How Secure Email Gateway Airwatch works

GraceColeman,Netherlands,Professional
Published Date:17-08-2017
Chapter 7: Mobile E-mail Management

Now that we have enrolled the devices for management, whether through MDM or Workspace, we can start deploying corporate data to them. The first form of corporate data we will look at deploying is e-mail. E-mail has traditionally been one of the driving factors for providing mobile devices to users, or for provisioning content to users' personal devices. AirWatch by VMware offers multiple options for deploying e-mail to devices: support for multiple e-mail vendors, a choice between the native mail client and a container for delivery, and the option of full security, including DLP, where it is needed.

In this chapter, we will take a high-level overview of MEM and look at why the e-mail service needs protecting. We will then look at all the deployments AirWatch supports, including the supported e-mail platforms, and at how to set up SEG, Direct PowerShell, and Google Apps for Business. Once the e-mail infrastructure and/or configurations are in place within the environment, we will look at the security options and where to configure e-mail security. We will then set up and configure the profiles that deploy e-mail, before finishing with how to manage e-mail on enrolled devices and how to remove it from them.

The following topics will be covered in this chapter:
• Mobile E-mail Management overview
• Protecting e-mail
• Supported deployments
• Secure E-mail Gateway
• Direct PowerShell
• Google Apps for Business
• E-mail security configurations
• Profile setup and configuration
• Managing and removing e-mail

Mobile E-mail Management overview

Mobile E-mail Management (MEM) is the vertical within EMM that covers all the options available for e-mail deployment. Traditionally, e-mail was deployed on a corporate-owned device, provided to you by the organization, using some of the first technologies available for deploying e-mail securely. Now that mobility has grown, with the expectation that e-mail will be available on personal devices, we need MEM to deliver e-mail to users' own devices. Most importantly, we need to ensure that the e-mail is deployed securely and that the information stays contained within a secure environment.

E-mail is a huge part of how we communicate today and is most likely the most common communication method in an organization. Users rely extremely heavily on it, and having access to e-mail at any time, from anywhere, is the reality a lot of us live in. I'd imagine that most of your deployments are still scoped largely to delivering e-mail to devices, and that your focus is to continue providing that functionality, preferably in a BYOD fashion to users' personal devices. As discussed in previous chapters, there are considerations to take into account when deploying e-mail to devices. There may be laws that require you to reimburse users, or to prevent users from accessing corporate resources outside working hours because they aren't being paid. All of this falls within MEM with AirWatch and is only one component of today's EMM.

If you've already provided e-mail to users' devices as part of your deployments, you'll know how beneficial it is for users to be able to access e-mail conveniently from their mobile devices. As a technical professional, I receive hundreds of e-mails daily for different reasons, including system notifications. Always having access to my e-mail gives me the extra convenience of being more proactive in responding to alerts (as long as e-mail is still working), with the ability to manage e-mail anywhere. With MEM, AirWatch offers multiple deployment methods to meet your organization's security needs.
With AirWatch's MEM, you can expect the following as part of your deployment:
• Deployment of e-mail to multiple device manufacturers and operating systems
• The ability to deploy e-mail using the native device mail client, an AirWatch e-mail container, or a supported third-party application
• Support for multiple e-mail providers
• Enforcement of security through the MDM or Workspace deployment
• Auto-configuration of e-mail on deployment
• Enforcement of SSL
• DLP enforcement
• Compliance policies that block access to e-mail when a device is compromised or doesn't meet security requirements
• The ability to deploy and remove e-mail without affecting the user's personal information
• Enhanced security with the Secure E-mail Gateway option
• Auto-provisioning of e-mail access for users
• Attachment control
• Certificate integration for additional security
• Geofencing, to remove profiles outside specified boundaries
• Schedules, to remove profiles outside working hours if required

Protecting e-mail

As technical experts, it is critical that we understand the importance of protecting corporate e-mail within our environments. All types of information are guaranteed to be travelling through the e-mail systems. I have personally seen usernames and passwords, social security numbers, confidential business information, legal information, and credit card information, to name some examples. Working in health care, we have multiple compliance requirements we have to meet. It is critical that we are able to protect PHI and PCI data within our environment, and e-mail is a high-risk path for that information to leak.

As an organization, you will most likely have policies in place that define what an employee should and shouldn't do when it comes to e-mail usage. Such policies typically don't prevent users from using the technology to get their job done more efficiently; you and I both know that users will do what they can to be as productive as possible. For me, policies are only part of the overall controls around protecting your organization's information. As a user, you are going to use the technology provided to you without realizing the potential risk, and e-mail creates a significant risk, especially with the growing demand from users for access on their personal devices.

When it comes to e-mail delivery on mobile devices, especially personal devices, we need to fully understand the risk associated with the information in the e-mails and how easily that information can leak outside the organization. When providing e-mail to users on their personal devices, it is critical that we protect the information from leaving the boundaries of the organization and entering the user's personal world. If we as technical professionals don't enforce these controls, users won't even realize that they are doing anything wrong when they work with e-mail on their devices. For example, if there is no control over attachments in your corporate e-mail and a user downloads an attachment to their personal device, data loss has just occurred and that information could end up anywhere.

For all organizations, allowing unmanaged access to e-mail via native ActiveSync, POP, or IMAP should be considered a security risk. Even if your organization is subject to no compliance regime, your company still holds employee records and information. More importantly, there will be confidential information in e-mail from leadership, such as new strategies, organizational changes, or intellectual property, that could compromise your company if leaked. So when you provide e-mail to employees' personal devices, you need to ensure that it is secure. Some of the more important security controls you need to be aware of are as follows:
• Password-protected device or e-mail access
• Encryption of the device or the e-mail application
• Prevention of jailbroken or rooted devices
• DLP to prevent copy-and-paste or screenshot functions
• Attachment control

With AirWatch, you can protect your e-mail with multiple options for your deployment. Whether you run a Microsoft, Google, Lotus, or Novell environment, whether you want a native experience or e-mail delivered through a container, whether you need e-mail on multiple device types including iOS, Android, and Windows, and whether you need full DLP or just some security controls, all of this is possible with AirWatch's flexible MEM solution. With the options available from AirWatch, you will be able to meet your organization's security requirements with a solution that is both secure and usable.

Supported deployments

AirWatch supports multiple deployments, depending on the e-mail infrastructure you have in place and how secure you would like to make your deployment. The following mail infrastructure is supported:
• Microsoft Exchange 2003/2007/2010/2013/Office 365
• Google Apps for Business
• Lotus Domino with Lotus Notes
• Novell GroupWise
• Any e-mail infrastructure that supports Exchange ActiveSync
• Any e-mail infrastructure that supports a POP/IMAP/SMTP configuration
The following profile configurations are available to deploy e-mail to your devices once they are enrolled in AirWatch:
• Android devices: POP/IMAP/SMTP, Exchange ActiveSync, native mail client, AirWatch Mail Client, Lotus Notes, and NitroDesk TouchDown
• iOS devices: POP/IMAP/SMTP, Exchange ActiveSync, native mail client, AirWatch Inbox, and NitroDesk TouchDown
• Windows Phone 8 devices: POP/IMAP/SMTP, Exchange ActiveSync, and native mail client
• Windows Mobile devices: Exchange ActiveSync and native mail client
• Symbian devices: Exchange ActiveSync and native mail client
• Apple Mac OS X devices: POP/IMAP/SMTP, Exchange Web Services, native mail client, and Microsoft Outlook
• Windows PC devices: Exchange Web Services and Microsoft Outlook
• Windows 8/RT devices: AirWatch Inbox using Exchange ActiveSync

With AirWatch, you can deploy e-mail in its basic form, with minimal security, simply by setting up the configuration in a profile that is deployed to users. For more granular security, AirWatch offers three additional models beyond the basic profile:
• Basic profile with limited security: this can be set up for most, if not all, e-mail providers
• Secure E-mail Gateway using the proxy model: Microsoft Exchange 2003/2007/2010/2013/Office 365, Lotus Domino with Lotus Notes, Novell GroupWise using Exchange ActiveSync, and Google Apps for Business
• PowerShell using the direct model: Microsoft Exchange 2010/2013/Office 365
• Google using the direct model: Google Apps for Business

Of these options, the SEG proxy gives you the greatest security. The additional security of SEG over the direct models is the ability to encrypt and control attachments and hyperlinks, preventing them from leaving the AirWatch environment; the direct models can only decide whether a device is allowed to connect to the mail server. The basic profile is the least secure, with very few controls over e-mail.

To view the supported functionality for each model and platform, log in to the myAirWatch portal, navigate to AirWatch Resources | E-mail Management, open the Mobile E-mail Management Guide, and go to Appendix: E-mail Management Functionality.

Secure E-mail Gateway (SEG)

Now that we know what options we have for MEM deployments, we will look at how to set up and configure SEG and the benefits of using this model.

SEG overview

SEG is a proxy server installed in line with your corporate e-mail infrastructure. Once it is installed, you configure your client profiles to send all mail traffic through the SEG servers, which gives you additional security and control over e-mail delivered to mobile devices. Because every ActiveSync request passes through SEG, the gateway can inspect and rewrite content (attachments and hyperlinks) rather than merely deciding whether a device may connect. With SEG, you can provide the following additional security controls:
• Attachment control
• Hyperlink management
• Encryption enforcement
• Device approval/blocking
• Whitelisting/blacklisting of devices/users
• Compliance policies

SEG deployment options

The SEG server is always deployed within your own data center, whether you are an on-premise or a SaaS-based customer. The recommended deployment is to install it within your DMZ or behind a reverse proxy server. (The diagram in the original shows the recommended architecture for the SEG deployment.) This model can also be deployed with Microsoft Office 365 and Google Apps for Business.

SEG requirements

The next section lists all the requirements for the SEG deployment.
Prerequisites

Ensure that the SOAP API is enabled for the organization group SEG is being deployed for:
• Navigate to Groups & Settings | All Settings | System | Advanced | API | SOAP API and select Generate Client Certificate

Hardware requirements

VM or physical server | With attachment encryption, hyperlink security and tagging | Without attachment encryption, hyperlink security and tagging
Number of devices     | 1,200 devices per 1 CPU core and 2 GB RAM                  | 2,000 devices per 1 CPU core and 2 GB RAM
Disk size             | Standard OS requirements                                   | Standard OS requirements
CPU cores             | Minimum 1, maximum 8                                       | Minimum 1, maximum 8
RAM                   | Minimum 2 GB                                               | Minimum 2 GB

You can load balance the SEG servers for high availability.

Software requirements

The following lists all the software requirements for the SEG deployment:
• Supported operating systems: Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2
• Server Manager roles: IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2), or IIS 8.5 (Server 2012 R2 only)
• Server Manager role services:
° Common HTTP features: static content, default document, directory browsing, HTTP errors, HTTP redirection
° Application development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
° Management tools: IIS Management Console, IIS 6 Metabase Compatibility
Ensure that WebDAV is not installed.
• Install Application Request Routing (ARR), available at http://www.iis.net/downloads/microsoft/application-request-routing
• Enable the following Server Manager features:
° .NET Framework 3.5.1 Features (the full module)
° Telnet Client
• .NET Framework 4.0
• An externally registered DNS name
• An SSL certificate from a trusted third-party CA whose Subject or Subject Alternative Name matches that DNS name
• An IIS 443 binding using the same SSL certificate

General requirements
• Remote access to the SEG servers
• Notepad++ (recommended)
• An Exchange ActiveSync test account

Network requirements

Source             | Destination                                                      | Protocol      | Port
Internet and Wi-Fi | SEG                                                              | HTTPS         | 443
SEG                | AirWatch SOAP API                                                | HTTP or HTTPS | 80 or 443
SEG                | Other SEG servers (internal hostname or IP), for clustering (optional) | HTTP    | 8090
Device Services    | SEG                                                              | HTTPS         | 443
SEG                | Exchange                                                         | HTTP or HTTPS | 80 or 443
SEG                | Lotus Notes                                                      | HTTP or HTTPS | 80 or 443
SEG                | Google                                                           | HTTPS         | 443
SEG                | Novell GroupWise                                                 | HTTP or HTTPS | 80 or 443

Where both HTTP and HTTPS are listed, use HTTPS: on port 80 the mail content and the credentials SEG forwards on the user's behalf cross the network in clear text. The cluster traffic on 8090 is plain HTTP, so keep it confined to the internal network between the SEG nodes.

Installation

Before we install SEG, we need to enable the SEG proxy in the AirWatch Admin Console. To do this, complete the following steps:
1. Log in to the AirWatch Admin Console.
2. Navigate to E-mail Settings and click on Configure. You will be presented with the Mobile Email Management Configuration wizard.
3. Select the Email Server Type for your deployment. With Microsoft Exchange 2010/2013/Office 365 and Google Apps for Business, choose With SEG Proxy.
4. On the MEM Deployment page, complete the required information:
° Friendly Name: add a name, as this is an easy way to identify usage.
° Secure E-mail Gateway URL: the URL of your SEG, to which the policies are provisioned.
° Ignore SSL errors between SEG and AirWatch server: select this to ignore SSL errors. Doing so disables certificate validation on that link, so use it only to get past a temporary certificate problem during setup, not as a permanent setting.
° Use Basic Authentication: it is recommended that you select this and enter a Gateway Username and Gateway Password to authenticate the traffic. If this is not selected, anonymous authentication is used. Basic Authentication sends the credentials with every request and is only safe because the link is HTTPS, which is one more reason not to leave SSL errors ignored.
° Click on Test Connection to validate the connection to the SEG server.
For Google Apps for Business, you will also need the Google Apps domain, Google Apps admin username, and Google Apps admin password in addition to the information above.
5. Click on Next to go to the MEM Profile Deployment option:
° For multiple SEG deployments, you will need to associate which profile will be used for each platform through the gateway being configured. Only one gateway can be configured per device type and mail client type.
° Click on Add to add your profile deployments if required.
6. Click on Next to view the Summary page and then click on Save.

Once you have saved the configuration, navigate back to the page to view the MEM configuration and additional options:
• Navigate to E-mail Settings and then click on Configuration.
• You will see the profile you configured with the additional options:
° Add: add additional SEG servers
° Edit: edit the current SEG settings
° Advanced: modify additional settings. By default, Use Recommended Settings is selected
° Test Connection: validate that the SEG settings are correct
° Export Settings: export the settings to XML so they can be imported during SEG installation
• At the bottom of the screen, you have options to disable or delete the configuration.

Next, download the SEG installer from the Admin Console:
1. Navigate to E-mail Settings.
2. On the main screen, click on AirWatch Secure E-mail Gateway Installer to download the installer file, and copy the file to the SEG server.

Disable User Account Control (UAC) to prevent errors during installation, and re-enable it once the installation is complete.

On the SEG server, install the SEG:
1. Right-click on the installer file downloaded from the console and select Run as Administrator.
2. Click on Next on the Welcome screen.
3. Accept the End User License Agreement and click on Next.
4. Specify a destination to install the SEG or leave the default installation path (C:\AirWatch). Best practice is to install applications on a separate partition from the OS.
5. Validate that the default website is the target site and click on Next.
6. Click on Install, then on Finish once the installation completes.

Configuration

Now that SEG has been installed, we can configure its settings:
• The Secure E-mail Gateway Setup wizard should have launched automatically after installation. If not, click on the AirWatch SEG Setup shortcut on the desktop.
• On the Setup page, configure the following:
1. Enter the API Hostname, which is typically the AirWatch API service URL. For SaaS customers, it looks something like https://asxxx.awmdm.com.
2. Select Ignore SSL errors between SEG and AirWatch only if you have to; as in the console, it disables certificate validation on this link.
3. Enter the SEG admin username and password. This is an AirWatch account used to integrate with the API. If an admin account isn't set up in AirWatch, create a local admin account and assign it a role with the Allow Remote Access resource in the AirWatch Admin Console. Ensure that this account is created at the same organization group level as, or above, the organization group being configured with the SEG. Use a dedicated account for this, scoped no higher than the SEG needs, rather than a personal administrator login, since its password is stored on the SEG server.
4. If you have a proxy server, select the Enable proxy for AirWatch services communication checkbox and enter the proxy host, proxy port, and authentication information. If you select Advanced, you can instead upload the XML file exported from the console, enter the password and API hostname, and click on Next.
5. Click on Next.
• Select the organization group the SEG will be used for, then select the specific MEM configuration you created for the SEG, and click on Next.
• On the next page, configure the following:
1. Select the E-mail Server Type. For Microsoft Exchange, select the version you are using.
2. Enter the E-mail server hostname (your ActiveSync URL) and click on Verify; then enter a mailbox username and password and click on Verify. Google Apps for Business doesn't require a server hostname, as that information was entered during the configuration in the Admin Console.
3. If you selected Exchange, you also have the option of proxying webmail traffic through the gateway. Select the checkbox to route your webmail traffic through the proxy. For the Microsoft Exchange webmail proxy and for Lotus Notes, you will need the Application Request Routing (ARR) component, as stated in the requirements.
4. The Secure E-mail Gateway settings will be prepopulated with the settings entered in the AirWatch Admin Console. Any changes you make here update the AirWatch Admin Console.
5. Click on Next.
• The next screen allows you to Enable SEG Clustering. If you have multiple SEG servers for high availability or load balancing, select the option and add the following information:
° The Cluster Directory Name
° The Default Port
° The node address
° To add the additional SEG servers to the cluster, select Add Node
° Click on Next once complete
• You will see a Finished screen and then be automatically redirected to the Secure E-mail Gateway Service Settings screen. You can navigate away from this page.

You have now completed the SEG installation and configuration and are ready to set up your profile to deploy e-mail via the SEG. To upgrade the SEG, download the latest installer from the console (E-mail Settings) after an AirWatch upgrade and follow the upgrade instructions.

Direct PowerShell

Next we will look at how to set up the PowerShell integration method and the benefits of using this model.

PowerShell integration overview

Integrating PowerShell with AirWatch requires less infrastructure and is a much simpler deployment.
With PowerShell integration, AirWatch issues PowerShell commands to Microsoft Exchange to allow or reject ActiveSync access for individual devices. This lets you enforce access control by whitelisting/blacklisting users' devices, but because the mail traffic never passes through AirWatch, you cannot use the advanced features such as attachment encryption or hyperlink transformation.

PowerShell integration deployment options

The PowerShell integration model can be deployed with an AirWatch SaaS or on-premise deployment against an on-premise Exchange 2010/2013 or Office 365 infrastructure. (The diagram in the original shows the recommended architecture for the PowerShell integration deployment.)

PowerShell integration requirements

The following are the requirements for the PowerShell integration deployment:
• A service account with a mailbox that has remote PowerShell access to the Microsoft Exchange server
• The following roles are required for the integration:
° Organization Client Access role
° Mail Recipients role
° Recipient Policies role (only needed for Windows Phone 7 and BlackBerry devices)
• Access to the server-side session is required to execute Exchange commands
• Port 443 or 80 for communications
• An Exchange ActiveSync profile
• ACC is required for SaaS deployments, as covered in Chapter 3, Enterprise Integration

You will need to work with your Microsoft Exchange administrators to deploy PowerShell integration successfully.

Configuring PowerShell integration

The following six steps are required to set up PowerShell integration with AirWatch:

1. Set up the PowerShell admin user in Exchange 2010/2013:
1. Log in to the Exchange Management Console (Exchange Admin Center in Exchange 2013). Navigate to Toolbox | Role Based Access Control (RBAC) User Editor and log in as an Exchange administrator. This is the same as logging in to the Exchange Control Panel (ECP) directly and clicking on Roles and Auditing.
2. Click on New, enter a name and description, and add these roles: Mail Recipients, Organization Client Access, and Recipient Policies. Add the service account as a member and click on Save to create the new role group. Grant only these three roles; the service account's password will be stored in AirWatch, so it should not be an Organization Management member.

2. Configure IIS on the Exchange server:
1. Log in to your Exchange servers (more specifically, your Client Access Servers (CAS)), open IIS, and ensure that the PowerShell application under the default website is configured for Basic Authentication or Windows Authentication. Whichever you enable must match the Authentication Type you select in the AirWatch console later; Basic Authentication is acceptable only because the /powershell virtual directory is served over HTTPS.
2. Open the Exchange Management Shell on each of the Exchange servers and run the following command:
Set-ExecutionPolicy RemoteSigned

3. Install and configure Windows PowerShell on the AirWatch servers:
1. On the AirWatch servers, verify that PowerShell is installed.
2. Open PowerShell on each of the AirWatch servers and run the following command:
Set-ExecutionPolicy RemoteSigned

4. Configure PowerShell integration in the AirWatch Admin Console:
1. Log in to the AirWatch Admin Console.
2. Navigate to E-mail Settings and click on Configure.
3. You will be presented with the MEM configuration wizard.
4. Select Microsoft Exchange for E-mail Server Type and select Exchange 2010 / 2013 / Office 365. Then select Exchange PowerShell as the Deployment Type and click on Next.
5. On the MEM Deployment page, complete the following required information and then click on Next:
° Friendly Name: add a name, as this is an easy way to identify usage
° PowerShell URL: enter the Exchange PowerShell URL, for example, https://e-mailserverurl/powershell
° Ignore SSL errors between AirWatch and the Exchange server: select this to ignore SSL errors (the same caveat applies as for SEG: it disables certificate validation on this link)
° ACC Configuration for PowerShell integration: this is only available for multiple MEM deployments and allows you to select which ACC server to integrate with
° Use Service Account Credentials: use the AppPool service account on the ACC server
° Authentication Type: select the authentication type that matches the Exchange settings (Basic, Negotiate, or Kerberos)
° Admin Username: the username of the PowerShell service account
° Admin Password: the password of the PowerShell service account
° Test Connection: click on Test Connection to validate the configuration
° One-time sync after configuration: forces a sync once the configuration has completed
° Limit sync results: limit the sync to certain filtered groups
6. Click on Next to go to the MEM Profile Deployment option:
° For multiple MEM deployments, you will need to associate which profile will be used for each platform through the gateway being configured. Only one can be configured per device type and mail client type.
7. Click on Add to add your profile deployments if required.
8. Click on Next to view the Summary page and then click on Save.
9. Once you have saved the configuration, navigate back to the page to view the MEM configuration and additional options: navigate to E-mail Settings and then click on Configuration.

5. Start the PowerShell integration:
1. Sync all mailboxes from the AirWatch E-mail Dashboard with Exchange to import all devices that have an EAS partnership.
2. Allow devices to enroll and continue to sync daily to watch devices convert from Unmanaged to Managed.
3. Apply the AirWatch E-mail Policy to block unmanaged devices when ready.

6. Configure Exchange to quarantine or block new devices:
1. To prevent anyone from configuring access directly to Exchange using ActiveSync, configure Exchange to quarantine or block any new device when it first connects. Only devices enrolled in AirWatch will then be able to access e-mail, because AirWatch issues PowerShell commands to Exchange to allow them. This is why the default is changed last: the sync and allow commands from step 5 should already be in place for the devices you manage.
2. Open the Exchange Management Shell on an Exchange server and run one of the following commands:
° To quarantine new devices:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
° To block new devices:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

You have now completed the PowerShell integration and configuration and are ready to set up your profile to deploy e-mail to the devices.

Direct Google

The last integration option provided by AirWatch is Google Apps for Business integration.
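The Exchange side of the six-step PowerShell integration procedure above, collected into one script as an added example. This is not code from the book or from AirWatch, and the page does not state which commands AirWatch itself issues; the script shows the role group from step 1, a remote-session check for step 2, the organization default from step 6, and the per-mailbox allow/block lists (Set-CASMailbox) that an ActiveSync access decision ultimately maps to. The host name, service account, role group name, mailbox, device ID and mail addresses are placeholders, not values from the page.

```powershell
# Added example (not from the book or from AirWatch): Exchange-side commands
# for the PowerShell integration. Requires the Exchange 2010/2013 cmdlets.
# All names below are placeholders (assumptions), not values from the page.

$ExchangeFqdn  = 'mail.example.com'                 # assumption: CAS host serving /powershell
$SvcAccount    = 'CONTOSO\svc-airwatch-ps'          # assumption: service account with a mailbox
$RoleGroup     = 'AirWatch PowerShell Integration'  # assumption: role group name
$RequiredRoles = @('Mail Recipients', 'Organization Client Access', 'Recipient Policies')
$RequiredCmds  = @('Get-CASMailbox', 'Set-CASMailbox', 'Get-ActiveSyncOrganizationSettings')

# Step 1: a role group holding exactly the three roles the integration needs.
# The service account becomes a member of this group, not of Organization
# Management, so the credential stored in AirWatch stays low-privilege.
function New-AirWatchRoleGroup {
    if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $RoleGroup -Roles $RequiredRoles -Members $SvcAccount `
            -Description 'Least-privilege roles for AirWatch ActiveSync access control'
    }
}

# Step 2 check: open a remote session against /powershell with the same
# authentication type you will pick in the console, then confirm the role
# group really exposes the cmdlets AirWatch will call. A missing cmdlet means
# the RBAC assignment is wrong, not the network or the IIS authentication.
function Test-AirWatchPowerShellAccess {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [ValidateSet('Basic', 'Kerberos', 'Negotiate')][string]$Auth = 'Basic'
    )
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "https://$ExchangeFqdn/powershell" `
        -Credential $Credential -Authentication $Auth -ErrorAction Stop
    try {
        # Import only what we need; the returned module lists what was actually found.
        $proxy = Import-PSSession $session -CommandName $RequiredCmds -AllowClobber `
            -DisableNameChecking -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        $found = if ($proxy) { @($proxy.ExportedCommands.Keys) } else { @() }
        foreach ($cmd in $RequiredCmds) {
            if ($found -notcontains $cmd) {
                throw "Role group does not expose $cmd to $($Credential.UserName)"
            }
        }
        # Returns the current organization default so you can see it before step 6.
        Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients
    }
    finally {
        Remove-PSSession $session
    }
}

# Step 6: a device that only knows the EAS URL must not get mail by default.
# Quarantine keeps new partnerships visible for review (and mails the admins);
# Block rejects them outright.
function Set-DefaultActiveSyncAccess {
    param(
        [ValidateSet('Quarantine', 'Block')][string]$Level = 'Quarantine',
        [string[]]$AdminMailRecipients
    )
    $params = @{ DefaultAccessLevel = $Level }
    if ($AdminMailRecipients) { $params.AdminMailRecipients = $AdminMailRecipients }
    Set-ActiveSyncOrganizationSettings @params
}

# What an allow/block decision maps to on the mailbox: the device ID goes on the
# mailbox's allowed or blocked list. Per-mailbox lists are evaluated before the
# organization default, so a quarantined device works the moment it is allowed
# here, and a non-compliant one is cut off even where the default is Allow.
function Set-ActiveSyncDeviceAccess {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId,   # from Get-ActiveSyncDevice (2010) / Get-MobileDevice (2013)
        [Parameter(Mandatory)][ValidateSet('Allow', 'Block')][string]$Action
    )
    $cas = Get-CASMailbox -Identity $Mailbox
    # Strip the ID from both lists first so a device is never on both at once.
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs | Where-Object { $_ -and $_ -ne $DeviceId })
    $blocked = @($cas.ActiveSyncBlockedDeviceIDs | Where-Object { $_ -and $_ -ne $DeviceId })
    if ($Action -eq 'Allow') { $allowed += $DeviceId } else { $blocked += $DeviceId }
    Set-CASMailbox -Identity $Mailbox `
        -ActiveSyncAllowedDeviceIDs $(if ($allowed) { $allowed } else { $null }) `
        -ActiveSyncBlockedDeviceIDs $(if ($blocked) { $blocked } else { $null })
}

# Usage (placeholder values):
#   New-AirWatchRoleGroup
#   Test-AirWatchPowerShellAccess -Credential (Get-Credential $SvcAccount) -Auth Basic
#   Set-DefaultActiveSyncAccess -Level Quarantine -AdminMailRecipients 'eas-admins@example.com'
#   Set-ActiveSyncDeviceAccess -Mailbox 'jdoe@example.com' -DeviceId '<device ID>' -Action Allow
```

Run New-AirWatchRoleGroup and Set-DefaultActiveSyncAccess from the Exchange Management Shell as an Exchange administrator. Run Test-AirWatchPowerShellAccess from the AirWatch or ACC server with the service account's own credentials, because that is the path the integration will use; it fails, correctly, if the /powershell virtual directory's IIS authentication does not match -Auth or if the role group is missing a role.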