username and Password, then choose Next
- Choose the AirWatch OG where the SEG will be managed and choose Next
- Input advanced settings and security settings and choose Next
- If using multiple, load-balanced SEG servers, add SEG cluster information
- Specify the Log Level and click Save
Note: A SEG cannot be deployed under the parent OG where a SEG is defined
Select Test Connection to verify the connection from the Console to the SEG, and from the SEG to the API
Deploying Corporate Mail through the SEG
With the SEG in place, deploy corporate mail to enrolled users using an Exchange ActiveSync profile.
- Navigate to Profiles & Policies > Profiles
- Choose Add and specify general settings
- Select Exchange ActiveSync
- Add the SEG URL to Exchange ActiveSync Host
- Use lookup values so that each user receives their own distinct mail settings
- Save & Publish to deploy the profile