The diagrams below highlight the communications flow for a device attempting to connect to the Exchange ActiveSync (EAS) server using a certificate for authentication.

The first diagram shows the connection through the Microsoft TMG and the second diagram shows the same as the first with the addition of the Workspace ONE UEM Secure Email Gateway (SEG).

The TMG and SEG reside in a Demilitarize Zone (DMZ) to protect enterprise servers from outside intruders. As such, certificate authentication is handled indirectly using Kerberos.

TMG to EAS Server

  • A request is made by Workspace ONE UEM to the enterprise domain certificate authority (can only be issued by an internal CA) to produce a certificate for the user that contains User Principal Name (UPN) mapping and their email address in the Subject Alternative Name (SAN) of the certificate.
  • Since the TMG is a member of the same enterprise domain as the internal CA, it receives the certificate from the CA and authenticates the certificate against Active Directory (AD).
  • Once authenticated with AD, Kerberos issues a ticket to TMG with the user’s credentials allowing the TMG to impersonate (authenticate) the user’s device to the EAS server.
  • EAS accepts the TMG’s impersonation (authentication) and allows the user to access email.