Exchange Hybrid / Mail-Protection / NAT-Rule

Hallo,

DNATs take precedence - see #2 in Rulz (last updated 2021-02-16).  I suspect you will want to ask some questions in the Exchange community as there are several basic decisions to make.  When you have a clearer picture of how you want to do Hybrid, we can work on it better here.

Also see https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/132837/waf-issues-after-updating-to-9-709-3/492706#492706 which includes posts on problems with WAF and Hybrid.

Cheers - Bob

Dear,

THANK YOU!

I think I HAVE a clear picture of how I want to do EX-Hybrid,
but I´m missing a clear view on how to get there ;-) AND have a
little to less knwoing about my UTM.... :-(

A few questions:
When I restrict my NAT-Rule on Port 25 to only access connections
from MS-Online-Servers, what would be enough for EX-Hybrid, will
incomming Mail from other Servers be rejected or will that then
go (in a "2nd run") through my SMTP-Proxy?

Rule #2 says "then Proxies (except the SMTP Proxy in Transparent mode
which captures traffic after it has been forwarded by a DNAT)"
This "Transparent Mode" means "Operations Mode" in/under Web-Protection
\Web Filtering or is there an extra "Transparent Mode" for my SMTP-Proxy?

I´m in Standard Mode there but also have defined Exceptions for "Skip
Transparent Mode Host/Nets" in/under Email Protection\SMTP\Advanced.
Is this useless?

You 2nd link tells me, that it seems to be possible, or in other words
is not impossible, to do EX-Hybrid through SMTP-Proxy an WAF and without
bypassing them wit NAT-Rules, WHEN I have the right firmware. People
there mention that thes could do so with FW 9.707. Do you also understand
it like this?

THANK YOU!!

TJ

Bitte schön !

OK, those are questions we can work with!

"When I restrict my NAT-Rule on Port 25 to only access connections from MS-Online-Servers, what would be enough for EX-Hybrid, will incomming Mail from other Servers be rejected or will that then go (in a "2nd run") through my SMTP-Proxy?"

Assuming that only Ex-Hybrid incoming mail comes from MS-Online-Servers, yes, all other mails will go through the SMTP Proxy.

"Rule #2 says "then Proxies (except the SMTP Proxy in Transparent mode which captures traffic after it has been forwarded by a DNAT)" This "Transparent Mode" means "Operations Mode" in/under Web-Protection \Web Filtering or is there an extra "Transparent Mode"  or my SMTP-Proxy?"

There is a separate Transparent mode for the SMTP Proxy.  It's not what you want in your situation.

"I´m in Standard Mode there but also have defined Exceptions for "Skip Transparent Mode Host/Nets" in/under Email  Protection\SMTP\Advanced.  Is this useless?"

If you haven't selected any Transparent mode ports, the Exceptions won't be considered.

"You 2nd link tells me, that it seems to be possible, or in other words is not impossible, to do EX-Hybrid through SMTP-Proxy an WAF and  without bypassing them wit NAT-Rules, WHEN I have the right firmware. People there mention that thes could do so with FW 9.707. Do you  also understand it like this?"

I understood the same from that thread as you did.  I don't remember if 9.707 was the version that worked or the one that didn't.

Cheers - Bob

Dear,

once more: DANKESCHÖN!

This afternoon I finished the Exchange Hybrid Connection Wizard (HCW) and now have a working Hybrid-Scenario.
This worked WITHOUT making NAT-Rules, it works just throug SMTP-Proxy and WAF (as far as it looks like .. so far...)

Nevertheless one more Question about SMTP Transparent Mode:

Where can I activate that, I can´t find a switch in my Admin-Portal...
My Exception-Setting is like this. Does this (or when does this) have Impact?
Or do I have to activate something first (Transparent SMTP-Mode) for this to have an Impact?

THANK YOU!

TJ

You have selected Transparent SMTP Proxy by checking the boxes for Port 25, Port 465 and Port 587.

Complex question.  If your internal Exchange server is not using the UTM as a smart host, then configuring Transparent as you have done will allow the Proxy to handle outbound emails from your server.  If you also have the internal server in one of the networks in the Skip list, then outbound mail will only go through the Proxy if Exchange is configured to use the UTM as a smart host.

As it is, you have configured, for example, LAN-01 to be skipped by the proxy.  This means that the devices in LAN01 must use the UTM as a smart host if you want them to go through the Proxy.  Otherwise, if they try to communicate directly with the outside world, you may need a firewall rule allowing the traffic.

I'm guessing that you want all internally-generated emails to go via your internal Exchange server.  If that's the case, you probably want to disable Transparent mode by unchecking the Port boxes.  If you disable Transparent, then the Skip list will never be considered.

Cheers & mfG - Bob

Dear Bob,

GREAT Explanation! THANK YOU!!

Outgoing:
As of now my EX is one of the skipped Hosts and I have configured a smarthost in my EX,
but that´s not the UTM but an outside SMTP-Server of our Provider.
I also have a Firewall-Rule that allows my EX to communicate to the outside.
In this szenario, all outgoing Mail from my EX is completely not "botherd" by the UTM but
simply "plain and clean" routed to the outside, right?

