Server mode deployment Example 1: FortiMail unit behind a firewall
FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide
Revision 2
http://docs.fortinet.com/
To add a service group for incoming FortiMail traffic
1 Go to Firewall > Service > Group.
2 Select Create New.
3 In Group Name, enter a name to identify the service group entry, such as
FortiMail_incoming_services.
4 In the Available Services area, select HTTP, HTTPS, SMTP, POP3, IMAP, and your
custom service for FortiGuard Antivirus push updates,
FortiMail_antivirus_push_updates, then select the right arrow to move them to the
Members area.
5 Select OK.
To add a service group for outgoing FortiMail traffic
1 Go to Firewall > Service > Group.
2 Select Create New.
3 In Group Name, enter a name to identify the service group entry, such as
FortiMail_outgoing_services.
4 In the Available Services area, select DNS, NTP, HTTPS, SMTP, and your custom
service for FortiGuard Antispam rating queries, FortiMail_antispam_rating_queries,
then select the right arrow to move them to the Members area.
5 Select OK.
Configuring the virtual IPs
In order to create the firewall policy that forwards email-related traffic to the FortiMail unit,
you must first define a static NAT mapping from a public IP address on the FortiGate unit
to the IP address of the FortiMail unit by creating a virtual IP entry.
To add a virtual IP for the FortiMail unit
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Complete the following:
   Name                        Enter a name to identify the virtual IP entry, such as FortiMail_VIP.
   External Interface          Select wan1.
   Type                        Select Static NAT.
   External IP Address/Range   Enter 10.10.10.1.
   Mapped IP Address/Range     Enter 172.16.1.5.
4 Select OK.
Note: To add virtual IPs, the FortiGate unit must be operating in NAT mode. For more
information, see the FortiGate Administration Guide.
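Once these objects exist, a saved FortiGate configuration can be checked against the values given in the procedures above, so that an extra service in the incoming group or a changed NAT mapping is noticed. The following is an added example, not part of the original guide or of any Fortinet tool. It assumes the config / edit / set layout of a FortiGate configuration backup, which may differ between FortiOS versions, and the names parse_config, audit and SAMPLE_CONFIG are hypothetical. The outgoing service group can be added to EXPECTED in the same way.

```python
import shlex

# Expected values, taken from the procedures on this page.
EXPECTED = {
    ("firewall service group", "FortiMail_incoming_services", "member"):
        {"HTTP", "HTTPS", "SMTP", "POP3", "IMAP", "FortiMail_antivirus_push_updates"},
    ("firewall vip", "FortiMail_VIP", "extintf"): {"wan1"},
    ("firewall vip", "FortiMail_VIP", "extip"): {"10.10.10.1"},
    ("firewall vip", "FortiMail_VIP", "mappedip"): {"172.16.1.5"},
}

# Constructed backup excerpt (not from the guide) with deliberate deviations.
SAMPLE_CONFIG = '''
config firewall service group
    edit "FortiMail_incoming_services"
        set member "HTTP" "HTTPS" "SMTP" "IMAP" "TELNET" "FortiMail_antivirus_push_updates"
    next
end
config firewall vip
    edit "FortiMail_VIP"
        set extip 10.10.10.1
        set extintf "wan1"
        set mappedip 172.16.1.50
    next
end
'''

def parse_config(text):
    """Map (section, entry, key) -> set of values; nested config blocks are not tracked."""
    values, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # shlex strips the quotes around names
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "set" and section and entry:
            values[(section, entry, tok[1])] = set(tok[2:])
    return values

def audit(text):
    """Return sorted findings; an empty list means the config matches the guide."""
    actual, findings = parse_config(text), []
    for (section, name, key), want in EXPECTED.items():
        got = actual.get((section, name, key), set())
        findings += [f"{name} {key}: unexpected {v}" for v in got - want]
        findings += [f"{name} {key}: missing {v}" for v in want - got]
    return sorted(findings)

print("\n".join(audit(SAMPLE_CONFIG)))
```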