The SEG v2 configurations are controlled at an individual node level. The custom gateway setting feature centralizes the configuration on the Workspace ONE UEM Console as part of the MEM configuration itself.

Prerequisites

The following table lists the requirements for the SEG custom settings feature:

Platform   Minimum SEG and UAG supported version   Workspace ONE UEM Console
Windows    2.17.0                                  20.10
UAG        UAG 20.09 (SEG 2.17.0)                  20.10

Configure SEG Custom Gateway Settings

The SEG custom settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM Console. To configure the custom settings, perform the following steps:

  1. Log in to the Workspace ONE UEM console.
  2. Navigate to Email > Email Settings.
  3. Configure the Email Settings for SEG.
  4. Configure the additional settings for SEG using the Advanced option.
  5. Navigate to the Custom Gateway Settings, click ADD ROW, and enter the supported configuration as the key-value pair:
    • Key: Enter the property or setting name.
    • Type: Enter the type of value such as string, integer, and so on.
    • Value: Enter the property or custom value.
  6. Click Save.

Apply the Custom Gateway Settings on the SEG Service

During an installation or upgrade, if the custom settings are provided on the Workspace ONE UEM console, then the SEG service starts with the applied custom settings.

If the custom settings are added or updated on the Workspace ONE UEM console when the SEG service is running, then a refreshSettings notification is triggered for SEG. The SEG fetches the latest custom gateway settings. A few of the custom settings are applied immediately, whereas the other custom settings might require you to restart the SEG service.

Supported Configuration for the Custom Gateway Settings

The following section lists all the supported SEG properties or settings for the custom settings feature. Each entry gives the description, the value type, the default value, and how a changed value is applied at run time (immediately, after an automatic restart, or after you restart the SEG service).

Note:

The properties or settings are grouped based on feature or functionality. The custom settings can be added on the Workspace ONE UEM console in any order.

JVM Arguments or System Settings

The JVM arguments or system settings property keys start with -D. If the property value is modified, SEG updates the custom system settings in the segServiceWrapper.conf (for Windows) or seg-jvm-args.conf (for UAG). If the system setting is updated when the SEG service is running, then the SEG triggers a service restart.

You can configure the seg.custom.settings.service.restart.code=0 property in the application-override.properties file to disable the automatic restart of the SEG service.

-Djdk.tls.disabledAlgorithms
  Description: Comma-separated list of TLS algorithms, ciphers, and protocol versions to be disabled.
  Value type: String
  Default value: MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Djdk.tls.ephemeralDHKeySize
  Description: Customizes the size of the ephemeral DH key used internally during the TLS or DTLS handshake. The system property does not affect the DH key sizes in the ServerKeyExchange messages for exportable cipher suites. The DH key sizes of the DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the Oracle JSSE provider are affected. For more information, see Customizing Size of Ephemeral Diffie-Hellman Keys.
  Value type: Integer
  Default value: 2048
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Dsyslog.enabled
  Description: Flag to enable the syslog configuration for SEG.
  Value type: Boolean
  Default value: TRUE for the UAG deployment; FALSE for the Windows deployment
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Dsyslog.host
  Description: Host address of the syslog server. The value can be the hostname or IP address of any remote syslog server that listens over UDP. If syslog to the remote server must use TCP or TLS, point the value to a local syslog listener that retransmits over the required protocol; the built-in UAG syslog configuration can act as this local retransmitter.
  Value type: String
  Default value: Local host
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Dkerberos.process.recycle.time
  Description: Time at which the Kerberos processes are recycled, used when process recycling is enabled with the -Denable.kerberos.process.recycle property.
  Value type: Time in the hh24:mm:ss format
  Default value: 23:59:59
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Xmx
  Description: Maximum Java heap memory for the service in mebibytes (MiB). For example, 8 GiB of RAM is configured as 8192.
  Value type: Long
  Default value: If the property is not configured, the value is determined dynamically during the SEG service installation based on the system configuration.
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Dsyslog.facility
  Description: Syslog facility as defined by the syslog server.
  Value type: String
  Default value: USER
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Dsyslog.port
  Description: Syslog listener port that SEG sends to.
  Value type: Integer
  Default value: 514
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.

-Denable.kerberos.process.recycle
  Description: Flag to recycle the native Kerberos client processes when Kerberos-based authentication is enabled.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: If a modified value is detected, the SEG service restarts automatically.
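As an added example (not VMware's code), a pre-flight lint for custom gateway settings before they are entered in the console: it checks each value against the declared type, reports whether a key is a JVM system setting that restarts the service when changed (the rule described above), lists which entries of the default -Djdk.tls.disabledAlgorithms value a custom value would re-enable, and warns on the flags from the tables on this page that relax a security check. The sample rows are constructed, not taken from a console export.

```python
"""Pre-flight lint for SEG custom gateway settings (added example, not VMware code)."""
import re

# Default value of -Djdk.tls.disabledAlgorithms as listed in the table above.
DEFAULT_DISABLED_TLS = (
    "MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, "
    "RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224"
)

# Flags from this page whose listed value weakens a security check.
RISKY_WHEN = {
    "cert.mapping.ignore.ldap.ssl.errors": "TRUE",
    "smime.lookup.ignore.ldap.ssl.errors": "TRUE",
    "enable.cert.revocation.validation": "FALSE",
    "fail.hard.on.crl.download.failure.during.server.startup": "FALSE",
}


def parse_tls_list(value):
    """Split a comma-separated disabledAlgorithms value into a set of entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


def value_matches_type(vtype, value):
    """Check the console 'Type' column against the entered value."""
    t = vtype.lower()
    if t == "boolean":
        return value.upper() in ("TRUE", "FALSE")
    if t in ("integer", "long"):
        return re.fullmatch(r"-?\d+", value) is not None
    return True  # String / URL: nothing to validate offline


def is_jvm_setting(key):
    # -D (system property) and -X (for example -Xmx) keys go to the JVM args
    # file and, per this page, trigger a SEG service restart when changed.
    return key.startswith("-D") or key.startswith("-X")


def lint_settings(rows):
    """rows: list of (key, type, value) as entered in Custom Gateway Settings.
    Returns {'restart_required': bool, 'errors': [...], 'warnings': [...]}."""
    report = {"restart_required": False, "errors": [], "warnings": []}
    for key, vtype, value in rows:
        if not value_matches_type(vtype, value):
            report["errors"].append(f"{key}: value {value!r} is not a valid {vtype}")
        if is_jvm_setting(key):
            report["restart_required"] = True
        if key == "-Djdk.tls.disabledAlgorithms":
            reenabled = parse_tls_list(DEFAULT_DISABLED_TLS) - parse_tls_list(value)
            if reenabled:
                report["warnings"].append(
                    f"{key}: re-enables {sorted(reenabled)} compared with the default")
        if RISKY_WHEN.get(key) == value.upper():
            report["warnings"].append(f"{key}={value} weakens a security check")
    return report


# Constructed sample rows: TLSv1 dropped from the disabled list, a typo in a number.
SAMPLE_ROWS = [
    ("-Djdk.tls.disabledAlgorithms", "String",
     "MD5, RC4, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, "
     "MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224"),
    ("-Xmx", "Long", "8192"),
    ("enable.cert.revocation.validation", "Boolean", "FALSE"),
    ("http.client.max.idle.timeout.seconds", "Integer", "36OO"),
]

if __name__ == "__main__":
    result = lint_settings(SAMPLE_ROWS)
    print("restart required:", result["restart_required"])
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(level.upper(), msg)
```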

Support for EWS

enable.boxer.ens.ews.proxy
  Description: Flag to enable SEG to listen for EWS traffic and proxy it to the configured Exchange EWS endpoint. By default, SEG proxies the EWS requests to the email server host configured as part of the MEM configuration. A different host can be configured with the ews.email.server.host.and.port property.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: Restart the SEG service.

ews.email.server.host.and.port
  Description: If the email server hostname for EWS is different from the one for EAS, use this property to configure the EWS email server hostname. When the EWS host name is taken from this property, all the other HTTP connection parameters remain the same as the EAS parameters. If the host uses a self-signed certificate, the corresponding trusted certificate must be added to SEG separately. The EWS proxy is enabled with the enable.boxer.ens.ews.proxy flag.
  Value type: URL
  Default value: NA
  Apply at run time: NA

http.response.status.code.for.connection.terminated.with.ews
  Description: HTTP response code for an EWS request when a connection error occurs between SEG and Exchange.
  Value type: Integer
  Default value: 503
  Apply at run time: NA

Certificate-based Authentication

proxy.email.request.on.kerberos.error
  Description: Flag to proxy the request to the email server if an error occurs while generating the KCD token.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: NA

response.status.code.on.kerberos.error.for.non.ping
  Description: HTTP response code for commands other than PING and OPTIONS when the Kerberos token generation fails.
  Value type: Integer
  Default value: 503
  Apply at run time: NA

response.status.code.on.kerberos.error.for.ping
  Description: If the proxy.email.request.on.kerberos.error property is set to false, the HTTP status code returned for a PING command request during a Kerberos error.
  Value type: Integer
  Default value: 200
  Apply at run time: NA

response.status.code.on.kerberos.error.for.options.method
  Description: HTTP response code for the OPTIONS command when the Kerberos token generation fails.
  Value type: Integer
  Default value: 401
  Apply at run time: NA

response.status.code.on.certificate.validation.fail
  Description: HTTP response code when certificate authentication is enabled and the client certificate validation by SEG fails. If the force.client.cert.for.ssl.handshake flag is enabled, a request with a missing or invalid certificate might already be rejected during the SSL handshake.
  Value type: Integer
  Default value: 401
  Apply at run time: NA

enable.upn.lookup.from.subject.cn
  Description: Flag to enable the lookup of the UPN (used for Kerberos authentication) from the Subject Common Name when the UPN is not present in the SAN extension of the client certificate.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

generate.krb5.config.at.service.restart
  Description: Flag to generate the Kerberos configuration file (krb5.ini on Windows or krb5.conf on UAG) when the SEG service restarts.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: Restart the SEG service.

kerberos.service.max.processes.size
  Description: Number of KCD client processes that SEG spawns.
  Value type: Integer
  Default value: 10
  Apply at run time: Restart the SEG service.

kerberos.thread.pool.size.per.service
  Description: Number of threads used per KCD client process.
  Value type: Integer
  Default value: 5
  Apply at run time: Restart the SEG service.

kerberos.service.health.check.frequency.in.seconds
  Description: Frequency in seconds at which SEG polls each KCD client process.
  Value type: Integer
  Default value: 5
  Apply at run time: Restart the SEG service.

kerberos.enable.performance.metrics.logging
  Description: Flag to enable timing statistics for the Kerberos token handling.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: Restart the SEG service.

kerberos.process.kill.max.wait.time.in.seconds
  Description: Maximum time to wait for a process to shut down when SEG attempts to stop the native process.
  Value type: Integer
  Default value: 60
  Apply at run time: Restart the SEG service.

kerberos.process.max.time.to.recover.in.seconds
  Description: Maximum time in seconds that a process is permitted to remain in a status other than AVAILABLE (NOT_STARTED, STARTING, FAILED_TO_START, or BUSY). Used to recover processes in an unexpected situation and to ensure safer execution.
  Value type: Integer
  Default value: 120
  Apply at run time: Restart the SEG service.

kerberos.backpressure.queue.max.size
  Description: Maximum size of the backpressure queue for obtaining the Kerberos token. If the queue is full, further requests are ignored.
  Value type: Integer
  Default value: 2500
  Apply at run time: Restart the SEG service.

kerberos.backpressure.queue.max.wait.in.seconds
  Description: Duration in seconds for which a request waits in the backpressure queue for the Kerberos token generation before it is stopped.
  Value type: Integer
  Default value: 20
  Apply at run time: Restart the SEG service.

enable.cert.revocation.validation
  Description: Flag to enable the certificate revocation check using the CRL. The flag is used only when CBA is enabled.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: Restart the SEG service.

fail.hard.on.crl.download.failure.during.server.startup
  Description: Flag to prevent SEG from starting if it cannot fetch the CRLs at startup. Applicable only when a CRL distribution URL is configured with the remote.crl.distribution.http.uris key.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: Restart the SEG service.

remote.crl.fetch.interval.in.minutes
  Description: Interval in minutes for the periodic timer that attempts to update SEG with the latest CRL data.
  Value type: Long (entered as an integer value)
  Default value: 1440 (24 hours)
  Apply at run time: Restart the SEG service.

remote.crl.distribution.http.uris
  Description: List of HTTP URLs of CRL Distribution Points (CDP). Use it when SEG is configured to accept client certificates, either by enabling the Require Client Certificate flag or through Kerberos-based authentication. Applicable only if enable.cert.revocation.validation is set to true.
  Value type: String
  Default value: NA

Certificate-Mapping LDAP Lookup

cert.mapping.ldap.enabled
  Description: Flag that indicates whether the certificate-mapping feature is enabled for SEG. If KCD authentication is disabled in the email configuration, the setting is ignored and treated as false.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.host
  Description: The remote LDAP host in URL format.
  Value type: String
  Default value: NA
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.authType
  Description: The authentication type used with the LDAP server for the certificate-mapping feature.
  Value type: Integer
  Default value: 0 (simple authentication)
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.user
  Description: The LDAP user for authenticating the LDAP query. SEG uses the same service account credentials that are configured as part of the Kerberos authentication settings. However, for the LDAP query, the user name must be provided in Distinguished Name (DN) format.
  Value type: String
  Default value: NA
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.attrs
  Description: List of LDAP lookup attributes used for the certificate-mapping feature.
  Value type: String
  Default value: NA
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.server.base
  Description: Distinguished name of the base domain for running the LDAP query; the query fetches the matching results from this domain. By default, the query refers to the rootDSE of the LDAP setup. The field can be left empty when the userCertificate and userPrincipalName attributes are indexed and replicated to the global catalog.
  Value type: String
  Default value: NA
  Apply at run time: Restart the SEG service.

cert.mapping.ignore.ldap.ssl.errors
  Description: Flag to ignore any SSL errors when contacting the LDAP server for the certificate-mapping lookup.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: Restart the SEG service.

cert.mapping.max.query.executor.pools
  Description: Maximum number of LDAP services created, which sets the maximum number of concurrent LDAP queries.
  Value type: Integer
  Default value: 25
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.connect.timeout.millis
  Description: LDAP connect timeout in milliseconds for certificate-mapping.
  Value type: Integer
  Default value: 3000
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.read.timeout.millis
  Description: LDAP read timeout in milliseconds for certificate-mapping.
  Value type: Integer
  Default value: 3000
  Apply at run time: Restart the SEG service.

cert.mapping.ldap.service.pool.size
  Description: LDAP (executor) service thread pool size.
  Value type: Integer
  Default value: 3
  Apply at run time: Restart the SEG service.

cert.mapping.backpressure.queue.size
  Description: Maximum number of requests allowed in the backpressure queue while waiting for the LDAP service for the certificate-mapping lookup.
  Value type: Integer
  Default value: 1000
  Apply at run time: Restart the SEG service.

cert.mapping.backpressure.max.ttl.in.seconds
  Description: Maximum time in seconds that a request can stay in the backpressure queue waiting for the LDAP service to become available.
  Value type: Integer
  Default value: 60
  Apply at run time: Restart the SEG service.

cert.mapping.wait.delay.for.concurrent.query.millis
  Description: Fixed delay in milliseconds for which a request waits when another certificate-mapping request for the same UPN is already in progress.
  Value type: Integer
  Default value: 500
  Apply at run time: NA

SEG Policy and Cache

policy.data.not.ready.response.code
  Description: HTTP response code returned to the device if SEG has not yet received all the policy data just after startup and the configuration prohibits email communication until the policy data is ready.
  Value type: Integer
  Default value: 503
  Apply at run time: NA

ignore.duplicate.records.during.policy.update
  Description: Flag to ignore duplicate records returned from the API and to compare the size of a policy in the SEG cache with the count of unique IDs only.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: NA

policy.update.eventbus.timeout.buffer.millis
  Description: Event bus timeout used during a policy update.
  Value type: Long
  Default value: 30000
  Apply at run time: NA

disable.api.policy.count.match.during.policy.update
  Description: Flag to disable the API policy count match during a policy update.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

policy.async.cache.update.completion.threshold.seconds
  Description: Maximum time in seconds that SEG waits for the cache to be asynchronously updated with the new policy records during a bulk policy update.
  Value type: Integer
  Default value: 900
  Apply at run time: Restart the SEG service.

cache.index.validation.eventbus.timeout.millis
  Description: Timeout in milliseconds for validating the cache index on all the nodes after a bulk policy update. If the validation fails, SEG retries before finally reverting the changes.
  Value type: Integer
  Default value: 30000
  Apply at run time: NA

cache.index.swap.wait.time.in.millis
  Description: Delay in milliseconds before swapping the active and passive cache indexes after the latest policy from the API is updated on the passive cache.
  Value type: Long
  Default value: 60000
  Apply at run time: NA

cache.index.validation.max.retry.count
  Description: Number of retry attempts to validate that the cache indexes are updated on all the nodes, when clustering is enabled.
  Value type: Integer
  Default value: 3
  Apply at run time: NA

wait.time.in.millis.before.passive.cache.cleanup.start
  Description: If the policy update fails and SEG is running in clustered mode, the cache indexes on all the nodes must be updated to stay in sync. This property is the time in milliseconds for which SEG waits before cleaning the passive cache, so that all the nodes have sufficient time to swap the passive and active indexes, if necessary.
  Value type: Long
  Default value: 30000
  Apply at run time: NA

cache.async.update.status.check.timer.interval.millis
  Description: Interval in milliseconds for the periodic timer that validates the asynchronous policy data update in the cache.
  Value type: Long
  Default value: 10000
  Apply at run time: NA

full.bulk.update.interval.in.minutes
  Description: Interval in minutes for a periodic full bulk policy update, when delta sync is enabled.
  Value type: Integer
  Default value: 1440 (24 hours)
  Apply at run time: Restart the SEG service.

validate.resource.uri.in.jwt.auth
  Description: Flag to enable validation of the resource URL in the JWT token.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: NA

jwt.allowed-clock-skew-in-seconds
  Description: Maximum allowed skew in the JWT timestamp for the token to be authenticated successfully.
  Value type: Integer
  Default value: 30
  Apply at run time: NA

tcpip.discovery.timeout-seconds
  Description: Timeout in seconds for TCP/IP discovery.
  Value type: Integer
  Default value: 5
  Apply at run time: Restart the SEG service.

hazelcast.operation.call.timeout.millis
  Description: Timeout for a Hazelcast cache read or write operation.
  Value type: Long
  Default value: 60000
  Apply at run time: NA

Content Transformation

disable.transformation.on.inline.unknown.attachment.bytes
  Description: Flag to disable the attachment transformation if the MIME type cannot be identified.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: NA

disable.transformation.on.inline.unknown.attachment.tag
  Description: Flag to skip the transformation of inline attachment tags that do not have a file extension or MIME type from which they can be processed correctly.
  Value type: Boolean
  Default value: TRUE
  Apply at run time: NA

enable.request.transformation.by.default
  Description: Flag to enable content transformation on the request flow. If the value is FALSE, the request transformation occurs only when any of the transformation types are enabled. When the value is TRUE, the request transformation always occurs. Enable the flag when content transformation was previously enabled, so that attachments were encrypted or hyperlinks transformed, and is now disabled: the outgoing emails then still get their attachments decrypted and their original hyperlinks restored.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

HTTP Request or Response

api.server.connect.timeout.millis
  Description: HTTP connection timeout in milliseconds from SEG to the API server.
  Value type: Integer
  Default value: 15000

email.server.connect.timeout.millis
  Description: HTTP connection timeout in milliseconds from SEG to the email server.
  Value type: Long
  Default value: 15000

force.client.cert.for.ssl.handshake
  Description: When Require Client Certificate is enabled in the Advanced Settings option of the MEM configuration, setting this flag to TRUE makes a request without a client certificate fail during the SSL handshake, before it reaches the application layer. If the flag is set to FALSE, the request reaches the application layer and fails there because the client certificate is missing.
  Value type: Boolean
  Default value: FALSE

http.client.max.idle.timeout.seconds
  Description: Maximum idle time in seconds after which any connection is closed to release system resources.
  Value type: Integer
  Default value: 3600

http.response.status.code.for.non.ping.on.connection.closed.failure
  Description: HTTP response code for requests other than the PING command when the connection between SEG and the email server closes unexpectedly. Used only if the return.http.response.status.for.non.ping.on.connection.closed.failure flag is enabled.
  Value type: Integer
  Default value: 503

http.response.status.code.for.ping.on.connection.closed.failure
  Description: HTTP response code for PING command requests when the connection between SEG and the email server closes unexpectedly.
  Value type: Integer
  Default value: 200

http.server.max.idle.timeout.seconds
  Description: Idle time in seconds after which an inbound connection to the SEG server is closed.
  Value type: Integer
  Default value: 3600

keep.email.server.client.connection.alive
  Description: Flag to keep the socket connection to the email server alive so that the same connection is reused for subsequent requests.
  Value type: Boolean
  Default value: TRUE

max.http.buffer.chunk.size
  Description: Maximum HTTP chunk size.
  Value type: Integer
  Default value: 8192 (that is, 8 KB)

max.initial.line.length
  Description: Maximum length of the initial line of HTTP requests ending at or originating from SEG.
  Value type: Integer
  Default value: 4096 (that is, 4 KB)

return.http.response.status.for.non.ping.on.connection.closed.failure
  Description: Flag that decides whether SEG responds to the device when a connection error occurs between SEG and the email server while serving a non-PING command. When enabled, the http.response.status.code.for.non.ping.on.connection.closed.failure property determines the response code. Some email clients might show an error when the connection to SEG is closed abruptly.
  Value type: Boolean
  Default value: TRUE

SMIME Certificate Lookup

smime.lookup.ldap.connect.timeout.millis
  Description: LDAP connection timeout in milliseconds for the SMIME certificate lookup.
  Value type: Integer
  Default value: 3000
  Apply at run time: NA

smime.lookup.ldap.read.timeout.millis
  Description: LDAP read timeout in milliseconds for the SMIME certificate lookup.
  Value type: Integer
  Default value: 3000
  Apply at run time: NA

smime.lookup.ldap.server.base
  Description: Base path of the LDAP server that SEG uses for the SMIME lookup.
  Value type: String
  Default value: NA
  Apply at run time: NA

smime.lookup.ignore.ldap.ssl.errors
  Description: Flag to ignore any SSL errors when contacting the LDAP server for the SMIME lookup.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

Custom Response Headers

resp-header.Strict-Transport-Security
  Description: Overrides the preconfigured default value of the Strict-Transport-Security header; SEG then sends the configured value instead.
  Value type: String
  Default value: Max-age=31536000;includeSubDomains
  Apply at run time: NA

resp-header.X-Custom-Header
  Description: A new header with the specified value is included in subsequent responses.
  Value type: String
  Default value: NA
  Apply at run time: NA

KCD Client Configuration

kerb-conf.log_level
  Description: System log level for the kcdclient pipe processes that SEG spawns: 0 - Off, 1 - Error, 2 - Warning, 3 - Info, 4 - Debug.
  Value type: Integer
  Default value: 2
  Apply at run time: NA

kerb-conf.log_file_append
  Description: Flag that indicates whether a process restart appends to the existing log file (1 - Append) or discards the old logs and truncates the file (0 - Do not append).
  Value type: Integer
  Default value: 1
  Apply at run time: NA

kerb-conf.log_file_backup_count
  Description: Maximum number of backup log files created when the maximum file size is reached.
  Value type: Integer
  Default value: 1
  Apply at run time: NA

kerb-conf.log_file_size
  Description: Maximum size of a Kerberos process log file in MB.
  Value type: Integer
  Default value: 10
  Apply at run time: NA

kerb-conf.refresh_config_interval
  Description: Interval in seconds at which the settings are refreshed and any updated configuration is loaded from the file.
  Value type: Integer
  Default value: 30
  Apply at run time: NA

krb5-conf.<property_name>
  Description: The properties are written to the krb5-base.conf file.
  Value type: NA
  Default value: NA
  Apply at run time: NA

SEG Statistics, Monitoring, and Troubleshooting

log.device.delta.sync.payload.in.debug.mode
  Description: Flag to log the device delta sync payload in debug mode.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

api.server.connectivity.diagnostic.timeout.millis
  Description: HTTP connection timeout in milliseconds used when SEG verifies connectivity to the API server to capture diagnostic information.
  Value type: Integer
  Default value: 5000
  Apply at run time: NA

email.server.connectivity.diagnostic.timeout.millis
  Description: HTTP connection timeout in milliseconds used when SEG verifies connectivity to the email server to capture diagnostic information.
  Value type: Integer
  Default value: 5000
  Apply at run time: NA

high.cpu.monitoring.enabled
  Description: Flag to enable CPU usage monitoring and to generate thread dumps when usage exceeds a threshold. Configure the threshold with the cpu.monitor.trigger.threshold.percentage property.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

log.http.server.network.activity
  Description: Flag to enable logging of the SEG HTTP server network activity.
  Value type: Boolean
  Default value: FALSE
  Apply at run time: NA

enable.seg.metrics.collection
  Description: Flag to enable SEG metrics collection. When the flag is enabled together with the UEIP flag on the Workspace ONE UEM console, SEG reports the diagnostic information to the VMware Analytics Cloud (VAC).
  Value type: Boolean
  Default value: TRUE
  Apply at run time: NA