Incomming:
As of now, without NAT-Rule, incomming Mail ist handled and checked (Spam/AV) by the SMTP-Proxy.

When I now create a NAT-Rule for Port 25 pointing to my EX, does incomming Mail go through
my SMTP-Proxy, because I´m in Transparent Mode and in this case SMTP-Proxy is catching Mail
"after it has been forwarded by a DNAT" or is it also not "botherd" by the UTM but simply
"plain and clean" routed to the inside because my EX is on of the skipped Hosts?

Background:
As I told I finished the EX HCW and have now a Hybrid-Szenario. As I recognized last night
and unlike previously reported I DO have some problems with Mailflow between "On Premise"
and "Online" and therefor I (maybe) have to open my UTM by a NAT-Rule. But before I do so,
I would like to understand what I´m doing.

At the Moment all our Mailboxes are "On Premise" and for now we do not plan to migrate Mailboxes
to the Cloud, so wo do not need Mailflow between "On Premise" and "Online" actually.
(Additional Info for other Readers: I configued HCW with "Centralized Mail Transport")
We only did Hybrid for the Teams-Calender communication with the local Outlook/Exchange-Calender
and that works as it looks like at the Moment. Seems to use other (here working) ways than Mail/Port 25.

DANKE!!

TJ

Yes, "plain and clean" routed to the outside.

If you want to use the SMTP Proxy, you will not want a NAT rule for incoming mail.  See #2 in Rulz (last updated 2021-02-16).

Please post back here with any other info that might help the next person doing Hybrid with UTM.

Cheers - Bob

Dear,

what I WANT to do is sadly orientated on what i HAVE to do.

...so it´s possible that I, in the end, will need a NAT-Rule to make it work.

For now it look´s better than I thought and better than I reported 3 days ago.

My Mail-Flow-Problems resulted from a false way to create new Users/Mailboxes.
When I do that the right way, I have a working Mail-Flow between "On Premise" and
"Online" through my UTM.

Outgoing: From "On Premise" to "Online" it works like a Charm (as I told I defined a Smarthost
on my EX that is one of the SMTP-Servers of my Provider and I made a Exception in my UTM-
SMTP-Proxy for my EX-Server, so that Mails will be sent without my UTM doing anything
to them.

Incomming: From "Online" to "On Premise" my Mails are checked by my UTM-SMTP-Proxy. I have
a big delay of about one hour, but that seems to have to do with greylisting and is, may be,
not an special EX-Hybrid problem but a UTM-O365-Problem.
(look at
community.sophos.com/.../mail-delay-when-receiving-mail-from-microsoft-cloud-office-365 )

Except that delay, it seems to work THROUGH my UTM but for "deleting" that delay I might have to make a NAT-Rule,
bur that´s something I´m investigating actually. Therefor: Can you answer the Question I made in my last Posting:

When I now create a NAT-Rule for Port 25 pointing to my EX, does incomming Mail go through
my SMTP-Proxy, because I´m in Transparent Mode and in this case SMTP-Proxy is catching Mail
"after it has been forwarded by a DNAT" or is it also not "botherd" by the UTM but simply
"plain and clean" routed to the inside because my EX is on of the skipped Hosts?

For other Readers: I did my Firewall-Rules according to:

www.frankysweb.de/.../

Without that, EX-Hybrid will, according to my experiencesso far, not work.

TJ

Dear,

what I WANT to do is sadly orientated on what i HAVE to do.

...so it´s possible that I, in the end, will need a NAT-Rule to make it work.

For now it look´s better than I thought and better than I reported 3 days ago.

My Mail-Flow-Problems resulted from a false way to create new Users/Mailboxes.
When I do that the right way, I have a working Mail-Flow between "On Premise" and
"Online" through my UTM.

Outgoing: From "On Premise" to "Online" it works like a Charm (as I told I defined a Smarthost
on my EX that is one of the SMTP-Servers of my Provider and I made a Exception in my UTM-
SMTP-Proxy for my EX-Server, so that Mails will be sent without my UTM doing anything
to them.

Incomming: From "Online" to "On Premise" my Mails are checked by my UTM-SMTP-Proxy. I have
a big delay of about one hour, but that seems to have to do with greylisting and is, may be,
not an special EX-Hybrid problem but a UTM-O365-Problem.
(look at
community.sophos.com/.../mail-delay-when-receiving-mail-from-microsoft-cloud-office-365 )

Except that delay, it seems to work THROUGH my UTM but for "deleting" that delay I might have to make a NAT-Rule,
bur that´s something I´m investigating actually. Therefor: Can you answer the Question I made in my last Posting:

When I now create a NAT-Rule for Port 25 pointing to my EX, does incomming Mail go through
my SMTP-Proxy, because I´m in Transparent Mode and in this case SMTP-Proxy is catching Mail
"after it has been forwarded by a DNAT" or is it also not "botherd" by the UTM but simply
"plain and clean" routed to the inside because my EX is on of the skipped Hosts?

For other Readers: I did my Firewall-Rules according to:

www.frankysweb.de/.../

Without that, EX-Hybrid will, according to my experiencesso far, not work.

TJ