The following topics describe the configuration of SEG V2.

To implement the SEG (V2) for your email architecture, first configure the settings on the UEM console. After you configure the settings, you can download the SEG installer from the Workspace ONE resource portal.

  • In the UEM console, navigate to Email > Settings and select Configure. The ADD wizard is displayed.
  • In the Platform tab of the wizard:
  • Select Proxy as the Deployment Model.
  • Select the Email Type (Exchange, IBM Notes, or Google).
  • If you selected Exchange as the email type, select the appropriate Exchange version from the drop-down menu. Click Next.
  • Configure the basic settings in the Deployment tab of the wizard and then select Next.

    Friendly Name: Enter a friendly name for the SEG deployment. This name is displayed on the MEM dashboard.

    External URL and Port: Enter the URL and port number for the incoming mail traffic to SEG.

    Listener Port: The SEG listens for device communication through this port. The default port number is 443. If SSL is activated for SEG, the SSL certificate is bound to this port.

    Terminate SSL on SEG: Activate this option if you want the SSL certificate to be served by the SEG instead of offloading SSL on a web application firewall. Upload a .pfx or .p12 certificate file that includes the root and intermediate certificates.

    Upload Locally: Select to upload the SSL certificate locally during installation.

    SEG Server SSL Certificate: Select Upload to add the certificate that binds to the listening port. The SSL certificate can be installed automatically instead of being provided locally. An SSL certificate in the .pfx format with the full certificate chain and private key included must be uploaded. See the Upload the SSL Certificate after Renewal section in the Install the Secure Email Gateway (V2) topic for the methods to upload the SSL certificate after renewal.

    Email Server URL and Port: Enter the email server URL and port number in the form https://email server url:email server port. The SEG uses this URL for proxying email requests to the email server. If using Exchange Online, enter the https://outlook.office365.com URL.

    Ignore SSL Errors between SEG and email server: Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the email server and the SEG server.

    Ignore SSL Errors between SEG and AirWatch server: Select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and the SEG server.

    Establish a strong SSL trust between the Workspace ONE UEM and the SEG server using valid certificates.

    Allow email flow if no policies are present on SEG: Select Enable to allow the email traffic if SEG is unable to load the device policies from the Workspace ONE UEM API. By default, the SEG blocks all email requests if no policies are locally present on the SEG. Note: A list of all the device records with the corresponding compliance status is provided. SEG does not calculate the compliance of a device by itself; it uses the data received from the Workspace ONE UEM console.

    Enable Clustering: Select Enable to activate clustering of multiple SEG servers. When clustering is activated, policy updates are distributed to all SEGs in the cluster. The SEGs communicate with each other through the SEG clustering port.

    SEG Cluster Hosts: Add the IPs or hostnames of each server in the SEG cluster.

    SEG Cluster Distributed Cache Port: Enter the port number for SEG to communicate with the distributed cache.

    SEG Clustering Port: Enter the port number for SEG to communicate with the other SEGs in the cluster. Activate clustering to have multiple SEG servers operating as a cluster.
  • In the Profile tab of the wizard, assign an email profile to the MEM configuration if necessary, and then select Next.
  • On the Summary tab, review the configuration that you have just created. Select Finish to save the settings.
  • Download the SEG installer from the Workspace ONE resource portal.
  • Configure any additional settings for your SEG using the Advanced option.

    Use Default Settings: The Use Default Settings check box is selected by default. To modify the advanced settings, you must clear this check box.

    Enable Real-time Compliance Sync: Activate this option to send the compliance information to the SEG in real time. Without this, individual changes to the device policies are refreshed per the delta sync interval.

    Required transactions: The required transactions cannot be deactivated.

    Optional transactions: Activate or deactivate the optional transactions such as Get attachment, Search, Move Items, and so on. These are the Exchange ActiveSync (EAS) transactions that the SEG reports to the console; they are displayed on the Email List View in the Last Command column.

    Diagnostic: Set the number and frequency of transactions for a device when the test mode is activated.

    Sizing: Set the frequency of SEG and API server interaction.

    Skip Attachment & Hyperlink transformations for S/MIME signed emails: Activate to exempt emails signed with S/MIME certificates from attachment encryption and hyperlink transformation through SEG.

    Enable S/MIME repository lookup: Activate automatic lookup of the S/MIME certificate managed in a hosted LDAP directory. Enter the following values to configure the lookup.

  • LDAP URL - Specify the URL of the LDAP server hosting the S/MIME certificates. For example, LDAP://certs.soandso.local/o=dept,c=company.
  • Authentication Type - Specify the authentication type used by the LDAP server. Anonymous and Basic authentication are supported. If Basic authentication is selected, you must enter the username and password.
  • Certificate Attribute - The public key attribute used on the LDAP server to specify the S/MIME certificate. For example, userCertificate;binary.
  • You must restart the SEG service after enabling this feature.

    Custom Gateway Settings: The SEG custom gateway settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM console. For more information on the SEG supported key value pairs.

    Block Attachments: Used to control the default action when SEG is unable to communicate with the Workspace ONE UEM or when the local policy set is empty.

    Default Message for Blocked Attachments: Configure the message that is displayed to end users when SEG blocks attachments.
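The S/MIME repository lookup above takes an LDAP URL, an authentication type and a certificate attribute. The following is an added example, not the page's or VMware's code, that parses such a URL with the Python standard library (RFC 4516 form: scheme://host:port/baseDN?attributes?scope?filter) and reports the configuration problems a reviewer would flag before enabling the feature: Basic selected without credentials, a Basic bind over plain ldap:// (the simple-bind password then travels unencrypted), an empty base DN, or a malformed attribute name. The example URL and attribute are the ones on this page; the ldaps:// sample, the warning texts and the function names are constructed.

```python
"""Parse and sanity-check the LDAP URL used for the S/MIME certificate lookup.

Added example, not VMware's code. Uses only the standard library.
"""
import re
from urllib.parse import urlsplit, unquote

# LDAP attribute descriptions start with a letter; options such as ";binary" follow a semicolon.
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, port, base DN, attributes and scope."""
    parts = urlsplit(url)   # urlsplit lowercases the scheme, so LDAP:// is accepted
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    # Everything after the first '?' is "attributes?scope?filter?extensions".
    fields = parts.query.split("?") if parts.query else []
    scope = (fields[1] if len(fields) > 1 else "").lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"invalid scope: {scope!r}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in (fields[0].split(",") if fields else []) if a],
        "scope": scope,
    }


def check_smime_lookup(url, auth_type, username=None, password=None,
                       certificate_attribute="userCertificate;binary"):
    """Return (parsed_url, findings); an empty findings list means no concerns."""
    cfg = parse_ldap_url(url)
    findings = []
    auth = auth_type.strip().lower()
    if auth not in ("anonymous", "basic"):
        findings.append("authentication type must be Anonymous or Basic")
    if auth == "basic":
        if not (username and password):
            findings.append("Basic authentication requires a username and password")
        if cfg["scheme"] == "ldap":
            findings.append("Basic bind over ldap:// sends the password unencrypted; use ldaps://")
    if not cfg["base_dn"]:
        findings.append("URL has no base DN")
    if not _ATTR_NAME.fullmatch(certificate_attribute.split(";")[0]):
        findings.append(f"malformed certificate attribute: {certificate_attribute!r}")
    return cfg, findings


if __name__ == "__main__":
    # The URL quoted on this page, with anonymous bind.
    cfg, findings = check_smime_lookup("LDAP://certs.soandso.local/o=dept,c=company", "Anonymous")
    print(cfg, findings)
    # Constructed sample: Basic bind over LDAPS to a global catalog port with an explicit attribute and subtree scope.
    cfg, findings = check_smime_lookup(
        "ldaps://certs.example.com:3269/dc=example,dc=com?userCertificate;binary?sub",
        "Basic", "svc-smime", "example-password")
    print(cfg, findings)
```

The parser treats a missing port as 389 for ldap:// and 636 for ldaps://, the standard defaults, and a missing scope as base, as RFC 4516 specifies.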

    Configuring for High Availability and Disaster Recovery

    SEG can be configured in high availability and disaster recovery environments with both clustering and non-clustering server configurations. The high availability and disaster recovery setups are independent of the cluster configuration.

    Use a load balancer to achieve the desired high availability and disaster recovery configuration. The same public host name must be used for the SEG servers across the data centers to ensure that the users need not reauthenticate when a SEG server failover occurs.

    The following are the benefits of using SEG in clustered and non-clustered server environments:

  • Non-clustered server configuration:
  • Each SEG is updated independently.
  • Failover can be performed at the load balancer.
  • Clustered server configuration:
  • Each data center must have its own MEM configuration and an external URL to update the MEM configuration's cluster. Note: The external URL need not match the URL used by devices to access email; the UEM console uses the external URL to send policy updates to the appropriate cluster configuration.
  • Internal IP addresses or hostnames, not only public IP addresses, can be used for clustering.
  • Device EAS profiles must use a third URL that can be failed over between data centers.

    SEG Custom Gateway Settings

    The SEG v2 configurations are controlled at an individual node level. The custom gateway setting feature centralizes the configuration on the Workspace ONE UEM Console as part of the MEM configuration itself.

    Prerequisites

    The following table lists the requirements for the SEG custom settings feature:

    Configure SEG Custom Gateway Settings

    The SEG custom settings are available as key-value pairs on the Workspace ONE UEM console. The commonly used properties are seeded on the Workspace ONE UEM Console. To configure the custom settings, perform the following steps:

  • Log in to the Workspace ONE UEM console.
  • Navigate to Email > Email Settings.
  • Configure the Email Settings for SEG.
  • Configure the additional settings for SEG using the Advanced option.
  • Navigate to the Custom Gateway Settings, click ADD ROW, and enter the supported configuration as the key-value pair:
  • Key: Enter the property or setting name.
  • Type: Enter the type of value such as string, integer, and so on.
  • Value: Enter the property or custom value.
  • Click Save.

    Apply the Custom Gateway Settings on the SEG Service

    During an installation or upgrade, if the custom settings are provided on the Workspace ONE UEM console, then the SEG service starts with the applied custom settings.

    If the custom settings are added or updated on the Workspace ONE UEM console when the SEG service is running, then a refreshSettings notification is triggered for SEG. The SEG fetches the latest custom gateway settings. A few of the custom settings are applied immediately, whereas the other custom settings might require you to restart the SEG service.

    Supported Configuration for the Custom Gateway Settings

    The following section lists all the supported SEG properties or settings for the custom settings feature.

    Note:

    The properties or settings are grouped based on feature or functionality. The custom settings can be added on the Workspace ONE UEM console in any order.

    JVM Arguments or System Settings

    The JVM arguments or system settings property keys start with -D. If the property value is modified, SEG updates the custom system settings in the segServiceWrapper.conf (for Windows) or seg-jvm-args.conf (for UAG). If the system setting is updated when the SEG service is running, then the SEG triggers a service restart.

    You can configure the seg.custom.settings.service.restart.code=0 property in the application-override.properties file to deactivate the automatic restart of the SEG service.
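The custom gateway settings procedure above enters each setting as a key, a type and a value, and the paragraphs here state that a changed -D key restarts the service automatically unless seg.custom.settings.service.restart.code=0 is set. The following added example, not the page's or VMware's code, is a pre-save check in Python that applies those rules to a batch of rows: it rejects unknown keys, type mismatches and values that do not parse as the declared type, and classifies each accepted row as auto-restart, manual-restart or no action. CATALOGUE is a hand-picked subset of the table on this page (assumption: it is not a complete list); the restart_code parameter models the override property; SAMPLE_ROWS are constructed.

```python
"""Check custom gateway settings rows before saving them in the UEM console.

Added example, not VMware's code.
"""
from dataclasses import dataclass
from typing import Any, Optional

# key -> (value type, action when the value changes). Subset of the page's table.
CATALOGUE = {
    "-Djdk.tls.disabledAlgorithms": ("string", "auto-restart"),
    "-Dsyslog.enabled": ("boolean", "auto-restart"),
    "-Dsyslog.port": ("integer", "auto-restart"),
    "enable.cert.revocation.validation": ("boolean", "manual-restart"),
    "remote.crl.fetch.interval.in.minutes": ("integer", "manual-restart"),
    "kerberos.backpressure.queue.max.size": ("integer", "manual-restart"),
    "api.server.connect.timeout.millis": ("integer", "none"),
    "force.client.cert.for.ssl.handshake": ("boolean", "none"),
    "resp-header.Strict-Transport-Security": ("string", "none"),
}


@dataclass
class Row:
    key: str
    type: str   # as typed in the console: string, integer or boolean
    value: str


@dataclass
class Result:
    key: str
    ok: bool
    action: str   # auto-restart | manual-restart | none | n/a (row rejected)
    message: str


def coerce(type_name: str, raw: str) -> Any:
    """Convert the console's string value to the declared type, or raise ValueError."""
    kind = type_name.strip().lower()
    if kind == "integer":
        return int(raw.strip())
    if kind == "boolean":
        flag = raw.strip().lower()
        if flag not in ("true", "false"):
            raise ValueError(f"not a boolean: {raw!r}")
        return flag == "true"
    if kind == "string":
        return raw
    raise ValueError(f"unsupported type: {type_name!r}")


def validate_rows(rows: list, restart_code: Optional[int] = None) -> list:
    """Validate each row against CATALOGUE and classify the effect of a change.

    restart_code models seg.custom.settings.service.restart.code: when it is 0
    the automatic restart for -D keys is suppressed, so an operator must restart
    the service by hand for the new value to take effect.
    """
    results = []
    for row in rows:
        spec = CATALOGUE.get(row.key)
        if spec is None:
            results.append(Result(row.key, False, "n/a", "unsupported key"))
            continue
        expected_type, action = spec
        if row.type.strip().lower() != expected_type:
            results.append(Result(row.key, False, "n/a",
                                  f"type must be {expected_type}, got {row.type!r}"))
            continue
        try:
            value = coerce(expected_type, row.value)
        except ValueError as exc:
            results.append(Result(row.key, False, "n/a", str(exc)))
            continue
        if row.key.startswith("-D") and restart_code == 0:
            action = "manual-restart"   # automatic restart disabled by the operator
        results.append(Result(row.key, True, action, f"value={value!r}"))
    return results


def keys_needing_manual_restart(results: list) -> list:
    """Keys whose new value only takes effect after an operator restarts SEG."""
    return [r.key for r in results if r.ok and r.action == "manual-restart"]


# Constructed sample rows, as they would be entered with ADD ROW in the console.
SAMPLE_ROWS = [
    Row("-Dsyslog.port", "Integer", "514"),
    Row("api.server.connect.timeout.millis", "integer", "fifteen"),
    Row("bogus.setting", "string", "x"),
    Row("enable.cert.revocation.validation", "Boolean", "true"),
    Row("-Dsyslog.enabled", "String", "true"),
]

if __name__ == "__main__":
    for r in validate_rows(SAMPLE_ROWS):
        print(f"{'OK ' if r.ok else 'ERR'} {r.key:45} {r.action:15} {r.message}")
```

Run with restart_code=0 to see the -D rows move from auto-restart to manual-restart, which is the operational consequence of disabling the automatic restart.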

    -Djdk.tls.disabledAlgorithms

    Comma-separated list of TLS algorithms, ciphers, and versions to be deactivated.

    String

    MD5, RC4, TLSv1, TLSv1.1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384

    If the modified value is detected, restart automatically.
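To see what the default -Djdk.tls.disabledAlgorithms value above actually refuses, the following added example, not the page's, VMware's or Oracle's code, parses the comma-separated format (plain protocol, algorithm or cipher suite names plus "Alg keySize < N" constraints) and explains why a given handshake would be blocked. The matching is an approximation of the JDK's (assumption): names compare case-insensitively, and a name matches a cipher suite when it appears as an underscore-delimited fragment of the suite name. DEFAULT_DISABLED is the default value quoted on this page.

```python
"""Evaluate TLS handshake parameters against a jdk.tls.disabledAlgorithms list.

Added example, not VMware's or Oracle's code; name matching approximates the JDK's.
"""
import re

# Default value of -Djdk.tls.disabledAlgorithms as listed on this page.
DEFAULT_DISABLED = (
    "MD5, RC4, TLSv1, TLSv1.1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, "
    "RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384"
)

# "<=" and ">=" must come before "<" and ">" in the alternation.
_KEYSIZE = re.compile(r"^(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.IGNORECASE)
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_disabled(spec):
    """Return (set of lower-cased names, list of (alg, op, bits) key-size constraints)."""
    names, constraints = set(), []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _KEYSIZE.match(entry)
        if m:
            constraints.append((m.group(1).lower(), m.group(2), int(m.group(3))))
        else:
            names.add(entry.lower())
    return names, constraints


def blocked_reasons(protocol, cipher_suite, key_sizes, spec=DEFAULT_DISABLED):
    """List every reason the handshake would be refused; empty means allowed.

    key_sizes maps an algorithm family (e.g. "DH", "EC", "RSA") to the key size in bits.
    """
    names, constraints = parse_disabled(spec)
    reasons = []
    if protocol.lower() in names:
        reasons.append(f"protocol {protocol} is disabled")
    suite = f"_{cipher_suite.lower()}_"   # pad so fragments match whole tokens only
    for name in sorted(names):
        if f"_{name}_" in suite:
            reasons.append(f"cipher suite matches disabled entry {name}")
    sizes = {k.lower(): v for k, v in key_sizes.items()}
    for alg, op, limit in constraints:
        if alg in sizes and _OPS[op](sizes[alg], limit):
            reasons.append(f"{alg.upper()} key size {sizes[alg]} violates keySize {op} {limit}")
    return reasons


def is_allowed(protocol, cipher_suite, key_sizes, spec=DEFAULT_DISABLED):
    return not blocked_reasons(protocol, cipher_suite, key_sizes, spec)


if __name__ == "__main__":
    # Constructed handshakes: an ECDHE suite on TLS 1.2 passes, a DHE suite with a 512-bit group fails twice.
    for proto, suite, sizes in [
        ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", {"EC": 256}),
        ("TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", {"EC": 256}),
        ("TLSv1.2", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", {"DH": 512}),
    ]:
        print(proto, suite, blocked_reasons(proto, suite, sizes) or "allowed")
```

The static-RSA suites in the default list are named in full, so only those exact suites are blocked; the DHE entry, by contrast, blocks every suite whose key exchange token is DHE regardless of the DH group size.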

    -Djdk.tls.ephemeralDHKeySize

    Customizes the strength of the ephemeral DH key size used internally during the TLS or DTLS handshake. The system property does not affect the DH key sizes in the ServerKeyExchange messages for exportable cipher suites.

    The DH key sizes of the DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the JSSE Oracle provider are affected. For more information, see Customizing Size of Ephemeral Diffie-Hellman Keys.

    Integer

    If the modified value is detected, restart automatically.

    -Dsyslog.enabled

    Flag to activate the syslog configuration for SEG.

    Boolean

    TRUE - For the UAG deployment

    FALSE - For the Windows deployment

    If the modified value is detected, restart automatically.

    -Dsyslog.host

    Host address of the syslog server.

    The host address value can be configured with any remote syslog server hostname or IP address that listens over UDP.

    If syslog to the remote server is configured with the TCP or TLS, then point to a local host syslog listener that can retransmit using the required protocol over the wire.

    The in-built UAG syslog configuration can function as the local retransmitter.

    String

    localhost

    If the modified value is detected, restart automatically.

    -Dkerberos.process.recycle.time

    Specify the Kerberos process recycle time, when activated.

    Process recycling can be activated using the property -Denable.kerberos.process.recycle.

    Time in the hh24:mm:ss format

    23:59:59

    If the modified value is detected, restart automatically.

    Maximum java heap memory for the service in Mebibytes (MiB).

    For example, 8 GiB of RAM can be configured as 8192.

    If the system property is not configured, dynamically identified during the SEG service installation based on the system configuration.

    If the modified value is detected, restart automatically.

    -Dsyslog.facility

    Syslog facility as defined by the Syslog server.

    String

    If the modified value is detected, restart automatically.

    -Dsyslog.port

    Syslog listener port that the SEG points to.

    Integer

    If the modified value is detected, restart automatically.

    -Denable.kerberos.process.recycle

    SEG can be configured to recycle the native Kerberos client processes when the Kerberos based authentication is activated.

    Boolean

    FALSE

    If the modified value is detected, restart automatically.

    enable.boxer.ens.ews.proxy

    Flag to activate SEG to listen for the EWS traffic and proxy the same to the configured Exchange EWS endpoint.

    By default, SEG proxies the EWS requests to the email server host configured as part of the MEM configuration. However, a different host can be configured using the ews.email.server.host.and.port property.

    Boolean

    FALSE

    Restart the SEG service.

    ews.email.server.host.and.port

    If the email server hostname for the EWS is different than the EAS, then use this property to configure the EWS email server hostname.

    When the host name for the EWS connection is used from the ews.email.server.host.and.port property, all the other HTTP connection parameters remain the same, similar to the EAS parameters.

    If the host is using a self-signed certificate, corresponding trusted certificate must be added to SEG separately.

    EWS proxy can be activated using the flag enable.boxer.ens.ews.proxy.

    No user action required.

    http.response.status.code.for.connection.terminated.with.ews

    HTTP response code for the EWS request when a connection error occurs between the SEG and the Exchange.

    Integer

    No user action required.

    proxy.email.request.on.kerberos.error

    Flag to activate the proxy request to the email server, in case, an error occurs when generating the KCD token.

    Boolean

    No user action required.

    response.status.code.on.kerberos.error.for.non.ping

    HTTP response code for commands, other than PING and OPTIONS, when the Kerberos token generation results fail.

    Integer

    No user action required.

    response.status.code.on.kerberos.error.for.ping

    If the proxy.email.request.on.kerberos.error property is set to false, then the response.status.code.on.kerberos.error.for.ping is the HTTP status code returned during a Kerberos error for the PING command request.

    Integer

    No user action required.

    response.status.code.on.kerberos.error.for.options.method

    HTTP response code for the OPTIONS command when the Kerberos token generation results fail.

    Integer

    No user action required.

    response.status.code.on.certificate.validation.fail

    HTTP response code when certificate authentication is activated and the client certificate validation on SEG fails.

    If the flag force.client.cert.for.ssl.handshake is activated, a request with a missing or invalid certificate might be rejected during the SSL handshake.

    Integer

    No user action required.

    enable.upn.lookup.from.subject.cn

    Flag to activate the lookup of the UPN (used for Kerberos authentication) from the Subject Common Name when the UPN is not present in the SAN extension of the client certificate.

    Boolean

    FALSE

    No user action required.

    generate.krb5.config.at.service.restart

    Flag to generate the KRB configuration file (krb5.ini in Windows or krb5.conf in UAG) when restarting the SEG service.

    Boolean

    Restart the SEG service.

    kerberos.service.max.processes.size

    Number of KCD client processes that SEG spawns.

    Integer

    Restart the SEG service.

    kerberos.thread.pool.size.per.service

    Number of threads used per KCD client process.

    Integer

    Restart the SEG service.

    kerberos.service.health.check.frequency.in.seconds

    Frequency of polling by SEG for each KCD client process.

    Integer

    Restart the SEG service.

    kerberos.enable.performance.metrics.logging

    Flag to activate time statistics for the Kerberos token handling.

    Boolean

    Restart the SEG service.

    kerberos.process.kill.max.wait.time.in.seconds

    The maximum wait time for a process to shut down, when you attempt to stop the native process.

    Integer

    Restart the SEG service.

    kerberos.process.max.time.to.recover.in.seconds

    Maximum time in seconds that a process is permitted to remain in any status other than AVAILABLE (NOT_STARTED, STARTING, FAILED_TO_START, or BUSY), so that processes can be recovered in an unexpected situation and the service runs more safely.

    Integer

    Restart the SEG service.

    kerberos.backpressure.queue.max.size

    Maximum size of the backpressure queue to obtain the Kerberos token. If the backpressure queue is full, further requests are ignored.

    Integer

    Restart the SEG service.

    kerberos.backpressure.queue.max.wait.in.seconds

    Duration in seconds for which a request waits in a backpressure queue for the Kerberos token generation before being stopped.

    Integer

    Restart the SEG service.

    enable.cert.revocation.validation

    Flag to activate the certificate revocation check using the CRL. The flag is used only when the CBA is activated.

    Boolean

    FALSE

    Restart the SEG service.

    fail.hard.on.crl.download.failure.during.server.startup

    Flag to prevent SEG from starting if SEG is unable to fetch the CRLs at start.

    The option is applicable only when any CRL distribution URL is configured using the remote.crl.distribution.http.uris key.

    Boolean

    Restart the SEG service.

    remote.crl.fetch.interval.in.minutes

    Interval in minutes for a periodic timer that attempts to update SEG with the latest CRL data.

    Long (the value type is integer)

    1440 (24 hours)

    Restart the SEG service.

    remote.crl.distribution.http.uris

    List of HTTP URLs of CRL Distribution Points (CDP). Use the value when SEG is configured to accept the client certificates, either by enabling the Require Client Certificate flag or the Kerberos based authentication.

    Applicable only if enable.cert.revocation.validation value is set to true.

    String

    No user action required.

    kerberos.linux.named.pipe.connect.delay.millis

    Delay in milliseconds before the SEG Java process attempts to listen to the named pipes that are started by the Kerberos client native processes. This delay is to ensure smooth recovery of crashed Kerberos client processes. This property is applicable only for SEG on UAG.

    Since: UAG 21.03

    Restart the SEG service.

    cert.mapping.ldap.enabled

    The flag indicates if the certificate-mapping feature is activated for SEG.

    If KCD authentication is deactivated in the email configuration, the setting is ignored and treated as false.

    Boolean

    FALSE

    Restart the SEG service.

    cert.mapping.ldap.host

    The remote LDAP host information in a proper URL format.

    String

    Restart the SEG service.

    cert.mapping.ldap.authType

    The authentication type used with the LDAP server for the certificate-mapping feature.

    Integer

    0 (simple authentication)

    Restart the SEG service.

    cert.mapping.ldap.user

    The LDAP user for authenticating the LDAP query.

    SEG uses the same service account credentials configured as part of the Kerberos authentication settings.

    However for the LDAP query, the user name must be provided in the Distinguished Name (DN) format.

    String

    Restart the SEG service.

    cert.mapping.ldap.attrs

    List of LDAP lookup attributes used for certificate-mapping feature.

    String

    Restart the SEG service.

    cert.mapping.ldap.server.base

    Distinguished name of the base domain configured for running the LDAP query. The query fetches the matching results from the domain.

    By default, the query refers to the rootDSE of the LDAP setup. The field can be left empty when the userCertificate and userPrincipalName attributes are indexed and replicated to the global catalog.

    String

    Restart the SEG service.

    cert.mapping.ignore.ldap.ssl.errors

    Flag to ignore any SSL errors when contacting LDAP server for the certificate-mapping lookup.

    Boolean

    FALSE

    Restart the SEG service.

    cert.mapping.max.query.executor.pools

    Maximum number of LDAP services created to allow the maximum concurrent LDAP queries.

    Integer

    Restart the SEG service.

    cert.mapping.ldap.connect.timeout.millis

    LDAP connect timeout in milliseconds for certificate-mapping.

    Integer

    Restart the SEG service.

    cert.mapping.ldap.read.timeout.millis

    LDAP read timeout in milliseconds for certificate-mapping.

    Integer

    Restart the SEG service.

    cert.mapping.ldap.service.pool.size

    LDAP (executor) service thread pool size.

    Integer

    Restart the SEG service.

    cert.mapping.backpressure.queue.size

    Maximum size of requests that are allowed in back pressure queue, waiting for the LDAP service for certificate-mapping lookup.

    Integer

    Restart the SEG service.

    cert.mapping.backpressure.max.ttl.in.seconds

    Maximum time a request can stay in back pressure queue waiting for the LDAP service to be available.

    Integer

    Restart the SEG service.
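Both the Kerberos token path (kerberos.backpressure.queue.max.size and kerberos.backpressure.queue.max.wait.in.seconds) and the certificate-mapping LDAP path (cert.mapping.backpressure.queue.size and cert.mapping.backpressure.max.ttl.in.seconds) describe the same mechanism: a bounded queue in front of a slow backend that rejects new requests when full and drops a request that has waited longer than the TTL. The following added example, not the page's or VMware's code, models that queue in Python so the two knobs can be reasoned about together. The clock is injected so the scenario is deterministic; the scheduling details are a simplification (assumption) of whatever SEG does internally, and the request names are constructed.

```python
"""Bounded backpressure queue with a maximum wait time (TTL).

Added example, not VMware's code; models the queue-size and max-wait settings only.
"""
from collections import deque


class FakeClock:
    """Deterministic clock so the scenario below does not depend on wall time."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class BackpressureQueue:
    def __init__(self, max_size, max_wait_seconds, clock):
        self.max_size = max_size            # *.backpressure.queue.max.size / queue.size
        self.max_wait = max_wait_seconds    # *.max.wait.in.seconds / max.ttl.in.seconds
        self.clock = clock
        self._queue = deque()               # (request_id, enqueue_time)
        self.rejected = []                  # refused because the queue was full
        self.expired = []                   # dropped after waiting longer than max_wait

    def _drop_expired(self):
        now = self.clock()
        while self._queue and now - self._queue[0][1] > self.max_wait:
            self.expired.append(self._queue.popleft()[0])

    def submit(self, request_id):
        """Queue a request; return False if backpressure rejects it."""
        self._drop_expired()
        if len(self._queue) >= self.max_size:
            self.rejected.append(request_id)
            return False
        self._queue.append((request_id, self.clock()))
        return True

    def take(self):
        """Hand the oldest still-valid request to a worker, or None if nothing is waiting."""
        self._drop_expired()
        return self._queue.popleft()[0] if self._queue else None

    def __len__(self):
        return len(self._queue)


def run_scenario():
    """Constructed scenario: queue of 2, 5-second TTL, one slow worker."""
    clock = FakeClock()
    q = BackpressureQueue(max_size=2, max_wait_seconds=5, clock=clock)
    accepted = [r for r in ("A", "B", "C") if q.submit(r)]   # C is rejected: queue full
    clock.advance(3)
    served = [q.take()]                                       # A is served at t=3
    if q.submit("D"):                                         # slot freed by A
        accepted.append("D")
    clock.advance(6)                                          # t=9: B (age 9) and D (age 6) exceed the TTL
    served.append(q.take())                                   # nothing left to serve
    return {"accepted": accepted, "served": served,
            "rejected": q.rejected, "expired": q.expired, "pending": len(q)}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the two failure modes separately: C fails fast because the queue is full, while B and D are accepted and then discarded because the backend never got to them within the TTL. Sizing the queue larger only converts the first kind of failure into the second unless the backend keeps up.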

    cert.mapping.wait.delay.for.concurrent.query.millis

    Fixed delay waiting for a request when another request for the same UPN is in progress for getting certificate mapping.

    Integer

    No user action required.

    bulk.update.completion.threshold.in.seconds

    The timeout value in seconds to complete bulk policy update flow. If the bulk policy update does not complete within this duration, the bulk policy update is marked as failure.

    Since: SEG 2.20.0, UAG 21.06

    Integer

    No user action required.

    policy.data.not.ready.response.code

    HTTP response code to be returned to the device if SEG is yet to receive all the policy data just after start, and the configuration prohibits email communication until policy data is ready.

    Integer

    No user action required.

    ignore.duplicate.records.during.policy.update

    Flag to ignore duplicate records returned from an API, and compare the size of a policy in the SEG cache with the size for only Unique IDs.

    Boolean

    No user action required.

    policy.update.eventbus.timeout.buffer.millis

    Event bus timeout used during a policy update.

    30000

    No user action required.

    disable.api.policy.count.match.during.policy.update

    Maximum time in seconds that SEG waits for the cache to be asynchronously updated with the new policy records during a bulk policy update.

    Boolean

    FALSE

    No user action required.

    policy.async.cache.update.completion.threshold.seconds

    Maximum time in seconds that SEG waits for the cache to be asynchronously updated with new policy records during a bulk policy update.

    Integer

    Restart the SEG service.

    cache.index.validation.eventbus.timeout.millis

    Timeout duration in milliseconds for validating the cache index on all the nodes after a bulk policy update.

    If failed, SEG retries before finally reverting the changes.

    Integer

    30000

    No user action required.

    cache.index.swap.wait.time.in.millis

    Wait delay in milliseconds before swapping active and passive cache indexes after the latest policy from API is updated on the passive cache.

    60000

    No user action required.

    cache.index.validation.max.retry.count

    Number of retry attempts to validate that the cache indexes are updated in all the nodes, when clustering is activated.

    Integer

    No user action required.

    wait.time.in.millis.before.passive.cache.cleanup.start

    If the policy update fails while the SEG is running in clustered mode, the cache indexes on all the nodes must be updated to stay in sync. wait.time.in.millis.before.passive.cache.cleanup.start is the time in milliseconds that the SEG waits before cleaning the passive cache, so that all nodes have sufficient time to swap the passive and active indexes, if necessary.

    30000

    No user action required.

    cache.async.update.status.check.timer.interval.millis

    Interval in milliseconds for a periodic timer that validates async policy data update in cache.

    10000

    No user action required.
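The policy-update settings above describe one flow: records from the API are deduplicated by unique ID (ignore.duplicate.records.during.policy.update), their count is compared with the count the API reported (skipped when disable.api.policy.count.match.during.policy.update is set), the new policy set is written to the passive cache index on every node, the index is validated on all nodes with up to cache.index.validation.max.retry.count retries, and the update is then swapped in or reverted. The following added example, not the page's or VMware's code, models that flow in Python on a constructed two-node cluster. Node-level timing is simulated with a counter of lagging validations (assumption); the wait and timeout values are not modelled, and the record payload is constructed.

```python
"""Bulk policy update with an active/passive cache index and validation retries.

Added example, not VMware's code; a model of the flow the settings describe.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    active: dict = field(default_factory=dict)    # index serving device requests
    passive: dict = field(default_factory=dict)   # index being prepared
    lagging_validations: int = 0  # simulates the async cache update not being done yet

    def validate_index(self, expected_ids):
        """Report whether this node's passive index holds exactly the expected records."""
        if self.lagging_validations > 0:
            self.lagging_validations -= 1
            return False
        return set(self.passive) == set(expected_ids)


def bulk_policy_update(nodes, records, api_policy_count, max_retry_count,
                       ignore_duplicates=True, count_match_enabled=True):
    """Return 'swapped', 'reverted' or a 'failed: ...' string."""
    unique = {}
    for rec in records:
        unique.setdefault(rec["id"], rec)          # first record per unique ID wins
    observed = len(unique) if ignore_duplicates else len(records)
    if count_match_enabled and observed != api_policy_count:
        return f"failed: API reported {api_policy_count} policies, received {observed}"

    for node in nodes:
        node.passive = dict(unique)                # stage on the passive index only

    for _attempt in range(max_retry_count + 1):
        checks = [node.validate_index(unique) for node in nodes]   # check every node, no short-circuit
        if all(checks):
            for node in nodes:
                node.active, node.passive = node.passive, {}       # swap, then clean the passive index
            return "swapped"

    for node in nodes:
        node.passive = {}                          # revert: discard staged data, active untouched
    return "reverted"


# Constructed API payload with one duplicate record.
SAMPLE_RECORDS = [
    {"id": "dev-1", "compliant": True},
    {"id": "dev-2", "compliant": False},
    {"id": "dev-2", "compliant": False},
    {"id": "dev-3", "compliant": True},
]


def demo():
    """Two-node cluster where the second node needs one extra validation round."""
    nodes = [Node("seg-a"), Node("seg-b", lagging_validations=1)]
    outcome = bulk_policy_update(nodes, SAMPLE_RECORDS, api_policy_count=3, max_retry_count=2)
    return outcome, sorted(nodes[1].active)


if __name__ == "__main__":
    print(demo())
```

The important property is that the active index is never touched until every node has validated the passive one, so a failed or timed-out update leaves devices governed by the previous policy set rather than a partial one.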

    full.bulk.update.interval.in.minutes (only when the delta is activated)

    Interval in minutes for a periodic full bulk policy update, when the delta sync is activated.

    Integer

    1440 (24 hours)

    Restart the SEG service.

    validate.resource.uri.in.jwt.auth

    Flag to activate validation of resource URL in the JWT token.

    Boolean

    No user action required.

    jwt.allowed-clock-skew-in-seconds

    Maximum allowed skew in JWT timestamp for the token to be successfully authenticated.

    Integer

    No user action required.

    tcpip.discovery.timeout-seconds

    Integer

    Restart the SEG service.

    hazelcast.operation.call.timeout.millis

    Timeout for Hazelcast cache read or write operations.

    60000

    disable.transformation.on.inline.unknown.attachment.bytes

    Flag to deactivate the attachment transformation if the MIME type cannot be identified.

    Boolean

    No user action required.

    disable.transformation.on.inline.unknown.attachment.tag

    Flag to ignore the transformation on the inline attachment tags that do not have a file extension or MIME type to be processed correctly.

    Boolean

    No user action required.

    enable.request.transformation.by.default

    Flag to activate the content transformation on the request flow.

    If any of the transformation types are activated and the value is FALSE, the request transformation occurs. When the value is TRUE, request transformation always occurs.

    Activate the flag when content transformation was activated earlier (so attachments were encrypted or hyperlinks transformed) and has since been deactivated, but outgoing emails must still carry decrypted attachments and the original hyperlinks.

    Boolean

    FALSE

    No user action required.

    email.server.request.timeout.millis

    HTTP request timeout from SEG to the email server in milliseconds for the email traffic.

    Since: SEG 2.20.0, UAG 21.06

    Integer

    1200000

    No user action required.

    keep.http.client.connection.alive

    Flag to keep a socket connection to the email server and the API server alive to reuse the same connection for any subsequent request.

    Since: SEG 2.20.0, UAG 21.06

    Boolean

    No user action required.

    keep.email.server.client.connection.alive

    Flag to keep a socket connection to the email server alive, to reuse the same connection for any subsequent request. Note: This key is supported until SEG version 2.19.0 and UAG version 21.03.1. For SEG version 2.20.0 and UAG version 21.06, use the key keep.http.client.connection.alive.

    Boolean

    No user action required.

    api.server.connect.timeout.millis

    HTTP connection timeout from SEG to the API server in milliseconds.

    Integer

    15000

    No user action required.

    email.server.connect.timeout.millis

    HTTP connection timeout from SEG to the email server in milliseconds.

    15000

    No user action required.

    force.client.cert.for.ssl.handshake

    In the MEM configuration, when Require Client Certificate is activated in the Advanced Settings option, setting the flag to TRUE makes the SSL handshake fail when the client presents no certificate, so the request never reaches the application layer. If the flag is set to FALSE, the request reaches the application layer before being rejected for the missing client certificate.

    Boolean

    FALSE

    No user action required.

    http.client.max.idle.timeout.seconds

    Maximum idle timeout in seconds after which any connection is closed to release the system resources.

    Integer

    No user action required.

    http.response.status.code.for.non.ping.on.connection.closed.failure

    HTTP response code for the requests other than the PING command when the connection between the SEG and the email server closes unexpectedly.

    You can use this option only if the flag return.http.response.status.for.non.ping.on.connection.closed.failure is activated.

    Integer

    No user action required.

    http.response.status.code.for.ping.on.connection.closed.failure

    HTTP response code for the PING command requests when the connection between the SEG and email server closes unexpectedly.

    Integer

    No user action required.

    http.server.max.idle.timeout.seconds

    Idle time in seconds after which an inbound connection to the SEG server is closed.

    Integer

    No user action required.

    max.http.buffer.chunk.size

    Maximum HTTP chunk size.

    Integer

    8192 (that is, 8 KB)

    No user action required.

    max.initial.line.length

    Maximum length of the initial line of the HTTP requests ending or originating at SEG.

    Integer

    4096 (that is, 4 KB)

    No user action required.

    return.http.response.status.for.non.ping.on.connection.closed.failure

    Flag to decide if the SEG responds to the device in case a connection error occurs between SEG and the email server when serving a non-PING command.

    When activated, the http.response.status.code.for.non.ping.on.connection.closed.failure property determines the response code.

    Few email clients might show some error when the connection to SEG is abruptly closed.

    Integer

    No user action required.

    smime.lookup.ldap.connect.timeout.millis

    LDAP connection timeout in milliseconds for the SMIME certificate lookup.

    Integer

    No user action required.

    smime.lookup.ldap.read.timeout.millis

    LDAP read timeout in milliseconds for the SMIME certificate lookup.

    Integer

    No user action required.

    smime.lookup.ldap.server.base

    Base path of the LDAP server that the SEG uses for the SMIME lookup.

    String

    No user action required.

    smime.lookup.ignore.ldap.ssl.errors

    Flag to ignore any SSL errors when contacting the LDAP server for the SMIME lookup.

    Boolean

    FALSE

    No user action required.

    resp-header.Strict-Transport-Security

    Overrides the preconfigured default value of the Strict-Transport-Security (STS) header with the SEG value specified here.

    String

    Max-age=31536000;includeSubDomains

    No user action required.

    resp-header.X-Custom-Header

    New header with a specified value is included for subsequent responses.

    String

    No user action required.

    kerb-conf.log_level

    System log level for the kcdclient pipe processes that the SEG spawns.

    0 - Off

    1 - Error

    2 - Warning

    3 - Info

    4 - Debug

    Integer

    No user action required.

    kerb-conf.log_file_append

    Flag to indicate whether a process restart appends to the existing log file or discards the old logs and truncates the file.

    0 - Do not append

    1 - Append

    Integer

    No user action required.

    kerb-conf.log_file_backup_count

    Maximum number of backup log files to be created when the maximum file size is reached.

    Integer

    No user action required.

    kerb-conf.log_file_size

    Maximum file size of a Kerberos process log file in MB.

    Integer

    No user action required.

    kerb-conf.refresh_config_interval

    Interval in seconds at which the settings are refreshed and any updated configuration is loaded from the file.

    Integer

    No user action required.

    krb5-conf.<property_name>

    Properties with this prefix are written to the krb5-base.conf file.

    No user action required.

    custom.response.text.for.root.and.health.api

    Custom text to be sent as a response when the root path of the SEG V2 is accessed.

    If hide.seg.info.on.health.monitor.response is set to true, the text is also used in the response body of the health monitoring endpoints (/health and /lb-health).

    Since: SEG 2.20.0, UAG 21.06

    String

    No user action required.

    log.device.delta.sync.payload.in.debug.mode

    Flag to activate logging of the delta sync payload in debug mode.

    Boolean

    FALSE

    No user action required.

    api.server.connectivity.diagnostic.timeout.millis

    HTTP connection timeout in milliseconds that SEG uses when verifying connectivity to the API server to capture diagnostic information.

    Integer

    No user action required.

    email.server.connectivity.diagnostic.timeout.millis

    HTTP connection timeout in milliseconds that SEG uses when verifying connectivity to the email server to capture diagnostic information.

    Integer

    No user action required.

    high.cpu.monitoring.enabled

    Flag to activate the CPU usage monitoring and to generate thread dumps beyond a threshold limit. Configure the threshold limit using the cpu.monitor.trigger.threshold.percentage property.

    Boolean

    FALSE

    No user action required.

    log.http.server.network.activity

    Flag to activate logging of the SEG HTTP server network activity.

    Boolean

    FALSE

    No user action required.

    enable.seg.metrics.collection

    Flag to activate the SEG metrics collection. When the flag is activated with the UEIP flag on the Workspace ONE UEM console, SEG reports the diagnostic information to the VMware Analytics Cloud (VAC).

    Boolean

    No user action required.

    log.active.sync.payload.in.debug.mode

    Flag to activate logging of the active synchronization payload in the active-sync-payload-reporting.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    FALSE

    No user action required.

    hide.seg.info.on.health.monitor.response

    Flag to deactivate the SEG version and build information in the health monitoring endpoints (/health and /lb-health).

    Since: SEG 2.19.0, UAG 21.03

    Boolean

    False

    No user action required.

    logger.app

    The SEG application logs are applicable for the app.log and the ews-proxy.log files.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.transactional

    The transaction summary logs are applicable for the http-transaction.log, kerberos-transaction.log, and ews-transaction.log transaction log files. The default log level is Debug, and you need not change it unless you want to deactivate transactional logging.

    Since: SEG 2.18.0, UAG 20.12

    String

    Debug

    No user action required.

    logger.policy.cache

    The policy update and SEG cache logs are applicable for the policy-update.log and cache.log files.

    Since: SEG 2.18.0, UAG 20.12

    String

    No user action required.

    logger.kerberos.service.manager

    The Kerberos service manager log is applicable for the kerberos-service-manager.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.cert.auth

    The certificate-based authentication log is applicable for the cert-auth.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.compliance

    Transaction logs for devices blocked due to non-compliance. This is applicable for the non-compliant-devices.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.content.transformation

    Email content transformation logs, such as hyperlink and attachment transformation. This is applicable for the content-transform.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    SEG Targeted Content Logging

    SEG targeted content logging is activated to troubleshoot content transformation related issues. When you activate content logging, SEG starts writing email content (before and after transformation) in the <SEG_Install_Dir>/tmp/content-logs folder.

    Note: Activate content logging only for troubleshooting, and remove the property keys from the custom settings after troubleshooting. You must obtain the customer's consent before you activate content logging.

    content.logging.target.all

    Activate content logging for all users and devices.

    Since: SEG 2.18.0, UAG 20.12

    Boolean

    False

    No user action required.

    content.logging.target.users

    Activate content logging for targeted users.

    Comma-separated list, for example user1, user2, and so on.

    Since: SEG 2.18.0, UAG 20.12

    String

    No user action required.

    content.logging.target.easdeviceids

    Activate content logging for targeted EAS device IDs.

    Comma-separated list, for example device1, device2, and so on.

    Since: SEG 2.18.0, UAG 20.12

    String

    No user action required.
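    The following added example (not VMware documentation or SEG product code) audits a map of the custom gateway settings described above for the values a reviewer would flag: content logging keys left in place after troubleshooting, smime.lookup.ignore.ldap.ssl.errors set to TRUE, hide.seg.info.on.health.monitor.response left at its default, and a weak resp-header.Strict-Transport-Security value. The one-year max-age threshold and the "any leftover key is a finding" rule are this example's own assumptions; the sample settings are constructed.

```python
"""Audit SEG V2 custom gateway settings for risky values. Added example, not
VMware documentation or SEG code; thresholds and rules are assumptions."""

# Keys the page says to remove from custom settings after troubleshooting.
CONTENT_LOGGING_KEYS = (
    "content.logging.target.all",
    "content.logging.target.users",
    "content.logging.target.easdeviceids",
)
MIN_HSTS_MAX_AGE = 31536000  # one year, the page's default max-age


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value. Directive names are case-insensitive (RFC 6797), so the page's
    default 'Max-age=31536000;includeSubDomains' parses like 'max-age=...'."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_seg_settings(settings):
    """Return a list of finding strings for a {property: value} map."""
    findings = []
    is_true = lambda key: settings.get(key, "FALSE").strip().lower() == "true"
    for key in CONTENT_LOGGING_KEYS:  # leftover content logging writes mail to disk
        if key in settings:
            findings.append(f"{key} is set: remove it after troubleshooting")
    if is_true("smime.lookup.ignore.ldap.ssl.errors"):
        findings.append("smime.lookup.ignore.ldap.ssl.errors=TRUE skips LDAP TLS validation")
    if not is_true("hide.seg.info.on.health.monitor.response"):
        findings.append("hide.seg.info.on.health.monitor.response is not TRUE: /health exposes version")
    hsts = settings.get("resp-header.Strict-Transport-Security")
    if hsts is not None:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE or not include_sub:
            findings.append(f"weak Strict-Transport-Security value: {hsts!r}")
    return findings


# Constructed sample: values as an admin might have typed them in the console.
SAMPLE_SETTINGS = {
    "content.logging.target.users": "user1,user2",
    "smime.lookup.ignore.ldap.ssl.errors": "TRUE",
    "hide.seg.info.on.health.monitor.response": "false",
    "resp-header.Strict-Transport-Security": "max-age=300",
}
```

    Calling audit_seg_settings(SAMPLE_SETTINGS) returns four findings, one per risky value in the constructed sample.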

    Supported Configuration for the Custom Gateway Settings from SEG 2.18.0 Version

    The following section lists all the supported SEG properties or settings for the custom gateway feature that are introduced in the SEG 2.18.0 version.

    Note: In SEG 2.18.0, a few SEG properties were enhanced to provide a better user experience.

    SEG Troubleshooting

    The functionality of the following SEG properties is improved in SEG 2.18.0. For SEG versions before 2.18.0, activating these properties required the user to manually update the log level for the respective logger in the logback.xml file. From SEG 2.18.0, the log level for the respective logger in the logback.xml file is updated automatically.

    log.active.sync.payload.in.debug.mode

    Flag to activate logging of the device payload for ActiveSync reporting. The payload is written to the active-sync-payload-reporting.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    False

    No user action required.

    log.http.server.network.activity

    Flag to activate logging of the SEG HTTP server network activity.

    Since: SEG 2.18.0, UAG 20.12

    String

    False

    Restart SEG service

    logger.app

    The SEG application logs are applicable for the app.log and the ews-proxy.log files.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.transactional

    The transaction summary logs are applicable for the http-transaction.log, kerberos-transaction.log, and ews-transaction.log transaction log files. The default log level is Debug, and you need not change it unless you want to deactivate transactional logging.

    Since: SEG 2.18.0, UAG 20.12

    String

    Debug

    No user action required.

    logger.policy.cache

    The policy update and SEG cache logs are applicable for the policy-update.log and cache.log files.

    Since: SEG 2.18.0, UAG 20.12

    String

    No user action required.

    logger.kerberos.service.manager

    The Kerberos service manager log is applicable for the kerberos-service-manager.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.cert.auth

    The certificate-based authentication log is applicable for the cert-auth.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.compliance

    Transaction logs for devices blocked due to non-compliance. This is applicable for the non-compliant-devices.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    logger.content.transformation

    Email content transformation logs, such as hyperlink and attachment transformation. This is applicable for the content-transform.log file.

    Since: SEG 2.18.0, UAG 20.12

    String

    Error

    No user action required.

    SEG Content Logging

    SEG content logging is activated to troubleshoot content transformation related issues. When you activate content logging, SEG starts writing email content (before and after transformation) in the SEG install directory, following the path pattern {}.

    Note: Activate content logging only for troubleshooting, and remove the property keys from the custom settings after troubleshooting. You must obtain the customer's consent before you activate content logging.

    content.logging.target.all

    Activate content logging for all users and devices.

    Since: SEG 2.18.0, UAG 20.12

    Boolean

    False

    No user action required.

    content.logging.target.users

    Activate content logging for targeted users.

    Comma-separated list, for example user1, user2, and so on.

    Since: SEG 2.18.0, UAG 20.12

    String

    No user action required.

    content.logging.target.easdeviceids

    Activate content logging for targeted EAS device IDs.

    Comma-separated list, for example device1, device2, and so on.

    Since: SEG 2.18.0, UAG 20.12

    String

    No user action required.

    Supported Configuration for the Custom Gateway Settings from SEG 2.23.0 Version

    The following section lists all the supported SEG properties or settings for the custom gateway feature that are introduced in the SEG 2.23.0 version.

    HTTP Request or Response

    http.compression.support

    Activates or deactivates HTTP compression for the SEG server. When set, the server supports gzip or deflate compression, serving compressed responses to clients that advertise support for them with the Accept-Encoding header.

    Since: SEG 2.23.0, UAG 22.07

    Boolean

    Restart SEG service

    console.api.server.connection.pool.size

    Default configuration is retrieved from the SEG gateway settings in the ConsoleAPIConfig.

    Since: SEG 2.23.0, UAG 22.07

    Integer

    No user action required.

    console.api.server.timeout.in.millis

    Default configuration is retrieved from the SEG gateway settings in the ConsoleAPIConfig.

    Since: SEG 2.23.0, UAG 22.07

    Integer

    40000

    No user action required.

    seg.config.retry.interval.in.minutes

    Default configuration is retrieved from the SEG gateway settings in the PolicyUpdateConfig.

    Since: SEG 2.23.0, UAG 22.07

    Integer

    No user action required.

    policy.update.error.retry.count

    Default configuration is retrieved from the SEG gateway settings in the PolicyUpdateConfig.

    Since: SEG 2.23.0, UAG 22.07

    Integer

    No user action required.