This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exchange Hybrid / Mail-Protection / NAT-Rule

Dear,

currently we use a single EX2016 on Premise.

Incomming Mails are delivered to our UTM (SG330),
which scans for Spam/Virus and then routes them to
our EX-Server. Outgoing Mails are routed to an ext.
Smarthost. Outlook Web Access is published through WAF.

Classic Setup I think...

We now want to use EX Hybrid with "Centralized Mail Transport",
which means Mail-Flow should stay as described above.

I read a lot of Articles that say, that EX Hybrid is not possible
as long as Communication is interrupted by the UTM Mail Protection (and WAF).
Instead there should be a NAT-Rule for Port 25 (and may be 443) that
routes traffic directly to our EX on Premise. (I can minimize the "hole"
that is made through that by restricting the rule to MS Servers/IPs).

My question is:
What happens to incomming Commnication when I build a NAT-Rule for Port 25 and 443?
Will (other than Hybrid) incomming Mail still be filtered for Spam/Virus and will OWA
Access still be routed throug WAF or will then ALL Traffic use NAT ONLY and
my protective mechanisms from UTM are not used any longer?

How do you realize EX Hybrid?

THANK YOU!

TJ



This thread was automatically locked due to age.
Parents
  • Hallo,

    DNATs take precedence - see #2 in Rulz (last updated 2021-02-16).  I suspect you will want to ask some questions in the Exchange community as there are several basic decisions to make.  When you have a clearer picture of how you want to do Hybrid, we can work on it better here.

    Also see https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/132837/waf-issues-after-updating-to-9-709-3/492706#492706 which includes posts on problems with WAF and Hybrid.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear,

    THANK YOU!

    I think I HAVE a clear picture of how I want to do EX-Hybrid,
    but I´m missing a clear view on how to get there ;-) AND have a
    little to less knwoing about my UTM.... :-(

    A few questions:
    When I restrict my NAT-Rule on Port 25 to only access connections
    from MS-Online-Servers, what would be enough for EX-Hybrid, will
    incomming Mail from other Servers be rejected or will that then
    go (in a "2nd run") through my SMTP-Proxy?

    Rule #2 says "then Proxies (except the SMTP Proxy in Transparent mode
    which captures traffic after it has been forwarded by a DNAT)"
    This "Transparent Mode" means "Operations Mode" in/under Web-Protection
    \Web Filtering or is there an extra "Transparent Mode" for my SMTP-Proxy?

    I´m in Standard Mode there but also have defined Exceptions for "Skip
    Transparent Mode Host/Nets" in/under Email Protection\SMTP\Advanced.
    Is this useless?

    You 2nd link tells me, that it seems to be possible, or in other words
    is not impossible, to do EX-Hybrid through SMTP-Proxy an WAF and without
    bypassing them wit NAT-Rules, WHEN I have the right firmware. People
    there mention that thes could do so with FW 9.707. Do you also understand
    it like this?

    THANK YOU!!

    TJ

  • Bitte schön !

    OK, those are questions we can work with!

    "When I restrict my NAT-Rule on Port 25 to only access connections from MS-Online-Servers, what would be enough for EX-Hybrid, will incomming Mail from other Servers be rejected or will that then go (in a "2nd run") through my SMTP-Proxy?"

    Assuming that only Ex-Hybrid incoming mail comes from MS-Online-Servers, yes, all other mails will go through the SMTP Proxy.

    "Rule #2 says "then Proxies (except the SMTP Proxy in Transparent mode which captures traffic after it has been forwarded by a DNAT)" This "Transparent Mode" means "Operations Mode" in/under Web-Protection \Web Filtering or is there an extra "Transparent Mode"  or my SMTP-Proxy?"

    There is a separate Transparent mode for the SMTP Proxy.  It's not what you want in your situation.

    "I´m in Standard Mode there but also have defined Exceptions for "Skip Transparent Mode Host/Nets" in/under Email  Protection\SMTP\Advanced.  Is this useless?"

