Watchguard Firewall, DMZ, DNS, and SMTP

Posted on 2006-10-30
Last Modified: 2013-11-16
I have a Watchguard III 700 firewall. This firewall is configured with a single computer as a DMZ server. This DMZ computer is used for SMTP virus scanning using McAfee Webshield. All email comes into the DMZ for scanning before being forwarded on to the Exchange server via Webshield DNS Lookup and Mail Relay. Works great. However, I am in the process of installing a new Exchange server. The new server has been configured for DNS and MS Exchange has been configured to relay the outgoing mail to the DMZ computer. Fully tested and all works fine. The new server has been added to the network infrastructure in the Watchguard firewall and also as a DNS server. The problem I have is that I am unable to "see" the new server from within Webshield via DNS or Mail Relay. There is an option to test the DNS server or Mail Relay from within the Webshield software and I'm not getting through. All I need to do is change the Webshield software to the new settings and my new Exchange server should be fully functional. Can anyone please provide any assistance with what else I need to configure in the firewall to enable the new server to be accessed? Thanks in advance.
Question by:nataliemartin
Expert Comment

by:hstiles
ID: 17849152
These should be the steps required.

Assuming you're running WFS 7.x

1) You need an outgoing DNS rule to allow the Exchange server (which is also DNS) to make external DNS requests. Your mail gateway should be configured to use your internal DNS server. So, the incoming tab of the DNS service will need to allow the SMTP gateway to talk to your Exchange server.

2) You need an incoming SMTP rule to allow any > your SMTP server in your DMZ. This will be a NATing rule. The outgoing tab of the same service will need to allow the DMZ SMTP server > ANY.

3) You need a second rule to allow your exchange server to SMTP to your DMZ SMTP gateway and vice versa.

Then, you need to configure a smarthost for your SMTP connector and you need to tell the McAfee box to relay mail for your internal domains to your Exchange server.
0
 

Author Comment

by:nataliemartin
ID: 17886945
Thanks hstiles for your input. I do have all these rules created, they were already there for the old Exchange server and it was simple to add the new Exchange/DNS server into the WFS. We are using version 7.2. I have also added the new DNS server to the DNS networking part of the optional SMTP gateway computer. The problem is still there in that from within the McAfee Webshield configuration, I am unable to input the new DNS server or mail relay. In that software, you can test a new DNS or Mail Relay and it always comes up as cannot find DNS server, etc. I have just configured a reverse lookup zone in the new Exchange server (which is also a DNS server) but still have the same problem. Any further thoughts?

Thanks

Natalie
0
Expert Comment

by:LBACIS
ID: 17888558
A) Flush the arp cache of the firewall
B) Open the rule config and press the following keys: CTRL + ALT + Spacebar (this will display the text of the config)
        1) Check to see if the any of the original references exist in the rulebase.
C) Reboot the firewall and whatever is connecting you to the internet router, dsl modem etc...

let me know
0

Author Comment

by:nataliemartin
ID: 17911312
Hi,

Would like to let you know that I have had success. After configuring the reverse DNS lookup zone on the new DNS/Exchange server, I had neglected to change the DNS IP address on the DMZ to the new DNS server. Once I had done this I was successfully able to test both DNS and mail relay from within Webshield. Fully implemented the new Exchange server for testing and everything is well. Thanks for your input.

Natalie
0
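A worked model of the policy this thread converges on, added here as an illustration and not part of any poster's comments or of WatchGuard's own configuration format (WFS rules are built in the Policy Manager GUI, so the rule names, dataclass and addresses below are all invented; the addresses are RFC 1918 and RFC 5737 placeholders). It encodes hstiles's three rule groups (DNS out from the Exchange/DNS host and DNS from the relay to it; inbound SMTP NATed to the DMZ relay plus relay-to-anywhere; relay and Exchange to each other on 25), LBACIS's suggestion to look for leftover references to the old server in the rule base, and the failure Natalie actually hit: every firewall rule correct, but the DMZ host's own resolver still pointing at the old DNS server, which is what WebShield's DNS and mail-relay tests depend on.

```python
"""Model of the DMZ mail-relay firewall policy discussed in this thread.

Constructed example: addresses are RFC 1918 / RFC 5737 placeholders and rule
names are invented. It checks which flows the policy must permit, flags rules
that still name a retired host, and reproduces the relay-side resolver mistake.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Assumed addressing (not from the thread).
TRUSTED_NET = IPv4Network("192.168.1.0/24")   # trusted LAN
DMZ_NET = IPv4Network("192.168.2.0/24")       # optional / DMZ network
OLD_EXCHANGE = IPv4Address("192.168.1.10")    # server being retired
NEW_EXCHANGE = IPv4Address("192.168.1.20")    # new Exchange, also internal DNS
RELAY = IPv4Address("192.168.2.5")            # McAfee WebShield SMTP gateway
PUBLIC_MX = IPv4Address("203.0.113.10")       # public address NATed to RELAY

# "Any" in the sense hstiles uses it: an address outside our own networks.
EXTERNAL = IPv4Network("0.0.0.0/0")


def host(ip: IPv4Address) -> IPv4Network:
    return IPv4Network(f"{ip}/32")


def is_external(ip: IPv4Address) -> bool:
    return ip not in TRUSTED_NET and ip not in DMZ_NET


def covers(scope: IPv4Network, ip: IPv4Address) -> bool:
    return is_external(ip) if scope == EXTERNAL else ip in scope


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network                      # destination as the packet arrives (pre-NAT)
    port: int
    proto: str = "tcp"
    nat_to: Optional[IPv4Address] = None  # static NAT target for incoming rules

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int, proto: str) -> bool:
        return (covers(self.src, src) and covers(self.dst, dst)
                and port == self.port and proto == self.proto)


# The rule base hstiles describes, plus one rule left behind from the migration.
RULES = [
    # 1) DNS: the internal DNS/Exchange host resolves externally; the relay queries it.
    Rule("dns-out", host(NEW_EXCHANGE), EXTERNAL, 53, "udp"),
    Rule("dns-relay-to-internal", host(RELAY), host(NEW_EXCHANGE), 53, "udp"),
    # 2) Inbound SMTP from the Internet, NATed to the DMZ relay; relay may send out.
    Rule("smtp-in", EXTERNAL, host(PUBLIC_MX), 25, nat_to=RELAY),
    Rule("smtp-out", host(RELAY), EXTERNAL, 25),
    # 3) Relay and Exchange talk SMTP to each other.
    Rule("smtp-relay-to-exchange", host(RELAY), host(NEW_EXCHANGE), 25),
    Rule("smtp-exchange-to-relay", host(NEW_EXCHANGE), host(RELAY), 25),
    # Stale: still names the retired server.
    Rule("smtp-old-exchange-to-relay", host(OLD_EXCHANGE), host(RELAY), 25),
]


def find_rule(src: IPv4Address, dst: IPv4Address, port: int,
              proto: str = "tcp", rules: List[Rule] = RULES) -> Optional[Rule]:
    """First rule permitting src -> dst:port (dst is the pre-NAT address)."""
    for r in rules:
        if r.matches(src, dst, port, proto):
            return r
    return None


def required_flows(exchange_dns: IPv4Address, relay: IPv4Address, public_mx: IPv4Address):
    """(description, src, dst, port, proto, expected post-NAT destination)."""
    internet_host = IPv4Address("198.51.100.7")
    internet_dns = IPv4Address("198.51.100.53")
    return [
        ("Exchange/DNS resolves external names", exchange_dns, internet_dns, 53, "udp", internet_dns),
        ("relay queries internal DNS", relay, exchange_dns, 53, "udp", exchange_dns),
        ("Internet delivers to public MX", internet_host, public_mx, 25, "tcp", relay),
        ("relay delivers outbound mail", relay, internet_host, 25, "tcp", internet_host),
        ("relay forwards inbound mail to Exchange", relay, exchange_dns, 25, "tcp", exchange_dns),
        ("Exchange smarthosts outbound mail to relay", exchange_dns, relay, 25, "tcp", relay),
    ]


def missing_flows(rules: List[Rule], exchange_dns: IPv4Address,
                  relay: IPv4Address, public_mx: IPv4Address) -> List[str]:
    """Required flows that no rule permits, or that NAT sends to the wrong host."""
    missing = []
    for desc, src, dst, port, proto, expect_at in required_flows(exchange_dns, relay, public_mx):
        r = find_rule(src, dst, port, proto, rules)
        if r is None or (r.nat_to or dst) != expect_at:
            missing.append(desc)
    return missing


def stale_rules(rules: List[Rule], retired: IPv4Address) -> List[str]:
    """Rules still naming a retired host (LBACIS's 'original references' check)."""
    return [r.name for r in rules
            if r.src == host(retired) or r.dst == host(retired) or r.nat_to == retired]


def relay_delivery_check(rules: List[Rule], relay_resolver: IPv4Address,
                         expected_dns: IPv4Address, relay: IPv4Address,
                         exchange: IPv4Address) -> Tuple[bool, str]:
    """What the gateway's DNS and mail-relay tests depend on: the relay host's
    own resolver setting, then the firewall passing DNS and SMTP."""
    if relay_resolver != expected_dns:
        return False, f"relay resolver is {relay_resolver}, expected {expected_dns}"
    if find_rule(relay, relay_resolver, 53, "udp", rules) is None:
        return False, "firewall does not pass DNS from relay to its resolver"
    if find_rule(relay, exchange, 25, "tcp", rules) is None:
        return False, "firewall does not pass SMTP from relay to Exchange"
    return True, "ok"


if __name__ == "__main__":
    print("missing flows:", missing_flows(RULES, NEW_EXCHANGE, RELAY, PUBLIC_MX))
    print("stale rules:", stale_rules(RULES, OLD_EXCHANGE))
    # The situation in the thread: rules fine, DMZ host still using the old DNS.
    print(relay_delivery_check(RULES, OLD_EXCHANGE, NEW_EXCHANGE, RELAY, NEW_EXCHANGE))
    print(relay_delivery_check(RULES, NEW_EXCHANGE, NEW_EXCHANGE, RELAY, NEW_EXCHANGE))
```

The point of splitting `missing_flows` from `relay_delivery_check` is the one this thread makes: a rule base can pass every required flow and the gateway's tests still fail, because the DMZ host's own resolver is a host setting the firewall never sees. Drop a rule from `RULES` (for example `dns-relay-to-internal`) and `missing_flows` names the flow that broke; keep the rules and hand `relay_delivery_check` the old server's address as the resolver and it reports the resolver, not the firewall.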
Expert Comment

by:LBACIS
ID: 17946174
Ok,

Hope my direction at least sparked the inspiration. Have a good one.
0
Accepted Solution

by:Computer101 (earned 0 total points)
ID: 18136454
PAQed with points refunded (125)

Computer101
EE Admin
0