Article ID: KB-EC-0047
Last Updated: January 16, 2026
Applicable Product: ManageEngine Endpoint Central (On-Premises)
Version: All versions supporting Secure Gateway Server (SGS)
Category: Configuration, Troubleshooting, MDM
After configuring or enabling a Secure Gateway Server (SGS) in an on-premises Endpoint Central deployment, new user invitation emails contain an incorrect activation link. The link points to the server's internal, domain-joined hostname and port (e.g., CHDC04.corp.local:8443) instead of the public-facing SGS URL configured in the NAT Settings (e.g., mdm.company.com).
Symptoms:
Users receive an enrollment email with a link to an internal server name.
Clicking the link results in a "Site cannot be reached" error or a certificate mismatch warning.
External devices (smartphones, laptops off the corporate network) cannot enroll in MDM.
The issue only occurs for invitation emails; direct browser access to the SGS URL may work correctly.
Impact:
Breaks the mobile device enrollment process for remote users.
Creates user confusion and increases support tickets.
Prevents successful deployment of MDM profiles to external devices.
When the Secure Gateway Server is enabled and the main Web Console UI is disabled (a common configuration for MDM-only or locked-down access), Endpoint Central defaults to using the server machine's internal Fully Qualified Domain Name (FQDN) when generating the links for invitation emails.
This behavior occurs even when a public NAT FQDN is correctly configured under Admin → Network → NAT Settings. The system does not automatically apply the NAT URL to the email notification component without a specific configuration override.
The fix involves adding a specific configuration key to the Endpoint Central server's websettings.conf file to force the system to use the public NAT FQDN in all user invitation emails.
Pre-requisite: Ensure your public NAT FQDN (e.g., mdm.company.com) is correctly configured and points to your Secure Gateway Server. This can be verified under Admin → Network → NAT Settings.
Procedure:
Stop the Endpoint Central Server Service.
On the Endpoint Central server, open the Windows Services console (services.msc).
Locate the "EndpointCentral Server" service.
Right-click and select Stop. Wait for the service to fully stop.
Locate and Backup the Configuration File.
Navigate to the Endpoint Central installation directory (e.g., C:\Program Files\ManageEngine\EndpointCentral).
Go to the \conf\ subfolder.
Find the file named websettings.conf.
(Recommended) Create a backup copy of this file (e.g., websettings.conf.backup_20260116) in the same folder.
Edit the Configuration File.
Right-click websettings.conf and open it with a text editor like Notepad or Notepad++ (Run as Administrator if necessary).
Add the following line on a new line at the end of the file:
fqdn.enabled.mail=true
Explanation: This directive explicitly enables the use of the configured NAT FQDN for generating email invitation links.
Save the file and close the editor.
Restart the Endpoint Central Server Service.
Return to the Services console.
Right-click the "EndpointCentral Server" service and select Start.
Wait for the service to start completely.
Log in to the Endpoint Central admin console.
Navigate to MDM → Device Management → Enroll Devices.
Create a test user or select an existing user and choose "Send Invitation."
Check the received email. The activation link should now correctly begin with your public NAT FQDN (e.g., https://mdm.company.com/...).
The link should be accessible from a network outside your corporate environment.
Port Configuration: The invitation link will use the standard HTTPS port (443) defined for the SGS/NAT configuration. Ensure the non-standard port 8443 is not hard-coded anywhere in your NAT or SGS settings for external access.
Certificate: The public FQDN used in the invitation link must match the Subject Alternative Name (SAN) on the SSL certificate installed on your Secure Gateway Server to avoid browser warnings.
Related Configuration (Custom URL): If you need the invitation email to use a different URL than the one set in NAT Settings, you can use the key fqdn.for.emails=custom.url.com instead of fqdn.enabled.mail=true. Use only one of these settings.
Change Management: Always document changes to configuration files. The websettings.conf file should be included in your regular server backup and disaster recovery procedures.
Tags: Secure Gateway, SGS, Invitation Email, MDM Enrollment, NAT FQDN, Configuration, websettings.conf
Need further assistance?
If the issue persists after applying this solution, please contact the IT Infrastructure Team or raise a ticket with ManageEngine Support, referencing this KB article and providing details of the steps you have taken.