The following topics describes the information related to configuration of SEG V2.

To implement the SEG (V2) for your email architecture, first configure the settings on the UEM console. After you configure the settings, you can download the SEG installer from the Workspace ONE resource portal.

  1. In the UEM console, navigate to Email > Settings and select Configure. The ADD wizard displays.
  2. In the Platform tab of the wizard:
    1. Select Proxy as the Deployment Model.
    2. Select the Email Type (Exchange, IBM Notes, or Google).
    3. If you selected Exchange as the email type, then select the appropriate exchange version from the drop-down menu. Click Next. Example of email servers is Exchange, IBM Notes, or Google.
  3. Configure the basic settings in the Deployment tab of the wizard and then select Next.
    Setting Description
    Friendly Name Enter a friendly name for the SEG deployment. This name gets displayed on the MEM dashboard.
    External URL and Port Enter the URL and port number for the incoming mail traffic to SEG.
    Listener Port The SEG listens for device the communication through this port. The default port number is 443. If SSL is enabled for SEG, the SSL certificate is bound to this port.
    Terminate SSL on SEG Enable this option if you want the SSL certificate to be sent from the SEG instead of offloading on a web application firewall. Upload a .pfx or .p12 certificate file including the root and intermediate certificates.
    Upload Locally Select to upload the SSL certificate locally during installation.
    SEG Server SSL Certificate Select Upload to add the certificate that binds to the listening port. The SSL certificate can be automatically installed instead of providing it locally. An SSL certificate in the .pfx format with a full certificate chain and private key included must be uploaded. See, the Upload the SSL Certificate after Renewal section in the Install the Secure Email Gateway (V2) topic to understand the methods to upload the SSL certificate after renewal.
    Email Server URL and Port Enter the email server URL and port number in the form https://email server url:email server port. The SEG uses the following URL for proxying email requests to the email server. If using Exchange Online, enter the https://outlook.office365.com URL.
    Ignore SSL Errors between SEG and email server Select Enable to ignore the Secure Socket Layer (SSL) certificate errors between the email server and the SEG server.
    Ignore SSL Errors between SEG and AirWatch server Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and the SEG server.

    Establish a strong SSL trust between the Workspace ONE UEM and the SEG server using valid certificates.

    Allow email flow if no policies are present on SEG Select Enable to allow the email traffic if SEG is unable to load the device policies from the Workspace ONE UEM API. By default, the SEG blocks all email requests if no policies are locally present on the SEG.
    Note: A list of all the device records with the corresponding compliance status is provided. SEG does not calculate the compliance of a given device by itself, instead uses the data received from the Workspace ONE UEM console.
    Enable Clustering Select Enable to enable clustering of multiple SEG servers.

    When clustering is enabled, policy updates are distributed to all SEGs in the cluster. The SEGs communicate with each other through the SEG clustering port.

    SEG Cluster Hosts Add the IPs or hostnames of each server in the SEG cluster.
    SEG Cluster Distributed Cache Port Enter the port number for SEG to communicate to the distributed cache.
    SEG Clustering Port Enter the port number for SEG to communicate to the other SEGs in the cluster. Enable clustering to have multiple SEG servers operating as a cluster.
  4. Select Next in the Profile tab of the wizard. If necessary, assign an email profile to the MEM configuration. Select Next in the Profile tab of the wizard.
  5. On the Summary tab, review the configuration that you have just created. Select Finish to save the settings.
  6. Download the SEG installer from the Workspace ONE resource portal.
  7. Configure any additional settings for your SEG using the Advanced option.
    Setting Description
    Use Default Settings The Use Default Settings check box is enabled by default. To modify the advanced settings, you must uncheck this box.
    Enable Real-time Compliance Sync Enable this option to send the compliance information to the SEG in real-time. Without this, individual changes to the device policies are refreshed per the delta sync interval.
    Required transactions The Required transactions cannot be disabled.
    Optional transactions Enable or disable the optional transactions such as Get attachment, Search, Move Items, and so on. The following are the Exchange Active Sync (EAS) transactions that the SEG reports to the console and are displayed on the Email List View in the Last Command column.
    Diagnostic Set the number and frequency of transactions for a device when the test mode is enabled.
    Sizing Set the frequency of SEG and API server interaction.
    Skip Attachment & Hyperlink transformations for S/MIME signed emails Enable to exempt the encryption of attachments and transformation of hyperlinks through SEG for emails that are signed with S/MIME certificates.
    S/MIME Options

