How to install and configure a Secure Email Proxy for use with Symantec Mobility 5.3 or later


Article ID: 178676

Products

Mobility Suite


Resolution

Email and App Proxy

Note: For use with Symantec Mobility 5.3 or later.

1.       Deploy a cluster of VMs (Virtual Machines) matching the number of CAS/EAS server front-ends used by the organization.

Note: Follow HOWTO110252 to create these VMs.  Each will require 8GB RAM and at least two dual-core processors.  Optionally configure two NICs per proxy, one for internal communication and the other for device communication.  However, a single NIC can handle both internal and external communication with the proper routing.

2.       From the Mobility Admin Console > Downloads click the Download secure proxy link.

3.       Follow HOWTO110248 to transfer the ISO file to each Secure Proxy front-end.

4.       From the proxy’s terminal, install libicu by entering the following as root:
sudo yum -y install libicu

5.       Download the JRE 1.7.51 RPM or later from the Oracle website and follow HOWTO110248 to transfer it to the proxy server.

6.       Install the RPM, as root, using a command like:
sudo rpm -ivh jre-8u45-linux-x64.rpm

7.       Verify that java has successfully installed by entering the following:
java -version

8.       Once libicu and the Java Runtime Environment are installed, create a mount point for the Secure Proxy ISO by entering, as root:
mkdir /mnt/iso

9.       Mount the Secure Proxy ISO using a command like:
sudo mount -o loop /tmp/SecureProxy_x86_64_R5.3-17.iso /mnt/iso

Note: The mount command syntax used above is: sudo mount -o loop <PathtoISO> <MountDirectory>

10.   Change directories to /mnt/iso by entering:
cd /mnt/iso

11.   Execute the setup.sh script by entering the following, as root:
sudo ./setup.sh --install

12.   When prompted to create a user account, press Enter to accept the default.

13.   Do the same for the group name.

Note: If an error occurs saying perl(DBI) is needed by squid-3.4.12-20151200914.x86_64, install perl-DBI using a command like sudo yum -y install perl-DBI and repeat steps 11 and 12.  SELinux may block the symc-proxy user and its processes; follow http://www.symantec.com/docs/HOWTO110257 to set it to disabled or permissive mode, then repeat steps 11-13.
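The prerequisites from steps 4 through 11 and the Note above (libicu, perl-DBI, a JRE of 1.7.51 or later, SELinux not enforcing, the ISO mounted at /mnt/iso) can be verified on the proxy host before setup.sh is run.  The following pre-flight script is an added example, not part of this article or the Secure Proxy ISO; it assumes a RHEL/CentOS host with rpm and getenforce available.

```shell
#!/bin/sh
# Pre-flight checks for a Secure Email Proxy host (added example, not part of
# the original article). Assumes a RHEL/CentOS host with rpm and getenforce.

# java_version_ok VERSION: returns 0 when VERSION, as quoted by `java -version`
# (e.g. "1.7.0_51" or "1.8.0_45"), is 1.7.51 or later. Only the 1.x version
# scheme used by JRE 7/8 is understood.
java_version_ok() {
    major=$(echo "$1" | cut -d. -f2)       # "1.7.0_51" -> 7
    update=$(echo "$1" | sed 's/.*_//')    # "1.7.0_51" -> 51
    case "$major$update" in *[!0-9]*|"") return 1 ;; esac
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$update" -ge 51 ]
}

# selinux_mode_ok MODE: SELinux in Enforcing mode blocks the symc-proxy user,
# so only Disabled or Permissive pass.
selinux_mode_ok() {
    case "$1" in Disabled|Permissive) return 0 ;; *) return 1 ;; esac
}

# installed_java_version: the quoted version string from `java -version`,
# or empty when java is not on the PATH.
installed_java_version() {
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# run_preflight: runs every check on this host, prints one line per check
# and returns the number of failed checks (0 means ready for setup.sh).
run_preflight() {
    failed=0
    for pkg in libicu perl-DBI; do
        if rpm -q "$pkg" >/dev/null 2>&1; then echo "ok   $pkg installed"
        else echo "FAIL $pkg missing (sudo yum -y install $pkg)"; failed=$((failed+1)); fi
    done
    ver=$(installed_java_version)
    if java_version_ok "$ver"; then echo "ok   java $ver"
    else echo "FAIL java version '$ver' (need JRE 1.7.51 or later)"; failed=$((failed+1)); fi
    # A host without getenforce has no SELinux at all; treat it as Disabled.
    mode=$(getenforce 2>/dev/null || echo Disabled)
    if selinux_mode_ok "$mode"; then echo "ok   SELinux $mode"
    else echo "FAIL SELinux $mode (see HOWTO110257)"; failed=$((failed+1)); fi
    if [ -f /mnt/iso/setup.sh ]; then echo "ok   /mnt/iso/setup.sh present"
    else echo "FAIL Secure Proxy ISO not mounted at /mnt/iso"; failed=$((failed+1)); fi
    return "$failed"
}
```

Run run_preflight as root on each proxy front-end and fix every FAIL line before executing setup.sh --install.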

14.   Enter y to configure the proxy now.

15.   Follow the prompts to configure the incoming and outgoing connections.

Tip: The incoming connection, from devices, should be 443 (default).

16.   Optionally enter a unique name for your proxy server.  This name is arbitrary but should be unique enough to identify this proxy within the Mobility Admin Console.

17.   Register the proxy to a Mobility tenant by entering the FQDN of the Mobility server.

18.   Enter a local or LDAP/AD (if EIDP is used) administrative credential to register the proxy with Mobility.

Email Proxy Cluster Configuration

1.       From the Mobility Admin Console > Settings > Proxies click (+Add Cluster).

2.       Fill in the name, description and set the logging level to Debug.

3.       Ensure that Email Proxy is selected as the intended role.

4.       Set an external proxy address.

Note: This address may be the address of the virtual application on the load balancer, if one is being used for multiple email proxies.  Otherwise enter the published FQDN of the Email Proxy FE.

5.       Set the Mode to Passive for testing purposes.

6.       Keep Push deactivated; see the documentation for detailed instructions on enabling Push for iOS 7 and later devices.  Basic email proxy functionality will not be hindered by leaving it deactivated for now.

7.       Enter the routable address from the Email proxy to the EAS server or CAS front-end.

Tip: If the environment is already load-balancing between CAS FEs, consider the number of hops between the device and the Email Proxy (or proxies).  You may want to point the proxy directly to the internal CAS FE rather than the load-balanced address to reduce latency, especially if an LB method is already being used between Secure Email Proxies.

8.       Choose Yes to terminate SSL at the proxy, unless it is going to be terminated at the load balancer.  In either scenario a valid SSL certificate is required for devices to trust the connection.  Obtain a PKCS7 certificate with a matching CN (Common Name) and upload it to the cluster configuration.

9.       Click Save.

10.   Click (Available Proxies) to expand the list and drag the newly registered proxy into the Associated proxies column.

11.   Allow up to 5 minutes for the Proxy to receive its new configuration.

Tip: The proxy logs are located in /usr/local/nginx/logs/.  The controller.log file tends to contain the most useful information at this stage.

12.   Test the email proxy from an iOS device by manually configuring an exchange email setting.

Tip: Also confirm that the proxy is accessible from the Internet by browsing to the cluster FQDN in a browser.  A 403 error will confirm connectivity.  If no connectivity is established, check the firewall settings: for example, temporarily stop iptables with a command like service iptables stop.  To add an inbound iptables exception for port 443 instead of disabling the firewall, the following commands should suffice:
/sbin/iptables --insert INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/etc/init.d/iptables save

13.   Now that the Email Proxy cluster contains an active proxy, the administrator can set a device or app config to use this cluster’s FQDN as the EAS server.

Note: Flip the cluster configuration from Passive to Active mode.  This will require devices to be compliant and have a policy allowing email access via the proxy.
