Creating, configuring, and managing Secure Email Proxy clusters
Creating a Proxy cluster
After you successfully register your email proxy, you can create clusters to organize and assign common configurations to your email proxies. In Mobility Manager, clusters are for shared configuration only; an email proxy cluster is not a cluster in the traditional load-balancing or failover sense. As a best practice, Symantec recommends that you create a separate cluster for each CAS server that has a unique DNS entry.
Each Secure Email Proxy must be assigned to a cluster. (A proxy can only be assigned to one cluster and a single cluster can have one or more proxies.)
To create a cluster, access Settings > Email Proxy and click Create New Cluster. The cluster configuration page appears.
The Cluster configuration page
Create and configure a cluster
Specify the General Settings:
Pick a name that helps you differentiate this cluster from other clusters.
Create a description that explains why the proxies in this particular cluster are grouped together.
Tip: If you follow Symantec's recommendation of creating a separate cluster for each Client Access Server (CAS) that has a unique DNS entry, your description might include the name of the CAS server.
Active mode filters enrolled devices based on device compliance. Use active mode when running Secure Email Proxy in your production environment.
Passive mode allows all traffic through the proxy to your EAS. The verdict of which connections would have been permitted if the cluster had been in active mode is recorded in the log. Use passive mode when running Secure Email Proxy in a test environment.
Log levels specify the level of detail about the proxies in this cluster to be sent to your logs.
The logging levels are as follows:
Error - Emergency situation where the system is in an unusable state; severe situation where action is needed promptly; important problems that need to be addressed; or an error has occurred (something was unsuccessful).
Warning - Contains all of the information for the Error logging level plus information in which something out of the ordinary happened, but there is not a cause for concern. This log level is the default log level.
Information - Contains all of the Warning and Error logging level information plus informational-type messages that might be nice to know.
Debug - Contains all of the Error, Warning, and Information logging information plus information that can be useful to pinpoint where a problem occurs.
Tip: Select a logging level that provides the information you need to monitor the proxy, but doesn't overload your logs. For example, you can set the log level to Debug when you need to diagnose an issue. Then set it back to Warning when the issue is resolved.
External Proxy Address
The external proxy address is the public-facing IP address or FQDN that is assigned to your email proxy. If you have enabled a load balancer in front of your email proxy, the IP address or FQDN of the load balancer must be specified as the external proxy address. If you are using SSL, the external FQDN proxy address must include the FQDN of the SSL certificate used.
Specify the Proxy Connection to ActiveSync settings:
Address - Specify the fully qualified domain name or IP address of the server running ActiveSync. In most instances, this will be the same address as your Exchange Server. The ActiveSync and Exchange mail functions can be installed on different servers.
Port - Specify the port used for data transport between your email proxy and the ActiveSync server.
SSL checkbox - If you check SSL, you secure data transmission between your email proxy and your ActiveSync server. Symantec recommends that you check SSL so that connections from your email proxy to the ActiveSync server are secure.
Terminate SSL at the proxy
There are 2 options available for this function:
Enable [New Certificate] - When this option is selected, you are prompted to upload a valid SSL certificate (see below). This secures data transmission between the device and your email proxy. The SSL certificate you upload must be in PKCS#12 format and must include the private key.
For more information, see the section on SSL certificate chains on the Nginx website: http://nginx.org/en/docs/http/configuring_https_servers.html#chains
Disable - When this option is selected, the proxy does not terminate SSL. SSL may be terminated at some other point, such as on a load balancer in front of the proxy.
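The certificate requirements above (PKCS#12 format, private key included, FQDN matching the external proxy address) can be checked before upload. The following script is an added example, not part of the Symantec documentation or product; it assumes the openssl command-line tool is installed, and the function names, file names, and the FQDN used in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not vendor code): pre-upload check of a PKCS#12 bundle.
# Usage: sh check_p12.sh <bundle.p12> <password> <external-proxy-fqdn>
check_p12() {
  local p12="$1" pass="$2" fqdn="$3" leaf key cert_pub key_pub chain rc=0
  # Leaf certificate = the one tagged with the key's localKeyID (-clcerts).
  leaf="$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null)" || {
    echo "FAIL: cannot open bundle (wrong password or not PKCS#12)"; return 1; }
  # 1. The bundle must contain the private key, and it must pair with the leaf.
  key="$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null)"
  key_pub="$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)"
  cert_pub="$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey 2>/dev/null)"
  if [ -z "$key_pub" ]; then
    echo "FAIL: no private key in bundle"; rc=1
  elif [ "$key_pub" != "$cert_pub" ]; then
    echo "FAIL: private key does not match the certificate"; rc=1
  fi
  # 2. The certificate must cover the FQDN entered as External Proxy Address.
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$fqdn" 2>/dev/null |
       grep -q 'does match certificate'; then
    echo "FAIL: certificate does not cover $fqdn"; rc=1
  fi
  # 3. The certificate must not already be expired.
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate is expired or unreadable"; rc=1
  fi
  # 4. Report bundled intermediates (see the nginx note on certificate chains).
  chain="$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null |
           grep -c 'BEGIN CERTIFICATE')"
  echo "INFO: $chain intermediate/CA certificate(s) in bundle"
  if [ "$rc" -eq 0 ]; then echo "OK: bundle is ready to upload for $fqdn"; fi
  return "$rc"
}

# Constructed sample input: a self-signed certificate for a placeholder FQDN.
make_demo_p12() {
  local dir="$1" fqdn="$2" pass="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/demo.p12" -passout "pass:$pass"
}

if [ "$#" -eq 3 ]; then check_p12 "$@"; fi
```

On a shared host, supply the bundle password through openssl's `env:` or `file:` password sources instead of a command-line argument, which is visible in the process list.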
Once you have completed all the required (and any optional) settings, click Save.
The new cluster appears in the Available Clusters table. In the example below, cluster Proxy_Cluster_1 has been created:
After you successfully register your email proxy (normally as part of the email proxy installation), it appears as a node under Settings > Email Proxy in the Available Proxies section. For an available email proxy to be configurable, and thus functional, you must drag the email proxy node into a proxy cluster.
You must register your proxies before you can add them to a cluster. You can register your email proxy during installation or later through the command line.
Under Available Proxies, locate and drag one or more proxies to a cluster. In the example below, you can add ep51_2 or ep51.melega.loc to the Proxy_Cluster_1 cluster.
Tip: To reassign a proxy to a different cluster, unlink the proxy from the cluster first and then add it to the desired cluster. You can't just drag a proxy to another cluster.
Edit an existing cluster
In the Available Clusters table, click Edit beside the cluster that you want to edit.
Make your desired changes, and click Save.
When you make any modifications to a cluster, the services for all of the proxies in that cluster restart.
Remove (unlink) a proxy from a cluster
In the Available Clusters table, click the x beside the name of the proxy that you want to remove. Then confirm that you want to unlink the proxy from the cluster.
Unlinked proxies appear in the Available Proxies list. When a proxy is no longer part of a cluster, it no longer processes data and stops accepting connections. Proxies that are removed from a cluster continue to check in with Mobility Manager on a regular basis for updates in case they are added back to a cluster.
Tip: You must unlink every proxy from the cluster before you can delete the cluster.
Delete an existing cluster
When all proxies are removed from the cluster, in the Available Clusters table, click Delete in the right column of the row for the cluster that you want to remove. Then confirm that you want to remove it.