    Enable to permit the automatic lookup of the S/MIME certificate managed in a hosted LDAP directory.

    You must restart SEG after enabling this feature.

    Custom Gateway Settings The SEG custom gateway settings are available as a key-value pair on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM console. For more information on the SEG supported key value pairs.
    Block Attachments Used to control the default action when SEG is unable to communicate with the Workspace ONE UEM or when the local policy set is empty.
    Default Message for Blocked Attachments Configure the message that is displayed to end users when SEG blocks attachments.

Configuring for High Availability and Disaster Recovery

SEG can be configured in high availability and disaster recovery environments with both clustering and non-clustering server configurations. The high availability and disaster recovery setups are independent of the cluster configuration.

Use a load balancer to achieve the desired high availability and disaster recovery configuration. The same public host name must be used for the SEG servers across the data centers to ensure that the users need not reauthenticate when a SEG server failover occurs.

The following are the benefits of using SEG in a clustering and non-clustering server environments:

  • Non-clustered server configuration:
    • Each SEG is updated independently.
    • Failover can be performed at the load balancer.
  • Clustered server configuration:

    • Each data center must have its own MEM configuration and an external URL to update the MEM configuration's cluster.
      Note: The external URL need not match the URL used by devices to access email, instead the UEM console uses the external URL to send policy updates to the appropriate cluster configuration.
    • Internal IP addresses or hostnames are applicable for clustering rather than public IP addresses only.
    • Device EAS profiles must use a third URL that can be failed-over between data centers.

SEG Custom Gateway Settings

The SEG v2 configurations are controlled at an individual node level. The custom gateway setting feature centralizes the configuration on the Workspace ONE UEM Console as part of the MEM configuration itself.

Prerequisites

The following table lists the requirements for the SEG custom settings feature:

Platform Minimum SEG and UAG Supported Version Workspace ONE UEM Console

Windows

2.17.0

20.10

UAG

UAG 2009 (SEG 2.17.0)

20.10

Configure SEG Custom Gateway Settings

The SEG custom settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM Console. To configure the custom settings, perform the following steps:

  1. Log in to the Workspace ONE UEM console.
  2. Navigate to the Email > Email Settings.
  3. Configure the Email Settings for SEG.
  4. Configure the additional settings for SEG using the Advanced option.
  5. Navigate to the Custom Gateway Settings, click ADD ROW, and enter the supported configuration as the key-value pair:
    • Key: Enter the property or setting name.
    • Type: Enter the type of value such as string, integer, and so on.
    • Value: Enter the property or custom value.
  6. Click Save.

Apply the Custom Gateway Settings on the SEG Service

During an installation or upgrade, if the custom settings are provided on the Workspace ONE UEM console, then the SEG service starts with the applied custom settings

If the custom settings are added or updated on the Workspace ONE UEM console when the SEG service is running, then a refreshSettings notification is triggered for SEG. The SEG fetches the latest custom gateway settings. A few of the custom settings are applied immediately, whereas the other custom settings might require you to restart the SEG service.

Supported Configuration for the Custom Gateway Settings

The following section lists all the supported SEG properties or settings for the custom settings feature.

Note:

The properties or settings are grouped based on feature or functionality. The custom settings can be added on the Workspace ONE UEM console in any order.

