SEG (Classic Platform) Requirements

The factors such as hardware, software, network, and general requirements ensures uninterrupted SEG connectivity.

Determine the requirements for your SEG using the following list.

UEM Console Requirements

  • SOAP API enabled for the required organization group
  • Exchange Active Sync profile created in the UEM console with the Assignment Type as Optional and EAS hostname as the SEG server URL

Prerequisite: Enable SOAP API

To configure the SOAP API URL for your Workspace ONE UEM environment:

  1. Navigate to Groups & Settings > All Settings > System > Advanced > API > SOAP API.
  2. The UEM console gets the API certificate from the SOAP API URL that is located on the Site URLs page. For SaaS deployments, use the format as

Hardware Requirements

Use the following requirements as a basis for creating your Secure Email Gateway (Classic Platform) server, which can be a VM or physical server.

SEG CPU Core RAM Notes

SEG without content transformation

2 4 GB Per 4,000 devices, up to a maximum of 16,000 devices (8 CPU/16 GB RAM) per application server

SEG with content transformation

(Attachment handling, hyperlinks security, tagging, etc.)

2 4 GB

Per 500 devices (250 devices per core), up to a maximum of 2,000 devices (8 CPU/16 GB RAM) per application server


Performance varies based on the size and quantity of transforms. These numbers reflect a deployment with a high number of content transforms. Sizing estimates vary based on actual email and attachment usage

Notes for both SEG deployment types:

  • An Intel processor is required. CPU Cores should each be 2.0 GHz or higher.
  • The minimum requirements for a single SEG server are 2 CPU cores and 4 GB of RAM.
  • IIS App Pool Maximum Worker Processes should be configured as (# of CPU Cores / 2).
  • When installing SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU Cores and 8GB of RAM can be supported by either:
    • One single SEG server with 4 CPU cores and 8GB RAM.


    • Two load balanced SEG servers with 2 CPU core and 4GB RAM each.
  • 5 GB Disk Space needed per SEG and dependent software (IIS). This does not include system monitoring tools or additional server applications.

General Requirements


Requirement Notes

Remote access to Windows Servers available to Workspace ONE UEM and Administrator rights

Set up the Remote Desktop Connection Manager for multiple server management, download the installer from

See General Requirements.


Installation of Notepad++ (Recommended)

Downloaded the installer from

  Ensure Exchange ActiveSync is enabled for a test account  

Software Requirements


Requirement Notes

Windows Server 2008 R2 or

Windows Server 2012 or

Windows Server 2012 R2

Windows Server 2016


Install Role from Server Manager

IIS 7.0 (Server 2008 R2)

IIS 8.0 (Server 2012 or Server 2012 R2)

IIS 8.5 (Server 2012 R2 only)


Install Role Services from Server Manager

Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection

Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes

Management Tools: IIS Management Console, IIS 6 Metabase Compatibility

Ensure WebDAV is not installed.


  Install Application Request Routing (ARR)

ARR component is available at

ARR is mandatory for routing OWA traffic. For Lotus Notes, ARR is mandatory only when Traveler Mail Client is being used.


Install Features from Server Manager

.NET Framework 4.6.2 Features: Entire module

Telnet Client


Install .NET Framework 4.6.2

The SEG Installer installs .NET 4.6.2 if it is not installed beforehand.


Externally registered DNS

See Server Requirements.



SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS

Ensure SSL certificate is trusted by all device types being used. (i.e. not all Comodo certificates are natively trusted by Android)

In addition, the SEG server must be able to connect to the SSL certificate CRL (For example:


IIS 443 Binding with the same SSL certificate

Validate that you can connect to the server over HTTPS ( At this point, you should see the IIS splash page.

See Server Requirements.

Network Requirements

For configuring the ports listed below, all the traffic is uni-directional (outbound) from the source component to the destination component.


Source Component

Destination Component




Devices (from Internet and Wi-Fi)




Telnet from Internet to SEG server on port

  Console Server SEG HTTPS 443 Telnet from Internet to SEG server on port


Workspace ONE UEM SOAP API (DS or CN server)


80 or 443

Verify that the following URL is trusted from the browser on the SEG server:

https://<API URL>/AirWatchServices/


'IP based Persistence' should be used in the event when there are more than one API server.


When the communication between SEG and the API server is through a proxy, SEG cannot make use of the proxy details defined in the browser settings. Therefore, the proxy settings must be specified during SEG configuration.

For more information on configuring proxy settings see Configure Secure Email Gateway (SEG) with the Setup Wizard.



Internal hostname or IP of all other SEG servers




If you are using SEG Clustering (multiple load balanced SEG servers) SEG Clustering across Data Centers is not supported.

  Device Services SEG HTTPS 443 Telnet from Device Services to SEG server on port
  SEG AirWatch Cloud Messaging (AWCM) server HTTPS
  • 2001 (For on premise instance of AirWatch)
  • 443 (For SaaS instance of AirWatch)

Telnet from SEG server to AWCM on port






The following requirements apply based on the email configuration you are using:





80 or 443

Verify that the following URL is trusted from the browser on the SEG server and gives a prompt for credentials:

For Exchange: http(s):// Exchange_Activesync_FQDN/Microsoft-server-activesync

For Lotus Notes: http(s):// LotusNotesTraveler_FQDN/servlet/traveler

For Google:

For Groupwise (depending on version): http(s):

// Groupwise_FQDN/EAS or http(s)://Groupwise_FQDN/Microsoft-server-activesync

Once you enter the credentials, verify that a 501/505 HTTP page displays.


If you are using SSL from the SEG server to the mail endpoint, ensure the SEG server is able to reach the Certificate Revocation List URL for the mail server's SSL certificate. Failure to reach this endpoint may result in performance issues.



Lotus Notes


80 or 443








Novell Groupwise


80 or 443

If Windows authentication is enabled on your CAS Activesync Endpoint, then one of the following is required:

1. Certificate Authentication and KCD

2. SEG cannot be joined to the domain

Server Requirements

External DNS Name

The two main components of Workspace ONE UEM are the Device Services server and the Console server. In a single server deployment, these components reside on the same server, and an external DNS entry needs to be registered for that server.

In a multi-server deployment, these components are installed on separate servers, and only the Device Services component requires an external DNS name, while the Console component can remain only internally available.


SSL Certificate

Set up the externally available URL of the Workspace ONE UEM server with a trusted SSL certificate. A wildcard or individual website certificate is required.


If SSL is used for admin console access, ensure that FQDN is enabled or the host file is configured.

  1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be found here:

  2. Upload your SSL certificate to the Workspace ONE UEM server(s). Your certificate provider has instructions for this process.

  1. Once uploaded on your server you can use it to add a 443 binding to the Default Website in IIS. The bindings for a completed server look like the following. Your SSL certificate appears in the drop-down menu of available certificates.

    SSL Cert Binding

  2. Validate that you can connect to the server over HTTPS ( At this point, you see the IIS splash page.

    IIS Splash Page

URL Endpoints

Use the below mentioned URL Endpoint and the status code to check the SEG Connectivity.

Description URL Endpoint Status code

ActiveSync Connectivity


HTTP/1.1 401