TZ470 - How to block / allow mobile phone access
So this is bothering me for quite some time now. We're a small company and we host our own Exchange 2016 server. About 5 of my colleagues would like to be able to access their mailbox on their smartphone. Setting this up is done in a jiffy. But. It means I have to expose Exchange to the internet. And I'm not happy with that, as there seems to be no easy way to block / allow access for mobile devices. I know Sonicwall has SMA devices, but they are a bit too expensive. You can also have two Exchange servers - one in the DMZ and one on the LAN side, but this is way too convoluted / expensive too. And then we could host Exchange in the cloud - that will probably happen in the future.
So I'm looking for ways on the TZ470 to get this done. My first thought was using the MAC address of the mobile device. But it seems mobile devices can have several MAC addresses and they might not be fixed addresses. The same is probably true for the IP address, which will most likely not be fixed either. I had a look at a VPN solution, but that seems quite complicated.
So my question is: how do I allow access for selected mobile devices? If it's possible at all?
Answers
@Simon_Weel IMHO there is nothing you can do, because there is no form of authentication from the mobile device to the firewall if no VPN is involved. MAC address gets lost on Layer 3 and the IP is dynamic so your only option might be to reduce the attack surface by using GeoIP for your country.
SMA 500v isn't that expensive and might be of use for other scenarios, like having WireGuard instead of TCP-based SSL-VPN, a better portal, etc.
--Michael@BWC