Install the standalone EAS proxy

Prerequisites:
  • All required email servers are accessible. The EAS proxy installer will not configure connections to servers that are not available.
  • You are an administrator on the computer where you install the EAS proxy.
  • You know the URL of the Sophos Mobile server. See Determine the Sophos Mobile server URL.
Note The Sophos Mobile server deployment guide contains schematic diagrams for the integration of the standalone EAS proxy into your company’s infrastructure. We recommend that you read the information before performing the installation and deployment of the standalone EAS proxy.
  1. Run Sophos Mobile EAS Proxy Setup.exe to start the Sophos Mobile EAS Proxy - Setup Wizard.
  2. On the Choose Install Location page, choose the destination folder and click Install to start installation.
    After the installation has been completed, the Sophos Mobile EAS Proxy - Configuration Wizard is started automatically and guides you through the configuration steps.
  3. In the Sophos Mobile server configuration dialog, enter the URL of the Sophos Mobile server the EAS proxy will connect to.

    If required, select Use proxy server to configure a proxy server that the EAS proxy uses to connect to the Sophos Mobile server.

    You should also select Use SSL for incoming connections (Clients to EAS Proxy) to secure the communication between clients and the EAS proxy.

    Optionally, select Use client certificates for authentication if you want the clients to use a certificate in addition to the EAS proxy credentials for authentication. This adds an additional layer of security to the connection.

  4. If you selected Use SSL for incoming connections (Clients to EAS Proxy) before, the Configure server certificate page is displayed. On this page you create or import a certificate for the secure (HTTPS) access to the EAS proxy.
    • If you do not have a trusted certificate yet, select Create self-signed certificate.
    • If you have a trusted certificate, click Import a certificate from a trusted issuer and select one of the following options from the list:
      • PKCS12 with certificate, private key and certificate chain (intermediate and CA)
      • Separate files for certificate, private key, intermediate and CA certificate
  5. On the next page, enter the relevant certificate information, depending on the type of certificate that you selected.
    Note For a self-signed certificate, you need to specify a server that is accessible from the client devices.
  6. If you selected Use client certificates for authentication before, the SMC client authentication configuration page is displayed. On this page, you select a certificate from a certification authority (CA), from which the client certificates must be derived.
    When a client tries to connect, the EAS proxy will check if the client certificate is derived from the CA that you specify here.
  7. On the EAS Proxy instance setup page, configure one or more EAS proxy instances.
    • Instance type: Select EAS proxy.
    • Instance name: A name to identify the instance.
    • Server port: The port of the EAS proxy for incoming email traffic. If you set up more than one proxy instance, each of these must use a different port.
    • Require client certificate authentication: Email clients must authenticate themselves when connecting to the EAS proxy.
    • ActiveSync server: The name or IP address of the Exchange ActiveSync Server instance with which the proxy instance will connect.
    • SSL: Communication between the proxy instance and Exchange ActiveSync Server is secured by SSL or TLS (depending on what the server supports).
    • Allow EWS subscription requests from Secure Email: Select this to allow the Sophos Secure Email app on iPhones and iPads to subscribe to push notifications through Exchange Web Services (EWS). Push notifications inform the device when there are messages for Secure Email.
      Note
      • By default, the EAS proxy blocks all requests to the Exchange server’s EWS interface for security reasons. If you select this check box, subscription requests are allowed. Other requests remain blocked.
      • For information on how to configure EWS for your Exchange server, see Sophos knowledge base article 127137.
    • Enable Traveler client access: Only select this check box if you need to allow access by IBM Notes Traveler clients on non-iOS devices.
  8. After entering the instance information, click Add to add the instance to the Instances list.
    For every proxy instance, the installer creates a certificate that you need to upload to the Sophos Mobile server. After you have clicked Add, a message window opens, explaining how to upload the certificate.
  9. In the message window, click OK.
    This will open a dialog, showing the folder in which the certificate has been created.
    Note You can also open the dialog by selecting the relevant instance and clicking the Export config and upload to Sophos Mobile server link on the EAS Proxy instance setup page.
  10. Make a note of the certificate folder. You need this information when you upload the certificate to Sophos Mobile.
  11. Optional Click Add again to configure additional EAS proxy instances.
  12. When you have configured all required EAS proxy instances, click Next.
    The server ports that you entered are tested and inbound rules for the Windows Firewall are configured.
  13. On the Allowed mail user agents page, you can specify mail user agents (i.e. email client applications) that are allowed to connect to the EAS proxy. When a client connects to the EAS proxy using an email application that is not specified, the request will be rejected.
    • Select Allow all mail user agents to configure no restriction.
    • Select Only allow the specified mail user agents and then select a mail user agent from the list. Click Add to add the entry to the list of allowed agents. Repeat this for all mail user agents that are allowed to connect to the EAS proxy.
  14. On the Sophos Mobile EAS Proxy - Configuration Wizard finished page, click Finish to close the configuration wizard and return to the setup wizard.
  15. In the setup wizard, make sure that the Start Sophos Mobile EAS Proxy server now check box is selected, then click Finish to complete the configuration and to start the Sophos Mobile EAS proxy for the first time.

To complete the EAS proxy configuration, upload the certificates that were created for every proxy instance to Sophos Mobile:

  1. Sign in to Sophos Central Admin and go to Mobile.
  2. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the EAS proxy tab.
  3. Under External, click Upload a file. Upload the certificate created during configuration.

    If you have set up more than one instance, repeat this for all instance certificates.

  4. Click Save.
  5. In Windows, open the Services dialog and restart the EASProxy service.
This completes the initial setup of the standalone EAS proxy.
Note Every day, the EAS proxy log entries are moved to a new file, using the naming pattern EASProxy.log.yyyy-mm-dd. These daily log files are not deleted automatically and thus may cause disk space issues over time. We recommend that you set up a process to move the log files to a backup location.