JVM Arguments or System Settings

The JVM arguments or system settings property keys start with -D. If the property value is modified, SEG updates the custom system settings in the segServiceWrapper.conf (for Windows) or seg-jvm-args.conf (for UAG). If the system setting is updated when the SEG service is running, then the SEG triggers a service restart.

You can configure the seg.custom.settings.service.restart.code=0 property in the application-override.properties file to disable the automatic restart of the SEG service.

Configuration Key

Described

Value type

Default value

Apply System Setting at Run Time

-Djdk.tls.disabledAlgorithms

Comma-separated list of TLS algorithms, ciphers, and versions to be disabled.

String

MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224

If the modified value is detected, restart automatically.

-Djdk.tls.ephemeralDHKeySize

Customize the strength of the ephemeral DH key size used internally during the TLS or DTLS handshake. The system property does not impact the DH key sizes in the ServerKeyExchange messages for exportable cipher suites.

The following DH key sizes are impacted, the DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the JSSE Oracle provider. For more information, see Customizing Size of Ephemeral Diffie-Hellman Keys.

Integer

2048

If the modified value is detected, restart automatically.

-Dsyslog.enabled

Flag to enable the syslog configuration for SEG.

Boolean

TRUE - For the UAG deployment

FALSE - For the Windows deployment

If the modified value is detected, restart automatically.

-Dsyslog.host

Host address of the syslog server.

The host address value can be configured with any remote syslog server hostname or IP address that listens over UDP.

If syslog to the remote server is configured with the TCP or TLS, then point to a local host syslog listener that can retransmit using the required protocol over the wire.

The in-built UAG syslog configuration can function as the local retransmitter.

String

localhost

If the modified value is detected, restart automatically.

-Dkerberos.process.recycle.time

Specify the Kerberos process recycle time, when enabled.

Process recycling can be enabled using the property -Denable.kerberos.process.recycle.

Time in the hh24:mm:ss format

23:59:59

If the modified value is detected, restart automatically.

-Xmx

Maximum java heap memory for the service in Mebibytes (MiB).

For example, 8 GiB of RAM can be configured as 8192.

Long

If the system property is not configured, dynamically identified during the SEG service installation based on the system configuration.

If the modified value is detected, restart automatically.

-Dsyslog.facility

Syslog facility as defined by the Syslog server.

String

USER

If the modified value is detected, restart automatically.

-Dsyslog.port

Syslog listener port that the SEG points to.

Integer

514

If the modified value is detected, restart automatically.

-Denable.kerberos.process.recycle

SEG can be configured to recycle the native Kerberos client processes when the Kerberos based authentication is enabled.

Boolean

FALSE

If the modified value is detected, restart automatically.

Support for EWS

Configuration Key

Description

Value type

Default value

Apply System Setting at Run Time

enable.boxer.ens.ews.proxy

Flag to enable SEG to listen for the EWS traffic and proxy the same to the configured Exchange EWS endpoint.

By default, SEG proxies the EWS requests to the email server host configured as part of the MEM configuration. However, a different host can be configured using the ews.email.server.host.and.port property.

Boolean

FALSE

Restart the SEG service.

ews.email.server.host.and.port

If the email server hostname for the EWS is different than the EAS, then use this property to configure the EWS email server hostname.

When the host name for the EWS connection is used from the ews.email.server.host.and.port property, all the other HTTP connection parameters remain the same, similar to the EAS parameters.

If the host is using a self-signed certificate, corresponding trusted certificate must be added to SEG separately.

EWS proxy can be enabled using flag enable.boxer.ens.ews.proxy.

URL

No user action required.

No user action required.

http.response.status.code.for.connection.terminated.with.ews

HTTP response code for the EWS request when a connection error occurs between the SEG and the Exchange.

Integer

503

No user action required.

Certificate-based Authentication

Configuration Key

Description

Value type

Default value

Apply System Setting at Run Time

proxy.email.request.on.kerberos.error

Flag to enable the proxy request to the email server, in case, an error occurs when generating the KCD token.

