Set up VMware AirWatch Secure Email Gateway (SEG) Classic in Microsoft Exchange 2016 Environment

This post was modified on 04/26/19 to include clarification on the credential expiration issue with the local SEGadmin account.

While support for Secure Email Gateway (SEG) Classic is going away by early May 2019, it’s still worth documenting for those who may not be ready to set up or migrate to SEG V2 just yet.


Steps should be relatively the same whether it be Exchange 2010, 2013 or 2016. The same goes for either console version 9.x or 18.xx and above. My screenshots were based on console version 9.4 and SEG version 9.5.

My sequence with this setup is a little different from what AirWatch recommends per their online documentation. I also confirmed with VMware support on this.

  1. Pre-requisites for Implementation of SEG (Classic Platform)
  2. Enable Basic Authentication – Moved up from step 3
  3. Configure the Classic Platform  – Moved down from step 2
  4. Install the SEG (Classic Platform)
  5. Configure the Classic Platform with the SEG Setup Wizard

Pre-requisites for Implementation of SEG (Classic Platform)

Follow the relevant sections (i.e. hardware, software, network, certificate, etc.) within the link. For instance, below we enabled SOAP API.


You may also enable REST API ahead of SEG V2 migration.


I suggest creating both the “SOAP API General” role and the SEG Admin Account required during SEG configuration now before proceeding further.


In here, you must grant Edit permission (confirmed with VMware support.)


Create an SEG Admin Account. It does not need access to the console other than making an API call. Like any basic account, the credential expires after 30 days starting with console version 9.4 which applies to the SEG Admin account as well. Per the link below, however, this would be OK until you are ready to upgrade your SEG at which point a new credential might need to be set.

API calls blocked if Basic Admin account authentication is past the password expiration period

“In environments in which basic authentication was used during the initial installation of the SEG (V2 or Classic) updated credentials will only need to be used when upgrading or reinstalling the SEG. After the setup procedure, SEG uses Certificate/CMS for authentication and, therefore, basic credentials are only required to establish initial communication.

You may also work with VMware support to extend the expiration date for ALL basic accounts from the default 30 days to 9999 days.




Enable Basic Authentication

This step is optional on the SEG server. Otherwise, anonymous authentication will be used.


Configure the Classic Platform

For Secure Email Gateway URL, enter https://external-SEG-URL and it will append /segconsole/management.ashx as well.
For Use Basic Authentication, selecting ENABLE will require additional info configured earlier.
You may skip the below if it’s not configured just yet.
Uncheck Use Default Settings to make changes accordingly.

Install the SEG (Classic Platform)

Right-click on the installer and run as administrator to begin installation.

Configure the Classic Platform with the SEG Setup Wizard


API Hostname: or your internal API URL.

Enter the email address as and click Verify.
You may change the Log Level here as you see fit to help expedite troubleshooting future issues.
For an additional SEG server, the AirWatch implementation engineer recommends setting it up manually instead of exporting the configuration file from the console first and then importing it back to the new SEG server.


To validate connectivity to Microsoft Exchange ActiveSync (EAS) from the SEG server, open a web browser and go to If the connection is successful, you should be prompted for your username and password.


As always, stay mobile!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.