VMware AirWatch SEG Administration Guide v8 - 3

VMware AirWatch Secure Email Gateway
Proxy Guide
Securing Your Email Infrastructure
AirWatch v8.3
Have documentation feedback?Email docfeedback@air-watch.com. Note that if you require assistance from AirWatch
Support you should submit a support request through myAirWatch Support (support.air-watch.com).
Copyright 2016 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by
international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their
respective companies.
VMware AirWatch Secure Email Gateway Proxy Guide | v.2016.04 | April 2016
Copyright 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
1
Revision Table
The following table displays revisions to this guide since the release of AirWatch v8.3.
Date Reason
February 2016 Initial upload.
March 2016 Changed the Delta Sync refresh interval from five to ten minutes.
See Enabling SEG Proxy on AirWatch Admin Console and Configuring the SEG with the Setup Wizard.
2
Table of Contents
Chapter 1: Overview 5
What's New 6
Introduction to the Secure Email Gateway (SEG) 6
In This Guide 6
Before You Begin 7
Chapter 2: Prerequisites for SEGConnectivity 8

Chapter 3: SEGArchitecture 15
Overview 16
Chapter 4: SEGImplementation 18
Overview 19
Step 1: Enabling SEG Proxy on AirWatch Admin Console 19
Step 2: Preparing for the Installation 23
Step 3: Running the AirWatch SEG Installer 23
Step 4: Configuring the SEG with the Setup Wizard 25
Step 5: Deploying Mobile Email through the SEG Proxy 28
Chapter 5: Email Management through the Secure Email Gateway (SEG) Proxy 30
Overview 31
Securing with Email Policies 31
Discovering Devices 32
Email Dashboard 33
List View 33
SEG Targeted Logging 35
Comparing SEG Policies 36
Chapter 6: Frequently Asked Questions 37

Overview 38
SEGClustering FAQs 38
Appendix: Upgrading the SEG Proxy Server 42

3
Overview 42
Appendix: Securing with Basic Authentication 43

Overview 43
Appendix: Configuring with Reverse Proxy Server 44

Overview 44
Finding Additional Documentation 45
4
Chapter 1:
Overview
What's New 6
Introduction to the Secure Email Gateway (SEG) 6
In This Guide 6
Before You Begin 7
5
Chapter 1: Overview
What's New
This guide has been updated with the latest features and functionality from the most recent release of AirWatch v8.3. The
list below includes the new feature and the sections and pages on which they appear.
l Delta Sync, a SEG policy sync with a refresh interval of ten minutes, has been introduced to return only those policy
records that have changed since the last bulk policy sync. This type of sync is particularly useful when multiple SEGs
are in use. See Enabling SEG Proxy on AirWatch Admin Console and Configuring the SEG with the Setup Wizard.
Introduction to the Secure Email Gateway (SEG)

The Secure Email Gateway (SEG) Proxy server is a separate server installed in-line with your existing email server to proxy
all email traffic going to devices.
Note: The SEG Proxy model requires Exchange ActiveSync infrastructure (For example, Microsoft Exchange
2003/2007/2010/2013/2016, Lotus Traveler, and Novell GroupWise Data Synchronizer). Please consult your AirWatch
representative for more information.
The AirWatch SEG Proxy server is configured to reside in front of your corporate email server. Based on the settings you
define in the AirWatch Admin Console, the SEG Proxy server takes allow or block decisions for every mobile device it
manages. The SEG Proxy server relays traffic from approved devices and protects corporate email server by not allowing
any devices to directly communicate with it. Instead, the SEG Proxy server filters all communication requests to the
corporate email server. The SEG provides one more layer of security by controlling how the email attachments and
hyperlinks can be viewed. Through SEG, email attachments and hyperlinks are encrypted which can be opened only
through AirWatch Content Locker and AirWatch Browser respectively, thus protecting sensitive information.
The SEG server is installed inline with corporate email traffic. It may be installed in a DMZ or behind a reverse proxy
server, for example, F5 server. The SEG server must be hosted in the customer data-center, regardless of whether the
AirWatch MDM server is in the cloud or on premises.
You can download the most up-to-date version of the Secure Email Gateway Guide, which includes configuration and
installation, from AirWatch Resources.
In This Guide
l Secure Email Gateway Configuration - This section explains the SEG setup that is supported by AirWatch.
l Secure Email Gateway Implementation - This section details how to enable SEG in the AirWatch Admin Console.
l Upgrading Secure Email Gateway - Explains how to upgrade SEG to the latest version.
l Email Management through the SEG Proxy Integration - This section covers the features available in AirWatch to
manage your device fleet effectively with this integration type.
6
Chapter 1: Overview
Before You Begin