    If you haven't selected any Transparent mode ports, the Exceptions won't be considered.

    "You 2nd link tells me, that it seems to be possible, or in other words is not impossible, to do EX-Hybrid through SMTP-Proxy an WAF and  without bypassing them wit NAT-Rules, WHEN I have the right firmware. People there mention that thes could do so with FW 9.707. Do you  also understand it like this?"

    I understood the same from that thread as you did.  I don't remember if 9.707 was the version that worked or the one that didn't.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear,

    once more: DANKESCHÖN!

    This afternoon I finished the Exchange Hybrid Connection Wizard (HCW) and now have a working Hybrid-Scenario.
    This worked WITHOUT making NAT-Rules, it works just throug SMTP-Proxy and WAF (as far as it looks like .. so far...)

    Nevertheless one more Question about SMTP Transparent Mode:

    Where can I activate that, I can´t find a switch in my Admin-Portal...
    My Exception-Setting is like this. Does this (or when does this) have Impact?
    Or do I have to activate something first (Transparent SMTP-Mode) for this to have an Impact?


    THANK YOU!

    TJ

  • You have selected Transparent SMTP Proxy by checking the boxes for Port 25, Port 465 and Port 587.

    Complex question.  If your internal Exchange server is not using the UTM as a smart host, then configuring Transparent as you have done will allow the Proxy to handle outbound emails from your server.  If you also have the internal server in one of the networks in the Skip list, then outbound mail will only go through the Proxy if Exchange is configured to use the UTM as a smart host.

    As it is, you have configured, for example, LAN-01 to be skipped by the proxy.  This means that the devices in LAN01 must use the UTM as a smart host if you want them to go through the Proxy.  Otherwise, if they try to communicate directly with the outside world, you may need a firewall rule allowing the traffic.

    I'm guessing that you want all internally-generated emails to go via your internal Exchange server.  If that's the case, you probably want to disable Transparent mode by unchecking the Port boxes.  If you disable Transparent, then the Skip list will never be considered.

    Cheers & mfG - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Bob,

    GREAT Explanation! THANK YOU!!

    Outgoing:
    As of now my EX is one of the skipped Hosts and I have configured a smarthost in my EX,
    but that´s not the UTM but an outside SMTP-Server of our Provider.
    I also have a Firewall-Rule that allows my EX to communicate to the outside.
    In this szenario, all outgoing Mail from my EX is completely not "botherd" by the UTM but
    simply "plain and clean" routed to the outside, right?

    Incomming:
    As of now, without NAT-Rule, incomming Mail ist handled and checked (Spam/AV) by the SMTP-Proxy.

    When I now create a NAT-Rule for Port 25 pointing to my EX, does incomming Mail go through
    my SMTP-Proxy, because I´m in Transparent Mode and in this case SMTP-Proxy is catching Mail
    "after it has been forwarded by a DNAT" or is it also not "botherd" by the UTM but simply
    "plain and clean" routed to the inside because my EX is on of the skipped Hosts?

    Background:
    As I told I finished the EX HCW and have now a Hybrid-Szenario. As I recognized last night
    and unlike previously reported I DO have some problems with Mailflow between "On Premise"
    and "Online" and therefor I (maybe) have to open my UTM by a NAT-Rule. But before I do so,
    I would like to understand what I´m doing.

    At the Moment all our Mailboxes are "On Premise" and for now we do not plan to migrate Mailboxes
    to the Cloud, so wo do not need Mailflow between "On Premise" and "Online" actually.
    (Additional Info for other Readers: I configued HCW with "Centralized Mail Transport")
    We only did Hybrid for the Teams-Calender communication with the local Outlook/Exchange-Calender
    and that works as it looks like at the Moment. Seems to use other (here working) ways than Mail/Port 25.

    DANKE!!

    TJ

  • Yes, "plain and clean" routed to the outside.

