Fortinet Community

Configuration (CLI)

1. Create a Virtual IP to map external to internal traffic towards the Microsoft Exchange server.

config firewall vip edit "VIP_SMTP" set extip 172.31.224.58 set extintf "wan1" set mappedip 10.160.0.10 next end

2. Create the appropriate Firewall Policies to allow SMTP traffic.

config firewall policy edit 1 set srcintf "internal" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" set nat enable next edit 2 set srcintf "dmz1" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set schedule "always" set service "SMTP" next edit 3 set srcintf "dmz1" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" set nat enable next end

3. Create appropriate UTM profiles to enable features such as DLP for logging, antivirus for checking attachments, and some IPS signatures specific for protecting the Microsoft Exchange Servers.  More information on this subject can be found in the "FortiOS v4.0 MR3 UTM Guide" (Page 195).

4. Apply the UTM profile(s), to the appropriate Firewall Policies as created in step 2

It should be noted that there is no best practice in terms of deploying a Microsoft Exchange Server with the FortiGate.  The basic configuration steps given above will protect the Exchange Server for incoming and outgoing SMTP traffic. However, certain IPS signatures within the UTM profile specific to Exchange will be required to optimize Real-Time protection.  For more advanced VIP scenarios, consult the related article "Technical Note : Configuration example of Policy Based Routing and VIP for SMTP services in Dual Wan scenario".