The Before You Begin topic provides the information that helps you with the initial setup, configuration, and
understanding of the requirements essential for a smooth user experience.
Requirements
For a complete listing of all requirements for installing SEG, refer to Prerequisites for SEG Connectivity.
Prerequisites
l Enable the Simple Object Access Protocol (SOAP) Application Programming Interface (API) for the required
organization group. To configure the SOAP API URLfor your AirWatch environment, navigate to Groups & Settings >
All Settings > System > Advanced > API > SOAPAPI. The AirWatch Admin Console gets the API certificate from the
SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format
asXX.airwatchportals.com.
l Create an Exchange Active Sync profile having the Assignment Type as Optional and EAS hostname as the SEG server
URL.
7
Chapter 2:
Prerequisites for SEGConnectivity
8
Chapter 2: Prerequisites for SEGConnectivity
Hardware Requirements
Status
Requirement Notes
Checklist
VMor Physical Without content transformation (attachment encryption, hyperlinks security, tagging
Server and so on):
1 CPUCore (2 GBRAM) per 2,000 devices syncing email through the SEGserver. Max
16,000 devices per SEG.
With content transformation (attachment encryption, hyperlinks security, tagging and
so on):
2 CPUCore (4 GBRAM)per 2000 devices syncing email through the SEGserver. Max 8,000
devices per SEG. IIS App Pool Maximum Worker Processes should be configured as (# of
CPU Cores / 2).
Load-balanced SEGservers can be deployed with size requirements being cumulative.
Important: An Intel processor is required.
5 GB Disk Space per SEGand dependent software (IIS). This does not include system
monitoring tools or additional server applications.
General Requirements
Status
Requirement Notes
Checklist
Remote access to AirWatch recommends setting up Remote Desktop Connection Manager for
Windows Servers multiple server management, installer can be downloaded from
available to AirWatch and http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
Administrator rights See General Requirements.
Installation of Notepad++ Installer can be downloaded from
(Recommended) http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe
Ensure Exchange
ActiveSync is enabled for
a test account
Software Requirements
Status
Requirement Notes
Checklist
Windows Server 2008 R2 or
Windows Server 2012 or
Windows Server 2012 R2
9
Software Requirements
Status
Requirement Notes
Checklist
Install Role from Server Manager IIS 7.0 (Server 2008 R2)
IIS 8.0 (Server 2012 or Server 2012 R2)
IIS8.5 (Server 2012 R2 only)
Install Role Services from Server Common HTTP Features: Static Content, Default Document,
Manager Directory Browsing, HTTP Errors, HTTP Redirection
Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI
Extensions, ISAPI Filters, Server Side Includes
Management Tools: IIS Management Console, IIS 6 Metabase
Compatibility
Ensure WebDAV is not installed.
Install Application Request Routing ARRcomponent is available at

(ARR) http://www.iis.net/downloads/microsoft/application-request-
routing
ARR is mandatory for routing OWA traffic. For Lotus Notes, ARR is
mandatory only when Traveler Mail Client is being used.
Install Features from Server Manager .NET Framework 4.5.2 Features: Entire module
Telnet Client
Install .NETFramework 4.5.2 The SEG Installer installs .NET 4.5.2 if it is not installed beforehand.
Externally registered DNS See Server Requirements.
SSL Certificate from trusted third Ensure SSL certificate is trusted by all device types being used. (i.e.
party with Subject or Subject not all Comodo certificates are natively trusted by Android)
Alternative name of DNS In addition, the SEG server must be able to connect to the SSL
certificate CRL (For example: ocsp.verisign.com)
IIS 443 Binding with the same Validate that you can connect to the server over HTTPS
SSLcertificate (https://yourAirWatchDomain.com). At this point, you should see
the IIS splash page.
See Server Requirements.
For configuring the ports listed below, all traffic is uni-directional (outbound)from the source component to the
destination component.
10
Network Requirements
Source Destination
Protocol Port Verification
Component Component
Devices SEG HTTPS 443 Telnet from Internet to SEG server on port
(from
Internet
and Wi-Fi)
Console SEG HTTPS 443 Telnet from Internet to SEG server on port
Server
SEG AirWatch HTTP or 80 or 443 Verify that the following URL is trusted from the
SOAPAPI HTTPS browser on the SEG server:
(DS or https://<API URL>/AirWatchServices/
CNserver) Internal/0/ActiveSyncIntegrationServiceEndpoint.svc
'IP based Persistence' should be used in the event
when there are more than one API server.
When the communication between SEG and the API

server is through a proxy, SEG cannot make use of
the proxy details defined in the browser settings.
Therefore, the proxy settings must be specified
during SEG configuration.
For more information on configuring proxy settings
see Configuring the SEG with the Setup Wizard on
page 25.
SEG Internal UDP and 9090 If you are using SEG Clustering (multiple load
(OPTIONAL) hostname TCP (Configurable) balanced SEG servers) SEG Clustering across Data
or IPof all Centers is not supported.
other
SEGservers
Device SEG HTTPS 443 Telnet from Device Services to SEG server on port
Services
SEG AirWatch HTTPS l 2001(For Telnet from SEG server to AWCM on port
Cloud on
Messaging premise
(AWCM) instance
server of
AirWatch)
l 443 (For
SaaS
instance
of
AirWatch)
11
The following requirements apply based on the email configuration you are using:
SEG Exchange HTTPor 80 or 443 Verify that the following URL is trusted from the browser on
HTTPS the SEG server and gives a prompt for credentials:
For Exchange: http(s)://Exchange_Activesync_
FQDN/Microsoft-server-activesync
For Lotus Notes: http(s)://LotusNotesTraveler_
FQDN/servlet/traveler
SEG Lotus HTTPor 80 or 443
For Google: https://m.google.com/Microsoft-server-
Notes HTTPS
activesync
For Groupwise (depending on version): http(s):
//Groupwise_FQDN/EAS or http(s)://Groupwise_
FQDN/Microsoft-server-activesync
SEG Google HTTPS 443
Once you enter the credentials, verify that a 501/505 HTTP
page displays.
Important: If your are using SSL from the SEG server to

SEG Novell HTTPor 80 or 443 the mail endpoint, ensure the SEG server is able to reach
Groupwise HTTPS the Certificate Revocation List URL for the mail server's SSL
certificate. Failure to reach this endpoint may result in
performance issues.
If Windows authentication is enabled on your CAS Activesync Endpoint, then one of the following will be required:
1. Certificate Authentication and KCD
2. SEGcannot be joined to the domain.
General Requirements
Remote Access to Servers
Ensure that you have remote access to the servers that AirWatch is installed on. Typically, installations are performed
remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide
AirWatch with VPN credentials to directly access the environment as well.
Server Requirements
External DNSName
The two main components of AirWatch are the Device Services server and the Console server. In a single server
deployment, these reside on the same server, and an external DNS entry needs to be registered for that server.
In a multi-server deployment, these are installed on separate servers, and only the device services component requires
an external DNS name, while the console component can remain only internally available.
SSL Certificate
The externally available URL of the AirWatch server must be setup with a trusted SSL certificate. A wildcard or individual
website certificate is required.
12
1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be
found here: http://support.apple.com/kb/HT5012
2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider will have instructions for this process.
3. Once uploaded on your server you can use it to add a 443 binding to the Default Website in IIS. The bindings for a
completed server look like the following. Your SSL certificate should appear in the drop down menu of available
certificates.
4. Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point you
should see the IIS splash page.
13
If SSL is used for admin console access, ensure that FQDN is enabled or the host file is configured.
14
Chapter 3:
SEGArchitecture
Overview 16
15
Chapter 3: SEGArchitecture
Overview
The section outlines the architecture layout for setting up SEG with your email infrastructure.
Recommended Setup: Exchange ActiveSync SEG Configuration

