The following is required in order to complete the configurations outlined in this document.

  • Ability to pass through all firewalls used to isolate the TMG and SEG from the AD and EAS servers.
  • An external certificate authority (CA) cannot be used (e.g., VeriSign, etc.) to create user’s certificates.
  • An internal certificate authority (CA) server must be used to create user’s certificates. If you need guidance as to the methodology of setting up an internal CA, contact AirWatch’s Support Consultants.


    Important: CAs can be set up on servers running a variety of operating systems, including Windows®2000 Server, Windows Server® 2003, and Windows Server 2008. However, not all operating systems support all features or design requirements. Creating an optimal design requires careful planning and lab testing before you deploy it in a production environment.

  • The internal CA, TMG, and SEG must be configured within the same enterprise domain in order to pass user certificates.
  • Administrative access privileges to the Active Directory, Microsoft TMG, AirWatch Secure Email Gateway (SEG) if installed, and EAS servers.
  • Internet Information Services (IIS) with the Client Certificate Mapping Authentication option installed on the:
    • TMG for TMG to EAS configurations
    • SEG for TMG to SEG to EAS configurations
  • 80% of the current resources on the Exchange ActiveSync (EAS) server.
  • Connectivity from TMG and SEG to the AD and EAS servers.

Other Prerequisites

Before configuring the Threat Management Gateway (TMG) and Secure Email Gateway (SEG) to use certificate authentication, you must have the following.

For TMG to EAS

  • Installed and operational Threat Management Gateway (TMG).
  • Windows Server 2003 or 2008 Standard with latest service packs and recommended updates from Microsoft.
  • A device with an Exchange ActiveSync (EAS) profile and certificate from a domain enterprise certificate authority (CA).
  • A TMG that is configured as a member of the same domain as the enterprise certificate authority.
  • Administrative permissions to configure your enterprise.
    • Threat Management Gateway (TMG)
    • Active Directory (AD)
    • Exchange ActiveSync (EAS) server
  • A certificate authority properly configured to issue certificates through AirWatch.

For TMG to SEG to EAS

  • Everything included in the previous section.
  • Installed and operational Secure Email Gateway (SEG).
  • A SEG that is configured as a member of the same domain as the enterprise certificate authority.
  • Administrative permissions to be able to configure your enterprise SEG.