Proxy Guide
Securing Your Email Infrastructure
AirWatch v8.3
Have documentation feedback? Email docfeedback@air-watch.com. If you require assistance from AirWatch Support, submit a support request through myAirWatch Support (support.air-watch.com).
Copyright 2016 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by
international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their
respective companies.
VMware AirWatch Secure Email Gateway Proxy Guide | v.2016.04 | April 2016
Copyright 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
Revision Table
The following table lists revisions to this guide since the release of AirWatch v8.3.
Date           Reason
February 2016  Initial upload.
March 2016     Changed the Delta Sync refresh interval from five to ten minutes. See Enabling SEG Proxy on AirWatch Admin Console and Configuring the SEG with the Setup Wizard.
Table of Contents
Chapter 1: Overview 5
    What's New 6
    Introduction to the Secure Email Gateway (SEG) 6
    In This Guide 6
    Before You Begin 7
Chapter 2: Prerequisites for SEG Connectivity 8
Chapter 3: SEG Architecture 15
    Overview 16
Chapter 4: SEG Implementation 18
    Overview 19
    Step 1: Enabling SEG Proxy on AirWatch Admin Console 19
    Step 2: Preparing for the Installation 23
    Step 3: Running the AirWatch SEG Installer 23
    Step 4: Configuring the SEG with the Setup Wizard 25
    Step 5: Deploying Mobile Email through the SEG Proxy 28
Chapter 5: Email Management through the Secure Email Gateway (SEG) Proxy 30
    Overview 31
    Securing with Email Policies 31
    Discovering Devices 32
    Email Dashboard 33
    List View 33
    SEG Targeted Logging 35
    Comparing SEG Policies 36
Overview 42
Chapter 1: Overview
What's New
This guide has been updated with the latest features and functionality from the most recent release of AirWatch v8.3. The list below names each new feature and the sections in which it appears.
- Delta Sync, a SEG policy sync with a refresh interval of ten minutes, has been introduced. It returns only those policy records that have changed since the last bulk policy sync, which is particularly useful when multiple SEGs are in use. See Enabling SEG Proxy on AirWatch Admin Console and Configuring the SEG with the Setup Wizard.
Introduction to the Secure Email Gateway (SEG)
Note: The SEG Proxy model requires an Exchange ActiveSync infrastructure (for example, Microsoft Exchange 2003/2007/2010/2013/2016, Lotus Traveler, or Novell GroupWise Data Synchronizer). Consult your AirWatch representative for more information.
The AirWatch SEG Proxy server is configured to sit in front of your corporate email server. Based on the settings you define in the AirWatch Admin Console, the SEG Proxy server makes an allow or block decision for every mobile device it manages. It relays traffic from approved devices and protects the corporate email server by preventing devices from communicating with it directly: every request to the corporate email server is filtered by the SEG Proxy. The SEG provides one more layer of security by controlling how email attachments and hyperlinks can be viewed. Through the SEG, attachments are encrypted and hyperlinks are rewritten so that they can be opened only in AirWatch Content Locker and AirWatch Browser respectively, protecting sensitive information.
The SEG server is installed inline with corporate email traffic. It may be installed in a DMZ or behind a reverse proxy (for example, an F5 appliance). The SEG server must be hosted in the customer data center regardless of whether the AirWatch MDM server is in the cloud or on premises.
You can download the most up-to-date version of the Secure Email Gateway Guide, which includes configuration and
installation, from AirWatch Resources.
In This Guide
- Secure Email Gateway Configuration: explains the SEG setups that AirWatch supports.
- Secure Email Gateway Implementation: details how to enable the SEG in the AirWatch Admin Console.
- Upgrading Secure Email Gateway: explains how to upgrade the SEG to the latest version.
- Email Management through the SEG Proxy Integration: covers the features available in AirWatch to manage your device fleet effectively with this integration type.
Before You Begin
Requirements
For a complete listing of all requirements for installing SEG, refer to Prerequisites for SEG Connectivity.
Prerequisites
- Enable the Simple Object Access Protocol (SOAP) API for the required organization group. To configure the SOAP API URL for your AirWatch environment, navigate to Groups & Settings > All Settings > System > Advanced > API > SOAP API. The AirWatch Admin Console gets the API certificate from the SOAP API URL listed on the Site URLs page. For SaaS deployments, use the format asXX.airwatchportals.com.
- Create an Exchange ActiveSync profile with the Assignment Type set to Optional and the EAS hostname set to the SEG server URL.
Chapter 2: Prerequisites for SEG Connectivity
Hardware Requirements
Requirement: VM or physical server
Notes:
  Without content transformation (attachment encryption, hyperlink security, tagging and so on): 1 CPU core and 2 GB RAM per 2,000 devices syncing email through the SEG server. Maximum 16,000 devices per SEG.
  With content transformation (attachment encryption, hyperlink security, tagging and so on): 2 CPU cores and 4 GB RAM per 2,000 devices syncing email through the SEG server. Maximum 8,000 devices per SEG. The IIS application pool Maximum Worker Processes setting should be configured as (number of CPU cores / 2).
  Load-balanced SEG servers can be deployed, with sizing requirements being cumulative.
  5 GB disk space per SEG and dependent software (IIS). This does not include system monitoring tools or additional server applications.
General Requirements
Requirement: Remote access to the Windows servers available to AirWatch, and Administrator rights
Notes: AirWatch recommends setting up Remote Desktop Connection Manager for managing multiple servers; the installer can be downloaded from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101. See General Requirements.
Requirement: Installation of Notepad++ (recommended)
Notes: The installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe. This is a plain-HTTP download of a third-party binary; prefer the vendor's HTTPS site and verify the installer before running it on the SEG host.
Requirement: Ensure Exchange ActiveSync is enabled for a test account
Software Requirements
Requirement: Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2
Requirement: Install the Web Server (IIS) role from Server Manager
Notes: IIS 7.0 (Server 2008 R2); IIS 8.0 (Server 2012 or Server 2012 R2); IIS 8.5 (Server 2012 R2 only)
Requirement: Install role services from Server Manager
Notes:
  Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
  Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
  Management Tools: IIS Management Console, IIS 6 Metabase Compatibility
  Ensure WebDAV is not installed.
Requirement: SSL certificate from a trusted third party, with the SEG's DNS name in the Subject or Subject Alternative Name
Notes: Ensure the certificate chains to a root trusted by all device types in use (for example, not all Comodo certificates are natively trusted by Android). In addition, the SEG server must be able to reach the certificate's revocation endpoints (the CRL distribution point or OCSP responder, for example ocsp.verisign.com); if that egress is blocked, chain validation on the SEG fails.
Requirement: IIS 443 binding with the same SSL certificate
Notes: Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point, you should see the IIS splash page. See Server Requirements.
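As an added example (not code from the guide or from AirWatch), the following PowerShell script checks a candidate SEG host against the software requirements above and the application pool sizing rule from the hardware table: the IIS role services, the absence of WebDAV, the 443 binding, the bound certificate's name coverage, expiry and chain (built with online revocation checking, which exercises the same CRL/OCSP egress the table calls for), and the worker-process count. The site name, application pool name and DNS name at the top are assumptions to edit; the feature names are the standard Server Manager names for Server 2008 R2 through 2012 R2.

```powershell
# Added example, not AirWatch's code. Run in an elevated PowerShell session on the SEG host.
Import-Module ServerManager
Import-Module WebAdministration

$SiteName    = 'Default Web Site'   # assumption: the SEG installs to the default site (see Step 3)
$AppPoolName = 'DefaultAppPool'     # assumption: the application pool that serves the SEG
$ExpectedDns = 'seg.example.com'    # assumption: external DNS name that devices use for the SEG

# Role services from the table above, by Server Manager feature name.
$Required = @(
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Http-Redirect',
    'Web-Net-Ext', 'Web-ASP', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
    'Web-Mgmt-Console', 'Web-Metabase'
)
foreach ($name in $Required) {
    $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
    if (-not $feature -or -not $feature.Installed) { Write-Warning "Missing role service: $name" }
}
# ASP.NET is Web-Asp-Net on Server 2008 R2 and Web-Asp-Net45 on Server 2012 / 2012 R2.
$aspNet = Get-WindowsFeature -Name Web-Asp-Net, Web-Asp-Net45 -ErrorAction SilentlyContinue | Where-Object { $_.Installed }
if (-not $aspNet) { Write-Warning 'Missing role service: ASP.NET' }
# WebDAV must not be installed.
$webdav = Get-WindowsFeature -Name Web-DAV-Publishing -ErrorAction SilentlyContinue
if ($webdav -and $webdav.Installed) { Write-Warning 'WebDAV Publishing is installed; remove it before installing the SEG' }

# The site needs an HTTPS binding on 443 backed by a certificate in LocalMachine\My.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
           Where-Object { $_.bindingInformation -like '*:443:*' } | Select-Object -First 1
if (-not $binding) {
    Write-Warning "No HTTPS binding on port 443 for '$SiteName'"
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) {
        Write-Warning "Bound certificate $($binding.certificateHash) was not found in LocalMachine\My"
    } else {
        # Subject or SAN must cover the DNS name, exactly or through a wildcard for its parent domain.
        $wildcard = '*.' + ($ExpectedDns -replace '^[^.]+\.', '')
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        $sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $covered  = $false
        foreach ($n in @($ExpectedDns, $wildcard)) {
            if ($cert.Subject -match [regex]::Escape("CN=$n") -or $sanText -match [regex]::Escape($n)) { $covered = $true }
        }
        if (-not $covered) { Write-Warning "Certificate does not name $ExpectedDns (Subject: $($cert.Subject); SAN: $sanText)" }

        # Build the chain with online revocation checking: this is the CRL/OCSP lookup the SEG itself
        # performs, so a failure here usually means the CA's revocation endpoints are blocked from this host.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            foreach ($s in $chain.ChainStatus) { Write-Warning "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())" }
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }
    }
}

# Sizing rule from the hardware table: with content transformation, Maximum Worker Processes = cores / 2.
$cores    = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$expected = [math]::Max(1, [int][math]::Floor($cores / 2))
$current  = (Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel).maxProcesses
if ($current -ne $expected) {
    Write-Warning "App pool '$AppPoolName' maxProcesses is $current; the sizing table suggests $expected for $cores cores"
    # To apply: Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.maxProcesses -Value $expected
}
```

The script only warns; it changes nothing. The chain check is the part most often skipped by hand: a certificate that looks fine in the MMC can still fail on the SEG when the CA's CRL or OCSP endpoint is unreachable from the DMZ, and the only symptom is that devices fail to sync.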
For configuring the ports listed below, all traffic is uni-directional (outbound)from the source component to the
destination component.
Network Requirements
Source: Devices (from Internet and Wi-Fi) | Destination: SEG | Protocol: HTTPS | Port: 443
  Verification: Telnet from the Internet to the SEG server on port 443.
Source: Console Server | Destination: SEG | Protocol: HTTPS | Port: 443
  Verification: Telnet from the Console server to the SEG server on port 443.
Source: SEG | Destination: AirWatch SOAP API (DS or CN server) | Protocol: HTTP or HTTPS | Port: 80 or 443 (443 for a SaaS instance of AirWatch)
  Verification: Verify that the following URL is trusted from a browser on the SEG server: https://<API URL>/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc. 'IP based persistence' should be used on the load balancer when there is more than one API server.
The following requirements apply depending on the email configuration you are using:
Source: SEG | Destination: Exchange | Protocol: HTTP or HTTPS | Port: 80 or 443
Source: SEG | Destination: Lotus Notes | Protocol: HTTP or HTTPS | Port: 80 or 443
Source: SEG | Destination: Google | Protocol: HTTPS | Port: 443
  Verification: Verify that the following URL is trusted from a browser on the SEG server and prompts for credentials:
    For Exchange: http(s)://Exchange_Activesync_FQDN/Microsoft-server-activesync
    For Lotus Notes: http(s)://LotusNotesTraveler_FQDN/servlet/traveler
    For Google: https://m.google.com/Microsoft-server-activesync
    For GroupWise (depending on version): http(s)://Groupwise_FQDN/EAS or http(s)://Groupwise_FQDN/Microsoft-server-activesync
  Once you enter the credentials, verify that a 501/505 HTTP page displays.
If Windows authentication is enabled on your CAS ActiveSync endpoint, one of the following is required:
1. Certificate authentication and KCD
2. The SEG server is not joined to the domain.
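Added example, not from the guide: a PowerShell script to run on the SEG server that performs the verification column of the two tables above without the Telnet client or a browser. The API host, EAS host and test account are assumptions (the API path is the one quoted in the table). TLS validation is deliberately left on, so an "untrusted" result here is the same failure the SEG would hit.

```powershell
# Added example, not AirWatch's code. Run on the SEG server.
$ApiHost = 'asXX.airwatchportals.com'   # assumption: AirWatch SOAP API host (DS or CN server); SaaS format from Chapter 1
$EasHost = 'mail.example.com'           # assumption: Exchange ActiveSync FQDN
$ApiUrl  = "https://$ApiHost/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc"
$EasUrl  = "https://$EasHost/Microsoft-Server-ActiveSync"

function Test-TcpPort {
    # Equivalent of the 'telnet host port' check in the table, without the Telnet client.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-HttpStatus {
    # Returns the HTTP status code of a GET, including 4xx/5xx, which HttpWebRequest raises as exceptions.
    # TLS validation stays on: an exception without a response means DNS, TCP or an untrusted
    # certificate, which is exactly what the 'Ignore SSL errors' settings would otherwise hide.
    param([string]$Url, [System.Net.NetworkCredential]$Credential = $null)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method  = 'GET'
    $request.Timeout = 10000
    if ($Credential) { $request.Credentials = $Credential }
    try {
        $response = $request.GetResponse()
        $code = [int]$response.StatusCode
        $response.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# 1. TCP reachability of the outbound links in the table (port 443; use 80 if your EAS endpoint is HTTP).
foreach ($target in @($ApiHost, $EasHost)) {
    $open = Test-TcpPort -ComputerName $target -Port 443
    Write-Host ("SEG -> {0}:443  {1}" -f $target, $(if ($open) { 'open' } else { 'BLOCKED' }))
}

# 2. SOAP API endpoint: any HTTP status proves routing and TLS trust; a thrown exception does not.
try   { Write-Host ("API endpoint {0} answered HTTP {1}" -f $ApiUrl, (Get-HttpStatus -Url $ApiUrl)) }
catch { Write-Warning ("API endpoint not trusted or unreachable: {0}" -f $_.Exception.Message) }

# 3. EAS endpoint: unauthenticated it must challenge (401); with the test account the guide expects 501/505.
try {
    $anon = Get-HttpStatus -Url $EasUrl
    if ($anon -ne 401) { Write-Warning "EAS endpoint returned HTTP $anon without credentials; expected 401" }
    $cred = (Get-Credential).GetNetworkCredential()   # the test account for which EAS is enabled
    $auth = Get-HttpStatus -Url $EasUrl -Credential $cred
    if ($auth -eq 501 -or $auth -eq 505) { Write-Host "EAS endpoint authenticated; HTTP $auth as expected" }
    elseif ($auth -eq 401)              { Write-Warning 'EAS endpoint rejected the test account (401)' }
    else                                { Write-Warning "EAS endpoint returned unexpected HTTP $auth" }
} catch { Write-Warning ("EAS endpoint not trusted or unreachable: {0}" -f $_.Exception.Message) }
```

Run it before and after any firewall or load-balancer change; with IP-based persistence in front of several API servers, repeat the API check a few times to confirm every member is reachable and presents a trusted certificate.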
General Requirements
Remote Access to Servers
Ensure that you have remote access to the servers that AirWatch is installed on. Typically, installations are performed
remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide
AirWatch with VPN credentials to directly access the environment as well.
Server Requirements
External DNS Name
The two main components of AirWatch are the Device Services server and the Console server. In a single-server deployment these reside on the same server, and an external DNS entry must be registered for that server. In a multi-server deployment they are installed on separate servers; only the Device Services component requires an external DNS name, while the Console component can remain available internally only.
SSL Certificate
The externally available URL of the AirWatch server must be set up with a trusted SSL certificate. A wildcard or individual website certificate is required.
1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be found at http://support.apple.com/kb/HT5012.
2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider will have instructions for this process.
3. Once the certificate is uploaded on your server, use it to add a 443 binding to the Default Web Site in IIS. Your SSL certificate should appear in the drop-down menu of available certificates when you create the binding.
4. Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point you should see the IIS splash page.
If SSL is used for Admin Console access, ensure that the FQDN resolves (or that the hosts file is configured) so that the name used to connect matches the name on the certificate.
Chapter 3: SEG Architecture
Overview
This section outlines the architecture layout for setting up the SEG with your email infrastructure.
Note: If OWA traffic must be routed through the SEG, select the Proxy webmail traffic through gateway check box during the configuration step of the install wizard.
Alternative Supported Setup: Exchange ActiveSync SEG Using a Reverse Proxy Configuration
This configuration uses a reverse proxy to direct mobile device users to the SEG Proxy while routing browser users directly to their webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol. Use this configuration only where the recommended setup is not feasible.
Chapter 4: SEG Implementation
Overview
Once you understand the ways in which the SEG can be configured, choose the type that fits your organization's requirements. To implement the SEG proxy server on your chosen mail architecture, follow the steps below.
Step 1: Enabling SEG Proxy on AirWatch Admin Console
- Select the Deployment Model and choose the Email Type, and then select Next.
- Select the Email Server Type from the drop-down menu, choose a Deployment Type for your selected email architecture, and then select Next.
If you want to deploy the SEG Proxy server for Office 365, contact AirWatch for additional information.
AirWatch recommends that a valid SSL trust always be established between the AirWatch server and the SEG server using valid certificates. The settings 'Ignore SSL Errors between SEG and email server' and 'Ignore SSL Errors between SEG and AirWatch server' disable certificate validation on those links, so the SEG accepts whatever certificate it is presented with; use them only for temporary troubleshooting. Restart IIS on the SEG after changing either setting.
- Select Next.
Setting: Platform. Select the device platform from the drop-down field.
Setting: Mail Client. Select an email client from the drop-down field.
Setting: Action. Select either Use Existing Profile to associate an existing profile of the chosen platform, or Create New Profile if no existing profile matches your requirement. Only one profile per device type and mail client can be associated.
Setting: Profile. Select a profile from the drop-down field if an existing profile is used for the chosen platform.
5. Select Next. The MEM Config Summary form gives a quick overview of the basic configuration you have just created for the SEG deployment. Save the settings. The MEM configuration is then listed on the Mobile Email Management configuration main screen.
6. Select the Add option from the main configuration screen to configure more deployments.
7. You have completed the email configuration steps and can now download the SEG installer. To do this, select the icon corresponding to the MEM configuration and select Download SEG Installer.
You also have the option Test Connection to test connectivity between the SEG, the web server, and the AirWatch API servers. The result reports success or failure for the Web-to-SEG and SEG-to-AirWatch API connections, which helps you identify the cause of a connection failure.
For more information on Test Connection, see the following Knowledge Base article: https://airwatch.zendesk.com/entries/93250708-Troubleshooting-SEG-Test-Connection
8. Optionally, configure the advanced settings. To do this, select the icon corresponding to the MEM configuration on the Email Configuration main screen.
Setting: Use Recommended Settings. By default, the Use Recommended Settings check box is enabled to capture all SEG traffic information from devices. Otherwise, specify what information the SEG should log for devices and how frequently.
Setting: Enable Real-time Compliance Sync. Enable this option to let the AirWatch Admin Console remotely provision compliance policies to the SEG Proxy server.
Setting: KCD authentication. Enable this if you want certificate-based authentication with Kerberos Constrained Delegation when your SEG server and email infrastructure are in different domains.
Setting: Required transactions. Enable or disable the required transactions such as Folder Sync, Settings, and so on.
Setting: Optional transactions. Enable or disable the optional transactions such as Get Attachment, Search, Move Items, and so on.
Setting: Diagnostic. Set the number and frequency of transactions logged for a device.
Setting: Sizing. Set the frequency of SEG and API server interaction. AirWatch recommends using Delta Sync for policy updates, as it minimizes the amount of data sent to the SEG and thereby improves performance. Delta Sync refreshes at a default interval of ten minutes so that the SEG has an up-to-date policy set. This is particularly useful when multiple SEGs are in use, since a SEG is then out of sync with the AirWatch Admin Console for at most ten minutes.
Setting: S/MIME Options. Select Yes to disallow the encryption of attachments and the transformation of hyperlinks through the SEG for emails signed with S/MIME certificates.
Step 2: Preparing for the Installation
2. You might need to disable User Account Control (UAC) for the installation process; you can re-enable it after the installation is complete. Whether this is needed varies with the server deployment.
3. In the AirWatch Admin Console, create an admin account for the SEG (required by the simple installation wizard). Create the admin account at an organization group at or above the one where you want to configure the SEG.
Step 3: Running the AirWatch SEG Installer
2. Accept the End User License Agreement, and then select Next.
3. Specify the Destination Folder in which to install the SEG. Select Change if you want to modify the destination folder for the AirWatch application files. The installer defaults to C:\AirWatch; the standard, however, is to install AirWatch on a partition separate from the OS.
4. The AirWatch IIS configuration dialog box appears. Select Default Web Site as the IIS website location in which to install the SEG.
6. Once the installation process is complete, the SEG Installation Wizard dialog box appears. Select Finish to close the installer. The AirWatch SEG Setup shortcut icon is created on the desktop, and the localhost URL opens in the browser.
Step 4: Configuring the SEG with the Setup Wizard
- Specify the SEG Admin Account Username and Password. The account needs the 'SOAP API General' role resource in the AirWatch Admin Console (Accounts > Administrators > Roles > Add Role > API > SOAP). Create the SEG admin account at the organization group you are configuring the SEG for, or at a level above it. Use a dedicated account that holds only this role rather than a general console administrator account, so that the credentials given to the SEG cannot be used for anything beyond the API calls it needs.
- If you have an outbound proxy server, enable Proxy for AirWatch services communication:
  - Enter the URL of the outbound proxy host.
  - Enter the proxy port number.
  - Choose the authentication type: Anonymous Authentication or Basic Authentication.
    - If you choose Basic Authentication, enter the username and password.
- If you have a proxy in front of the email server, enable Proxy for email server communication:
  - Enter the URL of the proxy host server.
  - Enter the port of the proxy host server.
  - Select the type of authentication required to access this proxy server. Options include:
    - Anonymous Authentication: users connect without credentials, with the rights the proxy administrator has configured.
When you have finished configuring the Setup options, choose Next.
2. Configure the SEG for your specific deployment. Enter the following information:
- In the Organization Group field, enter the Group ID of the SEG's organization group.
3. Next, specify the following SEG Configuration settings. These are pre-populated with the values you entered in the AirWatch Admin Console. Make any changes as needed; at the end of the Setup wizard the changes are automatically reflected in the AirWatch Admin Console.
Setting: Email Server / Email Server Hostname. Select the email server type and Exchange version, and enter the email server hostname the AirWatch SEG uses to communicate with your internal email servers.
Setting: Proxy webmail traffic through gateway. Select this check box to proxy webmail traffic, in addition to EAS traffic, through the SEG.
Setting: Use Recommended Settings. Enable this check box to capture all SEG traffic information from devices. Otherwise, specify what information the SEG logs for devices and how frequently.
Setting: Ignore SSL errors with Email Server. Enable this check box to ignore SSL certificate errors between the SEG and the EAS server. This disables certificate validation on that link, so the SEG accepts any certificate; leave it off outside of temporary troubleshooting.
Setting: Rules Refresh Interval (min). Enter the interval, in minutes, at which the SEG refreshes its rules.
Setting: Transfer Rate to Gateway (transactions) / Transfer Rate to Console (transactions). Set the transfer rate for the transactions between the SEG and the AirWatch Admin Console.
Setting: Friendly Name. Define a friendly name to help identify the SEG in the logs.
Setting: Enable Real-time Compliance Sync. Select this check box so that the AirWatch Admin Console pushes compliance updates down to the SEG instead of the SEG polling for them at a timed interval. Your compliance rule set then updates immediately when actions occur rather than at the polling rate.
Setting: Gateway Hostname. Specify the hostname of this SEG Proxy server.
If multiple SEG servers are load balanced, a single policy broadcast message reaches only one SEG. This includes the messages the AirWatch Admin Console sends to the SEG on enrollment and on compliance violation or correction. AirWatch recommends using Delta Sync with a refresh interval of ten minutes so that every SEG learns about newly enrolled or newly compliant devices; such devices wait at most ten minutes before email begins to sync. Benefits of this approach include:
- Updated policies from the same API source for all SEG servers.
- Fewer failure points, as each SEG is responsible for its own policy set.
SEG Clustering is also available to share single policy updates with all nodes of a SEG cluster. For more information on configuring SEG clustering, see Frequently Asked Questions.
5. The SEG Service Settings screen displays. This summary page shows information such as the AirWatch group, API certificate, certificate expiry date, and log level. Select the log level the SEG Proxy server uses for troubleshooting. Select Save to restart the Integration service automatically.
Any changes made to the SEG configuration are automatically updated in the Console settings after the Setup wizard completes.
Step 5: Deploying Mobile Email through the SEG Proxy
2. Select a device platform. If you use the SEG for multiple device operating systems, create a similar profile for each platform.
3. On the General tab, enter the profile information and assign the profile to the applicable organization groups and smart groups. Keep the assignment type as Automatic or Optional.
4. Select Exchange ActiveSync and choose Configure. Configure the parameters for accessing corporate mail through the SEG:
- Select the Mail Client your organization intends end users to use from the drop-down menu.
- Ensure that the Exchange ActiveSync Host is the hostname of the SEG server and not the Exchange server.
- Use lookup values so that each user receives their own distinct email configuration.
AirWatch recommends leaving the Password field blank. The end user is then prompted to enter the password once the profile is installed on the device, and no password is embedded in the profile itself.
5. Once complete, choose Save and Publish to begin using secure mobile email. AirWatch recommends creating an additional profile for each device platform for which you want to provision mobile email.
Chapter 5: Email Management through the Secure Email Gateway (SEG) Proxy
Overview
After the SEG proxy integration setup is complete, you can manage the email traffic of connected devices, set email policies, and take appropriate actions on the devices from the AirWatch Admin Console.
Securing with Email Policies
- User: Restrict email access to a set of users based on the email user name.
- EAS Device Type: Allow or block devices based on the EAS Device Type attribute reported by the end-user device.
Managed Device Policies
- Inactivity: Prevent inactive managed devices from accessing email. Specify the number of days a device shows up as inactive (that is, does not check in to AirWatch) before email access is cut off. The minimum accepted value is 1 and the maximum is 32767.
- Device Compromised: Prevent compromised devices from accessing email. This policy does not block email access for devices that have not reported their compromised status to AirWatch, so a device that never reports is not caught by it; pair it with the Inactivity policy to cover devices that stop checking in.
- Encryption: Prevent email access for unencrypted devices. This policy applies only to devices that have reported their data protection status to AirWatch.
- Model: Restrict email access based on the platform and model of the device.
- Operating System: Restrict email access to a set of operating systems for specific platforms.
- Require ActiveSync Profile: Block email access for devices whose email is not managed through an Exchange ActiveSync profile, so that only devices that received their mail configuration from AirWatch can sync.
- Attachments (managed devices): Encrypt email attachments of the selected file types with an encryption key unique to the device and user combination. These attachments are secured on the device and can be viewed only in AirWatch Content Locker. Currently, this feature is available only on managed iOS, Android, and Windows Phone devices with the AirWatch Content Locker application. For other managed devices, you can choose to allow encrypted attachments, block attachments, or allow unencrypted attachments.
- Attachments (unmanaged devices): Allow encrypted attachments, block attachments, or allow unencrypted attachments for unmanaged devices. Attachments are encrypted for unmanaged devices to prevent data loss and maintain email integrity (for example, for forwarded or replied messages). Attachments encrypted for unmanaged devices cannot be opened in AirWatch Content Locker.
- Hyperlink: Allow device users to open hyperlinks contained in an email directly in the AirWatch Browser on the device. The Secure Email Gateway dynamically modifies the hyperlink so that it opens in AirWatch Browser. Choose one Modification Type:
  - All: Open all hyperlinks in AirWatch Browser.
  - Include: Open only hyperlinks for the listed domains in AirWatch Browser. Enter the included domains in the Only modify hyperlinks for these domains field; you can also bulk upload the domain names from a .csv file.
  - Exclude: Open all hyperlinks in AirWatch Browser except those for the listed domains. Enter the excluded domains in the Modify all hyperlinks except for these domains field; you can also bulk upload the domain names from a .csv file.
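Added example, not AirWatch's code: PowerShell that implements the All / Include / Exclude decision described above and applies it to a constructed HTML body. The domain-matching rule (a link's host is in scope when it equals a listed domain or is a subdomain of one) and the wrapper prefix used for rewritten links are assumptions; the guide does not describe the SEG's actual matching or link format.

```powershell
# Added example, not AirWatch's code.
function Test-DomainInList {
    # True when $HostName equals a listed domain or is a subdomain of it (assumed rule).
    # Suffix-matching on '.' + domain keeps 'notexample.com' from matching 'example.com'.
    param([string]$HostName, [string[]]$Domains)
    foreach ($domain in $Domains) {
        $d = $domain.Trim().ToLowerInvariant()
        if ($d -eq '') { continue }
        if ($HostName -eq $d -or $HostName.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

function Test-ShouldModifyHyperlink {
    # Applies the policy's Modification Type (All / Include / Exclude) to one link target.
    param([string]$Url, [string]$ModificationType, [string[]]$Domains = @())
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if (@('http', 'https') -notcontains $uri.Scheme) { return $false }   # mailto:, tel: and the like are left alone
    $h = $uri.Host.ToLowerInvariant()
    switch ($ModificationType) {
        'All'     { return $true }
        'Include' { return (Test-DomainInList -HostName $h -Domains $Domains) }
        'Exclude' { return -not (Test-DomainInList -HostName $h -Domains $Domains) }
        default   { throw "Unknown Modification Type '$ModificationType'" }
    }
}

function Convert-MailHyperlinks {
    # Rewrites the href targets the policy selects. The 'awb-open://?url=' wrapper is a placeholder
    # (assumption): the real SEG-to-AirWatch Browser link format is not described in this guide.
    param([string]$Html, [string]$ModificationType, [string[]]$Domains = @(), [string]$WrapPrefix = 'awb-open://?url=')
    $evaluator = {
        param($match)
        $target = $match.Groups[1].Value
        if (Test-ShouldModifyHyperlink -Url $target -ModificationType $ModificationType -Domains $Domains) {
            'href="' + $WrapPrefix + [System.Uri]::EscapeDataString($target) + '"'
        } else {
            $match.Value
        }
    }
    return [regex]::Replace($Html, 'href\s*=\s*"([^"]*)"', $evaluator)
}

# Constructed sample (not from the guide): an Include policy for two internal domains,
# as if loaded from the .csv bulk upload.
$includeDomains = @('intranet.example.com', 'example.com')
$body = @'
<p><a href="https://intranet.example.com/doc/1">Internal doc</a>
<a href="https://notexample.com/login">Look-alike</a>
<a href="http://www.example.com/">Public site</a>
<a href="mailto:helpdesk@example.com">Helpdesk</a></p>
'@
Convert-MailHyperlinks -Html $body -ModificationType 'Include' -Domains $includeDomains
```

With the sample above, the first and third links are rewritten (exact match and subdomain of example.com), the look-alike domain and the mailto: link are not. The same body with 'Exclude' and the same list inverts the first and third decisions. Whatever list you upload, test it against look-alike hosts like the second link: a naive "ends with example.com" check would wrap them and lend them the AirWatch Browser's appearance of trust.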
Best Practice
Test email policies before deploying them to devices. AirWatch recommends the following method to test the capabilities of these policies before applying them:
- Enable the Test Mode option on the Email Dashboard. This lets you test compliance capabilities without applying the policies to the devices.
Discovering Devices
Before you can begin managing devices from the Email Dashboard, the configured MEM deployment must discover the devices
enrolled in the organization group. This section discusses how devices with or without an EAS profile are discovered by
the configured MEM deployment.
Email Dashboard
Gain visibility into the email traffic and monitor the devices through the AirWatch Email Dashboard. This dashboard gives
you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from
Email > Dashboard. From the Email Dashboard, you can access the List View page, which enables you to:
l Whitelist or blacklist a device to allow or deny access to email, respectively.
l View which devices are managed, unmanaged, compliant, non-compliant, blocked, or allowed.
l View device details such as OS, Model, Platform, Phone Number, IMEI, and IP address.
From the Dashboard, you can also use the available graphs to filter your search. For example, to view all the
managed devices of the organization group, select the Managed Devices graph. The results display in the List View
screen.
List View
View all real-time updates for the end-user devices that you are managing with AirWatch MEM. You can access the
List View from Email > List View. You can view device-specific or user-specific information by switching between the two
tabs available here, Device and User. You can change the Layout to view either a summary or the detailed list of the
information, based on your requirement.
l MEM Config - The configured MEM deployment that is managing the device.
l Identifier - The unique alphanumeric identification code associated with the device.
l Mail Client - The email client syncing the emails on the device.
l Last Command - The command that triggered the last state change of the device; it populates the Last Request column.
l Status - The real-time status of the device and whether email is blocked or allowed on it as per the defined policy.
l Reason - The reason code for allowing or blocking email on a device. Note that the reason code displays
'Global' and 'Individual' only when the access state of the email is changed by an entity other than AirWatch (for
example, an external administrator).
l Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.
l Mailbox Identity - The location of the user mailbox in the Active Directory.
Note: In the Email Dashboard, an iOS device shows a mailbox record if a native email client is already configured on
the device at the time of enrollment, or when an EAS profile is pushed for other email clients. An Android device shows a
mailbox record when the device enrolls or when email clients are installed on the enrolled device, with the exception
of AirWatch Inbox.
l Policy Violation - Compromised, Device Inactive, Not Data Protected/Enrolled/MDM Compliant, Unapproved
EAS Device Type/Email Account/Mail Client/Model/OS.
Performing Actions
The Override, Actions, and Administration dropdown menus provide a single location to perform multiple actions on
the device.
Note: These actions cannot be undone once performed.
Override
Select the check box corresponding to a device to perform actions on it.
l Whitelist - Allows a device to receive emails.
l Default - Allows or blocks a device based on whether the device is compliant or non-compliant.
Actions
l Run Compliance - Triggers the compliance engine to run for the selected MEM configuration.
l Enable Test Mode - Test email policies without applying them to devices. Once enabled, a message
'Test Mode Enabled' displays on the List View screen. Note that enabling or disabling Test Mode does not
require you to run the compliance engine.
Administration
l Dx Mode On - Runs diagnostics for the selected user mailbox.
l Dx Mode Off - Turns off diagnostics for the selected user mailbox.
l Update Encryption Key - Resets the encryption key and re-syncs the emails for the selected devices.
l Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Note that
this record may reappear after the next sync.
Note: For security reasons, targeted logging is available only on the SEG server through
'localhost/SEGConsole'.
2. Select the required query from the options EAS Device Identifier and Username in the Targeted Logging screen.
5. Once complete, select Stop Targeted Logging. By default, logs are written to the Logs > EASListener folder.
2. Select Export Device Policies from the Device Policies section. The .csv file is downloaded to the default location.
3. Select OK.
Chapter 6:
Frequently Asked Questions
Overview
SEG Clustering FAQs
Overview
This chapter answers some common questions about SEG clustering and lists the troubleshooting steps to follow when an
error occurs.
SEG Clustering FAQs
How do I enable SEG clustering?
SEG clustering can be enabled while configuring the SEG with the Secure Email Gateway Setup Wizard. In the SEG Setup
Wizard:
1. Enter the setup details in the Setup page and select Next.
2. Enter the configuration settings details in the Configuration page and select Next. The Cluster Configuration page
appears.
To learn which setup details and configuration settings must be entered, see steps 1-3 of Configuring the SEG
with the Setup Wizard.
l Specify the name you want to assign to the cluster in the Cluster Directory Name field.
l Define the default port the SEG servers use to communicate with each other in the Default Port field.
l Specify the host name of each SEG server in the cluster in the Node Address field.
<?xml version="1.0"?>
<applicationClusterDirectory name="SecureEmailGateway" port="9090">
  <node address="servername1" name="seg@servername1"/>
  <node address="servername2" name="seg@servername2"/>
</applicationClusterDirectory>
The name attribute of the opening applicationClusterDirectory tag reflects the name of the cluster as defined during
configuration; any difference in this value results in separate clusters being created. For example, if SEG1 is a
member of the cluster named SEG1 and SEG2 is a member of the cluster named SEG2, these two SEGs will never
initiate communication with each other.
Note: The "name" value is not updated if a new SEG server is elected master.
How should the SEGs be re-clustered if the cluster breaks?
Clustering issues are typically seen when communication between the SEG servers is broken. In such cases, follow the
steps below:
1. Verify that the EAS Integration Service is configured properly for clustering on all servers.
l EAS Integration Service config file (\AW.Eas.IntegrationService\AW.Eas.IntegrationService.exe.config):
o In the configSections section, the cacheConfiguration field should be set to Clustered.
l Add the node address of the chosen SEG to AppClusterDirectory.xml. This should be the only node listed in
AppClusterDirectory.xml.
3. Restart the EAS Integration Service on the chosen SEG server. This SEG server now becomes the master node.
l Verification - In the Integration Service log file for this SEG server, verify that the server joins the cluster as the
Master.
l Configure the AppClusterDirectory.xml of the other SEG servers identically to that of the master SEG. This means the
AppClusterDirectory.xml of the other SEG servers should list only the master SEG.
5. Restart the EAS Integration Service on the other SEG servers in the cluster.
l These SEG servers now act as slave nodes and seek the master node. The AppClusterDirectory.xml lists the
information of the master SEG and the slave SEG servers.
l Verification:
o In the Integration Service log file for each SEG server, verify that the server joins the cluster as a Slave server.
o Verify that AppClusterDirectory.xml is updated with information regarding all servers in the cluster, with the
Master node at the top of the server list.
2. Monitor the Integration Service log files for each SEG server to check for errors pertaining to the following:
l Communication errors between the SEG servers.
l Policy update errors (perform a manual update of policies from the SEG Console or AirWatch Console).
3. Enter the command netstat -an | find "9090", which should return a listener for both TCP and UDP.
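The following Python script is an added example, not part of the AirWatch product. It parses the applicationClusterDirectory format shown earlier in this FAQ and applies the consistency rules this chapter states, so that the verification step above (every server's AppClusterDirectory.xml listing all members with the master on top) can be checked from copies of the files: every member must carry the same cluster name and port, since members with different names never communicate; every member must agree on the master, taken as the first listed node; and every member must list every server. The node name convention seg@<address> is taken from the sample file and treated as an assumption, and the two XML documents below are constructed sample data standing in for files read from two servers.

```python
"""Consistency check for AppClusterDirectory.xml across the members of a SEG cluster.

Added example; it is not part of the AirWatch product. It parses the
applicationClusterDirectory format from the FAQ and applies the rules the
text states: same cluster name and port on every member, the master node
first in every member's list, and every member listed on every server.
The seg@<address> node-name convention is an assumption taken from the
sample file. The XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET


def parse_directory(xml_text):
    """Return {'name', 'port', 'nodes': [(address, name), ...]} from one AppClusterDirectory.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "applicationClusterDirectory":
        raise ValueError(f"unexpected root element <{root.tag}>")
    nodes = [(node.get("address"), node.get("name")) for node in root.findall("node")]
    return {"name": root.get("name"), "port": int(root.get("port", "0")), "nodes": nodes}


def check_cluster(directories):
    """directories maps each SEG host name to the XML text read from that server.

    Returns a list of problems; an empty list means the files describe one consistent cluster.
    """
    parsed = {host: parse_directory(text) for host, text in directories.items()}
    problems = []

    names = {d["name"] for d in parsed.values()}
    if len(names) > 1:
        problems.append(f"cluster name differs across members {sorted(names)}: "
                        "members with different names never initiate communication")
    ports = {d["port"] for d in parsed.values()}
    if len(ports) > 1:
        problems.append(f"cluster port differs across members: {sorted(ports)}")

    # The first node in each list is the master; every member must agree on it.
    masters = {d["nodes"][0][0] for d in parsed.values() if d["nodes"]}
    if len(masters) > 1:
        problems.append(f"members disagree on the master (first listed node): {sorted(masters)}")

    for host, d in parsed.items():
        addresses = [address for address, _ in d["nodes"]]
        if not addresses:
            problems.append(f"{host}: directory lists no nodes")
            continue
        if host not in addresses:
            problems.append(f"{host}: its own address is missing from its directory")
        for address, name in d["nodes"]:
            if name != f"seg@{address}":
                problems.append(f"{host}: node {address} is named {name!r}, expected 'seg@{address}'")
        for member in parsed:
            if member not in addresses:
                problems.append(f"{host}: cluster member {member} is not listed")
    return problems


# Constructed sample: both servers agree on name, port, and master.
GOOD_DIRECTORY = """<?xml version="1.0"?>
<applicationClusterDirectory name="SecureEmailGateway" port="9090">
  <node address="servername1" name="seg@servername1"/>
  <node address="servername2" name="seg@servername2"/>
</applicationClusterDirectory>"""

# Constructed sample: servername2 was configured with a different cluster name.
RENAMED_DIRECTORY = GOOD_DIRECTORY.replace('name="SecureEmailGateway"', 'name="SEG2"')

CONSISTENT = {"servername1": GOOD_DIRECTORY, "servername2": GOOD_DIRECTORY}
SPLIT_CLUSTER = {"servername1": GOOD_DIRECTORY, "servername2": RENAMED_DIRECTORY}

if __name__ == "__main__":
    for label, directories in (("consistent", CONSISTENT), ("split", SPLIT_CLUSTER)):
        print(label, check_cluster(directories) or ["OK"])
```

Run it against copies of the file collected from each server after step 5; an empty problem list is the expected end state, while a member whose file still lists only the master shows up as missing entries, which is what you see before that member has joined.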
Note: While the integration service is not running, SEG falls back to the default setting in the Web Listener web.config
file.
Appendix:
Upgrading the SEG Proxy Server
Overview
The SEG is designed to make the upgrade process quick and easy. Perform the following steps to upgrade the SEG to the
latest version.
2. AirWatch recommends running the MEM Configuration wizard again and associating the existing EAS profile with the
SEG deployment.
2. Click Install to begin the upgrade. The SEG Installer automatically performs the SEG upgrade.
Appendix:
Securing with Basic Authentication
Overview
AirWatch recommends using basic authentication to secure the SEG endpoint with the AirWatch Console and for
enhanced security while sending policy updates.
c. Navigate to Server Manager > Local Users and Groups > Users. Create a basic username and password.
b. Enter the username and password that you created in step c above.
Appendix:
Configuring with Reverse Proxy Server
Overview
SEG can be configured to work with reverse proxy servers in a normal fashion. You can set up load balancing between the
SEGs and reverse proxy, but take care to configure the load balancers in front of the Central Authentication Service (CAS).
Recommendations
l IP based affinity: Recommended if you are using Certificate authentication and there is no proxy or other
component in front of the load balancer that would change the source IP from the original device.
l Authentication Header Cookie based Affinity: Recommended if you are using Basic authentication, especially if
there is a proxy or other network component that would change the source IP from the original device.
For more information, please see
http://technet.microsoft.com/en-us/library/ff625248%28v=exchg.141%29.aspx
http://technet.microsoft.com/en-us/library/ff625247
Note: Exchange ActiveSync is a stateless protocol, and persistence is not explicitly required by MSFT. The best
method of load balancing may vary from implementation to implementation.
Configuration
l Generally, load balancers may be set to round-robin across the CAS with persistence based on the source IP address. This
works well when devices connect directly to the reverse proxy, but causes issues when a SEG is placed in front of it.
With one or two SEGs, the load balancer in front of the CAS sees only one or two source IP addresses, so
persistence sends all the traffic to one or two CAS and load balancing is defeated.
l Another issue can arise if limits are configured on the reverse proxy server. For example, on an Internet
Security and Acceleration (ISA) server, the default number of concurrent connections accepted from a single IP
address is about 150. You need to set this to at least 5000 connections. On an ISA server, this can be configured under the
Flood Mitigation settings.
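The following Python script is an added illustration of the two points above, not AirWatch or Microsoft code. It models a load balancer in front of several CAS as choosing a backend by hashing an affinity key, and compares source-IP affinity with affinity on the per-user authentication header for the same set of device sessions, first with devices connecting directly and then with the sessions arriving from two SEGs. The same session set shows the peak number of concurrent connections a proxy such as ISA would see from a single SEG address. All addresses, user names, the number of CAS, and the SHA-256 bucket hash are constructed assumptions standing in for a real deployment and for the balancer's own algorithm.

```python
"""Why source-IP persistence collapses behind a SEG, and why per-IP connection limits matter.

Added illustration, not AirWatch or Microsoft code. A load balancer in front
of several CAS is modelled as choosing a backend by hashing an affinity key.
When devices connect directly, the source IP differs per device; behind one
or two SEGs every request carries a SEG's IP, so source-IP affinity lands all
traffic on at most one or two CAS, while affinity on the per-user
Authorization header keeps the spread. All addresses and users are
constructed sample data; the hash stands in for the balancer's algorithm.
"""
import hashlib
from collections import Counter

CAS_SERVERS = ["cas1", "cas2", "cas3", "cas4"]          # assumed CAS pool
SEG_IPS = ["192.0.2.10", "192.0.2.11"]                  # two SEGs, TEST-NET-1 addresses (constructed)


def pick_backend(affinity_key, backends=CAS_SERVERS):
    """Deterministically map an affinity key to one backend (stand-in for the balancer's hash)."""
    digest = hashlib.sha256(affinity_key.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def make_requests(n_devices, seg_ips=None):
    """Return (source_ip, authorization_header) pairs, one open session per device.

    Without SEGs each device has its own public IP; with SEGs the source IP the
    CAS-side balancer sees is the SEG's, with devices spread evenly across the SEGs.
    """
    requests = []
    for i in range(n_devices):
        device_ip = f"203.0.113.{i % 250 + 1}"  # TEST-NET-3, constructed
        auth = f"Basic user{i}"                   # stand-in for the per-user EAS credential header
        source_ip = seg_ips[i % len(seg_ips)] if seg_ips else device_ip
        requests.append((source_ip, auth))
    return requests


def distribution(requests, affinity):
    """Count sessions per CAS under 'source_ip' or 'auth_header' affinity."""
    counts = Counter()
    for source_ip, auth in requests:
        key = source_ip if affinity == "source_ip" else auth
        counts[pick_backend(key)] += 1
    return counts


def backends_used(requests, affinity):
    """How many CAS actually receive traffic under the given affinity."""
    return len(distribution(requests, affinity))


def peak_connections_per_ip(requests):
    """Largest number of concurrent sessions the proxy sees from one source IP."""
    return max(Counter(source_ip for source_ip, _ in requests).values())


if __name__ == "__main__":
    direct = make_requests(200)
    via_seg = make_requests(200, SEG_IPS)
    print("direct, source-IP affinity:   ", dict(distribution(direct, "source_ip")))
    print("via SEG, source-IP affinity:  ", dict(distribution(via_seg, "source_ip")))
    print("via SEG, auth-header affinity:", dict(distribution(via_seg, "auth_header")))
    print("peak sessions per source IP via SEG:", peak_connections_per_ip(via_seg),
          "(ISA default limit is about 150)")
```

With 200 devices behind two SEGs, source-IP affinity can use at most two of the four CAS, while header-based affinity spreads the same sessions across all four; the same run shows 100 concurrent sessions from each SEG address, which is why a per-IP connection limit sized for individual devices has to be raised when a SEG sits in front of the proxy.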
Finding Additional Documentation
Note: AirWatch recommends you always pull the document from AirWatch Resources each time you need to
reference it.
To search for and access additional documentation on the AirWatch Resources page, perform the following step-by-step
instructions:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page displays with a list
of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.
l Search for a particular resource using the search box in the top-right by entering keywords or document names.
l Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
by selecting myAirWatch from the navigation bar and then selecting My Resources from the toolbar.
l Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
updated with the latest bug fixes and feature enhancements. Therefore, AirWatch recommends you always pull
the document from AirWatch Resources each time you need to reference it.
Having trouble finding a document? Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install & Architecture, Email Management), then selecting that will also
further narrow your search and provide better results. Filtering by PDF as a File Type will narrow your search
even further to include only technical documentation manuals.