AirWatch best practices support this configuration. The SEG is placed in the DMZ with no OWA (Outlook Web Access)
routing. If required, SEG can proxy webmail traffic as well, however SEG then becomes a single point of failure for device
and browser email traffic. If there is another network component that can handle this job, it should also be considered.
Note: If OWA traffic must be routed through SEG, then ensure to select the Proxy webmail traffic through gateway
checkbox during the configuration step of the install wizard.
16
Chapter 3: SEGArchitecture
Alternative Supported Setup: Exchange ActiveSync SEG Using Reverse Proxy Configuration
This configuration uses a reverse proxy to direct mobile device users to the SEG Proxy while routing browser users
directly to their webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate
between devices and the SEG using the Exchange ActiveSync (EAS) protocol. This configuration should be used in cases
where the recommended setup is not feasible.
17
Chapter 4:
SEGImplementation
Overview 19
Step 1: Enabling SEG Proxy on AirWatch Admin Console 19
Step 2: Preparing for the Installation 23
Step 3: Running the AirWatch SEG Installer 23
Step 4: Configuring the SEG with the Setup Wizard 25
Step 5: Deploying Mobile Email through the SEG Proxy 28
18
Chapter 4: SEGImplementation
Overview
Once you get a good understanding of the ways in which SEG can be configured, you can choose the type that fits your
organization's requirements. To implement the SEG proxy server on your chosen mail architecture, follow the below
steps.
Step 1: Enabling SEG Proxy on AirWatch Admin Console

1. Navigate to > Email > Settings in the AirWatch Admin Console and select Configure. The Email Config Add wizard
displays.
2. In the Platform wizard form:
l Select the Deployment Model and choose the Email Type, and then select Next.
l Select the Email Server Type from the drop-down menu and choose a Deployment Type for your selected email
architecture, and then select Next.
If you want to deploy the SEG Proxy server for Office 365, please contact AirWatch for additional information.
3. In the Deployment wizard form:

Setting Description
Friendly Name Enter a friendly name for the SEGdeployment. This name gets displayed on the MEM
dashboard screen for devices managed by SEG.
Secure Email Gateway Enter the URL for the SEG server in this field. This URL provisions email policies to the SEG
URL server.
Ignore SSL Errors Select Yes to ignore the Secure Socket Layer (SSL) certificate errors between email server
between SEGand and SEG server.
email server
Ignore SSL Errors Select Yes to ignore Secure Socket Layer (SSL) certificate errors between AirWatch
between SEGand component and SEGserver.
AirWatch server
Use Basic Select Yes if the SEGserver is configured to enforce Basic Authentication.AirWatch
Authentication recommends using basic authentication.
Gateway Username Enter the credentials in order to authenticate and secure traffic (including policy updates
to the SEG server) between AirWatch components and SEG, if disabled, anonymous
authentication is used.
Gateway Password
AirWatch recommends that a valid SSL trust should always be established between AirWatch and SEG server using
valid certificates. Also, ensure to restart IIS (on SEG) after changing the SEG settings 'Ignore SSL Errors between SEG
and email server' or 'Ignore SSL Errors between SEG and AirWatch server'.
19
l Select Next.
4. In the Profiles wizard form, configure the following:
Setting Description
Platform Select the device platform from the dropdown field.
Mail Select an email client from the dropdown field.
Client
Action Select either Use Existing Profile to associate an existing profile of the chosen platform or Create New
profile if the existing profile do not match your requirement. Please note that only one profile per
device type and mail client can be associated.
Profile Select a profile from the drop down field if an existing profile is used for the chosen platform.
5. Select Next. The MEM Config Summary form provides a quick overview of the basic configuration you have just
created for the SEG deployment. Save the settings. You can then view the MEM configuration displaying on the
Mobile Email Management configuration main screen.
20
6. Select the Add option from the main configuration screen to configure more deployments.
21
7. You have completed the email configuration steps. You can now download the SEGinstaller. To do this, select the
icon corresponding to the MEM configuration and select Download SEG Installer.
You also have the option Test Connection to test the connectivity between the SEG,web, and the AirWatch API
servers. The test result shows the success or failure connectivity status from Web to SEG and from SEGto AirWatch
API. These test results, help you identify the cause of connection failure.
For more information on test connection, see the following Knowledge Base article:
https://airwatch.zendesk.com/entries/93250708-Troubleshooting-SEG-Test-Connection
8. Optionally, you can configure the advanced settings. To do this, select the icon corresponding to the MEM
configuration located on the Email Configuration main screen.
Setting Description
Use Recommended By default, the Use Recommended Settings check box is enabled to capture all SEG traffic
Settings information from devices. Otherwise, specify what information and how frequently the SEG
should log for devices.
Enable Real-time Enable this option to enable the AirWatch Admin Console to remotely provision compliance
Compliance Sync policies to the SEG Proxy server.
KCDauthentication Enable this if you want certificate based authentication when your SEG server and email
infrastructure are in different domains
Required Enable or disable the required transactions such as Folder Sync, Settings etc.
transactions
Optional Enable or disable the optional transactions such as Get attachment, Search, Move Items etc.
transactions
Diagnostic Set the number and frequency of transaction for a device.
22
Setting Description
Sizing Set the frequency of SEG and APIserver interaction.
AirWatch recommends utilizing Delta Sync for policy updates as it minimizes the amount of
data sent to SEG, thereby improving the performance. Delta sync is refreshed at a default
time interval of ten minutes to ensure SEG has an updated policy set. This is particularly
useful when multiple SEGs are in use, as there is a maximum of ten minutes where SEG will be
out of sync with the AirWatch Admin console.
S/MIME Options Select Yes to disallow the encryption of attachments and transformation of hyperlinks
through SEG for emails signed with S/MIMEcertificates.
Step 2: Preparing for the Installation

