Cisco ESA Deployment Question

Ahmad Murad
Level 1
I have a question about the ESA deployment. In case I have 1 ESA deployed in my network with an MX record and the public IP is NATed to the ESA IP located on the DMZ.

If the ESA goes down for any reason like a power failure, can I still receive and send email or not? I mean in this case, can the device work in fail-open mode to relay the emails but without applying the policy?

Or in this case, will the mail system be completely down, and I need to add a 2nd MX record (high availability) to ensure that the email system is UP?



No, the ESA does not "fail open".  You will need a second MX record.  And really, that second MX record should point at a second ESA or point at something that isn't live until you turn it on in response to the ESA being down, because you WILL get traffic to it, even if your ESA is up.  Mostly spam and other trash... so you don't want that just flowing without a filter unless you REALLY have to....
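To make the MX behaviour behind this answer concrete, here is an added simulation (not from the thread or from Cisco) of how a sending MTA chooses among MX hosts per RFC 5321 section 5.1; the hostnames and the reachability table are constructed for the example.

```python
"""Simulate a sender's MX selection (RFC 5321 section 5.1) to show why a
single ESA behind the only MX record fails closed, and what a second MX
record changes. All hostnames and reachability values are constructed."""
import random
from typing import Dict, List, Optional, Tuple

# Layout 1: the ESA's NATed public address is the only MX host.
MX_SINGLE: List[Tuple[int, str]] = [(10, "esa1.example.com")]
# Layout 2: a lower-priority (higher preference number) backup MX host.
MX_BACKUP: List[Tuple[int, str]] = [(10, "esa1.example.com"),
                                    (20, "esa2.example.com")]


def mx_delivery_order(records: List[Tuple[int, str]]) -> List[str]:
    """Hosts in the order a sender tries them: lowest preference value
    first; hosts sharing a preference are tried in random order."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        random.shuffle(hosts)
        order.extend(hosts)
    return order


def pick_delivery_host(records: List[Tuple[int, str]],
                       reachable: Dict[str, bool]) -> Optional[str]:
    """The first MX host accepting port 25 gets the message. None means no
    host answered: the message stays queued at the sender and is bounced
    when the sender's retry window expires. Nothing 'fails open' here."""
    for host in mx_delivery_order(records):
        if reachable.get(host, False):
            return host
    return None


# Every MX host can be contacted directly; nothing forces a sender (least
# of all a spam bot) to try the preferred host first. So each host listed
# here must filter, or not listen until deliberately brought up.
def hosts_needing_a_filter(records: List[Tuple[int, str]]) -> List[str]:
    return sorted({host for _, host in records})
```

`pick_delivery_host(MX_SINGLE, {"esa1.example.com": False})` returns `None`, while the backup layout returns `esa2.example.com` for the same outage.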

This is very logical for me.

I had a discussion with Cisco SE and he insists that ESA acts as a proxy not as email server, so the mail server would still deliver email but without any ESA policies applied to it.

Here, if you point the Exchange server to the ESA and the ESA is down, then receiving and sending will be down, and only the internal emails will be working.



The SE is probably confusing the WSA (Web Security Appliance) with the ESA...

ravi saini
Level 1
Hi Ahmad,

If the ESA fails then only your internal domain emails (within a domain) can be delivered (because they don't reach the ESA).

If you want to send any email outside, you can't send until you remove the ESA connected to your mail server or it is fixed.