This section explains the requirements and prerequisites for using the ENS2 with Workspace ONE UEM.

Email Server Integration Supported Versions

  • Email Client - For Android support, you must have ENS2 1.3.0.4 or later and Workspace ONE Boxer 5.2 or later.
  • Email Server - Exchange 2010 SP3, Exchange 2013 SP1, Exchange 2016, Exchange 2019 (for on-premises ENS2 version 1.7 and later), or Office 365.
  • For ENS2 on-premises with ENS2 version 1.8 and later, Office 365 is supported.

Workspace ONE UEM Requirements

  • On-premises and Cloud deployment: Workspace ONE UEM console 1902 and later

Hardware Requirements (On-Premises Only)

Table 1. Web Server
CPU Core RAM Hard Disk Storage Notes
2 (Intel processor) 16 GB 30 GB

Per 100,000 users.

Table 2. Database Server
CPU Core RAM Hard Disk Storage Notes
2 (Intel processor) 16 GB (minimum) Approx. 0.0477 MB per user to estimate the DB storage size.

Per 100,000 users.

Software Requirements

For ENS2 version 1.7 and later, you must upgrade your CNS from CNS v1.0 to CNS v2.0 to support notifications.

Requirement (On-Premises) Notes
Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 The servers must be externally accessible through https (SSL Cert) and with a Fully Qualified Domain Name (FQDN)

SQL Server 2016, 2017, and 2019

(Database Server)

The db_owner role and public role must be assigned to the SQL server user that is used for running the application. The database option must be selected for external database and you must set the collation to SQL_Latin1_General_CP1_Cl_AS. A dedicated SQL instance for ENS is recommended. The steps to create an ENS database and the Workspace ONE UEM database are the same. For more information on creating the Workspace ONE UEM database, see Create the Workspace ONE UEM Database topic in the Installing Workspace ONE UEM guide.
Note: A shared SQL instance can only be used for demonstration purpose, where a small set of users can use the ENS.
Basic Authentication for the Exchange environment OAuth and Certificate-Based Authentication (CBA) is supported for Exchange Web Services
CNS Certificate  
Secure Channel Certificate  
IIS 7 or later Installed on Web Server
Requirement (Cloud) Notes
Basic Authentication for the Exchange environment OAuth and Certificate-Based Authentication (CBA) is supported for Exchange Web Services
Autodiscovery enabled in the Exchange environment and Internet-facing EWS environment. If the autodiscovery is disabled, you can use the EWSUrl key value pair to configure ENS.  

Networking Requirements

Table 3. Network Ports
Source Destination Protocol (Port)
ENS Exchange (EWS) HTTPS (443)
Exchange (EWS) ENS HTTPS (443)
Mailbox/CAS ENS HTTPS (443)
ENS AirWatch Cloud Notification Service (CNS) HTTPS (443)
ENS SQL Server Instance SQL (1433)
Internet (Devices) ENS HTTPS (443)
Table 4. IIS Services
Component Name Required Services
Web Management Tools IIS 6 Management Compatibility
IIS Management Console  
IIS Management Scripts and Tools  
IIS Management Service  
Table 5. World Wide Web Services
Component Name Required Services
Application Development Features .NET Extensibility 3.5
.NET Extensibility 4.6  
Application Initialization  
ASP  
ASP.NET 3.5  
ASP.NET 4.6  
ISAPI Extensions  
ISAPI Filters  
Server-Side Includes  
WebSocket Protocol  
Common HTTP Features Default Document
Directory Browsing  
HTTP Errors  
Static Content  
Health and Diagnostics HTTP Logging
Performance Features Static Content Compression
Security Request Filtering

SQL Server and High Availability Support

High availability configuration - ENS2 supports SQL Server AlwaysOn high availability configuration. To set up the SQL Server AlwaysOn for active/active or active/passive setup, see Overview of Always On Availability Groups (SQL Server). If you are using AlwaysOn, point to the availability group when choosing the database server during the ENS2 installation.

TLS Support for ENS

For ENS2 on-premises, see the Cipher Suites in TLS/SSL (Schannel SSP) topic for default ciphers suites for different Windows server versions and select the ENS2 on-premises server version accordingly.

Note: If SEG is configured, then ensure that the on-premises ENS server has all the ciphers that are enabled in the SEG server.

ENS supports TLS version 1.0 to TLS version 1.3. ENS does not choose any protocol, but allows the OS to choose the strongest available TLS version and the cipher suites. The following table lists the recommended cipher suites.

Cipher Suites SSL Cipher Strength TLS Protocol Version Elliptic Curve Variants Cryptographic Algorithm Authenticated Encryption Cryptographic Hash Algorithm
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 TLS 1.2 ECDH-ephemeral ECDSA AESGCM (128) SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 TLS 1.2 ECDH-ephemeral ECDSA AESGCM (256) SHA256 and SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA TLS 1.2 ECDH-ephemeral ECDSA AES (128) SHA1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA TLS 1.2 ECDH-ephemeral ECDSA AES (256) SHA1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256 TLS 1.2 ECDH-ephemeral ECDSA AES (128) SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE-ECDSA-AES256-SHA384 TLS 1.2 ECDH-ephemeral ECDSA AES (256) SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLS 1.2 ECDH-ephemeral RSA AESGCM (128) SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384 TLS 1.2 ECDH-ephemeral RSA AESGCM (256) SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA TLS 1.2 ECDH-ephemeral RSA AES (128) SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA TLS 1.2 ECDH-ephemeral RSA AES (256) SHA1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256 TLS 1.2 ECDH-ephemeral RSA AES (128) SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384 TLS 1.2 ECDH-ephemeral RSA AES (256)

ENS2 Prerequisites

To enable and secure the communication between the Exchange server and the ENS server, note the following points:

  • Communication between ENS and Exchange servers must not have any SSL errors.
  • telnet and ping commands must work seamlessly between ENS and Exchange CAS/Mailbox servers.
  • SSL certificates used for ENS and Exchange servers must not have any errors when they run through SSL checkers.
Note: If you want to enable certificate-based authentication or configure ENS2 with SEG, see Enable Certificate-Based Authentication for ENS and Configuring SEG as the EWS Proxy for ENS.

Upload the Root CA Certificate

To upload the root CA certificate to the Exchange server, perform the following steps:

  1. Download the SSL certificate from the on-premises ENS server. Access the ENS Alive endpoint in a browser and download the certificate from the address bar.
    Note: You must only download the root certificate issued by a trusted authority and signed by an internal CA. For the cloud deployment, you can download the root certificate from https://ens.getboxer.com/api/ens/alive, https://ens-eu.getboxer.com/api/ens/alive, https://ens-apj.getboxer.com/api/ens/alive, or https://ens-uk.getboxer.com/api/ens/alive based on your region, issued by VMware for your account.

    For the on-premises deployment, download the root certificate and replace acme.com with the resolved name or IP address of your ENS server.

  2. Import this certificate on the Exchange Server into the Trusted Root Certification Authorities through MMC.