Good evening everyone,
I am wondering if something like this is possible with the Sophos XG Firewall.
We are hoping to have a scenario like the following.
MX Record is pointing to IP of Sophos > Sophos XG performs email scanning and protection > email then is forwarded or relayed to Exchange Online.
Biggest reason for wanting to do so is that the current Exchange Online license E3 only provides basic email protection and we already pay for Sophos XG which has better protection regarding spam and a number of other nice features. I understand that we could by pass Sophos XG and go directly to EO but the costs for the advanced email protection are not warranted.
Is the above possible or am I SOL and should go the better Office 365 license route?
This article at the end states that it only accepts IPs from Sophos Central. We are not using Sophos Central for firewall management.
This also does not apply to Sophos XG Firewall appliance.
Have you read this: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/EmailSMTPRouteAndScanPolicyAdd.html ?
Looks like it is possible,i'm very interested in your findings.
Should be possible.
You have to create a connector within exchange online and forward the mails from XG to this connector
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
that's a bit correct .... if you input the Sophos-Central-Mail-IP at step 18"18. Enter the Sophos (central) Email delivery IP addresses for your region"... Insert your onPrem-Mail-IP ... and it should work.
I don’t think it “should” work. This article is talking about using the Email Gateway which the XG Firewall does not have the same settings/options as the Email Gateway software.
Hi there,all settings in the article refer to the Exchange-Online interface.What do you think, which settings are missing on the sophos xg side?and yes ... the Sophos Email Gateway has more functions ...
Thank you for contacting the Sophos Community.
Yes, this is possible to achieve, however, your XG is prompt to be an open relay, so this configuration is not recommended.
You need to do two things:
1. Is to create in the XG an IP Host for each one of the subnets mentioned in this article, once you have created the IP Hosts, just add them under the Host-Based Relay.
2.Under SMTP Route & Scan, select Rout By = Static Host, and Create and select the IP addresses used by your Office 365 MX records. (This can also be found by issuing the command nslookup -q=MX <domain> in the command prompt of a workstation.)
Then configure your Exchange rule online accordingly to Route Email through these smart hosts and enter your Sophos XG Public IP.
This configuration might cause an open relay security issue, I would recommend you to reach out to your Sales Engineer, if you still decide to go with this configuration.
I think the TO asks to receive the external mails at the XG and to forward them to Exchange Online ... looks like you are describing the other direction.
Brad Clement :: Good day!
You can configure the settings to route and protect emails in MTA mode.
In MTA mode, Sophos Firewall routes emails between the mail server and the internet. When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic. We recommend that you keep this rule at the top of the firewall rule table.https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/EmailConfigureEmailProtectionMTA.html
Email Protection Best Practice: https://community.sophos.com/sophos-xg-firewall/f/discussions/100293/email-protection-best-practice
Thank & Regards,
If a post solves your question, use the 'Verify Answer' link.
I don't want to send emails from Exchange Online through the Sophos Firewall.
I've described what I wanted in the post. Emails come in to public IP of Sophos Firewall > they get scanned processed by the Firewall > then forwarded to Exchange Online. What you are describing I don't think is what I need.