Install the Secure Email Gateway (SEG) to relay all email traffic to Workspace ONE UEM-enrolled devices.

  1. Run the installer as an administrator. In the AirWatch Secure Email Gateway - InstallShield Wizard window, click Next.
  2. Accept the End User License Agreement.
  3. Click Next to install the SEG to the default folder C:\AirWatch\ or click Change to choose a different folder.
  4. Click Yes to install the JRE.
  5. Enter the AirWatch API Information and click Next.
    Note: The credentials used for accessing the API are only used for the initial setup and cannot be used again.
    Setting: Description
    HTTPS: Select the check box if the protocol for the Workspace ONE UEM API server is https.
    API Server Hostname: Enter the hostname of your Workspace ONE UEM API server. This is required to fetch the SEG configuration from the UEM console.
    Admin Username: Enter the user name of a Workspace ONE UEM Admin user account.
    Admin Password: Enter the password for the Admin Username.
    MEM Config GUID: Enter the unique ID of your Mobile Email Management (MEM) configuration. This is shown on the MEM Configuration page on the UEM console.
  6. If an outbound proxy is required for the communication from the SEG to the API server then select the Outbound proxy? check box and enter the proxy settings details as described in the table. Click Next.
    Setting: Description
    HTTPS: Select the check box if the protocol for the proxy is https.
    Proxy Host: The address of the proxy host.
    Proxy Port: The proxy port number.
    Username: Username for proxy authentication.
    Password: Password for the proxy username provided.
    Note: The Username and Password fields are available once you select the Does the proxy require authentication credentials? check box.
  7. Optional: Click Browse to upload the SSL Certificate, enter the Certificate Password and then click Next.
    Note: You can skip this step if the SSL certificate is already uploaded.
  8. Click Install to begin the installation. The InstallShield Wizard takes a few minutes to install the SEG.
  9. Click Finish to exit the AirWatch Secure Email Gateway - InstallShield Wizard.

The SEG V2 Admin Page

On the Windows deployment of SEG v2, you can access the Admin page at https://localhost:44444/seg/admin. If SSL is not enabled for SEG, use http.

After you install the SEG, you can perform the following tasks from the SEG Admin page:

  • Change logging levels for the different SEG processes
  • Call diagnostics endpoints
  • View health and statistics information
Note: For SEG on UAG, the SEG Health and Diagnostic information is available under the Edge Service Session Statistics section of the UAG Admin UI. For more information about SEG Health and Diagnostic, see the Monitoring the SEG Health and Diagnostics section in the Deploying and Configuring VMware Unified Access Gateway guide.

Logging

The information related to the SEG processes is recorded in different log files. The level of logging determines the amount of information that is logged for a particular log file. The duration specifies how long an elevated logging level persists before reverting to the default level of the log.

The SEG generates the following logs:

Log Name: Description of the Log Contents
Application logs: The SEG application logs are applicable for the app.log and the ews-proxy.log files.
Transaction Summary: The transaction summary logs are applicable for the http-transaction.log, kerberos-transaction.log and ews-transaction.log transaction log files. The default log level is Debug and you need not change it unless you want to disable transactional logging.
Policy Updates and Cache: The policy update and SEG cache logs are applicable for the policy-update.log and cache.log files.
Kerberos Service Manager: The Kerberos service manager log is applicable for the kerberos-service-manager.log file.
Certificate Authentication: The certificate-based authentication log is applicable for the cert-auth.log file.
Device Transactions (Blocked): Transactions for devices blocked due to non-compliance. This is applicable for the non-compliant-devices.log file.
Content Transformation: Email content transformation such as hyperlink and attachment transforms. This is applicable for the content-transform.log file.

Diagnostics

On the Diagnostics page you can view the diagnostic information for the SEG and invoke diagnostic endpoints to see other SEG-related information such as the SEG configuration settings, look up the policies in the SEG cache, and download records related to specific policy types.

To use these endpoints, enter the API endpoints as shown in the following table into the REST API URI field on the diagnostic page and click the GET button. Information related to the endpoint is either displayed in the text area on the diagnostics page or a .csv file of the information is downloaded.

API Endpoint: Description
/diagnostic: Returns SEG diagnostic information. By default, the SEG diagnostic information is displayed on the diagnostics page.
/policy/segconfig: Returns the SEG configuration settings.
/policy/<Policy Type>/<Policy Lookup Key>: Look up the policies in the SEG cache.
/cache/<Policy Type>/: Download records related to policy types including devices, accounts, managed attachments, unmanaged attachments, and 451 redirect mappings.

The following table contains policy types and their respective lookup keys you use to view these policies in the SEG cache. Replace the <Policy Type> and the <Policy Lookup Key> in the API endpoint, /policy/<Policy Type>/<Policy Lookup Key>.

Policy Type (Policy Lookup Key): Description
segconfig (no lookup key required): Look up the SEG configuration settings.
generalaccess (no lookup key required): Look up the general access policy.
device (EAS Device Identifier): Look up the device policy by providing the EAS Device Identifier as the lookup key. For example, /policy/device/SMKG1KBHQ53H39TFTNQQ10JDES
account (User name): Look up the account policy by providing the user name as the lookup key.
easdevicetype (EAS device type): Look up the EAS device type policy by providing the EAS device type as the lookup key.
mailclient (Mail Client): Look up the mail client policy by providing the mail client as the lookup key. You must have all characters in URL-encoded form. For example, /policy/mailclient/Apple-iPhone5C3%2F1405.526000002
hyperlink (no lookup key required): Look up the hyperlink policy.
Encryptionkeydatapayload (AirWatch Device ID): Look up the encryption key data payload by providing the Workspace ONE UEM Device ID as the lookup key.
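The following is an added PowerShell helper, not part of the VMware documentation, that builds the REST API URI to paste into the Diagnostics tab from the policy-type table above. It encodes the lookup key the way the mailclient example requires (a "/" in the key becomes %2F) and rejects a missing key for the types that need one. The policy types and key requirements are taken from the table; the function name is my own.

```powershell
# Added example (not VMware code): build a /policy/<Policy Type>/<Policy Lookup Key>
# URI for the SEG v2 Admin page Diagnostics tab. $true means the type needs a lookup key.
$PolicyTypes = @{
    'segconfig'                = $false
    'generalaccess'            = $false
    'device'                   = $true    # EAS Device Identifier
    'account'                  = $true    # user name
    'easdevicetype'            = $true    # EAS device type
    'mailclient'               = $true    # mail client string, often contains '/'
    'hyperlink'                = $false
    'encryptionkeydatapayload' = $true    # Workspace ONE UEM Device ID
}

function New-SegPolicyUri {
    param(
        [Parameter(Mandatory)][string]$PolicyType,
        [string]$LookupKey
    )
    $type = $PolicyType.ToLowerInvariant()
    if (-not $PolicyTypes.ContainsKey($type)) {
        throw "Unknown policy type '$PolicyType'. Known types: $($PolicyTypes.Keys -join ', ')"
    }
    if ($PolicyTypes[$type]) {
        if ([string]::IsNullOrEmpty($LookupKey)) {
            throw "Policy type '$type' requires a lookup key"
        }
        # EscapeDataString encodes every reserved character, so '/' becomes %2F and a
        # space becomes %20; the key is then read as one path segment, not several.
        $encoded = [System.Uri]::EscapeDataString($LookupKey)
        return "/policy/$type/$encoded"
    }
    if (-not [string]::IsNullOrEmpty($LookupKey)) {
        Write-Warning "Policy type '$type' takes no lookup key; ignoring '$LookupKey'"
    }
    return "/policy/$type"
}

# The two lookups shown in the table above, plus one type that takes no key.
New-SegPolicyUri -PolicyType mailclient -LookupKey 'Apple-iPhone5C3/1405.526000002'
New-SegPolicyUri -PolicyType device     -LookupKey 'SMKG1KBHQ53H39TFTNQQ10JDES'
New-SegPolicyUri -PolicyType generalaccess
```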

Configure the External Configuration File

In certain scenarios, you might want to override the default values provided in the application.properties file. Using the SEG V2, you can manually override the values in the application.properties file using an external configuration file, instead of modifying the application.properties file.

Before you begin:

In addition to the configuration received from the Workspace ONE UEM console, the SEG V2 uses certain values from the local configuration file at SEGDir/config/application.properties. During a SEG V2 upgrade, the values in the older application.properties file are discarded, while the external configuration file retains any overridden values when the new version of SEG is installed. If any values need to be modified, update the external configuration file. This retains the customer-overridden configuration values across a SEG upgrade.

Note: For SEG version 2.17.0 or later, with the Workspace ONE UEM console version 20.10 and later, you must use the SEG key-value pair settings instead of the external configuration file. To understand the SEG key-value pair settings, see the SEG Custom Gateway Settings topic.

About this task:

The following procedure describes the steps to configure the external configurations file.

Note: The file or folder names used in this procedure are for your reference only. You can choose any file or folder names as per your choice.
  1. On the server machine where SEG V2 is installed, create a folder, and within it a subdirectory where the override file is located.

    For example, create a subdirectory with the name config-override under the SEG installation directory C:\AirWatch\SEG\.

  2. Browse to the newly created folder and create a properties file.

    For example, if the file name is seg-application-override.properties, the full path of the file might be C:\AirWatch\SEG\config-override\seg-application-override.properties.

  3. Navigate to Control Panel > System and Security > System.
  4. Click the Advanced System Settings link on the left-side panel, and then click Environment Variables.
  5. Create a system variable. Enter additional.spring.config.location as the Variable name and provide the full path of the file created in Step 2 as the Variable value.
  6. Click OK to save the newly created variable. As per the example in Step 2, the value of the system variable is C:\AirWatch\SEG\config-override\seg-application-override.properties.
  7. Open the properties file created in Step 2 in any text editor, add the property key-value pairs that you want to override and save the file. Any changes to this file take effect only after the SEG service is restarted.
  8. Restart the SEG service and check if SEG is using the overridden values from the external configuration file.

What to do next:

After restarting SEG, the overridden values from the external configuration file are used. Verify that the functional behavior of SEG is as per the overridden values.

SEG provides an API to verify if any invalid keys are configured in the external configuration file. Enter /diagnostic/invalidconfigkeys in the Diagnostics tab of the Admin UI to access the invalid keys.
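The following added PowerShell script, which is not part of the VMware documentation, performs steps 1 to 8 of the procedure above on the SEG V2 Windows server using the page's example paths. The override keys and the SEG Windows service name are placeholders, because the page does not give them; replace them with values from your own application.properties and services list.

```powershell
# Added example (not VMware code): create the external configuration file, register
# the additional.spring.config.location system variable, and restart the SEG service.
#Requires -RunAsAdministrator

$OverrideDir  = 'C:\AirWatch\SEG\config-override'
$OverrideFile = Join-Path $OverrideDir 'seg-application-override.properties'
$SegService   = '<SEG service name>'   # placeholder: check Get-Service on the SEG server

# Placeholder overrides; use only keys that exist in SEGDir\config\application.properties.
$Overrides = @{
    'example.property.key' = 'example-value'
}

# Steps 1-2: create the folder and the properties file (Java .properties is key=value).
New-Item -ItemType Directory -Path $OverrideDir -Force | Out-Null
$lines = @("# SEG V2 external configuration overrides, written $(Get-Date -Format s)")
foreach ($key in $Overrides.Keys) { $lines += "$key=$($Overrides[$key])" }
Set-Content -Path $OverrideFile -Value $lines -Encoding ASCII

# Steps 3-6: the "System variables" list in the Environment Variables dialog is the
# Machine scope, so the SEG service (which runs without a user session) can see it.
[Environment]::SetEnvironmentVariable('additional.spring.config.location', $OverrideFile, 'Machine')

# Step 7 is the file written above. Step 8: restart so SEG re-reads its environment.
Restart-Service -Name $SegService

# Verify the variable and file are in place before trusting the restart.
$value = [Environment]::GetEnvironmentVariable('additional.spring.config.location', 'Machine')
if ($value -ne $OverrideFile -or -not (Test-Path $OverrideFile)) {
    throw "Override configuration not in place: variable='$value', file exists=$(Test-Path $OverrideFile)"
}
Write-Host "Override file registered: $OverrideFile"
Write-Host "Next, enter /diagnostic/invalidconfigkeys on the SEG Admin page Diagnostics tab to catch mistyped keys."
```

Because override values can include credentials, restrict the NTFS permissions on the override folder to administrators and the account the SEG service runs as.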

Upload the SSL Certificate after Renewal

Each SSL certificate has a validity period and after the certificate expires you must renew and upload the latest SSL certificate. For SEG, you can upload the SSL certificate to the Workspace ONE UEM console, or locally when installing the SEG on Windows, or when configuring the SEG Edge service on the UAG. This topic describes the various options through which you can renew and upload the SSL certificate.

Upload the SSL Certificate through the Workspace ONE UEM Console

Perform the following steps when the SSL certificate is uploaded through the Workspace ONE UEM console:

  1. In the UEM console, navigate to Email > Settings and edit the existing email configuration and click Next.
  2. Navigate to the Deployment tab and click Next.
  3. Upload the latest SEG server SSL certificate.
  4. Enter the password when prompted, click Next, and save the settings.
  5. Restart the SEGv2 service on all the servers to fetch the latest configuration and bind the updated SSL certificate.

Upload the SSL Certificate locally during the SEGv2 Installation for the Windows Server

Perform the following steps when the SSL certificate is uploaded locally during the SEGv2 installation for the Windows server:

  1. Run the SEGv2 installer in the server box where the SEG is installed.
  2. Select the Modify option to modify the installation when prompted.
  3. Click Next to continue.
  4. Upload the latest SEG server SSL certificate when prompted.
  5. Enter the password and click Next to finish the setup.
  6. SEGv2 service now binds to the updated SSL certificate.

Upload the SSL Certificate locally for the SEG Edge Service on the UAG Admin UI

Perform the following steps when the SSL certificate is uploaded locally for the SEG Edge service on the UAG Admin UI:

  1. Log in to the UAG Admin UI.
  2. Open the SEGv2 configuration under the Edge Service settings.
  3. Enable the Add SSL certificate toggle button.
  4. Click Select against the SSL certificate field.
  5. Upload the latest SEG server SSL certificate and enter the password when prompted.
  6. Save the configuration and wait for the appliance agent to complete the modification of the SEG Edge service.
  7. SEG Edge service now binds to the updated SSL certificate.

Offloading SSL traffic on a Load Balancer or F5 network for a Windows-based Deployment

When the SSL traffic is offloaded on a Load Balancer or the F5 network for a Windows-based deployment, disable the Terminate SSL on SEG toggle button under the Email Configuration settings. The communication between the Load Balancer or the F5 network and the SEGv2 occurs in plain HTTP. In such a scenario, the SSL certificate rotation for the SEG is not applicable.

Offloading SSL traffic on a Load Balancer or F5 network for a UAG Deployment

The SEG on UAG does not support a non-SSL configuration. If the SSL traffic from a device is offloaded on a Load Balancer or F5 network, the SEG must be configured with any SSL certificate to ensure that the traffic reaching the SEG from these network components is encrypted. In such a scenario, the SSL certificate rotation for SEG is applicable as explained in the Upload the SSL Certificate Locally For SEG Edge Service on the UAG Admin UI section.

Additionally, when the SEG on UAG is configured to listen on port 443, the UAG expects a valid Server Name Indication (SNI) extension during a TLS handshake, to enable the redirect requests to the SEG Edge service. When initiating a TLS connection with the SEG on UAG, the load balancer or the F5 network must be configured to use the correct value for the SNI field. The hostname which is configured as part of the external URL field in the Workspace ONE UEM Console (without port and protocol) is used as the SNI value for the SEG Edge service. The same value is used for the following fields while configuring the SEG Edge service on the UAG:

  • The airwatchServerHostname field in the INI file when you configure through PowerShell and
  • The Secure Email Gateway Hostname field under the Secure Email Gateway settings when you configure through the UAG Admin UI.

If the SEG Edge service on the UAG is configured to listen on any port other than 443, then the SNI configuration is not applicable.