Boolean

TRUE

No user action required.

response.status.code.on.kerberos.error.for.non.ping

HTTP response code for commands, other than PING and OPTIONS, when the Kerberos token generation results fail.

Integer

503

No user action required.

response.status.code.on.kerberos.error.for.ping

If the proxy.email.request.on.kerberos.error property is set to false, then the response.status.code.on.kerberos.error.for.ping is the HTTP status code returned during a Kerberos error for the PING command request.

Integer

200

No user action required.

response.status.code.on.kerberos.error.for.options.method

HTTP response code for the OPTIONS command when the Kerberos token generation results fail.

Integer

401

No user action required.

response.status.code.on.certificate.validation.fail

HTTP response code when the certificate authentication is enabled and if SEG the client certificate validation fails.

If the flag force.client.cert.for.ssl.handshake is enabled, the request with the missing or invalid certificate might be rejected during the SSL handshake.

Integer

401

No user action required.

enable.upn.lookup.from.subject.cn

Flag to enable the UPN (used for Kerberos authentication) lookup from Subject, and Common Name when the UPN is not present in the SAN type extension of the client certificate.

Boolean

FALSE

No user action required.

generate.krb5.config.at.service.restart

Flag to generate the KRB configuration file (krb5.ini in Windows or krb5.conf in UAG) when restarting the SEG service.

Boolean

TRUE

Restart the SEG service.

kerberos.service.max.processes.size

Number of KCD client processes that SEG spawns.

Integer

10

Restart the SEG service.

kerberos.thread.pool.size.per.service

Number of threads used per KCD client process.

Integer

5

Restart the SEG service.

kerberos.service.health.check.frequency.in.seconds

Frequency of polling by SEG for each KCD client process.

Integer

5

Restart the SEG service.

kerberos.enable.performance.metrics.logging

Flag to enable time statistics for the Kerberos token handling.

Boolean

TRUE

Restart the SEG service.

kerberos.process.kill.max.wait.time.in.seconds

The maximum wait time for a process to shut down, when you attempt to stop the native process.

Integer

60

Restart the SEG service.

kerberos.process.max.time.to.recover.in.seconds

Maximum time in seconds permitted for a process to be in any status (NOT_STARTED, STARTING, FAILED_TO_START, or BUSY) other than AVAILABLE. To recover processes in an unexpected situation and ensure a safer execution.

Integer

120

Restart the SEG service.

kerberos.backpressure.queue.max.size

Maximum size of the backpressure queue to obtain the Kerberos token. If the backpressure queue is full, further requests are ignored.

Integer

2500

Restart the SEG service.

kerberos.backpressure.queue.max.wait.in.seconds

Duration in seconds for which a request waits in a backpressure queue for the Kerberos token generation before being stopped.

Integer

20

Restart the SEG service.

enable.cert.revocation.validation

Flag to enable the certificate revocation check using the CRL. The flag is used only when the CBA is enabled.

Boolean

FALSE

Restart the SEG service.

fail.hard.on.crl.download.failure.during.server.startup

Flag to prevent SEG from starting if SEG is unable to fetch the CRLs at start.

The option is applicable only when any CRL distribution URL is configured using the remote.crl.distribution.http.uris key.

Boolean

TRUE

Restart the SEG service.

remote.crl.fetch.interval.in.minutes

Interval in minutes for a periodic timer that attempts to update SEG with the latest CRL data.

Long (the value type is integer)

1440 (24 hours)

Restart the SEG service.

remote.crl.distribution.http.uris

List of HTTP URLs of CRL Distribution Points (CDP). Use the value when SEG is configured to accept the client certificates, either by enabling the Require Client Certificate flag or the Kerberos based authentication.

Applicable only if enable.cert.revocation.validation value is set to true.

