Meeting the hardware, software, network, and general requirements described below ensures uninterrupted SEG connectivity.

Determine the requirements for your SEG using the following list.

AirWatch Console Requirements

  • SOAP API enabled for the required organization group
  • Exchange Active Sync profile created in the AirWatch Console with the Assignment Type as Optional and EAS hostname as the SEG server URL

Prerequisite: Enable SOAP API

To configure the SOAP API URL for your AirWatch environment:

  1. Navigate to Groups & Settings > All Settings > System > Advanced > API > SOAP API.
  2. The AirWatch Console gets the API certificate from the SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format XX.airwatchportals.com.

Hardware Requirements

Use the following requirements as a basis for creating your Secure Email Gateway (Classic Platform) server, which can be a VM or physical server.

| SEG | CPU Cores | RAM | Notes |
|---|---|---|---|
| SEG without content transformation | 2 | 4 GB | Per 4,000 devices, up to a maximum of 16,000 devices (8 CPU/16 GB RAM) per application server |
| SEG with content transformation (attachment handling, hyperlinks security, tagging, etc.) | 2 | 4 GB | Per 500 devices (250 devices per core), up to a maximum of 2,000 devices (8 CPU/16 GB RAM) per application server |

Performance varies based on the size and quantity of transforms. These numbers reflect a deployment with a high number of content transforms. Sizing estimates vary based on actual email and attachment usage.

Notes for both SEG deployment types:

  • An Intel processor is required.
  • The minimum requirements for a single SEG server are 2 CPU cores and 4 GB of RAM.
  • IIS App Pool Maximum Worker Processes should be configured as (# of CPU Cores / 2).
  • When installing SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU Cores and 8GB of RAM can be supported by either:
    • One single SEG server with 4 CPU cores and 8GB RAM.

      or

    • Two load balanced SEG servers with 2 CPU cores and 4GB RAM each.
  • 5 GB Disk Space needed per SEG and dependent software (IIS). This does not include system monitoring tools or additional server applications.

General Requirements

Status checklist (each requirement is followed by its notes):

  • Remote access to Windows Servers available to AirWatch and Administrator rights
    • Set up the Remote Desktop Connection Manager for multiple server management; download the installer from https://www.microsoft.com/en-us/download/details.aspx?id=44989
    • See General Requirements.
  • Installation of Notepad++ (Recommended)
    • Download the installer from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe
  • Ensure Exchange ActiveSync is enabled for a test account

Software Requirements

Status checklist (each requirement is followed by its notes):

  • Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 or Windows Server 2016
  • Install Role from Server Manager
    • IIS 7.0 (Server 2008 R2)
    • IIS 8.0 (Server 2012 or Server 2012 R2)
    • IIS 8.5 (Server 2012 R2 only)
  • Install Role Services from Server Manager
    • Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
    • Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
    • Management Tools: IIS Management Console, IIS 6 Metabase Compatibility
    • Ensure WebDAV is not installed.
  • Install Application Request Routing (ARR)
    • The ARR component is available at http://www.iis.net/downloads/microsoft/application-request-routing
    • ARR is mandatory for routing OWA traffic. For Lotus Notes, ARR is mandatory only when Traveler Mail Client is being used.
  • Install Features from Server Manager
    • .NET Framework 4.6.2 Features: Entire module
    • Telnet Client
  • Install .NET Framework 4.6.2
    • The SEG Installer installs .NET 4.6.2 if it is not installed beforehand.
  • Externally registered DNS
    • See Server Requirements.
  • SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS
    • Ensure the SSL certificate is trusted by all device types being used (for example, not all Comodo certificates are natively trusted by Android).
    • In addition, the SEG server must be able to connect to the SSL certificate CRL (for example: ocsp.verisign.com).
  • IIS 443 Binding with the same SSL certificate
    • Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point, you should see the IIS splash page.
    • See Server Requirements.

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

 

| Source Component | Destination Component | Protocol | Port | Verification |
|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | SEG | HTTPS | 443 | Telnet from Internet to SEG server on port |
| Console Server | SEG | HTTPS | 443 | Telnet from Internet to SEG server on port |
| SEG | AirWatch SOAP API (DS or CN server) | HTTP or HTTPS | 80 or 443 | Verify that the following URL is trusted from the browser on the SEG server: https://<API URL>/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc. 'IP based Persistence' should be used when there is more than one API server. |
| SEG (OPTIONAL) | Internal hostname or IP of all other SEG servers | UDP and TCP | 9090 (Configurable) | If you are using SEG Clustering (multiple load balanced SEG servers). SEG Clustering across Data Centers is not supported. |
| Device Services | SEG | HTTPS | 443 | Telnet from Device Services to SEG server on port |
| SEG | AirWatch Cloud Messaging (AWCM) server | HTTPS | 2001 (for on premise instance of AirWatch) or 443 (for SaaS instance of AirWatch) | Telnet from SEG server to AWCM on port |

When the communication between SEG and the API server is through a proxy, SEG cannot make use of the proxy details defined in the browser settings. Therefore, the proxy settings must be specified during SEG configuration.

For more information on configuring proxy settings see Configure Secure Email Gateway (SEG) with the Setup Wizard.

The following requirements apply based on the email configuration you are using:

| Source Component | Destination Component | Protocol | Port |
|---|---|---|---|
| SEG | Exchange | HTTP or HTTPS | 80 or 443 |
| SEG | Lotus Notes | HTTP or HTTPS | 80 or 443 |
| SEG | Google | HTTPS | 443 |
| SEG | Novell Groupwise | HTTP or HTTPS | 80 or 443 |

Verification: Verify that the following URL is trusted from the browser on the SEG server and gives a prompt for credentials:

  • For Exchange: http(s)://Exchange_Activesync_FQDN/Microsoft-server-activesync
  • For Lotus Notes: http(s)://LotusNotesTraveler_FQDN/servlet/traveler
  • For Google: https://m.google.com/Microsoft-server-activesync
  • For Groupwise (depending on version): http(s)://Groupwise_FQDN/EAS or http(s)://Groupwise_FQDN/Microsoft-server-activesync

Once you enter the credentials, verify that a 501/505 HTTP page displays.

Important:

If you are using SSL from the SEG server to the mail endpoint, ensure the SEG server is able to reach the Certificate Revocation List URL for the mail server's SSL certificate. Failure to reach this endpoint may result in performance issues.

If Windows authentication is enabled on your CAS Activesync Endpoint, then one of the following is required:

1. Certificate Authentication and KCD

2. SEG cannot be joined to the domain

Server Requirements

External DNS Name

The two main components of AirWatch are the Device Services server and the Console server. In a single server deployment, these components reside on the same server, and an external DNS entry needs to be registered for that server.

In a multi-server deployment, these components are installed on separate servers, and only the Device Services component requires an external DNS name, while the Console component can remain only internally available.

 

SSL Certificate

Set up the externally available URL of the AirWatch server with a trusted SSL certificate. A wildcard or individual website certificate is required.

Note:

If SSL is used for admin console access, ensure that FQDN is enabled or the host file is configured.

  1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be found here: http://support.apple.com/kb/HT5012

  2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider has instructions for this process.

  3. Once uploaded on your server, you can use it to add a 443 binding to the Default Website in IIS. The bindings for a completed server look like the following. Your SSL certificate appears in the drop-down menu of available certificates.

    [Figure: SSL Cert Binding]

  4. Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point, you see the IIS splash page.

    [Figure: IIS Splash Page]



URL Endpoints

Use the following URL endpoint and its expected status code to check SEG connectivity.

| Description | URL Endpoint | Status code |
|---|---|---|
| ActiveSync Connectivity | /Microsoft-Server-Activesync | HTTP/1.1 401 |
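
The port checks from the Network Requirements section and the status-code check above can be scripted from the SEG server instead of using Telnet and a browser. The following PowerShell is an added example, not part of the vendor documentation; every host name is a placeholder, HTTPS on port 443 is assumed where the page allows 80 or 443, and it uses only .NET Framework classes rather than Test-NetConnection or Invoke-WebRequest.

```powershell
# Added example, not vendor code. All host names are placeholders (assumptions).
$SegHost  = 'seg.example.com'    # external SEG DNS name
$ApiHost  = 'api.example.com'    # AirWatch SOAP API (DS or CN server)
$AwcmHost = 'awcm.example.com'   # AWCM server
$AwcmPort = 2001                 # 2001 on-premises, 443 for SaaS
$MailHost = 'mail.example.com'   # Exchange ActiveSync FQDN

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000) {
    # TCP connect with a timeout: the scripted form of the Telnet check.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-HttpStatus([string]$Url) {
    # Unauthenticated GET. Returns the HTTP status code, or the WebException
    # status name (for example TrustFailure when the certificate is untrusted).
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 10000
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # PowerShell may wrap the WebException; walk the chain to find it.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex) { throw }
        if ($ex.Response) { return [int]$ex.Response.StatusCode }
        return [string]$ex.Status
    }
}

$apiUrl = "https://$ApiHost/AirWatchServices/Internal/0/ActiveSyncIntegrationServiceEndpoint.svc"
$checks = @(
    @('SEG -> SOAP API tcp/443',                      (Test-TcpPort $ApiHost 443)),
    @("SEG -> AWCM tcp/$AwcmPort",                    (Test-TcpPort $AwcmHost $AwcmPort)),
    @('SEG -> mail endpoint tcp/443',                 (Test-TcpPort $MailHost 443)),
    @('SOAP API URL (TrustFailure = untrusted cert)', (Get-HttpStatus $apiUrl)),
    @('Mail ActiveSync URL (401 = credential prompt)', (Get-HttpStatus "https://$MailHost/Microsoft-server-activesync")),
    @('SEG /Microsoft-Server-Activesync (expect 401)', (Get-HttpStatus "https://$SegHost/Microsoft-Server-Activesync"))
)
foreach ($c in $checks) { '{0,-48} {1}' -f $c[0], $c[1] }
```

A `False` on a TCP line points to a firewall or routing gap for that row of the port table. A status name such as `TrustFailure` instead of a number means the certificate chain is not trusted from the SEG server.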