To relay all email traffic to Workspace ONE UEM-enrolled devices, install the Secure Email Gateway (SEG).
- Run the installer as an administrator. In the AirWatch Secure Email Gateway - InstallShield Wizard window, click Next.
- Accept the End User License Agreement.
- Click Next to install the SEG to the default folder C:\AirWatch\ or click Change to choose a different folder.
- Click Yes to install the JRE.
- Enter the AirWatch API Information and click Next.
Note: The credentials used for accessing the API are only used for the initial setup and cannot be used again.
Settings | Description |
---|---|
HTTPS | Select the check box if the protocol for the Workspace ONE UEM API server is https. |
API Server Hostname | Enter the hostname of your Workspace ONE UEM API server. This is required to fetch the SEG configuration from the UEM console. |
Admin Username | Enter the user name of a Workspace ONE UEM Admin user account. |
Admin Password | Enter the password for the Admin Username. |
MEM Config GUID | Enter the unique ID of your Mobile Email Management (MEM) configuration. This is shown on the MEM Configuration page on the UEM console. |
- If an outbound proxy is required for the communication from the SEG to the API server, select the Outbound proxy? check box and enter the proxy settings as described in the following table. Click Next.
Settings | Description |
---|---|
HTTPS | Select the check box if the protocol for the proxy is https. |
Proxy Host | The address of the proxy host. |
Proxy Port | The proxy port number. |
Username | Username for proxy authentication. |
Password | Password for the proxy username provided. |
Note: The Username and Password fields are available only after you select the Does the proxy require authentication credentials? check box.
- Optional: Click Browse to upload the SSL Certificate, enter the Certificate Password, and then click Next.
Note: You can skip this step if the SSL certificate is already uploaded.
- Click Install to begin the installation. The InstallShield Wizard takes a few minutes to install the SEG.
- Click Finish to exit the AirWatch Secure Email Gateway - InstallShield Wizard.
The SEG V2 Admin Page
On the Windows deployment of SEG v2, you can access the Admin page at https://localhost:44444/seg/admin. If SSL is not enabled for SEG, use http.
After you install the SEG, you can perform the following tasks from the SEG Admin page:
- Change logging levels for the different SEG processes
- Call diagnostics endpoints
- View health and statistics information
Logging
The information related to the SEG processes is recorded in different log files. The level of logging determines the amount of information that is logged for a particular log file. The duration specifies how long an elevated logging level persists before reverting to the default level of the log.
The SEG generates the following logs:
Log Name | Description of the Log Contents |
---|---|
Application logs | The SEG application logs are written to the app.log and ews-proxy.log files. |
Transaction Summary | The transaction summary logs are written to the http-transaction.log, kerberos-transaction.log, and ews-transaction.log files. The default log level is Debug; you need not change it unless you want to deactivate transactional logging. |
Policy Updates and Cache | The policy update and SEG cache logs are written to the policy-update.log and cache.log files. |
Kerberos Service Manager | The Kerberos service manager log is written to the kerberos-service-manager.log file. |
Certificate Authentication | The certificate-based authentication log is written to the cert-auth.log file. |
Device Transactions (Blocked) | Transactions for devices blocked due to non-compliance. These are written to the non-compliant-devices.log file. |
Content Transformation | Email content transformations such as hyperlink and attachment transforms. These are written to the content-transform.log file. |
Diagnostics
On the Diagnostics page you can view the diagnostic information for the SEG and invoke diagnostic endpoints to see other SEG-related information such as the SEG configuration settings, look up the policies in the SEG cache, and download records related to specific policy types.
To use these endpoints, enter the API endpoints as shown in the following table into the REST API URI field on the diagnostic page and click the GET button. Information related to the endpoint is either displayed in the text area on the diagnostics page or a .csv file of the information is downloaded.
API Endpoint | Description |
---|---|
/diagnostic | Returns SEG diagnostic information. By default, the SEG diagnostic information is displayed on the diagnostics page. |
/policy/segconfig | Returns the SEG configuration settings. |
/policy/<Policy Type>/<Policy Lookup Key> | Look up the policies in the SEG cache. |
/cache/<Policy Type>/ | Download records related to policy types including devices, accounts, managed attachments, unmanaged attachments, and 451 redirect mappings. |
The following table contains policy types and their respective lookup keys you use to view these policies in the SEG cache. Replace the <Policy Type> and the <Policy Lookup Key> in the API endpoint, /policy/<Policy Type>/<Policy Lookup Key>.
Policy Type | Policy Lookup Key | Description |
---|---|---|
segconfig | No lookup key required | Look up the SEG configuration settings. |
generalaccess | No lookup key required | Look up the general access policy. |
device | EAS Device Identifier | Look up the device policy by providing the EAS Device Identifier as the lookup key. For example, /policy/device/SMKG1KBHQ53H39TFTNQQ10JDES |
account | User name | Look up the account policy by providing the user name as the lookup key. |
easdevicetype | EAS device type | Look up the EAS device type policy by providing the EAS device type as the lookup key. |
mailclient | Mail Client | Look up the mail client policy by providing the mail client as the lookup key. All characters must be in URL-encoded form. For example, /policy/mailclient/Apple-iPhone5C3%2F1405.526000002 |
hyperlink | No lookup key required | Look up the hyperlink policy. |
Encryptionkeydatapayload | AirWatch Device ID | Look up the encryption key data payload by providing the Workspace ONE UEM Device ID as the lookup key. |
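The lookup-key encoding rule in the table above is easy to get wrong by hand, because a raw mail client string contains a `/` that would otherwise be read as an extra path level. The following PowerShell function, added here as an example and not part of VMware's documentation or code, builds the /policy/<Policy Type>/<Policy Lookup Key> URI for the REST API URI field from an unencoded key. The policy type lists are taken from the table; it assumes that key-less types are addressed as /policy/<Policy Type>, as the /policy/segconfig row shows, and it does not contact the SEG itself.

```powershell
# Added example (not VMware's code): builds the /policy/<Policy Type>/<Policy Lookup Key>
# URI for the Admin page's REST API URI field, percent-encoding the lookup key as required.
# The type lists come from the policy table; nothing here calls the SEG.
$PolicyTypesWithoutKey = 'segconfig', 'generalaccess', 'hyperlink'
$PolicyTypesWithKey    = 'device', 'account', 'easdevicetype', 'mailclient', 'Encryptionkeydatapayload'

function New-SegPolicyUri {
    param(
        [Parameter(Mandatory)] [string] $PolicyType,
        [string] $LookupKey
    )
    # -contains compares case-insensitively, so 'encryptionkeydatapayload' also matches.
    if ($PolicyTypesWithoutKey -contains $PolicyType) {
        if ($LookupKey) { throw "Policy type '$PolicyType' takes no lookup key." }
        # Assumption: key-less types are addressed as /policy/<Policy Type>, like /policy/segconfig.
        return "/policy/$PolicyType"
    }
    if ($PolicyTypesWithKey -contains $PolicyType) {
        if (-not $LookupKey) { throw "Policy type '$PolicyType' requires a lookup key." }
        # EscapeDataString percent-encodes every reserved character, '/' included, so a mail
        # client string such as Apple-iPhone5C3/1405.526000002 stays one path segment
        # (the '/' becomes %2F) instead of being read as a further path level.
        return "/policy/$PolicyType/$([System.Uri]::EscapeDataString($LookupKey))"
    }
    $known = ($PolicyTypesWithoutKey + $PolicyTypesWithKey) -join ', '
    throw "Unknown policy type '$PolicyType'. Known types: $known"
}

# The table's own examples, rebuilt from their raw (unencoded) values.
New-SegPolicyUri -PolicyType mailclient -LookupKey 'Apple-iPhone5C3/1405.526000002'
New-SegPolicyUri -PolicyType device     -LookupKey 'SMKG1KBHQ53H39TFTNQQ10JDES'
New-SegPolicyUri -PolicyType segconfig
```

Paste the returned string into the REST API URI field and click GET. Rejecting a lookup key for key-less types and requiring one for the others catches the two most common mistakes before anything is sent to the Admin page.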
Configure the External Configuration File
In certain scenarios, you might want to override the default values provided in the application.properties file. With SEG V2, you can override values in application.properties from an external configuration file instead of editing application.properties itself.
Before you begin:
In addition to the configuration received from the Workspace ONE UEM console, the SEG V2 uses certain values from the local configuration file at SEGDir/config/application.properties. During a SEG V2 upgrade, the values in the older application.properties file are discarded, while the external configuration file retains any overridden values when the new version of SEG is installed. If any values need to be modified, update the external configuration file; this keeps the customer's overridden configuration values across a SEG upgrade.
About this task:
The following procedure describes the steps to configure the external configurations file.
- On the server where SEG V2 is installed, create a subdirectory to hold the override file.
Results: For example, create a subdirectory with name config-override under the SEG installation directory C:\AirWatch\SEG\.
- Browse to the newly created folder and create a properties file.
Results: For example, if the file name is application-override.properties, full path of the file might be C:\AirWatch\SEG\config-override\application-override.properties.
- Navigate to .
- Click the Advanced System Settings link on the left-side panel, and then click Environment Variables.
- Create a system variable. Enter additional.spring.config.location as the Variable name and the full path of the file created in Step 2 as the Variable value.
- Save the newly created file and click OK. As per the example in Step 2, the value of the system variable is C:\AirWatch\SEG\config-override\application-override.properties.
- Open the properties file created in Step 2 in any text editor, add the property key-value pairs that you want to override and save the file. Any changes to this file take effect only after the SEG service is restarted.
- Restart the SEG service and check if SEG is using the overridden values from the external configuration file.
What to do next:
After restarting SEG, the overridden values from the external configuration file are used. Verify that the functional behavior of SEG matches the overridden values.
SEG provides an API to verify whether any invalid keys are configured in the external configuration file. Enter /diagnostic/invalidconfigkeys in the Diagnostics tab of the Admin UI to list the invalid keys.
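The procedure above, carried out as one PowerShell script on the SEG V2 Windows server. This is an added example, not a script from VMware or the SEG installer. It assumes the default install root C:\AirWatch\SEG, an elevated session (a Machine-scope environment variable cannot be set otherwise), and a Windows service name held in $SegServiceName, which is a placeholder because the page does not state it; the property key written to the file is also a placeholder, since the real keys live in SEGDir\config\application.properties.

```powershell
# Added example (not VMware's own script): performs the external override procedure
# on the SEG V2 Windows server. Assumptions not taken from the page: the SEG service
# name in $SegServiceName (placeholder) and that this runs in an elevated session.
$SegRoot        = 'C:\AirWatch\SEG'
$OverrideDir    = Join-Path $SegRoot 'config-override'
$OverrideFile   = Join-Path $OverrideDir 'application-override.properties'
$SegServiceName = 'REPLACE-WITH-SEG-SERVICE-NAME'   # placeholder; check services.msc

# Steps 1 and 2: the override folder and the properties file (created only if absent).
New-Item -ItemType Directory -Path $OverrideDir -Force | Out-Null
if (-not (Test-Path -LiteralPath $OverrideFile)) {
    # Lines starting with '#' are comments in a Java properties file. The key below is a
    # placeholder: use the names that appear in SEGDir\config\application.properties.
    @(
        '# Overrides for keys in config\application.properties; one key=value per line.',
        'placeholder.property.key=placeholder-value'
    ) | Set-Content -LiteralPath $OverrideFile -Encoding ASCII
}

# Limit who can edit the file: whatever is written here is read by the SEG service, so
# only Administrators and SYSTEM should be able to change it. If the SEG service runs
# under a dedicated account, add a Read rule for that account as well.
$acl = Get-Acl -LiteralPath $OverrideFile
$acl.SetAccessRuleProtection($true, $false)     # break inheritance, discard inherited rules
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $OverrideFile -AclObject $acl

# Steps 3 to 6: the system (Machine-scope) environment variable that points SEG at the file.
[Environment]::SetEnvironmentVariable('additional.spring.config.location', $OverrideFile, 'Machine')

# Step 8: restart the service so the override is read, then confirm the variable persisted.
# If SEG still uses the defaults after the restart, the service may have started with a
# stale environment block; check the value printed below and restart the server if needed.
Restart-Service -Name $SegServiceName
[Environment]::GetEnvironmentVariable('additional.spring.config.location', 'Machine')
```

After the restart, enter /diagnostic/invalidconfigkeys on the Diagnostics tab; the placeholder key above will be reported there until you replace it with a real property name, which is a convenient way to confirm that the SEG is actually reading the override file.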
Upload the SSL Certificate after Renewal
Each SSL certificate has a validity period and after the certificate expires you must renew and upload the latest SSL certificate. For SEG, you can upload the SSL certificate to the Workspace ONE UEM console, or locally when installing the SEG on Windows, or when configuring the SEG Edge service on the UAG. This topic describes the various options through which you can renew and upload the SSL certificate.
Upload the SSL Certificate through the Workspace ONE UEM Console
Perform the following steps when the SSL certificate is uploaded through the Workspace ONE UEM console:
- In the UEM console, navigate to Email > Settings and edit the existing email configuration and click Next.
- Navigate to the Deployment tab and click Next.
- Upload the latest SEG server SSL certificate.
- Enter the password when prompted, click Next, and save the settings.
- Restart the SEGv2 service on all the servers to fetch the latest configuration and bind the updated SSL certificate.
Upload the SSL Certificate locally during the SEGv2 Installation for the Windows Server
Perform the following steps when the SSL certificate is uploaded locally during the SEGv2 installation for the Windows server:
- Run the SEGv2 installer in the server box where the SEG is installed.
- Select the Modify option to modify the installation when prompted.
- Click Next to continue.
- Upload the latest SEG server SSL certificate when prompted.
- Enter the password and click Next to finish the setup.
- SEGv2 service now binds to the updated SSL certificate.
Upload the SSL Certificate locally for the SEG Edge Service on the UAG Admin UI
Perform the following steps when the SSL certificate is uploaded locally for the SEG Edge service on the UAG Admin UI:
- Log in to the UAG Admin UI.
- Open the SEGv2 configuration under the Edge Service settings.
- Enable the Add SSL certificate toggle button.
- Click Select against the SSL certificate field.
- Upload the latest SEG server SSL certificate and enter the password when prompted.
- Save the configuration and wait for the appliance agent to complete the modification of the SEG Edge service.
- SEG Edge service now binds to the updated SSL certificate.
Offloading SSL traffic on a Load Balancer or F5 network for a Windows-based Deployment
When the SSL traffic is offloaded on a Load Balancer or the F5 network for a Windows-based deployment, deactivate the Terminate SSL on SEG toggle button under the Email Configuration settings. The communication between the Load Balancer or the F5 network and the SEGv2 occurs in plain HTTP. In such a scenario, the SSL certificate rotation for the SEG is not applicable.
Offloading SSL traffic on a Load Balancer or F5 network for a UAG Deployment
The SEG on UAG does not support a non-SSL configuration. If the SSL traffic from a device is offloaded on a Load Balancer or F5 network, the SEG must still be configured with an SSL certificate to ensure that the traffic reaching the SEG from these network components is encrypted. In such a scenario, the SSL certificate rotation for SEG is applicable as explained in the Upload the SSL Certificate locally for the SEG Edge Service on the UAG Admin UI section.
Additionally, when the SEG on UAG is configured to listen on port 443, the UAG expects a valid Server Name Indication (SNI) extension during a TLS handshake, to enable the redirect requests to the SEG Edge service. When initiating a TLS connection with the SEG on UAG, the load balancer or the F5 network must be configured to use the correct value for the SNI field. The hostname which is configured as part of the external URL field in the Workspace ONE UEM Console (without port and protocol) is used as the SNI value for the SEG Edge service. The same value is used for the following fields while configuring the SEG Edge service on the UAG:
- The airwatchServerHostname field in the INI file when you configure through PowerShell and
- The Secure Email Gateway Hostname field under the Secure Email Gateway settings when you configure through the UAG Admin UI.
If the SEG Edge service on the UAG is configured to listen on any port other than 443, then the Server Name Indication (SNI) configuration is not applicable. To enable the SNI configuration, a Server SSL profile must be created. For F5, enable the server SSL profile and the custom configurations. The Certificate and Server Name fields must be enabled and configured with the SEGv2. The following image shows an example of an SSL bridging configuration on F5 with SNI enabled in the server SSL profile.
For Avi Networks, enable SSL on the pool configuration and use the TLS SNI setting to specify the SEGv2 address. The following image shows an example of an SSL bridging configuration on Avi Networks with SNI enabled in the pool configuration.
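A quick way to check the SNI requirement described above, before or after changing the load balancer's server SSL profile, is to perform the same handshake the load balancer performs: connect to the SEG listener, send the external URL hostname as SNI, and look at the certificate the SEG Edge service presents. The following PowerShell function is an added example, not VMware, F5 or Avi tooling. It assumes $SegHost is the hostname from the external URL field (without port or protocol) and $ConnectTo is the address the load balancer reaches, both given as placeholders; the SEG is assumed to listen on 443, where the SNI rule applies.

```powershell
# Added example (not from the VMware docs): opens a TLS connection to the SEG on UAG with
# an explicit SNI value and reports the certificate the SEG Edge service presents, so the
# load balancer's Server Name setting and the bound certificate can be checked together.
# Assumptions: $SegHost is the external URL hostname (no port or protocol), $ConnectTo is
# the address the load balancer reaches; the values used at the bottom are placeholders.
function Test-SegSniHandshake {
    param(
        [Parameter(Mandatory)] [string] $SegHost,
        [string] $ConnectTo = $SegHost,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($ConnectTo, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated separately below
        # with X509Chain so the outcome can be reported instead of aborting the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            # The targetHost argument is what becomes the TLS SNI extension.
            $ssl.AuthenticateAsClient($SegHost)
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $trusted = $chain.Build($cert)
            # 2.5.29.17 is the Subject Alternative Name extension; compare its DNS entries
            # with $SegHost, since that is the name the load balancer will send.
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                   ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                Sni            = $SegHost
                Protocol       = $ssl.SslProtocol
                Subject        = $cert.Subject
                SubjectAltName = $san
                NotAfter       = $cert.NotAfter
                ChainTrusted   = $trusted
                ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

# Placeholder values: replace with your external URL hostname and the SEG listener address.
Test-SegSniHandshake -SegHost 'seg.example.com' -ConnectTo '192.0.2.10'
```

If the handshake fails or the UAG returns a certificate whose subject or SAN does not contain the external URL hostname, the load balancer's Server Name value or the certificate bound to the SEG Edge service needs attention before traffic is cut over. The NotAfter value is also the figure to watch for the renewal procedure earlier on this page.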