Transparent Mode
Module 11
Transparent Mode
• Transparent relay
• FortiMail is inline, in front of the mail servers or mail relays
[Diagram: mail flow between the Internet and the MTAs]
06-50000-0221-20130726 1
Course 221 - FortiMail Email Filtering Transparent Mode
• IP layer transparency
» FortiMail unit acts as a bridge for SMTP and non SMTP traffic
» The IP address scheme does not require any change
• A network interface configured in route mode is no longer part of the bridge
• CLI syntax to remove the interface from the bridge:
config system interface
(interface)# edit port2
(port2)# set bridge-member disable
(port2)# set ip 192.168.2.100 255.255.255.0
(port2)# set allowaccess ping
(port2)# next
(interface)# end
[Diagram: mail flow between the Internet, the MTAs and the internal SMTP network. Labels: FortiMail default route; third interface in route mode for OOB management; FortiMail static route to the management platforms; management platforms; route mode interface.]
Transparency Settings
• By default, the transparent mode unit does not hide its presence in the
mail flow
• The management IP address (if in bridge mode) or the interface IP
address (if in route mode) will be used to establish a new session to
the destination MTA
• To hide the transparent unit you can use one of the following options
depending on the direction of the email:
» Incoming emails: Enable the option “Hide the transparent box” (System > Domain)
» Outgoing emails: Enable the option “Hide this box from the mail server” (Session
profile > Connection Settings)
» In both cases, the TP unit will reuse the sender IP address to establish the new
session
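One way to verify these settings from the receiving side, as an added example that is not part of the course material: the script reads the Received header stamped by the next-hop MTA and reports whether the session arrived from the transparent unit's own address or from the original sender's. The IP addresses come from the lab diagrams on this page; the header layout, the sample messages and the function names are assumptions.

```python
import re
from email import message_from_string

# Addresses taken from the lab diagrams on this page.
TP_UNIT_IPS = {"10.0.3.201"}   # tp.smarthost.lab
SENDER_IP = "10.0.1.100"       # server.internal.lab

# Assumption: the receiving MTA records the peer as "from helo (rdns [ip])".
PEER_RE = re.compile(
    r"^from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.I)

def peer_ips(raw_message):
    """Return the connecting-peer IP of each Received header, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        match = PEER_RE.match(" ".join(value.split()))  # unfold continuation lines
        ips.append(match.group(1) if match else None)
    return ips

def transparency_verdict(raw_message, expected_sender=SENDER_IP,
                         unit_ips=TP_UNIT_IPS):
    """Classify the newest hop as 'visible', 'hidden' or 'unknown'."""
    ips = peer_ips(raw_message)
    if not ips or ips[0] is None:
        return "unknown"            # no parsable Received header
    if ips[0] in unit_ips:
        return "visible"            # session came from the unit's own IP
    return "hidden" if ips[0] == expected_sender else "unknown"

# Constructed sample messages, as gw.smarthost.lab might stamp them.
DEFAULT_HOP = (
    "Received: from server.internal.lab (unknown [10.0.3.201])\n"
    "\tby gw.smarthost.lab with ESMTP; Fri, 26 Jul 2013 10:00:00 +0000\n"
    "From: user@internal.lab\n"
    "To: user@external.lab\n"
    "\n"
    "test body\n"
)
HIDDEN_HOP = DEFAULT_HOP.replace("10.0.3.201", "10.0.1.100")

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_HOP), ("hide enabled", HIDDEN_HOP)):
        print(name, peer_ips(sample), transparency_verdict(sample))
```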
Built-in MTA
Transparent Proxy
gw.smarthost.lab (10.0.3.100)
tp.smarthost.lab (10.0.3.201); interface Port2
Transparent unit (tp.smarthost.lab) configured to Pass Through incoming and outgoing SMTP connections.
The session from 10.0.1.100 to 10.0.3.100 is bridged.
gw.smarthost.lab (10.0.3.100)
tp.smarthost.lab (10.0.3.201); interface Port1
Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
gw.smarthost.lab (10.0.3.100)
The Gateway FortiMail unit receives the email.
MX lookup is performed to route the email to destination.
MX record for domain external.lab: server.external.lab (10.0.2.100)

tp.smarthost.lab (10.0.3.201); interfaces Port1 and Port2
Domain smarthost.lab defined with IP 10.0.3.100
The transparent mode unit intercepts the email and forwards it to 10.0.3.100 (as indicated in the protected domain section).
A new session is initiated from the TP unit with source IP of 10.0.3.201 to 10.0.3.100.

Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)

FQDN server.internal.lab, IP 10.0.1.100, Domain: internal.lab
FQDN server.external.lab, IP 10.0.2.100, Domain: external.lab
gw.smarthost.lab (10.0.3.100)
tp.smarthost.lab (10.0.3.201); interface Port1
Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)
gw.smarthost.lab (10.0.3.100)
The Gateway unit receives the email.
MX lookup is performed to route the email to destination.
MX record for domain external.lab: server.external.lab (10.0.2.100)

tp.smarthost.lab (10.0.3.201); interfaces Port1 and Port2
No protected domain configured on the Transparent unit.
All traffic is considered outgoing.
Port1 configured to proxy outgoing SMTP connections.
The transparent mode unit intercepts the email and forwards it to 10.0.3.100 (as indicated by the client).
A new session is initiated from the TP unit with source IP of 10.0.3.201.

Mail From: user@internal.lab
RCPT To: user@external.lab
MX record for domain external.lab: gw.smarthost.lab (10.0.3.100)