NAT and Email appliance
djhurt1
Enthusiast ✭✭
We had the SW email security appliance installed recently and it is working fine. I think I understand the basics of how this is working but I'm unclear on one area. I see a NAT rule for incoming packets from WAN to be forwarded to the email security appliance based on a "service" group. Currently the port assigned to the email appliance, HTTPS, SMTP, and PPTP are assigned to this group. Our mail server and email security appliance are both behind the same WAN IP. I understand the appliance is forwarding email to our mail server (Exchange). What I don't get is how do we access the webmail/OWA successfully when it's an HTTPS request as well, since all HTTPS packets will be forwarded to the SW email security appliance's internal address?
 
             
            
Answers
Hi @djhurt1
you should only forward SMTP to your E-Mail Appliance, that's all that's needed. Except you wanna grant HTTPS for accessing the Junkbox from the outside? In that case you should use a different port for that to avoid conflict with your OWA.
--Michael@BWC
@BWC
You read my mind. I need to figure out a way for users to access the junkbox from the net (external). I'm curious how OWA is working now though. Currently we have the appliance host name set to its internal IP. Of course that means nobody can access the junk box when accessing OWA externally. I wanted to be clear, you don't see any reason at all that HTTPS should be forwarded to the email appliance then? If that's the case that'd be a pretty easy fix.
Hi @DJHURT1,
The junk box would be accessed on a different port such as 10443. You should be able to check this in the Junk Box Summary page in the Anti-Spam section of the SonicWall GUI.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @djhurt1
if your users don't need to access the Junkbox from the public Internet then no additional Rules are necessary. My rule of thumb: every service that is not exposed to the outside is one less hassle.
Otherwise, as mentioned by @Saravanan, on Manage -> System Setup -> Junk Box -> Summary Notifications you can specify a URL for the User View, like https://mail.mydomain.de:10443 which could be a NAT to Port 443 on your ESA. You have to make sure that the hostname can be resolved in the Internet and internally and that the NAT Rule is working from WAN to DMZ and LAN to DMZ as well.
--Michael@BWC
This next question is a little out of the scope of this forum. We currently have a rule where a port is NAT'd to the email appliance and a few others to the mail server. I'm thinking since we're specifying the port in the URL, I can put our current mail server URL with port number in the summary notification URL. This in theory should point the external users to our external IP, then the firewall would forward that port to the SW Email appliance. Would anyone disagree with this?
Hi @djhurt1
if you put, let's say, https://mail.mydomain.tld:1443 in the mail summary as the URL, you have to have a NAT rule and two access rules.
As long as your URL for the mail server is pointing to X1 IP, like in my example, you're golden with recycling the IP on different ports.
Is this what you're looking for?
--Michael@BWC
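The port-reuse layout discussed above, modelled as an added example that is not part of the original thread or SonicWall's own tooling: a small checker that flags two forwards claiming the same public IP and port, and shows which internal host a given URL would land on. The addresses, rule names, rule order and first-match-wins behaviour are assumptions made for illustration.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

class Forward(NamedTuple):
    name: str
    public_ip: str
    public_port: int
    target_ip: str
    target_port: int

# Constructed sample addresses (documentation/private ranges), not from the thread.
WAN, ESA, EXCHANGE = "203.0.113.10", "192.168.10.5", "192.168.10.6"
DNS = {"mail.mydomain.tld": WAN}  # must resolve the same way inside and outside

# Layout from the original question: HTTPS forwarded to the appliance.
BEFORE = [
    Forward("esa-smtp", WAN, 25, ESA, 25),
    Forward("esa-https", WAN, 443, ESA, 443),
    Forward("owa-https", WAN, 443, EXCHANGE, 443),
]
# Layout suggested in the replies: junk box moved to its own public port.
AFTER = [
    Forward("esa-smtp", WAN, 25, ESA, 25),
    Forward("owa-https", WAN, 443, EXCHANGE, 443),
    Forward("esa-junkbox", WAN, 1443, ESA, 443),
]

def shadowed(rules):
    """Pairs (winner, loser) claiming one public IP:port for different targets."""
    first_for, conflicts = {}, []
    for rule in rules:
        first = first_for.setdefault((rule.public_ip, rule.public_port), rule)
        if first[3:] != rule[3:]:  # compare (target_ip, target_port)
            conflicts.append((first.name, rule.name))
    return conflicts

def landing(url, dns, rules) -> Optional[Forward]:
    """Rule that a request for `url` hits, assuming first match wins."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}[parts.scheme]
    key = (dns[parts.hostname], port)
    return next((r for r in rules if (r.public_ip, r.public_port) == key), None)

if __name__ == "__main__":
    print("before:", shadowed(BEFORE))
    print("after: ", shadowed(AFTER))
    print(landing("https://mail.mydomain.tld:1443", DNS, AFTER))
```
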
@BWC
I think so. We're on the phone with our vendor going over this option now. The vendor however suspects the URL specified at Manage -> System Setup -> Junk Box -> Summary Notifications doesn't really do anything. I just want to make sure that we CAN specify our public domain name with port number in that field and it will in fact provide THAT URL to users in the junk notification email?
Hi @djhurt1
I checked real quick for you and the port is indeed part of the URL in the Summary Report. Was just in time for the hourly report :)
--Michael@BWC
@BWC
I think we're 90% there on this project and I'm thankful for your help thus far. Our MX record points to the email security appliance, e.g. mail.mydomain.org. I've set an A record for snwl.mydomain.org. I can successfully get the appliance login screen publicly so I think all I need is to set the summary URL, mentioned earlier, to snwl.mydomain.org. I just wanted to confirm changing the summary URL will not change anything on the host name of the email appliance.
Hi @djhurt1
setting the summary URL will not interfere with your hostname (HELO) whatsoever :)
--Michael@BWC
I have this set up now; however, I want to do a real-time test. However, I can't get an email to trigger as spam and generate a junk box summary to myself. I've tried everything from forwarding spam emails from another account, foul language all over the email, even porn lol. Any suggestions how to do this with SonicWall email security appliance? We just had this installed so I'm not very familiar with it at all yet.
Hi @djhurt1
if you need something in your Junk Box real quick, I would take the Filter approach. Just send an e-Mail from your private account for example and have it stored in Junk.
--Michael@BWC