I am new to the SaaS Email product (though have done some work with MEG7 and Firewall Enterprise).
It is possible the answers I seek are located within the documentation and I simply haven't reached that part yet, but I thought I'd ask the questions in advance.
I am shortly going to be assisting an existing customer with the transition from an old on-site email security appliance to SaaS Email. With an on-premise solution the only gateway Firewall requirement is to allow SMTP traffic in and out. However, with the solution moving to the cloud there are a couple of additional considerations. To ensure that people of questionable intent don't try to by-pass the SaaS solution, I would imagine that locking down the inbound SMTP firewall rule to only allow traffic from the SaaS servers is necessary. Which hostnames/IP addresses are associated with the SaaS SMTP servers?
Similarly there will be a requirement to create an inbound rule to allow the SaaS system to perform the Active Directory Synchronization task. Again, I'm sure it would be wise to make sure that no-one else is allowed to try and access these services, so (again) which hostnames or IP addresses should we use?
Welcome to the McAfee SaaS Email Protection Community! All of the SaaS Services (the former MX Logic line of products) use the same IP ranges. You can find these in your Email Protection service, under Email Protection > Setup > MX Records. At the bottom of the page is a section for locking down servers. You'll need only the CIDR /21 or /24 notation, but not both, depending on what format your firewall works with. For some older firewalls, individual IPs are needed, and are provided.
If your firewall requires host min/max and subnets, those are available as well.
Thanks for the prompt response, Brad.
I haven't seen the configuration GUI in anger as yet (had a quick WebEx with one of the EMEA SEs yesterday, and as a reseller partner have also noted there are some SaaS Email videos on the Partner Learning Center site). However, I can see from the link to the support article the CIDRs you are referring to, and as McAfee Firewall Enterprise does support this kind of notation (I've worked with the Firewall for more years than I can remember and the vast majority of my community forum post count comes by way of that particular forum) I should just be able to lock down the rule to the two /21 CIDR entries mentioned in this article.
Can I just confirm that these same values would apply to the inbound LDAP traffic in addition to SMTP traffic?
You're correct. The same IP blocks apply to Inbound and Outbound SMTP Traffic, LDAP connections, as well as the Web Proxy services.
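An added example, not part of the thread or of any McAfee tooling: one way to verify the lock-down discussed above by expanding the /21 blocks into the /24 and host min/max forms and flagging accepted SMTP/LDAP connections from outside them. The CIDRs, the LDAP port and the key=value log format are constructed assumptions; the real ranges come from Email Protection > Setup > MX Records.

```python
import ipaddress

# Constructed placeholder ranges (RFC 2544 benchmarking space), NOT the provider's
# real blocks; take the real /21 entries from Email Protection > Setup > MX Records.
ALLOWED_21 = [ipaddress.ip_network(c) for c in ("198.18.0.0/21", "198.18.64.0/21")]
LOCKED_PORTS = {25: "SMTP", 389: "LDAP"}  # ports assumed for the inbound rules

def host_min_max(net):
    """Host min/max form for firewalls that cannot take CIDR notation."""
    return str(net[1]), str(net[-2])

def as_24s(nets):
    """Equivalent /24 list; load either this or the /21 list, not both."""
    return [s for n in nets for s in n.subnets(new_prefix=24)]

def is_allowed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in ALLOWED_21)

def audit(lines):
    """Return (src, service) for accepted inbound connections that bypassed the lock-down."""
    findings = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        port = int(fields.get("dport", 0))
        if fields.get("action") == "accept" and port in LOCKED_PORTS:
            if not is_allowed(fields["src"]):
                findings.append((fields["src"], LOCKED_PORTS[port]))
    return findings

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    "action=accept src=198.18.3.17 dport=25",
    "action=accept src=203.0.113.9 dport=25",
    "action=accept src=198.18.71.200 dport=389",
    "action=accept src=198.18.8.1 dport=389",
    "action=deny src=203.0.113.50 dport=25",
    "action=accept src=203.0.113.9 dport=443",
]

if __name__ == "__main__":
    for net in ALLOWED_21:
        print(net, host_min_max(net), len(as_24s([net])), "x /24")
    for src, svc in audit(SAMPLE_LOG):
        print("outside provider ranges:", svc, "from", src)
```

Any finding means the inbound rule is still accepting that service from an address outside the provider blocks.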