Install the standalone EAS proxy
- You’ve installed and set up Sophos Mobile.
- All required email servers are accessible. The EAS proxy installer will not configure connections to servers that are not available.
- You are an administrator on the computer where you install the EAS proxy.
For details about the integration of the standalone EAS proxy into your company’s infrastructure, see “EAS proxy architecture examples” in the Sophos Mobile server deployment guide.
Run Sophos Mobile EAS Proxy Setup.exe to start the Sophos Mobile EAS Proxy - Setup Wizard.
On the Choose Install Location page, choose the destination folder and click Install to start installation.
After the installation has been completed, the Sophos Mobile EAS Proxy - Configuration Wizard is started automatically and guides you through the configuration steps.
In the Sophos Mobile server configuration dialog, enter the URL of the Sophos Mobile server the EAS proxy will connect to.
If required, select Use proxy server to configure a proxy server that the EAS proxy uses to connect to the Sophos Mobile server.
You should also select Use SSL for incoming connections (Clients to EAS Proxy) to secure the communication between clients and the EAS proxy.
Optionally, select Use client certificates for authentication if you want the clients to use a certificate in addition to the EAS proxy credentials for authentication. This adds an additional layer of security to the connection.
Select Allow all certificates if your Sophos Mobile server presents varying certificates to the EAS proxy, for example because there are several server instances behind a load balancer, and each instance uses a different certificate. When this option is selected, the EAS proxy will accept any certificate from the Sophos Mobile server.
Because the Allow all certificates option reduces the security level of the server communication, we strongly recommend that you select it only if required by your network environment.
If you selected Use SSL for incoming connections (Clients to EAS Proxy) before, the Configure server certificate page is displayed. On this page you create or import a certificate for the secure (HTTPS) access to the EAS proxy.
Sophos Mobile includes a tool that lets you request an SSL/TLS certificate. See Request an SSL/TLS certificate.
- If you do not have a trusted certificate yet, select Create self-signed certificate.
If you have a trusted certificate, click Import a certificate from a trusted issuer and select one of the following options from the list:
- PKCS12 with certificate, private key and certificate chain (intermediate and CA)
- Separate files for certificate, private key, intermediate and CA certificate
On the next page, enter the relevant certificate information, depending on the type of certificate that you selected.
For a self-signed certificate, you need to specify a server that is accessible from the client devices.
If you selected Use client certificates for authentication before, the SMC client authentication configuration page is displayed. On this page, you select a certificate from a certification authority (CA), from which the client certificates must be derived.
When a client tries to connect, the EAS proxy will check if the client certificate is derived from the CA that you specify here.
On the EAS Proxy instance setup page, configure one or more EAS proxy instances.
- Instance type: Select EAS proxy.
- Instance name: A name to identify the instance.
- Server port: The port of the EAS proxy for incoming email traffic. If you set up more than one proxy instance, each of these must use a different port.
- Require client certificate authentication: Email clients must authenticate themselves when connecting to the EAS proxy.
ActiveSync server: The name or IP address of the Exchange ActiveSync Server instance with which the proxy instance will connect.
The value you enter here must match the Common Name (CN) or Subject Alternative Name (SAN) field of the server’s SSL/TLS certificate.
SSL: Communication between the proxy instance and Exchange ActiveSync Server is secured by SSL or TLS (depending on what the server supports).
Allow EWS (Sophos Secure Email): Allow mail client requests to the Exchange server’s Exchange Web Services (EWS) interface.
Only turn this setting on if you’re using Sophos Secure Email on iPhones and iPads.
Enable Traveler client access: Only select this check box if you need to allow access by IBM Notes Traveler clients on non-iOS devices.
After entering the instance information, click Add to add the instance to the Instances list.
For every proxy instance, the installer creates a certificate that you need to upload to the Sophos Mobile server. After you have clicked Add, a message window opens, explaining how to upload the certificate.
In the message window, click OK. This will open a dialog, showing the folder in which the certificate has been created.
You can also open the dialog by selecting the relevant instance and clicking the Export config and upload to Sophos Mobile server link on the EAS Proxy instance setup page.
Make a note of the certificate folder. You need this information when you upload the certificate to Sophos Mobile.
- Optional: Click Add again to configure additional EAS proxy instances.
- When you have configured all required EAS proxy instances, click Next. The server ports that you entered are tested and inbound rules for the Windows Firewall are configured.
On the Allowed mail user agents page, you can specify mail user agents (i.e. email client applications) that are allowed to connect to the EAS proxy. When a client connects to the EAS proxy using an email application that is not specified, the request will be rejected.
- Select Allow all mail user agents to configure no restriction.
- Select Only allow the specified mail user agents and then select a mail user agent from the list. Click Add to add the entry to the list of allowed agents. Repeat this for all mail user agents that are allowed to connect to the EAS proxy.
On the Sophos Mobile EAS Proxy - Configuration Wizard finished page, click Finish to close the configuration wizard and return to the setup wizard.
- In the setup wizard, make sure that the Start Sophos Mobile EAS Proxy server now check box is selected, then click Finish to complete the configuration and to start the Sophos Mobile EAS proxy for the first time.
- To complete the EAS proxy configuration, upload the certificates that were created for every proxy instance to Sophos Mobile:
- Sign in to Sophos Mobile Admin as a super administrator.
- On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the EAS proxy tab.
Under External, click Upload a file. Upload the certificate created during configuration.
If you have set up more than one instance, repeat this for all instance certificates.
- In Windows, open the Services dialog and restart the EASProxy service.
This completes the initial setup of the standalone EAS proxy.
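The value in the ActiveSync server field must match the CN or SAN of the server's certificate, and the server must be reachable when the installer runs. The following PowerShell script checks both. It is an added example, not part of the Sophos documentation or product. The host name and port 443 are placeholders, and the script judges the certificate against the Windows trust store, which may differ from the checks the EAS proxy itself performs.

```powershell
# Added example: preflight check for the "ActiveSync server" value.
param(
    [string]$Server = 'eas.example.com',  # placeholder: the name you plan to enter in the wizard
    [int]$Port      = 443                 # assumption: ActiveSync is published over HTTPS on 443
)

$script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
# Record the validation result instead of failing, so a bad certificate can still be reported.
# Only the TLS handshake is performed; no credentials or mail data are sent.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $errors)
    $script:PolicyErrors = $errors
    $true
}

$tcp = [System.Net.Sockets.TcpClient]::new()
$ssl = $null
try {
    $tcp.Connect($Server, $Port)          # throws if the server is not reachable
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)    # validates the certificate against $Server
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name

    [pscustomobject]@{
        Server         = $Server
        Subject        = $cert.Subject
        SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
        NotAfter       = $cert.NotAfter
        NameMatches    = -not $script:PolicyErrors.HasFlag(
                             [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        ChainTrusted   = -not $script:PolicyErrors.HasFlag(
                             [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If NameMatches is False, enter a name that appears in Subject or SubjectAltName rather than an IP address or alias that the certificate does not cover.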
Every day, the EAS proxy log entries are moved to a new file, using the naming pattern EASProxy.log.yyyy-mm-dd. These daily log files are not deleted automatically and thus may cause disk space issues over time. We recommend that you set up a process to move the log files to a backup location.
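One way to implement such a process is a PowerShell script run daily from Task Scheduler. This is an added example, not part of the Sophos documentation or product. Both folder paths are placeholders that you must replace, and the 14-day retention period is an assumption.

```powershell
# Added example: move rotated EAS proxy logs to a backup location.
param(
    [string]$LogDir     = 'C:\path\to\EASProxy\logs',    # placeholder: folder holding EASProxy.log.*
    [string]$ArchiveDir = 'D:\path\to\backup\EASProxy',  # placeholder: backup location
    [int]$KeepDays      = 14                              # assumption: keep two weeks of logs in place
)

$ErrorActionPreference = 'Stop'
$cutoff = (Get-Date).Date.AddDays(-$KeepDays)
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

Get-ChildItem -LiteralPath $LogDir -File -Filter 'EASProxy.log.*' | ForEach-Object {
    # Only rotated files carry a date suffix; the live log file is never touched.
    if ($_.Name -notmatch '^EASProxy\.log\.(\d{4}-\d{2}-\d{2})$') { return }

    $stamp = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Matches[1], 'yyyy-MM-dd',
              [cultureinfo]::InvariantCulture,
              [System.Globalization.DateTimeStyles]::None, [ref]$stamp)
    if (-not $ok -or $stamp -ge $cutoff) { return }

    $dest = Join-Path $ArchiveDir $_.Name
    if (Test-Path -LiteralPath $dest) {
        Write-Warning "Skipping $($_.Name): a file with this name is already archived"
        return
    }

    # Copy, compare hashes, then delete the source, so a failed copy never loses log data.
    Copy-Item -LiteralPath $_.FullName -Destination $dest
    $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($srcHash -eq $dstHash) {
        Remove-Item -LiteralPath $_.FullName
        Write-Output "Archived $($_.Name)"
    }
    else {
        Remove-Item -LiteralPath $dest
        Write-Warning "Hash mismatch for $($_.Name); source left in place"
    }
}
```

The account that runs the task needs read and delete rights on the log folder and write access to the backup location. The proxy logs record client connections, so restrict access to the archive accordingly.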