Email Security 9.0 MSP Deployment Guide

Using Multi-Tenancy with Email Security

Multi-Tenancy features allow for a single instance of software to run on a server and serve multiple groups of users, or tenants. The following sections provide information for deploying the Multi-Tenancy functionality for Email Security.

Pre-configuration caveats

The following caveats should be considered when setting up Multi-Tenancy with your Email Security solution:

Each tenant has both Inbound and Outbound email filtered by the Email Security solution.
The tenant has modified the MX record to point to the public IP, where the SonicWall Email Security appliance can be reached. Note that this is typically not the same IP address where the Exchange server is located.
The local Exchange server has the Email Security IP address as a smart host in the Send Connector section. The image below shows how to navigate to the ESMT Send Connector page.

To integrate Active Directory (AD) with the hosting Email Security solution, a VPN tunnel must be set up between the sites, or an Inbound Firewall rule for TCP port 389 or port 636 must be configured. The image below shows how to set the rule on a SonicWall network security appliance between two zones:

NOTE: When the source IP is a public IP, an inbound NAT Policy must be created on the SonicWall network security appliance. Refer to the following KB article for more information: https://support.sonicwall.com/kb/sw7979

When deploying your Email Security solution, the basic Host Configuration information may be changed from the default IP address (192.168.168.169). Navigate to the System > Host Configuration page to configure your Network Settings. This procedure is applicable to all Email Security deployments.

Adding an Organizational Unit (OU)

To add a tenant, or Organizational Unit:
1. Navigate to the Users, Groups & Organizations > Organizations page on your SonicWall Email Security solution.
2. Click the Add Organization button.
3. Enter a name for the Organization Admin Login ID.
4. Enter a password for the Organization Admin Password.
5. Enter the Domain(s) associated with the tenant.
   NOTE: Adding multiple domains under one Organization allows you to manage multi-tenancy.
6. Click Add.
7. A warning message displays regarding domains per-user data migration. Click OK to finish adding an OU.

Setting up Active Directory on the OU

To set up Active Directory (AD) on the OU:
1. On the Users, Groups & Organizations > Organizations page, click the Sign In icon of the OU you wish to configure.
2. Once logged in as the OU Admin, navigate to the System > LDAP Configuration page.
3. Click Add Server.
4. Enter a Friendly Name or keep the default provided.
5. Enter the LDAP IP address in the Primary Server name or IP address field.
6. Enter the LDAP Port Number or keep the default provided.
7. Select Active Directory as the LDAP server type.
8. For The LDAP login method is via, select Login.
9. Enter a Login Name to log into the domain. This can be a regular domain user.
10. Enter the Password for this user.
11. Click the Test LDAP Login button to verify this user is able to successfully log in to the LDAP server.
12. Click Save Changes to finish setting up AD.

Configuring Inbound Email

To configure the Inbound Email path:
1. On the Users, Groups & Organizations > Organizations page, log in as the OU Administrator.
2. Navigate to the System > Network Architecture > Server Configuration page.
3. With All in One selected, click the Add Path button. If you are editing an existing path, click the Edit Path button.
4. In the Source IP Contacting Path section, select Any source IP address is allowed to connect to this path, but relaying is allowed only for emails sent to one of these domains and enter the domains for the tenants.
   NOTE: SonicWall recommends listing all the domains that will be filtered through the Email Security solution.
5. In the MTA section, select This is an MTA. Route email using MX record routing with these exceptions and list the IP address(es) or hostname(s) that send the messages to the tenants.

Configuring Outbound Email

To configure the Outbound Email path:
1. On the Users, Groups & Organizations > Organizations page, log in as the OU Administrator.
2. Navigate to the System > Network Architecture > Server Configuration page.
3. With All in One selected, scroll down to the Outbound Email Flow section.
4. Click the Add Path button. If you are editing an existing path, click the Edit Path button.
5. In the Source IP Contacting Path section, select Only these IP addresses/FQDNs can connect and relay through this path and enter the IP addresses that connect to the Email Security solution.
6. In the MTA section, select This is an MTA. Route email using MX record routing. Queue email if necessary.
7. Click Apply to finish configuring the Outbound Email path.
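
The relay rules selected in the inbound and outbound path procedures above, modeled as an added Python example (not SonicWall code and not part of the original guide), with a check that flags an outbound allow-list broad enough to act as an open relay. The tenant domains, IP addresses, function names, exact-match domain comparison, CIDR support and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed tenant settings (not from the guide): example domains, documentation-range IPs.
INBOUND_RELAY_DOMAINS = {"tenant-a.example", "tenant-b.example"}
OUTBOUND_ALLOWED_SOURCES = ["203.0.113.10", "198.51.100.0/28"]


def _networks(entries):
    """Parse allow-list entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def inbound_accepts(rcpt, relay_domains=INBOUND_RELAY_DOMAINS):
    """Inbound path: any source may connect; relay only to listed tenant domains."""
    local, sep, domain = rcpt.rpartition("@")
    if not sep or not local:
        return False
    # Assumption: exact, case-insensitive domain match (subdomains are not implied).
    return domain.rstrip(".").lower() in {d.lower() for d in relay_domains}


def outbound_accepts(source_ip, allowed=OUTBOUND_ALLOWED_SOURCES):
    """Outbound path: only listed source addresses may connect and relay."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in _networks(allowed))


def audit_outbound(allowed_sources):
    """Return findings for allow-list entries that make the outbound path too permissive."""
    findings = []
    for net in _networks(allowed_sources):
        if net.prefixlen == 0:
            findings.append(f"{net} lets any host relay (open relay)")
        elif net.num_addresses > 256:  # threshold is an arbitrary illustrative choice
            findings.append(f"{net} covers {net.num_addresses} addresses")
    return findings
```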