

Email protection with Exchange hybrid

Hi,

we migrated one month ago from Sophos UTM to Sophos XGS. We also migrated the email protection settings successfully, with one exception.

With the old UTM we routed emails from Exchange Online directly to our internal Exchange Server. Now with the XGS this is not possible. We use the firewall as mail transfer agent, therefore we must configure the Exchange Online servers as a relay. But we don't want to. We want to route all emails from Exchange Online directly to our internal email server. I made and tried some NAT rules, no chance. Email protection seems to overrule all other rules.

Some hints or solutions? Thanks for your patience!



  • Do you still have access to the UTM? Can you copy paste both settings? 


  • I need to turn it on in the office next tuesday. Do I need valid licenses for this?

    I think the problem is that the target of our emails from Exchange Online is not our domain but external domains. That's why SFOS refuses to route the emails. But I don't know how we solved that in UTM, or if we did anything at all. Thanks!

  • Why does your Exchange online send such emails to your firewall? 
    That sounds like a faulty config in M365. 


  • No, this is an Exchange Hybrid configuration. Exchange Online holds the mailboxes and Exchange On Prem does work as mail hub, handles the traffic. This is a very common configuration.

    The question is, how can we bypass email protection for traffic from Exchange Online? And why did it work perfectly with UTM but not with SFOS!?

    Maybe I miss something, but when we migrated we checked both sides (UTM and SFOS) with a whole team. We recognized that it did not work with SFOS and turned relay for Exchange Online on. But now we have some time to find out what the problem is, and we want to get back our comfort with the internal Exchange Server.

  • Again: you did something different on UTM compared to SFOS, because the way both systems work is the same.

    It might be something like you had a DNAT from M365 to the Exchange and bypass UTM mail protection. 

    Because both systems work with Exim and the same approaches.


  • This was the right hint. We made NAT and firewall rules, but it only works with DNAT. I was confused because it's only available through an assisted menu. Thanks!!!!!
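A DNAT that bypasses the firewall's MTA hands inbound TCP/25 straight to the on-prem Exchange hub, so it must be scoped to Exchange Online's published source networks rather than "Any", or the internal server is reachable from the whole internet without any email scanning. Microsoft publishes those ranges in the Office 365 IP Address and URL web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>, service area "Exchange"). The following Python is an added example and not code from this thread or from Sophos: it parses a constructed sample in that service's JSON format (the CIDRs and ids are placeholders, not the current published list), derives the source networks a DNAT rule for SMTP should be bound to, and audits constructed log lines for connections that hit a hypothetical rule named `dnat-exchange` from outside those networks.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 IP Address and URL web
# service output. Values are illustrative placeholders, not the published list.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 8, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["*.mail.protection.outlook.com"],
   "ips": ["40.92.0.0/15", "52.100.0.0/14", "2a01:111:f400::/48"],
   "tcpPorts": "25", "expressRoute": true, "category": "Allow", "required": true},
  {"id": 9, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["outlook.office365.com"],
   "ips": ["40.96.0.0/13"], "tcpPorts": "80,443", "expressRoute": true,
   "category": "Optimize", "required": true},
  {"id": 56, "serviceArea": "Skype",
   "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
   "ips": ["13.107.64.0/18"], "tcpPorts": "443", "udpPorts": "3478",
   "expressRoute": true, "category": "Optimize", "required": true}
]
"""

# Constructed firewall-style connection log: src=IP dst=IP dport=PORT rule=NAME.
# "dnat-exchange" is a hypothetical name for the DNAT that bypasses the MTA.
SAMPLE_LOG = [
    "src=40.93.1.2 dst=10.0.0.25 dport=25 rule=dnat-exchange",
    "src=52.101.7.9 dst=10.0.0.25 dport=25 rule=dnat-exchange",
    "src=198.51.100.7 dst=10.0.0.25 dport=25 rule=dnat-exchange",
    "src=203.0.113.4 dst=10.0.0.25 dport=25 rule=mta",
    "src=203.0.113.4 dst=10.0.0.25 dport=443 rule=dnat-exchange",
]


def exchange_online_smtp_networks(endpoints_json, want_ipv6=False):
    """Networks Exchange Online delivers SMTP from: serviceArea == "Exchange"
    and tcpPorts containing 25. IPv6 ranges are skipped unless requested."""
    nets = []
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != "Exchange":
            continue
        ports = {p.strip() for p in entry.get("tcpPorts", "").split(",") if p.strip()}
        if "25" not in ports:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 6 and not want_ipv6:
                continue
            nets.append(net)
    return nets


def route_for_smtp_connection(src_ip, exo_networks):
    """'dnat-exchange' if the source is an Exchange Online network (bypass the
    firewall MTA straight to the on-prem hub), otherwise 'mta' (scan it)."""
    ip = ipaddress.ip_address(src_ip)
    for net in exo_networks:
        if ip.version == net.version and ip in net:
            return "dnat-exchange"
    return "mta"


def audit_connections(log_lines, exo_networks):
    """Return source IPs that reached the on-prem hub through the DNAT bypass on
    TCP/25 without coming from Exchange Online, which indicates the DNAT rule's
    original source is wider than the published ranges."""
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dport") != "25":
            continue
        if fields.get("rule") != "dnat-exchange":
            continue
        if route_for_smtp_connection(fields["src"], exo_networks) != "dnat-exchange":
            findings.append(fields["src"])
    return findings


if __name__ == "__main__":
    nets = exchange_online_smtp_networks(SAMPLE_ENDPOINTS_JSON)
    print("bind DNAT original source to:", [str(n) for n in nets])
    print("bypass reached from non-EXO sources:", audit_connections(SAMPLE_LOG, nets))
```

In production, replace the embedded sample with the live JSON from the web service (it changes; Microsoft versions it and publishes change notifications) and re-run the audit whenever the list is refreshed, so the DNAT rule's source list never lags behind the published ranges.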