McAfee MSA-3400-SWGI Installation Guide - Page 19

Firewall rules specific to Lotus Notes, Firewall rules specific to Microsoft Exchange



To implement a DMZ configuration using a proprietary mail gateway, add the scanning device to the DMZ on the SMTP side of the gateway.

Figure 8: Protecting a mail gateway in DMZ

In this situation, configure:

• The public MX records to instruct external mail servers to send all inbound mail to the device (instead of the gateway).
• The device to forward all inbound mail to the mail gateway, and deliver all outbound mail using DNS or an external relay.
• The mail gateway to forward all inbound mail to the internal mail servers and all other (outbound) mail to the device.
• The firewall to allow inbound mail that is destined for the device only.

NOTE: Firewalls configured to use Network Address Translation (NAT), and that redirect inbound mail to internal mail servers, do not need their public MX records reconfigured. This is because they are directing traffic to the firewall rather than the mail gateway itself. In this case, the firewall must instead be reconfigured to direct inbound mail requests to the device.
Firewall rules specific to Lotus Notes

By default, Lotus Notes servers communicate over TCP port 1352. The firewall rules typically used to secure Notes servers in a DMZ allow the following through the firewall:

• Inbound SMTP requests (TCP port 25) originating from the Internet and destined for the device.
• TCP port 1352 requests originating from the Notes gateway and destined for an internal Notes server.
• TCP port 1352 requests originating from an internal Notes server and destined for the Notes gateway.
• SMTP requests originating from the device and destined for the Internet.

All other SMTP and TCP port 1352 requests are denied.
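The four Notes rules above amount to a default-deny allowlist: two SMTP flows that only touch the device, two port 1352 flows between the Notes gateway and the internal Notes servers, and nothing else. The following is an added example (not code from the McAfee guide) that encodes that policy as a checkable function, runs a few constructed sample flows through it so the deny cases are visible, and renders an equivalent nftables ruleset. The device, gateway and internal addresses are assumed placeholders, and the nftables rendering is one possible translation, not anything the guide prescribes.

```python
"""Default-deny firewall policy for a Lotus Notes gateway in a DMZ.

Added example, not from the McAfee installation guide. Addresses below are
assumed placeholders; only the rule logic follows the guide's list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (placeholders, not taken from the guide).
DEVICE = ip_address("203.0.113.10")          # scanning device in the DMZ
NOTES_GATEWAY = ip_address("192.168.100.5")  # Lotus Notes gateway in the DMZ
INTERNAL_NOTES = ip_network("10.0.0.0/8")    # internal Notes servers

SMTP = 25
NOTES_RPC = 1352  # Lotus Notes default port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _internal(addr) -> bool:
    return addr in INTERNAL_NOTES


def _internet(addr) -> bool:
    # Anything that is neither internal nor one of the two DMZ hosts is
    # treated as the Internet for policy purposes.
    return not (_internal(addr) or addr in (DEVICE, NOTES_GATEWAY))


def allow(flow: Flow) -> bool:
    """Return True only for the four flows the guide allows through the firewall."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.proto != "tcp":
        return False
    # Rule 1: inbound SMTP from the Internet, destined for the device only.
    if flow.dport == SMTP and _internet(src) and dst == DEVICE:
        return True
    # Rule 2: port 1352 from the Notes gateway to an internal Notes server.
    if flow.dport == NOTES_RPC and src == NOTES_GATEWAY and _internal(dst):
        return True
    # Rule 3: port 1352 from an internal Notes server to the Notes gateway.
    if flow.dport == NOTES_RPC and _internal(src) and dst == NOTES_GATEWAY:
        return True
    # Rule 4: outbound SMTP from the device to the Internet.
    if flow.dport == SMTP and src == DEVICE and _internet(dst):
        return True
    # Everything else, including other SMTP and other port 1352 traffic, is denied.
    return False


# Constructed sample flows (the Internet hosts are documentation addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 25),        # Internet -> device SMTP: allow
    Flow("198.51.100.7", "10.0.0.20", 25),           # Internet -> internal SMTP: deny
    Flow("192.168.100.5", "10.0.0.20", 1352),        # gateway -> internal Notes: allow
    Flow("10.0.0.20", "192.168.100.5", 1352),        # internal Notes -> gateway: allow
    Flow("198.51.100.7", "192.168.100.5", 1352),     # Internet -> gateway 1352: deny
    Flow("203.0.113.10", "198.51.100.7", 25),        # device -> Internet SMTP: allow
    Flow("10.0.0.20", "198.51.100.7", 25),           # internal -> Internet SMTP: deny
    Flow("203.0.113.10", "198.51.100.7", 25, "udp"), # non-TCP: deny
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return a list of (flow, verdict) pairs."""
    return [(f, "allow" if allow(f) else "deny") for f in flows]


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward chain (one possible translation)."""
    dmz_or_internal = f"{{ {INTERNAL_NOTES}, {NOTES_GATEWAY} }}"
    lines = [
        "table inet dmz_mail {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr != {dmz_or_internal} ip daddr {DEVICE} tcp dport {SMTP} accept",
        f"    ip saddr {NOTES_GATEWAY} ip daddr {INTERNAL_NOTES} tcp dport {NOTES_RPC} accept",
        f"    ip saddr {INTERNAL_NOTES} ip daddr {NOTES_GATEWAY} tcp dport {NOTES_RPC} accept",
        f"    ip saddr {DEVICE} ip daddr != {dmz_or_internal} tcp dport {SMTP} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{verdict:5} {flow.proto}/{flow.dport} {flow.src} -> {flow.dst}")
    print(nftables_ruleset())
```

The point of writing the policy as a function is that the deny cases become testable: an internal server relaying SMTP directly to the Internet, or an Internet host reaching port 1352 on the gateway, both come back as "deny" without anyone having to read the rule table by hand. The nftables output keeps the same shape (drop by default, four accepts) so it can be diffed against what is actually loaded on the firewall.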
Firewall rules specific to Microsoft Exchange

A Microsoft Exchange-based mail system requires a significant workaround.
Pre-installation: Deployment Strategies for Using the device in a DMZ
McAfee Email and Web Security Appliance 5.5 Installation Guide, page 19