1. Download the SEG Installer from the AirWatch Admin Console to the SEG server attached to your network. To
download, navigate to the Email > Settings page and select AirWatch Secure Email Gateway Installer option.
This page is available only upon completion of the Email Configuration steps mentioned in the above section.
2. You might need to disable User Account Control (UAC) for the installation process. However, you can re-enable UAC
after the installation is complete. This is an environmental consideration that varies depending on the server
deployment.
3. In the AirWatch Admin Console, create an admin account for the SEG (this is required for the simple installation
wizard). Configure the admin account at an organization group level at or above where you want to configure the
SEG.
Step 3: Running the AirWatch SEG Installer

Run the AirWatch SEG installer.
1. Double-click the AirWatch SEG Installer.exe file, or right-click to choose Run as Administrator. The Setup dialog box
displays, and it is followed by a Welcome dialog box. Select Next.
If you receive a Security Warning, choose Run.
23
2. Accept the End User License Agreement, and then select Next.
3. Specify the Destination Folder to install the SEG. Select Change if you want to modify the destination folder for
installing the AirWatch application files.
The installer defaults to C:\AirWatch. However, the standard is to install AirWatch on a partition separate from the
OS.
4. The AirWatch IIS configuration dialog box appears. Select Default Web Site as the IIS Website location for the SEG
to install.
5. Select Install to begin the SEG installation.
24
6. Once the installation process is complete, the SEG Installation Wizard dialog box appears. Select Finish to close the
installer. The AirWatch SEG setup shortcut icon is automatically created on the desktop, and the localhost URL
opens in Explorer.
Step 4: Configuring the SEG with the Setup Wizard

Once the installation process is complete, the Secure Email Gateway Setup Wizard auto-launches. If not, double-click
the SEG shortcut icon on the desktop to open the wizard.
1. Specify the following information on the Setup page:
l Enter the AirWatch Server Hostname that contains the API. This is usually the AirWatch API Service URL.
l Specify the SEG Admin Account Username and Password with the 'SOAP API General' role resource in AirWatch
Admin Console that can be accessed from Accounts > Administrators > Roles > Add Role > API > SOAP. Create
your SEG Admin Account at that organization group or at a level above the organization group that you want to
configure the SEG for.
l If you have a proxy server, then enable Proxy for AirWatch services communication:
o Enter the URLof the outbound Proxy Host.
o Enter the Proxy Port number.
o Choose the type of Authentication; Anonymous Authentication or Basic Authentication.
n If you choose Authentication type as basic, then you need to enter the Username and Password.
l If you have a proxy email server, then enable Proxy for email server communication.
o Enter the URLof proxy host server.
o Enter the port of the proxy host server.
25
o Select the type of authentication required to access this proxy server. Options include:
n Anonymous Authentication - Unknown users can login based on the rights created by the admin.
n Basic Authentication - Enter your username and password to access.
n Windows Authentication - Enter windows credentials to access the server.
When you have finished configuring the Setup options, choose Next.
2. Configure the SEG for your specific deployment. Enter the following information:
l In the Organization Group field, enter the Group ID for the SEG's organization group.
l Select the MEMconfiguration from the dropdown.
3. Next, specify the following SEG Configuration settings. This information will be pre-populated with the setting that
you have entered on the AirWatch Admin Console. Make any changes as needed, and at the end of the Setup
wizard, the changes are automatically reflected in the AirWatch Admin Console.
Settings Description
Email Server Select the Email Server type, Exchange version, and enter the Email Server Hostname for the
Email Server AirWatch SEG to communicate with your internal email servers.
Hostname
Proxy web Select this checkbox if you want to proxy webmail traffic in addition to EAS traffic through the SEG.
mail traffic
through
gateway
Use Enable this check box to capture all SEG traffic information from devices. Otherwise, specify what
Recommended information SEG can log for devices and how frequently.
Settings
Ignore SSL Enable this check box to ignore SSL errors created by certificates between the SEG and EAS server.
errors With
Email Server
Rules Refresh Enter the interval time, in minutes, for SEG to refresh rules
Interval (min)
Transfer Rate Set the transfer rate for the transactions happening between the SEG and the AirWatch Admin
to Gateway Console.
(transactions)
Transfer Rate
to Console
(transactions)
Friendly Name Define a Friendly Name to help identify the SEG in the logs
26
Enable Real- Select this check box so that the AirWatch Admin Console can send down compliance updates in a
time push-based mechanism instead of in a periodically timed poll-based mechanism. This allows your
Compliance compliance rule set to immediately update when actions occur instead at a specified rate.
Sync
Gateway Specify the hostname of the specific SEG Proxy server.
Hostname
Select Next when complete.
4. The Cluster Configuration screen appears. Select Next.
If multiple SEG servers are load balanced, single policy broadcast messages apply to only one SEG. This includes the
messages sent from the AirWatch Admin Console to SEG upon enrollment or compliance violation or correction.
AirWatch recommends using Delta Sync with a refresh interval of ten minutes to facilitate newly enrolled or
compliant devices. These devices experience a waiting period of maximum ten minutes before email begins to sync.
Benefits of this approach include:
l Updated policies from the same APIsource for all SEG servers.
l Smaller performance impact on API server.
l Reduced implementation or maintenance complexity compared to the SEG clustering model.
l Fewer failure points as each SEG is responsible for its own policy sets.
l Improved user experience.
SEG Clustering is also available to facilitate the sharing of single policy updates to all nodes of a SEG cluster.
For more information on how to configure SEG clustering, see Frequently Asked Questions.
5. The SEG Service Settings screen displays. This screen is a summary page displaying information such as AirWatch
Group, API Certificate, Certificate expiry date, and the Log level. Select the Log level that the SEG Proxy server uses
for troubleshooting purposes. Select Save to automatically restart the Integration service.
27
Any changes that were made to the SEG configuration are automatically updated in the Console settings after the Setup
wizard completes.
Step 5: Deploying Mobile Email through the SEG Proxy

