firewall access with necessary ports on inbound and outbound

D_wathi asked:
Dear Experts

We have an application server (a web-based CRM system) running on Windows 2012 R2, deployed on premises behind the firewall. We have to configure the CRM application to send mails to customers through an Office 365 email account, so the network team has provided access only to smtp.office365.com on port 587 and denied all other outbound or inbound access, i.e. no HTTP or HTTPS access for this system.
1. The CRM application is not able to send mails when HTTP/HTTPS is disabled for this system. Through the CRM workflows we are able to send the mails out only when HTTP and HTTPS are allowed for this system at the firewall.
2. We are not able to convince the network team; they say "we allowed outbound to smtp.office365.com on 587, the issue would be at the application side", and they are asking for an explanation of why HTTP/HTTPS is required.
Can you please help me understand which ports or access need to be enabled at the firewall for this system/server, in addition to smtp.office365.com and port 587, for INBOUND and OUTBOUND, so that we can communicate this to the network team?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Sending mail from your CRM application using an O365 email ID doesn't require HTTP and HTTPS access to the outside world.

Email SMTP communicates with the SMTP server on port 587, which is already allowed by your network team.

As you are using SMTP for sending emails, it doesn't require ports 80 and 443 to be open.

Here is the config doc on SuiteCRM:

https://community.sugarcrm.com/thread/23638

Author

Commented:
Thank you very much for the reply. When access to the outside world is provided, the CRM system sends out mails, but when we stop it, the mails also stop. We are able to telnet from this system and connect to smtp.office365.com on port 587. Is there any handshake that has to happen between this system and the Office 365 SMTP servers, and is it failing due to this? Can you help with steps to investigate, please?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
As you are confused about the handshake with the SMTP server: how is it dependent on the web server ports 80 and 443?

Author

Commented:
Thanks for the reply. Yes, the network team wanted to keep outbound access limited to smtp.office365.com on port 587 and close all other access. The issue we face is that when HTTPS is allowed it works, else it does not. I think the netstat output may help.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Can you try sending an email via telnet using the above link?

Author

Commented:
Yes, through telnet we are able to connect and also able to send and receive mail. Do you suggest the Windows Server firewall has something to do here? Should we disable it and see?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
I hope you are performing the telnet (for send/receive) from the Windows server. If that's the case it is not a problem with the firewall. If you want, you can disable the Windows firewall itself.

Author

Commented:
Thanks, let me dig a little more and look at the logs, and I will post. Thank you so much.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018
Commented:
Are you sure you are using TLS?

If not, try with port 465. Tell your NW team to allow 465 and check.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Are there any errors in the SugarCRM logs?

If so, post them here.

Author

Commented:
The following settings were used:
Account Type: IMAP
Incoming mail server: outlook.office365.com
Outgoing mail server (SMTP): smtp.office365.com
Outgoing Server (SMTP) requires authentication: YES
Ports:
Incoming Server (IMAP) over SSL: 993
Outgoing Server (SMTP) over TLS: 587
Attachment: 27sugarcrmlog.txt
Top Expert 2016
Commented:
Account Type: IMAP
Incoming mail server: outlook.office365.com
Outgoing mail server (SMTP): smtp.office365.com
Outgoing Server (SMTP) requires authentication: YES
Ports:
Incoming Server (IMAP) over SSL: 993
Outgoing Server (SMTP) over TLS: 587

Why don't you do a capture of the packets and see where it fails.
Unfortunately I can't test this using the trial.

Author

Commented:
Thanks for the reply. On Linux I can use tcpdump; can you please suggest which tool to use on Windows 2012 R2 to capture the packets?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:

Author

Commented:
Now, by configuring the email settings in the CRM system, we are able to send email to the Office 365 SMTP relay server (Outlook protection), but through the process definitions (the replacement for workflows) emails are not getting delivered. This works based on the Task Scheduler. Does the Task Scheduler user need to be part of the local admin group / a domain group, or of some group on IIS or the Office 365 relay server? Please suggest.

Author

Commented:
I am back for your help. When we tested with TCPView as well as the netstat command we could see the connection getting ESTABLISHED, but packets are not flowing. To be more clear: the CRM system workflow triggers emails to the prospect's email address via the SMTP server, with an email account without a password (that is, without authentication, as it is a relay server hosted locally), as and when the status of the prospect changes; any time the status changes, an email is to be sent to the prospect through the workflow. We could see the connection to the email server getting established but no packets sent/received, but through telnet we can send and receive mails with the FROM and TO email commands. Can you help with where things are going wrong?

Author

Commented:
We are using the Office 365 SMTP relay to send mails to external users through the CRM application, i.e. option 3 in the following URL:
https://support.office.com/en-us/article/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4
Important observation
1. We observed that the CRM system workflow triggers emails when port 80 is opened for the CRM system at the gateway/firewall level; the CRM system gets connected to the internet and connects to crl.globalsign.com, and from there it connects to the Office 365 SMTP server.
2. When we disable access to the external network, i.e. port 80 (HTTP) is blocked for the CRM system at the gateway/firewall, then emails do not flow.
3. When we only allowed the CRM system to talk to crl.globalsign.com, emails are getting triggered.
Can you please help me understand how this Office 365 setup is working when it is configured on the CRM system? Is it essential that the CRM system be allowed to talk to crl.globalsign.com? Please suggest.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
crl.globalsign.com is for checking the certificate revocation list.
Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

This is the new method of checking whether a certificate has expired or not.
For more info please see the link below:

https://www.techrunnr.com/certificate-revocation-crl-vs-ocsp/
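The observation above (mail flows only when the CRM host can reach crl.globalsign.com on port 80) is what certificate chain validation looks like from the firewall: when the SMTP session is upgraded with STARTTLS, the client validates the server certificate, and on Windows that validation fetches the CRL (or queries the OCSP responder) named inside the certificates in the chain. Telnet on port 587 never does STARTTLS, so it never triggers the fetch, which is why the telnet test passed while the application hung. The script below is an added diagnostic example written for this thread; it is not code from the original posts, from SugarCRM or from Microsoft. It connects to the SMTP server, performs STARTTLS, and lists every HTTP endpoint the presented certificate names for revocation checking, so the list can be handed to the network team as the outbound allow list. Hostnames such as smtp.office365.com are the thread's; the `SAMPLE_CERT` dictionary is a constructed stand-in (the `.invalid` names are placeholders) so the parsing can be exercised offline.

```python
"""List the CRL / OCSP / CA-issuer URLs a TLS client must reach to validate
an SMTP server's certificate. Added example for this thread, not project code."""
import smtplib
import ssl
from urllib.parse import urlparse

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the .invalid hostnames are placeholders, not real CA endpoints.
SAMPLE_CERT = {
    "subject": ((("commonName", "smtp.example.invalid"),),),
    "crlDistributionPoints": ("http://crl.example.invalid/leaf.crl",
                              "ldap://ldap.example.invalid/cn=leaf"),
    "OCSP": ("http://ocsp.example.invalid",),
    "caIssuers": ("http://secure.example.invalid/cacert.crt",),
}


def revocation_endpoints(cert):
    """Return sorted (scheme, host, port) tuples for every HTTP(S) URL in the
    certificate's CRL distribution points, OCSP responders and CA-issuer
    (AIA) fields. Non-HTTP distribution points (e.g. LDAP) are skipped
    because a CryptoAPI client behind an egress firewall fetches over HTTP."""
    endpoints = set()
    for key in ("crlDistributionPoints", "OCSP", "caIssuers"):
        for url in cert.get(key, ()):
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https") or not parsed.hostname:
                continue
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            endpoints.add((parsed.scheme, parsed.hostname, port))
    return sorted(endpoints)


def firewall_rules(endpoints):
    """Render the endpoints as outbound allow lines the network team can read."""
    return [f"allow tcp outbound to {host}:{port} ({scheme})"
            for scheme, host, port in endpoints]


def inspect_smtp_server(host="smtp.office365.com", port=587):
    """Open the SMTP session, upgrade it with STARTTLS and return the decoded
    leaf certificate. The default context validates the chain; Python's ssl
    does not fetch CRLs itself, but a Windows SChannel client at this same
    step does, which is the fetch the firewall has to allow."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    # Live run against the thread's server; requires outbound 587 (and the
    # resulting CRL/OCSP HTTP access) from the machine this runs on.
    leaf = inspect_smtp_server()
    for rule in firewall_rules(revocation_endpoints(leaf)):
        print(rule)
```

`getpeercert()` returns only the leaf certificate, and the intermediate CA certificate in the chain carries its own CRL distribution point, so treat the printed list as a lower bound and repeat the check for each certificate in the chain (or capture the HTTP requests the CRM host makes while it sends). Because the validating client is the Windows host, the CRM server's own trace will show the exact CRL hosts it contacts; the firewall rule set should allow those hosts on port 80 rather than opening general HTTP egress.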

Author

Commented:
Thanks for the reply. Allowing or blocking access to this URL should not make any difference to sending email to external users from the CRM system, and I am also aware that allowing HTTP or HTTPS outbound from the CRM system to the external network, i.e. the internet, has nothing to do with sending emails to the external network as long as the CRM system is able to connect to the SMTP server on the required ports. I also did not find any SMTP traffic logged in TCPView when the CRM system executed the workflow for the email triggers. TCPView or netstat should capture SMTP traffic if the CRM system is sending out mail to the SMTP server; is this correct?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Do you have endpoint security installed on your server or network?

Author

Commented:
It is installed on the network. The network team is not supporting us; can you please help me understand what needs to be done if it is installed on the network, and likewise what needs to be done if it is installed on the server, so that on this basis I can talk with them?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
It is very curious how email works when port 80 is allowed in the firewall.

If possible, and if you have Outlook on that system, please try to send and receive mail. I know this won't make any sense.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
Any new errors in the SugarCRM logs?
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:

Author

Commented:
Thank you so much for this link. In it, the following is mentioned in the last section:
"It should be noted that 3rd party certificate revocation will be required which is carried out normally anonymously on port 80 so any proxies/firewalls routing the traffic should expect this. Depending on your provider you may be able to get the CRL URL in advance but for Office 365 this is not as simple."

1. Does it mean port 80 has to be allowed for the CRM system?
2. It is also mentioned that for Office 365 this is not as simple.
Can you please help me understand this? Thank you.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018
Commented:
Even I'm not sure about this.
This is an assumption: at the time of sending email, the server and client exchange certificates, and at the same time there is communication with the CRL server for certificate validity checks with the certification authority, which is GlobalSign in your case. So I expect port 80 needs to be opened for the CRM system in the firewall.

I would like to conclude like this, as I don't have any other options or links to dig into.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
If possible, you can share the link with your network team for more understanding.

Author

Commented:
Yes, I have done that. Thank you very much.