String

NA

No user action required.

kerberos.linux.named.pipe.connect.delay.millis

Delay in milliseconds before the SEG Java process attempts to listen to the named pipes that are started by the Kerberos client native processes. This delay is to ensure smooth recovery of crashed Kerberos client processes. This property is applicable only for SEG on UAG.

Since: UAG 21.03

Long 50

Restart the SEG service.

Certificate-Mapping LDAP Lookup

Configuration Key

Description

Value type

Default value

Apply System Setting at Run Time

cert.mapping.ldap.enabled

The flag indicates if the certificate-mapping feature is enabled for SEG.

If the KCD authentication is disabled in the email configuration, ignore the setting and consider as false.

Boolean

FALSE

Restart the SEG service.

cert.mapping.ldap.host

The remote LDAP host information in a proper URL format.

String

NA

Restart the SEG service.

cert.mapping.ldap.authType

The authentication type used with the LDAP server for the certificate-mapping feature.

Integer

0 (simple authentication)

Restart the SEG service.

cert.mapping.ldap.user

The LDAP user for authenticating the LDAP query.

SEG uses the same service account credentials configured as part of the Kerberos authentication settings.

However for the LDAP query, the user name must be provided in the Distinguished Name (DN) format.

String

NA

Restart the SEG service.

cert.mapping.ldap.attrs

List of LDAP lookup attributes used for certificate-mapping feature.

String

NA

Restart the SEG service.

cert.mapping.ldap.server.base

Distinguished name of the base domain configured for running the LDAP query. The query fetches the matching results from the domain.

By default, the query refers to the rootDSE of the LDAP setup. The field can be empty for the userCertificate and userPrincipalName attributes indexed and replicated to the global catalog.

String

NA

Restart the SEG service.

cert.mapping.ignore.ldap.ssl.errors

Flag to ignore any SSL errors when contacting LDAP server for the certificate-mapping lookup.

Boolean

FALSE

Restart the SEG service.

cert.mapping.max.query.executor.pools

Maximum number of LDAP services created to allow the maximum concurrent LDAP queries.

Integer

25

Restart the SEG service.

cert.mapping.ldap.connect.timeout.millis

LDAP connect timeout in milliseconds for certificate-mapping.

Integer

3000

Restart the SEG service.

cert.mapping.ldap.read.timeout.millis

LDAP read timeout in milliseconds for certificate-mapping.

Integer

3000

Restart the SEG service.

cert.mapping.ldap.service.pool.size

LDAP (executor) service thread pool size.

Integer

3

Restart the SEG service.

cert.mapping.backpressure.queue.size

Maximum size of requests that are allowed in back pressure queue, waiting for the LDAP service for certificate-mapping lookup.

Integer

1000

Restart the SEG service.

cert.mapping.backpressure.max.ttl.in.seconds

Maximum time a request can stay in back pressure queue waiting for the LDAP service to be available.

Integer

60

Restart the SEG service.

cert.mapping.wait.delay.for.concurrent.query.millis

Fixed delay waiting for a request when another request for the same UPN is in progress for getting certificate mapping.

Integer

500

No user action required.

SEG Policy and Cache

Configuration Key

Description

Value Type

Default Value

Apply System Setting at Run Time

policy.data.not.ready.response.code

HTTP response code to be returned to the device if SEG is yet to receive all the policy data just after start, and the configuration prohibits email communication until policy data is ready.

Integer

503

No user action required.

ignore.duplicate.records.during.policy.update

Flag to ignore duplicate records returned from an API, and compare the size of a policy in the SEG cache with the size for only Unique IDs.

Boolean

TRUE

No user action required.

policy.update.eventbus.timeout.buffer.millis

Event bus timeout used during a policy update.

Long

30000

No user action required.

disable.api.policy.count.match.during.policy.update

Maximum time in seconds that SEG waits for the cache to be asynchronously updated with the new policy records during a bulk policy update.

