Cisco IronPort C170 + Exchange Server 2013

lyndonlou
Level 1

Hi,

By the way, I'm newly hired as a Systems Engineer in the company that I'm currently working for. I was assigned to set up and configure Cisco IronPort together with Exchange Server 2013 for our clients purchasing Cisco IronPort ESA C160/C170. I'm new to Cisco Email Security Appliances and I only have basic knowledge of email servers, which is why I'm having trouble setting up the client's requirements.

Currently, I already created Exchange Server 2013 in our lab environment for testing purposes. I've also changed Cisco IronPort C170 Management IP Address. The Exchange Server 2013 is working fine internally and I can also access the Cisco IronPort C170 in GUI.

 

How am I going to setup Cisco IronPort C170 with Exchange Server 2013? What are the requirements needed to setup?

As I understand from reading some data sheets, at least the basic practices for setting up IronPort would really help me, like:

1. Setup the ironport to send emails.

2. Setup the ironport to receive emails.

 

I would really appreciate it if you kindly give some answers to my questions.

 

Thank You


You can start with the Cisco Validated Design Guide for ESA:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG14.pdf

It's a step-by-step guide to get your ESA working.

Thank you Karsten Iwen, the PDF file helped me configure the basics of Cisco ESA.

Hey Lyndon,

 

Karsten's provided documentation will assist you for the deployment.

If you have fine tuning enquiries, do not hesitate to post here, or better yet open a TAC case if your issue is a bit more complex.

 

General information.

1. Setup the ironport to send emails.

> Configure an IP interface that can communicate to the internet on ports 80, 443 and 25

> Configure DNS servers or firewall rules to allow root DNS connections from the ESA (UDP/TCP 53)

> Configure your Listener as Public / Private (Public for incoming and can be outgoing / Private for only outgoing emails)

> Configure a default gateway (Note: the steps here and above are configured in the initial setup wizard)

This will enable your device to send emails, assuming there are network routes and firewall rule allowances.

 

2. Setup the ironport to receive emails.

> Configure your RAT table (Recipient Access Table) to allow emails in from external to your internal domain, and ensure "All other domains" is left as REJECT, else you'll be an open relay

> If running 1 listener setup, create a new mail flow policy and make it use the 'relay' action and name it RELAYED (GUI > Mail Policies > Mail Flow Policies)

> Create a new sender group (GUI > Mail Policies > Sender Group), make it use the new RELAYED mail flow policy, order it as '1' and put in your Exchange IP, so that emails from the Exchange outgoing smart host connector are treated as outgoing by the ESA

 

As long as the listener is configured as public, it will receive external emails if port 25 traffic hits it.

Thank you Matthew Huynh for your step by step guide to configuring ESA. However, if it's okay with you, could you also give me a step by step guide on what to configure on my Exchange Server 2013 to communicate with ESA? The step by step guide you've given me is good, but there are some parts of the steps that I can hardly understand because I'm new to ESA and I only have basic knowledge on how to set up an email server. In fact, this is the first time I have installed an Exchange Server 2013.

Hope you understand.

Hello Lyndon,

 

I'm not too well versed in the Exchange environment, so I'm not sure how well I can assist.

I normally base my experience on articles I read online about Exchange, but it's essentially creating a smart host connector in the Exchange environment to route to the ESA.

 

Then on the ESA you need to add the Exchange IP which will be connecting to the RELAYLIST for outgoing mail to work.

 

In terms of incoming email, you need to configure SMTP routes on your ESA to point to your Exchange server (GUI > Network > SMTP Routes); then your Exchange server just needs to accept the ESA's connection and handle it accordingly.

 

See:

https://www.quantumsoftware.com.au/Support/KB/Article.aspx?KBArticleID=183
 
 

Matthew Huynh, thank you for your effort. Maybe I'll first read up on how to set up email servers to send/receive outside the organization. After that I'll go to ESA.

If you have any idea on how to set up a step by step guide for this, please inform me.

Once again thank you

 

Hi Karsten,

 

I have a client who has an IronPort C170 integrated with a Microsoft Exchange Server 2013. He has email send and receive configured and working fine. He needs to implement secure communication between the IronPort and the Exchange server. Can you refer me to any document that lists how to configure secure communication between the two?

seamus_ryan
Level 1

Hi lyndonlou,

1. Setup the ironport to send emails.

 

I will assume you have the following already configured:
- Your IronPort with an Internet-facing address (that exists to receive mail from the internet), with a listener configured on port 25 of that address. For example the IP address may be 8.8.8.8, with a listener configured on that interface to accept mail on port 25

- Your IronPort with an internal-facing address (that exists to receive mail from your Exchange server), with a listener configured on port 25 of that address. For example the IP address may be 10.10.10.10, with a listener configured on that interface to accept mail on port 25

Now, since your internal listener has a private address, there is no harm in simply setting it up to relay all messages.

Navigate to Mail Policies > HAT Overview > Select your "internal" listener and ensure the Sender Group All is set to RELAY

Once this is done, simply configure your Exchange server to "relay" all internet-bound messages to your IronPort's internal listener address.

In Exchange Admin Center, navigate to Mail Flow > Send Connectors.

There should be a send connector called Internet, if not skip to the steps below to create one. If you double click it and then select the "scoping" option (third down) the address space should read:
Type = SMTP
Domain = *
Cost = 1

If you have this, simply select the Delivery option and check the box "Route mail through smart hosts". Then click Add, and add the IP address of your internal IronPort interface. Ensure the Authentication is set to None, and then just hit Save. This will route all external mail through the IronPort before it leaves your network.

If you don't have a send connector, you will need to create one. Simply hit Add (the plus sign) in the Send Connectors page of EAC. Use any name, set the type to "Internet" and hit Next, then check the box "Route mail through smart hosts" and hit Add. Add the IP address of your internal interface on your IronPort, then hit Next, then the Add button to add the address space of:
Type: SMTP
FQDN: *
Cost: 1

Hit Next, add your Exchange server and then hit Finish.

2. Setup the ironport to receive emails.

Ok so this is where it gets fun. You can do as others have said, and simply use a RAT to define what domain names you want to accept mail on. However what I would STRONGLY suggest is that you also configure some form of recipient validation.

Traditionally I would have recommended SMTP Call-Ahead, as this validates recipients quite quickly without requiring access to Active Directory for your Exchange environment. However recipient validation doesn't work (i.e. not as intended) for Exchange 2013, so your only option is to use LDAP acceptance queries.

I would strongly suggest you look at setting up LDAP acceptance queries, as this will cut back on invalid recipients, which reduces the impact of backscatter and also prevents your IronPort from processing emails it doesn't need to.

 

Cheers,

Seamus
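Seamus's send connector steps done from the Exchange Management Shell instead of the EAC, as an added example that is not part of the original reply; the IronPort address 10.10.10.10 and the server name EX2013 are assumed placeholders, and the final audit is added so you can see which catch-all connectors would still bypass the ESA.

```powershell
# Added example, not from the thread. Creates (or repoints) the Exchange 2013
# "Internet" Send Connector so all outbound mail (address space SMTP:*;1) is
# handed to the IronPort's internal listener as a smart host, then audits it.
# Assumptions: IronPort internal listener = 10.10.10.10, Mailbox server = EX2013.
$SmartHost    = "10.10.10.10"   # assumed IronPort internal interface
$SourceServer = "EX2013"        # assumed Exchange 2013 Mailbox server name

# Find any connector that already owns the catch-all address space "*"
$internet = Get-SendConnector | Where-Object {
    ($_.AddressSpaces | ForEach-Object { $_.ToString() }) -contains "SMTP:*;1"
}

if (-not $internet) {
    # No Internet connector yet: create one that routes via the IronPort
    New-SendConnector -Name "Internet" `
        -Usage Internet `
        -AddressSpaces "SMTP:*;1" `
        -SmartHosts $SmartHost `
        -SmartHostAuthMechanism None `
        -DNSRoutingEnabled $false `
        -SourceTransportServers $SourceServer
} else {
    # Connector exists: switch it from DNS delivery to the IronPort smart host
    Set-SendConnector -Identity $internet.Identity `
        -SmartHosts $SmartHost `
        -SmartHostAuthMechanism None `
        -DNSRoutingEnabled $false
}

# Audit: a connector for "*" that still has DNSRoutingEnabled = True would
# deliver straight to the Internet and skip the ESA entirely, so flag it.
Get-SendConnector | Where-Object {
    ($_.AddressSpaces | ForEach-Object { $_.ToString() }) -contains "SMTP:*;1"
} | ForEach-Object {
    $status = if ($_.DNSRoutingEnabled) { "BYPASSES ESA" } else { "via smart host" }
    "{0}: {1} ({2})" -f $_.Name, ($_.SmartHosts -join ","), $status
}
```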
Hi sir seamus_ryan, thanks for your comment, I really appreciate your effort sir. By the way sir, I have slightly understood the steps that you've given; however, I can't perform that since I only have an internal email Exchange server and I don't have a public IP address facing the internet. What I want to do now is that I want the messages to pass through the ESA before the recipients receive the email, so that I can track their messages internally. How can I do that?

FYI I'm using Exchange Server 2013 and Cisco Email Security Appliance C170

Thank you.

Paul Cardelli
Level 1

For those running into this issue and wanting to know how to configure Exchange for the ESA:

Here is how to set up a proper receive connector for Cisco ESA in Exchange 2013

https://technet.microsoft.com/en-us/library/jj657467(v=exchg.150).aspx

Here is how to create the Send Connector in Exchange 2013

https://technet.microsoft.com/en-us/library/jj673059(v=exchg.150).aspx
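As an added example that is not from the thread or the linked TechNet articles: the receive-side counterpart to Paul's links, a dedicated Exchange 2013 Frontend Receive Connector that accepts mail only from the IronPort, followed by the check Matthew's RAT warning implies on the Exchange side (no connector should let anonymous senders relay to any recipient). The address 10.10.10.10 and server name EX2013 are assumed placeholders.

```powershell
# Added example, not from the thread. Creates a Frontend Receive Connector on
# Exchange 2013 that accepts anonymous SMTP only from the IronPort, then audits
# every receive connector on the server for anonymous open-relay permission.
# Assumptions: IronPort internal interface = 10.10.10.10, Mailbox server = EX2013.
$EsaAddress = "10.10.10.10"   # assumed IronPort internal interface
$Server     = "EX2013"        # assumed Exchange 2013 server

# Same port as "Default Frontend", but RemoteIPRanges limited to the ESA, so
# Exchange selects this more specific connector for the ESA's sessions.
# AuthMechanism Tls offers STARTTLS, which the ESA can use for the ESA->Exchange hop.
New-ReceiveConnector -Name "Inbound from Cisco ESA" `
    -Server $Server `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $EsaAddress `
    -PermissionGroups AnonymousUsers `
    -AuthMechanism Tls

# Open-relay audit: ANONYMOUS LOGON holding ms-Exch-SMTP-Accept-Any-Recipient on
# a connector means that connector relays for whatever hosts RemoteIPRanges admits.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $rc = $_
    Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object {
            ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $relayRight
        } |
        ForEach-Object {
            "{0}: anonymous relay allowed from {1}" -f $rc.Name, ($rc.RemoteIPRanges -join ",")
        }
}
```

Any line the audit prints for a connector whose RemoteIPRanges is wider than the ESA's address is worth reviewing, since the ESA's RAT only protects mail that actually passes through the ESA.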