Now that the SEG is fully configured, it is ready to begin protecting mobile email. To start using SEG, configure all mobile
devices to fetch email through the SEG server instead of the EAS server. To do this, deploy an EAS profile to your mobile
fleet.
1. Navigate to the Devices > Profiles > List View page, and then select Add to create a new profile.
2. Select a device platform. If you are leveraging the SEG for multiple device OSs then you must create a similar profile
for each platform.
3. On the General tab, enter the information about the profile and assign the profile to the applicable organization
groups and smart groups. Ensure to keep the assignment type as Automatic or Optional.
4. Select Exchange ActiveSync and choose Configure. From here, configure the parameters to access corporate mail
through the SEG.
l Select the Mail Client your organization intends for end users to utilize from the drop-down menu.
l Ensure that the Exchange ActiveSync Host is the hostname of the SEG server and not the Exchange server.
28
l Make sure to leverage lookup values so each user can get their own distinct email.
AirWatch recommends that the Password field be left blank. This prompts the end user to enter the password
once the profile is installed on the device.
5. Once complete, choose Save and Publish to begin utilizing secure mobile email. AirWatch recommends making
additional profiles for each device platform for which you want to provision mobile email.
29
Chapter 5:
Email Management through the Secure
Email Gateway (SEG) Proxy
Overview 31
Securing with Email Policies 31
Discovering Devices 32
Email Dashboard 33
List View 33
SEG Targeted Logging 35
Comparing SEG Policies 36
30
Chapter 5: Email Management through the Secure Email Gateway (SEG) Proxy
Overview
After the SEGproxy integration setup is complete, you can manage the connected device email traffic, set email policies,
and take appropriate actions on the devices from the AirWatch Admin Console.
Securing with Email Policies

Compliance Policies
Enable the below policies from Email > Compliance Policies.You can activate or deactivate the policies using the colored
buttons under the Active column. By default the policies are disabled (red color). Use the edit policy icon under the
Actions column to allow or block a policy.
Note:a. Mail client compliance policy is not supported on Windows Phone.

b. The Android Lotus Notes Client does not support the EASdevice type policy.
c. The Android Lotus Notes Client and iOSTouchdown presently does not support the attachment encryption
security email policy.
General Email Policies

l Sync Settings Prevent the device from syncing with specific EAS folders. Note that AirWatch prevents devices from
syncing with the selected folders irrespective of other compliance policies. For the policy to take effect, it is necessary
to republish the EAS profile to the devices (this forces devices to re-sync with the email server).
l Managed Device Restrict email access only to managed devices.
l Mail Client Restrict email access to a set of mail clients.
l User Restrict email access to a set of users based on the email user name.
l EASDevice Type Allow or block devices based on the EAS Device Type attribute reported by the end-user device.
Managed Device Policies
l Inactivity Allows you to prevent inactive, managed devices from accessing email. You can specify the number of
days a device shows up as inactive (i.e. does not check-in to AirWatch), before email access is cut off. The minimum
accepted value is 1 and maximum is 32767.
l Device Compromised Allows you to prevent compromised devices from accessing email. Note that this policy does
not block email access for devices that have not reported compromised status to AirWatch.
l Encryption Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to
devices that have reported data protection status to AirWatch.
l Model Allows you to restrict email access based on the Platform and Model of the device.
l Operating System Allows you to restrict email access to a set of operating systems for specific platforms.
l Require ActiveSync Profile - Allows you to restrict email access to devices whose emails are not managed through an
Exchange ActiveSync profile.
31
Email Security Policies

l Email Security Classification - Define the action for the SEG to take on emails with and without security tags. You
may either allow or block the email on AirWatch Inbox or other email clients. You can choose different actions for the
AirWatch Inbox and other mail clients. If you choose to block emails, you can choose to replace the email contents
with a helpful message using the available templates configured at message template settings. Please note that
lookup values are not supported for Block Email message template.
l Attachments (managed devices) Encrypt email attachments of selected file type with an encryption key unique to
the device - user combination. These attachments are secured on the device and are only available for viewing on the
AirWatch Content Locker. Currently, this feature is only available on managed iOS, Android, and Windows Phone
devices with the AirWatch Content Locker application. For other managed devices, you can choose to either allow
encrypted attachments, block attachments, or allow unencrypted attachments.
l Attachments (unmanaged devices) Allow encrypted attachments, block attachments, or allow unencrypted
attachments for un-managed devices. Attachments encrypted for unmanaged devices are done to prevent data loss
and maintain email integrity (i.e for Forward or Reply messages). Please note that attachments of un-managed
devices cannot be opened in AirWatch Content Locker.
l Hyperlink Allow device users to open hyperlinks contained within an email directly with AirWatch Browser present
on the device. The Secure Email Gateway dynamically modifies the hyperlink to open in AirWatch Browser.
o You may choose one of the Modification Type:
n All - Choose to open all the hyperlinks with AirWatch Browser.
n Include - Choose if you want the device users to open only the hyperlinks through the AirWatch Browser.
Mention the included domains in the Only modify hyperlinks for these domains field. You can bulk upload
the domain names from a .csv file as well.
n Exclude - Choose if you do not want the device users to open the mentioned domains through the AirWatch
Browser. Mention the excluded domains in the Modify all hyperlinks except for these domains field. You
can bulk upload the domain names from a .csv file as well.
Best Practice
Testing the email policies before deploying on the devices is a good practice. AirWatch recommends using the following
method to test the capabilities of these policies before applying them on the devices.
l Enable the Test Mode option on the Email Dashboard. This ensures you can test compliance capabilities without
applying the policies on the devices.
Discovering Devices
Before you can begin managing the devices from the Email Dashboard, the configured MEMshould discover the devices
enrolled to the organization group. This section discusses how devices with or without an EAS profile are discovered by
configured MEMdeployment.
With EAS profile

AirWatch sends an allow command to the relevant EAS profile associated SEG server. The server then automatically starts
connecting to the device.
32
Without EAS profile

