SecurityGateway Deployment Options
SecurityGateway can be configured to filter both your inbound and outbound email traffic and can be deployed in several different ways depending on your requirements.
Below you'll find the most common deployment options explained, along with some information on why you might choose one over another.
Scenario 1. A typical Exchange server installation without SecurityGateway
Before installing SecurityGateway, a typical Exchange deployment looks like this. The DNS MX record points to the public IP address of the Internet router, so SMTP traffic (TCP port 25) arrives there.
In most cases the router is configured using what is known as 'static NAT', which redirects all of the inbound SMTP traffic to the internal IP address of the Exchange server (set to receive on port 25 by default). No filtering takes place, and the Exchange server receives every SMTP session directly.
Scenario 2. Installing SecurityGateway on a dedicated Windows PC
Where possible, the simplest way to deploy SecurityGateway is to install it on to a dedicated Windows PC as shown above.
In this scenario, the router's NAT translation is reconfigured to send SMTP traffic to the internal IP address of the new PC running SecurityGateway. The destination port of this NAT translation remains unchanged from Scenario 1; only the internal IP address changes.
Once the email has been accepted by SecurityGateway, it is passed on to the Exchange server, again on the default SMTP port (TCP port 25).
This scenario also gives the administrator the ability to toggle SecurityGateway's filtering on and off by simply editing the NAT translation in the router to point to either the SecurityGateway PC or the Exchange server's internal IP address.
This option is ideal for high-traffic sites where SecurityGateway needs resources of its own. It also makes demonstrating and testing SecurityGateway easy, using a laptop or a loaned server, without changing the Exchange server in any way; all that is needed is a quick change to the router's NAT translation.
Scenario 3. Installing SecurityGateway on a Windows PC shared with Exchange (PAT)
Scenario 3 moves away from dedicated hardware: SecurityGateway shares the same server hardware as Exchange.
Please note: this option requires that your router supports Port Address Translation (PAT). A PAT-enabled router can change the destination port in addition to the destination IP address. If your router does not support PAT, we recommend following the method shown below in Scenario 4.
In this example, SMTP traffic arriving on port 25 is redirected to the single server on port 26. SecurityGateway is configured to answer SMTP traffic on that port, where it filters the mail and then passes it to Exchange on port 25.
One of the main reasons for choosing this option is the cost saving from utilising the same hardware to run both Exchange and SecurityGateway. It's important to check that the load you'll be putting on the server isn't going to be excessive (you can do this using the trial version); however, in most small-business environments this is a popular and cost-effective way to protect your Exchange users.
Scenario 4. Installing SecurityGateway on a Windows PC shared with Exchange (non-PAT)
Scenario 4 is similar to Scenario 3; however, in this instance we're not using a PAT-enabled router, so the routing of email traffic has to be handled in a slightly different way.
In the diagram above, Microsoft Exchange has been reconfigured so that instead of listening for SMTP on the standard port 25 it listens on port 26. By moving the port Exchange listens on, we're able to configure SecurityGateway to take its place on port 25. SecurityGateway therefore receives all inbound email traffic, filters it and then forwards only the clean messages to Exchange on port 26.
It's worth pointing out that the reason we do this is that two different services (SecurityGateway and Exchange server) cannot both listen on the same port on the same IP address, in this case port 25.
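The following PowerShell is an added example of the Scenario 4 port move on the Exchange side; it is not taken from the SecurityGateway documentation or from the product itself. It assumes an Exchange 2013 or later server whose Internet-facing receive connector is the default "Default Frontend <SERVER>" connector, an internal server address of 192.0.2.10, and that SecurityGateway relays to Exchange from the same host; all three are assumptions to adjust for your site. Step 3 applies equally to Scenario 3, where Exchange keeps port 25: once the NAT rule is the only thing steering mail through the filter, the Exchange connector should accept SMTP from the SecurityGateway address only, so that nothing on the LAN can deliver to Exchange directly and bypass filtering.

```powershell
# Added example (not part of the SecurityGateway documentation): move Exchange's
# inbound SMTP listener from port 25 to port 26 so SecurityGateway can take
# port 25 (Scenario 4), then verify. Run in the Exchange Management Shell.
# Assumptions (adjust for your site): the Internet-facing receive connector is
# the default "Default Frontend <SERVER>" connector (Exchange 2013+), the
# server's internal address is 192.0.2.10, and SecurityGateway relays to
# Exchange from this same host.
$Server     = $env:COMPUTERNAME
$Connector  = "$Server\Default Frontend $Server"   # assumed connector name
$ExchangeIp = "192.0.2.10"                         # assumed internal address
$NewPort    = 26

# 1. Record the current bindings so the change can be reverted if needed.
$before = Get-ReceiveConnector -Identity $Connector
Write-Host "Current bindings:" ($before.Bindings -join ", ")
Write-Host "Current remote IP ranges:" ($before.RemoteIPRanges -join ", ")

# 2. Rebind the connector to port 26 on every address it currently listens on.
#    Default bindings look like "0.0.0.0:25" and "[::]:25"; only the trailing
#    port is replaced, so IPv6 bindings keep their brackets.
$newBindings = $before.Bindings | ForEach-Object {
    $_.ToString() -replace ':\d+$', ":$NewPort"
}
Set-ReceiveConnector -Identity $Connector -Bindings $newBindings

# 3. Accept mail on this connector only from the host SecurityGateway runs on.
#    Without this, any machine on the LAN could deliver straight to port 26
#    and bypass the filter. With both products on one server that is the
#    server's own address plus loopback (SecurityGateway may connect via either).
Set-ReceiveConnector -Identity $Connector -RemoteIPRanges @($ExchangeIp, "127.0.0.1")

# 4. Restart the front-end transport service so the new binding takes effect.
Restart-Service MSExchangeFrontEndTransport

# 5. Verify: port 26 must now be answered by Exchange, and port 25 is free for
#    SecurityGateway (it will show as listening once SecurityGateway is bound).
foreach ($port in 25, $NewPort) {
    $r = Test-NetConnection -ComputerName $ExchangeIp -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { "listening" } else { "closed" }
    Write-Host ("Port {0}: {1}" -f $port, $state)
}
```

Re-run step 5 after SecurityGateway has been configured to listen on port 25 and to relay to 192.0.2.10:26; both ports should then report "listening". Because step 3 restricts who may talk to the Exchange connector, the Scenario 2 trick of toggling filtering off by re-pointing the NAT rule at Exchange will no longer work unless the router's address is added back to RemoteIPRanges.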