Hi!, in this opportunity we will see how to restore a SEG connection.
Explanation of the Issue
The SEG was recently configured and deployed in your Workspace ONE UEM environment but the SEG test connection has never been successful. The following information related to the SEG deployment was collected:
• When the SEG server was first deployed, a trusted public SSL certificate was not available. So a self-signed certificate was created for seg.ucb.local and used for the SEG deployment. Now a trusted *.mycompany.com certificate is available to use.
• When the SEG server was first deployed, the Workspace ONE UEM API URL was https://wsouemadmin.mycompany.com. It has since been changed to https://wsouem.mycompany.com. This URL change has been applied to some systems, but most likely not to all systems and sub-components.
A Test Connection was run under Email > Email Settings > Configuration, the test was unsuccessful.
Resolution Overview
After examining the information, you found the cause to the SEG test connection failure to be the SSL certificate and the Workspace ONE UEM API hostname mismatch. You apply the following resolutions:
• Update the public SSL certificate for the SEG configuration in the Workspace ONE UEM console.
• Re-run the SEG installer to update the Workspace ONE UEM API URL.
• Restart the VMware AirWatch Secure Email Gateway service to update the SSL certificate.
Updating the Public SSL Certificate for the Secure Email Gateway Configuration
When the SEG was first deployed, a self-signed certificate was used since a trusted public SSL certificate was not available. A successful SEG test connection requires a trusted public SSL certificate. In this task, you replace the self-signed certificate with a trust public SSL certificate for the SEG configuration.
1. Log in to the Workspace ONE UEM console
2. Navigate to Email > Email Settings > Configuration, and click Edit.
3. Leave the settings under the Platform settings the same, click Next.
4. Under the Deployment tab and locate the Terminate SSL on SEG setting, ensure this option is set to Enable.
5. Next to SEG Server SSL Certificate, click Change to replace the certificate.
6. Click Browse.
7. Select a valid .pfx certificate, , and click Open.
8. Click Save.
9. Click Next.
10. Click Next.
11. Click Finish.
12. You then return to the SEG Configuration Summary page.
a. Scroll to the Internal Settings section, and locate the Thumbprint.
Updating the Workspace ONE UEM API URL for Secure Email Gateway
Because the SEG was configured to connect to the old Workspace ONE UEM API URL, the SEG test connection is unsuccessful. In this task, you update the Workspace ONE UEM API URL for the SEG component.
1. Download the SecureEmailGatewayInstaller_2.16.exe file.
2. Right-click the SEG installer file, and select Run as administrator.
3. Click Next.
4. In the Program Maintenance window, select Modify, and click Next.
5. In the AirWatch API Information window, the API Server Hostname is wsouemadmin.mycompany.com. Update the API Server Hostname to:
• API Server Hostname: wsouem.mycompany.com
6. Click Next.
7. Ensure the Outbound proxy checkbox is not selected, click Next.
8. Click Install.
9. When the installation completes, click Finish.
10. On the SEG VM, open Services.
a. Locate the VMware AirWatch Secure Email Gateway service,
b. Click Restart the SEG service.
11. In the Workspace ONE UEM console, navigate to Email > Email Settings > Configuration.
12. Click Test Connection. You see a Connection Succeed message.
NOTE
After the Secure Email Gateway service restarts, it might take up to 5 minutes for the service to be fully operational and re-connect to the Workspace ONE UEM API.
Setting Up a Secure Email Gateway Policy and Email Compliance Policies
After restoring the SEG test connection, your security team would like to apply a few corporate email security standards. You will configure the following email compliance policies:
1. Users receive email when the SEG test connection fails.
2. Users receive an email attachment when the SEG test connection fails.
3. When the SEG test connection succeeds, unmanaged devices stop receiving email.
1. In the Workspace ONE UEM console, navigate to Email > Email Settings > Configuration, and click Edit.
2. Click Next.
3. Scroll down to the Security Settings section, and select Enable for the Allow email flow if no policies are present on SEG option.
4. Click Next.
5. Click Next.
6. Click Finish.
7. In the Workspace ONE UEM console, navigate to Email > Compliance Policies.
a. Locate the Managed Device policy under General Email Policies list.
b. Click the red circle next to the Managed Device policy to enable the policy. The circle turns green, meaning the Managed Device policy is now active.
8. On the SEG VM, open File Explorer.
a. Navigate to This PC > Local Disk (C:) > AirWatch > SecureEmailGateway-2.16 > config,
b. locate the SEG configuration file, config.json.
c. Right-click config.json and select Edit with Notepad++.
9. Click Ctrl+F on the keyboard to open the Find dialog box.
10. In the Find what text box, enter allowattachment and click Find Next.
11. Locate the allowAttachmentUntilPolicyIsDataReady configuration, you see the setting is set to false currently.
TIP
By default, the SEG is set to block attachments when the connectivity to the Workspace ONE UEM API fails.
12. Replace the configuration value false with true.
13. Click Save.
14. Open Services on the SEG VM, then click Restart to restart the VMware AirWatch Secure Email Gateway service.
TIP
Restarting the SEG service allows the SEG to retrieve the new policies from the Workspace ONE UEM API as well as the new configuration values in the config.json file. The configuration file changes are not applied until you restart the SEG service.
Closing Notes
I hope it has been useful! See you next.