    If you want to use the SMTP Proxy, you will not want a NAT rule for incoming mail.  See #2 in Rulz (last updated 2021-02-16).

    Please post back here with any other info that might help the next person doing Hybrid with UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear,

    what I WANT to do is sadly orientated on what i HAVE to do.

    ...so it´s possible that I, in the end, will need a NAT-Rule to make it work.

    For now it look´s better than I thought and better than I reported 3 days ago.

    My Mail-Flow-Problems resulted from a false way to create new Users/Mailboxes.
    When I do that the right way, I have a working Mail-Flow between "On Premise" and
    "Online" through my UTM.

    Outgoing: From "On Premise" to "Online" it works like a Charm (as I told I defined a Smarthost
    on my EX that is one of the SMTP-Servers of my Provider and I made a Exception in my UTM-
    SMTP-Proxy for my EX-Server, so that Mails will be sent without my UTM doing anything
    to them.

    Incomming: From "Online" to "On Premise" my Mails are checked by my UTM-SMTP-Proxy. I have
    a big delay of about one hour, but that seems to have to do with greylisting and is, may be,
    not an special EX-Hybrid problem but a UTM-O365-Problem.
    (look at
    community.sophos.com/.../mail-delay-when-receiving-mail-from-microsoft-cloud-office-365 )

    Except that delay, it seems to work THROUGH my UTM but for "deleting" that delay I might have to make a NAT-Rule,
    bur that´s something I´m investigating actually. Therefor: Can you answer the Question I made in my last Posting:

    When I now create a NAT-Rule for Port 25 pointing to my EX, does incomming Mail go through
    my SMTP-Proxy, because I´m in Transparent Mode and in this case SMTP-Proxy is catching Mail
    "after it has been forwarded by a DNAT" or is it also not "botherd" by the UTM but simply
    "plain and clean" routed to the inside because my EX is on of the skipped Hosts?

    For other Readers: I did my Firewall-Rules according to:

    www.frankysweb.de/.../

    Without that, EX-Hybrid will, according to my experiencesso far, not work.

    TJ

Reply
  • Dear,

    what I WANT to do is sadly orientated on what i HAVE to do.

    ...so it´s possible that I, in the end, will need a NAT-Rule to make it work.

    For now it look´s better than I thought and better than I reported 3 days ago.

    My Mail-Flow-Problems resulted from a false way to create new Users/Mailboxes.
    When I do that the right way, I have a working Mail-Flow between "On Premise" and
    "Online" through my UTM.

    Outgoing: From "On Premise" to "Online" it works like a Charm (as I told I defined a Smarthost
    on my EX that is one of the SMTP-Servers of my Provider and I made a Exception in my UTM-
    SMTP-Proxy for my EX-Server, so that Mails will be sent without my UTM doing anything
    to them.

    Incomming: From "Online" to "On Premise" my Mails are checked by my UTM-SMTP-Proxy. I have
    a big delay of about one hour, but that seems to have to do with greylisting and is, may be,
    not an special EX-Hybrid problem but a UTM-O365-Problem.
    (look at
    community.sophos.com/.../mail-delay-when-receiving-mail-from-microsoft-cloud-office-365 )

    Except that delay, it seems to work THROUGH my UTM but for "deleting" that delay I might have to make a NAT-Rule,
    bur that´s something I´m investigating actually. Therefor: Can you answer the Question I made in my last Posting:

    When I now create a NAT-Rule for Port 25 pointing to my EX, does incomming Mail go through
    my SMTP-Proxy, because I´m in Transparent Mode and in this case SMTP-Proxy is catching Mail
    "after it has been forwarded by a DNAT" or is it also not "botherd" by the UTM but simply
    "plain and clean" routed to the inside because my EX is on of the skipped Hosts?

    For other Readers: I did my Firewall-Rules according to:

    www.frankysweb.de/.../

    Without that, EX-Hybrid will, according to my experiencesso far, not work.

    TJ

Children
No Data