Configure the SEG V2 EWS Proxy for Email Notification Service

SEG provides authorization and compliance for Exchange Web Services (EWS) traffic used by VMware's Email Notification Service (ENS). ENS adds Push Notification support to Exchange for providing real-time email notifications to Workspace ONE Boxer.

About this task:

Both Cloud and On-premises ENS deployments are supported by SEG. The SEG listens on the EWS endpoint for traffic from the ENS, applies the MEM compliance policies on incoming requests, and proxies the requests to Exchange. Certificate Based Authentication (CBA) using KCD is supported. If your deployment utilizes CBA using KCD, SEG acquires the Kerberos token (from KDC) required for Exchange authentication.

  1. Navigate to SEG > Config folder.
  2. Select the application.properties file and edit the file.
    Note: When SEG is deployed on UAG, use the following path to edit the file: vi /opt/vmware/docker/seg/container/config/override/application-override.properties
  3. Add the enable.boxer.ens.ews.proxy=true entry in the application-override.properties file.
  4. Save the file.
  5. Restart the SEG service. The SEG now listens on the /EWS endpoint for traffic from the email notification service.
    Note: For SEG version 2.17.0 or later, with the Workspace ONE UEM console version 20.10 and later, perform the SEG configuration using the custom gateway settings. To understand the SEG custom gateway settings, see the SEG Custom Gateway Settings section in the Configure the SEG V2 topic.

    For SEG version before 2.17.0, SEG continues to use the default configuration (pre-defined configuration). If the custom settings feature is not available, manually update the respective files at the individual node and modify the SEG configuration.

Configure a Different Hostname for Exchange Web Service

Starting with SEG version 2.12, SEG supports the ability to configure a different hostname for processing Exchange Web Service (EWS) traffic. The following procedure describes the steps to configure a different hostname for processing EWS traffic.

  1. In the SEG applications.properties file locate and modify the ews.email.server.host.and.port value.

    For SEG version 2.17.0 or later, with the Workspace ONE UEM console version 20.10 and later, perform the SEG configuration using the custom gateway settings. To understand the SEG custom gateway settings, see the SEG Custom Gateway Settings topic.

    For SEG version before 2.17.0, SEG continues to use the default configuration (pre-defined configuration). If the custom settings feature is not available, manually update the respective files at the individual node and modify the SEG configuration.

  2. Enter the hostname and port of the email server that handles the EWS requests.
  3. Save the applications.properties file.
    Note: The email server related settings utilized by SEG, such as the server timeout, ignoreSslErrorsWithExchange, and so on, are obtained from the email server provided in the MEM configuration wizard.

    When you upgrade SEG, the ews.email.server.host.and.port value always takes the default value false. On SEG upgrade, you can retain this setting in the seg-application-override.properties file.

    For email servers using a self-signed certificate, you must add that certificate to the Java trustStore on the SEG server. If the certificate is added to the trustStore after SEG installation, you must rerun the SEG installer.

Configure Outbound Proxy between SEG V2 and the Email Server

When SEG cannot reach the email server directly due to network restrictions, the traffic from SEG is routed through the outbound proxy. The outbound proxy is accessible from SEG, and in turn the SEG can reach the email server.

About this task:

If SEG is configured to proxy the EWS requests, then the outbound proxy configuration is also applicable to the EWS traffic. The following procedure describes the steps to enable the outbound proxy between the SEG and the email server.

  1. Log in to the SEG server.
  2. Navigate to the proxy-config.json file and edit the file using any text editor.
    Note: For the Windows deployment, the proxy-config.json file is at the <SEG_Install_Dir>\config folder and for SEG on UAG deployment, the file is at the /opt/vmware/docker/seg/container/config folder.
  3. In the JSON file, update the emailProxy field with all the details. The following table lists the description of each field shown in the sample entry.
    "emailProxy" : {
    "enabled" : true,
    "host" : "http(s)://example.email.proxy.host:port",
    "user" : "example_user",
    "password" : "example_password.plaintext"
    },
    Field - Description

    enabled - Value: Boolean flag. Default value: false. Set this value to true to enable the outbound proxy for the email traffic.

    host - Specify the FQDN of the proxy in the protocol://host:port format. The protocol can be http or https and the host can be the hostname or IP address of the proxy server.

    user - Specify a user name if the proxy needs authentication.
    Note: Only basic authentication is supported.

    password - Specify a password if the proxy needs authentication. Enter the plain text password with the .plaintext suffix.

    For example, if xyz_abc is the password, then provide xyz_abc.plaintext as the value.

    Upon restart, SEG reads the configuration and overwrites the file with the encrypted password text.

  4. Save the changes and restart the SEG service.
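As an added illustration that is not part of the SEG product or this guide, the following Python check validates an emailProxy entry against the field rules above before the restart that encrypts the password. The sample JSON, hostname and port are constructed values.

```python
import json
import re

# Constructed sample modelled on the emailProxy entry in the procedure; not a real SEG file.
SAMPLE_PROXY_CONFIG = """
{
  "emailProxy" : {
    "enabled" : true,
    "host" : "https://example.email.proxy.host:8443",
    "user" : "example_user",
    "password" : "example_password.plaintext"
  }
}
"""

# protocol://host:port, where protocol is http or https and host is a name, IPv4 or [IPv6]
HOST_RE = re.compile(r"^(https?)://([A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\]):(\d{1,5})$")


def validate_email_proxy(cfg: dict) -> list:
    """Return the problems found in the emailProxy block before the first SEG restart (empty means OK)."""
    proxy = cfg.get("emailProxy")
    if not isinstance(proxy, dict):
        return ["emailProxy block missing or not a JSON object"]
    problems = []
    enabled = proxy.get("enabled")
    if not isinstance(enabled, bool):
        problems.append("enabled must be the JSON boolean true or false")
    if enabled is not True:
        return problems  # a disabled proxy needs no further checks
    m = HOST_RE.match(str(proxy.get("host", "")))
    if not m:
        problems.append("host must be protocol://host:port with http or https")
    elif not 1 <= int(m.group(3)) <= 65535:
        problems.append("host port out of range")
    user, password = proxy.get("user"), proxy.get("password")
    if (user is None) != (password is None):
        problems.append("user and password must be given together (basic auth only)")
    if password is not None and not password.endswith(".plaintext"):
        # SEG expects the .plaintext suffix on a newly entered password; after the restart
        # it rewrites the value in encrypted form, so run this check only before that restart.
        problems.append("password must carry the .plaintext suffix when entered as plain text")
    return problems


def check_proxy_config_text(text: str) -> list:
    """Parse proxy-config.json content and validate its emailProxy block."""
    return validate_email_proxy(json.loads(text))
```

Because the file holds the password in clear text until SEG restarts and rewrites it, restart the service promptly after saving and confirm the .plaintext value is gone.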

Channel SEG Logs to the Syslog Server on Windows

This procedure describes the steps to enable system logs (syslogs) to capture the SEG logs on a Windows platform.

After a SEG upgrade, repeat the steps to set the syslog properties.

  1. Navigate to the SEG installation directory: {SEG_DIRECTORY}/service/conf.
  2. Edit the segServiceWrapper.conf file.
  3. Check for the following properties to enable syslog: wrapper.java.additional.27=-Dsyslog.enabled=false.
  4. Set the wrapper.java.additional.27=-Dsyslog.enabled=false property to wrapper.java.additional.27=-Dsyslog.enabled=true.
  5. Configure syslog, enable the following syslog properties, and remove the # before the properties.
    #wrapper.java.additional.28=-Dsyslog.host=
    #wrapper.java.additional.29=-Dsyslog.port=514
    #wrapper.java.additional.30=-Dsyslog.facility=USER

    The syslog configuration in logback.xml directs the logs to the syslog host.

    wrapper.java.additional.28=-Dsyslog.host=

    The syslog configuration in logback.xml uses the port 514 on UDP by default.

    wrapper.java.additional.29=-Dsyslog.port=514

    The syslog configuration in logback.xml uses the USER as the default facility.

    wrapper.java.additional.30=-Dsyslog.facility=USER

    The app.log is directed to the syslog server by default.

  6. Configure syslog for other loggers and add the syslog appender in the logger element.
    <if condition="${syslog.enabled}">
        <then>
            <appender-ref ref="SYSLOG_ASYNC"/>
        </then>
    </if>
  7. Restart the SEG service.
    Note: For SEG version 2.17.0 or later, with the Workspace ONE UEM console version 20.10 and later, perform the SEG configuration using the custom gateway settings. To understand the SEG custom gateway settings, see the SEG Custom Gateway Settings section in the Configure the SEG V2 topic.

    For SEG version before 2.17.0, SEG continues to use the default configuration (pre-defined configuration). If the custom settings feature is not available, manually update the respective files at the individual node and modify the SEG configuration.
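As an added example that is not part of the SEG product or this guide, the following Python helper applies steps 4 and 5 above to the segServiceWrapper.conf text: it switches -Dsyslog.enabled to true, uncomments properties 28 to 30 and fills in the host, port and facility. The conf excerpt and the syslog host are constructed values.

```python
import re

# Constructed excerpt modelled on the syslog lines of segServiceWrapper.conf; not the real file.
SAMPLE_WRAPPER_CONF = """\
wrapper.java.additional.27=-Dsyslog.enabled=false
#wrapper.java.additional.28=-Dsyslog.host=
#wrapper.java.additional.29=-Dsyslog.port=514
#wrapper.java.additional.30=-Dsyslog.facility=USER
"""

# Property index -> system property, exactly as the procedure lists them.
SYSLOG_PROPS = {27: "syslog.enabled", 28: "syslog.host", 29: "syslog.port", 30: "syslog.facility"}

# Matches an active or '#'-commented wrapper.java.additional.N=-Dsyslog.<name>=<value> line.
LINE_RE = re.compile(r"^#?\s*wrapper\.java\.additional\.(\d+)=-D(syslog\.\w+)=.*$")


def enable_syslog(conf_text: str, host: str, port: int = 514, facility: str = "USER") -> str:
    """Return conf_text with syslog enabled and properties 28-30 uncommented and set."""
    if not host:
        raise ValueError("syslog host must not be empty")
    if not 1 <= port <= 65535:
        raise ValueError("syslog port out of range")
    wanted = {27: "true", 28: host, 29: str(port), 30: facility}
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and SYSLOG_PROPS.get(int(m.group(1))) == m.group(2):
            idx = int(m.group(1))
            line = f"wrapper.java.additional.{idx}=-D{SYSLOG_PROPS[idx]}={wanted[idx]}"
            seen.add(idx)
        out.append(line)
    missing = sorted(set(SYSLOG_PROPS) - seen)
    if missing:
        # Refuse to write a half-configured file if the expected lines are not all present.
        raise ValueError(f"expected syslog properties not found: {missing}")
    return "\n".join(out) + "\n"


def syslog_settings(conf_text: str) -> dict:
    """Parse only the active (uncommented) syslog properties, for checking the result after editing."""
    settings = {}
    for line in conf_text.splitlines():
        m = re.match(r"^wrapper\.java\.additional\.\d+=-D(syslog\.\w+)=(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings
```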

Channel SEG Logs to the Syslog Server on the Unified Access Gateway

This procedure describes the steps to enable the system logs (syslogs) to capture the SEG logs on the UAG platform.

Starting with UAG version 3.7, by default, the SEG is configured to follow the syslog configurations done as part of the UAG system settings. To enable the syslog for UAG, see the Configure Unified Access Gateway System Settings topic in the Deploying and Configuring VMware Unified Access Gateway guide.

When SEG is deployed on UAG version 3.6, enable the syslog on SEG in addition to the UAG system settings. For more information about enabling syslog for SEG on UAG version 3.6 see the following steps.

  1. Open your SSH client and initiate an SSH connection.
  2. Edit the SEG Java arguments using the vi /opt/vmware/docker/seg/container/config/seg-jvm-args.conf command.
  3. Search for the syslog properties, update the values as shown in the example and save the file.

    Results: -Dsyslog.enabled=true, -Dsyslog.host=localhost, -Dsyslog.port=514, and -Dsyslog.facility=USER.

  4. Save the SEG edge service on the UAG admin UI to apply the changes.
  5. Enable the syslog for UAG under the System Settings.
    Note: To configure SEG on UAG to log individually to any remote syslog server over UDP, update the following properties listed in the seg-jvm-args.conf file:
    • Update the -Dsyslog.host value to the remote syslog server host.
    • Update the -Dsyslog.port value to the syslog server listener port.
    • Save the SEG edge service on the UAG Admin UI to apply the changes.
    Note: For SEG version 2.17.0 or later, with the Workspace ONE UEM console version 20.10 and later, perform the SEG configuration using the custom gateway settings. To understand the SEG custom gateway settings, see the SEG Custom Gateway Settings section in the Configure the SEG V2 topic.

    For SEG version before 2.17.0, SEG continues to use the default configuration (pre-defined configuration). If the custom settings feature is not available, manually update the respective files at the individual node and modify the SEG configuration.

Override Default Heap Memory Allocation

During the SEG v2 installation, by default, SEG v2 dynamically configures a portion of the system RAM as the maximum heap allocation.

Note: The JVM heap allocation configuration does not block all the allocated memory. Instead, the configuration defines the maximum limit on the Java heap memory. The Java process starts with the minimum required amount of memory. Based on the requirement, the process might consume more memory from the allocation. The JVM periodically runs garbage collection to free up the space.

You can configure a specific amount of memory for the SEG java process to override the default behavior:

  • For SEG version 2.17.0 (UAG 2009) and Workspace ONE UEM Console 20.10 or higher: Override the default memory allocation using the custom gateway settings key -Xmx. To reflect the changes made, restart the service. For more information about the custom gateway settings, see the SEG Custom Gateway Settings section in the Configure the SEG V2 topic.
  • For SEG version 2.16.0 (UAG 3.10) or Workspace ONE UEM Console 20.06 and earlier: To configure a property value to override the default memory allocation, perform the following steps:
  1. In the application-override.properties file, add the following entry: custom.heap.memory.allocation.in.mb=<value in MiB>

    The value is represented in MiB. For example, you can configure 8 GiB of RAM as custom.heap.memory.allocation.in.mb=8192.

  2. For Windows deployment, rerun the SEG installer. For SEG on UAG, resave the edge service settings.

SEG Support on UAG

SEG provides secure access to your organization's on-premises email as part of the Unified Access Gateway (UAG) platform. Before deploying SEG on UAG, you must complete the MEM configuration using the Workspace ONE platform.

SEG has the following constraints when deployed on UAG:

  • The SEG service on the UAG appliance listens on the port as configured under the Server Settings in the MEM configuration.
  • The UAG does not support any non-encrypted protocols. Therefore, SEG only supports SSL re-encryption (SSL bridging) or SSL pass through.
  • If your API server or email server is using self-signed certificates, the corresponding trusted certificates must be uploaded through the UAG Admin UI or referenced during the PowerShell deployment.
  • SEG on UAG always uses port 5701 and 41232 for the clustering ports in the MEM configuration. You cannot configure clustering ports other than 5701 and 41232 with UAG.
  • Consider deploying SEG on dedicated UAG instances as SEG requires additional resources that might strain your existing deployment. The Workspace ONE team is evaluating the performance of combining SEG with other edge services on UAG.

For more information about the SEG support on UAG, see the Secure Email Gateway on Unified Access Gateway topic in the Deploying and Configuring VMware Unified Access Gateway guide.