Deploy the Secure Email Gateway (SEG) to create the policies that determine how end users access mail on their devices. The optimal placement for the SEG is in a Demilitarized Zone (DMZ) or behind a reverse proxy server.
The SEG is an on-premises component that you install as part of your organization's network. The SEG Proxy model requires an Exchange ActiveSync infrastructure like Microsoft Exchange, IBM Notes Traveler, or G Suite. For more information on SEG, contact Workspace ONE Support.
SEG Setup with Exchange ActiveSync
Workspace ONE UEM best practices support this configuration. The SEG is placed in the DMZ for routing mobile email traffic.
Exchange ActiveSync SEG Using Optional Reverse Proxy Configuration
The reverse proxy configuration uses an optional reverse proxy to direct the mobile device traffic to the SEG Proxy while routing browser traffic directly to the webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol.
Recommendations for Reverse Proxy Configuration
Exchange ActiveSync is a stateless protocol, and Microsoft does not explicitly require persistence. The best load-balancing method might vary between implementations. Use the following information to meet the recommended load-balancing requirements efficiently.
- IP-based affinity: Configure IP-based affinity if you are using Certificate authentication and there is no proxy or other component in front of the load-balancer that changes the source IP from the original device.
- Authentication Header Cookie based Affinity: Configure Authentication Header Cookie based affinity if you are using Basic authentication, especially if there is a proxy or other network component that changes the source IP from the original device.
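
The following added example (not part of the Workspace ONE documentation or any load-balancer product) models why the two recommendations differ: once an upstream proxy rewrites the source address, IP-based affinity sees a single client, while a key derived from the authentication header still distinguishes devices. It assumes the header-based key comes from the HTTP Authorization header; the node names, addresses, and credentials are constructed.

```python
import base64
import hashlib

SEG_NODES = ["seg-1", "seg-2", "seg-3"]  # hypothetical SEG pool behind the load balancer


def affinity_key(auth_mode, source_ip, authorization=None, ip_rewritten=False):
    """Pick the persistence key following the two recommendations above."""
    if auth_mode == "certificate" and not ip_rewritten:
        return "ip:" + source_ip
    if auth_mode == "basic" and authorization:
        # Store a digest so the credential itself never sits in the persistence table.
        return "auth:" + hashlib.sha256(authorization.encode()).hexdigest()
    return "ip:" + source_ip  # nothing better available; expect uneven distribution


def pick_node(key, nodes=SEG_NODES):
    """Map a persistence key to one node, deterministically."""
    digest = hashlib.sha256(key.encode()).digest()
    return nodes[int.from_bytes(digest[:8], "big") % len(nodes)]


def basic_header(user, password):
    """Build a Basic Authorization header value for the constructed sample."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


# Constructed sample: five devices using Basic authentication, all reaching the
# load balancer through one upstream proxy that rewrites the source address.
PROXY_IP = "10.0.0.5"
DEVICES = [basic_header(f"user{i}", f"example-pass-{i}") for i in range(5)]


def keys_by_ip():
    # IP-based affinity applied even though the proxy hides the device addresses.
    return [affinity_key("certificate", PROXY_IP) for _ in DEVICES]


def keys_by_header():
    # Header-based affinity, as recommended when the source IP is rewritten.
    return [affinity_key("basic", PROXY_IP, h, ip_rewritten=True) for h in DEVICES]


if __name__ == "__main__":
    print("IP affinity nodes:    ", [pick_node(k) for k in keys_by_ip()])
    print("Header affinity nodes:", [pick_node(k) for k in keys_by_header()])
```

With IP-based keys every device collapses onto one persistence entry and therefore one SEG node; with header-based keys each device keeps its own entry.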