AirWatch sends a broadcast message stating that a device has enrolled. AirWatch sends this message to all the Secure
Email Gateway Proxy servers configured at the same organization group to which the device has enrolled. As soon as the
device connects to a particular SEG server, the SEG recognizes the device as managed from the broadcast message sent
earlier. The SEG Proxy then reports the device as discovered with its memConfigID to AirWatch. AirWatch then associates
the enrolled device to that memConfigID and displays it on the Email Dashboard.
Email Dashboard
Gain visibility into the email traffic and monitor the devices through the AirWatch Email Dashboard. This dashboard gives
you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from
Email > Dashboard. From the Email Dashboard, you can access the List View page which enables you to:
l Whitelist or blacklist a device to allow or deny access to email respectively.
l View the devices which are managed, un-managed, compliant, non- compliant, blocked, or allowed.
l View the device details such as OS, Model, Platform, Phone Number, IMEI, IP address.
From the Dashboard, you can also use the available Graphs to filter your search. For example, if you want to view all the
managed devices of that organization group, select the Managed Devices graph. This displays the results in the List View
screen.
List View
View all the real-time updates of your end user devices that you are managing with AirWatch MEM. You can access the
List View from Email > List View. You can view the device or user specific information by switching between the two
tabs; Device and User available here. You can change the Layout to either view the summary or the detailed list of the
information based on your requirement.
33
The List View screen provides detailed information that include:

l Last Request - In SEG integration this column shows the last time a device synced mail.
l User - The user account name.
l Friendly Name - The friendly name of the device.
l MEM Config - The configured MEM deployment that is managing the device.
l Email Address - The email address of the user account.
l Identifier - The unique alpha-numeric identification code associated with the device.
l Mail Client - The email client syncing the emails on the device.
l Last Command - The command triggers the last state change of the device and populates the Last Request column.
l Last Gateway Server -The server to which the device connected.
l Status - The real time status of the device and whether email is blocked or allowed on it as per the defined policy.
l Reason - The reason code for allowing or blocking email on a device. Please note that the reason code displays
'Global' and 'Individual' only when the access state of the email is changed by an entity other than AirWatch (for
example, an external administrator).
l Platform, Model, OS, IMEI, EASDevice Type, IP Address -The device information displays in these fields.
l Mailbox Identity - The location of the user mailbox in the Active Directory.
Note: In the Email Dashboard, an iOS device shows mailbox record if at the time of enrollment a native email client is
already configured on the device or when an EAS profile is pushed for other email clients. An Android device shows
mailbox record when a device enrolls or when the email clients are installed on the enrolled device with the exception
of AirWatch Inbox.
Filters for Quick Search

From here, using the Filter option,you can narrow your device search based on:
l Last Seen - All, less than 24 hours, 12 hours, 6 hours, 2 hours.
l Managed - All, Managed, Unmanaged.
l Allowed - All, Allowed, Blocked.
l Policy Override - All, Blacklisted, Whitelisted, Default.
l Policy Violation - Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved
EASDevice Type/Email Account/Mail Client/Model/OS.
l MEM Config - Filter devices based on the configured MEM deployments.
34
Performing Actions
The Override,Actions,and the Administration dropdown menu provides a single location to perform multiple actions on
the device.
Note: Please note that these actions once performed cannot be undone.
Override
Select the check box corresponding to a device to perform actions on it.
l Whitelist - Allows a device to receive emails.
l Blacklist - Blocks a device from receiving emails.
l Default - Allows or blocks a device based on whether the device is compliant or non compliant.
Actions
l Run Compliance - Triggers the compliance engine to run for the selected MEM configuration.
l Enable Test Mode - Test email policies without applying them on devices. Once enabled, you can view a message
displaying 'Test Mode Enabled' on the List View screen. Please note that enabling /disabling Test Mode does not
require you to run compliance engine.
Administration
l Dx Mode On - Runs the diagnostic for the selected user mailbox.
l Dx Mode Off - Turns off the diagnostic for the selected user mailbox.
l Update Encryption Key - Resets the encryption and the re-syncs the emails for the selected devices.
l Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Please note that
this record may reappear after the next sync.
SEG Targeted Logging

The SEG targeted logging enables you to create Verbose Web Listener logs for specific users or devices. These log files
help troubleshoot issues in a large environment setup.
To target logs for specific device or user, do the following:
Note: Please note that for security reasons, the targeted logging is available only on the SEGserver through
'localhost/SEGConsole'.
1. Login to the SEG server and navigate to 'http://localhost/segconsole'.
2. Select the required query from the options EASDevice Identifier and Username in the Targeted Logging screen.
3. Select Add Target if you want to add more devices or users.
35
4. Select Start Targeted Logging to begin the process.
5. Once complete, select Stop Targeted Logging. By default, logs are written to the Logs > EASListener folder.
Comparing SEG Policies

The Device Policies feature provides troubleshooting of clustered SEGs. From the SEG Console (localhost) you can
download a file listing all devices that the SEG will allow for email receipt. You can compare this list between the clustered
SEGs to determine if the device policy sets are in line with one another.
1. Login to the SEG server and navigate to 'http://localhost/segconsole'.
2. Select Export Device Policies from the Device Policies section. The .csv file gets downloaded to the default location.
3. Select OK.
36
Chapter 6:
Frequently Asked Questions
Overview 38
SEGClustering FAQs 38
37
Chapter 6: Frequently Asked Questions
Overview
The answers to some of the questions regarding SEG Clustering and the troubleshooting steps to follow in case of an
error are listed down in this chapter.
SEGClustering FAQs
How to enable SEGclustering?
SEGclustering can be enabled while configuring SEGwith the Secure Email Gateway Setup Wizard. In the SEG Setup
Wizard:
1. Enter the setup details in the Setup page and select Next.
2. Enter the configuration settings details in the Configuration page and select Next. The Cluster Configuration page
appears.
To know what the setup details and configuration settings are that must be entered, see steps 1-3 of Configuring the SEG
with the Setup Wizard.
3. Select the Enable SEG Clustering check box.
l Specify the name you want to assign to the cluster in the Cluster Directory Name field.
l Define the default port for the SEG servers to communicate with each other in the Default Portfield.
38
l Specify the host name of each SEG server in the cluster in the Node Address field.
l Select Next when complete.
What is the app cluster directory XML?

