Configure the various SEG (V2) settings such as email, external and server settings, and security information.


You must have downloaded the SEG server SSL certificate.


  1. Navigate to Email > Email Settings and select Configure.
    The Add Email Configuration wizard displays.
  2. Select Add. The wizard displays the Platform tab.
    1. From Deployment Model, select Proxy.
    2. From Gateway Platform, select V2.
    3. From Email Type, select Google and then select Next.
      The Deployment tab opens and displays the basic settings.
  3. Select the Friendly Name text box and enter a unique name.
  4. Configure the External Settings. Select the External URL and Port text box and enter the external URL and the port number to which Workspace ONE sends policy updates.
    The supported format is https://<external seg url>:<external port>.
  5. Configure the Server Settings.
    1. Enter the web listener port for SEG . By default, the port number is 443. If SSL is enabled for SEG, the SSL certificate is bound to this port.
    2. (Optional) From Terminate SSL on SEG, select Enable to bind the SSL certificate to the port.
    3. Select Upload Locally to upload the SSL certificate during installation. Use this setting when you do not have the certificate during MEM configuration. See, Configure the SEG V2 section in the Secure Email Gateway (SEG) V2 guide.
      The UEM console supports uploading the certificate locally for easy OTA installation. The certificate can also be provided during run-time.
    4. From SEG Server SSL Certificate, select Upload to add the certificate.
      The SSL certificate can be installed automatically, instead of providing it locally. This setting is useful for larger SEG deployments. An SSL certificate in the .pfx format with full certificate chain and private key included must be uploaded. See, Configure the SEG V2 section in the Secure Email Gateway (SEG) V2 guide.
  6. Configure the Email Server Settings. Select Email Server URL and Port and enter the Google server URL:
    This is the Google address to which the SEG will proxy ActiveSync requests.
  7. Configure Security Settings.
    1. From Ignore SSL Errors between SEG and email server, select Enable to ignore the Secure Socket Layer (SSL) certificate errors between the email server and SEG server.
    2. From Ignore SSL Errors between SEG and Workspace ONE UEM server, select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and SEG server.
      Establish a strong SSL trust between Workspace ONE UEM and SEG server using valid certificates.
    3. From Allow email flow if no policies are present on SEG , select Enable to allow the email traffic if SEG is unable to load the device policies from the Workspace ONE UEM APIs.
      By default,   SEG blocks email requests if no policies are locally present.
  8. Configure Cluster Settings. From Enable Clustering, select Enable if you want to enable clustering of SEG servers. For more information, see Configure the V2 Platform section of the VMware AirWatch Secure Email Gateway guide.
  9. (Optional) Configure the Automatic Password Provision setting in Google Apps. Skip this step if you provide the Google password to your device users or if they are provided with their SSO password that is the same as the Google password.
    The Automatic Password Provision setting is disabled by default because it is considered to be more stable when the Google password is managed within your organization.
    1. If you do not provide native passwords to device users, or if they are only provided with SSO password and the primary directory is not Google, select Enabled.
      When enabled, the UEM console provisions the Google for your users.
    2. Enter the following information for the UEM console to provision the Google password:
      Setting Description
      Google Apps Domain Google Apps domain address.
      Google Apps Sub-Domain Google Apps sub-domain address.
      Google Apps admin username Complete URL as the Google Apps Admin user name.
      Service account certificate Click Upload to upload to the Service account certificate. Enter the certificate password when prompted. The certificate password is created when generating the client ID on the Google console.
      Directory service account email address Directory service account email address that is generated while creating the Service Account Certificate.
      Application Name Specify the project name created earlier.
      Google User Email Address Certificate attribute which holds the email address of the user.
  10. Enter the required settings in the Profiles tab and click Next.
    For more information on the settings in the Profiles tab, see the Configure the V2 Platform section of the VMware AirWatch Secure Email Gateway guide.
  11. Click Finish.

What to do next

Configure IP Restriction on the Google Admin Console to complete the integration of SEG (V2) proxy with Google.