Standalone EAS proxy
You can set up an EAS proxy to control the access of your managed devices to an email server. Email traffic of your managed devices is routed through that proxy. You can block email access for devices, for example a device that violates a compliance rule.
The devices must be configured to use the EAS proxy as email server for incoming and outgoing emails. The EAS proxy will only forward traffic to the actual email server if the device is known in Sophos Mobile and matches the required policies. This guarantees higher security as the email server does not need to be accessible from the Internet and only devices that are authorized (correctly configured, for example with passcode guidelines) can access it. Also, you can configure the EAS proxy to block access from specific devices.
There are two types of EAS proxy:
- The internal EAS proxy that is automatically installed with Sophos Mobile. It supports incoming ActiveSync traffic as used by Microsoft Exchange or IBM Notes Traveler for iOS and Samsung Knox devices.
- A standalone EAS proxy that can be downloaded and installed separately. It communicates with the Sophos Mobile server through an HTTPS web interface.
For information on how to integrate the standalone EAS proxy into your network architecture, see the Sophos Mobile server deployment guide. We recommend that you read the information before you set up the standalone EAS proxy.
Because macOS doesn’t support the ActiveSync protocol, you can’t use the internal or the standalone EAS proxy to filter email traffic coming from Macs.
For a list of mail servers that the standalone EAS proxy supports, see the Sophos Mobile release notes.
The standalone EAS proxy has additional features compared to the internal version:
- Support for IBM Notes Traveler for non-iOS devices (for example, Android). The Traveler client for these devices uses a protocol (not ActiveSync) that is not supported by the internal EAS proxy.
- Support for multiple Microsoft Exchange or IBM Notes Traveler email servers. You can set up one EAS proxy instance per email server.
- Load balancer support. You can set up standalone EAS proxy instances on several computers and then use a load balancer to distribute the client requests among them.
- Support for certificate-based client authentication. You can select a certificate from a certification authority (CA), from which the client certificates must be derived.
- Support for email access control through PowerShell. In this scenario, the EAS proxy service communicates with the email server through PowerShell to control the email access of your managed devices. Email traffic happens directly from the devices to the email server and is not routed through a proxy. See Set up email access control through PowerShell.
- The EAS proxy remembers the device status for 24 hours. If the Sophos Mobile server is offline, for example during an upgrade, email traffic is filtered based on the last known device status. After 24 hours, all email traffic is blocked.
For non-iOS devices, filtering abilities of the standalone EAS proxy are limited due to the specifics of the IBM Notes Traveler protocol. Traveler clients on non-iOS devices do not send the device ID with every request. Requests without a device ID are still forwarded to the Traveler server, even though the EAS proxy is not able to verify that the device is authorized.