Last adaptation to the version: 3.3.5
- General revision of the article
- Adaptation of the design to UTM v12.6
- Detailed list of the required ports
- Update of the Timestamp server
- Update of the Updateserver
- 01.2024
Introduction
The UMA is usually used in an internal network of an upstream firewall or a router with a firewall function. To ensure full functionality, it is necessary in some cases to release the required ports for the UMA.
Required ports
The following ports must be configured in the firewall so that the UMA can be used:
| Function | Port/protocol |
|---|---|
| Updates and timestamp retrieval | 80/TCP, 443/TCP |
| Time server | 123/TCP, 123/UDP |
| IMAP | 143/TCP, 993/TCP |
| POP3 | 110/TCP, 995/TCP |
| SMTP | 25/TCP, 465/TCP, 587/TCP |
| Name resolution | 53/TCP, 53/UDP |
Corresponding firewall rules must be created for these ports. If a UTM is used for this, the following Wiki articles describe the Configuration of the port filter.
In , the button adds a corresponding rule.
| # | Source: | Target: | Service: | NAT | Task: | Active: | Description | ||
 |
1 |  UMA |
Mailserver |
 imap or imap-ssl or pop3 or pop3s |
Accept | On | Rule for retrieving emails from an external mail server | ||
|
2 | UMA |
 internal-interface |
 dns |
Accept | On | Rule for name resolution. | ||
|
3 | UMA |
Mailserver |
smtp |
Accept | On | Rule for sending Alertincenter messages | ||
Timestamp
A firewall rule is also required for the time stamp signature and time synchronization. The firewall rules for the timestamp server and time synchronization must apply:
- Source: the UMA used
- Destination: for the timestamp tsa.utimaco.com, for time synchronization ntp.securepoint.de
- Service: https
- NAT: the external interface
| In click to create the network object. | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork object: 
|
|---|---|---|---|
| Name: | Timestamp server | The name of the network object | |
| Type: | Select hostname as type | ||
| Hostname: | tsa.utimaco.com | Enter the host name tsa.utimaco.com | |
| Zone: | Select as zone where the server is located | ||
| Groups: | A group can be added | ||
| # | Source: | Target: | Service: | NAT | Task: | Active: | ||
|
4 | UMA |
Timestamp server |
https |
HN | Accept | On | |
|
5 | UMA |
Time synchronization |
ntp-tcp or ntp-udp |
HN | Accept | On | |
Updateserver
A corresponding firewall rule must exist so that the UMA can download updates.
The update server responsible for this is: ext.proxy-001.spnoc.de
| In click to create the network object. | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork object: 
|
|---|---|---|---|
| Name: | Updateserver | The name of the network object | |
| Type: | Select hostname as type | ||
| Hostname: | ext.proxy-001.spnoc.de | Enter the host name tsa.utimaco.com | |
| Zone: | Select as zone where the server is located | ||
| Groups: | A group can be added | ||
| # | Source: | Target: | Service: | NAT | Task: | Active: | ||
|
6 | UMA |
Updateserver |
https |
Accept | On | ||
Further setting options
Depending on the firewall used, further functionalities can then be set, such as checking the mails for viruses, filtering for spam or forwarding the mails to an internal mail server.
If a UTM is used, the following wiki articles describe how to configure the Mailrelay and the Mailfilter.