
2 C170s without an M Series to manage them?

webabc123
Level 1

We have a single C170 and since it is a single point of failure that doesn't even have a redundant power supply, we would like to add a second ESA in a second physical location across a WAN.

So, I believe these can be clustered even without an M series ESA to manage them.  If you only have the two C170s and cluster them, what do you lose without the central management the M series provides?  Not sure the cost of getting an M series on top of a second ESA will be justified in a small environment.

We are somewhat concerned about user confusion if some of their quarantined email goes to one ESA and the rest goes to the other.

Maybe kill the quarantine altogether and forward suspect mail to the users, and try to get Outlook and OWA to deal with it by putting suspect mail in their Junk folder (maybe something can be done on the Exchange server side to recognize messages prepended with [SUSPECT MAIL] and automatically flag those messages as junk, disabling links and attachments)? Some other solution?

2 Accepted Solutions

M series provides centralized quarantines (Spam, as well as Policy, Virus and Outbreak).  It also provides centralized message tracking and maybe centralized reporting?...

Configuration sync is handled by the appliances themselves, so you'll still have that.

If 2 spam quarantines and 2 notifications are going to be an issue for your users, marking the messages and letting Exchange or Outlook sort them out is probably your best bet.

 

I am in the same boat.  99.000% of my traffic comes through one (mostly due to MX preferences)... We're currently just letting the other pass mail, and not sending out spam quarantine notifications.


Mathew Huynh
Cisco Employee

Though this may already be known, I think I'd just like to point this out as well.

Two ESAs clustered (Centralized Management) is for configuration to be shared and synced across the two in the cluster (or more if you decide to add more down the line).

 

Running two ESAs in a cluster without an M series is perfectly fine.


M series is mainly used for centralized reporting, tracking, quarantines.

Where you can monitor mail traffic from a centralized point rather than going between two ESAs etc.

Centralized quarantines to help with maintenance and also for ease of management.

 



Anyhow, on to your enquiry:

Running two ESAs in a cluster without an M series, you won't be losing much, I'd say.

 

But with your issue with the quarantines, this is a common question.

Some admins don't mind having two separate spam quarantines running with two notifications.


Alternatively you can manipulate the mail flows and have one ESA act as the centralized spam quarantine within the cluster, but this will take a bit of play with the configurations between the two.

 

Essentially something like..

ESA1 will act as the spam quarantine, so the quarantine is enabled and spam policies will send emails to the quarantine as per normal.

 

ESA2 you need to manually configure its policies separately (i.e. give it a machine-level override).

Edit the spam policy settings to add a custom X-Spam-Quarantine header or so.

Then run a content filter on ESA2: where the X-Spam-Quarantine header exists, alter the mail host for delivery so it goes to the ESA1 system.

 

Then run a message filter on ESA1: if remote IP = ESA2 and the X-Spam-Quarantine header exists -> send it to the spam quarantine with alternate mail host -> the.euq.queue

 

But the supported or recommended method, if you want 1 centralized quarantine, is running an M series.

 

I believe currently there are plans to make the M series into a virtual system (similar to vESA), so you could always wait for this :)

 

 

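The two-hop arrangement described in the post above, written out as AsyncOS filter text. This is an added example, not code from the original post or from Cisco; the filter names, the hostname esa1.example.com for ESA1 and the address 192.0.2.2 for ESA2 are placeholders, and the lines beginning with # are annotations to strip before pasting into `filters > new` on the CLI.

```text
# ESA2 (machine-level override, so the cluster-level policy is left untouched):
# in the incoming mail policy's Anti-Spam settings, deliver positively identified
# spam with the custom header "X-Spam-Quarantine" added instead of sending it to
# ESA2's own quarantine, then hand every tagged message to ESA1. This is the
# same thing as a content filter with condition "Other Header: X-Spam-Quarantine
# exists" and action "Send to Alternate Destination Host".
RelayTaggedSpamToESA1:
if (header("X-Spam-Quarantine"))
{
    alt-mailhost("esa1.example.com");
}

# ESA1: honour the tag only when the message really arrived from ESA2. Without
# the remote-ip check an outside sender could add X-Spam-Quarantine themselves
# and make legitimate mail vanish into the quarantine. the.euq.queue is the
# built-in alt-mailhost destination for the spam quarantine.
QuarantineTaggedFromESA2:
if ((remote-ip == "192.0.2.2") AND (header("X-Spam-Quarantine")))
{
    alt-mailhost("the.euq.queue");
}
```

Two things the filter text does not show: ESA1's listener needs a HAT sender group (RELAYLIST or equivalent) that accepts 192.0.2.2, and because the relay crosses a WAN, the mail flow policy on ESA1 and the Destination Controls entry for esa1.example.com on ESA2 should both require TLS. While ESA1 is down, tagged messages simply sit in ESA2's delivery queue and are retried according to the bounce profile rather than being rejected, which is the failover behaviour raised later in the thread.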

8 Replies

The new virtual SMA came out earlier this month; I'm getting my license ready to test it out. Big fan of central reporting and quarantines. If you're small then you should be fine with just two.

+1 for clusterconfig, well worth it when you have more than one ESA IronPort.

It's also always fun to play around with cluster -> group -> machine level configuration as well for maximum customization of the configurations at hand :>

I don't think the forwarding option would work for us because ESA2 would be intended as a failover to be used only if ESA1 was unavailable.  So, having a rule to forward to ESA1 would not work because it most likely would not be available to receive the email at a time ESA2 is getting the failover traffic.

However, maybe we could still do that if we would rather the mail be queued on ESA2 (rather than the sender's MTA) and have it wait for ESA1 to come back online.  That way, mail will always eventually go through ESA1 and be logged and quarantined in one place even if ESA1 is temporarily unavailable. 

 

So how are you doing failover?  If you're using something like a load balancer with traffic only going to #2 if #1 is down, or manually putting #2 into traffic when needed, then you are totally overthinking this....

They won't get double notifications and have to use multiple spam quarantines except when you have an outage...  and if you set one to mail the spam notification in the AM and one in the PM they probably won't even notice the difference for the day or two it might happen...

We plan to add the second C170 and just adjust the MX record score in public DNS so ESA1 would be the default.  The ESAs would be physically installed in different cities and ESA1 is in the city closest to our main offices.

If ESA1 is not there due to an outage, then the senders would send mail to ESA2 for however long it takes to get ESA1 back up and running.

This is what we do; we do get traffic to the second ESA.  I don't know that I've ever seen non-spam come through it, but it could happen.  You don't even have to adjust the score: if the primary is unreachable, the secondary WILL get the traffic.