Firewall Email

  • Updated 3 years ago
Hello,

I am creating a new UserProfile for my Guest SSID with Aerohive DHCP (I don't know the real name).
I have a problem with my firewall rules:

I authorized the protocols HTTP, HTTPS and HTTP-8080. Internet works properly on smartphone and laptop.
I authorized the protocols POP3, IMAP and SMTP so people can retrieve mail on a smartphone, but it doesn't work.

I don't understand which protocols I forgot.

Screenshot:


Dubois

  • 7 Posts
  • 0 Reply Likes

Posted 3 years ago


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I'd first check the order that these are being applied.

Will Rhodes

  • 45 Posts
  • 9 Reply Likes
The issue is the rule set is blocking your guest email traffic.

Without changing the rules as they are written, the 3 "Deny" rules should be moved to the bottom of the list. This isn't perfect though because it could allow guests to access internal resources on those protocols through the use of "any" source to "any" destination.

One way you could do it would be to write the rules to say:

Drop Guests (use subnet or userprofile to identify) to your specific internal LAN range
Allow Guests to internet on the approved protocols

Source    Destination     Application    Action
Guests    Internal LAN    any            drop
Guests    any             web            allow
Guests    any             email          allow
etc....

Just be sure that the first Drop rule doesn't block their access to the Guest's default gateway.
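To make the ordering point concrete, here is an added example (not from the thread or from Aerohive) that evaluates the suggested rule set first-match, top to bottom, against a few guest flows. The guest subnet, the internal range, the gateway address and the port groups are all assumptions; it also shows the caveat above, where an "internal LAN" range written broadly enough to include the guest gateway makes the first drop rule cut guests off from it.

```python
import ipaddress
from dataclasses import dataclass

# Application groups used by the suggested rules; the port sets are constructed
# from the protocols named in the thread (HTTP/HTTPS/8080, POP3/IMAP/SMTP).
APPS = {
    "web": {80, 443, 8080},
    "email": {25, 110, 143, 465, 587, 993, 995},
    "any": None,  # None matches every port
}

@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    app: str     # key into APPS
    action: str  # "allow" or "drop"

def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    in_src = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    in_dst = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    ports = APPS[rule.app]
    return in_src and in_dst and (ports is None or port in ports)

def evaluate(rules, src_ip: str, dst_ip: str, port: int, default="drop") -> str:
    """First-match evaluation from the top, as a firewall does; no match -> default."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return default

# Hypothetical addressing: guests sit in 10.99.0.0/24 with gateway 10.99.0.1, and
# "internal LAN" was written as all of 10.0.0.0/8, which also covers that gateway.
GUESTS = "10.99.0.0/24"
INTERNAL = "10.0.0.0/8"
GATEWAY = "10.99.0.1"

# The drop must sit above the allows: both allows use "any" destination,
# so placed first they would also admit email/web to internal hosts.
POLICY = [
    Rule(GUESTS, INTERNAL, "any", "drop"),       # guests -> internal LAN: drop
    Rule(GUESTS, "0.0.0.0/0", "web", "allow"),   # guests -> internet web: allow
    Rule(GUESTS, "0.0.0.0/0", "email", "allow"), # guests -> internet email: allow
]

# Same policy with the gateway carved out above the broad drop, per the caveat.
POLICY_FIXED = [Rule(GUESTS, GATEWAY + "/32", "any", "allow")] + POLICY

def gateway_reachable(rules, guest_ip: str = "10.99.0.50", port: int = 53) -> bool:
    """True if a guest can still reach its default gateway (e.g. for DNS) under rules."""
    return evaluate(rules, guest_ip, GATEWAY, port) == "allow"
```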

Dubois

  • 7 Posts
  • 0 Reply Likes
Hello,

We changed to this configuration (see captures).

If we change rule 6 "Any to Any for Any Network Service" to Deny:
Access to internet is available.
Access to Gmail or Hotmail is available.
Access to our internal Exchange Server is unavailable.
Access to our internal Network after Aerohive is unavailable (RDP...).

If we change rule 6 "Any to Any for Any Network Service" to Nat:
Access to internet is available.
Access to Gmail or Hotmail is available.
Access to our internal Exchange Server is unavailable.
Access to our internal Network after Aerohive is available (RDP...).

If we change rule 6 "Any to Any for Any Network Service" to Permit:
Access to internet is available.
Access to Hotmail is available (send/receive).
Access to Gmail is partially available (receive only / send failed).
Access to our internal Exchange is unavailable.
Access to our internal Network after Aerohive is unavailable.

On our firewall I can see the Aerohive AP going out to the internet.
But when it comes to connecting to the public peer of our Exchange mail server, it's denied because of "Unhandled Internal Packet-00" on port 443/TCP HTTPS, even if I activate "any rules" to free our Aerohive AP from our firewall rules.

So do we miss something? Wrong parameters in the Aerohive AP, or something in our firewall?

Dubois

  • 7 Posts
  • 0 Reply Likes
Finally we added our internal DNS to the DHCP configuration and all is fine!!

Will Rhodes

  • 45 Posts
  • 9 Reply Likes
Sorry I didn't get back to you earlier. I'm glad to hear it is working. Good Job!