Boolean

FALSE

No user action required.

policy.async.cache.update.completion.threshold.seconds

Maximum time in seconds that SEG waits for the cache to be asynchronously updated with new policy records during a bulk policy update.

Integer

900

Restart the SEG service.

cache.index.validation.eventbus.timeout.millis

Timeout duration in milliseconds for validating the cache index on all the nodes after a bulk policy update.

If failed, SEG retries before finally reverting the changes.

Integer

30000

No user action required.

cache.index.swap.wait.time.in.millis

Wait delay in milliseconds before swapping active and passive cache indexes after the latest policy from API is updated on the passive cache.

Long

60000

No user action required.

cache.index.validation.max.retry.count

Number of retry attempts to validate that the cache indexes are updated in all the nodes, when clustering is enabled.

Integer

3

No user action required.

wait.time.in.millis.before.passive.cache.cleanup.start

In case the policy update fails and the SEG is running in a clustered mode, the cache indexes in all the nodes must be updated to be in sync. The wait.time.in.millis.before.passive.cache.cleanup.start, is the time in milliseconds for which the SEG waits before cleaning the passive cache, so that all the nodes have sufficient time to swap the passive and active indexes, if necessary.

Long

30000

No user action required.

cache.async.update.status.check.timer.interval.millis

Interval in milliseconds for a periodic timer that validates async policy data update in cache.

Long

10000

No user action required.

full.bulk.update.interval.in.minutes (only when the delta is enabled)

Integer

1440 (24 hours)

Restart the SEG service.

validate.resource.uri.in.jwt.auth

Interval in minutes for a periodic full bulk policy update, when the delta sync is enabled.

Boolean

TRUE

No user action required.

jwt.allowed-clock-skew-in-seconds

Flag to enable validation of resource URL in the JWT token.

Integer

30

No user action required.

tcpip.discovery.timeout-seconds

Maximum allowed skew in JWT timestamp for the token to be successfully authenticated.

Integer

5

Restart the SEG service.

hazelcast.operation.call.timeout.millis

Timeout for Hazel cast cache read or write operation.

Long

60000

Content Transformation

Configuration Key

Description

Value Type

Default Value

Apply System Setting at Run Time

disable.transformation.on.inline.unknown.attachment.bytes

Flag to disable the attachment transformation if the MIME type cannot be identified.

Boolean

TRUE

No user action required.

disable.transformation.on.inline.unknown.attachment.tag

Flag to ignore the transformation on the inline attachment tags that do not have a file extension or MIME type to be processed correctly.

Boolean

TRUE

No user action required.

enable.request.transformation.by.default

Flag to enable the content transformation on the request flow.

If any of the transformation types are enabled and the value is FALSE, the request transformation occurs. When the value is TRUE, request transformation always occurs.

Enable the flag when the content the transformation is enabled and the attachments are encrypted or hyperlinks are transformed. The content transformation is disabled, but the outgoing emails are decrypted attachments and original hyperlinks.

Boolean

FALSE

No user action required.

HTTP Request or Response

Configuration Key

Description

Value type

Default value

Apply System Setting at Run Time

api.server.connect.timeout.millis

HTTP connection timeout from SEG to the API server in milliseconds.

Integer

15000

No user action required.

email.server.connect.timeout.millis

HTTP connection timeout from SEG to the email server in milliseconds.

Long

15000

No user action required.

force.client.cert.for.ssl.handshake

In the MEM configuration, when the Require Client Certificate is enabled in the Advanced Settings option, setting the flag to TRUE forces the SSL handshake to fail. Due to the absence of a client certificate and the request not reaching the application layer, the SSL handshake fails. If the flag is set to FALSE, the request reaches the application layer before failing due to the lack of the client certificate.

Boolean

FALSE

No user action required.

http.client.max.idle.timeout.seconds

Maximum idle timeout in seconds after which any connection is closed to release the system resources.

