The following topics describe the configuration of SEG V2.
To implement the SEG (V2) for your email architecture, first configure the settings on the UEM console. After you configure the settings, you can download the SEG installer from the
Workspace ONE
resource portal.
In the UEM console, navigate to
Email
>
Settings
and select
Configure
. The
ADD
wizard displays.
In the
Platform
tab of the wizard:
Select
Proxy
as the
Deployment Model
.
Select the
Email Type
(Exchange, IBM Notes, or Google).
If you selected Exchange as the email type, select the appropriate Exchange version from the drop-down menu. Click
Next
.
Configure the basic settings in the
Deployment
tab of the wizard and then select
Next
.
Friendly Name
Enter a friendly name for the SEG deployment. This name gets displayed on the MEM dashboard.
External URL and Port
Enter the URL and port number for the incoming mail traffic to SEG.
Listener Port
The SEG listens for device communication on this port. The default port number is 443. If SSL is activated on SEG, the SSL certificate is bound to this port.
Terminate SSL on SEG
Activate this option if you want SSL to terminate on the SEG itself instead of being offloaded to a web application firewall in front of it. Upload a .pfx or .p12 certificate file that includes the root and intermediate certificates.
Upload Locally
Select to upload the SSL certificate locally during installation.
SEG Server SSL Certificate
Select
Upload
to add the certificate that binds to the listening port. The SSL certificate can be installed automatically instead of being provided locally. The uploaded certificate must be in .pfx format and include the full certificate chain and the private key. See the
Upload the SSL Certificate after Renewal
section in the
Install the Secure Email Gateway (V2)
topic to understand the methods to upload the SSL certificate after renewal.
Email Server URL and Port
Enter the email server URL and port number in the form
https://<email server url>:<email server port>
. SEG proxies email requests to this URL. If using Exchange Online, enter the
https://outlook.office365.com
URL.
Ignore SSL Errors between SEG and email server
Select
Enable
to ignore Secure Socket Layer (SSL) certificate errors between the email server and the SEG server. Use this only for troubleshooting: while errors are ignored, SEG no longer authenticates the email server's certificate, so anyone positioned between SEG and the email server can intercept the mail traffic.
Ignore SSL Errors between SEG and AirWatch server
Select
Enable
to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and the SEG server. SEG receives its device compliance policies over this connection, so ignoring certificate errors lets an attacker on the path tamper with policy data.
Establish strong SSL trust between Workspace ONE UEM and the SEG server using valid certificates.
Allow email flow if no policies are present on SEG
Select
Enable
to allow the email traffic if SEG is unable to load the device policies from the Workspace ONE UEM API. By default, the SEG blocks all email requests if no policies are locally present on the SEG.
Note:
A list of all the device records with the corresponding compliance status is provided. SEG does not calculate the compliance of a given device by itself, instead uses the data received from the Workspace ONE UEM console.
Enable Clustering
Select
Enable
to activate clustering of multiple SEG servers.
When clustering is activated, policy updates are distributed to all SEGs in the cluster. The SEGs communicate with each other through the SEG clustering port.
SEG Cluster Hosts
Add the IPs or hostnames of each server in the SEG cluster.
SEG Cluster Distributed Cache Port
Enter the port number for SEG to communicate to the distributed cache.
SEG Clustering Port
Enter the port number that SEGs use to communicate with the other SEGs in the cluster.
Select
Next
in the
Profile
tab of the wizard, assign an email profile to the MEM configuration if necessary, and then select
Next
.
On the Summary tab, review the configuration that you have just created. Select
Finish
to save the settings.
Download the SEG installer from the
Workspace ONE
resource portal.
Configure any additional settings for your SEG using the
Advanced
option.
Use Default Settings
The
Use Default Settings
check box is selected by default. To modify the advanced settings, clear this check box.
Enable Real-time Compliance Sync
Activate this option to send the compliance information to the SEG in real-time. Without this, individual changes to the device policies are refreshed per the delta sync interval.
Required transactions
The
Required transactions
cannot be deactivated.
Optional transactions
Activate or deactivate optional transactions such as Get Attachment, Search, Move Items, and so on. These are the Exchange ActiveSync (EAS) transactions that SEG reports to the console; they are displayed on the
Email List View
in the
Last Command
column.
Diagnostic
Set the number and frequency of transactions for a device when the test mode is activated.
Sizing
Set the frequency of SEG and API server interaction.
Skip Attachment & Hyperlink transformations for S/MIME signed emails
Activate to exempt emails signed with S/MIME certificates from attachment encryption and hyperlink transformation by SEG. Transforming the body of a signed message would invalidate its signature.
Enable S/MIME repository lookup
Activate automatic lookup of the S/MIME certificate managed in a hosted LDAP directory. Enter the following values to configure the lookup.
LDAP URL
- Specify the URL of the LDAP server hosting the S/MIME certificates. For example,
LDAP://certs.soandso.local/o=dept,c=company
.
Authentication Type
- Specify the authentication type used by the LDAP server.
Anonymous
and
Basic
authentication are supported. If
Basic
authentication is selected, you must enter the username and password.
Certificate Attribute
- The public key attribute used on the LDAP server to specify the S/MIME certificate. For example,
userCertificate;binary
.
You must restart the SEG service after enabling this feature.
Custom Gateway Settings
SEG custom gateway settings are key-value pairs configured on the Workspace ONE UEM console. Commonly used properties are seeded on the console. For the supported key-value pairs, see the SEG Custom Gateway Settings section below.
Block Attachments
Used to control the default action when SEG is unable to communicate with the Workspace ONE UEM or when the local policy set is empty.
Default Message for Blocked Attachments
Configure the message that is displayed to end users when SEG blocks attachments.
Configuring for High Availability and Disaster Recovery
SEG can be configured in high availability and disaster recovery environments with both clustering and non-clustering server configurations. The high availability and disaster recovery setups are independent of the cluster configuration.
Use a load balancer to achieve the desired high availability and disaster recovery configuration. The same public host name must be used for the SEG servers across the data centers to ensure that the users need not reauthenticate when a SEG server failover occurs.
Clustered and non-clustered SEG configurations differ as follows:
Non-clustered server configuration:
Each SEG is updated independently.
Failover can be performed at the load balancer.
Clustered server configuration:
Each data center must have its own MEM configuration and an external URL to update the MEM configuration's cluster.
Note:
The external URL need not match the URL used by devices to access email, instead the UEM console uses the external URL to send policy updates to the appropriate cluster configuration.
Use internal IP addresses or hostnames for the cluster hosts, not public IP addresses.
Device EAS profiles must use a third URL that can be failed-over between data centers.
SEG Custom Gateway Settings
SEG V2 configuration is otherwise controlled at the individual node level. The custom gateway settings feature centralizes the configuration on the Workspace ONE UEM console as part of the MEM configuration itself.
Prerequisites
The following table lists the requirements for the SEG custom settings feature:
Configure SEG Custom Gateway Settings
The SEG custom settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM Console. To configure the custom settings, perform the following steps:
Log in to the Workspace ONE UEM console.
Navigate to Email > Settings.
Configure the
Email Settings
for SEG.
Configure the additional settings for SEG using the
Advanced
option.
Navigate to the
Custom Gateway Settings
, click
ADD ROW
, and enter the supported configuration as the key-value pair:
Key
: Enter the property or setting name.
Type
: Enter the type of value such as string, integer, and so on.
Value
: Enter the property or custom value.
Click
Save
.
Apply the Custom Gateway Settings on the SEG Service
During an installation or upgrade, if custom settings are provided on the Workspace ONE UEM console, the SEG service starts with those custom settings applied.
If the custom settings are added or updated on the Workspace ONE UEM console when the SEG service is running, then a
refreshSettings
notification is triggered for SEG. The SEG fetches the latest custom gateway settings. A few of the custom settings are applied immediately, whereas the other custom settings might require you to restart the SEG service.
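Because a custom gateway setting is applied to every SEG node as soon as it is saved, it pays to check the rows before saving. The following script is an added example and not part of SEG or its documentation: it checks a subset of the documented keys against their Type column and flags values that weaken transport security, using the documented default of -Djdk.tls.disabledAlgorithms as the baseline. The SAMPLE_SETTINGS rows are constructed.

```python
"""Pre-save lint for SEG custom gateway settings.

Added example, not part of the SEG product or its documentation. It checks the
Type column for a subset of the documented keys and flags values that weaken
transport security. DEFAULT_DISABLED_ALGORITHMS is the documented default of
-Djdk.tls.disabledAlgorithms; the SAMPLE_SETTINGS rows are constructed.
"""

# Documented value type for the keys this linter knows about (subset).
KEY_TYPES = {
    "-Djdk.tls.disabledAlgorithms": "String",
    "-Djdk.tls.ephemeralDHKeySize": "Integer",
    "-Dsyslog.enabled": "Boolean",
    "enable.cert.revocation.validation": "Boolean",
    "fail.hard.on.crl.download.failure.during.server.startup": "Boolean",
    "remote.crl.fetch.interval.in.minutes": "Integer",
    "remote.crl.distribution.http.uris": "String",
    "cert.mapping.ignore.ldap.ssl.errors": "Boolean",
    "smime.lookup.ignore.ldap.ssl.errors": "Boolean",
    "force.client.cert.for.ssl.handshake": "Boolean",
    "hide.seg.info.on.health.monitor.response": "Boolean",
}

# Documented default. Anything dropped from it re-enables a protocol, cipher
# or key size that the default rejects.
DEFAULT_DISABLED_ALGORITHMS = (
    "MD5, RC4, TLSv1, TLSv1.1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, "
    "DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, "
    "EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_GCM_SHA384"
)

# Keys whose TRUE value turns off certificate validation on an outbound connection.
IGNORE_SSL_KEYS = (
    "cert.mapping.ignore.ldap.ssl.errors",
    "smime.lookup.ignore.ldap.ssl.errors",
)


def parse_algorithm_list(value):
    """Split a comma-separated jdk.tls.disabledAlgorithms value into entries."""
    return {entry.strip() for entry in value.split(",") if entry.strip()}


def is_true(value):
    return value.strip().lower() == "true"


def check_type(key, value):
    """Return a message if the value does not match the documented type."""
    expected = KEY_TYPES.get(key)
    if expected == "Boolean" and value.strip().lower() not in ("true", "false"):
        return f"{key}: expected Boolean, got {value!r}"
    if expected == "Integer":
        try:
            int(value)
        except ValueError:
            return f"{key}: expected Integer, got {value!r}"
    return None


def lint_settings(settings):
    """Return a list of findings for a dict of key -> value rows."""
    findings = [m for m in (check_type(k, v) for k, v in settings.items()) if m]

    if "-Djdk.tls.disabledAlgorithms" in settings:
        removed = (parse_algorithm_list(DEFAULT_DISABLED_ALGORITHMS)
                   - parse_algorithm_list(settings["-Djdk.tls.disabledAlgorithms"]))
        findings.extend(
            f"-Djdk.tls.disabledAlgorithms re-enables {entry}" for entry in sorted(removed))

    for key in IGNORE_SSL_KEYS:
        if is_true(settings.get(key, "false")):
            findings.append(f"{key}=true disables LDAP server certificate validation")

    if (is_true(settings.get("fail.hard.on.crl.download.failure.during.server.startup", "false"))
            and not settings.get("remote.crl.distribution.http.uris")):
        findings.append("fail.hard.on.crl.download.failure.during.server.startup has no "
                        "effect without remote.crl.distribution.http.uris")

    if not is_true(settings.get("hide.seg.info.on.health.monitor.response", "false")):
        findings.append("hide.seg.info.on.health.monitor.response is not true: /health and "
                        "/lb-health disclose the SEG version and build")
    return findings


# Constructed rows, as an administrator might enter them on the console.
SAMPLE_SETTINGS = {
    "-Djdk.tls.disabledAlgorithms": ("MD5, RC4, SSLv2Hello, SSLv3, DSA, DES, 3DES, "
                                     "DH keySize < 1024, EC keySize < 224"),
    "-Djdk.tls.ephemeralDHKeySize": "2048",
    "smime.lookup.ignore.ldap.ssl.errors": "true",
    "fail.hard.on.crl.download.failure.during.server.startup": "yes",
    "hide.seg.info.on.health.monitor.response": "true",
}

if __name__ == "__main__":
    for finding in lint_settings(SAMPLE_SETTINGS):
        print(finding)
```

The sample trips the Boolean type check (a value of yes is rejected by the console as well), re-enables TLSv1, TLSv1.1 and every static-RSA suite that the default disables, and turns off LDAP certificate validation for the S/MIME lookup. Extend KEY_TYPES with the remaining documented keys as you adopt them.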
Supported Configuration for the Custom Gateway Settings
The following section lists all the supported SEG properties or settings for the custom settings feature.
Note:
The properties or settings are grouped based on feature or functionality. The custom settings can be added on the Workspace ONE UEM console in any order.
JVM Arguments or System Settings
The JVM arguments or system settings property keys start with
-D
. If the property value is modified, SEG updates the custom system settings in the
segServiceWrapper.conf
(for Windows) or
seg-jvm-args.conf
(for UAG). If the system setting is updated when the SEG service is running, then the SEG triggers a service restart.
You can configure the
seg.custom.settings.service.restart.code=0
property in the
application-override.properties
file to deactivate the automatic restart of the SEG service.
-Djdk.tls.disabledAlgorithms
Comma-separated list of TLS algorithms, ciphers, and versions to be deactivated.
String
MD5, RC4, TLSv1, TLSv1.1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
If the modified value is detected, restart automatically.
-Djdk.tls.ephemeralDHKeySize
Customize the strength of the ephemeral DH key size used internally during the TLS or DTLS handshake. The system property does not impact the DH key sizes in the
ServerKeyExchange
messages for exportable cipher suites.
The setting affects the DH key sizes of the DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the Oracle JSSE provider. For more information, see Customizing Size of Ephemeral Diffie-Hellman Keys.
Integer
If the modified value is detected, restart automatically.
-Dsyslog.enabled
Flag to activate the syslog configuration for SEG.
Boolean
TRUE - For the UAG deployment
FALSE - For the Windows deployment
If the modified value is detected, restart automatically.
-Dsyslog.host
Host address of the syslog server.
The host address value can be configured with any remote syslog server hostname or IP address that listens over UDP.
If syslog to the remote server is configured with the TCP or TLS, then point to a local host syslog listener that can retransmit using the required protocol over the wire.
The in-built UAG syslog configuration can function as the local retransmitter.
String
localhost
If the modified value is detected, restart automatically.
-Dkerberos.process.recycle.time
Specify the Kerberos process recycle time, when activated.
Process recycling can be activated using the property
-Denable.kerberos.process.recycle
.
Time in the hh24:mm:ss format
23:59:59
If the modified value is detected, restart automatically.
Maximum java heap memory for the service in Mebibytes (MiB).
For example, 8 GiB of RAM can be configured as 8192.
If the system property is not configured, the value is determined dynamically during SEG service installation based on the system configuration.
If the modified value is detected, restart automatically.
-Dsyslog.facility
Syslog facility as defined by the Syslog server.
String
If the modified value is detected, restart automatically.
-Dsyslog.port
Syslog listener port that the SEG points to.
Integer
If the modified value is detected, restart automatically.
-Denable.kerberos.process.recycle
SEG can be configured to recycle the native Kerberos client processes when the Kerberos based authentication is activated.
Boolean
FALSE
If the modified value is detected, restart automatically.
enable.boxer.ens.ews.proxy
Flag to activate SEG to listen for the EWS traffic and proxy the same to the configured Exchange EWS endpoint.
By default, SEG proxies the EWS requests to the email server host configured as part of the MEM configuration. However, a different host can be configured using the
ews.email.server.host.and.port
property.
Boolean
FALSE
Restart the SEG service.
ews.email.server.host.and.port
If the email server hostname for the EWS is different than the EAS, then use this property to configure the EWS email server hostname.
When the host name for the EWS connection is used from the
ews.email.server.host.and.port
property, all the other HTTP connection parameters remain the same, similar to the EAS parameters.
If the host uses a self-signed certificate, the corresponding trusted certificate must be added to SEG separately.
EWS proxy can be activated using flag
enable.boxer.ens.ews.proxy
.
No user action required.
http.response.status.code.for.connection.terminated.with.ews
HTTP response code for the EWS request when a connection error occurs between the SEG and the Exchange.
Integer
No user action required.
proxy.email.request.on.kerberos.error
Flag to proxy the request to the email server anyway if an error occurs while generating the KCD token.
Boolean
No user action required.
response.status.code.on.kerberos.error.for.non.ping
HTTP response code for commands other than PING and OPTIONS when Kerberos token generation fails.
Integer
No user action required.
response.status.code.on.kerberos.error.for.ping
If the
proxy.email.request.on.kerberos.error
property is set to false, then the
response.status.code.on.kerberos.error.for.ping
is the HTTP status code returned during a Kerberos error for the PING command request.
Integer
No user action required.
response.status.code.on.kerberos.error.for.options.method
HTTP response code for the OPTIONS command when Kerberos token generation fails.
Integer
No user action required.
response.status.code.on.certificate.validation.fail
HTTP response code returned when certificate authentication is activated and SEG's validation of the client certificate fails.
If the flag
force.client.cert.for.ssl.handshake
is activated, a request with a missing or invalid certificate is instead rejected during the SSL handshake and never receives this response code.
Integer
No user action required.
enable.upn.lookup.from.subject.cn
Flag to activate lookup of the UPN (used for Kerberos authentication) from the Subject Common Name when the UPN is not present in the SAN extension of the client certificate. Because the CN then becomes the identity used for Kerberos delegation, enable this only if the trusted issuing CAs control what appears in the CN.
Boolean
FALSE
No user action required.
generate.krb5.config.at.service.restart
Flag to generate the KRB configuration file (krb5.ini in Windows or krb5.conf in UAG) when restarting the SEG service.
Boolean
Restart the SEG service.
kerberos.service.max.processes.size
Number of KCD client processes that SEG spawns.
Integer
Restart the SEG service.
kerberos.thread.pool.size.per.service
Number of threads used per KCD client process.
Integer
Restart the SEG service.
kerberos.service.health.check.frequency.in.seconds
Frequency of polling by SEG for each KCD client process.
Integer
Restart the SEG service.
kerberos.enable.performance.metrics.logging
Flag to activate time statistics for the Kerberos token handling.
Boolean
Restart the SEG service.
kerberos.process.kill.max.wait.time.in.seconds
The maximum wait time for a process to shut down, when you attempt to stop the native process.
Integer
Restart the SEG service.
kerberos.process.max.time.to.recover.in.seconds
Maximum time in seconds that a process may remain in any status other than AVAILABLE (NOT_STARTED, STARTING, FAILED_TO_START, or BUSY) before SEG recovers it, to keep the service running safely in unexpected situations.
Integer
Restart the SEG service.
kerberos.backpressure.queue.max.size
Maximum size of the backpressure queue to obtain the Kerberos token. If the backpressure queue is full, further requests are ignored.
Integer
Restart the SEG service.
kerberos.backpressure.queue.max.wait.in.seconds
Duration in seconds for which a request waits in a backpressure queue for the Kerberos token generation before being stopped.
Integer
Restart the SEG service.
enable.cert.revocation.validation
Flag to activate certificate revocation checking using CRLs. The flag is used only when certificate-based authentication (CBA) is activated. With the default of FALSE, a revoked client certificate that still chains to a trusted issuer is accepted.
Boolean
FALSE
Restart the SEG service.
fail.hard.on.crl.download.failure.during.server.startup
Flag to prevent SEG from starting if SEG is unable to fetch the CRLs at start.
The option is applicable only when any CRL distribution URL is configured using the
remote.crl.distribution.http.uris
key.
Boolean
Restart the SEG service.
remote.crl.fetch.interval.in.minutes
Interval in minutes for a periodic timer that attempts to update SEG with the latest CRL data.
Long (the value type is integer)
1440 (24 hours)
Restart the SEG service.
remote.crl.distribution.http.uris
List of HTTP URLs of CRL Distribution Points (CDP). Use the value when SEG is configured to accept the client certificates, either by enabling the
Require Client Certificate
flag or the Kerberos based authentication.
Applicable only if
enable.cert.revocation.validation
value is set to true.
String
No user action required.
kerberos.linux.named.pipe.connect.delay.millis
Delay in milliseconds before the SEG Java process attempts to listen to the named pipes that are started by the Kerberos client native processes. This delay is to ensure smooth recovery of crashed Kerberos client processes. This property is applicable only for SEG on UAG.
Since: UAG 21.03
Restart the SEG service.
cert.mapping.ldap.enabled
The flag indicates if the certificate-mapping feature is activated for SEG.
If KCD authentication is deactivated in the email configuration, the setting is ignored and treated as false.
Boolean
FALSE
Restart the SEG service.
cert.mapping.ldap.host
The remote LDAP host information in a proper URL format.
String
Restart the SEG service.
cert.mapping.ldap.authType
The authentication type used with the LDAP server for the certificate-mapping feature.
Integer
0 (simple authentication)
Restart the SEG service.
cert.mapping.ldap.user
The LDAP user for authenticating the LDAP query.
SEG uses the same service account credentials configured as part of the Kerberos authentication settings.
However for the LDAP query, the user name must be provided in the
Distinguished Name
(DN) format.
String
Restart the SEG service.
cert.mapping.ldap.attrs
List of LDAP lookup attributes used for certificate-mapping feature.
String
Restart the SEG service.
cert.mapping.ldap.server.base
Distinguished name of the base domain used for the LDAP query; the query fetches matching results from this domain.
By default, the query refers to the rootDSE of the LDAP setup. The field can be left empty when the
userCertificate
and
userPrincipalName
attributes are indexed and replicated to the global catalog.
String
Restart the SEG service.
cert.mapping.ignore.ldap.ssl.errors
Flag to ignore any SSL errors when contacting LDAP server for the certificate-mapping lookup.
Boolean
FALSE
Restart the SEG service.
cert.mapping.max.query.executor.pools
Maximum number of LDAP services created to allow the maximum concurrent LDAP queries.
Integer
Restart the SEG service.
cert.mapping.ldap.connect.timeout.millis
LDAP connect timeout in milliseconds for certificate-mapping.
Integer
Restart the SEG service.
cert.mapping.ldap.read.timeout.millis
LDAP read timeout in milliseconds for certificate-mapping.
Integer
Restart the SEG service.
cert.mapping.ldap.service.pool.size
LDAP (executor) service thread pool size.
Integer
Restart the SEG service.
cert.mapping.backpressure.queue.size
Maximum size of requests that are allowed in back pressure queue, waiting for the LDAP service for certificate-mapping lookup.
Integer
Restart the SEG service.
cert.mapping.backpressure.max.ttl.in.seconds
Maximum time a request can stay in back pressure queue waiting for the LDAP service to be available.
Integer
Restart the SEG service.
cert.mapping.wait.delay.for.concurrent.query.millis
Fixed delay waiting for a request when another request for the same UPN is in progress for getting certificate mapping.
Integer
No user action required.
bulk.update.completion.threshold.in.seconds
The timeout value in seconds to complete bulk policy update flow. If the bulk policy update does not complete within this duration, the bulk policy update is marked as failure.
Since: SEG 2.20.0, UAG 21.06
Integer
No user action required.
policy.data.not.ready.response.code
HTTP response code to be returned to the device if SEG is yet to receive all the policy data just after start, and the configuration prohibits email communication until policy data is ready.
Integer
No user action required.
ignore.duplicate.records.during.policy.update
Flag to ignore duplicate records returned from the API and to compare the size of the policy set in the SEG cache against the number of unique IDs only.
Boolean
No user action required.
policy.update.eventbus.timeout.buffer.millis
Event bus timeout in milliseconds used during a policy update.
30000
No user action required.
disable.api.policy.count.match.during.policy.update
Flag to deactivate the check that the number of policy records in the SEG cache matches the count returned by the API during a policy update.
Boolean
FALSE
No user action required.
policy.async.cache.update.completion.threshold.seconds
Maximum time in seconds that SEG waits for the cache to be asynchronously updated with new policy records during a bulk policy update.
Integer
Restart the SEG service.
cache.index.validation.eventbus.timeout.millis
Timeout duration in milliseconds for validating the cache index on all the nodes after a bulk policy update.
If validation fails, SEG retries before finally reverting the changes.
Integer
30000
No user action required.
cache.index.swap.wait.time.in.millis
Wait delay in milliseconds before swapping active and passive cache indexes after the latest policy from API is updated on the passive cache.
60000
No user action required.
cache.index.validation.max.retry.count
Number of retry attempts to validate that the cache indexes are updated in all the nodes, when clustering is activated.
Integer
No user action required.
wait.time.in.millis.before.passive.cache.cleanup.start
If the policy update fails while SEG is running in clustered mode, the cache indexes in all nodes must be brought back in sync. The
wait.time.in.millis.before.passive.cache.cleanup.start
value is the time in milliseconds that SEG waits before cleaning the passive cache, so that all nodes have sufficient time to swap the passive and active indexes if necessary.
30000
No user action required.
cache.async.update.status.check.timer.interval.millis
Interval in milliseconds for a periodic timer that validates async policy data update in cache.
10000
No user action required.
full.bulk.update.interval.in.minutes
Interval in minutes for a periodic full bulk policy update, when delta sync is activated.
Integer
1440 (24 hours)
Restart the SEG service.
validate.resource.uri.in.jwt.auth
Flag to activate validation of the resource URL in the JWT token.
Boolean
No user action required.
jwt.allowed-clock-skew-in-seconds
Maximum allowed skew in the JWT timestamps for the token to be successfully authenticated. A larger value tolerates clock drift between the UEM server and SEG but also extends the window in which an expired token is still accepted.
Integer
No user action required.
tcpip.discovery.timeout-seconds
Timeout in seconds for TCP/IP discovery of the other cluster members.
Integer
Restart the SEG service.
hazelcast.operation.call.timeout.millis
Timeout in milliseconds for a Hazelcast cache read or write operation.
60000
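To make the two JWT settings concrete, the following is an added example, not SEG code: SEG's actual token format and claim names are not documented on this page, so the example assumes HS256 with a shared key, the standard exp and nbf claims for the timestamps that the skew applies to, and the standard aud claim as the resource URL that validate.resource.uri.in.jwt.auth checks. The key, timestamps and resource URL are constructed.

```python
"""HS256 JWT validation with an allowed clock skew and a resource check.

Added example, not SEG code. Assumptions: HS256 with a shared key, standard
exp/nbf claims, and the aud claim carrying the resource URL. KEY, NOW and
RESOURCE are constructed values.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"                                  # constructed
NOW = 1_700_000_000                                              # fixed "current time" for the demo
RESOURCE = "https://seg.example.com/Microsoft-Server-ActiveSync"  # constructed resource URL


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, key):
    """Sign claims with HS256; only needed here to produce tokens to validate."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_jwt(token, key, expected_resource, allowed_skew_seconds, now,
                 validate_resource=True):
    """Return (ok, reason). The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed header"
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # The skew is applied symmetrically: exp may lie up to `skew` seconds in the
    # past and nbf up to `skew` seconds in the future.
    if "exp" in claims and now > claims["exp"] + allowed_skew_seconds:
        return False, "expired"
    if "nbf" in claims and now < claims["nbf"] - allowed_skew_seconds:
        return False, "not yet valid"
    if validate_resource and claims.get("aud") != expected_resource:
        return False, "resource mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Token that expired 20 seconds ago: accepted with a 30 s skew, rejected with 10 s.
    token = make_jwt({"aud": RESOURCE, "exp": NOW - 20, "nbf": NOW - 300}, KEY)
    print(validate_jwt(token, KEY, RESOURCE, 30, NOW))
    print(validate_jwt(token, KEY, RESOURCE, 10, NOW))
```

The resource check is what stops a token minted for one endpoint from being replayed against another; the skew only governs how stale the timestamps may be, which is why it should be kept to the few seconds your clock synchronisation actually needs.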
disable.transformation.on.inline.unknown.attachment.bytes
Flag to deactivate the attachment transformation if the MIME type cannot be identified.
Boolean
No user action required.
disable.transformation.on.inline.unknown.attachment.tag
Flag to ignore the transformation on the inline attachment tags that do not have a file extension or MIME type to be processed correctly.
Boolean
No user action required.
enable.request.transformation.by.default
Flag to activate content transformation on the request (outgoing) flow, that is, decrypting attachments and restoring the original hyperlinks that SEG transformed on the way in.
When the value is FALSE, request transformation occurs only if at least one transformation type (attachment encryption or hyperlink transformation) is activated. When the value is TRUE, request transformation always occurs.
Set the flag to TRUE if you deactivate content transformation after attachments have been encrypted or hyperlinks transformed, so that outgoing emails still carry decrypted attachments and the original hyperlinks.
Boolean
FALSE
No user action required.
email.server.request.timeout.millis
HTTP request timeout from SEG to the email server in milliseconds for the email traffic.
Since: SEG 2.20.0, UAG 21.06
Integer
1200000
No user action required.
keep.http.client.connection.alive
Flag to keep a socket connection to the email server and the API server alive to reuse the same connection for any subsequent request.
Since: SEG 2.20.0, UAG 21.06
Boolean
No user action required.
keep.email.server.client.connection.alive
Flag to keep a socket connection to the email server alive, to reuse the same connection for any subsequent request.
Note:
This key is supported up to SEG version 2.19.0 and UAG version 21.03.1. For SEG version 2.20.0 and UAG version 21.06 and later, use the key
keep.http.client.connection.alive
.
Boolean
No user action required.
api.server.connect.timeout.millis
HTTP connection timeout from SEG to the API server in milliseconds.
Integer
15000
No user action required.
email.server.connect.timeout.millis
HTTP connection timeout from SEG to the email server in milliseconds.
15000
No user action required.
force.client.cert.for.ssl.handshake
In the MEM configuration, when
Require Client Certificate
is activated in the
Advanced Settings
option, setting this flag to
TRUE
makes SEG demand the client certificate during the SSL handshake itself: a request without a valid client certificate fails the handshake and never reaches the application layer. If the flag is FALSE, the handshake completes and the request is rejected at the application layer for the missing certificate, with the status code configured in response.status.code.on.certificate.validation.fail. Requiring the certificate at the handshake is the stricter setting, because unauthenticated requests never reach the HTTP parser.
Boolean
FALSE
No user action required.
http.client.max.idle.timeout.seconds
Maximum idle timeout in seconds after which any connection is closed to release the system resources.
Integer
No user action required.
http.response.status.code.for.non.ping.on.connection.closed.failure
HTTP response code for the requests other than the PING command when the connection between the SEG and the email server closes unexpectedly.
You can use this option only if the flag
return.http.response.status.for.non.ping.on.connection.closed.failure
is activated.
Integer
No user action required.
http.response.status.code.for.ping.on.connection.closed.failure
HTTP response code for the PING command requests when the connection between the SEG and email server closes unexpectedly.
Integer
No user action required.
http.server.max.idle.timeout.seconds
Idle time in seconds after which an inbound connection to the SEG server is closed.
Integer
No user action required.
max.http.buffer.chunk.size
Maximum HTTP chunk size.
Integer
8192 (that is, 8 KB)
No user action required.
max.initial.line.length
Maximum length of the initial line of the HTTP requests ending or originating at SEG.
Integer
4096 (that is, 4 KB)
No user action required.
return.http.response.status.for.non.ping.on.connection.closed.failure
Flag to decide whether SEG sends a response to the device when a connection error occurs between SEG and the email server while serving a non-PING command.
When activated, the
http.response.status.code.for.non.ping.on.connection.closed.failure
property determines the response code.
Some email clients might show an error when the connection to SEG is abruptly closed.
Boolean
No user action required.
smime.lookup.ldap.connect.timeout.millis
LDAP connection timeout in milliseconds for the SMIME certificate lookup.
Integer
No user action required.
smime.lookup.ldap.read.timeout.millis
LDAP read timeout in milliseconds for the SMIME certificate lookup.
Integer
No user action required.
smime.lookup.ldap.server.base
Base path of the LDAP server that the SEG uses for the SMIME lookup.
String
No user action required.
smime.lookup.ignore.ldap.ssl.errors
Flag to ignore any SSL errors when contacting the LDAP server for the SMIME lookup.
Boolean
FALSE
No user action required.
resp-header.Strict-Transport-Security
Overrides the preconfigured default value of the Strict-Transport-Security header with the value configured here.
String
Max-age=31536000;includeSubDomains
No user action required.
resp-header.X-Custom-Header
Adds a header with the given name and value to all subsequent responses. X-Custom-Header is a placeholder for the header name, which follows the resp-header. prefix in the key.
String
No user action required.
kerb-conf.log_level
System log level for the
kcdclient
pipe processes that the SEG spawns.
0 - Off
1 - Error
2 - Warning
3 - Info
4 - Debug
Integer
No user action required.
kerb-conf.log_file_append
Flag to indicate if a process restart must append logs or discard old logs and truncate a file.
0 - Do not append
1 - Append
Integer
No user action required.
kerb-conf.log_file_backup_count
Maximum number of backup log files to be created when the maximum file size is reached.
Integer
No user action required.
kerb-conf.log_file_size
Maximum file size of a Kerberos process log file in MB.
Integer
No user action required.
kerb-conf.refresh_config_interval
Interval in seconds at which the settings are refreshed and any updated configuration is loaded from the file.
Integer
No user action required.
krb5-conf.<property_name>
The properties are updated in the
krb5-base.conf
file.
No user action required.
custom.response.text.for.root.and.health.api
Custom text to be sent as a response when the root path of the SEG V2 is accessed.
If
hide.seg.info.on.health.monitor.response
is set to
true
, the text is also used in the response body of the health monitoring endpoints (/health and /lb-health).
Since: SEG 2.20.0, UAG 21.06
String
No user action required.
log.device.delta.sync.payload.in.debug.mode
Flag to log the delta sync payload in debug mode.
Boolean
FALSE
No user action required.
api.server.connectivity.diagnostic.timeout.millis
When SEG verifies the connectivity to the API server to capture the diagnostic information, specify the HTTP connection timeout in milliseconds.
Integer
No user action required.
email.server.connectivity.diagnostic.timeout.millis
When SEG verifies the connectivity to the Email server to capture diagnostic information, specify the HTTP connection timeout in milliseconds.
Integer
No user action required.
high.cpu.monitoring.enabled
Flag to activate the CPU usage monitoring and to generate thread dumps beyond a threshold limit. Configure the threshold limit using the
cpu.monitor.trigger.threshold.percentage
property.
Boolean
FALSE
No user action required.
log.http.server.network.activity
Flag to activate logging of the SEG HTTP server network activity.
Boolean
FALSE
No user action required.
enable.seg.metrics.collection
Flag to activate the SEG metrics collection. When the flag is activated with the UEIP flag on the Workspace ONE UEM console, SEG reports the diagnostic information to the VMware Analytics Cloud (VAC).
Boolean
No user action required.
log.active.sync.payload.in.debug.mode
Flag to activate logging of the active synchronization payload in the active-sync-payload-reporting.log file.
Since: SEG 2.18.0, UAG 20.12
String
FALSE
No user action required.
hide.seg.info.on.health.monitor.response
Flag to deactivate the SEG version and build information in the health monitoring endpoints (/health and /lb-health).
Since: SEG 2.19.0, UAG 21.03
Boolean
False
No user action required.
logger.app
The SEG application logs are applicable for the app.log and the ews-proxy.log files.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.transactional
The transaction summary logs are applicable for the http-transaction.log, kerberos-transaction.log, and ews-transaction.log transaction log files. The default log level is Debug, and you need not change it unless you want to deactivate transactional logging.
Since: SEG 2.18.0, UAG 20.12
String
Debug
No user action required.
logger.policy.cache
The policy update and SEG cache logs are applicable for the policy-update.log and cache.log files.
Since: SEG 2.18.0, UAG 20.12
String
No user action required.
logger.kerberos.service.manager
The Kerberos service manager log is applicable for the kerberos-service-manager.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.cert.auth
The certificate-based authentication log is applicable for the cert-auth.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.compliance
Transactions for devices blocked due to non-compliance. This is applicable for the non-compliant-devices.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.content.transformation
Email content transformation, such as hyperlink and attachment transforms. This is applicable for the content-transform.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
SEG Targeted Content Logging
SEG targeted content logging is activated to troubleshoot content transformation related issues. When you activate content logging, SEG starts writing email content (before and after transformation) to the <SEG_Install_Dir>/tmp/content-logs folder.
Note:
Activate content logging only for troubleshooting and remove the property keys from the custom settings after troubleshooting. You must obtain the customer's consent before you activate content logging.
content.logging.target.all
Activate content logging for all users and devices.
Since: SEG 2.18.0, UAG 20.12
Boolean
False
No user action required.
content.logging.target.users
Activate content logging for targeted users.
Comma-separated list, for example user1, user2.
Since: SEG 2.18.0, UAG 20.12
String
No user action required.
content.logging.target.easdeviceids
Activate content logging for targeted EAS device IDs.
Comma-separated list, for example device1, device2.
Since: SEG 2.18.0, UAG 20.12
String
No user action required.
Supported Configuration for the Custom Gateway Settings from SEG 2.18.0 Version
The following section lists all the supported SEG properties or settings for the custom gateway feature that are introduced in the SEG 2.18.0 version.
Note:
In SEG 2.18.0, a few SEG properties were enhanced to provide a better user experience.
SEG Troubleshooting
The functionality of the following SEG properties is improved in SEG 2.18.0. In SEG versions before 2.18.0, activating these properties required the user to manually update the log level for the respective logger in the logback.xml file. From SEG 2.18.0, the log level for the respective logger in the logback.xml file is updated automatically.
log.active.sync.payload.in.debug.mode
Flag to activate logging of the device payload for ActiveSync reporting. The payload is written to the active-sync-payload-reporting.log file.
Since: SEG 2.18.0, UAG 20.12
String
False
No user action required.
log.http.server.network.activity
Flag to activate logging of the SEG HTTP server network activity.
Since: SEG 2.18.0, UAG 20.12
String
False
Restart SEG service
logger.app
The SEG application logs are applicable for the app.log and the ews-proxy.log files.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.transactional
The transaction summary logs are applicable for the http-transaction.log, kerberos-transaction.log, and ews-transaction.log transaction log files. The default log level is Debug, and you need not change it unless you want to deactivate transactional logging.
Since: SEG 2.18.0, UAG 20.12
String
Debug
No user action required.
logger.policy.cache
The policy update and SEG cache logs are applicable for the policy-update.log and cache.log files.
Since: SEG 2.18.0, UAG 20.12
String
No user action required.
logger.kerberos.service.manager
The Kerberos service manager log is applicable for the kerberos-service-manager.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.cert.auth
The certificate-based authentication log is applicable for the cert-auth.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.compliance
Transactions for devices blocked due to non-compliance. This is applicable for the non-compliant-devices.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
logger.content.transformation
Email content transformation, such as hyperlink and attachment transforms. This is applicable for the content-transform.log file.
Since: SEG 2.18.0, UAG 20.12
String
Error
No user action required.
SEG Content Logging
SEG content logging is activated to troubleshoot content transformation related issues. When you activate content logging, SEG starts writing email content (before and after transformation) in the SEG install directory, following the path pattern {}.
Note:
Activate content logging only for troubleshooting and remove the property keys from the custom settings after troubleshooting. You must obtain the customer's consent before you activate content logging.
content.logging.target.all
Activate content logging for all users and devices.
Since: SEG 2.18.0, UAG 20.12
Boolean
False
No user action required.
content.logging.target.users
Activate content logging for targeted users.
Comma-separated list, for example user1, user2.
Since: SEG 2.18.0, UAG 20.12
String
No user action required.
content.logging.target.easdeviceids
Activate content logging for targeted EAS device IDs.
Comma-separated list, for example device1, device2.
Since: SEG 2.18.0, UAG 20.12
String
No user action required.
Supported Configuration for the Custom Gateway Settings from SEG 2.23.0 Version
The following section lists all the supported SEG properties or settings for the custom gateway feature that are introduced in the SEG 2.23.0 version.
HTTP Request or Response
http.compression.support
Activate or deactivate HTTP compression for the SEG server. This flag indicates whether the server must support gzip or deflate compression (serving compressed responses to clients that advertise support for them in the Accept-Encoding header).
Since: SEG 2.23.0, UAG 22.07
Boolean
Restart SEG service
console.api.server.connection.pool.size
The default configuration is retrieved from the SEG gateway settings in the ConsoleAPIConfig.
Since: SEG 2.23.0, UAG 22.07
Integer
No user action required.
console.api.server.timeout.in.millis
The default configuration is retrieved from the SEG gateway settings in the ConsoleAPIConfig.
Since: SEG 2.23.0, UAG 22.07
Integer
40000
No user action required.
seg.config.retry.interval.in.minutes
The default configuration is retrieved from the SEG gateway settings in the PolicyUpdateConfig.
Since: SEG 2.23.0, UAG 22.07
Integer
No user action required.
policy.update.error.retry.count
The default configuration is retrieved from the SEG gateway settings in the PolicyUpdateConfig.
Since: SEG 2.23.0, UAG 22.07
Integer
No user action required.
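The property reference above, together with the content logging notes in the SEG 2.18.0 sections, lends itself to a small pre-deployment audit: check each custom gateway setting's type against the reference, check that the running SEG version is at least the property's "Since" version, validate logger.* values as log levels, and flag any content.logging.target.* key that is still active, since those keys write email content to disk and are meant to be removed after troubleshooting. This is an added illustrative script, not VMware's own tooling; the schema covers only a subset of the keys on this page, the settings dictionary is constructed, and the Boolean and Integer value formats are assumptions.

```python
"""Audit SEG custom gateway settings against the property reference (added example)."""

# (type, SEG version that introduced the key or None) - hand-built subset from this page.
SCHEMA = {
    "kerb-conf.log_file_size": ("Integer", None),
    "kerb-conf.log_file_backup_count": ("Integer", None),
    "high.cpu.monitoring.enabled": ("Boolean", None),
    "hide.seg.info.on.health.monitor.response": ("Boolean", "2.19.0"),
    "custom.response.text.for.root.and.health.api": ("String", "2.20.0"),
    "content.logging.target.all": ("Boolean", "2.18.0"),
    "content.logging.target.users": ("String", "2.18.0"),
    "content.logging.target.easdeviceids": ("String", "2.18.0"),
    "http.compression.support": ("Boolean", "2.23.0"),
    "console.api.server.timeout.in.millis": ("Integer", "2.23.0"),
}
# Logback levels; OFF is what "deactivate the transactional logging" amounts to.
LOG_LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "OFF"}


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def audit(settings: dict, seg_version: str) -> list:
    """Return one finding string per problem; an empty list means the settings look sane."""
    findings = []
    for key, value in settings.items():
        if key.startswith("logger."):  # log level for a named logger
            if value.upper() not in LOG_LEVELS:
                findings.append(f"{key}: '{value}' is not a log level")
            continue
        if key.startswith("krb5-conf."):  # passed through to krb5-base.conf, not typed here
            continue
        if key not in SCHEMA:
            findings.append(f"{key}: not in the property reference")
            continue
        ptype, since = SCHEMA[key]
        if since and _version(seg_version) < _version(since):
            findings.append(f"{key}: requires SEG {since}, deployment runs {seg_version}")
        if ptype == "Boolean" and value.strip().lower() not in ("true", "false"):
            findings.append(f"{key}: expected true/false, got '{value}'")
        elif ptype == "Integer" and not value.strip().isdigit():
            findings.append(f"{key}: expected an integer, got '{value}'")
        # Any active content logging target writes mail bodies under <SEG_Install_Dir>/tmp/content-logs.
        if key.startswith("content.logging.target.") and value.strip() and value.strip().lower() != "false":
            findings.append(f"{key}: content logging is active; remove the key after troubleshooting")
    return findings


# Constructed sample: one deliberate problem of each kind.
SAMPLE_SETTINGS = {
    "hide.seg.info.on.health.monitor.response": "true",
    "kerb-conf.log_file_size": "fifty",
    "logger.transactional": "Verbose",
    "content.logging.target.users": "user1, user2",
    "http.compression.support": "true",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, "2.20.0"):
        print(finding)
```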