Each SSL certificate has a validity period and after the certificate expires you must renew and upload the latest SSL certificate. For SEG, you can upload the SSL certificate to the Workspace ONE UEM console, or locally when installing the SEG on Windows, or when configuring the SEG Edge service on the UAG. This topic describes the various options through which you can renew and upload the SSL certificate.
Upload the SSL Certificate through the Workspace ONE UEM Console
Perform the following steps when the SSL certificate is uploaded through the Workspace ONE UEM console:
- In the UEM console, navigate to Email > Settings and edit the existing email configuration and click Next.
- Navigate to the Deployment tab and click Next.
- Upload the latest SEG server SSL certificate.
- Enter the password when prompted, click Next, and save the settings.
- Restart the SEGv2 service on all the servers to fetch the latest configuration and bind the updated SSL certificate.
Upload the SSL Certificate locally during the SEGv2 Installation for the Windows Server
Perform the following steps when the SSL certificate is uploaded locally during the SEGv2 installation for the Windows server:
- Run the SEGv2 installer in the server box where the SEG is installed.
- Select the Modify option to modify the installation when prompted.
- Click Next to continue.
- Upload the latest SEG server SSL certificate when prompted.
- Enter the password and click Next to finish the setup.
- The SEGv2 service now binds to the updated SSL certificate.
Upload the SSL Certificate locally for the SEG Edge Service on the UAG Admin UI
Perform the following steps when the SSL certificate is uploaded locally for the SEG Edge service on the UAG Admin UI:
- Log in to the UAG Admin UI.
- Open the SEGv2 configuration under the Edge Service settings.
- Enable the Add SSL certificate toggle button.
- Click Select against the SSL certificate field.
- Upload the latest SEG server SSL certificate and enter the password when prompted.
- Save the configuration and wait for the appliance agent to complete the modification of the SEG Edge service.
- The SEG Edge service now binds to the updated SSL certificate.
Offloading SSL traffic on a Load Balancer or F5 network for a Windows-based Deployment
When the SSL traffic is offloaded on a Load Balancer or the F5 network for a Windows-based deployment, disable the Terminate SSL on SEG toggle button under the Email Configuration settings. The communication between the Load Balancer or the F5 network and the SEGv2 occurs in plain HTTP. In such a scenario, the SSL certificate rotation for the SEG is not applicable.
Offloading SSL traffic on a Load Balancer or F5 network for a UAG Deployment
The SEG on UAG does not support a non-SSL configuration. If the SSL traffic from a device is offloaded on a Load Balancer or F5 network, the SEG must be configured with any SSL certificate to ensure that the traffic reaching the SEG from these network components is encrypted. In such a scenario, the SSL certificate rotation for SEG is applicable as explained in the Upload the SSL Certificate locally for the SEG Edge Service on the UAG Admin UI section.
Additionally, when the SEG on UAG is configured to listen on port 443, the UAG expects a valid Server Name Indication (SNI) extension during the TLS handshake so that it can route the request to the SEG Edge service. When initiating a TLS connection with the SEG on UAG, the load balancer or the F5 network must therefore be configured to send the correct value in the SNI field. The hostname configured in the external URL field in the Workspace ONE UEM Console (without port and protocol) is the SNI value for the SEG Edge service. The same value is used for the following fields when configuring the SEG Edge service on the UAG:
- The airwatchServerHostname field in the INI file when you configure through PowerShell and
- The Secure Email Gateway Hostname field under the Secure Email Gateway settings when you configure through the UAG Admin UI.
If the SEG Edge service on the UAG is configured to listen on any port other than 443, then the SNI configuration is not applicable.
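The following script is an added example, not code from the original page or from the SEG/UAG product. It shows, for the two points the sections above make, what an operator can check from the load balancer side after a rotation: it derives the SNI value from the UEM external URL the way the text describes (hostname only, no protocol or port), opens a TLS connection that sends that SNI, and reports whether the presented certificate matches the hostname and how many days remain before it expires. The hostnames and URL are placeholders, the `SAMPLE_CERT` dictionary is a constructed stand-in for what `ssl.SSLSocket.getpeercert()` returns, and the `cafile` parameter is an assumption for deployments that use a private CA.

```python
"""Added example (not part of the original page): check the certificate that a
load balancer or SEG presents for a given SNI value and report its expiry.
Standard library only; all hostnames are placeholders."""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit


def sni_from_external_url(external_url: str) -> str:
    """SNI value as the text defines it: the hostname from the UEM external URL
    field, without protocol and port (lower-cased by urlsplit)."""
    url = external_url.strip()
    if "://" not in url:               # urlsplit needs a scheme to find the host
        url = "https://" + url
    host = urlsplit(url).hostname      # drops scheme, port and path
    if not host:
        raise ValueError(f"no hostname in {external_url!r}")
    return host


def cert_dns_names(cert: dict) -> list:
    """DNS names from a getpeercert()-style dict: SAN entries, else subject CN."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Exact match, or a wildcard that covers only the left-most label."""
    host = hostname.lower()
    for name in cert_dns_names(cert):
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def days_until_expiry(cert: dict, now_ts: float = None) -> int:
    """Whole days left on the certificate's notAfter (negative once expired)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts is None:
        now_ts = datetime.now(timezone.utc).timestamp()
    return int((not_after - now_ts) // 86400)


def assess_cert(cert: dict, sni: str, now_ts: float = None, warn_days: int = 30) -> dict:
    """What an operator wants to know before and after a certificate rotation."""
    days = days_until_expiry(cert, now_ts)
    return {
        "sni": sni,
        "hostname_match": cert_matches_hostname(cert, sni),
        "days_left": days,
        "expired": days < 0,
        "renew_soon": 0 <= days < warn_days,
    }


def probe_tls(host: str, port: int, sni: str, cafile: str = None,
              timeout: float = 5.0) -> dict:
    """Connect to host:port sending `sni` in the SNI extension (as the load
    balancer must), validate the chain against the system trust store (or
    `cafile`, an assumed option for a private CA) and return the leaf
    certificate dict. Hostname checking is left to assess_cert() so that a
    mismatch is reported rather than aborting the probe; an untrusted or
    expired chain still raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "seg.example.com"),),),
    "subjectAltName": (("DNS", "seg.example.com"), ("DNS", "*.mail.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


if __name__ == "__main__":
    # Placeholder external URL; replace with the value from the UEM console.
    sni = sni_from_external_url("https://seg.example.com:443/Microsoft-Server-ActiveSync")
    print("offline check:", assess_cert(SAMPLE_CERT, sni))
    # Live check against the load balancer (uncomment; needs network access):
    # print(assess_cert(probe_tls("lb.example.com", 443, sni), sni))
```

Run the live probe once against the load balancer with the SNI derived from the external URL and once with a deliberately different `server_hostname` (for example the load balancer's own name): on a UAG listening on 443, only the first should return the SEG Edge service certificate, which is the routing behaviour the section describes. A `days_left` value that does not change after a rotation means the old certificate is still bound and the service restart or appliance-agent modification has not completed.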