Microsoft 365 with Firebox SMTP-Proxy Integration Guide

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, refer to the documentation and support resources for that product.

This integration guide describes how to configure the Firebox to filter emails before they reach the Microsoft 365 Mail Server.

Platform and Software

The platform and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.10 or higher
  • Microsoft 365 subscription
  • DNS Hosting provider

Integration Topology

Screenshot of the SMTP-Proxy Policy

Before You Begin

Before you begin these procedures, make sure that:

  • The Microsoft 365 Mail Server MX records are added at the DNS hosting provider.
  • The domain (ecosys.solutions) is added to Microsoft 365.
  • The Microsoft 365 Mail Server can send and receive mail with the domain (ecosys.solutions).

Configure Your Firebox for Microsoft 365

On the Firebox, add an SMTP-proxy policy with a static NAT action, and enable content inspection in the proxy action.

Add a Static NAT

To add a static NAT, from Fireware Web UI:

  1. Log in with an administrative account.
  2. Select Firewall > SNAT.
  3. To add a new SNAT, click Add.
    The Add SNAT page opens.

Screenshot of the Add a Static NAT page

  4. In the Name text box, enter a name for the SNAT.
  5. Select Static NAT.
  6. Click Add.
    The Add Member dialog box opens.

The screenshot of Add SNAT member

  7. From the IP Address or Interface drop-down list, select External or select an external IP address.
  8. From the Choose Type drop-down list, select FQDN.
  9. In the Host text box, type or paste your Microsoft 365 domain MX record in the format: <Your Domain>.mail.protection.outlook.com.
  10. Select the Set Source IP check box and enter your external IP address.
  11. Click OK.

Add an SMTP Proxy Action

Because you cannot edit predefined proxy actions, you must clone a proxy action to customize the configuration.

To add an SMTP proxy action, from Fireware Web UI:

  1. Log in with an administrative account.
  2. Select Firewall > Proxy Actions.
    The Proxy Actions page opens.

The screenshot of choosing a proxy action

  3. Click SMTP-Incoming.Standard (Predefined).
  4. Click Clone.
  5. In the Name text box, enter a name for the proxy action.

The screenshot of clicking static encryption

  6. Select ESMTP > STARTTLS Encryption.

The screenshot of static encryption

  7. Select the Enable STARTTLS with Content Inspection check box.
  8. Select ESMTP > Authentication.

The screenshot of esmtp content inspection

  9. From the Action to take if no rule above is matched drop-down list, select Allow.
  10. Click Save.

Add an SMTP-Proxy Policy

To add an SMTP-Proxy policy, from Fireware Web UI:

  1. Select Firewall > Firewall Policies > Add Policy.
  2. Select Proxies, then select SMTP-proxy from the first adjacent drop-down list.
  3. From the second adjacent drop-down list, select the SMTP proxy action you added. In this example, select SMTP-Incoming.Standard.clone.

The screenshot of adding proxy policy type

  4. Click Add Policy.
    The Firewall Policies / Add page opens.
  5. Remove all members from the From and To lists.
  6. In the From list, click Add, then add a source with the alias Any-External.
  7. In the To list, click Add, then add a destination with a Member type of Static NAT, and select the SNAT you added for this integration.
  8. Leave the default value for all other settings.

The screenshot of SMTP Proxy Policy

  9. Click Save.

Update the Domain MX Record

After you save the SMTP proxy with the SNAT to Microsoft 365, you must update your email domain MX record to point to a host name that resolves to the Firebox external IP address.

Test the Integration

Verify that the Microsoft 365 Mail Server can receive mail for the domain (ecosys.solutions) after your Firebox filters it.
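
The following check is an added example, not part of the WatchGuard procedure. It audits the MX cut-over described above: a leftover MX record that still names the Microsoft 365 host lets senders deliver around the Firebox, and the listener should advertise STARTTLS once Enable STARTTLS with Content Inspection is selected. The function names, the domain example.com, the host mail.example.com, and the IP address 203.0.113.10 are assumptions, and the sample inputs are constructed.

```python
# Added example: offline checks for the MX cut-over, run on constructed sample data.
M365_SUFFIX = ".mail.protection.outlook.com"  # SNAT host format from this guide

def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` text into sorted (preference, host) pairs."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)

def audit_mx(records, a_records, firebox_ip):
    """Return findings; an empty list means every MX host lands on the Firebox."""
    findings = []
    for pref, host in records:
        if host.endswith(M365_SUFFIX):
            findings.append(f"MX {pref} {host}: delivers to Microsoft 365 directly, bypassing the Firebox")
        elif firebox_ip not in a_records.get(host, []):
            findings.append(f"MX {pref} {host}: does not resolve to {firebox_ip}")
    return findings

def ehlo_offers_starttls(ehlo_reply):
    """True if a multi-line 250 EHLO reply advertises the STARTTLS extension."""
    return any(
        line[:3] == "250" and line[4:].strip().upper() == "STARTTLS"
        for line in ehlo_reply.splitlines()
    )

# Constructed sample input (hypothetical domain, documentation-range IP address).
FIREBOX_IP = "203.0.113.10"
SAMPLE_DIG = """\
10 mail.example.com.
0 example-com.mail.protection.outlook.com.
"""
SAMPLE_A = {"mail.example.com": ["203.0.113.10"]}  # host -> A records
SAMPLE_EHLO = "250-mail.example.com Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"

if __name__ == "__main__":
    for finding in audit_mx(parse_mx(SAMPLE_DIG), SAMPLE_A, FIREBOX_IP):
        print("FAIL", finding)
    print("STARTTLS offered:", ehlo_offers_starttls(SAMPLE_EHLO))
```

To use it on a real domain, replace the sample strings with the output of `dig +short MX <Your Domain>`, the A records of each MX host, and the EHLO reply returned on port 25 of the Firebox external IP address.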