To begin integrating the SEG V2 with Google, you must configure Mobile Email Management (MEM) and install SEG V2. You must configure the settings required for SEG Proxy on the UEM console and then proceed with configuring the Security Settings at the Google Admin Console.
Configure SEG V2 using Unified Endpoint Management Console
- Navigate to Email > Email Settings and select Configure. The Add Email Configuration wizard displays.
- Select Add. The wizard displays the Platform tab.
- From Deployment Model, select Proxy.
- From Gateway Platform, select V2.
- From Email Type, select Google and then select Next. The Deployment tab opens and displays the basic settings.
- From the Deployment tab, select the Friendly Name text box and enter a unique name.
- Configure the External Settings.
- Select the External URL and Port text box and enter the external URL and the port number to which Workspace ONE sends policy updates. The supported format is https://<external seg url>:<external port>.
- Configure the Internal Settings.
- Select the Listener Port text box and enter the web listener port for SEG. By default, the port number is 443. If SSL is enabled for SEG, the SSL certificate is bound to this port.
- (Optional) From Terminate SSL on SEG, select Enable to bind the SSL certificate to the port.
- Select the Upload Locally check box to upload the SSL certificate. The UEM console supports uploading the certificate locally for easy OTA installation. The certificate can also be provided during run-time.
- From SEG Server SSL Certificate, select Upload to add the certificate. The SSL certificate can be installed automatically, instead of providing it locally. This setting is useful for larger SEG deployments.
- Configure the Email Server Settings.
- Select Email Server URL and Port text box and enter the Google server URL and the port number. The supported format is https://<email server url>:<email server port>. This is the Google URL to which SEG proxies email requests to Google. For example, https://m.google.com.
- Configure Security Settings.
- From Ignore SSL Errors between SEG and email server, select Enable to ignore the Secure Socket Layer (SSL) certificate errors between the email server and SEG server.
- From Ignore SSL Errors between SEG and Workspace ONE server, select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE server and SEG server. Establish a strong SSL trust between Workspace ONE and SEG server using valid certificates.
- From Allow email flow if no policies are present on SEG, select Enable to allow the email traffic if SEG is unable to load the device policies from the Workspace ONE API. By default, SEG blocks email requests if no policies are locally present.
- (Optional) Configure Cluster Settings.
- From Enable Clustering, select Enable if you want to enable clustering of SEG servers. For more information, see Configure the V2 Platform section of the VMware AirWatch Secure Email Gateway guide.
- Configure Google Apps Settings.
- Under the Google Apps Settings, the Automatic Password Provision is disabled by default. Select Disabled if you provide the Google password to your device users or if they are provided with their SSO password that is the same as the Google password. Disabling this setting is considered to be more stable because the Google password is managed within your organization.
- (Optional) If you do not provide native passwords to device users, or if they are only provided with SSO password and the primary directory is not Google, select Enabled. When enabled, the UEM console provisions the Google password for your users. Enter the following information for the UEM console to provision the Google password:
- Select the Google Apps Domain text box and enter the Google Apps domain address.
- Select the Google Apps Sub-Domain text box and enter the Google Apps sub domain address.
- Select the Google Apps admin username text box and enter the full URL as the Google Apps Admin user name.
- From the Service account certificate, select Upload to add the Service account certificate. Enter the certificate password when prompted. The certificate password is created when generating the client ID on the Google console.
- Select the Directory service account email address text box and enter the Directory service account email address that is generated while creating the Service Account Certificate.
- Select the Application Name text box and enter the project name.
- Select Next and enter the required settings in the Profiles tab and select Next. For more information on the settings in the Profiles tab, see Configure the V2 Platform section of the VMware AirWatch Secure Email Gateway guide.
- Select Finish.
Configure IP Restriction on Google Admin Console
Configure Google Sync to accept traffic only from SEG. This restricts the communication to SEG and ensures that the devices that attempt to bypass SEG are blocked.
- Log in to the Google Admin console.
- Navigate to Device Management > Advanced Settings > Google Sync.
- Select the IP Whitelist text box and enter the external SEG IPs that you want to whitelist.
- Select Save.
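
A pre-deployment check of the values entered in the two procedures above, as an added example that is not part of the product or its documentation. The dictionary keys are hypothetical names for the console fields and the sample values are constructed. It flags URLs that do not match the supported https format, the security settings that disable certificate validation or let email flow without policies, and IP whitelist entries that are internal or cover more than one host.

```python
import ipaddress
from urllib.parse import urlsplit

# IPv4 ranges that cannot be a SEG's external address (RFC 1918, loopback, link-local).
NON_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def check_url(label, url):
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return [f"{label}: invalid URL or port"]
    if parts.scheme != "https" or not parts.hostname:
        return [f"{label}: expected https://<host>:<port>"]
    return []

def check_allowlist(entries):
    """Flag entries that are malformed, internal, or wider than one host."""
    issues = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            issues.append(f"allowlist: {entry!r} is not an IP address or range")
            continue
        if any(net.overlaps(r) for r in NON_EXTERNAL):
            issues.append(f"allowlist: {entry} is internal, not an external SEG IP")
        elif net.num_addresses > 1:
            issues.append(f"allowlist: {entry} spans {net.num_addresses} addresses")
    return issues

def audit_seg_config(cfg):
    """cfg keys are hypothetical names for the console fields, not product identifiers."""
    issues = check_url("external_url", cfg["external_url"])
    issues += check_url("email_server_url", cfg["email_server_url"])
    if cfg.get("ignore_ssl_errors_email_server"):
        issues.append("TLS: email server certificate is not validated")
    if cfg.get("ignore_ssl_errors_uem"):
        issues.append("TLS: Workspace ONE certificate is not validated")
    if cfg.get("allow_email_if_no_policies"):
        issues.append("fail-open: email flows when SEG has no policies loaded")
    return issues + check_allowlist(cfg.get("google_sync_ip_allowlist", []))

# Constructed sample values (documentation address ranges, not a real deployment).
SAMPLE = {
    "external_url": "http://seg.example.com:443", "email_server_url": "https://m.google.com",
    "ignore_ssl_errors_email_server": True, "allow_email_if_no_policies": True,
    "google_sync_ip_allowlist": ["203.0.113.10", "10.1.2.3", "198.51.100.0/24"],
}
```

Calling `audit_seg_config(SAMPLE)` returns one finding per weak or malformed value; an empty list means the entered values pass these checks.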