New Install question

Jun 13th, 2008

Setting up a new system: what are the pros and cons of putting the Ironport behind a firewall?

In the past I have set them up "in series" with the firewall and never had an issue. By "in series" I mean one ethernet interface is numbered with a routable (public) IP address, the other with a non-routable (private) IP address. The world talks directly to the Ironport on port 25; traffic goes through the Ironport, is filtered, and goes on to our Exchange server out the private interface, and does not go through the corporate firewall. The inbound mail listener is configured on the public interface.

Any thoughts or advice would be appreciated.

FYI, Ironport support claims that both setups (in front of or behind a firewall) are valid.

steven_geerts Fri, 06/13/2008 - 23:09

If you disable all (management) protocols on your public interface, that interface will not listen on anything other than the configured listeners on that interface.
I think you would be pretty safe with this setup, but I personally prefer to have a firewall between the Ironport and the Internet. Since only incoming SMTP traffic is important for your Ironport, the firewall configuration is rather simple. (Outgoing traffic is also not hard to configure: you need SMTP, DNS and HTTP(S) to specific websites noted in the AsyncOS help file (search for "firewall").)
Keeping a firewall in between prevents you (most likely) from being hacked when there is a bug on your Ironport system.


wmchurch_ironport Sun, 06/15/2008 - 01:28

While I've run a test IronPort out in the wild and unprotected for a few years now, I always put the IronPort behind a firewall for my customers. The IronPort "firmware" is pretty well stripped down and hardened, but it never hurts to have an added layer of protection to protect yourself from misconfiguration on the IronPort or an unknown vulnerability.

Just make sure you disable any sort of protocol fixups on your firewall (i.e. PIX/ASA).
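The two replies above describe the same firewall policy from two sides: steven_geerts lists what the IronPort needs through the firewall (inbound SMTP only; outbound SMTP, DNS and HTTP(S) to the update hosts named in the AsyncOS help), and wmchurch_ironport adds that SMTP protocol fixups/inspection on a PIX/ASA must be off. The fragment below is an added example, not configuration posted by either author or shipped by Cisco or IronPort. It assumes an ASA running 8.2-era syntax with the IronPort on a DMZ interface at 10.1.1.25, a public address 203.0.113.25 mapped to it, an Exchange server on the inside at 10.2.2.10, and placeholder update-server addresses (198.51.100.10/11) standing in for whatever the AsyncOS help file lists; all of those names and addresses are assumptions.

```cisco
! Added example (not from the original thread). Addresses and interface
! names are placeholders; replace them with your own.

! Public address that the world uses for MX; translated to the IronPort's
! DMZ address. The IronPort keeps only private addressing behind the ASA.
static (dmz,outside) 203.0.113.25 10.1.1.25 netmask 255.255.255.255

! Hosts the IronPort must reach for updates. Fill this from the list under
! "firewall" in the AsyncOS help; the two entries here are placeholders.
object-group network IRONPORT_UPDATE_SERVERS
 description Placeholder addresses for AsyncOS update/feed hosts
 network-object host 198.51.100.10
 network-object host 198.51.100.11

! Inbound from the Internet: SMTP to the IronPort and nothing else.
! The implicit deny at the end of the ACL drops everything else, so the
! IronPort's management services are unreachable from outside even if
! they are accidentally left enabled on its public-facing interface.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq smtp
access-group OUTSIDE_IN in interface outside

! Outbound from the DMZ: only what the IronPort needs, nothing more.
! Without this ACL the DMZ (higher security level) could reach anything
! on the Internet by default.
access-list DMZ_OUT extended permit tcp host 10.1.1.25 any eq smtp
access-list DMZ_OUT extended permit udp host 10.1.1.25 any eq domain
access-list DMZ_OUT extended permit tcp host 10.1.1.25 any eq domain
access-list DMZ_OUT extended permit tcp host 10.1.1.25 object-group IRONPORT_UPDATE_SERVERS eq www
access-list DMZ_OUT extended permit tcp host 10.1.1.25 object-group IRONPORT_UPDATE_SERVERS eq https
! Filtered mail is handed to Exchange on the inside network.
access-list DMZ_OUT extended permit tcp host 10.1.1.25 host 10.2.2.10 eq smtp
access-list DMZ_OUT extended deny ip any any
access-group DMZ_OUT in interface dmz

! Turn off SMTP/ESMTP inspection (the "fixup" on older PIX code). The ASA
! otherwise rewrites banners and drops extended commands, which breaks
! the IronPort's own SMTP handling (TLS, pipelining, large messages).
policy-map global_policy
 class inspection_default
  no inspect esmtp
! Equivalent on PIX 6.x:
!   no fixup protocol smtp 25
```

Two points worth checking after applying something like this: `show service-policy` should no longer list `esmtp` under the global policy, and `show access-list DMZ_OUT` hit counters on the final deny line will tell you whether the IronPort is trying to reach something not on the allow list (usually an update host missing from the object group). If `nat-control` is enabled on the ASA, DMZ-to-inside traffic also needs a NAT exemption or identity static; the example assumes the default `no nat-control`.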

