Installing Email Security Software on Exchange Server

03/26/2020 5 10067

DESCRIPTION:

This article goes through the steps of installing SonicWall Email Security Software on an Exchange server. This is not a recommended configuration.

RESOLUTION:

CAUTION: Installing ES Software on an Exchange server is not recommended

CAUTION: Exchange uses all available resources and may impact Email Security performance.

CAUTION: Email Security Software initiates constant disk input/output and may affect overall server performance.

CAUTION: Troubleshooting Email Security may require rebooting the server.

CAUTION: Java can never be updated once the Email Security Software has been installed.

On Exchange, configure a receive connector to listen on port 25 to allow Exchange to receive email messages from the Email Security Software. 

On Exchange, configure a send connector to smarthost to port 2525 to allow Exchange to send email messages back to the Email Security Software.

NOTE: For Exchange 2016, follow this link for instructions on configuring an alternate port

 https://www.authsmtp.com/exchange-2016/exchange2016_alternative_port.html

On the Firewall, configure 2 NAT policies

1. Inbound NAT policy to translate port 25 to port 2525 and push to a dual natured server.
2. Outbound NAT policy to translate port 2525 to port 25 (may not be needed).

Disable User Access Control on the Windows server.

NOTE: If using Windows 2016, disabling UAC requires a registry edit.

http://original-network.com/script-to-disable-uac-server-on-windows-server-2016/

Disable all AV and endpoint security (firewall, AV, anti-malware, anything that does scanning).

Uninstall all Java.

Reboot the server.

Install software as administrator.

For the inbound path, configure SES to listen on port 2525, and to forward on email to port 25.

                Set a different name for 220 banner on the inbound listener to help in diagnosing issues.

For the outbound path, configure SES to listen on port 2525 on it’s own IP and to use mx routing for sending.

Configure HTTP access to port 8088 and HTTPS to 4553 on the server.  This will allow access without interfering with normal exchange traffic by using unregistered but similar ports.

NOTE: If you have AV software, the entire sonicwallES folder must be excluded from any form of virus scanning.

NOTE: If you have any firewall software, make sure that traffic to DMZ, LAN or where SES is located allows for 2525, 4553, and 8088 connections.