Overview
This document provides guidance on configuring the network and server firewalls for inbound and outbound traffic to the Virtru Customer-Hosted Gateway, using the <container-name>-port as an example. This firewall configuration can be applied to the following Virtru Customer-Hosted Gateway use cases:
- Outbound Encrypt & Outbound DLP
- Outbound Decrypt
- Inbound Decrypt & Inbound Encrypt etc.
The setup includes:
- An email tenant (i.e., Google Workspace, Microsoft, or another email application) for initial email routing.
- A Virtru Customer Hosted Gateway instance for encryption or decryption.
- An SMTP relay to deliver emails from the Virtru Customer-Hosted Gateway back to the email tenant.
Email Flow
- Emails travel from the sender's (desktop or web) application to the email tenant (i.e., Google Workspace, Microsoft, or another mail application).
- Inbound Traffic to the Gateway: The email tenant routes emails meeting specific mail flow rules to the gateway via a specified host/server port.
- Outbound Traffic from the Gateway: The gateway encrypts/decrypts the email and sends it back to the email tenant for final delivery through the SMTP relay, using port 587 (for Google Workspace) or 25 (for Microsoft).
Firewall Configuration
Inbound Traffic to the Gateway
- Purpose: The email tenant forwards specific emails to the <container-name>-port gateway for encryption or decryption.
- Host/Server Port:
- For Google Workspace: Use a custom port, such as <9001-9005>, which can be defined during installation (mapped to port 25 within the container).
- For Microsoft: Use port 25 exclusively, as Microsoft requires this for all SMTP traffic.
- Required Firewall Settings:
- Server Firewall: Open the defined port <9001-9005> for Google Workspace or 25 for Microsoft to allow traffic to reach the <container-name>-port.
- Network Firewall (if applicable): Open the defined port on the network to allow external traffic to reach the server.
Outbound Traffic from the Gateway
- Purpose: After encryption or decryption, the gateway sends emails back to the email tenant, for example, via smtp-relay.gmail.com or [MX Record]:25 for final delivery.
- SMTP Relay Port:
- Use 587 for Google Workspace or 25 for Microsoft.
- Important: If you are using Google Workspace, port 25 does not need to be opened on the host or network firewall. However, if you are using Microsoft or another tenant that requires port 25 for final delivery, you will need to open port 25 for outbound traffic.
Communication with Virtru Endpoints
In addition, the Virtru Gateway needs to confirm that the user or organization is authorized to send encrypted emails. For this purpose, the gateway must connect to api.virtru.com on port 443. This connection verifies the necessary permissions to use Virtru's encryption service.
- Required Firewall Settings:
- Server Firewall: Allow outbound traffic on port 587 (for Google Workspace) or 25 (for Microsoft) to enable the gateway to communicate with smtp-relay.gmail.com or [MX Record]:25.
- Server Firewall: Allow outbound traffic on port 443 to enable the gateway to reach api.virtru.com. This is necessary for eligibility verification of encrypted email transmissions.
- Network Firewall (if applicable): Permit outbound traffic on port 587 or 25 for the SMTP relay.
Internal Container Port (Port 25)
- Container Use Only: Each gateway container listens on port 25 internally.
- Note: Host and network firewalls do not need to open port 25 if you're using Google Workspace, as the container's internal port is only accessible via the mapped external host/server defined port. However, port 25 must be opened if Microsoft is used for final delivery.
- Port Mapping: To route traffic from the defined host port to the container, you must set up a port mapping. This way, emails sent from the tenant to the server/host are forwarded to port 25 inside the container where the SMTP service is listening.
Example Configuration
For the <container-name>-port, configure the firewall as follows:
- Inbound (to Gateway Server/Container):
- Open the defined port for inbound traffic on both the network firewall and server firewall.
- Outbound (to SMTP Relay):
- Open port 587 (Google Workspace) or 25 (Microsoft) for outbound traffic on both the network firewall and server firewall.
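As an added illustration (not part of Virtru's documentation or tooling), the helper below prints the host-firewall rules and the container port mapping described above for a given tenant and host port. It assumes ufw as the server firewall and a Docker-style -p host:container mapping; the network firewall is left to the administrator.

```shell
#!/bin/sh
# Hypothetical helper, not Virtru's own tooling: print the server-firewall rules and the
# container port mapping this guide describes for one tenant type.
# Usage: gw_rules <google|microsoft> <host-port>
# Assumes ufw as the server firewall and a Docker-style "-p host:container" mapping.
gw_rules() {
    tenant="$1"
    host_port="$2"
    case "$tenant" in
        google)
            inbound_port="$host_port"   # custom host port (e.g. 9001), mapped to 25 in the container
            relay_port=587              # smtp-relay.gmail.com
            ;;
        microsoft)
            inbound_port=25             # Microsoft requires 25 for all SMTP traffic
            relay_port=25               # [MX Record]:25
            ;;
        *)
            echo "usage: gw_rules <google|microsoft> <host-port>" >&2
            return 1
            ;;
    esac
    # Inbound: email tenant -> gateway host port
    echo "ufw allow in proto tcp to any port $inbound_port comment 'tenant to gateway'"
    # Outbound: gateway -> SMTP relay for final delivery
    echo "ufw allow out proto tcp to any port $relay_port comment 'gateway to SMTP relay'"
    # Outbound: gateway -> api.virtru.com for eligibility verification
    echo "ufw allow out proto tcp to any port 443 comment 'gateway to api.virtru.com'"
    # Port mapping: host port -> container port 25, where the SMTP service listens
    echo "docker run -d -p ${inbound_port}:25 <container-name>-port"
}
```

Run `gw_rules google 9001` to see that port 25 is never opened on the host for Google Workspace, and `gw_rules microsoft 25` to see the inbound and outbound port 25 rules Microsoft requires.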
Summary Table
Traffic Direction | Purpose | Port on Firewall | Ports Open on
---|---|---|---
Inbound | Email tenant (Google Workspace, Microsoft, or other) to the gateway's defined port | Google Workspace: defined port; Microsoft: 25 | Network & Server
Outbound | Encrypted/decrypted email from the gateway to the email tenant's SMTP relay | smtp-relay.gmail.com: 587; [MX Record]: 25 | Network & Server
Outbound | Gateway server to Virtru endpoints (api.virtru.com) | 443 | Server
Internal (within the gateway) | Container listens for SMTP (container-only) | 25 | Not required if using Google Workspace
Following these configurations will ensure proper routing of emails through the Virtru Customer Hosted Gateway while maintaining security on the host server and network.