Tips When Configuring Untangle to work with Microsoft Exchange 2010

Untangle is a powerful firewall that has many advanced features like IPS, Spam Filtering, Virus Filtering, and Phishing Filtering. Configuring it to work with Microsoft Exchange 2010 is relatively straightforward; however, there are a few "gotchas" that you should be aware of :).

  • It's important to know that Untangle's Spam filter is transparent, or inline. This means that although you typically point MX records to its external IP, you must then forward the SMTP port to the internal incoming SMTP device, typically your Hub Transport server in Exchange 2010. Untangle itself does not initiate the SMTP handshake, Exchange does. This caught me off guard since the Spam appliances I am used to working with typically act as the incoming SMTP gateway.
  • Untangle is NOT a smart host. In most configurations with Untangle it is best to let Exchange act as the outbound SMTP gateway. In my setup, I at first configured the transport settings in Exchange to use Untangle as the outbound SMTP gateway, but this of course did not work because Untangle's Spam filter is transparent. So, in most cases it's best to let Exchange establish the SMTP communication with other servers on the internet. It is possible, however, to use your ISP's outbound SMTP servers as a gateway if you need to send via a smart host, but I wouldn't recommend this due to the unnecessary added complexity.
  • Change the quarantine port to 8443, or something other than 443. 443 will be used by your CAS server for OWA, Outlook Anywhere, and Active Sync. This assumes you have your CAS servers behind Untangle.
  • Configure the Default receive connector to allow email from Anonymous Users (under the Permission Groups tab). This allows unauthenticated incoming SMTP traffic from external hosts. This sounds counterintuitive, but remember, external email is being delivered to your Hub Transport server and NOT to the Untangle Spam Filter. If the Untangle server were forwarding email to your Hub Transport server, then you would only allow connections from your SMTP gateway, and typically it would be an authenticated SMTP connection.
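The two Exchange-side settings from the list above (Exchange delivers outbound mail itself rather than through a smart host, and the default receive connector accepts unauthenticated inbound SMTP because Untangle forwards port 25 straight to the Hub Transport server) can be applied and checked from the Exchange Management Shell. The block below is an added example, not part of the original post and not Untangle's or Microsoft's own documentation; the server name HUB01, the connector identities "HUB01\Default HUB01" and "Internet", and the check that anonymous hosts have not also been granted relay rights are assumptions for illustration. Substitute the names from your own organization.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell on a Hub Transport server.
$Hub     = "HUB01"                 # assumed Hub Transport server name
$Receive = "$Hub\Default $Hub"     # assumed identity of the default receive connector

# 1. Inbound: let external hosts deliver unauthenticated to the Hub Transport
#    server. The Default connector normally carries ExchangeUsers, ExchangeServers
#    and ExchangeLegacyServers; AnonymousUsers is added to that list.
Set-ReceiveConnector -Identity $Receive `
    -PermissionGroups "AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers"

# Show the resulting bindings and permission groups for the change log.
Get-ReceiveConnector -Identity $Receive |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups

# 2. Check (assumption for this example): the AnonymousUsers group lets outside
#    hosts submit mail for your own recipients, but it does not grant
#    ms-Exch-SMTP-Accept-Any-Recipient. If that right shows up for ANONYMOUS
#    LOGON, the connector is an open relay and should be corrected.
$relay = Get-ReceiveConnector -Identity $Receive |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" -and -not $_.Deny }
if ($relay) {
    Write-Warning "$Receive allows anonymous relay; remove that right unless it is intended."
} else {
    Write-Host "OK: anonymous hosts on $Receive can deliver to local recipients only."
}

# 3. Outbound: Exchange talks to internet MX hosts directly (DNS routing),
#    with no smart host, so the transparent Untangle filter sees the traffic
#    but never has to act as an SMTP gateway. "Internet" is an assumed name.
if (-not (Get-SendConnector -Identity "Internet" -ErrorAction SilentlyContinue)) {
    New-SendConnector -Name "Internet" -Usage Internet -AddressSpaces "SMTP:*;1" `
        -DNSRoutingEnabled $true -SourceTransportServers $Hub
}
Get-SendConnector -Identity "Internet" |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, SourceTransportServers
```

Step 2 is the check a practitioner wants after opening a connector to anonymous hosts: accepting unauthenticated mail for your own domains is required here, but accepting mail for any recipient is not, and the permission dump makes the difference visible.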