Before you install Secure Email Proxy and integrate it with Symantec Mobility: Suite, make sure that you understand how to deploy the proxy in your environment. The deployment model that is depicted below is based on Symantec's recommendations and should be followed as a best practice. All of the instructions for Secure Email Proxy in this documentation are based on the following deployment model.
A: The device sends the request to the first public-facing entry point into your network. Open inbound port 443 for this entry point.
Specify this FQDN or IP address in the Exchange ActiveSync Host field in the device policy and the ActiveSync host in Device Policy field in the cluster configuration.
B: Your network infrastructure forwards the request to the email proxy inbound NIC. (You must configure your network infrastructure to forward the request.) You configure the inbound NIC address when you install the email proxy.
C: The proxy forwards the request through the outbound NIC to the entry point for your mail server.
You configure the outbound NIC address when you install the email proxy. You specify the entry point FQDN or IP address in the Server Address field when you configure the cluster.
You configure the entry point to listen on port 443.
In Figure: Typical Secure Email Proxy deployment, the firewall is your first public-facing entry point. So you would specify the FQDN or IP address of your firewall in the Exchange ActiveSync Host field in the device policy and the ActiveSync host in Device Policy field in the cluster configuration. You would specify the incoming and outgoing NIC addresses when you install the email proxy. The entry point into your mail server environment is a load balancer. So you would specify the FQDN or IP address of this load balancer in the Server Address field when you configure the cluster.
Based on a typical deployment model, also consider the following:
If you have a firewall and/or a load balancer, install Secure Email Proxy behind them in a DMZ.
You can stand up multiple proxies behind a load balancer. The load balancer is expected to handle failover. When you use a load balancer, the recommended setting is to round-robin with persistence.
Symantec recommends no more than one proxy per Exchange Client Access server (CAS).
You secure the transmission from the device to the proxy by uploading a certificate when you configure your cluster. You must provide the PKCS#12 certificate.
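Before you upload the PKCS#12 file, you can check it with OpenSSL. The following script is an added example, not part of the Symantec documentation or tooling. It assumes that the bundle must contain the private key and that devices validate the certificate against the FQDN entered in the Exchange ActiveSync Host field (that is, the entry point passes TLS through to the proxy). The function name `check_p12` and the `P12_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload check of the PKCS#12 bundle for the email proxy.
# Usage: P12_PASS='bundle password' check_p12 <bundle.p12> <activesync-host-fqdn>
# The password is read from the environment so it never appears in the
# process list. Assumption: the certificate must match the ActiveSync host FQDN.
check_p12() {
    p12=$1; host=$2; rc=0

    # The private key is piped straight into the next command and is never
    # written to disk; only its public half is kept for comparison.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null)
    if [ -z "$key_pub" ]; then
        echo "FAIL: no readable private key (wrong password or certificate-only bundle)"
        return 1
    fi

    # Leaf certificate only (-clcerts skips CA certificates in the bundle).
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null)
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout 2>/dev/null)

    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key does not match the leaf certificate"; rc=1
    fi
    if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"; rc=1
    fi
    if ! printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover $host"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $p12 holds a matching, unexpired key pair for $host"
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate a deployment script.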