
Office 365 with Firebox SMTP-Proxy Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure the Firebox and Microsoft Outlook clients so that Office 365 connections go through the SMTP-proxy on the Firebox.

Integration Summary

Firebox policy settings:

  • Incoming SMTP-proxy policy with a static NAT (SNAT) action
  • SNAT action settings:
    • Source IP address: Firebox external IP address
    • FQDN: smtp.office365.com (supported in Fireware 12.2 and higher)
  • In the SMTP-proxy action, enable inspection and security services

Outlook client profile settings:

  • Incoming mail server: outlook.office365.com
  • Outgoing mail server (SMTP): Firebox external IP address
  • Incoming server (IMAP):
    • Port: 993
    • Encrypted connection: SSL/TLS encryption
  • Outgoing server (SMTP):
    • Port: 25
    • Encrypted connection: Auto

Configuration Requirements

To complete this integration, you must have:

  • Firebox that runs Fireware v12.2 or higher
  • Office 365 tenant

This guide describes three types of configuration for three different scenarios.

Remote Employee Proxy SMTP Traffic

Configure Your Firebox for Office 365

On the Firebox, add an SMTP-proxy policy with a static NAT action, and enable content inspection in the proxy action.

Add a Static NAT

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > SNAT.
  3. To add a new SNAT mapping, click Add.
    The Add SNAT page appears.
  4. In the Name text box, type a name for the SNAT mapping.
  5. Select Static NAT.

  6. Click Add.
    The Add Member dialog box appears.
  7. From the IP Address or Interface drop-down list, select External or select an external IP.
  8. From the Choose Type drop-down list, select FQDN.
  9. In the Host text box, type outlook.office365.com.
  10. Select the Set source IP check box and type your external IP address.

  11. Click OK.

Add a Proxy Action

Because you cannot edit predefined proxy actions, you must clone a proxy action to customize the configuration.

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > Proxy Actions.
    The Proxy Actions page appears.
  3. Click SMTP-Incoming.Standard (Predefined). Click Clone.
  4. Type a Name for the proxy action.
  5. Select ESMTP > STARTTLS Encryption.
  6. Select the Enable STARTTLS with Content Inspection check box.
  7. Select TLS.

  8. To disable inspection, from the Action drop-down list, select Allow.
  9. Click Save.

Add an SMTP-Proxy

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > Firewall Policies.
  3. Click Add Policy.
  4. For the policy type, select Custom.

  5. Click Add.
  6. Type a Name for the policy.
  7. Select Proxy as the policy type, then select SMTP from the drop-down list.
  8. In the SMTP Ports section, click Add, then add an SMTP port with this information:
    • Type: Single Port
    • Protocol: TCP
    • Server Port: 587
  9. In the SMTPS Ports section, click Add, then add an SMTPS port with this information:
    • Type: Single Port
    • Server Port: 465

  10. Click Save.
    The Add Firewall Policy page appears.
  11. From the drop-down lists, select the policy template and the proxy action you added.
  12. Click Add Policy.
    A new policy page appears.
  13. Remove all members from the From and To lists.
  14. Below the From list, click Add, then add a source with the alias Any-External.
  15. Below the To list, click Add, add a destination with the Member type of Static NAT, and select the SNAT you added for this integration.
  16. Click Save.

Test the Integration

To configure the Outlook client to connect through the Firebox, add an Outlook profile that specifies the Firebox external IP address as the outgoing mail server, and configure the other settings described below.

  1. In the Outlook client, select File > Account Settings.

  2. Click Manage Profiles.

  3. Click Show Profiles.
    A list of current profiles appears.
  4. To add a new profile, click Add.
  5. Specify a profile name. Click OK.
  6. Select Manual setup or additional server types. Click Next.
  7. Select POP or IMAP. Click Next.
    The POP and IMAP Account Settings appear.

Screenshot of the POP and IMAP account settings

  8. In the Server Information section, specify these settings:
    • Account Type — IMAP
    • Incoming mail server — outlook.office365.com
    • Outgoing mail server (SMTP) — the external IP address of the Firebox where you added the SMTP-proxy policy
  9. Click More Settings.
  10. Select the Outgoing Server tab.
  11. Select My outgoing server (SMTP) requires authentication.

Screenshot of the Outgoing Server tab

  12. Select the Advanced tab.
  13. Configure the settings as shown below.

  14. Click OK. Click Next.
    Outlook automatically tests the connection.

Screenshot of the Test Account Settings dialog box with a successful result

  15. After the test is complete, click Close.
    The new profile is added.
  16. Below the list of profiles, select Always use this profile, and select the profile you configured.
  17. Click OK.
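
A check that complements the Outlook connection test above, added here as an example (it is not part of the WatchGuard guide or product). It parses the EHLO reply that a client sees before TLS on the SMTP listener and flags a missing STARTTLS or AUTH PLAIN/LOGIN offered in cleartext, which matters because the Outlook profile authenticates to the outgoing server with encryption set to Auto. The function names, the `check.example` EHLO name and the sample replies are constructed for illustration, and the check assumes a client that upgrades to TLS only when STARTTLS is advertised.

```python
import socket

def read_reply(f):
    """Read one SMTP reply (possibly multi-line) from a binary file object."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 " (or EOF) ends the reply
            return lines

def parse_ehlo(lines):
    """Map EHLO keywords to their parameters, e.g. {'AUTH': ['LOGIN']}."""
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO rejected: %r" % (lines[:1],))
    ext = {}
    for line in lines[1:]:                    # line 0 is the server greeting
        words = line[4:].split()
        if words:
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext

def assess(ext):
    """Return findings for a pre-TLS EHLO reply (empty list means no finding)."""
    findings = []
    if "STARTTLS" not in ext:
        findings.append("no STARTTLS: opportunistic clients stay in cleartext")
    cleartext = sorted({"PLAIN", "LOGIN"} & set(ext.get("AUTH", [])))
    if cleartext:
        findings.append("AUTH %s offered before TLS" % "/".join(cleartext))
    return findings

def probe(host, port=25, timeout=10):
    """Fetch the pre-TLS EHLO reply from a listener you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        read_reply(f)                         # 220 banner
        f.write(b"EHLO check.example\r\n"); f.flush()
        lines = read_reply(f)
        f.write(b"QUIT\r\n"); f.flush()
    return lines

# Constructed sample replies (not captured from a real Firebox or Office 365).
GOOD = ["250-mail.example.test Hello", "250-SIZE 157286400", "250-STARTTLS", "250 8BITMIME"]
WEAK = ["250-mail.example.test Hello", "250-SIZE 157286400", "250-AUTH LOGIN PLAIN", "250 8BITMIME"]

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, assess(parse_ehlo(sample)) or "ok")
```

To run it against the live policy, pass the Firebox external IP address and the SMTP port configured in the Outlook profile to `probe()` and feed the result to `assess(parse_ehlo(...))`.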

Office 365 Fully Hosted

Duplicate the Firebox configuration described in the Remote Employee Proxy SMTP Traffic section. Then follow the steps below to configure Office 365.

  1. Log in to the Office 365 admin portal with an administrative account.
  2. To add MX records, navigate to Home > Domains.
  3. To add a domain which will be used as the email address suffix for your users, click Add domain.
  4. Follow the steps in the wizard to add a domain.
  5. Your MX record is added and should be in the format yourdomain.mail.protection.outlook.com. Users with this domain suffix can now communicate through the Firebox to Office 365.

  6. To test the integration, follow the steps in the Remote Employee Proxy SMTP Traffic section.

Exchange Hybrid Deployment

In this scenario, customers keep their domain MX records pointing to the Firebox external interface. You add a SNAT to forward the traffic to the Exchange on-premise server that is behind a Firebox connected to the trusted interface.

Configure Your Firebox for Office 365

On the Firebox, add an SMTP-proxy policy with a static NAT action, and enable content inspection in the proxy action.

Add a Static NAT

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > SNAT.
  3. To add a new SNAT mapping, click Add.
    The Add SNAT page appears.
  4. In the Name text box, type a name for the SNAT mapping.
  5. Select Static NAT.
  6. Click Add.
    The Add Member dialog box appears.
  7. From the IP Address or Interface drop-down list, select External or select an external IP.
  8. From the Choose Type drop-down list, select Internal IP Address.
  9. In the Host text box, type the IP address of your Exchange on-premise server.
  10. Click OK.

Add a Proxy Action

Because you cannot edit predefined proxy actions, you must clone a proxy action to customize the configuration.

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > Proxy Actions.
    The Proxy Actions page appears.
  3. Click SMTP-Incoming.Standard (Predefined). Click Clone.
  4. Type a Name for the proxy action.
  5. Select ESMTP > STARTTLS Encryption.
  6. Select the Enable STARTTLS with Content Inspection check box.
  7. Select Subscription Services > Gateway AV.
  8. Select your newly added proxy action and click Configure.
  9. Select the Enable Gateway AntiVirus check box. Click Save.
  10. Select Subscription Services > spamBlocker.
  11. Select your newly added proxy action and click Configure.
  12. Select the Enable spamBlocker check box. Click Save.

To create an SMTP-outgoing proxy action, repeat this procedure (clone the predefined SMTP-Outgoing.Standard proxy action).

Add SMTP Proxies

  1. Log in to Fireware Web UI with an administrative account.
  2. Select Firewall > Firewall Policies.
  3. Click Add Policy.
  4. For the policy type, select Proxies.
  5. From the Select a proxy drop-down list, select SMTP-proxy.
  6. From the Select a Proxy action drop-down list, select the cloned SMTP incoming proxy action you added in the previous section.
  7. Click Add Policy.
  8. Type a Name for the policy.
  9. On the Settings tab, remove the members from the To list.
  10. Below the To list, click Add.
    The Add Member dialog box appears.
  11. From the Member Type drop-down list, select Static NAT, then select the SNAT you added. Click OK.
  12. From the TLS Support drop-down list, select Disabled.
  13. On the Proxy Action tab, enable Gateway AV and APT Blocker. Click Save.
  14. Select Subscription Services > APT Blocker, select the Enable APT Blocker check box, and click Save.
  15. Select Subscription Services > IntelligentAV, select the Enable IntelligentAV check box, and click Save.

To create an SMTP-Outgoing policy, repeat this procedure. If you have Data Loss Prevention, enable it on the Proxy Action tab when you create a proxy (or enable it later).

To configure the SMTP-Outgoing policy:

  1. On the Settings tab, disable TLS Support.
  2. Remove all members from the From and To lists.
  3. Below the From list, click Add, select the Member type as Host IPv4, type the IP address of your on-premise Exchange server, and click OK.
  4. Below the To list, click Add, select Member type as Alias, select Any-External, and click OK.
  5. Click Save.

Test the Integration

To configure the Outlook client to connect through the Firebox, add an Outlook profile that specifies the Firebox external IP address as the outgoing mail server, and configure the other settings described below.

  1. In the Outlook client, select File > Account Settings.

  2. Click Manage Profiles.

  3. Click Show Profiles.
    A list of current profiles appears.
  4. To add a new profile, click Add.
  5. Specify a profile name. Click OK.
  6. Select Manual setup or additional server types. Click Next.
  7. Select POP or IMAP. Click Next.
    The POP and IMAP Account Settings appear.

  8. In the Server Information section, specify these settings:
    • Account Type — IMAP
    • Incoming mail server — outlook.office365.com (you need to use an Office 365 user for this incoming mail server)
    • Outgoing mail server (SMTP) — Your Exchange on-premise server host name
  9. Click More Settings.
  10. Select the Outgoing Server tab.
  11. Select My outgoing server (SMTP) requires authentication.

Screenshot of the Outgoing Server tab

  12. Select the Advanced tab.
  13. Configure the settings as shown below.

  14. Click OK. Click Next.
    Outlook automatically tests the connection.

Screenshot of the Test Account Settings dialog box with a successful result

  15. After the test is complete, click Close.
    The new profile is added.
  16. Below the list of profiles, select Always use this profile, and select the profile you configured.
  17. Click OK.
