1 Reply Latest reply on Jun 23, 2020 5:49 PM by chengtmskcc

    Exchange Full Hybrid (Exchange On-Premises & Exchange Online) & Secure Email Gateway

    mdasmall Lurker

      When running a full hybrid with Exchange on-premises and Exchange Online, what options are there for maintaining AirWatch enrollment and protecting access to corporate email?

       

      We currently have SEG servers in place with Exchange on-premises only.

       

      If we move to the full hybrid scenario I mentioned above, how do you utilize the same protection the SEG server offers after a user's mailbox is migrated to Exchange Online?

       

      I would prefer to avoid having all ActiveSync traffic continue to depend on the Exchange on-premises servers for mailboxes that have been moved to Exchange Online.

       

      Is there a way to configure AirWatch to maybe use the SEG servers for mailboxes that still live on-premises but deploy a different profile that maybe uses the newer PowerShell method and have the people whose mailboxes were moved access them directly via Exchange Online and still be protected?

       

      I'm trying to understand my options here.

        • 1. Re: Exchange Full Hybrid (Exchange On-Premises & Exchange Online) & Secure Email Gateway
          chengtmskcc Hot Shot

          Have you opened a support ticket with VMware? We are in the same boat migrating all on-premises mailboxes to the cloud by year end.

           

          I'm not an Exchange expert by any means, but I do have a few ideas in mind:

           

          • New Exchange profile with OAuth enabled for password-less authentication for native mail app on iOS
            • VMware needs to confirm traffic flow as it is not supported through SEG (for security)
            • Additional configuration may be required for on-premises/online Exchange to allow direct EAS connection from mobile devices
            • Managed Gmail app on Android Enterprise device is not supported
          • Another option for password-less authentication is to set up Kerberos Constrained Delegation (KCD). This will work for both the native client on iOS and the managed Gmail app on Android
          • Migrate users in phases from existing mail profile to new mail profile pointing to the new mail endpoint