Before configuring the SEG to use client certificate authentication, meet the following prerequisites.
- A Windows Server (2008 R2 or higher)
- A Certificate Authority (CA) integrated with Workspace ONE UEM to issue certificates to your mobile devices. In this documentation, a Microsoft CA is used as the example; however, Workspace ONE UEM supports certificates from multiple CAs.
- A trust relationship between the CA and the Directory Services server.
- A domain service account to use as the Principal Identity, with designated permission to impersonate users to the EAS service.
- A Certificate Revocation List (CRL) for the CA that is accessible over HTTP, and a CRL distribution point. For more information, see Configure CRL over HTTP for CA.
- Administrative access to the following in your enterprise environment:
  - Active Directory (AD) Users & Computers
  - Exchange ActiveSync (EAS) or Client Access Servers (CAS)
  - Windows Server on which the SEG is installed
  - Certificate Authority (CA)
Note: If there are multiple EAS servers in an array, you need to create an Alternate Service Account (ASA) in Active Directory. Instructions can be found in the Appendix.
The required communication paths are listed below.
| Source | Port | Protocol | Destination |
|---|---|---|---|
| SEG | 80 | HTTP | CRL Distribution Point |
| SEG | 88 | LDAP\kerberos | Domain Controller |
| SEG | 80/443 | HTTP (S) | Exchange ActiveSync |
| SEG | 443 | HTTPS | AW API |
| AW | 443 | HTTPS | SEG |
| Device | 443 | HTTPS | SEG |