Secure Email Gateway (SEG) Install Overview

Secure Email Gateway Install Overview


The following article is intended to assist AirWatch Customers and Agents install, validate and troubleshoot the Secure Email Gateway (SEG).

CLICK HERE
for more information on an
assisted install. Reach out to
your Account Executive to
purchase.

SEG Install Guide

The install guide is intended to walk users through the preparation, installation and configuration of the Secure Email Gateway.

Pre-Install Requirements Worksheet

Provides a detailed explanation of all general, hardware, software and network requirements for a successful installation of the SEG. Please only reference the tab for the component you wish to install.

SEG Install Video

This instructional install video shows the step by step process for installing and validating the Secure Email Gateway.

Install Validation

Provides tests and checks to perform in order to validate that the component has been successfully installed and configured. These should always be performed after a new install or upgrade to confirm functionality.

SEG Logs

How to guide for gathering SEG logs. These logs will be needed if you run into any issues with the SEG during or after an install or upgrade. It will also help our support team assist you more quickly if these are provided up front.

Install Troubleshooting

This forum provides resolutions to common issues and error messages that are encountered during a SEG install. Please be sure to gather logs prior to beginning troubleshooting.


Install Validation


The following steps should be performed after a SEG install or On Premise upgrade to confirm the SEG was installed/updated successfully. If you encounter issues at any point during validation, please proceed to the SEG Logs and Install Troubleshooting sections.

Validation Step Actions Expected Results
Step 1 - SEG Test Connection Navigate to Console > Email > Email Settings > Test Connection Connection Succeeded
SEG_Step_1.jpg
Step 2 - Browse to Microsoft Server ActiveSync Endpoint In a browser, navigate to https://SEG_URL.com/microsoft-server-activesync You should be prompted for credentials and receive a 501/505 message if credentials are entered.

Feature Validation

 

The following steps should be performed after a SEG install or On Premise upgrade to confirm SEG and email functionality.

Validation Step Actions Expected Results
Step 1 - Email Dashboard Updating Navigate to Console > Email > List View New Records are generated after the install or upgrade.
SEG_Step_2.jpg
Step 2 - SEG Console Updating In a web browser, navigate to https://SEG_URL.com/segconsole and click on "Refresh Summary" The number of "Total Requests, Total Bytes Up and Total Bytes Down" should increase.
SEG_Step_3.jpg
Step 3 - Email on Devices Check the device mail client for email access Email should flow after being prompted for credentials.
Step 4 - Certificate Autentication (if enabled) Check the device mail client for email access Email should flow without being prompted for credentials.
Step 5 - Email Attachment Verification Send an email with an attachment to the device The attachment comes through with the email and can be opened.
Step 6 - Attachment Encryption Verification Send an email with an attachment to the device The attachment opens in the Content Locker application.
Step 7 - Email Compliance According to the compliance settings under Console > Email > Compliance Policy, check to ensure that enabled compliance policies are taking effect on the device. All enabled compliance policies are effective on the device.
SEG_Note_1.jpg

 

*Note: In the case of clustered SEGs, you should perform the above testing on each SEG. The following explains how to determine which SEG the connection goes to from the AirWatch console:

Step 1. Navigate to Console > Email > List View > Filters > Last Gateway Server
Step 2. Select the target SEG server name and version.

SEG_Note_2.jpg

SEG Logs


The following article provides information on how and when to collect and verbose logs related to the Secure Email Gateway.


I. IIS Logs


IIS Log records all requests processed by IIS. It contains useful information on the username, EAS Device ID, commands, HTTP Status and request time. The information on this log is concise and critical, which makes it one of the first logs to check facing an issue.

1. On the SEG server, follow the path given to access the IIS logs: \inetpub\logs\LogFiles\W3SVC1

SEG_Log_1.1.jpg


2. Check the http status code (sc-status column). A successfully request will return a 200.

SEG_Log_1.2.jpg



II. EAS Web Listener Logs


Web Listener Log records the mail-handling processes and their statuses by the SecureEmailGateway App residing on IIS. This is the log to check when encountering a mail flow issue. It will not only show what process fails but also the errors that come with the failure.


How to verbose Web Listener Log Method 1:
1. On the SEG Server, go to \AirWatch\AirWatch 8.2\AW.Eas.Web.Listener. Open the web.config file.

