Secure Email Gateway (SEG) V2 - VMware


Secure Email Gateway (SEG) V2
VMware Workspace ONE UEM

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

1 Introduction to the Secure Email Gateway (V2)
2 The Secure Email Gateway Architecture
3 Requirements for the Secure Email Gateway (V2)
    SEG Support on UAG
    Configuring for High Availability and Disaster Recovery
    Configure the SEG V2
    Configure Outbound Proxy between SEG V2 and the Email Server
    Install the Secure Email Gateway (V2)
    Upload the SSL Certificate after Renewal
    Configure the SEG V2 EWS Proxy for Email Notification Service
    Configure the External Configuration File
    Configure a Different Hostname for Exchange Web Service
    The SEG V2 Admin Page
    Channel SEG Logs to the Syslog Server
    Channel SEG Logs to the Syslog Server on the Unified Access Gateway
    Migrate from the Secure Email Gateway Classic to Secure Email Gateway V2
4 Email Management
    Activate Email Compliance Policy
    Email Dashboard
    List View
    Configure and Deploy Email Profile
5 SEG Migration (Classic)
    Migrate to the SEG V2 with Google
    Configure IP Restriction on Google Admin Console
    Configure Automatic Password Provision and Sync Passwords

1 Introduction to the Secure Email Gateway (V2)

The Workspace ONE UEM powered by AirWatch Secure Email Gateway V2 (SEG V2) helps to protect your mail infrastructure and enables VMware AirWatch Mobile Email Management (MEM) functionalities. Install the SEG alongside your existing email server to relay all ActiveSync email traffic to Workspace ONE UEM-enrolled devices.

Based on the settings you define in the Workspace ONE UEM console, the SEG filters all communication requests from individual devices that connect to the SEG.

Note: This guide contains information about the SEG V2. The SEG Classic software is being discontinued and end of life has been announced. The Classic Secure Email Gateway (SEG) installer will reach End of General Support on May 5, 2019. On December 24, 2018, the Classic SEG installer will be removed from the Resources portal. After May 5, 2019, VMware cannot guarantee full support for Classic SEG. For more information about the End-of-Life terms, see https://kb.vmware.com/s/article/2960293.

Note: To read about the Classic SEG, see the VMware AirWatch Secure Email Gateway 1811 guide at C-REQS.html.

2 The Secure Email Gateway Architecture

Deploy the SEG to enable the policy creation that determines how end users access mail on their devices. It is optimal to install the Secure Email Gateway (SEG) in a Demilitarized Zone (DMZ) or behind a reverse proxy server.

The SEG is an on-premises component that you install as part of your organization's network. The SEG Proxy model requires an Exchange ActiveSync infrastructure such as Microsoft Exchange, IBM Notes Traveler, or G Suite. For more information on the SEG, contact Workspace ONE Support.

Note: Workspace ONE UEM only supports the versions of third-party email servers currently supported by the email server provider. When the provider deprecates a server version, Workspace ONE UEM no longer supports integration with that version.

SEG Setup with Exchange ActiveSync

Workspace ONE UEM best practices support this configuration. The SEG is placed in the DMZ for routing mobile email traffic.

Note: VMware recommends configuring the SEG with Exchange ActiveSync to route mobile email traffic.

Exchange ActiveSync SEG Using Optional Reverse Proxy Configuration

The reverse proxy configuration uses an optional reverse proxy to direct the mobile device traffic to the SEG Proxy while routing browser traffic directly to the webmail endpoints. Use the following network configuration to set up the reverse proxy to communicate between devices and the SEG using the Exchange ActiveSync (EAS) protocol.

Recommendations for Reverse Proxy Configuration

Exchange ActiveSync is a stateless protocol, and session persistence is not explicitly required by Microsoft. The best load-balancing method varies between implementations. Use the following information to meet the recommended load-balancing requirements efficiently.

- IP-based affinity: Configure IP-based affinity if you are using certificate authentication and there is no proxy or other component in front of the load balancer that changes the source IP from the original device. If such a component is present, every device appears to come from its IP address and IP-based affinity pins all of them to a single SEG.
- Authentication-header or cookie-based affinity: Configure this if you are using Basic authentication, especially if there is a proxy or other network component that changes the source IP from the original device.

3 Requirements for the Secure Email Gateway (V2)

To successfully deploy the SEG, you must meet the UEM console requirements, hardware requirements, software requirements, and network recommendations.

UEM Console Requirements

- All currently supported UEM console versions. See the Workspace ONE UEM console release and End of General Support Matrix document for details on the currently supported versions.
- REST API must be enabled for the Organization Group.

Prerequisite: Enable REST API

To configure the REST API URL for your Workspace ONE UEM environment:

1. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
2. Workspace ONE UEM gets the API certificate from the REST API URL, that is, from the Site URLs page located at Groups & Settings > All Settings > System > Advanced > Site URL. For SaaS deployments, the API URL must be in the asXX.awmdm.com format.

You can configure the SEG V2 at a container organization group that inherits the REST API settings from a customer type organization group.

Hardware Requirements

A SEG V2 server can be either a virtual (preferred) or physical server.

Note the following when deploying SEG V2:

- An Intel processor is required. CPU cores should each be 2.0 GHz or higher.
- The minimum requirements for a single SEG server are 2 CPU cores and 4 GB RAM.
- When installing the SEG servers in a load-balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU cores and 8 GB RAM can be supported by either:
    - One single SEG server with 4 CPU cores and 8 GB RAM.
    - Two load-balanced SEG servers, each with 2 CPU cores and 4 GB RAM.

- 5 GB of disk space is needed per SEG and dependent software. This does not include system monitoring tools or additional server applications.

Software Requirements

- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019

Networking Requirements

The SEG uses the following default ports:

Source Component | Destination Component | Protocol | Port | Description
Devices (from Internet and Wi-Fi) | SEG | HTTPS | 443 | Devices request mail from SEG.
Console Server | SEG | HTTPS | 443 | Console sends administrative commands to SEG.
SEG | Workspace ONE UEM REST API (Device Services (DS) or Console Server (CN) server) | HTTP or HTTPS | 80 or 443 | SEG retrieves the configuration and general compliance policy information.
SEG | Internal hostname or IP of all other SEG servers | TCP | 5701 and 41232 | If SEG clustering is used, SEG communicates with the shared policy cache across the other SEGs for updates and replication.
SEG | localhost | HTTP | 44444 | Admin accesses the SEG server status and diagnostic information from the localhost machine.
Device Services | SEG | HTTPS | 443 | Enrollment events and real-time compliance are communicated to SEG.
SEG | Exchange | HTTP or HTTPS | 80 or 443 | Verify that the following URL is accessible from the browser on the SEG server and prompts for credentials: http(s)://Exchange-Server-FQDN/Microsoft-Server-ActiveSync

The SEG V2 requires that TLS 1.1 or 1.2 is supported on the client's email server, preferably TLS 1.2. It is recommended that the client follow the guidelines of the email system and the OS manufacturer.
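The last row of the port table and the TLS requirement after it are the two things worth verifying from the SEG host itself before installing: the ActiveSync URL must answer with a credential challenge, and the hop must negotiate TLS 1.2 (TLS 1.1 is the documented minimum). The script below is an added example and not part of the VMware guide or the SEG product; the decision logic is separated from the network call so it can be checked against constructed responses. Exchange-Server-FQDN is the guide's placeholder; the finding strings are this script's own.

```python
"""Pre-flight check for the SEG -> Exchange hop: probe
http(s)://<fqdn>/Microsoft-Server-ActiveSync and report anything that would
break SEG proxying. Added example, not VMware's tooling."""
import ssl
import socket
import urllib.request
import urllib.error

EAS_PATH = "/Microsoft-Server-ActiveSync"


def evaluate_probe(status, headers, tls_version):
    """Turn raw probe results into a list of findings (empty list = ready).

    status:      HTTP status the endpoint returned
    headers:     response headers as a dict (looked up case-insensitively)
    tls_version: e.g. "TLSv1.2", or None when the probe was plain HTTP
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    if status == 401:
        if "www-authenticate" not in hdrs:
            findings.append("401 without WWW-Authenticate: server is not challenging for credentials")
    elif status == 200:
        # Anonymous access to the EAS virtual directory is a misconfiguration:
        # SEG could never attribute the traffic to a mailbox.
        findings.append("200 without authentication: ActiveSync virtual directory allows anonymous access")
    else:
        findings.append(f"unexpected status {status}: expected a 401 credential prompt")

    if tls_version is None:
        findings.append("plain HTTP: credentials and mail would cross the SEG-Exchange hop unencrypted")
    elif tls_version == "TLSv1.2":
        pass                      # the preferred version
    elif tls_version == "TLSv1.1":
        findings.append("TLSv1.1 negotiated: supported, but TLS 1.2 is preferred")
    else:
        findings.append(f"{tls_version} negotiated: guide documents TLS 1.1 or 1.2 only")
    return findings


def probe_eas(exchange_fqdn, use_tls=True, timeout=5):
    """Run the live probe: a TLS handshake to learn the negotiated version,
    then an OPTIONS request (the method devices send first) to read the
    status and headers. Returns evaluate_probe()'s findings."""
    scheme = "https" if use_tls else "http"
    tls_version = None
    if use_tls:
        ctx = ssl.create_default_context()
        with socket.create_connection((exchange_fqdn, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=exchange_fqdn) as tls:
                tls_version = tls.version()
    req = urllib.request.Request(f"{scheme}://{exchange_fqdn}{EAS_PATH}", method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        status, headers = err.code, dict(err.headers)   # the expected 401 lands here
    return evaluate_probe(status, headers, tls_version)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = probe_eas(sys.argv[1])
    else:
        # Constructed sample response, no network: a 401 challenge over TLS 1.1
        findings = evaluate_probe(401, {"WWW-Authenticate": 'Basic realm="EAS"'}, "TLSv1.1")
    for line in findings or ["OK: EAS endpoint challenges for credentials over TLS 1.2"]:
        print(line)
```

Run it as `python probe_eas.py mail.example.com` from the SEG server, since the point of the check is the path from that host, not from an administrator's workstation. An empty result means the hop is ready; a 200 or a plain-HTTP result should be fixed on the Exchange side rather than worked around with the Ignore SSL Errors switch.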

Recommendations

Requirement | Notes
Remote access to Windows Servers available to Workspace ONE UEM and administrator rights | Set up the Remote Desktop Connection Manager for multiple server management. You can download the installer from the Microsoft download center.
Installation of Notepad (Recommended) | This application makes it easier to parse through the log files.
Ensure Exchange ActiveSync is enabled for a test account | 
Ensure you have remote access to the servers where Workspace ONE UEM is installed | Typically, Workspace ONE UEM consultants perform installations remotely over a web meeting or screen share. Some customers also provide Workspace ONE UEM with VPN credentials to directly access the environment.

This chapter includes the following topics:

- SEG Support on UAG
- Configuring for High Availability and Disaster Recovery
- Configure the SEG V2
- Configure Outbound Proxy between SEG V2 and the Email Server
- Install the Secure Email Gateway (V2)
- Configure the SEG V2 EWS Proxy for Email Notification Service
- Configure the External Configuration File
- Configure a Different Hostname for Exchange Web Service
- The SEG V2 Admin Page
- Channel SEG Logs to the Syslog Server
- Channel SEG Logs to the Syslog Server on the Unified Access Gateway
- Migrate from the Secure Email Gateway Classic to Secure Email Gateway V2

SEG Support on UAG

SEG provides secure access to your organization's on-premises email as part of the Unified Access Gateway (UAG) platform. Before deploying SEG on UAG, you must complete the MEM configuration using the Workspace ONE platform.

SEG has the following constraints when deployed on UAG:

- The SEG service on the UAG appliance listens on the port configured under the Server Settings in the MEM configuration.

- The UAG does not support any non-encrypted protocols. Therefore, SEG only supports SSL re-encryption (SSL bridging) or SSL pass-through.
- If your API server or email server is using self-signed certificates, the corresponding trusted certificates must be uploaded through the UAG Admin UI or referenced during the PowerShell deployment.
- SEG on UAG always uses ports 5701 and 41232 for the clustering ports in the MEM configuration. You cannot configure clustering ports other than 5701 and 41232 with UAG.
- Consider deploying SEG on dedicated UAG instances, as SEG requires additional resources that might strain your existing deployment. The Workspace ONE team is evaluating the performance of combining SEG with other edge services on UAG.

For more information about SEG support on UAG, see the Secure Email Gateway on Unified Access Gateway topic in the Deploying and Configuring VMware Unified Access Gateway guide.

Configuring for High Availability and Disaster Recovery

SEG can be configured in high availability and disaster recovery environments with both clustering and non-clustering server configurations. The high availability and disaster recovery setups are independent of the cluster configuration.

Use a load balancer to achieve the desired high availability and disaster recovery configuration. The same public host name must be used for the SEG servers across the data centers to ensure that users need not reauthenticate when a SEG server failover occurs.

The following are the characteristics of running SEG in clustered and non-clustered server environments:

Non-clustered server configuration:
- Each SEG is updated independently.
- Failover can be performed at the load balancer.

Clustered server configuration:
- Each data center must have its own MEM configuration and an external URL to update the MEM configuration's cluster.
  Note: The external URL need not match the URL used by devices to access email; instead, the UEM console uses the external URL to send policy updates to the appropriate cluster configuration.
- Internal IP addresses or hostnames, rather than public IP addresses, are used for clustering.
- Device EAS profiles must use a third URL that can be failed over between data centers.
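The rules above (internal addresses for cluster hosts, the fixed 5701/41232 ports on UAG, a separate fail-over URL for device profiles, one device-facing host name across data centers) and the two fail-open switches described later under Configure the SEG V2 (Ignore SSL Errors and Allow email flow if no policies are present) are easy to get wrong in a two-data-center build. The checker below is an added example, not part of the VMware guide or the UEM console; the console does not export its MEM settings in this form, so the dictionary keys and the sample configurations are assumptions for illustration.

```python
"""Sanity checks for SEG V2 MEM configurations in an HA/DR layout.
Added example; the config dictionary layout is assumed, not a console export."""
import ipaddress
from urllib.parse import urlparse

UAG_CLUSTER_PORTS = {5701, 41232}   # fixed when SEG runs on UAG (from the guide)


def _is_public_ip(host):
    """True only for a literal, globally routable IP address. Host names cannot
    be classified offline, so they are let through."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def validate_mem_config(cfg, on_uag=False):
    """Return (errors, warnings) for one data center's MEM configuration."""
    errors, warnings = [], []

    if urlparse(cfg.get("external_url", "")).scheme != "https":
        errors.append("external_url must be https: devices send Basic or certificate credentials to it")

    # Trust-bypass and fail-open switches: permitted, but never silently.
    if cfg.get("ignore_ssl_errors_email_server"):
        warnings.append("Ignore SSL Errors (email server) enabled: SEG accepts any certificate, so an on-path attacker between SEG and Exchange is not detected")
    if cfg.get("ignore_ssl_errors_airwatch"):
        warnings.append("Ignore SSL Errors (AirWatch) enabled: policy downloads from the UEM API are not authenticated")
    if cfg.get("allow_email_flow_without_policies"):
        warnings.append("Allow email flow if no policies enabled: SEG fails open and relays mail for every device while the API is unreachable")

    if cfg.get("clustering_enabled"):
        hosts = cfg.get("cluster_hosts", [])
        if len(hosts) < 2:
            errors.append("clustering enabled with fewer than two cluster hosts")
        for host in hosts:
            if _is_public_ip(host):
                errors.append(f"cluster host {host} is a public IP; clustering must use internal addresses or host names")
        ports = {cfg.get("clustering_port"), cfg.get("distributed_cache_port")}
        if on_uag and ports != UAG_CLUSTER_PORTS:
            errors.append(f"SEG on UAG only supports cluster ports {sorted(UAG_CLUSTER_PORTS)}, got {sorted(p for p in ports if p)}")
        if not cfg.get("eas_profile_url"):
            errors.append("clustered DR layout needs a third URL for device EAS profiles that can fail over between data centers")
    return errors, warnings


def validate_dr_pair(dc_configs):
    """Cross-data-center rule: the host name devices use must be identical
    everywhere, otherwise a SEG fail-over forces re-authentication."""
    names = {urlparse(c.get("eas_profile_url") or c.get("external_url", "")).hostname
             for c in dc_configs}
    if len(names) == 1:
        return []
    return [f"device-facing host names differ across data centers: {sorted(n for n in names if n)}"]


# Constructed sample: one data center of a clustered SEG-on-UAG deployment.
SAMPLE_DC1 = {
    "friendly_name": "SEG-DC1",
    "external_url": "https://seg-dc1.example.com:443",   # console -> cluster URL
    "clustering_enabled": True,
    "cluster_hosts": ["10.10.1.11", "10.10.1.12"],        # internal addresses
    "clustering_port": 41232,
    "distributed_cache_port": 5701,
    "eas_profile_url": "https://mail.example.com",        # the shared third URL
    "allow_email_flow_without_policies": False,
    "ignore_ssl_errors_email_server": False,
    "ignore_ssl_errors_airwatch": False,
}

if __name__ == "__main__":
    dc2 = dict(SAMPLE_DC1, friendly_name="SEG-DC2",
               external_url="https://seg-dc2.example.com:443",
               cluster_hosts=["10.20.1.11", "10.20.1.12"])
    for dc in (SAMPLE_DC1, dc2):
        errs, warns = validate_mem_config(dc, on_uag=True)
        print(dc["friendly_name"], "errors:", errs, "warnings:", warns)
    print("pair:", validate_dr_pair([SAMPLE_DC1, dc2]))
```

The warnings are deliberately not errors: the guide allows both Ignore SSL Errors switches and the fail-open option, but each one trades a security property (server authentication, or policy enforcement during an API outage) for availability, and that decision should be visible in a change record rather than buried in a wizard.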

Configure the SEG V2

To implement the SEG (V2) for your email architecture, first configure the settings in the UEM console. After you configure the settings, you can download the SEG installer from the Workspace ONE resource portal.

Procedure

1. In the UEM console, navigate to Email > Settings and select Configure. The Add Email Configuration wizard displays.
2. In the Platform tab of the wizard:
   a. Select Proxy as the Deployment Model.
   b. Select the Email Type (Exchange, IBM Notes, or Google).
   c. If you selected Exchange as the email type, select the appropriate Exchange version from the drop-down menu. Click Next.
3. Configure the basic settings in the Deployment tab of the wizard and then select Next.

Setting | Description
Friendly Name | Enter a friendly name for the SEG deployment. This name is displayed on the MEM dashboard.
External URL and Port | Enter the URL and port number for the incoming mail traffic to SEG.
Listener Port | The SEG listens for device communication on this port. The default port number is 443. If SSL is enabled for SEG, the SSL certificate is bound to this port.
Terminate SSL on SEG | Enable this option if you want the SSL certificate to be served by the SEG instead of being offloaded on a web application firewall. Upload a .pfx or .p12 certificate file including the root and intermediate certificates.
Upload Locally | Select to upload the SSL certificate locally during installation.
SEG Server SSL Certificate | Select Upload to add the certificate that binds to the listening port. The SSL certificate can be installed automatically instead of being provided locally. An SSL certificate in the .pfx format with the full certificate chain and private key included must be uploaded. See the Upload the SSL Certificate after Renewal topic for the methods to upload the SSL certificate after renewal.
Email Server URL and Port | Enter the email server URL and port number in the form https://email-server-url:email-server-port. The SEG uses this URL for proxying email requests to the email server. If using Exchange Online, enter https://outlook.office365.com.
Ignore SSL Errors between SEG and email server | Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the email server and the SEG server. With this enabled, the SEG does not verify the email server's identity, so keep it for troubleshooting only.

Setting | Description
Ignore SSL Errors between SEG and AirWatch server | Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and the SEG server. Establish a strong SSL trust between Workspace ONE UEM and the SEG server using valid certificates instead of leaving this enabled.
Allow email flow if no policies are present on SEG | Select Enable to allow email traffic if SEG is unable to load the device policies from the Workspace ONE UEM API. By default, the SEG blocks all email requests if no policies are locally present on the SEG (it fails closed); enabling this option makes it fail open. Note: A list of all the device records with the corresponding compliance status is provided. SEG does not calculate the compliance of a given device by itself; instead it uses the data received from the Workspace ONE UEM console.
Enable Clustering | Select Enable to enable clustering of multiple SEG servers. When clustering is enabled, policy updates are distributed to all SEGs in the cluster. The SEGs communicate with each other through the SEG clustering port.
SEG Cluster Hosts | Add the IPs or hostnames of each server in the SEG cluster.
SEG Cluster Distributed Cache Port | Enter the port number for SEG to communicate with the distributed cache.
SEG Clustering Port | Enter the port number for SEG to communicate with the other SEGs in the cluster.

4. Select Next in the Profile tab of the wizard. If necessary, assign an email profile to the MEM configuration first.
5. On the Summary tab, review the configuration that you have just created. Select Finish to save the settings.
6. Download the SEG installer from the Workspace ONE resource portal.
7. Configure any additional settings for your SEG using the Advanced option.

Setting | Description
Use Default Settings | The Use Default Settings check box is enabled by default. To modify the advanced settings, you must clear this check box.
Enable Real-time Compliance Sync | Enable this option to send the compliance information to the SEG in real time. Without it, individual changes to the device policies are refreshed per the delta sync interval.
Required transactions | The required transactions cannot be disabled.
Optional transactions | Enable or disable the optional transactions such as Get Attachment, Search, Move Items, and so on. These are the Exchange ActiveSync (EAS) transactions that the SEG reports to the console and that are displayed in the Email List View in the Last Command column.
Diagnostic | Set the number and frequency of transactions for a device when test mode is enabled.
Sizing | Set the frequency of SEG and API server interaction.

Skip Attachment & Hyperlink transformations for S/MIME signed emails | Enable to exempt emails signed with S/MIME certificates from attachment encryption and hyperlink transformation through SEG.
Enable S/MIME repository lookup | Enable to permit automatic lookup of the S/MIME certificate managed in a hosted LDAP directory. You must restart SEG after enabling this feature.
Block Attachments | Controls the default action when SEG is unable to communicate with Workspace ONE UEM or when the local policy set is empty.
Default Message for Blocked Attachments | Configure the message that is displayed to end users when SEG blocks attachments.

Configure Outbound Proxy between SEG V2 and the Email Server

When SEG cannot reach the email server directly due to network restrictions, the traffic from SEG is routed through an outbound proxy. The outbound proxy is reachable from SEG and can in turn reach the email server.

If SEG is configured to proxy EWS requests, the outbound proxy configuration also applies to the EWS traffic. The following procedure describes the steps to enable the outbound proxy between the SEG and the email server.

Procedure

1. Log in to the SEG server.
2. Navigate to the proxy-config.json file and edit it using any text editor.
   Note: For the Windows deployment, the proxy-config.json file is in the <SEG Install Dir>\config folder, and for the SEG on UAG deployment the file is in the /opt/vmware/docker/seg/container/config folder.
3. In the JSON file, update the emailProxy field with all the details. The following table describes each field shown in the sample entry.

    "emailProxy" : {
        "enabled" : true,
        "host" : "http(s)://example.email.proxy.host:port",
        "user" : "example user",
        "password" : "example password.plaintext"
    },
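The emailProxy entry above is usually pasted by hand, which is where the two common mistakes happen: a host value that is not in protocol://host:port form, and a password written without the .plaintext suffix (SEG then treats it as already encrypted). The script below is an added example, not part of the VMware guide or the SEG product; it writes the entry in the guide's shape, validates the host, applies the suffix once, tightens the file mode while the password is still in clear text, and reports whether the restart has replaced it yet. The file paths are the ones quoted in the guide; the sample contents and the helper names are assumptions for illustration.

```python
"""Script the emailProxy entry of proxy-config.json and check its state
after the SEG restart. Added example; not VMware tooling."""
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

PLAINTEXT_SUFFIX = ".plaintext"
# Locations quoted in the guide. <SEG Install Dir> is site-specific, so it is a parameter.
UAG_CONFIG_PATH = "/opt/vmware/docker/seg/container/config/proxy-config.json"


def windows_config_path(seg_install_dir):
    return os.path.join(seg_install_dir, "config", "proxy-config.json")


def build_email_proxy(host, user=None, password=None, enabled=True):
    """Return the emailProxy dictionary in the shape the guide shows.
    host must be protocol://host:port with protocol http or https; user and
    password are optional but must be given together (basic auth only)."""
    parsed = urlparse(host)
    if parsed.scheme not in ("http", "https") or not parsed.hostname or parsed.port is None:
        raise ValueError(f"host must be http(s)://host:port, got {host!r}")
    if (user is None) != (password is None):
        raise ValueError("user and password must both be set or both be omitted")
    entry = {"enabled": bool(enabled), "host": host}
    if user is not None:
        entry["user"] = user
        # Apply the suffix exactly once, even if the caller already added it.
        entry["password"] = password if password.endswith(PLAINTEXT_SUFFIX) else password + PLAINTEXT_SUFFIX
    return entry


def update_proxy_config(path, email_proxy):
    """Replace the emailProxy key, keeping every other key in the file intact.
    Until the SEG service restarts the password is on disk in clear text, so on
    POSIX (SEG on UAG) the file is restricted to the owner; on Windows adjust
    the ACL on the config folder instead."""
    with open(path, "r", encoding="utf-8") as fh:
        cfg = json.load(fh)
    cfg["emailProxy"] = email_proxy
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    if os.name == "posix":
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return cfg


def password_still_plaintext(cfg):
    """True while the stored value still carries the .plaintext suffix, i.e.
    SEG has not yet restarted and rewritten the file with the encrypted text."""
    return cfg.get("emailProxy", {}).get("password", "").endswith(PLAINTEXT_SUFFIX)


def demo_roundtrip(directory=None):
    """Run the whole flow against a constructed proxy-config.json in a scratch
    directory (no real SEG needed). Returns (written_cfg, reloaded_cfg)."""
    directory = directory or tempfile.mkdtemp(prefix="seg-proxy-")
    path = os.path.join(directory, "proxy-config.json")
    with open(path, "w", encoding="utf-8") as fh:            # constructed starting file
        json.dump({"emailProxy": {"enabled": False}, "otherSetting": 1}, fh)
    entry = build_email_proxy("https://proxy.example.internal:3128", "svc-seg", "xyz abc")
    written = update_proxy_config(path, entry)
    with open(path, encoding="utf-8") as fh:
        reloaded = json.load(fh)
    return written, reloaded


if __name__ == "__main__":
    written, reloaded = demo_roundtrip()
    print(json.dumps(reloaded["emailProxy"], indent=2))
    print("restart pending:", password_still_plaintext(reloaded))
```

After the service restart, load the file again and expect password_still_plaintext() to return False; if it still returns True, SEG did not pick up the change (wrong path, or the service did not actually restart) and the clear-text password is still on disk.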

Field | Value or Default value | Description
enabled | Boolean flag; default value false | Set this value to true to enable the outbound proxy for the email traffic.
host | | Specify the FQDN of the proxy in the protocol://host:port format. The protocol can be http or https, and the host can be the hostname or IP address of the proxy server.
user | | Specify a user name if the proxy needs authentication. Note: Only basic authentication is supported.
password | | Specify a password if the proxy needs authentication. Enter the plain-text password with the .plaintext suffix. For example, if xyz abc is the password, provide xyz abc.plaintext as the value. Upon restart, SEG reads the configuration and overwrites the file with the encrypted password text. Until that restart the password is stored in clear text, so restrict access to the file and restart promptly.

4. Save the changes and restart the SEG service.

Install the Secure Email Gateway (V2)

Install the Secure Email Gateway (SEG) to relay all email traffic to Workspace ONE UEM-enrolled devices.

Procedure

1. Run the installer as an administrator. In the AirWatch Secure Email Gateway - InstallShield Wizard wind

