
SMTP Proxy With NAT - how to publish Exchange/OWA

I'm currently using NAT with our Exchange server (I've not had any success with WAF). I've set up the UTM SMTP proxy to filter inbound and outbound mail, with Exchange using the UTM as a smart host. Any outbound mail is going through the proxy, but inbound seems to come straight to the Exchange server, bypassing the SMTP proxy. If I turn the NAT rule off, the proxy seems to work properly, but then I can't connect with Outlook or Outlook Web App. It's probably really straightforward, but can anyone give some advice on how I might get this to work? I'd use WAF ideally, but I've tried numerous times, following the docs word for word, and it never works properly for me. Thanks, Michael



  • Did you configure the Exchange DNAT rule for only the HTTP/S protocols or for ANY?

    Regarding WAF, try to configure it first with only one virtual webserver for all https traffic, and firewall profile enabled with only:
    - Pass Outlook Anywhere
    - Common threats filter
    - Antivirus: Dual Scan for both Downloads and Uploads
    - Trojans

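The question above (whether the DNAT rule matches ANY protocol, and therefore swallows port 25 before the SMTP proxy sees it) can be answered from outside the network by looking at the SMTP greeting the public address returns. The script below is an added diagnostic written for this page; it is not from the thread and not a Sophos tool. Exchange greets with "Microsoft ESMTP MAIL Service", so that string on the public MX means the DNAT is delivering port 25 straight to Exchange. The assumption that the UTM SMTP proxy greets as Exim, the hostnames, and the sample banners are all constructed for the example.

```python
"""Probe a public MX address on port 25 and decide from the SMTP greeting
whether inbound mail is terminating on the UTM SMTP proxy or being DNATed
straight through to Exchange. Added example; not from the original thread."""
import re
import smtplib

# Constructed sample greetings (not captured from any real host).
SAMPLE_BANNERS = {
    "exchange": "220 mail.example.com Microsoft ESMTP MAIL Service ready at "
                "Mon, 1 Jan 2018 10:00:00 +0000",
    # Assumption: the UTM SMTP proxy is Exim-based and greets like this.
    "utm_proxy": "220 utm.example.com ESMTP Exim 4.86 Mon, 1 Jan 2018 10:00:00 +0000",
    "other": "220 smtp.example.com ESMTP Postfix",
}

# 220 greeting: code, one space (or '-' for a multi-line greeting), host, rest.
GREETING_RE = re.compile(r"^220[ -](?P<host>\S+)(?P<rest>.*)$")

VERDICT = {
    "exchange": "port 25 is DNATed straight to Exchange; the UTM SMTP proxy is bypassed",
    "utm_proxy": "inbound SMTP is terminating on the UTM SMTP proxy as intended",
    "other": "greeting is from neither Exchange nor the proxy; check the NAT rule target",
    "invalid": "no valid 220 greeting; check that port 25 is reachable and not filtered",
}


def classify_banner(banner: str) -> str:
    """Classify a raw SMTP greeting as 'exchange', 'utm_proxy', 'other' or 'invalid'."""
    lines = banner.strip().splitlines()
    if not lines:
        return "invalid"
    match = GREETING_RE.match(lines[0].strip())
    if not match:
        return "invalid"
    rest = match.group("rest").lower()
    if "microsoft esmtp mail service" in rest:   # Exchange's well-known banner
        return "exchange"
    if "exim" in rest:                            # assumed UTM proxy banner
        return "utm_proxy"
    return "other"


def diagnose(banner: str) -> str:
    """Human-readable verdict for a greeting; used by the live probe below."""
    return VERDICT[classify_banner(banner)]


def probe_greeting(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Connect to host:port, return the raw greeting as '<code> <text>', then QUIT.
    This does network I/O; run it from outside the firewall against the public MX."""
    client = smtplib.SMTP(timeout=timeout)
    try:
        code, msg = client.connect(host, port)   # returns the 220 greeting
    except (OSError, smtplib.SMTPException) as exc:
        raise RuntimeError(f"no SMTP greeting from {host}:{port}: {exc}") from exc
    try:
        client.quit()
    except smtplib.SMTPException:
        pass
    return f"{code} {msg.decode('utf-8', 'replace')}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        greeting = probe_greeting(sys.argv[1])
        print(greeting)
        print(diagnose(greeting))
    else:
        for name, sample in SAMPLE_BANNERS.items():
            print(f"{name:10s} -> {classify_banner(sample):10s} : {diagnose(sample)}")
```

Run it as `python probe.py mail.yourdomain.example` from a host on the internet. If the verdict is "bypassed", the NAT rule that publishes Outlook/OWA is matching more than HTTPS; narrowing its service to HTTPS (443) leaves port 25 free for the SMTP proxy while keeping Outlook Anywhere and OWA reachable.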
  • Hello colly72, did you find a way to successfully publish Exchange through the WAF? I've been working on this for days and can't get it to work either.

    When I call tech support, the people there seem like they don't even know what Exchange is. Quite upsetting.

    The partner I purchased the UTM from suggests that I DNAT all HTTP and HTTPS traffic to the Exchange Server. I think that's just a stupid idea. It totally defeats the purpose of having a firewall, insofar as HTTP traffic goes.


    I used Microsoft ISA Server 2006 prior to purchasing this UTM and it handled Exchange perfectly. I don't understand why Sophos can't get it to work.

    Please let me know if you found a solution.

    Thank you, Herb

  • Hi Herb,

    I've not got it working yet, but I'm planning on migrating our existing Exchange 2010 server to 2016 and then trying again, to see if I have more success. It might take a while for me to complete, but I'll update here if I get anywhere once I've migrated.

    Cheers,

    Michael

  • colly72 said:

    I've not got it working yet but I'm planning on migrating our existing Exchange 2010 server to 2016 and then try again, to see if I have more success....

    On the contrary, it will be even more complicated to publish Exchange 2016 than Exchange 2010. That is not based on my own experience, but on that of other community forum members.

    As a last resort, publish the Exchange with no firewall profile in WAF, just to check that everything is correctly setup on DNS/Networking level.

  • I spent hours on this following the documentation. It's wrong.

    I now have this working although there are bugs with 9.4 which require occasional reboot of the UTM.

    Happy to discuss if you still have issues.

    Regards Rob.

  • Hello Rob,


    Yes I am actively working to get my Exchange server published and have been working with engineers at Sophos but they have not been able to figure it out.


    I used the article they have published called Sophos UTM Web Application Firewall for Microsoft Exchange Services

    I would appreciate any assistance you can provide, as I am running out of options. Right now I have to DNAT all SSL traffic to my on-premises Exchange server, and that's not the right way to do it.

    Thank you, Herb

  • Hi Herb

    This is easier to talk through rather than via messages. I see you're located in the States. If I can get an idea of your infrastructure, it would be easier to discuss.

    I'm based in the UK. You're more than welcome to call me 9-5 GMT. Alternatively, email me with your current setup. (rcullen (at) ttsonline.net) and I'll try and point you in the right direction.

    Kind Regards

    Rob

  • That's the document I used and I set my rules up exactly the way they describe them. I used AD, instead of LDAP, but I wouldn't think that would make a difference.

    I used Authentication Services to prefetch the credentials and made sure that I could login to the User Portal with the credentials to confirm that they were working.

    So are you using just the publishing rule or did you add a DNAT rule to direct SSL traffic from the External address to your Exchange Server?

  • Hi Rob,

    It would be great if you could share your solution. I'll send you an email with my setup.

    Many thanks,

    Michael