Office 365 question

Hi,

Currently we have set up our Exchange to use UTM for anti-virus and spam detection, and Exchange is published with WAF, not NAT. Now we are going to migrate our Exchange to Office 365 and we want to keep the UTM to scan for viruses and spam, but according to Microsoft support this is not possible. It is only possible if the UTM forwards port 25 to the Exchange server, and I think this would mean no scanning for viruses and spam.

We want to run a test: if I create a DNAT rule that allows access to our Exchange server on port 25, must we first remove all of the WAF rules? Or will NAT be processed first and then the WAF rules? I don't want to remove anything.

If we go with NAT, should we change any settings under Mail Protection > SMTP?


Thanks



  • You can use UTM before mails are sent to O365! We do the same.


    Just make sure your MX records for your domain(s) keep pointing to your UTM, and in UTM make sure to route mail for your domain(s) to the O365 servers that Microsoft specifies as the servers where MX records should point.

    In my case I have several domains and use SMTP Profiles for them. For every domain I have:

    Domains: the domain name where mail is received
    Routing: Route by static host list -> O365-specified MX record (yourdomain-yourtld.mail.protection.outlook.com)

    This will work; however, O365 might complain that the DNS check fails, as its MX record is either not listed or doesn't have the highest priority.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
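The MX layout described above (MX pointing at the UTM, UTM routing each domain to its O365 endpoint) is easy to get subtly wrong. The following is an added example, not part of this thread or of any Sophos or Microsoft tooling: it derives the O365 smart-host name from a mail domain the way the reply above shows it, and checks a constructed set of MX records (the `EXAMPLE_MX` text and the hosts in it are made up) for two things: that the UTM is the highest-priority MX, and whether O365's DNS check will warn because its own endpoint is missing or not at the top.

```python
"""Sanity-check an MX layout for the 'UTM in front of Office 365' pattern.

Offline example: MX records are supplied as 'preference host' text lines
(constructed), not looked up in DNS.
"""
import re

# O365 inbound endpoint: dots in the domain become dashes, plus this suffix.
O365_SUFFIX = ".mail.protection.outlook.com"


def o365_smart_host(domain: str) -> str:
    """Derive the O365 MX endpoint name that the UTM SMTP profile routes to."""
    label = domain.strip().lower().rstrip(".").replace(".", "-")
    return label + O365_SUFFIX


def parse_mx(records: str) -> list:
    """Parse 'pref host' lines into (preference, host) tuples, lowest
    preference value (highest priority) first."""
    out = []
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\d+)\s+(\S+)", line)
        if not m:
            raise ValueError(f"bad MX line: {line!r}")
        out.append((int(m.group(1)), m.group(2).lower().rstrip(".")))
    return sorted(out)


def check_mx_layout(domain: str, records: str, utm_host: str) -> dict:
    """Report whether inbound mail for `domain` reaches the UTM first and
    whether the O365 DNS check will warn (its MX missing or not top priority)."""
    mx = parse_mx(records)
    o365 = o365_smart_host(domain)
    utm = utm_host.lower().rstrip(".")
    top_hosts = [h for p, h in mx if p == mx[0][0]] if mx else []
    o365_prefs = [p for p, h in mx if h == o365]
    return {
        "utm_is_primary": utm in top_hosts and o365 not in top_hosts,
        # If the O365 endpoint is listed at all, a sender can deliver to it
        # directly and skip the UTM's virus/spam scanning.
        "o365_listed": bool(o365_prefs),
        "o365_dns_check_warns": not o365_prefs or mx[0][0] not in o365_prefs,
        "route_to": o365,
    }


# Constructed zone fragment: only the UTM is published as MX.
EXAMPLE_MX = "10 mx.example.com."

if __name__ == "__main__":
    print(check_mx_layout("example.com", EXAMPLE_MX, "mx.example.com"))
```

Feed the function the output of a real MX lookup (one `preference host` pair per line) to check a live domain.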

  • Thank you for the reply,

    We have also multiple email domains and we have a single SMTP profile.

    As I said before, we have configured the UTM with WAF for our Exchange, and we are going to configure a hybrid migration. Later on we will remove our Exchange server, and we want the UTM to keep scanning the emails for all of the domains even after the Exchange server is removed. Should we leave the WAF rules as they are? Or should we create a DNAT rule to allow all incoming requests on port 25 to the UTM?

    I understand that we should point the MX of all domains to the UTM, but how should we route mail for our domain(s) to the O365 servers?

    Thank you.

  • See the attached image for how I have configured each mail domain to forward to O365. I think you need to create SMTP profiles separately for each mail domain, since they need different DNS hostnames to forward to.

    I don't have any experience with hybrid setups, so I cannot really advise on whether or not to keep your WAF rules or what to do with DNAT rules. I think Microsoft has more documentation on how to set up the local environment in a hybrid situation.


  • Thank you for the update,

    Your mailboxes are in Office 365 and you don't have an on-premises Exchange server, and with your current configuration your UTM does the virus and spam scanning, correct?

    Can you please tell me whether you are using a DNAT rule or WAF rules for incoming mail to the UTM?

    Thanks

  • You are correct. I have neither DNAT nor WAF. In DNS I have configured the MX record to point to the public IP addresses of the UTM. In UTM, whenever you configure SMTP profiles, UTM will automatically accept emails destined for the domains you configure, so no DNAT or WAF is necessary when everything is in O365 (there are no Exchange servers behind my own UTM).

    In a hybrid environment you may need WAF (for OWA access) and/or I suppose you may need transport rules between O365 and your own Exchange server, but please read through Microsoft's documentation, because I don't have experience with or knowledge of hybrid Exchange installations.