SEG_Log_2.1.jpg


2. Search for the keyword “level” and change the parameter to level = “Verbose”. Save the file.

SEG_Log_2.2.jpg


How to verbose Web Listener Log Method 2:
On the SEG server, navigate to https://localhost/SEGSetup . Change to “Log Level” to “Verbose”.

SEG_Log_2.3.jpg


Note: This method will verbose both Web Listener logs and the Integration Service logs.


III. EAS Integration Service Logs


EAS Integration Service Log records the policies and settings sync processes and their statuses by the AirWatchEASIntegrationService Windows Service. This is the log to check when encountering a policy sync issue or any discrepancies between AirWatch Console and the SEG. It will not only show what process fails but also the errors that come with the failure.


How to verbose Integration Service Log Method 1:
1. On the SEG Server, go to \AirWatch\AirWatch 8.2\AW.Eas.IntegrationService. Open the AW.Eas.IntegraionService.exe.config file.

SEG_Log_3.1.jpg


2. Search for the keyword “level” and change the parameter to level = “Verbose”. Save the file.

SEG_Log_3.2.jpg


3. Restart the AirWatch EAS Integration Service from the Windows Services.


How to verbose Integration Service Log Method 2:
On the SEG server, navigate to https://localhost/SEGSetup . Change to “Log Level” to “Verbose”.

SEG_Log_3.3.jpg


Note: This method will verbose both Web Listener logs and the Integration Service logs.


IV. How to Check Clustering


Clustering is used to ensure policy sync among different SEGs in the case of a load-balancing setup. Delays in email enablement can be caused by a broken cluster.

On the SEG server, go to to \AirWatch\AirWatch 8.2\AW.Eas.IntegrationService Open the AppClusterDirectory.xml.

SEG_Log_4.1.jpg


Since this file is updated dynamically, check the nodes in the file to see active SEGs in the cluster. In the example above, there are no nodes present. Therefore, this SEG is not clustered with other SEGs.


V. Kerberos Constrained Delegation (KCD) Logs

KCD enables users to authenticate with client certificate. The KCD log is useful to troubleshoot mail flow issues with the certificate authentication.

1. On the SEG Server, go to \AirWatch\AirWatch 8.2\AW.Eas.Web.Listener. Open the web.config. file.

SEG_Log_5.1.jpg


2. Search for the keyword “level” and change the parameter to level = “Verbose”. Save the file.
3. Search for the keyword “WhatToLog”, and add the value KCD.
4. Save the file.

SEG_Log_5.2.jpg

VI. WireShark Log


WireShark captures network traffic deeper than the application layer. It’s often used to inspect any issues with SSL handshake processes and Kerberos tickets exchanges.

1. Download and install WireShark from https://www.wireshark.org/download.html.
2. Select the target network as an interface in Capture > Options. Then start capturing packets.

SEG_Log_6.1.jpg


3. To troubleshooting KCD issue, type “Kerberos” into the filter and search. To troubleshoot SSL handshake issue, type ‘ssl.hankshake.type ==”Client Hello”’ into the filter and search.


VII. V Web Listener Targeted Logging (SEG v8.0 +)


Web Listener Log records the mail-handling processes for a specific user and their statuses by the SecureEmailGateway App residing on IIS. This log is useful to troubleshoot the device or user specific issues.

1. On the SEG Server, navigate to https://localhost/segconsole in the browser.
2. Under Targeted Logging section, type the EAS Device Identifier or Username. Then click on “Add Target”.
3. Click on “Start Targeted Logging”.
4. You’ll find the log file with the same name of the EAS Device Identifier or Username showing up under \AirWatch\Logs\EASListener.

SEG_Log_7.1.jpg

VIII. Enable CAPI2 Logs


The CAPI2 log is useful to troubleshoot any issues concerned with certificate chain validation, certificate store operations, and signature verification.

1. Enable CAPI2 logging by opening the Event Viewer and navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expanding it. You should see a view named Operational as shown below.

Powershell_Log_3.1.jpg

2. Right-click on the Operational view and click the Enable Log menu item as shown.

Powershell_Log_3.2.jpg

3. Once enabled, any warnings or errors are logged into the viewer. Reproduce the problem you are experiencing and check if the issue is logged.

Have more questions? Submit a request

0 Comments

Article is closed for comments.