SMTP outbound F5 Design

Question

Hello all,I've been unable to find a clear answer for SMTP outbound configuration with F5 Inline. Currently, I have SMTP and other Exchange services working inbound just fine. From the Internet, we're NATing public IP to F5 VIP in the DMZ and the backend pool members are sitting on the inside network, traffic comes in from the the Internet, through the firewall where its NATed and sent to the F5 VIP on the DMZ, where it forwards traffic to pool members on the inside network. Everything is working fine for inbound communications. We want to configure a similar flow for traffic outbound. Where the servers default gateway points to a self IP on the F5 on the inside network. So from an internal client perspective, they send mail to a separate VIP on the inside network, backend pool members receive client traffic and forward to the F5 self IP as it's the default gateway, and the outbound interface for that flow would be sourced from a self IP on the DMZ. Any thoughts on how to achieve this?I suppose there's another SNAT or possibly route domain somewhere but need some assistance on how to achieve this.

ca_valli · Answer

You're almost right! Since F5 is a default deny device, you must configure an object to accept and route this traffic flow. Usually, this is a Virtual Server. If F5 is the server's Gateway, you should account this VS to allow all the required connections. This means the VS should have wildcard destination. If a firewall is in place after the F5, I'm used to configuring this VIP in Forwarding (IP) mode and allow connections to "0.0.0.0/0 : any" and then filter traffic on the firewall. If you need NAT, you can configure it directly on the VS, or on the firewall if it's application-specific.&nbsp;&nbsp;
If you have routing domains in place, VS IP becomes "0.0.0.0/0%ID : any"

franky-frank-reg7 · Answer

The question is how do I make the outbound flow go through the DMZ self IP? As it stands at the moment, we don't have any route domains and all traffic is default routed through the Internal 10.x network, not on the DMZ network which is 192.x. I want this outbound traffic to route through DMZ self IP on 192.x network.

ca_valli · Answer

The easiest way would be to route this traffic through F5.&nbsp;SMTP server --&gt; gateway (routes destination x.x.x.x via F5) --&gt; F5 (routes destination x.x.x.x via external router) --&gt; router --&gt; destination x.x.x.x&nbsp;Or, you could proxy it via F5 by hiding the x.x.x.x address behind a y.y.y.y virtual server.SMTP server --&gt; gateway (routes y.y.y.y via F5) --&gt; F5 (translates y.y.y.y to x.x.x.x and routes x.x.x.x via external router) --&gt; router --&gt; destination x.x.x.x&nbsp;
Second option works well for a single x.x.x.x application, or for a x.x.x.x/xx network.&nbsp;First option is better if x.x.x.x is actually a large number of networks (a.a.a.a/aa + b.b.b.b/bb + c.c.c.c/cc etc.)&nbsp;In both cases, F5 needs to be configured to accept and forward this traffic. This object is usually a virtual server - I've detailed the setup in my previous message.&nbsp;

franky-frank-reg7 · Answer

The issue I have is the default gw on the F5 is a core switch on the inside network, so the traffic flow from an internal client is -> F5 inside VIP -> exchange servers -> F5 self IP -> internal core switch, then outside.

For external mail flow, we want the traffic to route from internal client -> F5 internal VIP -> Exchange servers -> default route to F5 and exit DMZ to the outside. The problem with current design is default GW on the F5 is a core switch on the internal network. If I create the IP forwarding VIP as you mentioned and change the gateway of the server to the forwarding VIP, youre saying I can SNAT the source of exchange servers to self IP on the DMZ?

Key thing is I need outbound traffic to exit the DMZ, right now I don't have a default route on the DMZ network on the F5. The destinations will be many networks as Exchange talks to O365 and this as you're aware are many public destination networks.

ca_valli · Answer

&nbsp;
Franky-frank-reg7 wrote:&nbsp;If I create the IP forwarding VIP as you mentioned and change the gateway of the server to the forwarding VIP, youre saying I can SNAT the source of exchange servers to self IP on the DMZ?&nbsp;
Correct, except F5 self-ip (or better, floating IP if it's a cluster) on the intenal VLAN will still be the gateway -- not the forwarding vip. Setup will be pretty much like this:

I'm assuming you have configured routing on F5 so that O365 networks are routed through DMZ gateway: from your schema, does the PC/mobile External client not&nbsp;hit the DMZ when traffic is inbound??&nbsp;
[EDIT]: if you're happy with self-ip on the DMZ, snat automap will work too. If you need a specific IP you can configure a snatpool with said IP and it willbe used instead.&nbsp;

Forum Discussion

SMTP outbound F5 Design

5 Replies

Recent Discussions

CelluCare Reviews (NEw Updated Customer Warning Alert!) EXPosed Ingredients ^&@pro$49

CITRIX remote desktop solution using F5 APM

BIG-IP rseries license

F5 iRule to route traffic based on AS2 headers doesnt work

Trouble with TCP::option set 28

Related Content

SMTP Smugglers Blues

GitLab Vulnerability, Secure by Design Pledge, & Near Miss Supply Chain Attack

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1