The Workspace ONE UEM powered by AirWatch Secure Email Gateway V2 (SEG V2) helps to protect your mail infrastructure and enables VMware AirWatch Mobile Email Management (MEM) functionalities. Install the SEG along with your existing email server to relay all ActiveSync email traffic to Workspace ONE UEM-enrolled devices.

Based on the settings you define in the Workspace ONE UEM console, the SEG filters all communication requests from individual devices that connect to SEG.

Note: This guide contains information about the SEG V2. The SEG Classic software is being discontinued and end of life has been announced. The Classic Secure Email Gateway (SEG) installer will reach End of General Support on May 5, 2019. On December 24, 2018, the Classic SEG installer will be removed from the Resources portal. After May 5, 2019, VMware cannot guarantee full support for Classic SEG. For more information about the End-of-Life terms, see https://kb.vmware.com/s/article/2960293.
Note: To read about the Classic SEG information, see the VMware AirWatch Secure Email Gateway 1811 guide at https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/WS1-Secure-Email-Gateway/GUID-AWT-SEG-CLASSIC-REQS.html.

Requirements for the Secure Email Gateway (V2)

To successfully deploy the SEG, you must meet the UEM console requirements, hardware requirements, software requirements, and network recommendations.

UEM Console Requirements

  • All currently supported UEM console versions. See the Workspace ONE UEM console release and End of General Support Matrix document for more details on the currently supported versions.
  • REST API must be enabled for the Organization Group.
Prerequisite: Enable REST API

To configure the REST API URL for your Workspace ONE UEM environment:

  1. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
  2. The Workspace ONE UEM gets the API certificate from the REST API URL, that is, on the site URLs page located at Groups & Settings > All Settings > System > Advanced > Site URL. For SaaS deployments,the API URL must be in the asXX.awmdm.com format.

You can configure the SEG V2 at a container organization group that inherits the REST API settings from a customer type organization group.

Hardware Requirements

A SEG V2 server can be either a virtual (preferred) or physical server.

Note the following when deploying SEG V2:

  • An Intel processor is required. CPU Cores should each be 2.0 GHz or higher.
  • The minimum requirements for a single SEG server are 2 CPU cores and 4 GB RAM.
  • When installing the SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU Cores and 8 GB RAM can be supported by either:
    • One single SEG server with 4 CPU cores and 8 GB RAM.
    • Two load-balanced SEG servers, each with 2 CPU cores and 4 GB RAM.
  • 5 GB disk space needed per SEG and dependent software. This does not include system monitoring tools or additional server applications.

Software Requirements

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Networking Requirements

The SEG uses the following default ports:

Source Component Destination Component Protocol Port Description
Devices (from Internet and Wi-Fi) SEG HTTPS 443 Devices request mail from SEG
Console Server SEG HTTPS 443 Console makes administrative commands to SEG 
SEG Workspace ONE UEM REST API (Device Services (DS) or Console Server (CN) server) HTTP or HTTPS 80 or 443 SEG retrieves the configuration and general compliance policy information
SEG Internal hostname or IP of all other SEG servers TCP 5701 and 41232 If SEG Clustering is used, then SEG communication to shared policy cache across other SEGs for updates and replication.
SEG localhost HTTP 44444 Admin accesses the SEG server status and diagnostic information from the localhost machine.
Device Services SEG HTTPS 443 Enrollment events and real-time compliance communicates to SEG.
SEG  Exchange HTTP or HTTPS 80 or 443 Verify the following URL is accessible from the browser on the SEG server and prompts for the credentials. http(s)://<Exchange-Server-FQDN>/Microsoft-Server-ActiveSync

The SEG V2 requires that TLS 1.1 or 1.2 is supported on the client's email server, preferably TLS 1.2. It is recommended that the client follow the guidelines of the email system and the OS manufacturer.

Recommendations

Requirement Notes

Remote access to Windows Servers available to Workspace ONE UEM and administrator rights

Set up the Remote Desktop Connection Manager for multiple server management. You can download the installer from the Microsoft download center.
Installation of Notepad++ (Recommended) This application makes it easier to parse through the log files.
Ensure Exchange ActiveSync is enabled for a test account  
Ensure you have remote access to the servers where Workspace ONE UEM is installed. Typically, Workspace ONE UEM consultants perform installations remotely over a web meeting or screen share. Some customers also provide Workspace ONE UEM with VPN credentials to directly access the environment as well.

The Secure Email Gateway Architecture

Deploy the SEG to enable the policy creation that determines how end-users access mail on their devices. It is optimal to install the Secure Email Gateway (SEG) in a Demilitarized Zone (DMZ) or behind a reverse proxy server.

The SEG is an on-premises component that you install as part of your organization's network. The SEG Proxy model requires an Exchange ActiveSync infrastructure like Microsoft Exchange, IBM Notes Traveler, or G Suite. For more information on SEG, contact Workspace ONE Support.

Note: Workspace ONE UEM only supports the versions of third-party email servers currently supported by the email server provider. When the provider deprecates a server version, Workspace ONE UEM no longer supports integration with that version.

SEG Setup with Exchange ActiveSync

Workspace ONE UEM best practices support this configuration. For routing mobile email traffic deploy SEG in the DMZ .

Deploy SEG with Exchange ActiveSync

Note: To route mobile email traffic, VMware recommends configuring the SEG with Exchange ActiveSync.

Exchange ActiveSync SEG Using Optional Reverse Proxy Configuration

The reverse proxy configuration uses an optional reverse proxy to direct the mobile device traffic to the SEG Proxy while routing browser traffic directly to the webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol.

Configure Exchange ActiveSync SEG using optional reverse proxy

Recommendations for Reverse Proxy Configuration

Exchange ActiveSync is a stateless protocol, and persistence is not explicitly required by Microsoft. The best load-balancing method might vary from different implementations. Use the following information to meet the recommended load-balancing requirements efficiently.

  • IP-based affinity: Configure IP-based affinity if you are using Certificate authentication and there is no proxy or other component in front of the load-balancer that changes the source IP from the original device.
  • Authentication Header Cookie based Affinity: If you are using Basic authentication, especially if there is a proxy or other network component that changes the source IP from the original device.