Skip to main content
Alperen_Uysal
Alperen_Uysal
New Member
July 9, 2020
Solved

Weird behaviour Virtual IP and Policy

  • July 9, 2020
  • 1 reply
  • 4110 views

Hi guys,

 

I hope someone can help me. Following scenario: Our customer has a Fortigate 100E unit with Build v5.6.5 installed (I know its outdated), running in "proxy mode" with explicity proxy settings and needs port opening for SMTP, SMTPs, HTTP and HTTPs directly to the Exchange Server for connectivity with O365.

 

I created a Virtual IP 'Public IP -> Exchange Server' with the mentioned services and the fitting policy that allows all Microsoft IPs plus our public ip to access the virtual ip object with all services. As soon as I enable the rule telnet to port 25 is working but the internet connectivity from the exchange server doesn't work. As soon as I disable the rule I can surf through internet and can make a traceroute to www.google.com for example.

 

I also created a explicity proxy rule but the exchange doesn't use the firewall as a proxy.

 

I hope someone had the same behaviour and did found a solution.

 

Thanks in advance!

    Best answer by Dave_Hall

    Someone may want to chime in...

     

    If the Exchange server is behind the fgt you likely need a firewall policy going in the opposite direction from the Exchange server ->WAN.  Move this firewall rule to near the top so it is triggered.  Apply any IPS options you want.

     

    If the Exchange server only has an internal IP address, you may need to enable NAT on the outgoing firewall policy. 

     

    If the exchange server has a different public IP than the fgt own's you may need to set up a one-to-one ippool using the Exchange server's public IP and put that on the outgoing firewall policy.

     

    You may need to adjust both the Administrator HTTP and HTTPS port access to something like 8080 and 8443 so you can still access the fgt's GUI. 

    1 reply

    Dave_Hall
    Dave_HallAnswer
    New Member
    July 10, 2020

    Someone may want to chime in...

     

    If the Exchange server is behind the fgt you likely need a firewall policy going in the opposite direction from the Exchange server ->WAN.  Move this firewall rule to near the top so it is triggered.  Apply any IPS options you want.

     

    If the Exchange server only has an internal IP address, you may need to enable NAT on the outgoing firewall policy. 

     

    If the exchange server has a different public IP than the fgt own's you may need to set up a one-to-one ippool using the Exchange server's public IP and put that on the outgoing firewall policy.

     

    You may need to adjust both the Administrator HTTP and HTTPS port access to something like 8080 and 8443 so you can still access the fgt's GUI. 

    Alperen_Uysal
    Alperen_UysalAuthor
    New Member
    July 10, 2020

    Thank you! This was not the solution but it helped me anyways.

     

    A colleague of mine made a mistake and didn't look at the interface... there is a router in front of the firewall... the solution was to set the virtual ip mapped to the router ip "192.168.x.x -> Exchange Server" and a policy that allows inbound traffic to the virtual ip we also had to open the ports on the router for the services that are going to be used.

     

    Well, maybe this post helps someone else as food for thought ;)

    Dave_Hall
    Dave_Hall
    New Member
    July 10, 2020

    alper_n wrote:

    Well, maybe this post helps someone else as food for thought ;)

    For what's it's worth, there should be 2-3 similar posts from others and myself on this - but usually the exchange server (or any server) is on the internal network with a private IP but has a public static IP assigned to it.  Your set up is different. :)

    Terms & ConditionsAccessibility statement