Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2434
Views
0
Helpful
1
Replies

Cisco ESA cluster behind F5 load balancer for inbound emails

SHABEEB KUNHIPOCKER
Level 3
Level 3

‎06-05-2020 12:28 PM

Hello All,

 

One of our customer has 2 Cisco ESAs running in a cluster. Currently they have two MX records published in public DNS with same preference (say 10). The customer has F5 load balancer and now they are asking whether it is possible to place the ESAs behind  the load balancer and utilize a VIP IP which they will publish in the MX record. The advantages that see are

 

- they can add multiple ESAs in the same cluster without adding multiple MX records

- they can save public IPs since all the ESAs will use the same VIP of the load balancer.

 

The concerns I see are 

- the load balancers are known to use SNAT feature which will basically beat the IP reputation feature in the ESAs and the ESA will see the load balancer IP in all the SMTP connections (not the actual public IP of the remote SMTP servers)

- if I disable the SNAT from the load balancer then the  we need to make the F5 LB as the gateway for the ESAs to avoid asymmetric routing.

 

I would like to know whether it is a nice idea to place the ESAs behind a LB for inbound emails?. Kindly advise.

 

Thanks 

Shabeeb

Labels:
0 Helpful
1 Reply 1

Ken Stieers
VIP
VIP

‎06-05-2020 01:08 PM

You need to make the LB transparent...

Here's an earlier thread covering the concerns.

https://community.cisco.com/t5/email-security/esa-behind-load-balancer-any-consideration/td-p/3026916






0 Helpful
Customers Also Viewed These Support Documents