Description
This article gives an example of how to deploy Microsoft Exchange Server 2003/2007/2010 with FortiGate UTM protection.
Scope
FortiOS all versions.
Solution
Network Scenario
- Microsoft Exchange Server deployed on the DMZ interface of the FortiGate
- SMTP deployment

Configuration (CLI)
1. Create a Virtual IP to map external to internal traffic towards the Microsoft Exchange server.
config firewall vip
    edit "VIP_SMTP"
        set extip 172.31.224.58
        set extintf "wan1"
        set mappedip 10.160.0.10
    next
end
2. Create the appropriate Firewall Policies to allow SMTP traffic.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "VIP_SMTP"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    edit 3
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
3. Create appropriate UTM profiles to enable features such as DLP for logging, antivirus for checking attachments, and IPS signatures specific to protecting Microsoft Exchange servers. More information on this subject can be found in the "FortiOS v4.0 MR3 UTM Guide" (Page 195).
4. Apply the UTM profile(s) to the appropriate Firewall Policies created in step 2.
It should be noted that there is no best practice in terms of deploying a Microsoft Exchange Server with the FortiGate. The basic configuration steps given above will protect the Exchange Server for incoming and outgoing SMTP traffic. However, certain IPS signatures within the UTM profile specific to Exchange will be required to optimize real-time protection. For more advanced VIP scenarios, consult the related article "Technical Note : Configuration example of Policy Based Routing and VIP for SMTP services in Dual Wan scenario".
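One way to verify step 4 against a configuration backup is to parse the firewall policy block and list every accepting, SMTP-capable policy that has no UTM profile applied. This is an added example, not Fortinet's own tooling; the sample configuration is constructed, and the IPS sensor name "exchange_ips" is a hypothetical placeholder.

```python
import shlex

# Constructed sample (not from the article): policy 2 accepts inbound SMTP to
# the VIP without UTM; policy 3 has profiles applied ("exchange_ips" is hypothetical).
SAMPLE = """
config firewall policy
    edit 2
        set dstaddr "VIP_SMTP"
        set action accept
        set service "SMTP"
    next
    edit 3
        set action accept
        set service "ANY"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "exchange_ips"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {option: [values]}} for each 'edit' entry."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # blank lines match no keyword
        if tok[0] == "edit":
            current = policies.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[0] == "next":
            current = None
    return policies

def audit_smtp_policies(policies):
    """List (policy_id, finding) for accepting SMTP-capable policies lacking UTM."""
    findings = []
    for pid, opt in policies.items():
        if opt.get("action") != ["accept"]:
            continue  # without 'set action accept' the policy denies traffic
        if not {"SMTP", "ANY", "ALL"} & set(opt.get("service", [])):
            continue  # policy cannot carry SMTP
        if opt.get("utm-status") != ["enable"]:
            findings.append((pid, "utm-status not enabled"))
        findings += [(pid, f"{k} not set") for k in ("av-profile", "ips-sensor") if k not in opt]
    return findings

if __name__ == "__main__":
    print(audit_smtp_policies(parse_policies(SAMPLE)))
```

Run against the sample, only policy 2 is reported, because it accepts SMTP with no antivirus profile or IPS sensor attached.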
Related Articles
Technical Note : Configuration example of Policy Based Routing and VIP for SMTP services in Dual Wan...