Hi guys,
I hope someone can help me. Following scenario: Our customer has a Fortigate 100E unit with Build v5.6.5 installed (I know its outdated), running in "proxy mode" with explicity proxy settings and needs port opening for SMTP, SMTPs, HTTP and HTTPs directly to the Exchange Server for connectivity with O365.
I created a Virtual IP 'Public IP -> Exchange Server' with the mentioned services and the fitting policy that allows all Microsoft IPs plus our public ip to access the virtual ip object with all services. As soon as I enable the rule telnet to port 25 is working but the internet connectivity from the exchange server doesn't work. As soon as I disable the rule I can surf through internet and can make a traceroute to www.google.com for example.
I also created a explicity proxy rule but the exchange doesn't use the firewall as a proxy.
I hope someone had the same behaviour and did found a solution.
Thanks in advance!
Solved! Go to Solution.
Someone may want to chime in...
If the Exchange server is behind the fgt you likely need a firewall policy going in the opposite direction from the Exchange server ->WAN. Move this firewall rule to near the top so it is triggered. Apply any IPS options you want.
If the Exchange server only has an internal IP address, you may need to enable NAT on the outgoing firewall policy.
If the exchange server has a different public IP than the fgt own's you may need to set up a one-to-one ippool using the Exchange server's public IP and put that on the outgoing firewall policy.
You may need to adjust both the Administrator HTTP and HTTPS port access to something like 8080 and 8443 so you can still access the fgt's GUI.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Someone may want to chime in...
If the Exchange server is behind the fgt you likely need a firewall policy going in the opposite direction from the Exchange server ->WAN. Move this firewall rule to near the top so it is triggered. Apply any IPS options you want.
If the Exchange server only has an internal IP address, you may need to enable NAT on the outgoing firewall policy.
If the exchange server has a different public IP than the fgt own's you may need to set up a one-to-one ippool using the Exchange server's public IP and put that on the outgoing firewall policy.
You may need to adjust both the Administrator HTTP and HTTPS port access to something like 8080 and 8443 so you can still access the fgt's GUI.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thank you! This was not the solution but it helped me anyways.
A colleague of mine made a mistake and didn't look at the interface... there is a router in front of the firewall... the solution was to set the virtual ip mapped to the router ip "192.168.x.x -> Exchange Server" and a policy that allows inbound traffic to the virtual ip we also had to open the ports on the router for the services that are going to be used.
Well, maybe this post helps someone else as food for thought ;)
alper_n wrote:Well, maybe this post helps someone else as food for thought ;)
For what's it's worth, there should be 2-3 similar posts from others and myself on this - but usually the exchange server (or any server) is on the internal network with a private IP but has a public static IP assigned to it. Your set up is different. :)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.