This section explains the requirements and prerequisites for using ENS2 with Workspace ONE UEM.
Email Server Integration Supported Versions
- Email Client – For Android support, you must have ENS2 1.3.0.4 or later and Workspace ONE Boxer 5.2 or later.
- Email Server – Exchange 2010 SP3, Exchange 2013 SP1, Exchange 2016, Exchange 2019 (for on-premises ENS2 version 1.7 and later), or Office 365.
- For ENS2 on-premises with ENS2 version 1.8 and later, Office 365 is supported.
Workspace ONE UEM Requirements
- On-premises and Cloud deployment: Workspace ONE UEM console 1902 and later
Hardware Requirements (On-Premises Only)
CPU Core | RAM | Hard Disk Storage | Notes |
---|---|---|---|
2 (Intel processor) | 16 GB | 30 GB | Per 100,000 users. |

CPU Core | RAM | Hard Disk Storage | Notes |
---|---|---|---|
2 (Intel processor) | 16 GB (minimum) | Approx. 0.0477 MB per user to estimate the DB storage size. | Per 100,000 users. |
Software Requirements
Requirement (On-Premises) | Notes |
---|---|
Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 | The servers must be externally accessible through HTTPS (SSL certificate) and with a Fully Qualified Domain Name (FQDN) |
SQL Server 2016, 2017, and 2019 (Database Server) | The db_owner role and public role must be assigned to the SQL server user that is used for running the application. The database option must be selected for external database and you must set the collation to SQL_Latin1_General_CP1_CI_AS. A dedicated SQL instance for ENS is recommended. The steps to create an ENS database and the Workspace ONE UEM database are the same. For more information on creating the Workspace ONE UEM database, see the Create the Workspace ONE UEM Database topic in the Installing Workspace ONE UEM guide. Note: A shared SQL instance can only be used for demonstration purposes, where a small set of users can use the ENS. |
Basic Authentication for the Exchange environment | OAuth and Certificate-Based Authentication (CBA) are supported for Exchange Web Services |
CNS Certificate | |
Secure Channel Certificate | |
IIS 7 or later | Installed on Web Server |

Requirement (Cloud) | Notes |
---|---|
Basic Authentication for the Exchange environment | OAuth and Certificate-Based Authentication (CBA) are supported for Exchange Web Services |
Autodiscovery enabled in the Exchange environment and Internet-facing EWS environment. If the autodiscovery is deactivated, you can use the EWSUrl key value pair to configure ENS. |
Networking Requirements
Source | Destination | Protocol (Port) |
---|---|---|
ENS | Exchange (EWS) | HTTPS (443) |
Exchange (EWS) | ENS | HTTPS (443) |
Mailbox/CAS | ENS | HTTPS (443) |
ENS | Exchange OAuth host** | HTTPS (443) |
ENS | AirWatch Cloud Notification Service (CNS) | HTTPS (443) |
ENS | SQL Server Instance | SQL (1433) |
Internet (Devices) | ENS | HTTPS (443) |
ENS* | AirWatch Signing Service | HTTPS (443) |
UEM Console* | ENS | HTTPS (443) |
*Applicable for ENS2 version 1.10 and later and Workspace ONE UEM console version 2101 and later.
** Required only if Exchange is configured for Modern authentication or OAuth based authentication, even if SEG is configured as EWS proxy.
Required External Services
ENS depends on the following services to operate. You must allowlist the following URLs or otherwise ensure that the ENS server can access them.
Source | Destination | Domain Name | Supported Versions |
---|---|---|---|
ENS | AirWatch Trust Discovery | awtrustdiscovery.awmdm.com | ENS2 version prior to 21.04. |
ENS | AirWatch Signing Service | signing.awmdm.com | ENS2 version 1.10 and later and Workspace ONE UEM console version 2101 and later |
ENS | The actual Exchange OAuth host configured for Exchange* | https://login.microsoftonline.com (sample) | ENS2 all versions |
* Required only if Exchange is configured for Modern authentication or OAuth based authentication.
Note: When Modern authentication is used, ENS must directly communicate with Exchange to refresh the authentication token. ENS IPs must be allowlisted for Modern authentication to work if SEG is used as the EWS proxy because SEG cannot proxy the refresh token request.
CNS Server IP Allowlist
Source | Destination | Domain Name | Supported Versions |
---|---|---|---|
ENS | 44.239.192.231, 44.235.169.212, 44.237.141.156 | ENS2 version 21.04 and later. |
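Component Name | Required Services |
---|---|
Web Management Tools | IIS 6 Management Compatibility |
Web Management Tools | IIS Management Console |
Web Management Tools | IIS Management Scripts and Tools |
Web Management Tools | IIS Management Service |

Component Name | Required Services |
---|---|
Application Development Features | .NET Extensibility 3.5 |
Application Development Features | .NET Extensibility 4.6 |
Application Development Features | Application Initialization |
Application Development Features | ASP |
Application Development Features | ASP.NET 3.5 |
Application Development Features | ASP.NET 4.6 |
Application Development Features | ISAPI Extensions |
Application Development Features | ISAPI Filters |
Application Development Features | Server-Side Includes |
Application Development Features | WebSocket Protocol |
Common HTTP Features | Default Document |
Common HTTP Features | Directory Browsing |
Common HTTP Features | HTTP Errors |
Common HTTP Features | Static Content |
Health and Diagnostics | HTTP Logging |
Performance Features | Static Content Compression |
Security | Request Filtering |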
SQL Server and High Availability Support
High availability configuration – ENS2 supports SQL Server AlwaysOn high availability configuration. To set up the SQL Server AlwaysOn for active/active or active/passive setup, see Overview of Always On Availability Groups (SQL Server). If you are using AlwaysOn, point to the availability group when choosing the database server during the ENS2 installation.
TLS Support for ENS
ENS2 cloud deployments require TLS 1.2 or greater to maintain security. You must ensure that TLS 1.2 or greater is enabled on your email server.
For ENS2 on-premises, see the Cipher Suites in TLS/SSL (Schannel SSP) topic for the default cipher suites for different Windows server versions and select the ENS2 on-premises server version accordingly.
Note: If SEG is configured, then ensure that the on-premises ENS server has all the ciphers that are enabled in the SEG server.
ENS supports TLS version 1.2 and 1.3. ENS does not choose any protocol, but permits the OS to choose the strongest available TLS version and the cipher suites. The following table lists the recommended cipher suites.
Cipher Suites | SSL Cipher Strength | TLS Protocol Version | Elliptic Curve Variants | Cryptographic Algorithm | Authenticated Encryption | Cryptographic Hash Algorithm |
---|---|---|---|---|---|---|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | TLS 1.2 | ECDH-ephemeral | ECDSA | AESGCM (128) | SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | TLS 1.2 | ECDH-ephemeral | ECDSA | AESGCM (256) | SHA256 and SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (128) | SHA1 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (256) | SHA1 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (128) | SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (256) | SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | TLS 1.2 | ECDH-ephemeral | RSA | AESGCM (128) | SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | TLS 1.2 | ECDH-ephemeral | RSA | AESGCM (256) | SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA | TLS 1.2 | ECDH-ephemeral | RSA | AES (128) | SHA1 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA | TLS 1.2 | ECDH-ephemeral | RSA | AES (256) | SHA1 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 | TLS 1.2 | ECDH-ephemeral | RSA | AES (128) | SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 | TLS 1.2 | ECDH-ephemeral | RSA | AES (256) | SHA384 |
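To compare what Schannel actually has enabled on an on-premises ENS server with the recommended suites in the table above, and to check the SEG note, the following added example can be used. It is not part of the VMware documentation: `Compare-EnsCipherSuites` is a hypothetical helper, the SEG list is constructed sample input, and `Get-TlsCipherSuite` is available on Windows Server 2016 and later only.

```powershell
# Recommended suites, copied from the table on this page.
$Recommended = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',   'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
)

# Hypothetical helper (added example, not part of ENS2).
function Compare-EnsCipherSuites {
    param(
        [string[]]$Enabled,           # suites enabled on this ENS server
        [string[]]$SegEnabled = @()   # suites enabled on the SEG server, if SEG is used
    )
    [pscustomobject]@{
        # Recommended suites this server can negotiate.
        RecommendedEnabled = @($Recommended | Where-Object { $Enabled -contains $_ })
        # Recommended suites that are switched off here.
        RecommendedMissing = @($Recommended | Where-Object { $Enabled -notcontains $_ })
        # Enabled suites that are outside the recommended list (review each one).
        OutsideRecommended = @($Enabled | Where-Object { $Recommended -notcontains $_ })
        # Suites SEG has but ENS lacks; per the SEG note this list must be empty.
        SegOnly            = @($SegEnabled | Where-Object { $Enabled -notcontains $_ })
    }
}

# Constructed sample: replace with the suite names exported from your SEG server.
$segSample = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256')

if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $enabled = (Get-TlsCipherSuite).Name
    Compare-EnsCipherSuites -Enabled $enabled -SegEnabled $segSample | Format-List
}
```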
ENS2 Prerequisites
To enable and secure the communication between the Exchange server and the ENS server, note the following points:
- Communication between ENS and Exchange servers must not have any SSL errors.
- telnet and ping commands must work seamlessly between ENS and Exchange CAS/Mailbox servers.
- SSL certificates used for ENS and Exchange servers must not have any errors when they run through SSL checkers.
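One way to run the checks in this list from the ENS server, as an added example that is not part of the VMware documentation: `Test-EnsPeerTls` is a hypothetical helper and `mail.example.com` is a placeholder for your Exchange CAS/Mailbox host. It tests TCP reachability on port 443 and then performs a TLS handshake with the operating system's default certificate validation, so any SSL error surfaces in the `Error` field.

```powershell
# Hypothetical helper (added example, not part of ENS2).
function Test-EnsPeerTls {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $report = [ordered]@{
        Host = $HostName; Port = $Port; TcpReachable = $false; TlsOk = $false
        Protocol = $null; Subject = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: plain TCP reachability, the same thing the telnet test proves.
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect timed out after $TimeoutMs ms"
        }
        $client.EndConnect($pending)
        $report.TcpReachable = $true

        # Step 2: TLS handshake against the OS trust store. No validation
        # callback is supplied, so an untrusted chain, a name mismatch or an
        # expired certificate makes the handshake fail instead of being ignored.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.TlsOk    = $true
        $report.Protocol = $ssl.SslProtocol   # version the OS negotiated
        $report.Subject  = $cert.Subject
        $report.NotAfter = $cert.NotAfter     # watch for upcoming expiry
    }
    catch {
        $report.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$report
}

# Usage (mail.example.com is a placeholder; the other two hosts are listed on this page):
# 'mail.example.com', 'signing.awmdm.com', 'login.microsoftonline.com' |
#     ForEach-Object { Test-EnsPeerTls -HostName $_ } | Format-Table -AutoSize
```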
Upload the Root CA Certificate
To upload the root CA certificate to the Exchange server, perform the following steps:
- Download the SSL certificate from the on-premises ENS server. Access the ENS Alive endpoint in a browser and download the certificate from the address bar.
Note: You must only download the root certificate issued by a trusted authority and signed by an internal CA. For the cloud deployment, you can download the root certificate from https://ens.getboxer.com/api/ens/alive, https://ens-eu.getboxer.com/api/ens/alive, https://ens-apj.getboxer.com/api/ens/alive, or https://ens-uk.getboxer.com/api/ens/alive based on your region, issued by VMware for your account.
For the on-premises deployment, download the root certificate and replace acme.com with the resolved name or IP address of your ENS server.
- Import this certificate on the Exchange Server into the Trusted Root Certification Authorities through MMC.
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1_ENS2_Doc/GUID-AWT-REQUIREMENTS-ENSV2.html