The Workspace ONE UEM powered by AirWatch Secure Email Gateway V2 (SEG V2) helps to protect your mail infrastructure and enables VMware AirWatch Mobile Email Management (MEM) functionalities. Install the SEG along with your existing email server to relay all ActiveSync email traffic to Workspace ONE UEM-enrolled devices.
Based on the settings you define in the Workspace ONE UEM console, the SEG filters all communication requests from individual devices that connect to SEG.
Requirements for the Secure Email Gateway (V2)
To successfully deploy the SEG, you must meet the UEM console requirements, hardware requirements, software requirements, and network recommendations.
UEM Console Requirements
- All currently supported UEM console versions. See the Workspace ONE UEM console release and End of General Support Matrix document for more details on the currently supported versions.
- REST API must be enabled for the Organization Group.
To configure the REST API URL for your Workspace ONE UEM environment:
- Navigate to .
- The Workspace ONE UEM gets the API certificate from the REST API URL, that is, on the site URLs page located at asXX.awmdm.com format. . For SaaS deployments,the API URL must be in the
You can configure the SEG V2 at a container organization group that inherits the REST API settings from a customer type organization group.
A SEG V2 server can be either a virtual (preferred) or physical server.
Note the following when deploying SEG V2:
- An Intel processor is required. CPU Cores should each be 2.0 GHz or higher.
- The minimum requirements for a single SEG server are 2 CPU cores and 4 GB RAM.
- When installing the SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU Cores and 8 GB RAM can be supported by either:
- One single SEG server with 4 CPU cores and 8 GB RAM.
- Two load-balanced SEG servers, each with 2 CPU cores and 4 GB RAM.
- 5 GB disk space needed per SEG and dependent software. This does not include system monitoring tools or additional server applications.
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
The SEG uses the following default ports:
|Source Component||Destination Component||Protocol||Port||Description|
|Devices (from Internet and Wi-Fi)||SEG||HTTPS||443||Devices request mail from SEG|
|Console Server||SEG||HTTPS||443||Console makes administrative commands to SEG|
|SEG||Workspace ONE UEM REST API (Device Services (DS) or Console Server (CN) server)||HTTP or HTTPS||80 or 443||SEG retrieves the configuration and general compliance policy information|
|SEG||Internal hostname or IP of all other SEG servers||TCP||5701 and 41232||If SEG Clustering is used, then SEG communication to shared policy cache across other SEGs for updates and replication.|
|SEG||localhost||HTTP||44444||Admin accesses the SEG server status and diagnostic information from the localhost machine.|
|Device Services||SEG||HTTPS||443||Enrollment events and real-time compliance communicates to SEG.|
|SEG||Exchange||HTTP or HTTPS||80 or 443||Verify the following URL is accessible from the browser on the SEG server and prompts for the credentials. http(s)://<Exchange-Server-FQDN>/Microsoft-Server-ActiveSync|
The SEG V2 requires that TLS 1.1 or 1.2 is supported on the client's email server, preferably TLS 1.2. It is recommended that the client follow the guidelines of the email system and the OS manufacturer.
Remote access to Windows Servers available to Workspace ONE UEM and administrator rights
Set up the Remote Desktop Connection Manager for multiple server management. You can download the installer from the Microsoft download center.
|Installation of Notepad++ (Recommended)||This application makes it easier to parse through the log files.|
|Ensure Exchange ActiveSync is enabled for a test account|
|Ensure you have remote access to the servers where Workspace ONE UEM is installed. Typically, Workspace ONE UEM consultants perform installations remotely over a web meeting or screen share. Some customers also provide Workspace ONE UEM with VPN credentials to directly access the environment as well.|
The Secure Email Gateway Architecture
Deploy the SEG to enable the policy creation that determines how end-users access mail on their devices. It is optimal to install the Secure Email Gateway (SEG) in a Demilitarized Zone (DMZ) or behind a reverse proxy server.
The SEG is an on-premises component that you install as part of your organization's network. The SEG Proxy model requires an Exchange ActiveSync infrastructure like Microsoft Exchange, IBM Notes Traveler, or G Suite. For more information on SEG, contact Workspace ONE Support.
SEG Setup with Exchange ActiveSync
Workspace ONE UEM best practices support this configuration. The SEG is placed in the DMZ for routing mobile email traffic.
Exchange ActiveSync SEG Using Optional Reverse Proxy Configuration
The reverse proxy configuration uses an optional reverse proxy to direct the mobile device traffic to the SEG Proxy while routing browser traffic directly to the webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol.
Recommendations for Reverse Proxy Configuration
Exchange ActiveSync is a stateless protocol, and persistence is not explicitly required by Microsoft. The best load-balancing method might vary from different implementations. Use the following information to meet the recommended load-balancing requirements efficiently.
- IP-based affinity: Configure IP-based affinity if you are using Certificate authentication and there is no proxy or other component in front of the load-balancer that changes the source IP from the original device.
- Authentication Header Cookie based Affinity: If you are using Basic authentication, especially if there is a proxy or other network component that changes the source IP from the original device.