Email Security: SonicWall Email Security Deployment Firewall considerations.
12/20/2019
DESCRIPTION:
Email Security: SonicWall Email Security Deployment Firewall considerations.
RESOLUTION:
SonicWall Email Security Deployment Firewall considerations.
Before placing your SES Server into a production environment, it is imperative that your Firewall is configured to support the Server and its traffic. Generally speaking, you will need to allow access through your Firewall to the appropriate zone or interface for TCP ports 25, 80 and/or 443, depending on your needs. This section takes an in-depth look at the many different configuration options that support your SES deployment across several Firewall vendors, including SonicWall, Microsoft and Cisco.
We will not go into great depth on configuring these Firewall products, as each has its own configuration documentation available from the vendor's website. However, we will discuss the potential caveats to be aware of, the critical configuration settings and options, and the best practices for configuring these products to integrate with your SonicWall Email Security Server.
As stated above, you will first need to determine what traffic you will allow through your Firewall to your SES Server. If you intend to allow end users to access the WebUI to log in and manage their own junk email, or the administrator to manage the WebUI remotely via a Public IP or FQDN, you will need to allow inbound traffic through the Firewall to the SES Server over TCP port 80, or TCP port 443 for SSL-secured traffic.
On this note, if you have a Cisco PIX/ASA firewall, you will want to disable the HTTP fixup protocol to avoid potential problems not only with the WebUI but also with the regular updates the SES performs for Thumbprint Databases, AV DAT files, etc.
When a Microsoft ISA Server is on the perimeter and the SES is configured to handle all outbound email via a SmartHost setting on the Exchange back-end mail server, the following applies.
First, the SES Appliance or Windows Server MUST be configured as a Secure-NAT client of the ISA Server. This means the Default Gateway configured on the SES MUST point directly to the ISA Server and not to another router or Firewall on the way to the ISA Server. The ISA Firewall Client on the Email Security Windows Server will not work, nor can you install the ISA Firewall Client on the SES Appliance. Even if the client has a routed internal network, the SES Server cannot point to the router as its Default Gateway because of how ISA handles Secure-NAT connections.
Ensure that the SES Server has Layer 3 connectivity to the ISA Server via ICMP Echo Reply packets (most internally routed networks have defined routes that allow Layer 3 traffic from one segment to another). If the SES Server can ping the ISA Server, simply configure the SES to use the ISA Server as its Default Gateway.
If this is not done, ANY and ALL ACLs (access rules) or Server Publishing Rules created on the ISA Server will seem to have no effect (the SES will not be able to send TCP port 25 traffic out) until the SES is a Secure-NAT client of the ISA Server.
With any Firewall, whether SonicWall, Microsoft, Cisco or any other, you will want to ensure that you exclude the IP address of the SES Server from all perimeter Security Services. This includes GAV, CAV, IPS, Content Filtering and any others. This avoids potential problems in downloading updates for all needed services on the SES Server. If you are running a Cisco PIX/ASA, you will also want to disable the SMTP fixup protocol to avoid excessive outbound connections when performing updates.
SonicWall also recommends restricting outbound SMTP traffic at the firewall to the IP address(es) of your SES Server only. This prevents a host that has been compromised by a bot, mass-mailing worm, etc., from sending outbound mail through your firewall and possibly causing the Public IP address of your Firewall to be blacklisted.
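The egress restriction above, expressed as a small first-match rule table and an audit over constructed connection records, as an added illustration that is not part of this article or of any SonicWall product; the SES address, the LAN range and the sample flows are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed egress policy in the spirit of the recommendation above: only the SES
# may open TCP/25 to the WAN; every other LAN host is denied (and logged).
# First matching rule wins, mirroring how firewall rule tables are evaluated.
SES_SERVER = "192.168.1.25"                     # assumed internal address of the SES
EGRESS_RULES = [
    {"name": "allow-ses-smtp-out", "src": SES_SERVER + "/32", "dport": 25, "action": "allow"},
    {"name": "deny-lan-smtp-out",  "src": "192.168.0.0/16",   "dport": 25, "action": "deny"},
]

def egress_decision(src_ip, dport, rules=EGRESS_RULES):
    """Return the (rule name, action) that governs an outbound TCP connection."""
    for rule in rules:
        if ip_address(src_ip) in ip_network(rule["src"]) and dport == rule["dport"]:
            return rule["name"], rule["action"]
    return "default", "allow"          # non-SMTP traffic is outside this policy's scope

def audit_flows(flows, rules=EGRESS_RULES):
    """Count denied SMTP attempts per source host. A non-SES host with many hits is the
    'compromised host / mass-mailing worm' symptom this policy exists to contain."""
    denied = {}
    for src, dport in flows:
        _, action = egress_decision(src, dport, rules)
        if action == "deny":
            denied[src] = denied.get(src, 0) + 1
    return denied

# Constructed sample of outbound (source IP, destination port) attempts seen at the firewall.
SAMPLE_FLOWS = [
    ("192.168.1.25", 25), ("192.168.1.25", 25),   # SES delivering mail: allowed
    ("192.168.1.77", 443),                        # workstation HTTPS: not SMTP, allowed
    ("192.168.1.77", 25), ("192.168.1.77", 25), ("192.168.1.77", 25),  # workstation SMTP: denied
]

if __name__ == "__main__":
    print(egress_decision("192.168.1.25", 25))   # ('allow-ses-smtp-out', 'allow')
    print(audit_flows(SAMPLE_FLOWS))             # {'192.168.1.77': 3}
```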
On that note, you will want to ensure that whatever IP address is going to be used for the SES Server, whether via a One-to-One NAT statement or Port Forwarding in your firewall, is not currently blacklisted, by visiting www.mxtoolbox.com and performing a check against that IP address.
If the Public IP address of the SES Server is, or becomes, blacklisted, you will almost immediately notice that you can receive email from many domains, including AOL, Comcast, ATT, SBCglobal and others, but all outbound email destined for those domains from your SES will be bounced back to you with an NDR that usually states that your IP address has been blacklisted.
You may also notice this symptom if you do not have a PTR (Reverse Pointer) DNS record created at your ISP for your domain's SES Server Public IP address. This can also be verified using the suite of tools provided free of charge by www.mxtoolbox.com.
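The two checks described above (blacklist status and the PTR record) as a pre-flight script. This is an added example, not the article's own material and not an mxtoolbox tool; it resolves against a constructed in-memory DNS table, and the DNSBL zone dnsbl.example and the addresses are placeholders. Replacing lookup() with real resolver calls runs the same checks against live DNS.

```python
import ipaddress

# Constructed sample DNS data standing in for a live resolver (not real records).
# Keys are (query name, record type); values are the answers a resolver would return.
SAMPLE_DNS = {
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("26.113.0.203.in-addr.arpa", "PTR"): [],              # no PTR created at the ISP
    ("26.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],   # listed on the placeholder DNSBL
}

def lookup(name, rtype, dns=SAMPLE_DNS):
    """Stand-in resolver: swap for socket/dnspython calls to query live DNS."""
    return dns.get((name, rtype), [])

def dnsbl_name(ip, zone):
    """Build a DNSBL query name: the IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_blacklisted(ip, zone, dns=SAMPLE_DNS):
    """DNSBLs answer 127.0.0.x for listed addresses and nothing (NXDOMAIN) otherwise."""
    return any(a.startswith("127.0.0.") for a in lookup(dnsbl_name(ip, zone), "A", dns))

def check_reverse_dns(ip, expected_host, dns=SAMPLE_DNS):
    """Forward-confirmed reverse DNS: a PTR must exist, match the mail host name,
    and that name must resolve back to the same address."""
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR", dns)
    if not ptrs:
        return "no PTR record"
    host = ptrs[0].rstrip(".")
    if host.lower() != expected_host.lower():
        return f"PTR is {host}, expected {expected_host}"
    if ip not in lookup(host, "A", dns):
        return f"{host} does not resolve back to {ip}"
    return "ok"

def preflight(ip, expected_host, zone="dnsbl.example", dns=SAMPLE_DNS):
    """Summarise the checks to run before pointing NAT / MX records at this address."""
    return {"ip": ip,
            "reverse_dns": check_reverse_dns(ip, expected_host, dns),
            "blacklisted": is_blacklisted(ip, zone, dns)}

if __name__ == "__main__":
    for candidate in ("203.0.113.25", "203.0.113.26"):
        print(preflight(candidate, "mail.example.com"))
```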
SonicWall also recommends that, if feasible, your SES Server reside on the DMZ of your Firewall as a Bastion Host to further enhance the overall security of your network. The SES Server can be placed behind the same Firewall interface as your email clients and function properly, but from a Defense in Depth standpoint, segregating your Email Security Server from your actual client machines allows for much more granular security when it comes time to create the Access Rules on your Firewall.
Once all of the aforementioned items have been successfully completed in relation to DNS and your Firewall, you may consider how you wish to deploy your SonicWall Email Security solution into your existing production environment.