Welcome to post number 3 in the AirWatch series. Today we’ll be focusing on the Secure Email Gateway (SEG) and Mobile Access Gateway (MAG) features of AirWatch.  By now you have a good understanding of what AirWatch is and how it works from a high-level view; today we’re going to go a little deeper, discuss these two features, and look at whether or not you need to install them.


What’s a SEG and what does it do?

As part of AirWatch’s enterprise mobility solution, the SEG provides an increased layer of protection and control of your organization’s corporate email.  Everyone wants access to email all the time, and they want it in the palm of their hand.  While 24/7/365 access to corporate email on the go is a nice perk, there are inherent security risks that need to be addressed and mitigated and incorporating a SEG will help you get there.  Some of the known risks to corporate email are:

  • Misplaced devices – Leaving a BYOD/corporate owned device in a cab or at a restaurant gives strangers access to your email.
  • Interception of communications – With WiFi enabled on phones, you leave the front door of your device open to anyone with scanning tools and the know-how to intercept email traffic.
  • Mobile Malware – Yes, malware is mobile!  Phones are very susceptible to malware attacks, especially rooted or ROMd phones that are non-compliant with your organization’s BYOD program.

So what does SEG do to hit these risks head on and apply a security blanket to your corporate email infrastructure?  SEG can do a number of things to keep you safe, and while implementing all of them isn’t strictly necessary, you can find some features that would help you feel warm and fuzzy about your email on the go.  Here’s how SEG saves the day:

  • Whitelisting/Blacklisting Devices – The SEG can be configured to allow certain devices access to corporate email.  If you have corporate owned devices in your organization, you can create a whitelist and allow the SEG to pass email traffic to all whitelisted devices.  Conversely, if you have devices that need to be blocked from having access to email, you can create a blacklist to have SEG block email traffic to those devices.
  • Email attachment security – Email brings attachments, and attachments are one of the easiest ways malware and viruses are introduced to your corporate network.  With the SEG deployed, you can configure and determine how email attachments behave in your organization; for example, you can configure SEG to force email attachments to open only in an approved application such as AirWatch’s mobile content management tool, Content Locker.
  • Enhanced Administrative Control – SEG provides administrators greater control over the email traffic that flows in and out of the organization.  You can monitor email activity dashboards as an administrator to detect, isolate and manage email in accordance with your organization’s policies.
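As an added illustration (not AirWatch’s own code or configuration), here is a small Python policy engine that models the allow/block, compliance and attachment-handling decisions a gateway in front of Exchange ActiveSync makes, plus the audit line an administrator would review. The precedence order, field names, and the sample devices are constructed assumptions for this example only:

```python
"""
Constructed example (not AirWatch's code): a minimal policy engine modelling
the access decisions the text attributes to a Secure Email Gateway in front
of Exchange ActiveSync. Field names, precedence order and sample devices are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class Device:
    device_id: str              # value a client sends as its ActiveSync DeviceId
    platform: str               # e.g. "iOS", "Android"
    user: str
    compromised: bool = False   # rooted / custom ROM, as reported by the MDM compliance check
    enrolled: bool = True


@dataclass
class SegPolicy:
    whitelist: List[str] = field(default_factory=list)   # device IDs explicitly allowed
    blacklist: List[str] = field(default_factory=list)   # device IDs explicitly blocked
    default_allow: bool = False                          # unknown devices are blocked by default
    blocked_platforms: List[str] = field(default_factory=list)
    attachment_mode: str = "managed_app_only"            # or "allow" / "block"


@dataclass
class GatewayResult:
    decision: Decision
    reason: str
    attachment_mode: Optional[str]


def evaluate(device: Device, policy: SegPolicy) -> GatewayResult:
    """Decide whether one ActiveSync request is relayed to the mail server.

    Order matters: an explicit block always wins, then enrollment and
    compliance, then platform rules, and only then the allow-list.
    """
    if device.device_id in policy.blacklist:
        return GatewayResult(Decision.BLOCK, "device blacklisted", None)
    if not device.enrolled:
        return GatewayResult(Decision.BLOCK, "device not enrolled", None)
    if device.compromised:
        return GatewayResult(Decision.BLOCK, "device compromised (rooted/ROM)", None)
    if device.platform in policy.blocked_platforms:
        return GatewayResult(Decision.BLOCK, f"platform {device.platform} blocked", None)
    if device.device_id in policy.whitelist or policy.default_allow:
        return GatewayResult(Decision.ALLOW, "device permitted", policy.attachment_mode)
    return GatewayResult(Decision.BLOCK, "device not on whitelist", None)


def audit_line(device: Device, result: GatewayResult) -> str:
    """One log line per request, the kind of record an admin dashboard is built on."""
    return (f"seg user={device.user} device={device.device_id} "
            f"platform={device.platform} decision={result.decision.value} "
            f"reason='{result.reason}'")


def run_sample() -> List[GatewayResult]:
    """Run four constructed devices through one constructed policy."""
    policy = SegPolicy(whitelist=["CORP-IPHONE-01", "CORP-ANDROID-07"],
                       blacklist=["LOST-IPHONE-03"])
    devices = [
        Device("CORP-IPHONE-01", "iOS", "alice"),                          # whitelisted, compliant
        Device("LOST-IPHONE-03", "iOS", "bob"),                            # reported lost, blacklisted
        Device("CORP-ANDROID-07", "Android", "carol", compromised=True),   # whitelisted but rooted
        Device("BYOD-UNKNOWN-99", "Android", "dave"),                      # never whitelisted
    ]
    results = []
    for dev in devices:
        res = evaluate(dev, policy)
        print(audit_line(dev, res))
        results.append(res)
    return results


if __name__ == "__main__":
    run_sample()
```

The point of the ordering is that a whitelist entry never overrides a blacklist entry or a failed compliance check, which is what lets a lost or rooted corporate device be cut off without touching the whitelist.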

To give you an idea of how the SEG is positioned inline with your network resources and email infrastructure, check out the diagrams below; the first diagram is a SEG deployment with Exchange ActiveSync and no proxy in the DMZ.  The second diagram shows the SEG proxy relay in the DMZ with the SEG behind the corporate firewall.

Exchange ActiveSync SEG Configuration

Exchange ActiveSync SEG Using Reverse Proxy Configuration

What’s a MAG and what does it do?

In every organization there are certain internal resources that we don’t want exposed to the Internet or to devices that aren’t compliant with the BYOD program.  However, you want to maintain an environment where your employees can be productive when mobile, so how do you solve this?  Here is where the Mobile Access Gateway comes into play.  Let’s first look at some things that you don’t want happening to your corporate assets.

  • Data leakage – In today’s corporate world I think we all know too well about the potential for data leaks.  Not even high-level government data is safe in some well-known recent instances, so it’s important to take precautions against data leaks.
  • Data corruption – Many hackers out there today just want to get behind your firewall or exploit your employee’s device in order to corrupt corporate data.
  • Corporate espionage – There are companies out there, and third-party partners, that will look to gather whatever they can from your corporate data that is exposed to the Internet.  Obviously breaking into the network through the firewall is criminal, but picking up an employee’s phone left at the bar and “browsing” is most definitely not an illegal offense.

How does MAG protect you from these types of threats?  First off, user education should be your first line of defense, but because you can’t always trust end users to follow security guidelines, it’s necessary to take another proactive measure.  Implementing MAG will allow users and devices to traverse the firewall and get to the corporate data that they need to do their job on the go.  Here are several things you can configure the MAG to do for your organization:

  • Document repositories – The MAG can create internal document repositories and content in collaboration with AirWatch Content Locker.
  • Secure internal websites – MAG will allow you to secure internal company websites by forcing users to use AirWatch Secure Browser.
  • App Tunneling – This is a feature that is only for iOS 7 and higher devices.  Using the AirWatch Tunnel users can gain access to internal resources via secure tunneling.

For an idea of what a typical and a more advanced AirWatch deployment including MAG look like, see the diagrams below.  The first diagram shows what a typical AirWatch deployment with MAG could look like, and the second is a more advanced MAG deployment with a relay endpoint.

Simple MAG deployment

Advanced MAG deployment with relay proxy and load balancer

Do you need either of them?

If you have AirWatch installed in your environment and you care about securing your company’s mobile email and internal resources, then the answer is simple… YES.  If you don’t have either the SEG or MAG deployed currently, learn more about them, and contact me or your AirWatch/VMware sales person for help getting them deployed if you don’t know how.  SEG is built into the AirWatch console and can be downloaded and deployed from the email proxy section.  Be proactive with security, not reactive.  As the late great President JFK said, “The time to repair the roof is when the sun is shining.”  Well put.

Greg W Stuart
Greg is the owner and editor of He's been a VMware vExpert every year since 2011. Greg enjoys spending time with his wife and 3 kids. He works as a Sr. Consultant at VMware and resides in Northern Virginia, 15 minutes west of Washington DC.

13 thoughts on “AirWatch SEG & MAG… Do I need these?”

  1. Hi Greg,

    Nicely written article.. clear and concise.
    I have one question…
    What does SEG and more importantly MAG provide over and above for a company that is using an APN to reach their back end systems?


    1. @adhughesy Thanks for the kind words. I’m assuming you mean VPN, not sure what an APN is in relation to this article. With a SEG, you are going to get much more granularity in managing your corporate email and defining how it will be accessed and who will access it. There are far more rule sets available that are specifically designed for corporate email, which gives you the flexibility and monitoring that you want, without having to be a network know it all!

      1. We have multiple components with AirWatch …
        1) Directory service server
        2) cloud messaging service

        How to configure tags in AirWatch for smart groups filtration ??

        Help me in explaining these

  2. Hi
    I am new to airwatch – used MI before. New Company has an AW installation, but console only, no SEG and MAG. So as we do only have the green Bundle, are we allowed to use either one of those products? For me it is totally unclear where the SEG and MAG are included in the licenses. Another question is if the MAG is the same as the Tunnel, but only on Linux instead of Windows.


  3. Why SEG is required if the exchange server is present in internal network? Isn’t it enough to provide security?

  4. Why SEG is required if the exchange server is already placed in internal network, isn’t placing the server in internal network provides security?

    1. SEG is another layer of security that filters emails inbound and keeps your infrastructure safe from malicious attacks. Through Secure Gateway, companies can secure and manage their corporate email infrastructure by defining the business logic for connectivity. IT can allow or block both selected mobile users and approved devices and classes as well as create rule sets that require users to access mail using only approved Webmail clients and services. SEG offers more manageability of your corporate email access.

  5. Can the same MAG and SEG work for different entities in one infrastructure?
    Say I have company one with emails and company two with emails, they have trusts with each other and share resources, but live in different domains, have different mail servers, different Sharepoint and SQL.

    Thank you.

    1. Lucian,
      Thanks for reading! In this case you would need separate SEG and MAG deployments in order for it to work how it should. SEG is going to pass traffic through based on specific security settings, and it will pass it through to a singular Exchange endpoint. You may be able to pull this off with MAG, because MAG passes users through to secure internal resources behind the corporate firewall. I would need to know more about the MAG configuration and what you are trying to get to in order to answer that accurately. I’m getting ready to write an update to this post with all the new info based on AirWatch 9.1… there have been many changes, especially to MAG.

      Hope that helps,
