Symantec Secure Email Proxy Administration Guide




Documentation version: 4.4 (2)

Legal Notice

Copyright 2014 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our website at the following URL:
www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan | customercare_apac@symantec.com
Europe, Middle-East, and Africa | semea@symantec.com
North America and Latin America | supportsolutions@symantec.com

Setting up an email proxy for Symantec App Center

This document includes the following topics:
- Restricting mobile device access to organizational email
- Setting up the email proxy
- Selecting your email proxy deployment model
- Installing and registering the email proxy
- Installing SSL certificates for the email proxy
- Creating, configuring, and managing email proxy clusters
- Testing your email proxy
- Creating device policies that route email access through your email proxy
- Blocking email access for non-compliant devices
- Monitoring the health of your email proxy
- Unregistering your email proxy
- Uninstalling your email proxy
- Secure Email Proxy command line tools
- Secure Email Proxy default file locations

Restricting mobile device access to organizational email

Symantec App Center integrates with the Secure Email Proxy to manage access to your organization's Exchange ActiveSync mail server. It provides an access control point for email traffic to registered devices. When users attempt to access corporate email from their devices, the connection requests are routed through the email proxy. The email proxy verifies that the connections come from approved users on registered devices.

Supported email apps are as follows:

Email app | Supported platforms
Symantec Secure Email (mobile device management (MDM) is optional) | Android 4.x, iOS 7/6
iOS native email app (MDM is required) | iOS 7/6

Next
See Setting up the email proxy.

Setting up the email proxy

Follow this workflow to install and set up the email proxy and integrate it with Symantec App Center.

Table 1-1 Email proxy installation and setup workflow

Phase | Task | Description
1 | Select a deployment model. | Decide how you want to deploy the email proxy in your environment. See Selecting your email proxy deployment model.
2 | Install and register the proxy. | Install and register the email proxy through the command line. See Installing and registering the email proxy.
3 (optional) | Install SSL certificates. | You only need to install SSL certificates if you use SSL authentication. See Installing SSL certificates for the email proxy.
4 | Create and configure clusters. | Clusters let you assign the same configurations to multiple proxies. See Creating, configuring, and managing email proxy clusters.
5 | Test the proxy. | Before you deploy the proxy in your environment, test it first. See Testing your email proxy.
6 (optional) | Create a compliance rule. | You can create rules to block email access when a device is non-compliant. See Blocking email access for non-compliant devices.
7 | Create a device policy. | Your device policy must specify the Exchange ActiveSync host name or IP address of your proxy server or load balancer. It must also specify which email apps are supported and if MDM is required. See Creating device policies that route email access through your email proxy.
8 | Monitor the health of your proxies. | You can monitor the health of your proxies from the Admin Console. See Monitoring the health of your email proxy.

More information
See Restricting mobile device access to organizational email.

Get started
See Selecting your email proxy deployment model.

Selecting your email proxy deployment model

Before you install Secure Email Proxy and integrate it with Symantec App Center, you should consider which deployment option best suits your environment. The deployment options are based on where the SSL connection terminates. The proxy must terminate the SSL connection or it receives traffic in clear text.

Deployment options are as follows:
- SSL termination at proxy
- SSL termination at a load balancer
  You can stand up multiple proxies behind the load balancer. Each proxy runs independently and communicates with App Center; however, there is no data sharing between proxies. You can add and remove proxies as needed to handle additional loads. The load balancer is expected to handle failover. When you use a load balancer, the recommended setting is round-robin with persistence.

Note: Do not install the Secure App Proxy and Secure Email Proxy on the same server.

Figure 1-1 Typical email proxy deployment model

Deployment recommendations are as follows:
- No more than 5,000 connections per proxy.¹
- Install your proxy in a DMZ or behind a firewall.
- No more than one proxy per Exchange Client Access server (CAS).¹

¹ Microsoft recommendations

Refer to the following table for information about connectivity:

Between the proxy and App Center
    The email proxy makes HTTPS requests to App Center by connecting over SSL through port 443.

Between the device and the proxy
    ActiveSync is an HTTP-based protocol and, therefore, the device makes an HTTP/S request to the proxy (HTTPS is recommended). If HTTPS is used, you can install SSL certificates on a load balancer in front of the proxy, on the proxy, or both. You must determine the best point(s) of SSL termination based on your organization's architecture and requirements.
    While you can configure the email proxy to listen on any port regardless of whether you use SSL, standard practice is to configure port 80 for non-SSL traffic and port 443 for SSL (HTTP/S) traffic. Therefore, the deployment scenario you select determines which ports you should open. You configure the listening port for the email proxy during proxy installation. See Installing and registering the email proxy.
    Note: You can configure the iOS native email client to connect over any port, but the Secure Email client always connects over port 443 for HTTPS traffic.

Between the proxy and Exchange
    You can configure CAS servers to listen with or without SSL. Typically, SSL is configured, and the proxy connects to it over port 443. You enable SSL and specify the port in the App Center Admin Console.

Next
See Creating, configuring, and managing email proxy clusters.
See Installing and registering the email proxy.

More information
Hardening your App Center Secure Email Proxy
See Restricting mobile device access to organizational email.

Installing and registering the email proxy

After you decide on your deployment model, you're ready to install the email proxy and register it with Symantec App Center.

What you'll need

Server on which to install the email proxy
The server on which you install the proxy must meet the following minimum system requirements:
- 4 cores
- 8-GB RAM
- 20-GB disk space
- Physical or virtual machine
- 64-bit CentOS/RHEL 6.4 (see Install libicu)
- Java JRE 1.7.0_51 or later
- Recommended: two NICs, one internal facing and one external facing

For proxy installation, you'll need the following:
- IP address and port for receiving incoming connections
- Proxy name
  The proxy name is arbitrary, but it must be unique. It's the name by which App Center knows the proxy server.

For proxy registration, you'll need the following:
- Your App Center URL
  For example: http://appcenter.example.com
- User name and password
  A user that has admin rights to App Center

Download the email proxy .iso file

In the Admin Console, click Downloads > Download Secure Email Proxy.

Tip: This option appears at the bottom of the Downloads page.

Install libicu

The email proxy needs the libicu package. On RHEL 6.4 installations, you may need to install libicu prior to installing the email proxy.

On the server on which you install Secure Email Proxy, type the following command:

    yum install libicu

Install and register your email proxy

1. Copy the .iso to the server and mount it.
2. Run the following command:

       # ./setup.sh install

3. Follow the installation script.

The installation script prompts you to register your proxy, but you can also register later through the command line.

Important: You must register the proxy for the proxy and App Center to communicate, and it must be registered before it can be added to a cluster. See Secure Email Proxy command line tools.

Tip: If any installation or registration issues occur, refer to the logs. See Secure Email Proxy default file locations.

Next
See Installing SSL certificates for the email proxy.

More information
See Restricting mobile device access to organizational email.
See Selecting your email proxy deployment model.

Installing SSL certificates for the email proxy

After you install the email proxy and register it with Symantec App Center, you have the option to set up SSL certificates on the proxy server. The SSL certificate chain must begin with the server certificate, and the chained-certificate bundle must be concatenated after the server certificate. For more information, see the section on SSL certificate chains on the Nginx website:
http://nginx.org/en/docs/http/configuring_https_servers.html#chains

The certificate file should include all of the certificates in the same order as the certificate chain, starting from the SSL certificate itself down to the root CA (but excluding the root).

Set up the SSL certificate on your proxy server

1. Copy the certificate file to the following directory:
   /usr/local/nginx/certs/
2. Open the nginx.conf file in the following directory:
   /usr/local/nginx/conf
3. In the server section in the http configuration block, locate the following text:

       server {
           listen YourIPAddress:YourPort;
           include /usr/local/nginx/conf/ngao.conf;
       }

4. Add an ssl identifier to the listen directive. For example:

       server {
           listen 172.17.38.18:443 ssl;
           include /usr/local/nginx/conf/ngao.conf;
       }

5. Add the following lines beneath the listen directive:

       ssl_certificate /usr/local/nginx/certs/yourcert.crt;
       ssl_certificate_key /usr/local/nginx/certs/yourcertkey.key;

   For example:

       server {
           listen 172.17.38.18:443 ssl;
           ssl_certificate /usr/local/nginx/certs/yourcert.crt;
           ssl_certificate_key /usr/local/nginx/certs/yourcertkey.key;
           include /usr/local/nginx/conf/ngao.conf;
       }

6. Type the following command to restart nginx:

       # service nginx restart

Next
See Creating, configuring, and managing email proxy clusters.

More information
See Restricting mobile device access to organizational email.
See Installing and registering the email proxy.

Creating, configuring, and managing email proxy clusters

Create email proxy clusters to organize proxies and assign them common configurations. In Symantec App Center, email proxy clusters are for shared configuration only. Email proxy clusters are not clusters in the traditional sense of load balancing or failover.

You must register your proxies before you can add them to a cluster. You can register your email proxy when you install it or later through the command line.
See Installing and registering the email proxy.
See Secure Email Proxy command line tools.
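A pre-flight check for the bundle order required under "Installing SSL certificates for the email proxy" (server certificate first, intermediates after it, root excluded), added here as an example that is not part of the Symantec guide. It assumes the openssl command is installed; the function names and the throwaway demo chain are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Symantec code. Checks the order of a PEM bundle before
# nginx's ssl_certificate directive is pointed at it. Requires openssl.

# Split bundle $1 into $2/cert1.pem, $2/cert2.pem, ... and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (dir "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# check_bundle_order BUNDLE [KEYFILE]
# Returns 0 when each certificate is issued by the one after it, no
# self-issued (root) certificate follows the first one, and, if KEYFILE is
# given, the private key belongs to the first (server) certificate.
check_bundle_order() {
    local bundle=$1 key=${2:-} tmp count i=1 status=0 subj iss next
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$bundle" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle"; rm -rf "$tmp"; return 1
    fi
    while [ "$i" -le "$count" ]; do
        subj=$(openssl x509 -noout -subject_hash -in "$tmp/cert$i.pem")
        iss=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
        if [ "$i" -gt 1 ] && [ "$subj" = "$iss" ]; then
            echo "certificate $i is self-issued (root CA): leave it out"
            status=1
        fi
        if [ "$i" -lt "$count" ]; then
            next=$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")
            if [ "$iss" != "$next" ]; then
                echo "certificate $i is not issued by certificate $((i + 1)):" \
                     "wrong order or missing intermediate"
                status=1
            fi
        fi
        i=$((i + 1))
    done
    if [ -n "$key" ] && [ "$(openssl x509 -noout -pubkey -in "$tmp/cert1.pem")" \
                          != "$(openssl pkey -pubout -in "$key")" ]; then
        echo "private key does not match the first certificate"
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# Build a throwaway root -> intermediate -> server chain in directory $1 and
# write good.pem, reversed.pem and withroot.pem. Constructed test data only:
# the names are made up and no CA extensions are set on the intermediate.
make_demo_chain() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
    cat "$d/server.crt" "$d/int.crt" > "$d/good.pem"
    cat "$d/int.crt" "$d/server.crt" > "$d/reversed.pem"
    cat "$d/server.crt" "$d/int.crt" "$d/root.crt" > "$d/withroot.pem"
}

# Demo run against the constructed chain.
demo=$(mktemp -d)
make_demo_chain "$demo"
for b in good reversed withroot; do
    if check_bundle_order "$demo/$b.pem" "$demo/server.key"; then
        echo "$b.pem: order OK"
    else
        echo "$b.pem: rejected"
    fi
done
rm -rf "$demo"
```

The check compares issuer and subject name hashes only; it does not validate signatures or expiry dates.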

Create and configure a cluster

1. Click Settings > Email Proxy > Create New Cluster.
2. On the General Settings page, specify the cluster settings.

   Important: In active mode, the proxy enforces rules when the device is registered and in compliance. Otherwise, access is denied. In passive mode, the proxy behaves the same way as active mode. However, the verdict of which connections would have been permitted if the cluster had been in active mode is recorded in the log. This information lets you test the cluster before you make it active.

   Tip: You may want to initially set a cluster to passive mode until you have tested all of the proxies in the cluster. See Testing your email proxy.

3. Under Traffic Settings, specify the host name, ActiveSync server, and port for the cluster. Also indicate if you want to use SSL.
4. Click Save. The new cluster appears in the Available Clusters table.

Add a proxy to a cluster

Under Available Proxies, locate and drag one or more proxies to a cluster.

Tip: To reassign a proxy to a different cluster, unlink the proxy from the cluster first and then add it to the desired cluster. You can't simply drag a proxy to another cluster. See Remove (unlink) a proxy from a cluster.

Edit an existing cluster

1. In the Available Clusters table, click Edit beside the cluster that you want to edit.
2. Make your desired changes, and click Save.

When you make any modifications to a cluster, the services for all of the clusters restart.

Remove (unlink) a proxy from a cluster

In the Available Clusters table, click the x beside the name of the proxy that you want to remove. Then confirm that you want to unlink the proxy from the cluster. The unlinked proxies appear in the Available Proxies list.

When a proxy is no longer part of a cluster, it no longer processes data and stops accepting connections. Proxies that have been removed from a cluster continue to check in with App Center on a regular basis for updates in case they are added back to a cluster.

Important: You must unlink every proxy from the cluster before you can delete the cluster.

Delete an existing cluster

When all proxies have been removed from the cluster, in the Available Clusters table, click Delete in the right column of the cluster row that you want to remove. Then confirm that you do want to remove it.

Next
See Testing your email proxy.

More information
See Restricting mobile device access to organizational email.
See Installing SSL certificates for the email proxy.
See Monitoring the health of your email proxy.
See Unregistering your email proxy.

Testing your email proxy

Before you create Symantec App Center device policies to use the Secure Email Proxy, you should test it in passive mode first. In passive mode, the proxy allows access to your organization's email, but also logs activity for you to view for troubleshooting purposes. See Secure Email Proxy default file locations.

Configure the cluster to passive mode

1. Click Settings > Email Proxy.
2. Select the cluster that contains the proxy you want to test, and click Edit.
3. Change the Mode to Passive, change the Logging Level to Information, and click Save.

Create a device policy

1. Create a device policy. See Creating device policies that route email access through your email proxy.
2. Make sure that the device policy has the highest precedence. See "Prioritizing device policies".

Attempt email access

From a mobile device, attempt to access your organization's email. The device that you use to test the policy should:
- Belong to a person in the target group to whom you've assigned the device policy
- Meet the device policy compliance rules, if any
- Contain the email app that you permit in your device policy
- Have MDM enabled if required per the device policy
- Contain the native App Center App

Check the proxy logs

1. On the proxy server, access the logs in the following location:
   /usr/local/nginx/logs
2. View the logs to determine if email access would have been permitted.

Log file entries in passive mode are prepended with the following:

    [Passive Mode] Decision in Active Mode will be:

Below is an example of what the log files might look like in passive mode:

    2014/04/03 14:40:06 [info] 22043#0x00007f872a535700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is blocked: [EAS:Applxxxxxxxxxx] key does not exist in Redis. User: domain\user1; DeviceId: Applxxxxxxxxxx PolicyId: xxxxxxxxx; UserAgent: Apple-iPhone3C1/1102.55400001 domain\user1

    2014/04/03 14:40:09 [info] 22043#0x00007f872a535700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is blocked: [EAS:Applxxxxxxxxxx] is BLOCKED. User: domain\user1; DeviceId: Applxxxxxxxxxx PolicyId: xxxxxxxxx; UserAgent: Apple-iPhone3C1/1102.55400001 domain\user1

Allowed requests:

    2014/04/03 15:35:43 [info] 43678#0x00007f01fdbd2700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is allowed. User: domain\user1; DeviceId: Applxxxxxxxxx; PolicyId: xxxxxxxx; UserAgent: Apple-iPhone3C1/1102.55400001 domain\user1

Tip: When you've finished your testing, don't forget to delete or modify your test device policy and set your cluster to Active mode.

Next
See Blocking email access for non-compliant devices.

More information
See Restricting mobile device access to organizational email.
See Creating device policies that route email access through your email proxy.

Creating device policies that route email access through your email proxy

You can create a device policy in Symantec App Center that directs email traffic through your email proxy for the email apps that you allow.
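An added example (not part of the Symantec guide) for the "Check the proxy logs" step: it tallies the passive-mode verdicts per user and device so you can see who would be blocked before setting the cluster to Active. The sample lines are constructed in the log format shown above, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Symantec code. Tallies passive-mode verdicts per user and
# device from the email proxy log (the guide gives /usr/local/nginx/logs).

# Constructed sample input in the format shown in the guide. Users, device IDs
# and policy IDs are made up; the last line is an unrelated entry to be skipped.
sample_log() {
    cat <<'EOF'
2014/04/03 14:40:06 [info] 22043#0x00007f872a535700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is blocked: [EAS:ApplDEVICE0001] key does not exist in Redis. User: corp\alice; DeviceId: ApplDEVICE0001 PolicyId: 1001; UserAgent: Apple-iPhone3C1/1102.55400001 corp\alice
2014/04/03 14:40:09 [info] 22043#0x00007f872a535700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is blocked: [EAS:ApplDEVICE0001] is BLOCKED. User: corp\alice; DeviceId: ApplDEVICE0001 PolicyId: 1001; UserAgent: Apple-iPhone3C1/1102.55400001 corp\alice
2014/04/03 15:35:43 [info] 43678#0x00007f01fdbd2700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is allowed. User: corp\bob; DeviceId: ApplDEVICE0002; PolicyId: 1001; UserAgent: Apple-iPhone3C1/1102.55400001 corp\bob
2014/04/03 15:36:10 [info] 43678#0x00007f01fdbd2700: [EmailProxy] [Passive Mode] Decision in Active Mode will be: Request is allowed. User: corp\bob; DeviceId: ApplDEVICE0002; PolicyId: 1001; UserAgent: Apple-iPhone3C1/1102.55400001 corp\bob
2014/04/03 15:37:00 [notice] 43678#0: signal process started
EOF
}

# summarize_passive [LOGFILE...]   (reads stdin when no file is given)
# Output, tab-separated: user, device ID, allowed count, blocked count,
# most recent block reason ("-" if never blocked).
summarize_passive() {
    awk '
    # Text that follows label, cut at the next ";" or space ("-" if absent).
    # The guide shows DeviceId both with and without a trailing ";".
    function field(line, label,    p, rest) {
        p = index(line, label)
        if (p == 0) return "-"
        rest = substr(line, p + length(label))
        sub(/[; ].*$/, "", rest)
        return rest
    }
    BEGIN {
        marker = "[Passive Mode] Decision in Active Mode will be: "
        blockmsg = "Request is blocked: "
    }
    {
        p = index($0, marker)
        if (p == 0) next                      # not a passive-mode verdict
        verdict = substr($0, p + length(marker))
        key = field($0, "User: ") "\t" field($0, "DeviceId: ")
        seen[key] = 1
        if (index(verdict, "Request is allowed") == 1) {
            allowed[key]++
        } else if (index(verdict, blockmsg) == 1) {
            blocked[key]++
            r = substr(verdict, length(blockmsg) + 1)
            q = index(r, " User: ")
            reason[key] = (q ? substr(r, 1, q - 1) : r)
        }
    }
    END {
        for (key in seen)
            printf "%s\t%d\t%d\t%s\n", key, allowed[key], blocked[key],
                   ((key in reason) ? reason[key] : "-")
    }' "$@" | sort
}

# Exit status 0 only when no request would have been blocked in Active mode.
ready_for_active() {
    summarize_passive "$@" | awk -F '\t' '$4 > 0 { bad = 1 } END { exit bad + 0 }'
}

# Demo run on the constructed sample.
sample_log | summarize_passive
if sample_log | ready_for_active; then
    echo "No blocked verdicts in this log"
else
    echo "Blocked verdicts present: review them before switching to Active mode"
fi
```

On the proxy server, pass the log file under /usr/local/nginx/logs as the argument instead of piping in the sample. User names that contain spaces are cut at the first space.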

Create a device policy

1. Click Device Policy > New Policy and specify a name and description for your policy.
2. Add the groups for which this policy applies.
3. Under General Settings, indicate whether MDM is required.
   The iOS native email app requires that MDM be enabled. The Symantec Secure Email app (for iOS or Android) supports MDM, but doesn't require it. See Specify which email apps are allowed.

Select a compliance rule (optional)

Click the Compliance Rule drop-down list and select a rule. Compliance rules are optional. See Blocking email access for non-compliant devices.

Specify which email apps are allowed

Under Email Settings, do one of the following:

To use an existing Shared Settings configuration
    Click the EAS Access Control drop-down list and select an existing configuration.

To create a new configuration
    1. Click New.
    2. Type a name and description for this configuration.
    3. Select which email apps are permitted.
       Tip: The iOS native email app requires that MDM be enabled. The Symantec Secure Email app (for iOS or Android) supports MDM, but doesn't require it.
    4. Click Save.

Specify the proxy through which to direct email traffic

Configure the options for the email apps that are allowed:

Secure Email app
    Under Email Settings, do one of the following:
    - To use an existing Shared Settings configuration:
      Click the Secure Email Configuration drop-down list and select an existing configuration.
    - To create a new configuration:
      Beside Secure Email Configuration, click New.
      Type a name and description for this configuration.
      In the Exchange ActiveSync Host field, type the host name or IP address of the proxy or load balancer (if the proxy is fronted by a load balancer).
      Configure the remainder of the options based on your email proxy server. See "Symantec Secure Email shared policy settings".
      Click Save.

Native iOS email app
    Under iOS Settings > Exchange Active Sync Configuration, do one of the following:
    - To use an existing Shared Settings configuration:
      In the Exchange Active Sync Configuration box, click Add, click the configuration that you want to use, and click Select.
    - To create a new configuration:
      In the Exchange Active Sync Configuration box, click New.
      Type a name and description for this configuration.
      Type the Exchange Server Name that you want to appear as the email location on the device.
      In the Exchange ActiveSync Host field, type the host name or IP address of the proxy or load balancer (if the proxy is fronted by a load balancer).
      Configure the remainder of the options as needed. See "iOS shared policy settings".
      Click Save.

Configure other device policy options

1. Configure any of the other device policy options you require. See "Creating device policies".
2. Click Save.

Next
See Monitoring the health of your email proxy.

See Restricting mobile device access to organizational email on page 8.

Blocking email access for non-compliant devices

You can create device policies in Symantec App Center that block user access to your organization's email if their device is non-compliant.

Configure the compliance rule

1 Create or edit a compliance rule and specify the rule requirements.
2 Under Enforcements, check Block access to email and click Save.

Apply the compliance rule to a device policy

1 Create or modify a device policy.
  See Creating device policies that route email access through your email proxy on page 19.
2 Under General Settings, click the Compliance Rule drop-down menu and select the rule that you created.
3 Click Save.

More information

Click here for the interactive workflow.
See Creating device policies that route email access through your email proxy on page 19.
See Restricting mobile device access to organizational email on page 8.

Monitoring the health of your email proxy

Registered Secure Email Proxies check in with Symantec App Center on a regular basis and report their status. You can monitor your proxy status from the Admin Console. Proxy health is color-coded as follows:

Gray     The proxy is registered, but it is not assigned to a cluster.
Green    Healthy. The proxy checked in 10 minutes or less ago.
Yellow   Warning. The proxy hasn't checked in for more than 30 minutes.
Red      Error. The proxy has experienced a failure applying configuration updates or applying policies. App Center might have also detected the proxy processes are not running.

If the email proxy can't communicate with App Center, access is based on the last known device policy.

Important: Access is allowed during this time even if the device becomes non-compliant. But users who are blocked from email access continue to be blocked. After the proxy restarts, users are allowed or blocked access based on the most current device policy.

Monitor the health of your proxies

1 Click Settings > Email Proxy.
2 In the Available Clusters table or the Available Proxies list, click the name of the proxy you want to see more information about.
  Details about that proxy along with all of the other proxies in the cluster appear. This information includes the date and time of the last check-in, the status of the proxy, and any available information about the proxy.
3 For additional information, check the proxy logs. By default, the proxy logs are in the following location:
  /usr/local/nginx/logs

More information

Click here for the interactive workflow.
See Restricting mobile device access to organizational email on page 8.

Unregistering your email proxy

When you unregister Secure Email Proxy from Symantec App Center, the following events occur:

  The proxy no longer checks in with Symantec App Center
  It stops accepting connections
  Policy, configuration, and user data are deleted
  The proxy no longer appears on the Settings > Email Proxy page in the App Center Admin Console

You must unregister the email proxy before you uninstall it.
See Uninstalling your email proxy on page 24.

Remove the proxy from the cluster

1 Click Settings > Email Proxy.
2 In the Available Clusters list, locate the proxy that you want to unregister and click the x beside the name.
  You must unlink the proxy from the cluster before you can unregister it.
3 Confirm that you want to unlink the proxy from the cluster.

Unregister the proxy

1 In the Available Proxies list, locate the proxy that you want to unregister and click the x beside the name.
2 Confirm that you want to delete the proxy.

More information

See Restricting mobile device access to organizational email on page 8.
See Creating, configuring, and managing email proxy clusters on page 15.
See Secure Email Proxy command line tools on page 25.

Uninstalling your email proxy

Before you uninstall Secure Email Proxy, you must unregister the proxy from Symantec App Center first.
See Unregistering your email proxy on page 23.

If you install the email proxy with the default settings, the uninstall script performs a clean uninstallation of the nginx directory, removing Secure Email Proxy and its related files. If you modified the location of installation and log files, all email proxy files may not be removed during uninstallation. In that case, you'll need to locate and manually delete these files when you permanently uninstall the email proxy.

A user and group account are created when you initially install Secure Email Proxy. The default user and group account names are both symc-proxy, but you can customize these names. You may want to remove the user and group account names if you permanently uninstall the email proxy. However, make sure that you don't inadvertently remove possible shared accounts.

Run the uninstall script

1 Change directories to the directory that contains the uninstall.sh script. The default location of the uninstall.sh script is:
  /usr/local/nginx/scripts
  Tip: If you cannot run the uninstallation from the uninstall.sh scripts folder for any reason, you can mount the email proxy.iso file and use the setup.sh script to uninstall.
2 Type the following command:
  # ./uninstall.sh

More information

See Restricting mobile device access to organizational email on page 8.
See Secure Email Proxy default file locations on page 26.

Secure Email Proxy command line tools

Modify Secure Email Proxy after installation through the command line using the configure.sh script. The nginx service automatically restarts after the command finishes executing.

The default location of the script is as follows:
  /usr/local/nginx/scripts

The usage is as follows:
  # ./configure.sh [OPTIONS] {TOOL}

Table 1-2 lists the tools that you can execute using the configure.sh script.

Table 1-2 Configure.sh tools

network
  Configures the network parameters. The configuration script prompts you for the network interface and port that receives/transfers data.

proxy listen
  Configures the listening parameters of your proxy. The configuration script prompts you for the listening parameters of the proxy: IP, port, SSL (on or off).

proxy registration check
  Checks to see if your proxy server is registered.

proxy registration [App Center URI] [proxy name] [username] [password]
  Provides the parameters to register your proxy with App Center. You can type all of the parameters to register your proxy or let the script prompt you.

redis display_password
  Displays the password used by Redis.

redis new_password
  Generates a new password for Redis.

redis port [port number]
  Configures the Redis port.

More information

See Restricting mobile device access to organizational email on page 8.

Secure Email Proxy default file locations

Table 1-3 lists the default location for Secure Email Proxy files.

Table 1-3 Secure Email Proxy default file locations

File                                        Location
Secure Email Proxy                          /usr/local/nginx
configure.sh and uninstall.sh files         /usr/local/nginx/scripts
setup.sh installation data and log files    /var/lib/symc.inventory
Main binary files                           /usr/local/nginx/sbin
Configuration files                         /usr/local/nginx/conf
Security certificates                       /usr/local/nginx/certs
Nginx log files                             /usr/local/nginx/logs

The log files contained in the /usr/local/nginx/logs folder are as follows:

error.log          Contains logs on users and devices which are blocked or allowed by the proxy
controller.log     Contains logs on proxy communication with App Center
registration.log   This log is written during the proxy registration process with App Center
redis.log          Internal database process logs

More information

See Restricting mobile device access to organizational email on page 8.
See Uninstalling your email proxy on page 24.
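
The uninstall section notes that files in customized locations and the symc-proxy user and group can remain after uninstall.sh runs. The following script is an added example, not part of the product or this guide's tooling, that reports what remains without deleting anything. It assumes the default paths from Table 1-3 and the default account name; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the product): report Secure Email Proxy leftovers
# after uninstall.sh has run. Paths and the symc-proxy name are this guide's
# defaults; function names are illustrative. Nothing is deleted.

# Default locations taken from Table 1-3.
SEP_PATHS="/usr/local/nginx /usr/local/nginx/certs /usr/local/nginx/logs /var/lib/symc.inventory"

# leftover_paths ROOT: print the default locations that still exist under ROOT.
# ROOT is "" on a live host; a prefix lets you point the check at a mounted image.
leftover_paths() {
    for p in $SEP_PATHS; do
        [ -e "$1$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# owned_files DIR UID: print files under DIR still owned by the numeric UID.
# This catches files left in a customized install or log location.
owned_files() {
    find "$1" -xdev -uid "$2" -print 2>/dev/null
}

# account_exists DB NAME: DB is "passwd" (user) or "group".
account_exists() {
    getent "$1" "$2" >/dev/null 2>&1
}

# audit ROOT SEARCH_DIR [ACCOUNT]: returns 0 when clean, 1 when anything remains.
audit() {
    acct="${3:-symc-proxy}"; rc=0
    left=$(leftover_paths "$1")
    if [ -n "$left" ]; then echo "Remaining default paths:"; echo "$left"; rc=1; fi
    if account_exists passwd "$acct"; then
        echo "User account still present: $acct"; rc=1
        owned=$(owned_files "$2" "$(id -u "$acct")")
        if [ -n "$owned" ]; then echo "Files owned by $acct:"; echo "$owned"; fi
    fi
    if account_exists group "$acct"; then echo "Group still present: $acct"; rc=1; fi
    return $rc
}

# Runs against the live system only when asked: sh audit.sh --run /opt
if [ "${1:-}" = "--run" ]; then audit "" "${2:-/}"; fi
```

Review the owned-files list before removing the account, since a shared account may own files that do not belong to the proxy.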