Secure Email Gateway (SEG) Installation


This guide will walk you through the installation and setup process for the Secure Email Gateway proxy solution provided by AirWatch. By the end of this guide, you should be able to proxy mail through the SEG as well as enable compliance policies to manage incoming ActiveSync connections.


Server Requirements

VM or Physical Server

Without content transformation (attachment encryption, hyperlink security, tagging, etc.): 1 CPU Core (2 GB RAM) per 2,000 devices syncing email through the SEG server. Max 8 CPU cores per SEG.

With content transformation: 1 CPU Core (2 GB RAM) per 1,200 devices syncing email through the SEG server. Max 8 CPU cores per SEG.

Load-balanced SEG servers can be deployed with size requirements being cumulative.

Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2

Install Role from Server Manager

IIS 7.0 (2008 R2)

IIS 8.0 (2012 or 2012 R2)

IIS 8.5 (2012 R2 only)

Install Role Services from Server Manager

  • Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
  • Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
  • Management Tools: IIS Management Console, IIS 6 Metabase Compatibility

Note: Ensure WebDAV is not installed

Install Application Request Routing (ARR)

ARR component is available at

Install Features from Server Manager

  • .NET Framework 3.5.1 (4.5 for Server 2012) Features: Entire module (.NET Framework 3.5.1, WCF Activation, HTTP Activation)

Telnet Client

Externally registered DNS

SSL certificate from a trusted third party, with a Subject or Subject Alternative Name matching the externally registered DNS name. Ensure the SSL certificate is trusted by all device types being used (for example, not all Comodo certificates are natively trusted by Android).

Binding in IIS for port 443

Network Requirements

Source Component: Devices (Internet and Wi-Fi)
Destination Component: AW SEG
Protocol: HTTPS
Port: 443
Verification: telnet <seg_hostname> 443

Source Component: AW SEG
Destination Component: AirWatch API
Protocol: HTTP(S)
Port: 443/80
Verification: Browse to the API at https://API_HOSTNAME/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc. Expected behavior is viewing source XML.
Note: IP-based persistence should be used in configurations with multiple API servers.

Source Component: SEG1
Destination Component: SEG2
Protocol: UDP & TCP
Port: 9090
Verification: If clustering multiple SEGs, they will need to be able to talk over the desired port. This can be customized while running SEG Setup.
Note: Clustering across data centers is not supported.

Source Component: AW DS/CN
Destination Component: SEG
Protocol: HTTPS
Port: 443
Verification: telnet <seg_hostname> 443

Source Component: SEG
Destination Component: Mail Server
Protocol: HTTP(S)
Port: 443/80
Verification:
For Exchange: http(s)://exchange_FQDN/Microsoft-Server-Activesync
For Notes Traveler: http(s)://traveler_FQDN/servlet/traveler
For Google
For Groupwise: https://Groupwise_FQDN/EAS or /Microsoft-Server-Activesync
Note: If you are using SSL between the SEG and the mail endpoint, verify that the SEG can reach the endpoint certificate's Certificate Revocation List.
Note: If Windows authentication is enabled on the mail server's ActiveSync endpoint, then either (1) the SEG cannot be domain-joined or (2) certificate authentication with KCD will be required.
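
A pre-install check for the server and network requirements above, as an added example that is not part of the original guide or AirWatch's own tooling. The feature names are the Windows Server Manager names for the listed role services; Test-Installed and Test-TcpPort are helper names chosen here, and the hostnames are placeholders.

```powershell
# Added example: SEG host pre-install check. Run elevated on the prepared server.
# All hostnames are placeholders; replace them with your own.
Import-Module ServerManager

# Requirement label -> Server Manager feature name(s); any one name satisfies the row.
$required = @{
    'Static Content'         = 'Web-Static-Content'
    'Default Document'       = 'Web-Default-Doc'
    'Directory Browsing'     = 'Web-Dir-Browsing'
    'HTTP Errors'            = 'Web-Http-Errors'
    'HTTP Redirection'       = 'Web-Http-Redirect'
    'ASP.NET'                = 'Web-Asp-Net', 'Web-Asp-Net45'
    '.NET Extensibility'     = 'Web-Net-Ext', 'Web-Net-Ext45'
    'ASP'                    = 'Web-ASP'
    'ISAPI Extensions'       = 'Web-ISAPI-Ext'
    'ISAPI Filters'          = 'Web-ISAPI-Filter'
    'Server Side Includes'   = 'Web-Includes'
    'IIS Management Console' = 'Web-Mgmt-Console'
    'IIS 6 Metabase Compat.' = 'Web-Metabase'
    'Telnet Client'          = 'Telnet-Client'
}

function Test-Installed([string[]]$Names) {
    $hit = @(Get-WindowsFeature -Name $Names -ErrorAction SilentlyContinue |
             Where-Object { $_.Installed })
    return ($hit.Count -gt 0)
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

$report = @()
foreach ($label in $required.Keys) {
    $report += New-Object psobject -Property @{ Check = $label; Pass = (Test-Installed $required[$label]) }
}
# The guide requires that WebDAV is NOT installed.
$report += New-Object psobject -Property @{ Check = 'WebDAV absent'; Pass = -not (Test-Installed 'Web-DAV-Publishing') }
# Outbound paths from the network requirements (TCP only; the cluster port also needs UDP).
$targets = @{ 'api.example.com' = 443; 'mail.example.com' = 443; 'seg2.example.com' = 9090 }
foreach ($h in $targets.Keys) {
    $report += New-Object psobject -Property @{ Check = "TCP ${h}:$($targets[$h])"; Pass = (Test-TcpPort $h $targets[$h]) }
}
$report | Sort-Object Pass | Format-Table Check, Pass -AutoSize
```

The TCP checks confirm reachability only; they do not validate the API response or the mail endpoint's certificate and revocation list.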

Preparing API and MEM Config

In the AirWatch console, navigate to Settings / System / Advanced / API / SOAP and generate a client certificate. The SEG will use this to establish trust with the API.


Next, follow the configuration steps in Settings / Email / Configuration to create a MEM configuration for SEG. One configuration is used to support multiple SEGs for "High Availability" installations.


Select your mail server type and the deployment type With SEG Proxy.



Supply the specific details for your SEG. Note that this is the hostname used by the Console and Device Services to communicate with the SEG. It may be different than the external hostname devices use to connect, but it should match the server certificate's Subject (Issued To) or a valid Subject Alternative Name (SAN) attribute.

Note: If Use Basic Authentication is checked, the "Gateway Username" is a local admin account existing on the SEG. This user is used to authenticate to the /segconsole site to communicate policy changes registered by the Console and Device Services.




You may now choose to create device profiles for your new MEM configuration. This is only required if using Google Apps for Business. If using Multi-MEM, this page is also used to associate profiles for migration purposes only.




Verify SEG Settings

Review your configuration and choose Save



Download the SEG Installer

  • Review and adjust Advanced settings, such as KCD Authentication, Diagnostic, Sizing, and S/MIME Options
  • Click the link to the AirWatch Secure Email Gateway Installer and stage it on the prepared server



Create a SEG Service Account in AirWatch

  • Navigate to Accounts > Administrators
  • Choose Add User and specify all details
  • Choose a Default Role that has the SOAP API > SOAP API – Read/Write/Update resource enabled and select Save

Note: You can verify whether a role has these permissions enabled from the Roles tab on the left of the Admin Accounts page.



Running the SEG Installer

Execute the SEG Installer

  • Start the SEG Installer executable on the prepared server
  • Accept the Terms of Use
  • Specify the Destination Folder for all the SEG Components
  • Choose which IIS Website to utilize
  • Install IIS, if it has yet to be installed
  • Confirm SEG Installation



Configuring the SEG Setup Wizard

The SEG Setup Wizard automatically appears.

  • Specify the Console URL (containing the API) and SEG Service Account Username and Password, then choose Next
  • Choose the AirWatch OG where the SEG will be managed and choose Next
  • Input advanced settings and security settings and choose Next
  • If using multiple, load-balanced SEG servers, add SEG cluster information
  • Specify the Log Level and click Save

Note: A SEG cannot be deployed under the parent OG where a SEG is defined


Verify Communication

Test Connection

Select Test Connection to verify the connection from the Web to the SEG, and from the SEG to the API.


Deploying Corporate Mail through the SEG

With the SEG in place, deploy corporate mail to enrolled users using an Exchange ActiveSync profile.

  • Navigate to Profiles & Policies > Profiles
  • Choose Add and specify general settings
  • Select Exchange ActiveSync
  • Add the SEG URL to Exchange ActiveSync Host
  • Leverage lookup values to ensure that each user gets their own distinct mail
  • Save & Publish to deploy the profile

