Mobile E-mail Management
Now that we have enrolled the devices for management whether it is MDM or
Workspace, we can start deploying corporate data to the enrolled devices. The first
form of corporate data we will look at deploying to the devices is e-mail. E-mail has
traditionally been one of the driving factors for providing mobile devices to users
or provisioning content to user's personal devices. There are multiple opportunities
available with deploying e-mails to devices with AirWatch by VMware. These
opportunities span multiple e-mail vendors, the option between native and a
container for delivery, and the option of providing full security including DLP
In this chapter, we will take a high-level overview of MEM and look at the reasons as
to why we should be protecting e-mail service. We will then look at all the supported
deployments available with AirWatch including the supported e-mail platforms.
Moving on, we will look at how to set up SEG, Direct PowerShell, and Google Apps
for Business for your deployments.
Once the e-mail infrastructure and/or configurations are set up and in place within
the environment, we will look at the security options and where to configure e-mail
security. We will then set up and configure the profiles to deploy e-mail before
finishing off with how to manage e-mail on the enrolled devices and how to remove
it from the devices.
The following topics will be covered in this chapter:
• Mobile E-mail Management overview
• Protecting e-mail
• Supported deployments
• Secure E-mail Gateway
• Direct PowerShell
• Google Apps for business
167 Mobile E-mail Management
• E-mail security configurations
• Profile setup and configuration
• Managing and removing e-mail
Mobile E-mail Management overview
Mobile E-mail Management (MEM) is the vertical within EMM that represents
all the opportunities available for e-mail deployment. Traditionally, e-mail was
most likely deployed on a corporate-owned device that was provided to you by the
organization that leveraged some of the first technologies available to deploy e-mail
securely. Now that mobility has grown with the expectation that e-mail is to be
provided on personal devices, we need MEM to provide e-mail to the user's devices.
Most importantly though, we need to ensure that the e-mail is deployed securely and
the information is contained within a secure environment.
As we are all aware, e-mail is a huge piece of how we communicate today and
most likely one of the most common communication methods in an organization.
Users rely extremely heavily on e-mail and the ability to have access to e-mail at
anytime from anywhere is a reality a lot of us live in. I'd imagine that most of your
deployments are somewhat still scoped to e-mail delivery to devices and your center
of focus is to continue to provide that functionality, preferably in a BYOD fashion to
user's personal devices. As discussed in previous chapters, there are considerations
to take when deploying e-mail to devices. There may be laws that require you to
reimburse users or prevent users from being able to access corporate resources
outside of working hours as they aren't being paid. All this falls within MEM with
AirWatch and is only a component of today's EMM.
If you've already provided e-mail to users' devices as part of your deployments,
you'll realize how beneficial it is to users to be able to access e-mail conveniently
from their mobile devices. As a technical professional, I receive hundreds of e-mails
daily for different reasons including system notifications. Always having access to
my e-mail allows for that extra convenience of being more proactive on receiving
alerts (as long as e-mail is still working) with the ability to manage e-mail anywhere.
With MEM, there are multiple different deployment methods available with
AirWatch to meet your organization's security needs. With AirWatch's MEM,
you can expect the following as part of your deployment:
• Deployment of e-mail to multiple types of device manufacturers or
• The ability to deploy e-mail using native device e-mail, an AirWatch e-mail
container, or a supported third-party application
168 Chapter 7
• Support of multiple e-mail providers
• Enforce security with deployment of MDM or workspace
• Allow auto-configuration of e-mail with deployment
• Enforcement of SSL security
• DLP enforcement
• Compliance policies to prevent access to e-mail in the event a device is
compromised or doesn't meet security needs
• The ability to deploy and remove e-mail without affecting the user's
• Enhanced security with the Secure E-mail Gateway option
• The ability to auto provision access to e-mail for users
• Attachment control enablement
• Certificate integration for additional security
• The ability to apply geofencing to remove profiles outside of
• The ability to apply schedules to remove profiles outside of working hours
As technical experts, it is critical to understand the importance of protecting
corporate e-mail within your environments. All types of information are guaranteed
to be traveling within the e-mail systems. I have personally seen information
from usernames and passwords, social security numbers, confidential business
information, legal information, credit card information to name some examples.
Working in health care, we have multiple compliances we have to obey. It is critical
that we are able to protect PHI and PCI within our environment, e-mail being a high
risk to this information leaking.
As an organization, you will most likely have policies in place that enforce what an
employee should and shouldn't be doing when it comes to e-mail usage. Although
this may be in place, it typically doesn't prevent the users from using the technology
to help them get their job done more efficiently. Even though these policies are in
place, you and I both know that users will do what they can to be as productive
For me, policies are only part of the overall controls around protecting your
organization's information. As a user, you are going to use the technology provided
to you without realizing the potential risk and e-mail creates a significant risk,
especially with the increase and demand of users requesting access with their
personal devices. When it comes to e-mail delivery on mobile devices, especially
personal devices, we need to ensure that we fully understand the risk associated
with the information within the e-mails and how easy it can be for that information
to leak outside the organization.
When looking at providing e-mail to the users on their personal devices, it is
critical that we are able to protect the information from leaving the boundaries of
the organization and entering the user's personal world. If we don't enforce these
controls as technical professionals, the users won't even realize that they are doing
anything wrong when they work with e-mail on their devices. For example, if
there is no control around the attachments within your corporate e-mail and a user
accidentally downloads that attachment to their personal device, data loss has just
occurred and that information could land anywhere.
For all organizations, allowing access to e-mails via native ActiveSync, POP, or IMAP
should be considered a security risk. Even if you don't have any compliances within
your organization, your company does maintain employee records and information.
Even more importantly, there will be some form of confidential information within
an e-mail from leadership containing new strategies, organization changes, or
intellectual property that if leaked, could compromise your company. With that, you
need to ensure that when you provide e-mail to your employee's personal devices, it
is secure. Some of the more important security controls that you need to be aware of
are as follows:
• Password-protected device or e-mail access
• Ensuring devices or e-mail applications are encrypted
• Preventing jailbroken or rooted devices
• DLP is in place to prevent copy and paste or screenshot functions
• Attachment control.
With AirWatch, you are able to protect your e-mail with multiple options available
for your deployment. Whether you are a Microsoft, Google, Lotus, or Novell
environment, or if you would like to deploy a native experience or provide e-mail
through a container, allow access to e-mail on multiple devices including iOS,
Android, and Windows, provide full DLP or just some security controls are all
possible with AirWatch's flexible MEM solution. With the options available from
AirWatch, you will be able to meet your organization's security requirements to
ensure a secure and usable solution.
There are multiple supported deployments with AirWatch depending on what
e-mail infrastructure you have in place and how secure you would like to make
The following mail infrastructure is supported with AirWatch:
• Microsoft Exchange 2003/2007/2010/2013/Office 365
• Google Apps for Business
• Lotus Domino with Lotus Notes
• Novell GroupWise
• Any e-mail infrastructure that supports Exchange ActiveSync
• Any e-mail infrastructure that supports a POP/IMAP/SMTP configuration.
The following profile configurations are available to deploy e-mail to your devices
once enrolled within AirWatch:
• Android Devices: POP/IMAP/SMTP, Exchange ActiveSync, Native Mail
Client, AirWatch Mail Client, Lotus Notes, and NitroDesk TouchDown
• iOS Devices: POP/IMAP/SMTP, Exchange ActiveSync, Native Mail Client,
AirWatch Inbox, and NitroDesk TouchDown
• Windows Phone 8 Devices: POP/IMAP/SMTP, Exchange ActiveSync,
and Native Mail Client
• Windows Mobile Devices: Exchange ActiveSync and Native Mail Client
• Symbian Devices: Exchange ActiveSync and Native Mail Client
• Apple Mac OS X Devices: POP/IMAP/SMTP, Exchange Web Services,
Native Mail Client, and Microsoft Outlook
• Windows PC Devices: Exchange Web Services and Microsoft Outlook
• Windows 8/RT Devices: AirWatch Inbox using Exchange ActiveSync
With AirWatch, you can deploy e-mail in its basic form with minimum security in
place by simply setting up the configurations in a profile to be deployed to users. For
the additional granular security, AirWatch has the option of three additional models
that can be used with your environment:
• Basic Profile with limited Security: This can be set up for most if not all
• Secure E-mail Gateway using the Proxy Model: Microsoft Exchange
2003/2007/2010/2013/Office 365, Microsoft Office 365, Lotus Domino with
Lotus Notes, Novell GroupWise using Exchange ActiveSync, and Google
Apps for Business
• PowerShell using the Direct Model: Microsoft Exchange 2010/2013/
• Google using the Direct Model: Google Apps for Business
From the preceding options, you will receive the greatest security by using the SEG
Proxy option. The additional security with SEG over direct model is the ability to
encrypt and control attachments and hyperlinks, preventing them from leaving the
AirWatch environment. The basic profile is obviously the least secure with very
minimum controls over e-mail.
To view the supported functionality between the models and supported
platforms, log in to the myairwatch portal, navigate to AirWatch
Resources > E-mail Management, open Mobile E-mail Management Guide,
and go to Appendix: E-mail Management Functionality.
Secure E-mail Gateway (SEG)
Now that we know what options we have with the MEM deployments, we will look
at how to set up and configure SEG and the benefits of using this model.
SEG serves as a proxy server that is installed in-line with your corporate e-mail
infrastructure. Once installed, you will configure your client profiles to send all
traffic through the SEG servers to allow for additional security and controls over
e-mail being delivered to mobile devices.
With SEG, you can provide the following additional security controls:
• Attachment control
• Hyperlink Management
• Encryption Enforcement
• Device Approval/Blocking
• Whitelisting/Blacklisting of Devices/Users
• Apply Compliance Policies.
SEG deployment options
The SEG server can only be deployed within your data center whether you are an
on-premise or SaaS-based customer. The recommended deployment for your SEG
is to install it within your DMZ or behind a reverse proxy server. The following
diagram shows the recommended architecture for your SEG deployment:
This model can also be deployed with Microsoft Office 365 and Google
Apps for Business.
The next section lists all the requirements for the SEG deployment.
Ensure that the SOAP API is enabled for the organization group SEG is being
• Navigate to Groups & Settings > All Settings > System > Advanced >
API > SOAP API and select Generate Client Certificate
VM or physical server    With attachment encryption,       Without attachment encryption,
                         hyperlink security and tagging    hyperlink security and tagging
Number of devices        1,200 devices per 1 CPU core      2,000 devices per 1 CPU core
                         and 2 GB RAM                      and 2 GB RAM
Disk size                Standard OS requirements
CPU cores                Minimum 1 and maximum 8 CPUs
RAM (GB)                 Minimum 2 GB RAM
You can load balance the SEG servers for high availability.
The following lists all the software requirements for the SEG deployment:
• Supported operating systems: Windows Server 2008 R2, Windows Server
2012, or Windows Server 2012 R2
• Server manager roles: IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server
2012 R2), or IIS 8.5 (Server 2012 R2 only)
• Server manager roles services
° Common HTTP features: static content, default document, directory
browsing, HTTP errors, HTTP redirection
° Application development: ASP.NET, .NET Extensibility, ASP, ISAPI
Extensions, ISAPI Filters, Server Side Includes
° Management tools: IIS Management Console, IIS 6 Metabase
Ensure WebDAV is not installed.
• Install Application Request Routing (ARR)
° It is available at http://www.iis.net/downloads/microsoft/
• Enable the following server manager features
° .NET Framework 3.5.1 Features (the full module)
° Telnet Client
• .NET Framework 4.0
• Externally registered DNS
• SSL Certificate from a trusted third party with Subject or Subject Alternative
Name of DNS
• IIS 443 binding with the same SSL certificate
• Remote access to SEG servers
• Notepad ++ (recommended)
• Exchange ActiveSync test account
Source Component     Destination Component                           Protocol        Port
Internet and Wi-Fi   SEG                                             HTTPS           443
SEG                  AirWatch SOAP API                               HTTP or HTTPS   80 or 443
SEG (optional)       Internal hostname or IP of other SEG servers    HTTP            8090
                     for clustering
Device Services      SEG                                             HTTPS           443
SEG                  Exchange                                        HTTP or HTTPS   80 or 443
SEG                  Lotus Notes                                     HTTP or HTTPS   80 or 443
SEG                  Google                                          HTTPS           443
SEG                  Novell GroupWise                                HTTP or HTTPS   80 or 443
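The software and port requirements above can be verified on the SEG host before the installer is run. The following script is an added example and is not code from the book or from AirWatch. It assumes it is run as an administrator on one of the listed Windows Server versions, that the hostnames at the top are placeholders for your AirWatch API, Exchange, and peer SEG servers, and that ARR registers an IIS global module named ApplicationRequestRouting (an assumption about the module name). It only reads configuration and opens TCP connections; it changes nothing.

```powershell
# Added example (not from the book or AirWatch): read-only pre-flight check of a
# SEG host against the software and port requirements listed in the guide.
Import-Module ServerManager
Import-Module WebAdministration

# Placeholders for your environment (constructed values, not real hosts)
$ApiHost      = 'airwatch-api.example.com'   # AirWatch SOAP API (80/443)
$ExchangeHost = 'mail.example.com'           # Exchange ActiveSync endpoint (80/443)
$PeerSegHosts = @('seg02.example.com')       # other SEG nodes for clustering (8090)

$results = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. IIS role services and features the guide requires, by ServerManager feature name
$requiredFeatures = @(
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing',
    'Web-Http-Errors', 'Web-Http-Redirect',
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ASP', 'Web-ISAPI-Ext',
    'Web-ISAPI-Filter', 'Web-Includes',
    'Web-Mgmt-Console', 'Web-Metabase',
    'NET-Framework-Core',   # .NET Framework 3.5.1 features
    'Telnet-Client'
)
foreach ($name in $requiredFeatures) {
    $f = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
    Add-Result "Feature $name" ($f -ne $null -and $f.Installed) "installed: $($f -ne $null -and $f.Installed)"
}

# 2. WebDAV must NOT be installed on a SEG server
$dav = Get-WindowsFeature -Name 'Web-DAV-Publishing' -ErrorAction SilentlyContinue
Add-Result 'WebDAV absent' (-not ($dav -ne $null -and $dav.Installed)) "installed: $($dav.Installed)"

# 3. .NET Framework 4.x present (registry key written by the 4.x installer)
$net4 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Result '.NET Framework 4' ($net4 -ne $null) "version: $($net4.Version)"

# 4. ARR installed (global module name is an assumption, see lead-in)
$arr = Get-WebGlobalModule | Where-Object { $_.Name -eq 'ApplicationRequestRouting' }
Add-Result 'ARR module' ($arr -ne $null) 'needed for Exchange webmail proxy and Lotus Notes'

# 5. HTTPS binding on 443 with a certificate attached
$binding = Get-WebBinding -Protocol https -Port 443
$ssl = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }
Add-Result 'IIS 443 binding' ($binding -ne $null -and $ssl -ne $null) "thumbprint: $($ssl.Thumbprint)"

# 6. Outbound TCP reachability from the SEG, per the port table
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}
Add-Result "TCP ${ApiHost}:443"      (Test-TcpPort $ApiHost 443)      'SEG -> AirWatch SOAP API'
Add-Result "TCP ${ExchangeHost}:443" (Test-TcpPort $ExchangeHost 443) 'SEG -> Exchange'
foreach ($peer in $PeerSegHosts) {
    Add-Result "TCP ${peer}:8090" (Test-TcpPort $peer 8090) 'SEG -> SEG clustering'
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more SEG prerequisites failed.' }
```

The inbound side of the table (Internet, Wi-Fi, and Device Services reaching the SEG on 443) cannot be proven from the SEG itself; confirm it from a client network or the load balancer once the 443 binding check passes.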
Before we install SEG, we need to enable the SEG proxy in the AirWatch Admin
Console. To do this, complete the following steps:
1. Log in to the AirWatch Admin Console.
2. Navigate to E-mail Settings and click on Configure. You will be presented
with the Mobile Email Management Configuration wizard:
3. Select the Email Server Type for your deployment. With Microsoft Exchange
2010/2013/Office 365 and Google Apps for Business, choose With SEG Proxy
4. On the MEM Deployment page, complete the required information:
° Friendly Name: Add a name, as this is an easy way to identify usage.
° Secure E-mail Gateway URL: This is the URL for your SEG to
provision the policies.
° Ignore SSL errors between SEG and AirWatch server: You can select
this to ignore SSL errors.
° Use Basic Authentication: It is recommended that you select this and
enter a Gateway Username and Gateway Password to authenticate
secure traffic. If this is not selected, anonymous authentication will
° Click on Test Connection to validate the connection to the
For Google Apps for Business, you will need the Google
Apps domain, Google Apps admin username, and Google
Apps admin password in addition to the information
5. Click on Next to go to the MEM Profile Deployment option:
° For multiple SEG deployments, you will need to associate which
profile will be used for each platform through the gateway being
Only one gateway can be configured per device type and
mail client type.
° Click on Add to add your profile deployments if required
6. Click on Next to view the Summary page and then click on Save.
Once you have saved the configuration, navigate back to the page to view the MEM
configuration and additional options and perform the following steps:
• Navigate to E-mail Settings and then click on Configuration.
• You will see the profile you configured with the additional options:
° Add: This is to add additional SEG servers
° Edit: This is to edit current SEG settings
° Advanced: This is to modify additional settings. By default, the Use
Recommended Settings is selected
° Test Connection: This validates that SEG settings are correct
° Export Settings: You can export settings to XML and import them as
an option during SEG installation
• At the bottom of the screen, you have options to disable or delete
Next, you will need to download the SEG installer from the Admin Console:
1. Navigate to E-mail Settings.
2. On the main screen, click on AirWatch Secure E-mail Gateway Installer to
download the installer file and copy the file to the SEG server.
Disable User Access Control (UAC) to prevent any errors
On the SEG server, install the SEG:
1. Right-click on the installer file downloaded from the console and select Run
2. Click on Next on the Welcome screen.
3. Accept the End User License Agreement and click on Next.
4. Specify a destination to install the SEG or leave the installation path as
default location (C:\AirWatch).
The best practice is to install applications on a separate
partition to the OS.
5. Validate that the default website is on the target site and click on Next.
6. Click on install then on Finish once the installation completes.
Now that the SEG has been installed, we can configure the settings for it:
• The Secure E-mail Gateway Setup wizard should have auto-launched after
installation. If not, click on the AirWatch SEG Setup shortcut on the desktop
• On the Setup page, configure the following:
1. Enter the API Hostname which is typically the AirWatch API
service URL. For example, it may look something like this for
2. Select Ignore SSL errors between SEG and AirWatch to ignore
any SSL errors.
3. Enter the SEG admin username and password.
This is an AirWatch account that is needed to integrate
with the API. If an admin account isn't set up in
AirWatch, create a local admin account and assign it
the allow remote access role resource in the AirWatch
admin console. Ensure that this account is created at the
same organization group level or above the organization
group being configured with the SEG.
4. If you have a proxy server, select the Enable proxy for AirWatch
services communication checkbox and enter the proxy host, proxy
port and authentication information.
If you select Advanced, you could upload the XML file
that was exported from the console, enter the password
and API hostname, and then click on Next.
5. Click on Next.
• Select the organization group the SEG will be used for, then select the
specific MEM configuration you created for the SEG, and click on Next.
• On this page, configure the following:
1. Select the E-mail Server Type. For Microsoft Exchange, select the
version you are using.
2. Enter the E-mail server hostname (your ActiveSync URL), then
click on Verify, enter a mailbox username and password, and
click on Verify.
Google Apps for Business doesn't require a server hostname
to be entered as you configured the information as part of
the configuration within the Admin Console.
3. If you selected Exchange, you also have the option of proxying web
mail traffic through the gateway. Select the checkbox to route your
webmail traffic through the proxy.
For Microsoft Exchange webmail proxy and Lotus Notes,
you will need to install the Application Request Routing
(ARR) component, as stated in the requirements.
4. The Secure E-mail Gateway settings will be prepopulated with
the settings entered in the AirWatch admin console. You can
make any changes that are needed that will update the AirWatch
5. Click on Next.
• The next screen allows you to Enable SEG Clustering. If you have multiple
SEG servers for High Availability or Load Balancing, select the option and
add the following information:
° Add the Cluster Directory Name information
° Add the Default Port information
° The node address
° To add the additional SEG servers to the cluster, select Add Node
° Click on Next once complete
• You will receive a Finished screen, and then you will be automatically
redirected to the Secure E-mail Gateway Service Settings screen. You can
navigate away from this page.
You have now completed the SEG installation and configuration and you are ready
to set up your profile to deploy e-mail via the SEG.
To upgrade the SEG, download the latest installer from the
console (E-mail Settings) after an upgrade and follow the
simple upgrade instructions.
Next we will look at how to set up the PowerShell integration method and the
benefits of using this model.
PowerShell integration overview
Integrating PowerShell with AirWatch requires less infrastructure and is a much
simpler deployment. With PowerShell integration, AirWatch issues PowerShell
commands to Microsoft Exchange to allow or reject e-mail access with ActiveSync.
This integration allows you to enforce access control by whitelisting/blacklisting
user's devices. Using this will prevent you from leveraging the advanced features
such as attachment encryption or hyperlink transformation.
PowerShell integration deployment options
The PowerShell integration model can be deployed using an AirWatch SaaS or
on-premise deployment with an on-premise Exchange 2010/2013 or Office 365
infrastructure. The following diagram shows the recommended architecture for
your PowerShell Integration deployment:
PowerShell integration requirements
The following section lists all the requirements for the PowerShell integration
• Service account with a mailbox that has remote PowerShell access to
Microsoft Exchange Server
• The following roles are required for integration:
° Organization Client Access role
° Mail Recipients role
° Recipients Policies role (only needed for Windows Phone 7 and
• Access to the server-side session is required to execute Exchange commands
• Port 443 or 80 for communications
• Exchange ActiveSync profile
• ACC is required for SaaS deployments as covered in Chapter 3,
You will need to work with your Microsoft Exchange
administrators to successfully deploy PowerShell integration.
Configuring PowerShell integration
The following six steps are required to set up PowerShell integration with AirWatch:
1. Set up PowerShell admin user in Exchange 2010/2013
1. Log in to Exchange Management console (Exchange Admin Center
in Exchange 2013). Navigate to Toolbox Role Based Control User
Editor and log in as an Exchange administrator.
This is the same as logging in to the Exchange Control Panel
(ECP) directly and clicking on Roles and Auditing.
2. Click on New, enter a name and description, and add these roles:
Mail Recipients, Organization Client Access, and Recipient Policies.
Click on Save to create the new role group.
2. Configure IIS on Exchange server
1. Log in to your Exchange servers (or more specifically, your Client
Access Servers (CAS)), open up IIS, and ensure that the PowerShell
application within your default website is configured for Basic
Authentication or Windows Authentication credentials.
2. Open up Exchange Management Shell on each of the Exchange
servers and run the following command:
3. Install and configure Windows PowerShell on AirWatch servers
1. On AirWatch servers, verify that PowerShell is installed
2. Open PowerShell on each of the AirWatch servers and run the
4. Configure PowerShell integration in the AirWatch Admin Console
1. Log in to the AirWatch Admin Console.
2. Navigate to E-mail Settings and click on Configure.
3. You will be presented with the MEM configuration wizard.
4. Select Microsoft Exchange for E-mail Server Type and select
Exchange 2010 / 2013 / Office 365. Then, select Exchange
PowerShell as the Deployment Type and click on Next.
5. On the MEM deployment page, complete the following required
information and then click on Next:
° Friendly Name: Add a name, as this is an easy way to
° PowerShell URL: Enter the Exchange PowerShell URL, for
° Ignore SSL errors between AirWatch and AirWatch Server:
You can select this to ignore SSL errors
° ACC Configuration for PowerShell integration: This is only
available for multiple MEM deployments and allows you to
select which ACC server to integrate with
° Use Service Account Credentials: This allows you to
leverage the AppPool service account on the ACC server
° Authentication Type: Select authentication to match the
Exchange settings (Basic, Negotiate, or Kerberos)
° Admin Username: Enter the username for the PowerShell
° Admin Password: Enter the password for the PowerShell
° Test Connection: Click on Test Connection to validate
° One-time sync after configuration: This forces a sync after
configuration has completed
° Limit sync results: You can limit the sync to certain
6. Click on Next to go to the MEM Profile Deployment option:
° For multiple MEM deployments, you will need to associate
which profile will be used for each platform through the
gateway being configured.
Only one can be configured per device type and mail
7. Click on Add to add your profile deployments if required.
8. Click on Next to view the Summary page and then click on Save.
9. Once you have saved the configuration, navigate back to the page
to view the MEM configuration and additional options. Navigate to
E-mail Settings and then click on Configuration.
5. Start PowerShell integration by completing the following steps:
1. Sync all mailboxes from AirWatch E-mail Dashboard with Exchange
to import all devices with the EAS partnership.
2. Allow devices to enroll and continue to sync daily to view devices as
they convert from Unmanaged to Managed.
3. Apply AirWatch E-mail Policy to block unmanaged devices
6. Configure Exchange to quarantine or block new devices by completing the
1. To prevent anyone from configuring access directly to Exchange
using ActiveSync, configure Exchange to quarantine or block any
new devices upon configuration. Only devices enrolled in AirWatch
will be able to access e-mail by issuing PowerShell commands
2. Open up Exchange PowerShell on an Exchange server and run the
° To quarantining devices:
° To block devices:
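The Exchange-side cmdlets that the six steps above rely on, as an added example that is not from the book or from AirWatch: Part A covers the service-account and role-group setup of steps 1 and 2, Part B shows the kind of remote session AirWatch opens from the ACC server in step 3 and the whitelisting/blacklisting it performs through it, and Part C shows the quarantine and block defaults of step 6. The account name, domain, server URL, mailbox, device ID, and admin address are placeholders, and the exact command the book runs in steps 2 and 3 is not reproduced here; the cmdlets chosen are an assumption about what those steps need. Cmdlet names are those of Exchange 2010/2013.

```powershell
# Added example (not from the book or AirWatch): the Exchange pieces of the
# PowerShell integration, written out so an administrator can see and audit
# what AirWatch does through the service account. All names are placeholders.

# ---- Part A: service account and role group (Exchange Management Shell) ----
$svc = 'svc-airwatch'

# Let the service account open remote PowerShell sessions (assumed to be what
# step 2 requires; the book's own command is not reproduced here)
Set-User -Identity $svc -RemotePowerShellEnabled $true

# Least-privilege role group carrying only the three roles the guide lists (step 1)
New-RoleGroup -Name 'AirWatch PowerShell Integration' `
    -Roles 'Mail Recipients', 'Organization Client Access', 'Recipient Policies' `
    -Members $svc `
    -Description 'Limits the AirWatch service account to ActiveSync access control'

# ---- Part B: what the AirWatch/ACC server does (run there, step 3) ----
# Allow locally created scripts, then open a remote Exchange session against the
# PowerShell virtual directory configured for Basic or Windows authentication
Set-ExecutionPolicy RemoteSigned -Force
$cred    = Get-Credential            # EXAMPLE\svc-airwatch and its password
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://mail.example.com/PowerShell/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

$mailbox  = 'jdoe@example.com'
$deviceId = 'ApplDEVICEIDPLACEHOLDER'   # constructed EAS DeviceId, not a real one

# Allow: a managed, compliant device is added to the mailbox allow list
Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs @{Add = $deviceId}

# Block: a device that fails compliance is moved to the blocked list
Set-CASMailbox -Identity $mailbox `
    -ActiveSyncBlockedDeviceIDs @{Add = $deviceId} `
    -ActiveSyncAllowedDeviceIDs @{Remove = $deviceId}

# Verify what Exchange now enforces for the mailbox and its partnerships
Get-CASMailbox -Identity $mailbox |
    Select-Object ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceId, DeviceAccessState, DeviceAccessStateReason

Remove-PSSession $session

# ---- Part C: organization default for unknown devices (step 6) ----
# Quarantine: new devices cannot sync until an administrator approves them,
# and the listed recipients are notified of each quarantined device
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com'

# Block: unknown devices are refused outright
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# Audit: confirm which default is in force
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel
```

Part C is what keeps the integration meaningful: with the default access level left at Allow, a device that has never enrolled in AirWatch can still create an ActiveSync partnership directly against Exchange. Quarantine holds such devices until they are approved, Block refuses them, and the per-mailbox allow list written in Part B is what lets managed devices through under either setting.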
You have now completed the PowerShell integration and configuration and you are
ready to set up your profile to deploy e-mail to the devices.
The last integration option provided by AirWatch is Google Apps for