Office 365 with Firebox SMTP-Proxy Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure the Firebox to filter emails before they reach the Office 365 Online Exchange Server.

Integration Summary

Firebox policy settings:

  • Incoming SMTP-proxy policy with a static NAT (SNAT) action
  • SNAT action settings:
      • Source IP address: Firebox external IP address
      • FQDN: <YourDomain>-com.mail.protection.outlook (supported in Fireware v12.2 and higher)
  • In the SMTP-proxy action, enable content inspection and security services

Configuration Requirements

To complete this integration, you must have:

  • Firebox that runs Fireware v12.7 or higher
  • Office 365 tenant

Configure Your Firebox for Office 365

On the Firebox, add an SMTP-proxy policy with a static NAT action, and enable content inspection in the proxy action.

Add a Static NAT

To add a static NAT:

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > SNAT.
  3. To add a new SNAT, click Add.
    The Add SNAT page opens.

  4. In the Name text box, type a name for the SNAT.
  5. Select Static NAT.
  6. Click Add.
    The Add Member dialog box opens.

  7. From the IP Address or Interface drop-down list, select External or select an external IP address.
  8. From the Choose Type drop-down list, select FQDN.
  9. In the Host text box, type your Office 365 MX record in the format: <YourDomain>-com.mail.protection.outlook.
  10. Select the Set Source IP check box and type your external IP address.
  11. Click OK.

Add an SMTP Proxy Action

Because you cannot edit predefined proxy actions, you must clone a proxy action to customize the configuration.

To add an SMTP proxy action:

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > Proxy Actions.
    The Proxy Actions page opens.

  3. Click SMTP-Incoming.Standard (Predefined). Click Clone.
  4. Type a Name for the proxy action.

  5. Select ESMTP > STARTTLS Encryption.

  6. Select the Enable STARTTLS with Content Inspection check box.
  7. Select ESMTP > Authentication.

  8. From the Action to take if no rule above is matched drop-down list, select Allow.
  9. Click Save.

Finalize Your Configuration

After you save the SMTP proxy with the SNAT to Office 365, you must update your email domain MX record to point to a host name that resolves to the Firebox external IP address.
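
A post-change check for the two conditions this guide sets up, that the MX target resolves only to the Firebox external IP address and that the SMTP listener offers STARTTLS (RFC 3207), is shown here as an added example, not WatchGuard code. The function names, the host name mail.example.com, and the documentation-range IP addresses are assumptions, and the EHLO replies are constructed samples.

```python
import ipaddress
import smtplib
import socket

# Constructed sample EHLO replies (not captured from a real Firebox).
SAMPLE_WITH_TLS = "250-mail.example.com Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLE_NO_TLS = "250-mail.example.com Hello\r\n250-SIZE 10240000\r\n250 8BITMIME"


def parse_ehlo_keywords(reply):
    """Return the ESMTP keywords in a 250 EHLO reply; line 1 is the greeting."""
    keywords = set()
    for line in reply.splitlines()[1:]:
        line = line.strip()
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def check_mail_path(resolved_ips, firebox_ip, ehlo_reply):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    want = ipaddress.ip_address(firebox_ip)
    got = {ipaddress.ip_address(ip) for ip in resolved_ips}
    if got != {want}:
        seen = ", ".join(sorted(str(ip) for ip in got)) or "nothing"
        findings.append(f"MX target resolves to {seen}, expected only {want}")
    if "STARTTLS" not in parse_ehlo_keywords(ehlo_reply):
        findings.append("STARTTLS not advertised in the EHLO reply")
    return findings


def probe(mx_host, firebox_ip, port=25, timeout=10):
    """Live version: resolve the MX target, then EHLO to the Firebox address."""
    infos = socket.getaddrinfo(mx_host, port, proto=socket.IPPROTO_TCP)
    ips = {info[4][0] for info in infos}
    with smtplib.SMTP(firebox_ip, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
    text = msg.decode(errors="replace")
    reply = "\n".join(f"{code}-{part}" for part in text.splitlines())
    return check_mail_path(ips, firebox_ip, reply)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    print(check_mail_path(["203.0.113.10"], "203.0.113.10", SAMPLE_WITH_TLS))
    print(check_mail_path(["198.51.100.7"], "203.0.113.10", SAMPLE_NO_TLS))
```

Run probe() from a host outside your network, so that the name resolution and the SMTP connection follow the same path an external sender would use.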