
Sophos XG in MTA mode but not as gateway, how to configure it?


We want to use Sophos XG as an anti-spam proxy. There is another firewall (ASA) in the network acting as the gateway. How can I configure MTA mode when the XG is not the gateway? I searched the Sophos KB; there is only one document describing how to configure MTA mode, but it does not match my scenario: in my network there is only one connection from the Sophos to the DMZ. Do I need to create a dummy IP on the WAN port with no physical connection on the WAN port?



  • Hi Keyur,

    Thanks for your reply. Bridge mode is not suitable because this Sophos is already configured as a web proxy. I followed the configuration (https://community.sophos.com/kb/en-us/123522) and it works fine. Now I need to configure email protection similar to the web proxy, but I cannot find such a solution for my scenario. Do I need to create another dummy IP for the SMTP relay on the WAN port?

  • Hi,

    You can set up two ports in bridge mode; that does not affect the existing port configuration. You would then use firewall rules for local traffic access to the email server.

    Ian

  • Hi Chanqgqing,

    This becomes a bit more complicated, since some of the configuration has to be done on the email server side and on the gateway device.

    Basically you need the following.

    1. For inbound email you need to DNAT port 25 to the XG at the gateway (unless the XG is already the gateway, or you can point the MX records directly to it).

    2. For outbound email you need to create send connectors (Exchange) and set the XG as the smarthost.

    Now, as long as you have the XG correctly configured, you should have both inbound and outbound going through it.

  • Thanks for your reply, you really understand my network. I have put up the topology for everyone; please help me solve this issue.

    Now we plan to use Sophos XG to replace the Barracuda web and email protection system. We will use the same IP and keep the configuration on the ASA and the Exchange server, which means the DNAT on the ASA (from the public IP to the Sophos XG port 1 IP) and the send connectors on Exchange will not change; we just follow the old environment and only replace the Barracuda, with the same IP.

    Now my question is how to configure email protection on the Sophos. I have only one connection from the Sophos XG to the network, which means both inbound and outbound traffic will go through the same port. How can I make a rule for only one port? Or do I need to create a dummy IP on another port with no physical connection? The dummy IP concept comes from another solution, https://community.sophos.com/kb/en-us/123522, which I have already configured for the web proxy on the Sophos XG, and it works. That is the reason why I don't use bridge mode: I would have to change all the web protection configuration. I think bridge mode cannot match my network topology because the clients, Exchange and Sophos are in different zones.

    I would really appreciate it if someone can help me with this issue; I have to migrate the network this weekend.

  • The funny part about XG MTA is that you do not need a firewall rule at all to make the proxy work.

    Simply enable "SMTP Proxy" in Device Access for your zone and configure your MTA mode properly in Email (host-based relay for your internal mail server and your domain).

    Then configure your DNAT SMTP rule on your firewall (ASA) and point it to the XG.

    Should work fine.

    Firewall rules for SMTP MTA are only needed in case you want to MASQ certain traffic.

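One check a practitioner would want once the setup described in the two replies above is in place (DNAT of port 25 at the ASA to the XG, Exchange send connector with the XG as smarthost, SMTP Proxy enabled in Device Access and host-based relay configured): confirm that the XG accepts mail for your own domain but refuses to relay for foreign domains when the client is not on its relay list, i.e. that it is not an open relay. The following Python script is an added example, not from the thread or from Sophos. It ships with a constructed fake MTA so it can be exercised offline; the domains, host names and reply codes are assumptions. Against a real XG, run it from a host that is not in the host-based relay list (for instance from the DMZ side, through the ASA DNAT), because a host on that list is expected to be allowed to relay.

```python
"""Probe an SMTP MTA (for example Sophos XG in MTA mode) for two properties:
  1. mail for our own domain is accepted at RCPT TO (inbound works);
  2. mail for a foreign domain from an unauthenticated client that is not on
     the relay list is refused at RCPT TO (no open relay).
A constructed fake MTA is included so the check can run offline."""
import smtplib
import socketserver
import sys
import threading

# Constructed sample values (assumptions); replace when probing a real MTA.
OUR_DOMAIN = "example.com"      # the domain the XG is supposed to accept mail for
FOREIGN_DOMAIN = "example.net"  # any domain the XG must not relay for


def probe_rcpt(host, port, sender, rcpt, helo="probe.invalid", timeout=5):
    """Run one envelope (EHLO, MAIL FROM, RCPT TO, QUIT) and return the reply
    code the MTA gave to RCPT TO, or the MAIL FROM code if that already failed."""
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as s:
        s.ehlo()
        code, _ = s.mail(sender)
        if code != 250:
            return code
        code, _ = s.rcpt(rcpt)
        return code


def check_mta(host, port, our_domain=OUR_DOMAIN, foreign_domain=FOREIGN_DOMAIN):
    """Return a verdict dict built from the two RCPT TO replies."""
    inbound = probe_rcpt(host, port, f"sender@{foreign_domain}",
                         f"postmaster@{our_domain}")
    relay = probe_rcpt(host, port, f"sender@{foreign_domain}",
                       f"victim@{foreign_domain}")
    return {
        "inbound_code": inbound,
        "relay_code": relay,
        "inbound_accepted": inbound == 250,
        # 250 here means the MTA agreed to relay for a domain it does not host.
        "relay_accepted": relay == 250,
    }


class _FakeMTAHandler(socketserver.StreamRequestHandler):
    """Minimal ESMTP responder (constructed for the offline demo): accepts
    RCPT TO for hosted domains only, unless started as an open relay."""

    def _reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self._reply("220 fake-xg ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self._reply("250 fake-xg")
            elif verb == "MAIL":
                self._reply("250 2.1.0 OK")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if self.server.open_relay or domain in self.server.hosted_domains:
                    self._reply("250 2.1.5 OK")
                else:
                    self._reply("554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self._reply("221 2.0.0 Bye")
                return
            else:
                self._reply("502 5.5.2 Command not implemented")


class FakeMTA(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, hosted_domains, open_relay=False):
        super().__init__(("127.0.0.1", 0), _FakeMTAHandler)  # port 0: free port
        self.hosted_domains = {d.lower() for d in hosted_domains}
        self.open_relay = open_relay


def run_against_fake(open_relay=False):
    """Start the constructed fake MTA, run check_mta against it, then stop it."""
    srv = FakeMTA([OUR_DOMAIN], open_relay=open_relay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        return check_mta(host, port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # real target: <host> <port>
        result = check_mta(sys.argv[1], int(sys.argv[2]))
    else:                                       # no target given: offline demo
        result = run_against_fake()
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(1 if result["relay_accepted"] or not result["inbound_accepted"] else 0)
```

A 250 to RCPT TO for a foreign domain is a strong signal, but some MTAs only make the relay decision at DATA, so treat "relay_accepted" as a reason to go back to the XG's host-based relay settings rather than as proof of delivery; likewise a 4xx on the inbound probe can be greylisting rather than a misconfiguration.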

  • I attached the topology in a previous mail. The ASA does the DNAT and also the MASQ from the DMZ to the Internet, so in this case I don't need to make firewall rules on the Sophos, only the SMTP settings on the Sophos?