The AppClusterDirectory.xml file (located in the same directory as the AW.Eas.IntegrationService.exe service) is created
upon successful completion of the SEG setup process when clustering has been enabled. During the initial configuration,
the first entry in the AppClusterDirectory.xml file is the master SEG. This file references other servers in the cluster, and is
of the form as shown below (change node address, name & port as needed):
<?xmlversion="1.0"?>
<applicationClusterDirectoryname="SecureEmailGateway"port="9090">
<nodeaddress="servername1"name="seg@servername1"/>
<nodeaddress="servername2"name="seg@servername2"/>
</applicationClusterDirectory>
The value name in the initial applicationClusterDirectory tag reflects the name of the cluster as defined during
configuration, and any changes to this will be reflected in different clusters being created. For example, if SEG1 is a
member of SEG Cluster name= SEG1 and SEG2 is a member of SEG Cluster name= SEG2, these two SEGs will never
initiate communication.
Note: The value "name" will not be updated if a new SEG server is elected master.
What happens if the master SEG goes down?

If the master SEG goes down, all other SEGs in the cluster will initiate a voting process to elect a new master SEG. This
process is initiated after the SEGs miss the maximum number of heartbeats from a particular server; in this case the
master SEG server. Once a new master is chosen, the cluster has successfully recovered and functionality will return to a
steady state for all SEGs that are in active communication.
At this point, though the master SEG is not shown in the first position in the AppClusterDirectory.xml file, the EAS
Integration service will log that a new master has been chosen and specify that SEG.
If a slave server goes down, it will be removed from the cluster, and will stop receiving or sending updates to the other
members of the cluster.
How should the SEGs be re-clustered in the event the cluster breaks?
Clustering issues are typically seen when communication between the SEG servers is broken. In such scenarios, follow the
steps below:
39
1. Verify if the EAS Integration Service is configured properly for clustering on all servers.
l EAS Integration Service Config file (\AW.Eas.IntegrationService\AW.Eas.IntegrationService.exe.config):
o In the configSections section, the cacheConfiguration field should be set equal to Clustered.
<clusterConfiguration nodeAddress="servername1" nodeName="seg@servername1"

directoryLocation="AppClusterDirectory.xml" sharedKey="AirWatch"/>
<cacheConfiguration cacheType="Clustered" />
2. Choose one of the SEGservers to be the master SEG.

l Verify cluster name and port details of the chosen SEGin the AppCluster Directory.xml
l Add the node address of the chosen SEG in the AppCluster Directory.xml. This should be the only node listed in
the AppCluster Directory.xml.
3. Restart the EAS Integration Service for the chosen SEGserver. This SEGserver now becomes the master node.
l Verification - In the Integration service log file for this SEG server, verify if this server joins the cluster as the
Master.
4. For all the other SEGservers:

l Verify cluster name and port details in the AppCluster Directory.xml
l Configure the AppClusterDirectory.xml identical to the master SEG. This means the AppClusterDirectory.xml of
other SEG servers should only show the master SEG listed in it.
5. Restart the EAS Integration Service for the other SEG servers in the cluster.
l These SEGservers now act as slave nodes and seeks the master node. The AppClusterDirectory.xml lists the
information of the master SEGand the slave SEGservers.
l Verification:
o In the Integration service log file for each SEG server, verify if the server joins the cluster as a Slave server.
o Verify if the AppClusterDirectory.xml is updated with information regarding all servers in the cluster, with the
Master node on top of the server list.
Monitoring the cluster

After re-clustering the SEGs:
1. Monitor if the AppClusterDirectory.xml is identical across all SEG nodes.
2. Monitor the Integration service log files for each SEG server to check if any errors pertaining to the following:
l Communication errors between the SEG servers.
l Policy update errors (perform a manual update of policies from the SEG Console or AirWatch Console).
3. Enter the command netstat -an | find "9090" to return a listener for both TCP and UDP.
40
What is the best practice for upgrading clustered SEGs?

To ensure the cluster is stable post upgrade, stop the integration service on all SEGs, then start the integration service on
each SEG one by one (beginning with the first node in the AppClusterDirectory.xml). After starting the service on each
SEG, check EAS Integration Service Logs (Verbose) to ensure the SEG joins the cluster. See How should the SEGs be re-
clustered in the event the cluster breaks? for more detail.
Note: While the integration service is not running, SEG falls back to the default setting in the Web Listener web.config
file.
41
Appendix: Upgrading the SEG Proxy Server
Appendix:
Upgrading the SEG Proxy Server
Overview
The SEG is designed to make the upgrade process quick and easy. Perform the following steps to upgrade the SEG to the
latest version.
Step 1: Preparing for the Upgrade

1. Download the SEG Installer from the AirWatch Admin Console under Email > Settings.
2. AirWatch recommends running the MEM Configuration wizard again and associating the existing EAS profile to the
SEG deployment.
Step 2: Running the AirWatch SEG Installer

1. Double-click the AirWatch SEG Installer.exe file, or right-click to choose Run as Administrator.
Upon opening, the SEG Installer detects if a previous version is installed and verifies if you want to upgrade to the
new version. Click Yes, and then click Next.
2. Click Install to begin the upgrade. The SEG Installer automatically performs the SEG upgrade.
3. Once complete, click Finish.
42
Appendix: Securing with Basic Authentication
Appendix:
Securing with Basic Authentication
Overview
AirWatch recommends using of basic authentication for securing the SEG endpoint with AirWatch console and for
enhanced security while sending policy updates.
Enabling Basic Authentication

