Firewall considerations when deploying InterScan Messaging Security Suite (IMSS)

    • Updated: 11 Mar 2015
    • Product/Version: InterScan Messaging Security Suite 7.1 Windows; InterScan Messaging Security Suite 7.5 Windows
    • Platform: Windows 2000 Advanced Server; Windows 2000 Server; Windows 2003 Enterprise; Windows 2003 Standard; Windows 2008 Enterprise; Windows 2008 Standard
Summary

Learn the different ways to deploy IMSS based on the location of firewalls on your network.

Details

The following image shows how to deploy IMSS when your network does not have a firewall:

Deploying IMSS without a firewall 
 
Trend Micro does not recommend installing IMSS without a firewall. Placing the server hosting IMSS at the edge of the network may expose it to security threats.

The following image shows how to deploy IMSS in front of your firewall:

Installing IMSS in front of a firewall 

Incoming Traffic

  • IMSS should be the first server to receive incoming email. Configure the MX records on the DNS servers that currently reference your SMTP gateway or firewall to reference the address of the IMSS server, or the switch that performs load balancing between scanners.
  • Configure the Relay Control settings to only allow relay for local domains.

Outgoing Traffic

  1. Configure the firewall (proxy-based) to route all outbound messages to IMSS, so that:
    • Outgoing SMTP email can only go to IMSS servers.
    • Incoming SMTP email can only come from IMSS servers.
  2. Configure IMSS to allow internal SMTP gateways to relay to any domain through IMSS.
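The two relay rules above (relay only for local domains on incoming mail, and internal SMTP gateways may relay to any domain) combine into one accept/reject decision per recipient. The following Python model of that decision is an added example, not IMSS code or Trend Micro configuration; the domains, the gateway subnet and the function names are constructed assumptions.

```python
"""Model of the relay policy described above (added example, not IMSS code)."""
import ipaddress

# Constructed sample values (assumptions for illustration only).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
INTERNAL_GATEWAYS = [ipaddress.ip_network("10.0.5.0/28")]


def rcpt_domain(address):
    """Return the lower-cased domain of an SMTP address, or None if malformed."""
    address = address.strip().strip("<>")
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def is_internal_gateway(client_ip):
    """True only when the connecting client is one of the internal SMTP gateways."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_GATEWAYS)


def relay_decision(client_ip, rcpt_to):
    """Decide whether a RCPT TO from client_ip is accepted."""
    domain = rcpt_domain(rcpt_to)
    if domain is None:
        return "reject: malformed recipient"
    # Exact match: a suffix or substring match would also accept
    # look-alike names such as example.com.attacker.test.
    if domain in LOCAL_DOMAINS:
        return "accept: inbound to local domain"
    # Non-local recipient: only internal gateways may relay outward.
    if is_internal_gateway(client_ip):
        return "accept: outbound from internal gateway"
    return "reject: relay denied"


if __name__ == "__main__":
    samples = [  # constructed connections: (client IP, RCPT TO)
        ("203.0.113.7", "<User@Example.COM>"),
        ("203.0.113.7", "bob@example.net"),
        ("10.0.5.3", "bob@example.net"),
        ("203.0.113.7", "x@example.com.attacker.test"),
        ("10.0.5.16", "bob@example.net"),
    ]
    for ip, rcpt in samples:
        print(f"{ip:<14} {rcpt:<32} {relay_decision(ip, rcpt)}")
```

The case to watch is an external client addressing a non-local domain: if that is ever accepted, the server is an open relay.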

The following image shows how to deploy IMSS and Postfix behind your firewall:

Installing IMSS behind a firewall

Incoming Traffic

  • Configure IMSS to route incoming email to the SMTP gateway and the newly allocated port.

Outgoing Traffic

  1. Configure the SMTP gateway to route outgoing email to the IMSS port 25.
  2. Configure IMSS to route all outgoing email (those messages destined to domains that are not local) to the firewall or deliver them using an external DNS server.

You can also install IMSS in the De-Militarized Zone (DMZ):

Incoming Traffic

  1. Configure your proxy-based firewall, so that incoming and outgoing SMTP email can only go from the DMZ to the internal email servers.
  2. Reconfigure your packet-based firewall so that the mail exchange (MX) records on the DNS server that currently reference your SMTP gateway reference the address of the server hosting IMSS or the switch performing load balancing between scanners.
  3. Configure IMSS to route email destined to your local domain(s) to the SMTP gateway or your internal mail server.

Outgoing Traffic

  1. Configure IMSS to route all outgoing email (messages destined for domains other than the local domains) to the firewall or deliver them using an external DNS server.
  2. Configure all internal SMTP gateways to forward outgoing mail to IMSS.
  3. Configure IMSS to allow internal SMTP gateways to relay to any domain, through IMSS.

You can also install IMSS on the same server that formerly hosted your SMTP gateway.

On the SMTP gateway:

  1. Allocate a new TCP/IP port to route SMTP mail to the gateway. Ensure the port is not used by any other services.
  2. Configure the existing SMTP gateway to bind to the newly allocated port, which frees port 25.
  3. Install IMSS, which then binds to port 25.

Incoming Traffic

  • Configure IMSS to route incoming email to the SMTP gateway and the newly allocated port.

Outgoing Traffic

  1. Configure the SMTP gateway to route outgoing email to the IMSS port 25.
  2. Configure IMSS to route all outgoing email (those messages destined to domains that are not local) to the firewall or deliver them using an external DNS server.

Category: Deploy
Solution Id: 1097049