FortiGate
Jonathan_Body_FTNT
Article Id 197864

Description

 

This article gives an example of how to deploy Microsoft Exchange Server 2003/2007/2010 behind a FortiGate with UTM protection.


Scope

 

FortiOS all versions.


Solution

 
Network Scenario:
 
  • Microsoft Exchange Server deployed on the DMZ interface of the FortiGate.
  • SMTP deployment.

 



Configuration (CLI):

  1. Create a Virtual IP (VIP) that maps inbound traffic arriving on the external interface to the internal address of the Microsoft Exchange server.

config firewall vip
    edit "VIP_SMTP"
        set extip 172.31.224.58
        set extintf "wan1"
        set mappedip 10.160.0.10
    next
end

  2. Create the appropriate Firewall Policies to allow SMTP traffic. Policy 2 is the inbound policy: it must use the VIP as the destination address and have an explicit 'set action accept' (a policy with no action set is an implicit deny). Policies 1 and 3 are the outbound policies for the internal and DMZ networks.

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set comments "Outbound from internal network"
    next

    edit 2
        set srcintf "wan1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "VIP_SMTP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set comments "Inbound SMTP to Exchange via VIP_SMTP"
    next

    edit 3
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set comments "Outbound from DMZ (Exchange)"
    next
end
 

  3. Create appropriate UTM profiles to enable features such as DLP for logging, antivirus for checking attachments, and the IPS signatures specific to protecting Microsoft Exchange Servers. More information on this subject can be found in the 'FortiOS v4.0 MR3 UTM Guide' (Page 195).

  4. Apply the UTM profile(s) to the appropriate Firewall Policies created in step 2.
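As an added example (not Fortinet's code and not part of the article), the Python below parses FortiOS CLI text of the kind shown in steps 1 and 2 and checks two things a reviewer of that configuration would want: that every policy sets an explicit action (a policy with no 'set action' is an implicit deny), and that the VIP is actually referenced as dstaddr by an accept policy arriving on its extintf. The function names and the sample configuration are assumptions constructed for this example.

```python
import shlex

# Constructed sample (not the article's full config): the step-1 VIP plus a policy with no action that never references it.
SAMPLE = """config firewall vip
    edit "VIP_SMTP"
        set extintf "wan1"
        set mappedip 10.160.0.10
    next
end
config firewall policy
    edit 2
        set srcintf "dmz1"
        set dstintf "wan1"
        set service "SMTP"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {name: {key: values}}}."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)          # handles the quoted names FortiOS emits
        if not tok:
            continue
        if tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = None
    return cfg

def lint(cfg):
    """Flag policies lacking 'set action accept' and VIPs that no accept policy from their extintf uses."""
    findings = []
    policies = cfg.get("firewall policy", {})
    for pid, pol in policies.items():
        if pol.get("action") != ["accept"]:
            findings.append(f"policy {pid}: no 'set action accept', implicit deny")
    for name, vip in cfg.get("firewall vip", {}).items():
        ext = vip.get("extintf", [""])[0]
        if not any(name in p.get("dstaddr", []) and ext in p.get("srcintf", [])
                   and p.get("action") == ["accept"] for p in policies.values()):
            findings.append(f"vip {name}: no accept policy from {ext} uses it as dstaddr")
    return findings
```

Running lint(parse_fortios(SAMPLE)) reports both the missing action on policy 2 and the unreferenced VIP_SMTP; a policy from wan1 to dmz1 with dstaddr "VIP_SMTP" and action accept clears both findings.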

Note that there is no single best practice for deploying a Microsoft Exchange Server behind a FortiGate. The basic configuration steps above protect the Exchange Server for incoming and outgoing SMTP traffic; however, the IPS signatures in the UTM profile that are specific to Exchange are required to optimize real-time protection. For more advanced VIP scenarios, see the related article 'Technical Tip: Configuration example of Policy Based Routing and VIP for SMTP services in Dual Wan scenario'.

 

Related article:

Technical Tip: Configuration example of Policy Based Routing and VIP for SMTP services in Dual WAN s...