On the Secure Email Gateway server:
a. In the IISManager, expand Default Web Site and select SEGConsole.
b. Select Authentication and then:
l Enable Basic Authentication.
l Disable Anonymous Authentication .
c. Navigate to Server Manager > Local Users and Groups > Users. Create a basic username and a password.
On the AirWatch Admin Console, while configuring the SEG deployment:

a. Enable the Basic Authentication checkbox.
b. Enter the username and password that you had earlier created in the above step c.
43
Appendix: Configuring with Reverse Proxy Server
Appendix:
Configuring with Reverse Proxy Server
Overview
SEG can be configured to work with reverse proxy servers in a normal fashion. You can set up load balancing between the
SEGs and reverse proxy, but take care to configure the load balancers in front of the Central Authentication Service (CAS).
Recommendations
l IP based affinity: Recommended if you are using Certificate authentication and there is no proxy or other
component in front of the load balancer that would change the source IP from the original device.
l Authentication Header Cookie based Affinity: Recommended if you are using Basic authentication, especially if
there is a proxy or other network component that would change the source IP from the original device.
For more information, please see
http://technet.microsoft.com/en-us/library/ff625248%28v=exchg.141%29.aspx
http://technet.microsoft.com/en-us/library/ff625247
Note: Exchange ActiveSync is a stateless protocol, and persistence is not explicitly required by MSFT. The best
method of load balancing may vary from implementation to implementation.
Configuration
l Generally, they may be set to do a round-robin on the CAS with a persistence based on the source IP address. This
works well when devices connect directly to the reverse proxy but causes issues when we put a SEG in front of it.
Suppose you have one or two SEGs and the source IP as far as the load balancer in front of the CAS that is concerned
will also be one or two. Hence, this can damage the load balancing and all the traffic can end up going to one or two
CAS.
l Another issue can arise if there is some kind of limits set up on the reverse proxy server. For example, on an Internet
Security and Acceleration (ISA) server, the default number of concurrent connections accepted from a single IP
address is about 150. You need to set this to at least 5000 connections. On an ISA server, this can be set up under the
Flood Mitigation settings.
44
Finding Additional Documentation

While reading through this documentation you may encounter references to documents that are not included here. You
can access this additional documentation through the AirWatch Resources page (https://resources.air-watch.com) on
myAirWatch.
Note: AirWatch recommends you always pull the document from AirWatch Resources each time you need to
reference it.
To search for and access additional documentation on the AirWatch Resources page, perform the following step-by-step
instructions:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatchResources page displays with a list
of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.
4. Access documentation using the following methods:

l Select a resource category on the left to view all documents belonging to that category. For example, selecting
Documentation filters your search to include the entire technical documentation set. Selecting Platform filters
your search to only include platform guides.
l Search for a particular resource using the search box in the top-right by entering keywords or document names.
l Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
by selecting myAirWatch from the navigation bar and then selected My Resources from the toolbar.
45
l Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
updated with the latest bug fixes and feature enhancements. Therefore, AirWatch recommends you always pull
the document from AirWatch Resources each time you need to reference it.
Having trouble finding a document?Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install &Architecture, EmailManagement) then selecting that will also
further narrow your search and provide better results. Filtering by PDFas a File Type will also narrow your search
even further to only include technical documentation manuals.
46

VMware AirWatch SEG Administration Guide v8 - 3

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VMware AirWatch SEG Administration Guide v8 - 3

Uploaded by

Copyright:

Available Formats

VMware AirWatch Secure Email Gateway

Chapter 2: Prerequisites for SEGConnectivity 8

Chapter 6: Frequently Asked Questions 37

Appendix: Upgrading the SEG Proxy Server 42

Appendix: Securing with Basic Authentication 43

Appendix: Configuring with Reverse Proxy Server 44

Finding Additional Documentation 45

Introduction to the Secure Email Gateway (SEG)

Before You Begin

Important: An Intel processor is required.

Install Application Request Routing ARRcomponent is available at

When the communication between SEG and the API

Important: If your are using SSL from the SEG server to

Recommended Setup: Exchange ActiveSync SEG Configuration

Step 1: Enabling SEG Proxy on AirWatch Admin Console

2. In the Platform wizard form:

3. In the Deployment wizard form:

4. In the Profiles wizard form, configure the following:

Step 2: Preparing for the Installation

Step 3: Running the AirWatch SEG Installer

5. Select Install to begin the SEG installation.

Step 4: Configuring the SEG with the Setup Wizard

n Basic Authentication - Enter your username and password to access.

n Windows Authentication - Enter windows credentials to access the server.

l Select the MEMconfiguration from the dropdown.

Select Next when complete.

4. The Cluster Configuration screen appears. Select Next.

l Smaller performance impact on API server.

l Reduced implementation or maintenance complexity compared to the SEG clustering model.

l Improved user experience.

Step 5: Deploying Mobile Email through the SEG Proxy

Securing with Email Policies

Note:a. Mail client compliance policy is not supported on Windows Phone.

General Email Policies

l Managed Device Restrict email access only to managed devices.

l Mail Client Restrict email access to a set of mail clients.

Email Security Policies

With EAS profile

Without EAS profile

The List View screen provides detailed information that include:

l User - The user account name.

l Friendly Name - The friendly name of the device.

l Email Address - The email address of the user account.

l Last Gateway Server -The server to which the device connected.

Filters for Quick Search

l Managed - All, Managed, Unmanaged.

l Allowed - All, Allowed, Blocked.

l Policy Override - All, Blacklisted, Whitelisted, Default.

l MEM Config - Filter devices based on the configured MEM deployments.

l Blacklist - Blocks a device from receiving emails.

SEG Targeted Logging

1. Login to the SEG server and navigate to 'http://localhost/segconsole'.

3. Select Add Target if you want to add more devices or users.

4. Select Start Targeted Logging to begin the process.

Comparing SEG Policies

3. Select the Enable SEG Clustering check box.

l Select Next when complete.

What is the app cluster directory XML?

What happens if the master SEG goes down?

<clusterConfiguration nodeAddress="servername1" nodeName="seg@servername1"

2. Choose one of the SEGservers to be the master SEG.

4. For all the other SEGservers:

Monitoring the cluster