WatchGuard Email Protection Integration with Microsoft Exchange

Deployment Overview

This document describes the steps to integrate WatchGuard Email Protection with Microsoft Exchange.

Platform and Software

The platform and software used in this integration include:

  • WatchGuard Email Protection administrative account
  • Microsoft Exchange Server 2019
  • DNS hosting provider

Before You Begin

Before you complete the procedures in this document, make sure that:

  • You have a domain that is managed by your DNS hosting provider.
  • You have added the Microsoft Exchange Server MX/TXT records at your DNS hosting provider.
  • Your Microsoft Exchange Server 2019 can send email messages to an external mailbox and receive email messages from an external mailbox.

Add the Domain to Email Protection

To add your domain to Email Protection:

  1. Log in to Email Protection as an administrator.

Screenshot of the WatchGuard Email Protection scope selection.

  2. From the Scope Selection drop-down list, select the company domain for which you want to configure the Microsoft Exchange Server as a destination server.
  3. From the navigation menu, select Customer Settings > Domains.
    The Customer Settings - Domains page opens.

Screenshot of the WatchGuard Email Protection add domain

  4. Click Add Domain.
  5. In the Domain text box, type the name of the domain. Click Add.
  6. Next to the new domain, click the select icon.
    A menu opens.
  7. To verify that the MX records point to Email Protection, click Trigger Verification.
    If the domain passes verification, the domain status shows as Verified.

Screenshot of the WatchGuard Email Protection trigger domain verification

Add a Mailbox to Email Protection

To add a mailbox to Email Protection:

  1. From the navigation menu, select Customer Settings > Mailboxes.
    The Customer Settings - Mailboxes page opens.
  2. Click Add Mailbox.

Screenshot of the WatchGuard Email Protection add a mailbox

  3. In the Email text box, type an email address. The domain for the email address must be the same as the domain you added in Add the Domain to Email Protection.
  4. In the Password text box, type a password.
  5. Click Add.
    The mailbox shows in the list.

Configure Spam and Malware Protection

To configure Spam and Malware Protection in Email Protection:

  1. From the navigation menu, select Security Settings > Spam and Malware Protection.
    The Security Settings - Spam and Malware Protection page opens.

Screenshot of the WatchGuard Email Protection Spam and Malware Protection page

  2. Select the General Settings tab.
  3. From the Domain drop-down list, select the alias domain you want to activate Spam and Malware Protection for.
  4. From the Primary Environment Settings > Destination section, select IP/Hostname.
  5. In the Destination Server text box, type the domain or Exchange Server IP address. In this example, we typed the Exchange Server IP address. When you update the destination server IP address, it might take some time to complete.
  6. If you configure the outgoing traffic relay in the server, enable IP Addresses of Relay Servers for Outgoing Emails.
    1. In the text box, type the IP addresses of the server that sends the outgoing messages to Email Protection.
    2. Clear the Restrict Email Sending to the Relay Server IP Addresses and Bounce Management (Recommended) check boxes.
  7. From the User Check section, select SMTP.
  8. Disable Alternative IP Address for User Check.
  9. Click Save.
  10. From the Email Filter Settings section, keep the default settings.

Update the Domain MX Record

When you add WatchGuard Email Protection servers to the MX record for your domain, you can route incoming email messages for your domain to WatchGuard servers. WatchGuard Email Protection servers then filter the email messages and forward them to the Microsoft Exchange server. This process takes place before the email messages reach your inbox.

To update the MX record for your domain:

  1. Log in to your DNS hosting provider. Delete the original MX record.
  2. Add the WatchGuard Email Protection MX records shown in WatchGuard Email Protection Server MX Records. We recommend that you add all the records with different priorities in each range.

Screenshot of MX records

  3. Add an A-type record for your Microsoft Exchange Server IP address.

Screenshot of MX records

Update Domain SPF Records and Activate SPF Check

The Sender Policy Framework (SPF) records of your domains must point to Email Protection SPF records. This authorizes Email Protection to send email messages from your domain. Recipients outside your organization can use the SPF record to perform SPF checks on email messages from your domain.

To update the SPF record and activate SPF check:

  1. Log in to your DNS hosting provider.
  2. Add this SPF record: v=spf1 include:spf.hornetsecurity.com ~all

Screenshot of SPF record

  3. Wait for the DNS resolution to take effect.
  4. Log in to Email Protection as an administrator.
  5. From the Scope Selection drop-down list, select the company domain.
  6. From the navigation menu, select Security Settings > Email Authentication.
  7. To refresh the status, click Refresh DNS Settings.
    The DNS status settings for the domain show in the table.
    • A green check mark indicates that the domain settings are correct.
    • A yellow exclamation mark icon indicates that no records are set for the domain.
    • A red X icon indicates that the domain settings are not correct.

Screenshot of the SPF check status

  8. From the Sender Authentication section, enable Activate SPF Check.
  9. Select For All Incoming Emails.
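
The MX and SPF changes in the two procedures above can be checked together once DNS has propagated. The following is an added example, not WatchGuard code: it audits a set of already-resolved records for a leftover MX that would let senders bypass the filter and for a duplicate SPF record. The region keys, function name and sample records for example.com are assumptions made for the illustration.

```python
# MX hosts copied from "WatchGuard Email Protection Server MX Records" on this page.
REGION_MX = {
    "europe": {f"mx0{i}.hornetsecurity.com" for i in range(1, 5)},
    "europe-1and1": {f"mx23{c}.antispameurope.com" for c in "abcd"},
    "us": {f"mx-cluster-usa0{i}.hornetsecurity.com" for i in range(1, 5)},
    "canada": {f"mx-cluster-ca0{i}.hornetsecurity.com" for i in range(1, 5)},
}
SPF_INCLUDE = "include:spf.hornetsecurity.com"


def audit_dns(region, mx_records, txt_records):
    """mx_records: [(priority, host)]; txt_records: [str]. Returns a list of findings."""
    findings = []
    expected = REGION_MX[region]
    hosts = {host.rstrip(".").lower() for _, host in mx_records}
    # Any MX outside the service (for example the original record that step 1
    # says to delete) lets senders deliver around the filter.
    for stray in sorted(hosts - expected):
        findings.append(f"MX {stray} is not an Email Protection server")
    for missing in sorted(expected - hosts):
        findings.append(f"recommended MX {missing} is not published")
    # RFC 7208: more than one "v=spf1" TXT record makes SPF evaluation fail
    # with permerror, so the include must be merged into an existing record.
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif SPF_INCLUDE not in spf[0].lower().split():
        findings.append("SPF record does not authorize spf.hornetsecurity.com")
    return findings


# Constructed sample: the pre-migration MX and SPF records were left in place.
STALE_MX = [(5, "mail.example.com.")] + [
    (10 * i, f"mx-cluster-usa0{i}.hornetsecurity.com.") for i in range(1, 5)
]
STALE_TXT = ["v=spf1 mx -all", "v=spf1 include:spf.hornetsecurity.com ~all"]

# Constructed sample: records exactly as the procedure on this page sets them.
CLEAN_MX = STALE_MX[1:]
CLEAN_TXT = ["v=spf1 include:spf.hornetsecurity.com ~all", "some-site-verification=abc"]

if __name__ == "__main__":
    for finding in audit_dns("us", STALE_MX, STALE_TXT):
        print("FINDING:", finding)
    print("clean config findings:", audit_dns("us", CLEAN_MX, CLEAN_TXT))
```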

Create a Receive Connector for Inbound Email Traffic

To make sure that the Exchange Server does not receive email messages that WatchGuard Email Protection has not processed, you must create a receive connector for inbound email traffic. This connector makes sure that the Exchange Server accepts messages only from the WatchGuard Email Protection server IP address ranges. Email messages that do not originate from those ranges are rejected.

To create a receive connector for inbound email traffic:

  1. Log in to Microsoft Exchange admin center.
  2. From the navigation menu, select Mail Flow > Receive Connector.
  3. Disable all original FrontendTransport receive connectors.

Screenshot of the Exchange admin center page

  4. To add a new receive connector, click the add button.

Screenshot of the Microsoft Exchange New Receive Connector page

  5. In the Name text box, type a name.
  6. From the Role section, select Frontend Transport.
  7. From the Type section, select Custom (For example, to allow application relay).
  8. Click Next.
    The Network Adapter Bindings dialog box opens.

Screenshot of the Microsoft Exchange Network Adapter Bindings page

  9. In the Network Adapter Bindings section, click the add button.
  10. Add ports 25 and 587 for all available IPv4 and IPv6 addresses.
  11. Click Next.
    The Remote Network Settings dialog box opens.

Screenshot of the Microsoft Exchange Remote Network Settings page

  12. In the Remote Network Settings section, click the add button.
  13. Add all IP addresses shown in IP Addresses of WatchGuard Email Protection Servers.
  14. Click Save.

Screenshot of the Microsoft Exchange Receive Connectors page

  15. Double-click the receive connector you added.
  16. Select Security.

Screenshot of the WEP Receive Connectors Security page

  17. In the Permission Groups section, enable Anonymous Users.
  18. Keep the other default settings. Click Save.
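
The restriction this connector enforces can be confirmed afterwards from the SMTP receive logs. The following is an added example, not WatchGuard or Microsoft code: it flags every session opened from an address outside the ranges listed on this page, which points at a receive connector that step 3 should have disabled. The log lines, the server name EX01 and the connector name "WEP Inbound" are constructed, and the CSV column layout is assumed to be that of Exchange receive protocol logs.

```python
import csv
import ipaddress

# Ranges copied from "IP Addresses of WatchGuard Email Protection Servers" on this page.
ALLOWED = [ipaddress.ip_network(n) for n in (
    ["83.246.65.0/24", "173.45.18.0/24"]
    + [f"94.100.{i}.0/24" for i in range(128, 144)]
    + [f"185.140.{i}.0/24" for i in range(204, 208)]
    + ["108.163.133.224/27", "199.27.221.64/27", "209.172.38.64/27",
       "216.46.2.48/29", "216.46.11.224/27"]
)]

# Constructed sample in the CSV layout of Exchange SMTP receive protocol logs.
# Server name EX01 and connector name "WEP Inbound" are made up for the example.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-05-01T10:00:00.000Z,EX01\WEP Inbound,08DC0001,0,10.0.0.5:25,94.100.132.17:41022,+,,
2024-05-01T10:00:00.100Z,EX01\WEP Inbound,08DC0001,1,10.0.0.5:25,94.100.132.17:41022,>,220 EX01 ready,
2024-05-01T10:00:05.000Z,EX01\Default Frontend EX01,08DC0002,0,10.0.0.5:25,203.0.113.50:51200,+,,
2024-05-01T10:00:09.000Z,EX01\WEP Inbound,08DC0003,0,10.0.0.5:587,216.46.2.50:33000,+,,
"""


def sessions_outside_allowlist(log_text):
    """Return (connector, remote_ip) for each session opened from a non-allowed address."""
    lines = log_text.splitlines()
    header = next(l for l in lines if l.startswith("#Fields: "))
    fields = header[len("#Fields: "):].split(",")
    data = (l for l in lines if l and not l.startswith("#"))
    hits = []
    for row in csv.DictReader(data, fieldnames=fields):
        if row["event"] != "+":  # "+" marks the start of an SMTP session
            continue
        # Endpoint is "ip:port"; IPv6 addresses are wrapped in brackets.
        host = row["remote-endpoint"].rsplit(":", 1)[0].strip("[]")
        ip = ipaddress.ip_address(host)
        if not any(ip in net for net in ALLOWED):
            hits.append((row["connector-id"], str(ip)))
    return hits


if __name__ == "__main__":
    for connector, ip in sessions_outside_allowlist(SAMPLE_LOG):
        print(f"{ip} reached {connector} without passing through Email Protection")
```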

Create a Send Connector for Outbound Email Traffic

To prevent external mail servers from classifying email messages sent by your Microsoft Exchange server as malicious, you must add a send connector that routes all outbound email through the Email Protection smart host.

To create a send connector for outbound email traffic:

  1. Log in to Microsoft Exchange admin center.
  2. From the navigation menu, select Mail Flow > Send Connectors.

Screenshot of the Mail Flow Send Connectors page

  3. Disable the original send connectors.
  4. To add a new send connector, click the add button.

Screenshot of the new send connector page

  5. In the Name text box, type a name.
  6. From the Type section, select Internet (For example, to send internet mail).
  7. Click Next.

Screenshot of the new send connector page

  8. From the Network Settings section, select Route mail through smart hosts.
  9. To add a new smart host, click the add button.

Screenshot of the new smart host page

  10. In the text box, type the domain name for the region:
    • United States — relay-cluster-usa01.hornetsecurity.com
    • Europe — relay-cluster-eu01.hornetsecurity.com
    • Canada — relay-cluster-ca01.hornetsecurity.com
  11. Click Save.
  12. Click Next.
    The New Send Connector dialog box opens.

Screenshot of the new send connector page

  13. From the Smart Host Authentication section, select Basic Authentication.
  14. Type the user name and password you added in Add a Mailbox to Email Protection.
  15. Click Next.
  16. To add a new address space, from the Address Space section, click the add button.
    The Add Domain dialog box opens.

Screenshot of the new send connector page

  17. In the Full Qualified Domain Name (FQDN) text box, type *.
  18. Keep the other default settings. Click Save.
  19. Click Next.
    The Select a Server dialog box opens.

Screenshot of the new send connector page

  20. To add a new source server, from the Source Server section, click the add button.
  21. Select the source server and click Add.
  22. Click OK. Click Finish.

Add Recipients to the Microsoft Exchange Server

To test that you can send and receive email messages, you must add recipients to your Microsoft Exchange server.

To add recipients:

  1. Log in to Microsoft Exchange admin center.
  2. From the navigation menu, select Recipients > Mailboxes.

Screenshot of the Microsoft Exchange admin center page

  3. Click the add button.
  4. Select User Mailbox.
    The New User Mailbox dialog box opens.

Screenshot of the Microsoft Exchange add user mailbox page

  5. In the text boxes, type the required user information. Click Save.

Test the Integration

To test the integration:

  1. Go to https://<your.domain>.

Screenshot of the Microsoft Outlook page

  2. Log in with the credentials of the recipient you added in Add Recipients to the Microsoft Exchange Server.

Screenshot of the Microsoft Outlook Inbox page

  3. Send an email message to an external mailbox.
  4. Log in to the external mailbox and verify that you received the email message.
  5. From the external mailbox, send an email message to your internal mailbox on the Microsoft Exchange Server.
  6. In WatchGuard Email Protection, verify that email messages appear in the Email Live Tracking page.

Screenshot of the Email Live Tracking page

WatchGuard Email Protection Server MX Records

Europe

The MX records for customers in Europe are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx01.hornetsecurity.com
<domain.tld> IN MX 20 mx02.hornetsecurity.com
<domain.tld> IN MX 30 mx03.hornetsecurity.com
<domain.tld> IN MX 40 mx04.hornetsecurity.com

For customers of the DNS provider 1&1, these MX records apply instead:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx23a.antispameurope.com
<domain.tld> IN MX 20 mx23b.antispameurope.com
<domain.tld> IN MX 30 mx23c.antispameurope.com
<domain.tld> IN MX 40 mx23d.antispameurope.com

United States

The MX records for customers in the United States are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx-cluster-usa01.hornetsecurity.com
<domain.tld> IN MX 20 mx-cluster-usa02.hornetsecurity.com
<domain.tld> IN MX 30 mx-cluster-usa03.hornetsecurity.com
<domain.tld> IN MX 40 mx-cluster-usa04.hornetsecurity.com

Canada

The MX records for customers in Canada are:

Domain Class Type Priority Email server
<domain.tld> IN MX 10 mx-cluster-ca01.hornetsecurity.com
<domain.tld> IN MX 20 mx-cluster-ca02.hornetsecurity.com
<domain.tld> IN MX 30 mx-cluster-ca03.hornetsecurity.com
<domain.tld> IN MX 40 mx-cluster-ca04.hornetsecurity.com

IP Addresses of WatchGuard Email Protection Servers

WatchGuard Email Protection Servers IP Address Ranges

83.246.65.0/24 94.100.128.0/24 94.100.129.0/24 94.100.130.0/24 94.100.131.0/24
94.100.132.0/24 94.100.133.0/24 94.100.134.0/24 94.100.135.0/24 94.100.136.0/24
94.100.137.0/24 94.100.138.0/24 94.100.139.0/24 94.100.140.0/24 94.100.141.0/24
94.100.142.0/24 94.100.143.0/24 173.45.18.0/24 185.140.204.0/24 185.140.205.0/24
185.140.206.0/24 185.140.207.0/24

WatchGuard Email Protection Servers IP Address Ranges in Canada

108.163.133.224/27 199.27.221.64/27 209.172.38.64/27 216.46.2.48/29 216.46.11.224/27