Server Mode Deployment

Leave a reply

Example 3: FortiMail unit in DMZ

In this example, a FortiMail unit operates in server mode within the demilitarized zone (DMZ). It is protected by a firewall but also separated from local email users’ computers by it. Remote email users’ computers and external email servers are located on the Internet, outside of the private network. The FortiMail unit hosts and protects accounts for email addresses ending in “@example.com”.

Figure 18:Server mode deployment in a DMZ

@example.com

The FortiMail unit has also been configured with an access control rule that allows local and remote email users to send email to unprotected domains if they first authenticate:

Sender Pattern *@example.com
Recipient Pattern *
Sender

IP/Netmask

 0.0.0.0/0
Reverse DNS Pattern *
Authentication Status authenticated
TLS < none >
Action RELAY

To deploy the FortiMail unit in the DMZ of a NAT device such as a firewall or router, you must complete the following:

  • Configuring the firewall
  • Configuring the email user accounts
  • Configuring the MUAs
  • Testing the installation

This example assumes you have already completed the Quick Start Wizard and configured records on the DNS server for each protected domain. For details, see “Running the Quick Start Wizard” on page 34 and “Configuring DNS records” on page 101.

Configuring the firewall

With the FortiMail unit located in the DMZ of a FortiGate unit which is between the FortiMail unit and local email users, you must configure policies to allow traffic:

  • from local email users to the FortiMail unit
  • from the FortiMail unit to the Internet
  • from the Internet to the FortiMail unit

To create the required policies, complete the following:

  • Configuring the firewall addresses
  • Configuring the service groups
  • Configuring the virtual IPs
  • Configuring the firewall policies

Configuring the firewall addresses

In order to create the firewall policies that govern traffic to and from the IP addresses of local email users and the IP address of the FortiMail unit, you must first define the IP addresses of the local email users and the IP address of the FortiMail unit by creating firewall address entries.

To add a firewall address for the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Address > Address.
  3. Select Create New.
  4. Complete the following:
Name Enter a name to identify the firewall address entry, such as FortiMail_address.
Type Select Subnet/IP Range.
Subnet /IP Range Enter 192.168.1.5.
Interface Select dmz.
  1. Select OK.

To add a firewall address for local email users

  1. Go to Firewall > Address > Address.
  2. Select Create New.
  3. Complete the following:
Name Enter a name to identify the firewall address entry, such as local_email_users_address.
Type Select Subnet/IP Range.
Subnet /IP Range Enter 172.168.1.0/24.
Interface Select internal.
  1. Select OK.

Configuring the service groups

In order to create firewall policies that govern only FortiMail-related traffic, you must first create groups of services that define protocols and port numbers used in that traffic.

Because FortiGuard-related services for FortiMail units are not predefined, you must define them before you can create a service group that contains those services.

To add a custom service for FortiGuard Antivirus push updates

  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
Name Enter a name to identify the custom service entry, such as FortiMail_antivirus_push_updates.
Protocol Type Select TCP/UDP.
Protocol Select UDP.
Destination Port  
Low Enter 9443.
High Enter 9443.
  1. Select OK.

To add a custom service for FortiGuard Antispam rating queries

  1. Access FortiGate.
  2. Go to Firewall > Service > Custom.
  3. Select Create New.
  4. Configure the following:
Name   Enter a name to identify the custom service entry, such as FortiMail_antispam_rating_queries.
Protocol Type   Select TCP/UDP.
Protocol   Select UDP.
Destination Port    
  Low Enter 8889.
  High Enter 8889.
  1. Select OK.

To add a service group for incoming FortiMail traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_incoming_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your custom service for FortiGuard Antivirus push updates, FortiMail_antivirus_push_updates, then select the right arrow to move them to the Members area.
  6. Select OK.

To add a service group for outgoing FortiMail traffic

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as FortiMail_outgoing_services.
  5. In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries, then select the right arrow to move them to the Members area.
  6. Select OK.

To add a service group for email user traffic to the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Service > Group.
  3. Select Create New.
  4. In Group Name, enter a name to identify the service group entry, such as local_email_users_services.
  5. In the Available Services area, select HTTP, HTTPS, SMTP, POP3, and IMAP, then select the right arrow to move them to the Members
  6. Select OK.

Configuring the virtual IPs

In order to create the firewall policies that forward email-related traffic to the FortiMail unit from the internal network and from the Internet, you must first define two static NAT mappings:

  • from a public IP address on the FortiGate unit to the IP address of the FortiMail unit • from a virtual IP address on the 172.16.1.* network to the IP address of the FortiMail unit by creating a virtual IP entries.

To add a wan1 virtual IP for the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
Name Enter a name to identify the virtual IP entry, such as FortiMail_VIP_wan1.
External Interface Select wan1.
Type Select Static NAT.
External IP

Address/Range

 Enter 10.10.10.1.
Mapped IP

Address/Range

 Enter 192.168.1.5.
  1. Select OK.

To add an internal virtual IP for the FortiMail unit

  1. Access FortiGate.
  2. Go to Firewall > Virtual IP > Virtual IP.
  3. Select Create New.
  4. Complete the following:
Name Enter a name to identify the virtual IP entry, such as FortiMail_VIP_internal.
External Interface Select internal.
Type Select Static NAT.
External IP

Address/Range

 Enter 172.168.1.2.
Mapped IP

Address/Range

 Enter 192.168.1.5.
  1. Select OK.

Configuring the firewall policies

First, create a firewall policy that allows incoming email and other FortiMail services that are received at the virtual IP address, then applies a static NAT when forwarding the traffic to the private network IP address of the FortiMail unit.

Second, create a firewall policy that allows outgoing email and other FortiMail connections from the FortiMail unit to the Internet.

Last, create a firewall policy that allows outgoing email and other FortiMail connections from the local email users to the FortiMail unit.

To add the Internet-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

Source Interface/zone Select wan1.

Source Address Name Select all.

Destination

Interface/zone

 Select dmz.
Destination Address

Name

 Select FortiMail_VIP_wan1.
Schedule Select ALWAYS.
Service Select FortiMail_incoming_services.
Action Select ACCEPT.
  1. Select OK.

To add the FortiMail-to-Internet policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

Source Interface/zone Select dmz.

Source Address Name Select FortiMail_address.

Destination

Interface/zone

 Select wan1.
Destination Address

Name

 Select all.
Schedule Select ALWAYS.
Service Select FortiMail_outgoing_services.
Action Select ACCEPT.
  1. Select NAT.
  2. Select OK.

To add the internal-to-FortiMail policy

  1. Access FortiGate.
  2. Go to Firewall > Policy > Policy.
  3. Select Create New.
  4. Complete the following:

Source Interface/zone Select internal.

Source Address Name Select local_email_users_address.

Destination

Interface/zone

 Select dmz.
Destination Address

Name

 Select FortiMail_VIP_internal.
Schedule Select ALWAYS.
Service Select local_email_users_services.
Action Select ACCEPT.
  1. Select OK.
Pages: 1 2 3 4 5 6
This entry was posted in Administration Guides, FortiMail and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.