Route UTM to XG to Core Switch

Dear All,

Introduction of what I am trying to achieve :

I would like to have the OTP reverse proxy for my Exchange OWA which is protected behind the XG310's WAF, however, the feature has not been introduced to XG like the UTM. Therefore I downloaded a UTM image and would like it to handle just the Exchange OWA where I can have the OTP.

The Diagram Infra : 

Configuration (For the simplicity did not implement the WAF at the UTM) :

  • UTM:




  • At the UTM i can ping Exchange P8 over interface UTM P2 ! however, traceroute just reaching XG P3
  • The UTM and XG can ping each other
  • From the Exchange can not ping XG P3, UTM P2, and traceroute is just reaching XG P5
  • I had to create static route at the UTM as i have a feeling that policy route does route to XG P3 !
  • XG P3 is under a new Zone called UTM type LAN

I think i am missing something to route XG P5 - XG P3 or the policy route at XG does not work as i want 

Much appreciated your help

Kind regards,


  • Hi,

    why don't you connect the UTM to the switch instead of the XG?

    Shouldn't there be email ports in the firewall rules?



  • In reply to rfcat_vk:

    Hi Lan,

    Thanks for your reply, as I am using the Email protection at the XG so I need to route the traffic to XG "don't know if my switch can route based on protocol meaning https to UTM and SMTP,IMAP,POP3 to XG from the same Exchange IP ?"

    If the above solution does not work, my workaround would be using another IP port at the Exchange and this IP would be used for the Https going to UTM directly  ... 



  • In reply to AbdullahAmer:

    Hi Abdullah,

    what you are saying is that your external users ned to come in via the UTM connection to access the OWA. The OWA sends and receives all mail from external companies and is scanned by the XG and the anti whatever is installed on your OWA before being made available to your users?

    So. I am not sure what you are achieving other than a complex network to have the XG scan the mail from your users?

    My thoughts only.


  • In reply to rfcat_vk:

    Hi Lan,

    As i have everything setup for Exchange through the XG "It includes all Modules licenses", and now i am just splitting the OWA service from the XG and use the UTM OTP WAF for it "to avoid buying as well the Email module at UTM and handle all Exchange at UTM"

    I am reading PBR policy for the core switch to split the routing HTTP to UTM and the rest default route to XG "As you suggested in the first reply"