Before configuring the SEG to use client certificate authentication, make sure the following prerequisites are in place.

  • A Windows Server (2008 R2 or higher)
  • A Certificate Authority (CA) integrated with Workspace ONE UEM to issue certificates to your mobile devices. In this documentation a Microsoft CA is used as the example; Workspace ONE UEM supports certificates from multiple CAs.
  • A trust relationship between the CA and the Directory Services server.
  • A domain service account to use as the Principal Identity, with the designated permission to impersonate users to the EAS service.
  • A Certificate Revocation List (CRL) for the CA that is published at a CRL distribution point reachable over HTTP. The SEG fetches this CRL to check whether a device certificate has been revoked, so an unreachable or expired CRL causes authentication failures. For more information, see Configure CRL over HTTP for CA.

  • Administrative access to the following in your enterprise environment:
    • Active Directory (AD) Users & Computers
    • Exchange ActiveSync (EAS) or Client Access Servers (CAS)
    • Windows Server on which the SEG is installed
    • Certificate Authority (CA)
Note: If there are multiple EAS servers in an array, you need to create an Alternate Service Account (ASA) in Active Directory. Instructions can be found in the Appendix.

The SEG requires the communication paths listed below. Open these ports in any firewall between the components; the source is the side that initiates the connection.

Table 1. Communication Paths

  Source   Port     Protocol    Destination
  SEG      80       HTTP        CRL Distribution Point
  SEG      88       Kerberos    Domain Controller (KDC)
  SEG      80/443   HTTP(S)     Exchange ActiveSync
  SEG      443      HTTPS       Workspace ONE UEM (AW) API
  AW       443      HTTPS       SEG
  Device   443      HTTPS       SEG

Note: Port 88 carries Kerberos ticket requests from the SEG to the domain controller (KDC) when it impersonates users to EAS. If the SEG also performs LDAP lookups against the domain controller, those use TCP 389 (636 for LDAPS), not 88.
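The following PowerShell script, run on the SEG Windows Server, checks the outbound paths in Table 1 and fetches and parses the CRL. It is an added example, not part of the Workspace ONE UEM documentation or product; the hostnames and CRL URL are placeholders that you replace with your own values, and the inbound check at the end only confirms that the SEG is listening on 443 (the AW-to-SEG and Device-to-SEG paths must be tested from the far side).

```powershell
# Added example (not from the Workspace ONE UEM documentation): verify the
# communication paths the SEG needs before enabling client certificate
# authentication. All hostnames below are placeholders.
$paths = @(
    @{ Name = 'CRL distribution point';        Host = 'crl.example.com';  Port = 80  },
    @{ Name = 'Domain Controller (Kerberos)';  Host = 'dc01.example.com'; Port = 88  },
    @{ Name = 'Exchange ActiveSync (HTTP)';    Host = 'mail.example.com'; Port = 80  },
    @{ Name = 'Exchange ActiveSync (HTTPS)';   Host = 'mail.example.com'; Port = 443 },
    @{ Name = 'Workspace ONE UEM (AW) API';    Host = 'uem.example.com';  Port = 443 }
)

$results = foreach ($p in $paths) {
    # Test-NetConnection completes a TCP handshake to the port; it does not
    # validate TLS or application-level access, only network reachability.
    $t = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Path      = $p.Name
        Target    = "$($p.Host):$($p.Port)"
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# The CRL must be fetchable over plain HTTP from the SEG. Download it and let
# certutil parse it; a NextUpdate in the past means the CRL has expired and
# revocation checks for device certificates will fail.
$crlUrl  = 'http://crl.example.com/CertEnroll/Example-CA.crl'   # placeholder
$crlFile = Join-Path $env:TEMP 'seg-crl-check.crl'
try {
    Invoke-WebRequest -Uri $crlUrl -OutFile $crlFile -UseBasicParsing -ErrorAction Stop
    certutil -dump $crlFile | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Number'
} catch {
    Write-Warning "CRL download from $crlUrl failed: $($_.Exception.Message)"
}

# Inbound paths (AW -> SEG, Device -> SEG on 443) cannot be proven from the SEG
# itself; confirm the listener is up here, then test from the far side.
Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run the script in an elevated PowerShell session on the SEG server. Any row with Reachable = False, or a CRL whose NextUpdate has passed, must be fixed before continuing with the configuration.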