The following topics describe how to configure SEG V2.
To implement the SEG (V2) for your email architecture, first configure the settings on the UEM console. After you configure the settings, you can download the SEG installer from the Workspace ONE resource portal.
- In the Workspace ONE UEM console, navigate to Email > Email Settings and click Configure. The Add Email Configuration wizard displays.
- In the Platform tab of the wizard:
  - Select Proxy as the Deployment Model.
  - Select the Email Type (Exchange, IBM Notes, or Google).
  - If you selected Exchange as the email type, select the appropriate Exchange version from the drop-down menu. Click Next.
- Configure the basic settings in the Deployment tab of the wizard and then select Next.
Setting | Description
---|---
Friendly Name | Enter a friendly name for the SEG deployment. This name is displayed on the MEM dashboard.
External URL and Port | Enter the URL and port number for the incoming mail traffic to SEG.
Listener Port | The SEG listens for device communication through this port. The default port number is 443. If SSL is activated for SEG, the SSL certificate is bound to this port.
Terminate SSL on SEG | Activate this option if you want SSL to terminate on the SEG instead of being offloaded to a web application firewall. Upload a .pfx or .p12 certificate file including the root and intermediate certificates.
Upload Locally | Select to upload the SSL certificate locally during installation.
SEG Server SSL Certificate | Select Upload to add the certificate that binds to the listening port. The SSL certificate can be installed automatically instead of being provided locally. The certificate must be uploaded in the .pfx format with the full certificate chain and private key included. See the Upload the SSL Certificate after Renewal section in the Install the Secure Email Gateway (V2) topic for the methods to upload the SSL certificate after renewal.
Email Server URL and Port | Enter the email server URL and port number in the form https://email server url:email server port. The SEG uses this URL for proxying email requests to the email server. If you are using Exchange Online, enter https://outlook.office365.com.
Ignore SSL Errors between SEG and email server | Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the email server and the SEG server.
Ignore SSL Errors between SEG and AirWatch server | Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and the SEG server. Establish a strong SSL trust between the Workspace ONE UEM server and the SEG server using valid certificates.
Allow email flow if no policies are present on SEG | Select Enable to allow email traffic if SEG is unable to load the device policies from the Workspace ONE UEM API. By default, the SEG blocks all email requests if no policies are locally present on the SEG. Note: A list of all the device records with the corresponding compliance status is provided. SEG does not calculate the compliance of a given device by itself; instead, it uses the data received from the Workspace ONE UEM console.
Enable Clustering | Select Enable to activate clustering of multiple SEG servers. Activate clustering to have multiple SEG servers operating as a cluster. When clustering is activated, policy updates are distributed to all SEGs in the cluster. The SEGs communicate with each other through the SEG clustering port.
SEG Cluster Hosts | Add the IPs or hostnames of each server in the SEG cluster.
SEG Cluster Distributed Cache Port | Enter the port number for SEG to communicate with the distributed cache.
SEG Clustering Port | Enter the port number for SEG to communicate with the other SEGs in the cluster.
- In the Profile tab of the wizard, assign an email profile to the MEM configuration if necessary, and select Next.
- On the Summary tab, review the configuration that you have just created. Select Finish to save the settings.
- Download the SEG installer from the Workspace ONE resource portal.
- Configure any additional settings for your SEG using the Advanced option.
Setting | Description
---|---
Use Default Settings | The Use Default Settings check box is activated by default. To modify the advanced settings, you must clear this check box.
Enable Real-time Compliance Sync | Activate this option to send the compliance information to the SEG in real time. Without this option, individual changes to the device policies are refreshed per the delta sync interval.
Required transactions | The required transactions cannot be deactivated.
Optional transactions | Activate or deactivate the optional transactions such as Get attachment, Search, Move Items, and so on. These are the Exchange ActiveSync (EAS) transactions that the SEG reports to the console; they are displayed on the Email List View in the Last Command column.
Diagnostic | Set the number and frequency of transactions for a device when the test mode is activated.
Sizing | Set the frequency of SEG and API server interaction.
Skip Attachment & Hyperlink transformations for S/MIME signed emails | Activate to exempt emails that are signed with S/MIME certificates from attachment encryption and hyperlink transformation through SEG.
Enable S/MIME repository lookup | Activate automatic lookup of the S/MIME certificate managed in a hosted LDAP directory. Enter the following values to configure the lookup. LDAP URL: specify the URL of the LDAP server hosting the S/MIME certificates, for example LDAP://certs.soandso.local/o=dept,c=company. Authentication Type: specify the authentication type used by the LDAP server; Anonymous and Basic authentication are supported, and if Basic authentication is selected you must enter the username and password. Certificate Attribute: the public key attribute used on the LDAP server to specify the S/MIME certificate, for example userCertificate;binary. You must restart the SEG service after enabling this feature.
Custom Gateway Settings | The SEG custom gateway settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM console. For the supported key-value pairs, see the SEG Custom Gateway Settings section.
Block Attachments | Controls the default action when SEG is unable to communicate with Workspace ONE UEM or when the local policy set is empty.
Default Message for Blocked Attachments | Configure the message that is displayed to end users when SEG blocks attachments.
Configuring for High Availability and Disaster Recovery
SEG can be configured in high availability and disaster recovery environments with both clustering and non-clustering server configurations. The high availability and disaster recovery setups are independent of the cluster configuration.
Use a load balancer to achieve the desired high availability and disaster recovery configuration. The same public host name must be used for the SEG servers across the data centers to ensure that the users need not reauthenticate when a SEG server failover occurs.
The following are the benefits of using SEG in clustered and non-clustered server environments:
- Non-clustered server configuration:
  - Each SEG is updated independently.
  - Failover can be performed at the load balancer.
- Clustered server configuration:
  - Each data center must have its own MEM configuration and an external URL to update the MEM configuration's cluster.
    Note: The external URL need not match the URL used by devices to access email; instead, the UEM console uses the external URL to send policy updates to the appropriate cluster configuration.
  - Use internal IP addresses or hostnames, rather than public IP addresses, for clustering.
  - Device EAS profiles must use a third URL that can be failed over between data centers.
SEG Custom Gateway Settings
The SEG v2 configurations are controlled at an individual node level. The custom gateway setting feature centralizes the configuration on the Workspace ONE UEM Console as part of the MEM configuration itself.
Prerequisites
The following table lists the requirements for the SEG custom settings feature:
Platform | Minimum SEG and UAG Supported Version | Workspace ONE UEM Console
---|---|---
Windows | 2.17.0 | 20.10
UAG | UAG 2009 (SEG 2.17.0) | 20.10
Configure SEG Custom Gateway Settings
The SEG custom settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM Console. To configure the custom settings, perform the following steps:
- Log in to the Workspace ONE UEM console.
- Navigate to Email > Email Settings and configure the Email Settings for SEG.
- Configure the additional settings for SEG using the Advanced option.
- Navigate to the Custom Gateway Settings, click ADD ROW, and enter the supported configuration as a key-value pair:
  - Key: Enter the property or setting name.
  - Type: Enter the type of value, such as string, integer, and so on.
  - Value: Enter the property or custom value.
- Click Save.
Apply the Custom Gateway Settings on the SEG Service
During an installation or upgrade, if the custom settings are provided on the Workspace ONE UEM console, the SEG service starts with the custom settings applied.
If the custom settings are added or updated on the Workspace ONE UEM console when the SEG service is running, then a refreshSettings notification is triggered for SEG. The SEG fetches the latest custom gateway settings. A few of the custom settings are applied immediately, whereas the other custom settings might require you to restart the SEG service.
Supported Configuration for the Custom Gateway Settings
The following section lists all the supported SEG properties or settings for the custom settings feature.
The properties or settings are grouped based on feature or functionality. The custom settings can be added on the Workspace ONE UEM console in any order.
JVM Arguments or System Settings
The JVM arguments or system settings property keys start with -D. If the property value is modified, SEG updates the custom system settings in the segServiceWrapper.conf (for Windows) or seg-jvm-args.conf (for UAG). If the system setting is updated when the SEG service is running, then the SEG triggers a service restart.
You can configure the seg.custom.settings.service.restart.code=0 property in the application-override.properties file to deactivate the automatic restart of the SEG service.
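As an added example (not code from the VMware documentation or the SEG product), the following Python script lints a set of custom gateway settings rows before they are entered on the console: it checks each Value against its Type, works out from the rules above whether a change is applied at run time, needs a manual service restart, or triggers the automatic JVM restart, and flags overrides that weaken the TLS, LDAP, or CRL posture. The restart classification, the weak-setting checks, and the sample rows are the example's own assumptions drawn from the tables on this page.

```python
"""Lint for SEG V2 custom gateway settings (added example, not VMware code)."""
import re

# Keys this page lists with "Restart the SEG service." (a subset, chosen for the example).
MANUAL_RESTART_KEYS = {
    "enable.boxer.ens.ews.proxy",
    "generate.krb5.config.at.service.restart",
    "kerberos.service.max.processes.size",
    "enable.cert.revocation.validation",
    "fail.hard.on.crl.download.failure.during.server.startup",
    "remote.crl.fetch.interval.in.minutes",
    "cert.mapping.ldap.enabled",
    "cert.mapping.ldap.host",
    "full.bulk.update.interval.in.minutes",
    "tcpip.discovery.timeout-seconds",
}

# Weak protocols and algorithms contained in the page's default
# -Djdk.tls.disabledAlgorithms value; an override that omits one re-enables it.
WEAK_TLS_TOKENS = {"SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1", "RC4", "MD5", "DES", "3DES", "DESede"}

_INTEGER = re.compile(r"-?\d+")
# Checks for the Type column of a console row (Boolean, Integer, Long, String, URL).
TYPE_CHECKS = {
    "Boolean": lambda v: v.upper() in ("TRUE", "FALSE"),
    "Integer": lambda v: _INTEGER.fullmatch(v) is not None and -2**31 <= int(v) < 2**31,
    "Long": lambda v: _INTEGER.fullmatch(v) is not None,
    "String": lambda v: True,
    "URL": lambda v: re.fullmatch(r"(?i)(https?|ldaps?)://\S+", v) is not None,
}


def validate_rows(rows):
    """Return (key, problem) pairs for rows whose Type or Value is malformed."""
    problems = []
    for key, vtype, value in rows:
        if not key or " " in key:
            problems.append((key, "key must be a single property name"))
        elif vtype not in TYPE_CHECKS:
            problems.append((key, f"unknown value type {vtype!r}"))
        elif not TYPE_CHECKS[vtype](value):
            problems.append((key, f"value {value!r} is not a valid {vtype}"))
    return problems


def restart_plan(rows, auto_restart_disabled=False):
    """Map each key to how a running SEG applies it after a refreshSettings notification.

    -D and -X keys are JVM system settings: SEG rewrites segServiceWrapper.conf (Windows)
    or seg-jvm-args.conf (UAG) and restarts itself, unless
    seg.custom.settings.service.restart.code=0 is set in application-override.properties
    (modelled here by auto_restart_disabled=True).
    """
    plan = {}
    for key, _, _ in rows:
        if key.startswith(("-D", "-X")):
            plan[key] = ("restart suppressed; restart manually" if auto_restart_disabled
                         else "automatic restart")
        elif key in MANUAL_RESTART_KEYS:
            plan[key] = "restart the SEG service"
        else:
            plan[key] = "applied at run time"
    return plan


def security_findings(rows):
    """Flag overrides that weaken the TLS, LDAP or CRL posture described on the page."""
    s = {key: value for key, _, value in rows}
    findings = []
    for key in ("cert.mapping.ignore.ldap.ssl.errors", "smime.lookup.ignore.ldap.ssl.errors"):
        if s.get(key, "FALSE").upper() == "TRUE":
            findings.append(f"{key}=TRUE disables LDAP certificate validation")
    if s.get("remote.crl.distribution.http.uris") and \
            s.get("enable.cert.revocation.validation", "FALSE").upper() != "TRUE":
        findings.append("CRL URIs are configured but enable.cert.revocation.validation is not TRUE")
    if s.get("fail.hard.on.crl.download.failure.during.server.startup", "TRUE").upper() == "FALSE":
        findings.append("SEG would start without CRLs: fail.hard.on.crl.download.failure.during.server.startup=FALSE")
    if "-Djdk.tls.disabledAlgorithms" in s:
        present = {t.strip() for t in s["-Djdk.tls.disabledAlgorithms"].split(",")}
        reenabled = sorted(WEAK_TLS_TOKENS - present)
        if reenabled:
            findings.append("override of -Djdk.tls.disabledAlgorithms re-enables: " + ", ".join(reenabled))
    if "resp-header.Strict-Transport-Security" in s:
        m = re.search(r"(?i)max-age=(\d+)", s["resp-header.Strict-Transport-Security"])
        if m is None or int(m.group(1)) < 31536000:
            findings.append("Strict-Transport-Security max-age is below the default 31536000")
    return findings


# Constructed sample rows, as they would be entered on the console (Key, Type, Value).
SAMPLE_ROWS = [
    ("-Djdk.tls.disabledAlgorithms", "String", "MD5, RC4, SSLv3, DES, 3DES, DESede, DH keySize < 1024"),
    ("-Dsyslog.port", "Integer", "514"),
    ("enable.cert.revocation.validation", "Boolean", "FALSE"),
    ("remote.crl.distribution.http.uris", "String", "http://crl.example.invalid/ca.crl"),
    ("cert.mapping.ignore.ldap.ssl.errors", "Boolean", "TRUE"),
    ("resp-header.Strict-Transport-Security", "String", "Max-age=86400;includeSubDomains"),
    ("email.server.connect.timeout.millis", "Long", "fifteen"),
]

if __name__ == "__main__":
    for key, problem in validate_rows(SAMPLE_ROWS):
        print(f"INVALID  {key}: {problem}")
    for key, action in restart_plan(SAMPLE_ROWS).items():
        print(f"APPLY    {key}: {action}")
    for finding in security_findings(SAMPLE_ROWS):
        print(f"WARNING  {finding}")
```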
Configuration Key | Description | Value type | Default value | Apply System Setting at Run Time
---|---|---|---|---
-Djdk.tls.disabledAlgorithms | Comma-separated list of TLS algorithms, ciphers, and versions to be deactivated. | String | MD5, RC4, TLSv1, TLSv1.1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 | If the modified value is detected, restart automatically.
-Djdk.tls.ephemeralDHKeySize | Customize the strength of the ephemeral DH key size used internally during the TLS or DTLS handshake. The property affects the DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the JSSE Oracle provider. For more information, see Customizing Size of Ephemeral Diffie-Hellman Keys. | Integer | 2048 | If the modified value is detected, restart automatically.
-Dsyslog.enabled | Flag to activate the syslog configuration for SEG. | Boolean | TRUE for the UAG deployment; FALSE for the Windows deployment | If the modified value is detected, restart automatically.
-Dsyslog.host | Host address of the syslog server. The host address value can be any remote syslog server hostname or IP address that listens over UDP. If syslog to the remote server must use TCP or TLS, point to a local host syslog listener that can retransmit using the required protocol over the wire. The in-built UAG syslog configuration can function as the local retransmitter. | String | localhost | If the modified value is detected, restart automatically.
-Dkerberos.process.recycle.time | Specify the Kerberos process recycle time, when recycling is activated. Process recycling can be activated using the property -Denable.kerberos.process.recycle. | Time in the hh24:mm:ss format | 23:59:59 | If the modified value is detected, restart automatically.
-Xmx | Maximum Java heap memory for the service in mebibytes (MiB). For example, 8 GiB of RAM can be configured as 8192. | Long | If the system property is not configured, the value is identified dynamically during the SEG service installation based on the system configuration. | If the modified value is detected, restart automatically.
-Dsyslog.facility | Syslog facility as defined by the syslog server. | String | USER | If the modified value is detected, restart automatically.
-Dsyslog.port | Syslog listener port that the SEG points to. | Integer | 514 | If the modified value is detected, restart automatically.
-Denable.kerberos.process.recycle | SEG can be configured to recycle the native Kerberos client processes when Kerberos-based authentication is activated. | Boolean | FALSE | If the modified value is detected, restart automatically.
Support for EWS
Configuration Key | Description | Value type | Default value | Apply System Setting at Run Time
---|---|---|---|---
enable.boxer.ens.ews.proxy | Flag to activate SEG to listen for the EWS traffic and proxy it to the configured Exchange EWS endpoint. By default, SEG proxies the EWS requests to the email server host configured as part of the MEM configuration. However, a different host can be configured using the ews.email.server.host.and.port property. | Boolean | FALSE | Restart the SEG service.
ews.email.server.host.and.port | If the email server hostname for EWS differs from the one for EAS, use this property to configure the EWS email server hostname. When the hostname for the EWS connection is taken from this property, all other HTTP connection parameters remain the same as the EAS parameters. If the host uses a self-signed certificate, the corresponding trusted certificate must be added to SEG separately. The EWS proxy can be activated using the flag enable.boxer.ens.ews.proxy. | URL | No user action required. | No user action required.
http.response.status.code.for.connection.terminated.with.ews | HTTP response code for the EWS request when a connection error occurs between the SEG and Exchange. | Integer | 503 | No user action required.
Certificate-based Authentication
Configuration Key | Description | Value type | Default value | Apply System Setting at Run Time
---|---|---|---|---
proxy.email.request.on.kerberos.error | Flag to activate proxying the request to the email server if an error occurs when generating the KCD token. | Boolean | TRUE | No user action required.
response.status.code.on.kerberos.error.for.non.ping | HTTP response code for commands other than PING and OPTIONS when Kerberos token generation fails. | Integer | 503 | No user action required.
response.status.code.on.kerberos.error.for.ping | If the proxy.email.request.on.kerberos.error property is set to false, this is the HTTP status code returned for the PING command request during a Kerberos error. | Integer | 200 | No user action required.
response.status.code.on.kerberos.error.for.options.method | HTTP response code for the OPTIONS command when Kerberos token generation fails. | Integer | 401 | No user action required.
response.status.code.on.certificate.validation.fail | HTTP response code when certificate authentication is activated and the client certificate validation fails. If the flag force.client.cert.for.ssl.handshake is activated, a request with a missing or invalid certificate might be rejected during the SSL handshake. | Integer | 401 | No user action required.
enable.upn.lookup.from.subject.cn | Flag to activate the UPN (used for Kerberos authentication) lookup from the Subject Common Name when the UPN is not present in the SAN extension of the client certificate. | Boolean | FALSE | No user action required.
generate.krb5.config.at.service.restart | Flag to generate the KRB configuration file (krb5.ini in Windows or krb5.conf in UAG) when restarting the SEG service. | Boolean | TRUE | Restart the SEG service.
kerberos.service.max.processes.size | Number of KCD client processes that SEG spawns. | Integer | 10 | Restart the SEG service.
kerberos.thread.pool.size.per.service | Number of threads used per KCD client process. | Integer | 5 | Restart the SEG service.
kerberos.service.health.check.frequency.in.seconds | Frequency of polling by SEG for each KCD client process. | Integer | 5 | Restart the SEG service.
kerberos.enable.performance.metrics.logging | Flag to activate time statistics for the Kerberos token handling. | Boolean | TRUE | Restart the SEG service.
kerberos.process.kill.max.wait.time.in.seconds | The maximum wait time for a process to shut down when you attempt to stop the native process. | Integer | 60 | Restart the SEG service.
kerberos.process.max.time.to.recover.in.seconds | Maximum time in seconds permitted for a process to be in any status other than AVAILABLE (NOT_STARTED, STARTING, FAILED_TO_START, or BUSY). The limit recovers processes stuck in an unexpected situation and ensures a safer run. | Integer | 120 | Restart the SEG service.
kerberos.backpressure.queue.max.size | Maximum size of the backpressure queue for obtaining the Kerberos token. If the backpressure queue is full, further requests are ignored. | Integer | 2500 | Restart the SEG service.
kerberos.backpressure.queue.max.wait.in.seconds | Duration in seconds for which a request waits in the backpressure queue for Kerberos token generation before being stopped. | Integer | 20 | Restart the SEG service.
enable.cert.revocation.validation | Flag to activate the certificate revocation check using the CRL. The flag is used only when CBA is activated. | Boolean | FALSE | Restart the SEG service.
fail.hard.on.crl.download.failure.during.server.startup | Flag to prevent SEG from starting if SEG is unable to fetch the CRLs at start. The option is applicable only when a CRL distribution URL is configured using the remote.crl.distribution.http.uris key. | Boolean | TRUE | Restart the SEG service.
remote.crl.fetch.interval.in.minutes | Interval in minutes for a periodic timer that attempts to update SEG with the latest CRL data. | Long (the value type is integer) | 1440 (24 hours) | Restart the SEG service.
remote.crl.distribution.http.uris | List of HTTP URLs of CRL Distribution Points (CDP). Use the value when SEG is configured to accept client certificates, either by enabling the Require Client Certificate flag or Kerberos-based authentication. Applicable only if enable.cert.revocation.validation is set to true. | String | NA | No user action required.
kerberos.linux.named.pipe.connect.delay.millis | Delay in milliseconds before the SEG Java process attempts to listen to the named pipes that are started by the Kerberos client native processes. This delay ensures smooth recovery of crashed Kerberos client processes. This property is applicable only for SEG on UAG. Since: UAG 21.03 | Long | 50 | Restart the SEG service.
Certificate-Mapping LDAP Lookup
Configuration Key | Description | Value type | Default value | Apply System Setting at Run Time
---|---|---|---|---
cert.mapping.ldap.enabled | The flag indicates whether the certificate-mapping feature is activated for SEG. If KCD authentication is deactivated in the email configuration, the setting is ignored and treated as false. | Boolean | FALSE | Restart the SEG service.
cert.mapping.ldap.host | The remote LDAP host information in a proper URL format. | String | NA | Restart the SEG service.
cert.mapping.ldap.authType | The authentication type used with the LDAP server for the certificate-mapping feature. | Integer | 0 (simple authentication) | Restart the SEG service.
cert.mapping.ldap.user | The LDAP user for authenticating the LDAP query. SEG uses the same service account credentials configured as part of the Kerberos authentication settings. However, for the LDAP query, the user name must be provided in the Distinguished Name (DN) format. | String | NA | Restart the SEG service.
cert.mapping.ldap.attrs | List of LDAP lookup attributes used for the certificate-mapping feature. | String | NA | Restart the SEG service.
cert.mapping.ldap.server.base | Distinguished name of the base domain configured for running the LDAP query. The query fetches the matching results from the domain. By default, the query refers to the rootDSE of the LDAP setup. The field can be empty when the userCertificate and userPrincipalName attributes are indexed and replicated to the global catalog. | String | NA | Restart the SEG service.
cert.mapping.ignore.ldap.ssl.errors | Flag to ignore any SSL errors when contacting the LDAP server for the certificate-mapping lookup. | Boolean | FALSE | Restart the SEG service.
cert.mapping.max.query.executor.pools | Maximum number of LDAP services created, which bounds the number of concurrent LDAP queries. | Integer | 25 | Restart the SEG service.
cert.mapping.ldap.connect.timeout.millis | LDAP connect timeout in milliseconds for certificate-mapping. | Integer | 3000 | Restart the SEG service.
cert.mapping.ldap.read.timeout.millis | LDAP read timeout in milliseconds for certificate-mapping. | Integer | 3000 | Restart the SEG service.
cert.mapping.ldap.service.pool.size | LDAP (executor) service thread pool size. | Integer | 3 | Restart the SEG service.
cert.mapping.backpressure.queue.size | Maximum number of requests allowed in the backpressure queue, waiting for the LDAP service for the certificate-mapping lookup. | Integer | 1000 | Restart the SEG service.
cert.mapping.backpressure.max.ttl.in.seconds | Maximum time a request can stay in the backpressure queue waiting for the LDAP service to become available. | Integer | 60 | Restart the SEG service.
cert.mapping.wait.delay.for.concurrent.query.millis | Fixed delay in milliseconds applied to a request when another request for the same UPN is already in progress for certificate mapping. | Integer | 500 | No user action required.
SEG Policy and Cache
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time
---|---|---|---|---
bulk.update.completion.threshold.in.seconds | The timeout value in seconds to complete the bulk policy update flow. If the bulk policy update does not complete within this duration, the bulk policy update is marked as failed. Since: SEG 2.20.0, UAG 21.06 | Integer | 600 | No user action required.
policy.data.not.ready.response.code | HTTP response code returned to the device if SEG has not yet received all the policy data just after start, and the configuration prohibits email communication until the policy data is ready. | Integer | 503 | No user action required.
ignore.duplicate.records.during.policy.update | Flag to ignore duplicate records returned from an API, and compare the size of a policy in the SEG cache with the size for unique IDs only. | Boolean | TRUE | No user action required.
policy.update.eventbus.timeout.buffer.millis | Event bus timeout used during a policy update. | Long | 30000 | No user action required.
disable.api.policy.count.match.during.policy.update | Flag to deactivate the API policy count match during a policy update. | Boolean | FALSE | No user action required.
policy.async.cache.update.completion.threshold.seconds | Maximum time in seconds that SEG waits for the cache to be asynchronously updated with new policy records during a bulk policy update. | Integer | 900 | Restart the SEG service.
cache.index.validation.eventbus.timeout.millis | Timeout duration in milliseconds for validating the cache index on all the nodes after a bulk policy update. If validation fails, SEG retries before finally reverting the changes. | Integer | 30000 | No user action required.
cache.index.swap.wait.time.in.millis | Wait delay in milliseconds before swapping the active and passive cache indexes after the latest policy from the API is updated on the passive cache. | Long | 60000 | No user action required.
cache.index.validation.max.retry.count | Number of retry attempts to validate that the cache indexes are updated in all the nodes, when clustering is activated. | Integer | 3 | No user action required.
wait.time.in.millis.before.passive.cache.cleanup.start | If the policy update fails and the SEG is running in clustered mode, the cache indexes in all the nodes must be updated to stay in sync. This is the time in milliseconds for which the SEG waits before cleaning the passive cache, so that all the nodes have sufficient time to swap the passive and active indexes, if necessary. | Long | 30000 | No user action required.
cache.async.update.status.check.timer.interval.millis | Interval in milliseconds for a periodic timer that validates the async policy data update in the cache. | Long | 10000 | No user action required.
full.bulk.update.interval.in.minutes | Interval in minutes for a periodic full bulk policy update, when the delta sync is activated. | Integer | 1440 (24 hours) | Restart the SEG service.
validate.resource.uri.in.jwt.auth | Flag to activate validation of the resource URL in the JWT token. | Boolean | TRUE | No user action required.
jwt.allowed-clock-skew-in-seconds | Maximum allowed skew in the JWT timestamp for the token to be successfully authenticated. | Integer | 30 | No user action required.
tcpip.discovery.timeout-seconds | | Integer | 5 | Restart the SEG service.
hazelcast.operation.call.timeout.millis | Timeout for a Hazelcast cache read or write operation. | Long | 60000 |
Content Transformation
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time
---|---|---|---|---
disable.transformation.on.inline.unknown.attachment.bytes | Flag to deactivate the attachment transformation if the MIME type cannot be identified. | Boolean | TRUE | No user action required.
disable.transformation.on.inline.unknown.attachment.tag | Flag to skip the transformation of inline attachment tags that have no file extension or MIME type from which they could be processed correctly. | Boolean | TRUE | No user action required.
enable.request.transformation.by.default | Flag to activate content transformation on the request flow. When the value is FALSE, request transformation occurs only if any of the transformation types are activated. When the value is TRUE, request transformation always occurs. Activate the flag when content transformation was activated and attachments were encrypted or hyperlinks transformed, but content transformation is now deactivated, so that outgoing emails carry decrypted attachments and the original hyperlinks. | Boolean | FALSE | No user action required.
HTTP Request or Response
Configuration Key | Description | Value type | Default value | Apply System Setting at Run Time
---|---|---|---|---
email.server.request.timeout.millis | HTTP request timeout in milliseconds from SEG to the email server for the email traffic. Since: SEG 2.20.0, UAG 21.06 | Integer | 1200000 | No user action required.
keep.http.client.connection.alive | Flag to keep a socket connection to the email server and the API server alive so that the same connection is reused for any subsequent request. Since: SEG 2.20.0, UAG 21.06 | Boolean | TRUE | No user action required.
keep.email.server.client.connection.alive | Flag to keep a socket connection to the email server alive so that the same connection is reused for any subsequent request. Note: This key is supported until SEG version 2.19.0 and UAG version 21.03.1. For SEG version 2.20.0 and UAG version 21.06, use the key keep.http.client.connection.alive. | Boolean | TRUE | No user action required.
api.server.connect.timeout.millis | HTTP connection timeout in milliseconds from SEG to the API server. | Integer | 15000 | No user action required.
email.server.connect.timeout.millis | HTTP connection timeout in milliseconds from SEG to the email server. | Long | 15000 | No user action required.
force.client.cert.for.ssl.handshake | When Require Client Certificate is activated in the Advanced Settings option of the MEM configuration, setting the flag to TRUE causes the SSL handshake to fail when the client presents no certificate, so the request never reaches the application layer. If the flag is set to FALSE, the request reaches the application layer before being rejected for the missing client certificate. | Boolean | FALSE | No user action required.
http.client.max.idle.timeout.seconds | Maximum idle time in seconds after which any connection is closed to release system resources. | Integer | 3600 | No user action required.
http.response.status.code.for.non.ping.on.connection.closed.failure | HTTP response code for requests other than the PING command when the connection between the SEG and the email server closes unexpectedly. This option is used only if the flag return.http.response.status.for.non.ping.on.connection.closed.failure is activated. | Integer | 503 | No user action required.
http.response.status.code.for.ping.on.connection.closed.failure | HTTP response code for PING command requests when the connection between the SEG and the email server closes unexpectedly. | Integer | 200 | No user action required.
http.server.max.idle.timeout.seconds | Idle time in seconds after which an inbound connection to the SEG server is closed. | Integer | 3600 | No user action required.
max.http.buffer.chunk.size | Maximum HTTP chunk size. | Integer | 8192 (that is, 8 KB) | No user action required.
max.initial.line.length | Maximum length of the initial line of HTTP requests ending or originating at SEG. | Integer | 4096 (that is, 4 KB) | No user action required.
return.http.response.status.for.non.ping.on.connection.closed.failure | Flag to decide whether the SEG responds to the device when a connection error occurs between SEG and the email server while serving a non-PING command. When activated, the http.response.status.code.for.non.ping.on.connection.closed.failure property determines the response code. Some email clients might show an error when the connection to SEG is closed abruptly. | Boolean | TRUE | No user action required.
SMIME Certificate Lookup
Configuration Key | Description | Value type | Default value | Apply System Setting at Run Time
---|---|---|---|---
smime.lookup.ldap.connect.timeout.millis | LDAP connection timeout in milliseconds for the SMIME certificate lookup. | Integer | 3000 | No user action required.
smime.lookup.ldap.read.timeout.millis | LDAP read timeout in milliseconds for the SMIME certificate lookup. | Integer | 3000 | No user action required.
smime.lookup.ldap.server.base | Base path of the LDAP server that the SEG uses for the SMIME lookup. | String | NA | No user action required.
smime.lookup.ignore.ldap.ssl.errors | Flag to ignore any SSL errors when contacting the LDAP server for the SMIME lookup. | Boolean | FALSE | No user action required.
Custom Response Headers
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
resp-header.Strict-Transport-Security | The STS header with the preconfigured default value is overridden and the new SEG value is used. | String | Max-age=31536000;includeSubDomains | No user action required. |
resp-header.X-Custom-Header | A new header with the specified value is included in subsequent responses. | String | NA | No user action required. |
KCD Client Configuration
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
kerb-conf.log_level | System log level for the kcdclient pipe processes that the SEG spawns: 0 = Off, 1 = Error, 2 = Warning, 3 = Info, 4 = Debug. | Integer | 2 | No user action required. |
kerb-conf.log_file_append | Flag to indicate whether a process restart appends to the existing log file or discards the old logs and truncates the file: 0 = Do not append, 1 = Append. | Integer | 1 | No user action required. |
kerb-conf.log_file_backup_count | Maximum number of backup log files created when the maximum file size is reached. | Integer | 1 | No user action required. |
kerb-conf.log_file_size | Maximum size of a Kerberos process log file in MB. | Integer | 10 | No user action required. |
kerb-conf.refresh_config_interval | Interval in seconds at which the settings are refreshed and any updated configuration is loaded from the file. | Integer | 30 | No user action required. |
`krb5-conf.<property_name>` | The named property is updated in the krb5-base.conf file. | NA | NA | No user action required. |
SEG Statistics, Monitoring, and Troubleshooting
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
custom.response.text.for.root.and.health.api | Custom text to be sent as a response when the root path of the SEG V2 is accessed. If hide.seg.info.on.health.monitor.response is set to true, the text is also used in the response body of the health monitoring endpoints (/health and /lb-health). Since: SEG 2.20.0, UAG 21.06 | String | OK | No user action required. |
log.device.delta.sync.payload.in.debug.mode | Flag to activate logging of the device delta sync payload in debug mode. | Boolean | FALSE | No user action required. |
api.server.connectivity.diagnostic.timeout.millis | HTTP connection timeout in milliseconds that SEG uses when it verifies connectivity to the API server to capture diagnostic information. | Integer | 5000 | No user action required. |
email.server.connectivity.diagnostic.timeout.millis | HTTP connection timeout in milliseconds that SEG uses when it verifies connectivity to the email server to capture diagnostic information. | Integer | 5000 | No user action required. |
high.cpu.monitoring.enabled | Flag to activate CPU usage monitoring and to generate thread dumps when usage exceeds a threshold. Configure the threshold using the cpu.monitor.trigger.threshold.percentage property. | Boolean | FALSE | No user action required. |
log.http.server.network.activity | Flag to activate logging of the SEG HTTP server network activity. | Boolean | FALSE | No user action required. |
enable.seg.metrics.collection | Flag to activate the SEG metrics collection. When this flag is activated together with the UEIP flag on the Workspace ONE UEM console, SEG reports the diagnostic information to the VMware Analytics Cloud (VAC). | Boolean | TRUE | No user action required. |
log.active.sync.payload.in.debug.mode | Flag to activate logging of the ActiveSync payload in the active-sync-payload-reporting.log file. Since: SEG 2.18.0, UAG 20.12 | String | FALSE | No user action required. |
hide.seg.info.on.health.monitor.response | Flag to hide the SEG version and build information in the health monitoring endpoints (/health and /lb-health). Since: SEG 2.19.0, UAG 21.03 | Boolean | False | No user action required. |
SEG Logging
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
logger.app | Log level for the SEG application logs, written to the app.log and ews-proxy.log files. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.transactional | Log level for the transaction summary logs, written to the http-transaction.log, kerberos-transaction.log, and ews-transaction.log files. The default log level is Debug, and you need not change it unless you want to deactivate transactional logging. Since: SEG 2.18.0, UAG 20.12 | String | Debug | No user action required. |
logger.policy.cache | Log level for the policy update and SEG cache logs, written to the policy-update.log and cache.log files. Since: SEG 2.18.0, UAG 20.12 | String | Info | No user action required. |
logger.kerberos.service.manager | Log level for the Kerberos service manager log, written to the kerberos-service-manager.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.cert.auth | Log level for the certificate-based authentication log, written to the cert-auth.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.compliance | Log level for transactions of devices blocked due to non-compliance, written to the non-compliant-devices.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.content.transformation | Log level for email content transformation, such as hyperlink and attachment transforms, written to the content-transform.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
SEG Targeted Content Logging
SEG targeted content logging is activated to troubleshoot content transformation related issues. When you activate content logging, SEG starts writing email content (before and after transformation) to the `<SEG_Install_Dir>/tmp/content-logs` folder.
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
content.logging.target.all | Activate content logging for all users and devices. Since: SEG 2.18.0, UAG 20.12 | Boolean | False | No user action required. |
content.logging.target.users | Activate content logging for targeted users. Comma-separated list, for example, user1, user2, and so on. Since: SEG 2.18.0, UAG 20.12 | String | NA | No user action required. |
content.logging.target.easdeviceids | Activate content logging for targeted EAS device IDs. Comma-separated list, for example, device1, device2, and so on. Since: SEG 2.18.0, UAG 20.12 | String | NA | No user action required. |
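An added example, not part of this reference or of VMware's SEG code: a small Python audit that reads custom gateway settings as key=value lines (an assumed export format) and flags the settings from the SMIME lookup, custom response header, monitoring, and content logging tables above whose values disable LDAP TLS validation, expose version information on the health endpoints, weaken the STS header, or write email content to disk. The expected production values are this example's own assumed policy, not a documented SEG requirement; absent keys are evaluated against the default values listed on this page.

```python
import re

# Security-relevant settings from this reference: (page default, value this
# example's assumed production policy expects); not a SEG-mandated baseline.
EXPECTED = {
    "smime.lookup.ignore.ldap.ssl.errors": ("false", "false"),      # keep LDAP TLS validation
    "hide.seg.info.on.health.monitor.response": ("false", "true"),  # no version/build on /health
    "content.logging.target.all": ("false", "false"),               # writes mail bodies to disk
    "log.active.sync.payload.in.debug.mode": ("false", "false"),    # writes ActiveSync payloads
}
HSTS_KEY = "resp-header.Strict-Transport-Security"
MIN_MAX_AGE = 31536000  # one year, the page's default for the STS header

def parse_settings(text):
    """Parse key=value lines; blanks and '#' comments skipped (assumed export format)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # header values may themselves contain '='
        settings[key.strip()] = value.strip()
    return settings

def check_hsts(value):
    """Return a finding if the STS header is weaker than the page's default, else None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m or int(m.group(1)) < MIN_MAX_AGE:
        return f"{HSTS_KEY}: max-age below {MIN_MAX_AGE} (got {value!r})"
    if "includesubdomains" not in value.lower():
        return f"{HSTS_KEY}: includeSubDomains missing (got {value!r})"
    return None

def audit(text):
    """List each setting (explicit or defaulted) that deviates from the expected value."""
    settings = parse_settings(text)
    findings = []
    for key, (page_default, want) in EXPECTED.items():
        got = settings.get(key, page_default).lower()
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    if HSTS_KEY in settings:
        finding = check_hsts(settings[HSTS_KEY])
        if finding:
            findings.append(finding)
    return findings

# Constructed sample: LDAP TLS errors ignored, health info left visible, short HSTS max-age.
SAMPLE = "smime.lookup.ignore.ldap.ssl.errors=TRUE\ncontent.logging.target.all=false\n" \
         "resp-header.Strict-Transport-Security=max-age=300\n"
```

Calling `audit(SAMPLE)` returns three findings: the ignored LDAP SSL errors, the health endpoint still revealing build information (defaulted, not set), and the shortened max-age.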
Supported Configuration for the Custom Gateway Settings from SEG 2.18.0 Version
The following section lists all the supported SEG properties or settings for the custom gateway feature that were introduced in the SEG 2.18.0 version.
SEG Troubleshooting
The functionality of the following SEG properties is improved in the SEG 2.18.0 version. For SEG versions before 2.18.0, activating these properties required the user to manually update the log level for the respective logger in the logback.xml file. From SEG 2.18.0, the log level for the respective logger in the logback.xml file is updated automatically.
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
log.active.sync.payload.in.debug.mode | Flag to activate logging of the device payload for ActiveSync reporting. The payload is written to the active-sync-payload-reporting.log file. Since: SEG 2.18.0, UAG 20.12 | String | False | No user action required. |
log.http.server.network.activity | Flag to activate logging of the SEG HTTP server network activity. Since: SEG 2.18.0, UAG 20.12 | String | False | Restart SEG service |
SEG Logging
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
logger.app | Log level for the SEG application logs, written to the app.log and ews-proxy.log files. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.transactional | Log level for the transaction summary logs, written to the http-transaction.log, kerberos-transaction.log, and ews-transaction.log files. The default log level is Debug, and you need not change it unless you want to deactivate transactional logging. Since: SEG 2.18.0, UAG 20.12 | String | Debug | No user action required. |
logger.policy.cache | Log level for the policy update and SEG cache logs, written to the policy-update.log and cache.log files. Since: SEG 2.18.0, UAG 20.12 | String | Info | No user action required. |
logger.kerberos.service.manager | Log level for the Kerberos service manager log, written to the kerberos-service-manager.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.cert.auth | Log level for the certificate-based authentication log, written to the cert-auth.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.compliance | Log level for transactions of devices blocked due to non-compliance, written to the non-compliant-devices.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
logger.content.transformation | Log level for email content transformation, such as hyperlink and attachment transforms, written to the content-transform.log file. Since: SEG 2.18.0, UAG 20.12 | String | Error | No user action required. |
SEG Content Logging
SEG content logging is activated to troubleshoot content transformation related issues. When you activate content logging, SEG starts writing email content (before and after transformation) to the SEG install directory, following the path pattern {}.
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
content.logging.target.all | Activate content logging for all users and devices. Since: SEG 2.18.0, UAG 20.12 | Boolean | False | No user action required. |
content.logging.target.users | Activate content logging for targeted users. Comma-separated list, for example, user1, user2, and so on. Since: SEG 2.18.0, UAG 20.12 | String | NA | No user action required. |
content.logging.target.easdeviceids | Activate content logging for targeted EAS device IDs. Comma-separated list, for example, device1, device2, and so on. Since: SEG 2.18.0, UAG 20.12 | String | NA | No user action required. |
Supported Configuration for the Custom Gateway Settings from SEG 2.23.0 Version
The following section lists all the supported SEG properties or settings for the custom gateway feature that were introduced in the SEG 2.23.0 version.
HTTP Request or Response
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
http.compression.support | Activate or deactivate HTTP compression for the SEG server. This flag indicates whether the server must support gzip or deflate compression (serving compressed responses to clients that advertise support for them with the Accept-Encoding header). Since: SEG 2.23.0, UAG 22.07 | Boolean | True | Restart SEG service |
SEG Policy and Cache
Configuration Key | Description | Value Type | Default Value | Apply System Setting at Run Time |
---|---|---|---|---|
console.api.server.connection.pool.size | The default configuration is retrieved from the SEG gateway settings in the ConsoleAPIConfig. Since: SEG 2.23.0, UAG 22.07 | Integer | 20 | No user action required. |
console.api.server.timeout.in.millis | The default configuration is retrieved from the SEG gateway settings in the ConsoleAPIConfig. Since: SEG 2.23.0, UAG 22.07 | Integer | 40000 | No user action required. |
seg.config.retry.interval.in.minutes | The default configuration is retrieved from the SEG gateway settings in the PolicyUpdateConfig. Since: SEG 2.23.0, UAG 22.07 | Integer | 5 | No user action required. |
policy.update.error.retry.count | The default configuration is retrieved from the SEG gateway settings in the PolicyUpdateConfig. Since: SEG 2.23.0, UAG 22.07 | Integer | 3 | No user action required. |