FortiGate Sub Interfaces (VLAN Trunking)

KB ID 0001772

Problem

I was asked by a colleague at work the other day, can we replace the Cisco firewalls with FortiGate firewalls for a client? As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn’t appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn’t know how FortiGate handled this, so I fired it up on the test bench to test FortiGate sub interfaces.

So I needed to create TWO sub interfaces on the FortiGate (on port3).

Creating FortiGate Sub Interfaces

Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a ‘sub interface’, you simply add a VLAN interface to a physical interface. Like so: Network > Interfaces > {Physical Interface} > Create New > Interface.

Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.

Just for testing I’ll also allow PING on the VLAN interface > OK.

Repeat the procedure to add further sub interfaces (VLANs).

Remember this is just a ‘Router on a stick’ configuration; to allow traffic out to the internet (or between VLANs) you still need to add that traffic to the firewall policy to let it through (it is a firewall after all!)

Setting up Switches for FortiGate Sub Interfaces?

I’ve probably got this covered elsewhere on the site, but the core switch is Cisco so I just created a trunk port and allowed ALL VLANs (because I’m lazy; in production you might want to lock that down a little!)

[box]

!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 150
 switchport mode access
!
interface Ethernet0/2
 switchport access vlan 200
 switchport mode access
!
interface Ethernet0/3
 switchport access vlan 150
 switchport mode access
!
interface Ethernet1/0
 switchport access vlan 200
 switchport mode access
 no cdp enable
!

[/box]

My switch isn’t Cisco, it’s HP/Aruba! Then you simply TAG the required VLANs on the uplink, see this article.

Related Articles, References, Credits, or External Links

NA

Group Won’t Accept Mail From ‘Outside’

KB ID 0001771

Problem

Exchange has been this way for a long time; here’s me explaining this very problem with older versions of Exchange. If you create a ‘Group’, be that a Distribution Group or a ‘Microsoft 365’ Group, the default setting is to NOT ALLOW mail from anyone outside your organisation. If you attempt to send mail to that group you will see errors like these:

Errors:

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender not authenticated when sending to the group

550 5.7.193 UnifiedGroupAgent; Delivery failed because the sender isn’t a group member or external senders aren’t permitted to send to this group.

Allow External Senders (On Premises & Hybrid Exchange)

If you have your own on premises Exchange server (this includes those of you that have migrated to Exchange Online but are in Hybrid Mode and are syncing your domain objects into Microsoft/Office 365 (Azure)), then you should change this setting in the on premises Exchange Admin Centre.

Recipients > Groups > Select the group in question > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

Note: Remember in hybrid mode this will need to sync to Microsoft online, so apply the ‘cup of coffee rule’ before testing it.

Allow External Senders Office/Microsoft 365 (Exchange Online)

Classic Exchange Admin Center

Recipients > Groups > Select the group in question > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

New Exchange Admin Center

Microsoft 365 Groups: Recipients > Groups > Microsoft 365 > ‘Double Click’ the group in question > Settings > Allow external senders to email this group > Save.

Distribution Groups: Recipients > Groups > Distribution List > ‘Double Click’ the group in question > Settings > Edit Delivery Management.

Allow messages from people inside and outside my organisation > Save changes.
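The same Delivery Management change from Exchange PowerShell, with a check before and after. This is an added example, not code from the original article; it assumes you are in the on-premises Exchange Management Shell (hybrid: set it on-premises and let it sync) or connected with Connect-ExchangeOnline, and ‘Sales-Team’ is a placeholder group name.

```powershell
# Added example (not from the article). Both distribution groups and Microsoft 365 groups
# expose RequireSenderAuthenticationEnabled: $true means internal (authenticated) senders
# only, which is the default that produces the 5.7.133 / 5.7.193 NDRs quoted above.

function Get-GroupExternalSenderState {
    param([Parameter(Mandatory)][string]$Identity)
    $g = Get-DistributionGroup -Identity $Identity -ErrorAction SilentlyContinue
    # Get-UnifiedGroup only exists in Exchange Online, so probe for it before calling it
    if (-not $g -and (Get-Command Get-UnifiedGroup -ErrorAction SilentlyContinue)) {
        $g = Get-UnifiedGroup -Identity $Identity -ErrorAction SilentlyContinue
    }
    if (-not $g) { throw "Group '$Identity' not found" }
    [pscustomobject]@{
        Name                   = $g.Name
        Type                   = $g.RecipientTypeDetails
        ExternalSendersAllowed = -not $g.RequireSenderAuthenticationEnabled
    }
}

function Set-GroupExternalSenders {
    param([Parameter(Mandatory)][string]$Identity, [bool]$Allow = $true)
    $state = Get-GroupExternalSenderState -Identity $Identity
    if ($state.Type -eq 'GroupMailbox') {          # Microsoft 365 Group
        Set-UnifiedGroup -Identity $Identity -RequireSenderAuthenticationEnabled (-not $Allow)
    } else {                                        # Distribution / mail-enabled security group
        Set-DistributionGroup -Identity $Identity -RequireSenderAuthenticationEnabled (-not $Allow)
    }
    # Re-read the object so the caller sees the setting as the server now holds it
    Get-GroupExternalSenderState -Identity $Identity
}

Get-GroupExternalSenderState -Identity 'Sales-Team'      # placeholder group name
Set-GroupExternalSenders -Identity 'Sales-Team' -Allow $true
```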

Related Articles, References, Credits, or External Links

NA

Can you Use ‘Let’s Encrypt’ on Hybrid Exchange?

KB ID 0001770

Problem

A few months ago I wrote an article about getting free Exchange certificates with ‘Let’s Encrypt’. That still works peachy; I implemented it on my test Exchange 2019 server (in Hybrid mode) and all appeared well.

Some time later (remember this is my test network, so it’s not in production) I noticed that mail was not getting forwarded from O365 to the on premises Exchange server. I’ve also had to fix similar problems like this before here.

These were the sort of errors I was seeing:

450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB8EUR05FT046.eop-eur05.prod.protection.outlook.com]

450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 TLS negotiation failed with error SocketError] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB3EUR04FT033.eop-eur04.prod.protection.outlook.com]

So the problem is obviously something to do with the certificate on the on premises server: either it’s misconfigured or Microsoft O365 does not like the ‘Let’s Encrypt’ certificate.

Solution

Firstly I made sure the send and receive connectors were using the correct certificate.

[box]

Get-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" | fl TlsCertificateName  
Get-SendConnector "Outbound to Office 365" | fl TlsCertificateName  

[/box]

Note: Above, change the server names and send connector name to match your own.

At this point I was pretty sure that the problem was with that cert so I bought myself a 12 month SSL cert (for the princely sum of $17) and used that instead.

How To Swap Hybrid Connector Certificates

Get the Thumbprint for the NEW publicly signed certificate (Get-ExchangeCertificate). Then use the following PowerShell.

[box]

# Load the NEW publicly signed certificate by its thumbprint (replace the XXXX placeholder)
$cert = Get-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Build the <I>issuer<S>subject identifier that connectors use to reference a certificate
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
# Bind it to the hybrid send and receive connectors (change the names to match your own)
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename
Set-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" -TlsCertificateName $tlscertificatename
# Restart transport so the connectors pick up the new certificate
Restart-Service MSExchangeTransport

[/box]

Now recheck the connectors:

Then attempt to re-validate the connector in Office 365, and it works straight away.
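A check that ties the two halves of the procedure together: which certificate each hybrid connector is bound to, and whether that exact certificate is installed locally, SMTP-enabled, unexpired and valid. This is an added example rather than the article’s own code; it assumes the connector names used above (change them to match yours) and that a connector’s TlsCertificateName renders as the "<I>…<S>…" string when converted to text.

```powershell
# Added example (not from the article): match what each connector holds against the local cert store.
function Test-HybridConnectorCertificate {
    param(
        [string]$SendConnector    = 'Outbound to Office 365',
        [string]$ReceiveConnector = 'PNL-MAIL-2019\Default Frontend PNL-MAIL-2019'
    )
    $connectors = @(
        Get-SendConnector    -Identity $SendConnector
        Get-ReceiveConnector -Identity $ReceiveConnector
    )
    # Build the same "<I>issuer<S>subject" identifier the article sets, for every installed cert
    $installed = Get-ExchangeCertificate | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            TlsName    = "<I>$($_.Issuer)<S>$($_.Subject)"
            Services   = $_.Services.ToString()   # e.g. "IMAP, POP, IIS, SMTP"
            NotAfter   = $_.NotAfter
            Status     = $_.Status                # Valid / Invalid / ...
            Issuer     = $_.Issuer
        }
    }
    foreach ($c in $connectors) {
        # Assumption: TlsCertificateName stringifies as "<I>...<S>..."; empty when nothing is bound
        $bound = "$($c.TlsCertificateName)"
        $boundDisplay = '(none)'
        if ($bound) { $boundDisplay = $bound }
        # -eq is case-insensitive, so the lowercase <i>/<s> used earlier still matches.
        # If several certs share issuer and subject (e.g. after a renewal), report the newest.
        $match = $installed | Where-Object { $_.TlsName -eq $bound } |
                 Sort-Object NotAfter -Descending | Select-Object -First 1
        [pscustomobject]@{
            Connector   = "$($c.Identity)"
            BoundTo     = $boundDisplay
            Installed   = [bool]$match
            Thumbprint  = $match.Thumbprint
            Issuer      = $match.Issuer
            SmtpEnabled = [bool]($match -and $match.Services -match 'SMTP')
            Expired     = [bool]($match -and $match.NotAfter -lt (Get-Date))
            Status      = $match.Status
        }
    }
}

Test-HybridConnectorCertificate | Format-List
```

A connector whose BoundTo value matches no installed certificate, or matches one that is expired or not SMTP-enabled, is the on-premises side of the STARTTLS/TLS negotiation failures quoted above.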

SO NO YOU CAN’T USE ‘LETS ENCRYPT’ FREE CERTIFICATES IF YOUR EXCHANGE SERVER IS IN HYBRID MODE

Related Articles, References, Credits, or External Links

Office 365: Migrating To Exchange Online

Free Exchange Certificate

No Mail Flow On-Premises To/From Office 365

Exchange Y2KK Bug

KB ID 0001769

Y2KK Problem

Over the last couple of days the Exchange forums have been alight with the Y2KK bug. Typically it affects Exchange 2016 and 2019 (though the chatter is that it actually affects any Exchange version whose update version begins with 22…).

The one below is fine (it begins with 21…).

[box]

Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
Get-EngineUpdateInformation

[/box]

Y2KK Symptoms

Emails No Longer Being Delivered!

Event ID 5300

[box]

Log Name: Application 
Source: FIPFS 
Logged: 1/1/2022 1:03:42 AM 
Event ID: 5300 
Level: Error 
Computer: exch.petenetlive.com
Description: The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long.

[/box]

Event ID 1106

[box]

Log Name: Application 
Source: FIPFS 
Logged: 1/1/2022 11:47:16 AM 
Event ID: 1106 
Level: Error 
Computer: exch.petenetlive.com 
Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error.

[/box]

Error “Message Deferred By Categorizer Agent”

Messages can be seen stuck in the message queues with this error.
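A quick way to check a server for the symptoms above before running the fix. The failing value in event 5300, 2201010001, is larger than the biggest signed 32-bit integer (2147483647), which is why the engine version cannot be converted; the check below reproduces that comparison and then looks for the FIPFS events and categorizer-deferred queues. This is an added example, not the article’s code; it assumes the Exchange Management Shell, takes the event IDs and provider name from the events quoted above, and assumes the categorizer deferral surfaces in Get-Queue’s LastError.

```powershell
# Added example (not from the article): local Y2KK symptom check for one Exchange server.
function Test-FipFsEngineVersion {
    param([string]$UpdateVersion)
    # With no value passed, read the live one using the article's own two commands
    if (-not $UpdateVersion) {
        Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell -ErrorAction Stop
        $UpdateVersion = (Get-EngineUpdateInformation |
            Where-Object { $_.Engine -eq 'Microsoft' }).UpdateVersion
    }
    [pscustomobject]@{
        UpdateVersion  = $UpdateVersion
        Int32Max       = [int32]::MaxValue                             # 2147483647
        Overflows32Bit = [int64]$UpdateVersion -gt [int32]::MaxValue   # $true for any 22... value
    }
}

function Get-Y2KKIndicators {
    # Event IDs 5300 and 1106 from provider FIPFS are the two errors quoted above
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'FIPFS'; Id = 5300, 1106 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    # Assumption: the categorizer deferral shows up as the queue's LastError
    $queues = Get-Queue | Where-Object { $_.LastError -like '*Categorizer*' }
    [pscustomobject]@{
        Engine      = Test-FipFsEngineVersion
        FipFsErrors = @($events).Count
        StuckQueues = @($queues | Select-Object Identity, MessageCount, LastError)
    }
}

# Offline check of the value from event 5300 above, then the live server checks
Test-FipFsEngineVersion -UpdateVersion '2201010001'
Get-Y2KKIndicators | Format-List
```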

Y2KK Solution

Note: Ensure your PowerShell execution policy is set to RemoteSigned before attempting to run the script below, or it will simply throw an error.

[box]

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

[/box]

See this article for more information.

The simplest fix to this problem is to run the script that Microsoft have provided, Reset-ScanEngineVersion.ps1.

Note: This needs to be RUN on EACH Exchange server (with the exception of Edge Transport Servers).

You can apply the ‘fix’ manually; instructions for doing so are on the link at the bottom of the page.

Update 04/01/21: You may need to disable all the transport rules before the queues will clear. (untested)

Related Articles, References, Credits, or External Links

Email Stuck in Exchange On-premises Transport Queues