Messaging Gateway

  • 1.  Using a physical SBG9 server in front of the firewall?

    Posted Apr 15, 2010 09:30 AM
    Is it possible to use an SBG 9 physical server in front of the firewall to pre-scan and drop spam before it is forwarded to the firewall?  Is the server OS secure enough to do this?  We have been pounded by spam lately and notice our clustered firewalls are queueing mail and causing delays; pre-scanning them would work if the appliance can be placed there.

    Thanks


  • 2.  RE: Using a physical SBG9 server in front of the firewall?

    Posted Apr 15, 2010 10:26 AM

    I'd never do that, but this is more my paranoid nature. I'll let Symantec answer the security questions.  You should look at the installation guide and review the 3 scenarios laid out there.

    What kind of firewall are you running?   Since it sounds like it is running an SMTP proxy, this could affect how well SBG functions, since it wouldn't see the source IP address, just that of your firewall proxy.

    My configuration is behind a Cisco ASA firewall.  We NAT the SBG interface.  Only port 25 inbound is allowed.  

    If you disabled your firewall SMTP proxy and just pass the traffic to the SBG, you should see a big improvement.

    Also, make sure you go into reputation and enable Sym Sender Rep to reject, and enable traffic shaping (connection).   CAUTION - if you enable these while using your SMTP proxy, you might find your firewall proxy IP address blocked - since SBG would see all the spam as coming from the proxy IP.

     



  • 3.  RE: Using a physical SBG9 server in front of the firewall?

    Broadcom Employee
    Posted Apr 16, 2010 05:06 PM
    As long as you have a strong password on your admin account this should be OK. Make sure it does not have any LDAP data in it that could be harvested nor have any quarantine, so it should be a scanner.


  • 4.  RE: Using a physical SBG9 server in front of the firewall?

    Posted Apr 16, 2010 06:24 PM

    SBG 8 LDAP replicates content to the scanners, and SBG 9 caches only selected content (e-mail addresses, AD groups used in policies).  So SBG 8 has more data at risk, while SBG 9 has less, but it could be your entire address book.

    You should also have an upstream router that only allows inbound connections for the protocols you support @ the firewall.  e.g.  SSL should be disabled inbound.  This will prevent password attacks against the SBG command line interface.

    Router with minimum ACLs -> SBG -> firewall -> inside mail server.

    Also don't forget the high number ports SBG uses in the 410xx range.  41015-17 use SMTP protocol stack.  (JDavis - I know, they are "protected" using the Agent-Config command.)