
Secureworks and O365

BGMRob Newbie ✭
edited October 2020 in Entry Level Firewalls

I have a TZ300 and have just signed up with Secureworks to monitor our O365 tenant. I've been with Secureworks for a year and have their CTA and iSensor appliances onsite. I recently migrated to O365 and would like to keep our email under Secureworks' watchful eye.

As part of the implementation configuration I need to open up our CTA appliance on TCP/443 to 4 different destinations: manage.office.com, graph.windows.net, graph.microsoft.com, and reportingservice.activedirectory.windowsazure.com.

I've attempted to follow the directions here: https://www.sonicwall.com/support/knowledge-base/how-can-i-enable-port-forwarding-and-allow-access-to-a-server-through-the-sonicwall/170503477349850/ but haven't had any success. I think I'm getting tripped up on the NAT Policy. Are there any clearer, simpler directions out there that will help me in doing this? I'm not a firewall guy by any stretch of the imagination.


Best Answers

  • CORRECT ANSWER ✓
    shiprasahu93 Moderator

    Hello @BGMRob,

    Welcome to SonicWall Community.

    Here are the access rule and NAT policy:

    Access rule:

    Action: Allow

    Source: Any (You can also create FQDN address objects for the URLs manage.office.com, graph.windows.net, graph.microsoft.com, and reportingservice.activedirectory.windowsazure.com and group them and use here)

    Destination: WAN address (Usually X1 IP)

    Service: HTTPS

    NAT policy:

    Original Source: Any

    Translated Source: Original

    Original Destination: WAN address (Usually X1 IP)

    Translated Destination: CTA appliance private IP

    Original Service: HTTPS

    Translated Service: Original

    Inbound Interface: WAN Interface (Eg: X1)

    Outbound Interface: Any

    You can use the Public Server Wizard if you find that easier. It adds the access rule and the inbound, outbound and loopback NAT policies.

    I hope this helps!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • CORRECT ANSWER ✓
    shiprasahu93 Moderator

    Hello @BGMRob,

    Have you created a separate address group that contains the Microsoft URLs in question? If yes, please use that group in the source field of the access rule and also in the Original source field of the NAT rule.

    With that, it will forward the HTTPS traffic when being sent from those Microsoft URLs to the CTA and on all other occasions to the web server.

    I hope that helps!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Answers


  • BGMRob Newbie ✭

    @shiprasahu93 I was able to use your directions and set up the NAT policy. However, when I did so I created another problem. I have a web server in a DMZ that communicates through the firewall over port 443 with a database server on the LAN. When I enabled the new NAT policy it broke that connection because the policy uses HTTPS (port 443). That makes sense, because a port can't be forwarded to 2 destinations. But any web traffic to a secure website using HTTPS would also be using 443, wouldn't it? Is there a way to modify my new NAT policy that will allow the CTA appliance to talk over 443 with the Microsoft URLs without breaking my connection from the web server to the database server?
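An added example (my own Python model, not SonicWall's code and not the poster's configuration) of how the NAT policy fields listed in the answers above decide which flow a policy rewrites. It assumes a simplified matching model in which, when more than one policy matches a flow, the most specific one (fewest "Any" fields) wins; confirm the precedence rules of your own SonicOS version before relying on that. The addresses, interface names and the IP range the four Microsoft FQDNs are taken to resolve to are all constructed. It shows three things relevant to this thread: with the Microsoft group in Original Source, that policy takes the CTA forward and everything else falls through to the general 443 forward; a source the FQDN group does not currently resolve to is indistinguishable from "everything else", which is the operational caveat of using FQDN objects as an inbound source; and a forward written with Any for Original Destination and Inbound Interface rewrites every TCP/443 flow the firewall routes, DMZ to LAN included.

```python
"""Field-by-field NAT policy matching with most-specific-match selection.

Added example, not SonicWall code. ASSUMES that among matching policies the
one with the fewest 'Any' fields wins. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "Any"


def addr_group(*cidrs: str) -> frozenset:
    """An address object or group: the set of networks it covers."""
    return frozenset(ip_network(c, strict=False) for c in cidrs)


def addr_matches(obj: object, ip: str) -> bool:
    """True if obj is Any or contains ip."""
    if obj == ANY:
        return True
    a = ip_address(ip)
    return any(a in net for net in obj)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: object       # ANY or an address group
    orig_dst: object       # ANY or an address group
    orig_service: object   # ANY or a TCP destination port
    inbound_iface: str     # ANY or an interface name such as "X1"
    translated_dst: str    # where matching traffic is sent

    def matches(self, f: Flow) -> bool:
        return (addr_matches(self.orig_src, f.src)
                and addr_matches(self.orig_dst, f.dst)
                and self.orig_service in (ANY, f.dport)
                and self.inbound_iface in (ANY, f.in_iface))

    def specificity(self) -> int:
        """Number of fields narrower than Any; higher wins."""
        fields = (self.orig_src, self.orig_dst, self.orig_service, self.inbound_iface)
        return sum(1 for v in fields if v != ANY)


def select_policy(policies: List[NatPolicy], f: Flow) -> Optional[NatPolicy]:
    """Most specific matching policy; ValueError if two tie (a real misconfiguration)."""
    hits = sorted((p for p in policies if p.matches(f)),
                  key=NatPolicy.specificity, reverse=True)
    if not hits:
        return None
    if len(hits) > 1 and hits[0].specificity() == hits[1].specificity():
        raise ValueError(f"ambiguous: {hits[0].name!r} and {hits[1].name!r} both match {f}")
    return hits[0]


def translate(policies: List[NatPolicy], f: Flow) -> Optional[Tuple[str, str]]:
    p = select_policy(policies, f)
    return None if p is None else (p.name, p.translated_dst)


def is_ambiguous(policies: List[NatPolicy], f: Flow) -> bool:
    try:
        select_policy(policies, f)
    except ValueError:
        return True
    return False


# Constructed topology (documentation ranges, not real hosts).
WAN_IP = "203.0.113.10"   # X1 public address
CTA_IP = "192.168.1.50"   # Secureworks CTA on the LAN
WEB_IP = "172.16.0.20"    # web server in the DMZ (X2)
DB_IP = "192.168.1.60"    # database server on the LAN
WAN_OBJ = addr_group(WAN_IP)
# Stand-in for what the four Microsoft FQDNs resolve to right now. Real
# resolutions are large and change; anything outside falls through below.
MS_GROUP = addr_group("198.51.100.0/24")

POLICIES = [
    # The second answer's refinement: Microsoft group in Original Source.
    NatPolicy("Inbound HTTPS -> CTA", MS_GROUP, WAN_OBJ, 443, "X1", CTA_IP),
    # The general 443 forward the CTA policy would otherwise collide with.
    NatPolicy("Inbound HTTPS -> web server", ANY, WAN_OBJ, 443, "X1", WEB_IP),
]
# Constructed counterexample: Any destination and Any inbound interface.
BROAD_CTA = NatPolicy("Over-broad HTTPS -> CTA", ANY, ANY, 443, ANY, CTA_IP)


def demo() -> dict:
    cases = {
        "from Microsoft group": Flow("198.51.100.5", WAN_IP, 443, "X1"),
        "from other internet host": Flow("192.0.2.77", WAN_IP, 443, "X1"),
        "DMZ web -> LAN database": Flow(WEB_IP, DB_IP, 443, "X2"),
    }
    return {label: translate(POLICIES, f) for label, f in cases.items()}


def demo_broad() -> Optional[Tuple[str, str]]:
    """The same DMZ -> LAN flow is rewritten by the over-broad policy."""
    return translate([BROAD_CTA], Flow(WEB_IP, DB_IP, 443, "X2"))


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:26} -> {result}")
    print("over-broad, DMZ -> LAN     ->", demo_broad())
```

Run it as-is and the DMZ-to-LAN 443 flow is untouched by the two scoped policies but rewritten to the CTA by the over-broad one, which is the symptom described in the post above. `is_ambiguous` flags the case the second answer is fixing: two policies with the same Original Destination and Service and no distinguishing source.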
