Hello.
We had an old ISA Server from Microsoft to publish our Exchange server (2007 SP3) and have now replaced it with a Sophos UTM 320 (FW 9.106-17). I’m not really a firewall professional, so I thought maybe there is someone in this forum who can take a look at my configuration and give me some advice if I did something wrong. I did the same before with my configuration of the web server in the DMZ and I’m glad that a professional looked over it (https://community.sophos.com/products/unified-threat-management/astaroorg/f/57/t/50158).
Hope that someone can have a look at this one too. Thanks in advance.
Firewall Profiles
In Firewall Profiles I made a new profile where the mode is set to Drop and the only other thing that is enabled is Pass Outlook Anywhere. I’m not sure if this is a best practice or if I can get more security without breaking the services by enabling something else.
Real Webservers
Then I defined a Real Webserver with Type SSL (HTTPS) and Port 443.
Virtual Webservers
In Virtual Webserver I defined a Server for Exchange, an external Interface, Type SSL (HTTPS), Port 443 and my imported wildcard certificate. In Domains I added the domain names that I need for my Exchange Server and in Real Webservers I enabled my real webserver. For the firewall profile I took my profile for Exchange that I made before. And I enabled Pass Host Header.
Firewall
In the Firewall I made a rule from any to my Exchange server and vice versa for the service SMTP. Is this right even with activated Email Protection? If I understand that right, the SMTP connection is from External to the UTM for Email Protection and from there to the Exchange server. But it looks like the rule nevertheless has to be from any to the Exchange server.
Email Protection
At the moment I still have Forefront Protection for Exchange, but with the change to Sophos UTM I also enabled Email Protection. Under Routing I added all domains we have and in the Host list I added my Exchange server.
Intrusion Prevention
I changed nothing in Intrusion Prevention, but since my internal network is added to the Local networks of Intrusion Prevention I hope all the connections to the Exchange server are secured by IPS.
I hope I didn’t do anything wrong and we’re safe. But I would feel more comfortable if one of you could confirm this. Thanks.