Integer

3600

No user action required.

http.response.status.code.for.non.ping.on.connection.closed.failure

HTTP response code for the requests other than the PING command when the connection between the SEG and the email server closes unexpectedly.

You can use this option only if the flag return.http.response.status.for.non.ping.on.connection.closed.failure is enabled.

Integer

503

No user action required.

http.response.status.code.for.ping.on.connection.closed.failure

HTTP response code for the PING command requests when the connection between the SEG and email server closes unexpectedly.

Integer

200

No user action required.

http.server.max.idle.timeout.seconds

Idle time in seconds after which an inbound connection to the SEG server is closed.

Integer

3600

No user action required.

keep.email.server.client.connection.alive

Flag to keep a socket connection to the email server alive, to reuse the same connection for any subsequent request.

Integer

TRUE

No user action required.

max.http.buffer.chunk.size

Maximum HTTP chunk size.

Integer

8192 (that is, 8 KB)

No user action required.

max.initial.line.length

Maximum length of the initial line of the HTTP requests ending or originating at SEG.

Integer

4096 (that is, 4 KB)

No user action required.

return.http.response.status.for.non.ping.on.connection.closed.failure

Flag to decide if the SEG responds to the device in case a connection error occurs between SEG and the email server when serving a non-PING command.

When enabled, the http.response.status.code.for.non.ping.on.connection.closed.failure property determines the response code.

Few email clients might show some error when the connection to SEG is abruptly closed.

Integer

TRUE

No user action required.

SMIME Certificate Lookup

Configuration Key

Description

Value type

Default value

Apply System Setting at Run Time

smime.lookup.ldap.connect.timeout.millis

LDAP connection timeout in milliseconds for the SMIME certificate lookup.

Integer

3000

No user action required.

smime.lookup.ldap.read.timeout.millis

LDAP read timeout in milliseconds for the SMIME certificate lookup.

Integer

3000

No user action required.

smime.lookup.ldap.server.base

Base path of the LDAP server that the SEG uses for the SMIME lookup.

String

NA

No user action required.

smime.lookup.ignore.ldap.ssl.errors

Flag to ignore any SSL errors when contacting the LDAP server for the SMIME lookup.

Boolean

FALSE

No user action required.

Custom Response Headers

Configuration Key

Description

Value Type

Default Value

Apply System Setting at Run Time

resp-header.Strict-Transport-Security

The STS header with the preconfigured default value is overridden and a new SEG value is used.

String

Max-age=31536000;includeSubDomains

No user action required.

resp-header.X-Custom-Header

New header with a specified value is included for subsequent responses.

String

NA

No user action required.

KCD Client Configuration

Configuration Key

Description

Value Type

Default Value

Apply System Setting at Run Time

kerb-conf.log_level

System log level for the kcdclient pipe processes that the SEG spawns.

0 - Off

1 - Error

2 - Warning

3 - Info

4 - Debug

Integer

2

No user action required.

kerb-conf.log_file_append

Flag to indicate if a process restart must append logs or discard old logs and truncate a file.

0 - Do not append

1 - Append

Integer

1

No user action required.

kerb-conf.log_file_backup_count

Maximum number of backup log files to be created when the maximum file size is reached.

Integer

1

No user action required.

kerb-conf.log_file_size

Maximum file size of a Kerberos process log file in MB.

Integer

10

No user action required.

kerb-conf.refresh_config_interval

Time taken in seconds to refresh the settings and to load any updated configuration from a file.

Integer

30

No user action required.

krb5-conf.<property_name>

The properties are updated in the krb5-base.conf file.

NA

NA

No user action required.

SEG Statistics, Monitoring, and Troubleshooting

Configuration Key

Description

Value Type

Default Value

Apply System Setting at Run Time

log.device.delta.sync.payload.in.debug.mode

Flag to enable the delta sync payload.

