
NAT and Email appliance

djhurt1 Enthusiast ✭✭
edited March 2021 in High End Firewalls

We had the SW email security appliance installed recently and it is working fine. I think I understand the basics of how this is working but I'm unclear on one area. I see a NAT rule for incoming packets from WAN to be forwarded to the email security appliance based on a "service" group. Currently the port assigned to the email appliance, HTTPS, SMTP, and PPTP are assigned to this group. Our mail server and email security appliance are both behind the same WAN IP. I understand the appliance is forwarding email to our mail server (Exchange). What I don't get is how do we access the webmail/OWA successfully when it's an HTTPS request as well, since all HTTPS packets will be forwarded to the SW email security appliance's internal address?


Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    you should only forward SMTP to your E-Mail Appliance, that's all that's needed. Unless you wanna grant HTTPS for accessing the Junkbox from the outside? In that case you should use a different port for that to avoid conflict with your OWA.

    --Michael@BWC

  • djhurt1 Enthusiast ✭✭

    @BWC


    You read my mind. I need to figure out a way for users to access the junkbox from the net (external). I'm curious how OWA is working now though. Currently we have the appliance host name set to its internal IP. Of course that means nobody can access the junk box when accessing OWA externally. I wanted to be clear, you don't see any reason at all that HTTPS should be forwarded to the email appliance then? If that's the case that'd be a pretty easy fix.

  • Saravanan Moderator

    Hi @DJHURT1,

    The junk box would be accessed on a different port such as 10443. You should be able to check this in the Junk Box Summary page in the Anti-Spam section of the SonicWall GUI.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    if your users don't need to access the Junkbox from the public Internet then no additional Rules are necessary. My rule of thumb, every service that is not exposed to the outside is one less hassle.

    Otherwise as mentioned by @Saravanan on Manage -> System Setup -> Junk Box -> Summary Notifications you can specify a URL for the User View, like https://mail.mydomain.de:10443 which could be a NAT to Port 443 on your ESA. You have to make sure that the hostname can be resolved on the Internet and internally and that the NAT Rule is working from WAN to DMZ and LAN to DMZ as well.

    --Michael@BWC

  • djhurt1 Enthusiast ✭✭

    This next question is a little out of the scope of this forum. We currently have a rule where a port is NAT'd to the email appliance and a few others to the mail server. I'm thinking since we're specifying the port in the URL, I can put our current mail server URL with port number in the summary notification URL. This in theory should point the external users to our external IP, then the firewall would forward that port to the SW Email appliance. Would anyone disagree with this?

  • BWC Cybersecurity Overlord ✭✭✭
    edited March 2021

    Hi @djhurt1

    if you put, let's say, https://mail.mydomain.tld:1443 in the mail summary as URL, you have to have a NAT rule and two access rules:

    NAT Rule
    ANY -> Original, X1 IP -> ESA, Port 1443 -> HTTPS, ANY IF inbound/outbound
    
    Access Rules
    WAN -> DMZ, ANY, X1 IP, Port 1443
    LAN -> DMZ, ANY, X1 IP, Port 1443
    

    As long as your URL for the mail server is pointing to X1 IP, like in my example, you're golden with recycling the IP on different ports.

    Is this what you're looking for?

    --Michael@BWC
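
The port-based forwarding described in the post above, as an added example that is not part of the original thread and is not SonicWall code: a simplified Python model of NAT and access rule lookup on one shared WAN IP. The address 203.0.113.10, the zone placement of the Exchange server, the OWA rules and the first-match lookup are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

X1_IP = "203.0.113.10"   # constructed WAN address (documentation range)

class Nat(NamedTuple):
    orig_ip: str      # original destination (the shared WAN IP)
    orig_port: int    # port the client connects to
    host: str         # translated destination
    port: int         # translated port

class Access(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_ip: str
    port: int

# Host-to-zone placement; the Exchange zone is an assumption.
ZONE = {"esa": "DMZ", "exchange": "LAN"}

NAT_RULES = [
    Nat(X1_IP, 25, "esa", 25),          # SMTP is all the ESA needs
    Nat(X1_IP, 443, "exchange", 443),   # OWA (assumed existing rule)
    Nat(X1_IP, 1443, "esa", 443),       # junk box: 1443 -> HTTPS on the ESA
]
ACCESS_RULES = [
    Access("WAN", "DMZ", X1_IP, 25),
    Access("WAN", "LAN", X1_IP, 443),   # assumed existing OWA rule
    Access("WAN", "DMZ", X1_IP, 1443),
    Access("LAN", "DMZ", X1_IP, 1443),
]

def resolve(src_zone, dst_ip, dst_port, nat=NAT_RULES, access=ACCESS_RULES):
    """Return (host, port) the connection reaches, or None if dropped."""
    for rule in nat:                     # first match wins in this model
        if (rule.orig_ip, rule.orig_port) == (dst_ip, dst_port):
            wanted = Access(src_zone, ZONE[rule.host], dst_ip, dst_port)
            return (rule.host, rule.port) if wanted in access else None
    return None

def conflicts(nat):
    """Ports on one WAN IP that more than one internal host claims."""
    claims = defaultdict(set)
    for rule in nat:
        claims[(rule.orig_ip, rule.orig_port)].add(rule.host)
    return {key: hosts for key, hosts in claims.items() if len(hosts) > 1}
```

Running `conflicts` over an exported rule list flags the situation from the opening question, where HTTPS on the shared IP is claimed by both the appliance and the mail server.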

  • djhurt1 Enthusiast ✭✭
    edited March 2021

    @BWC


    I think so. We're on the phone with our vendor going over this option now. The vendor however suspects the URL specified at Manage -> System Setup -> Junk Box -> Summary Notifications doesn't really do anything. I just want to make sure that we CAN specify our public domain name with port number in that field and it will in fact provide THAT URL to users in the junk notification email?

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    I checked real quick for you and the port is indeed part of the URL in the Summary Report. Was just in time for the hourly report :)

    --Michael@BWC

  • djhurt1 Enthusiast ✭✭

    @BWC


    I think we're 90% there on this project and I'm thankful for your help thus far. Our MX record points to the email security appliance, e.g. mail.mydomain.org. I've set an A record for snwl.mydomain.org. I can successfully get the appliance login screen publicly so I think all I need is to set the summary URL, mentioned earlier, to snwl.mydomain.org. I just wanted to confirm changing the summary URL will not change anything on the host name of the email appliance.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    setting the summary URL will not interfere with your hostname (HELO) whatsoever :)

    --Michael@BWC

  • djhurt1 Enthusiast ✭✭

    I have this set up now; however, I want to do a real-time test. However, I can't get an email to trigger as spam and generate a junk box summary to myself. I've tried everything from forwarding spam emails from another account, foul language all over the email, even porn lol. Any suggestions how to do this with the SonicWall email security appliance? We just had this installed so I'm not very familiar with it at all yet.

  • BWC Cybersecurity Overlord ✭✭✭
    edited March 2021

    Hi @djhurt1

    if you need something in your Junk Box real quick, I would take the Filter approach. Just send an e-mail from your private account, for example, and have it stored in Junk.


    --Michael@BWC