Boolean

FALSE

No user action required.

api.server.connectivity.diagnostic.timeout.millis

When SEG verifies the connectivity to the API server to capture the diagnostic information, specify the HTTP connection timeout in milliseconds.

Integer

5000

No user action required.

email.server.connectivity.diagnostic.timeout.millis

When SEG verifies the connectivity to the Email server to capture diagnostic information, specify the HTTP connection timeout in milliseconds.

Integer

5000

No user action required.

high.cpu.monitoring.enabled

Flag to enable the CPU usage monitoring and to generate thread dumps beyond a threshold limit. Configure the threshold limit using the cpu.monitor.trigger.threshold.percentage property.

Boolean

FALSE

No user action required.

log.http.server.network.activity

Flag to enable the SEG HTTP server network activity.

Boolean

FALSE

No user action required.

enable.seg.metrics.collection

Flag to enable the SEG metrics collection. When the flag is enabled with the UEIP flag on the Workspace ONE UEM console, SEG reports the diagnostic information to the VMware Analytics Cloud (VAC).

Boolean

TRUE

No user action required.

log.active.sync.payload.in.debug.mode Flag to enable logging active synchronization payload in active-sync-payload-reporting.log

Since: SEG 2.18.0, UAG 20.12

.
String

FALSE

No user action required.

hide.seg.info.on.health.monitor.response

Flag to disable SEG version and build information in the health monitoring endpoints (/health and /lb-health).

Since: SEG 2.19.0, UAG 21.03

Boolean False

No user action required.

SEG Logging

Configuration Key Description Value Type Default Value Apply System Setting at Run Time

logger.app

The SEG application logs are applicable for the app.log and the ews-proxy.log files.

Since: SEG 2.18.0, UAG 20.12

String Error

No user action required.

logger.transactional

The transaction summary logs are applicable for the http-transaction.log, kerberos-transaction.log and the ews-transaction.log transaction log files. The default log level is Debug and you need not change unless you want to disable the transactional logging.

Since: SEG 2.18.0, UAG 20.12

String Debug

No user action required.

logger.policy.cache

The policy update and SEG cache logs are applicable for the policy-update.log and cache.log files.

Since: SEG 2.18.0, UAG 20.12

String Info

No user action required.

logger.kerberos.service.manager

The Kerberos service manager log is applicable for the kerberos-service-manager.log file.

Since: SEG 2.18.0, UAG 20.12

String Error

No user action required.

logger.cert.auth

The certificate-based authentication log is applicable for the cert-auth.log file.

Since: SEG 2.18.0, UAG 20.12

String Error

No user action required.

logger.compliance

Transaction for blocked devices due to non-compliance. This is applicable for the non-compliant-devices.log log file.

Since: SEG 2.18.0, UAG 20.12

String Error

No user action required.

logger.content.transformation

Email content transformation such as hyperlink and attachment transform. This is applicable for the content-transform.log file.

Since: SEG 2.18.0, UAG 20.12

String Error

No user action required.

SEG Targeted Content Logging

SEG targeted content logging is enabled to troubleshoot content transformation related issues. When you enable content logging, SEG starts writing email content (before and after transformation) in the <SEG_Install_Dir>/tmp/content-logs folder.

Note: Enable content logging only for troubleshooting and remove the property keys from custom settings after troubleshooting. You must consent the customer before you enable content logging.
Configuration Key Description Value Type Default Value Apply System Setting at Run Time

content.logging.target.all

Enable content logging for all users and devices.

Since: SEG 2.18.0, UAG 20.12

Boolean False

No user action required.

content.logging.target.users

Enable content logging for targeted users.

Comma separated list. For example, user1, user2, and so on.

Since: SEG 2.18.0, UAG 20.12

String NA

No user action required.

content.logging.target.easdeviceids

Enable content logging for targeted EAS device IDs.

Comma separated list. For example device1, device2. and so on.

Since: SEG 2.18.0, UAG 20.12

String NA

No user action required.