Cloud Email Security Search and Remediate

Hi all!

I have configured Cloud Email Security Search and Remediate according to this guide - https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_13-5-1/b_ESA_Admin_Guide_ces_13-5-1/b_ESA_Admin_Guide_12_1_chapter_010101.html

 

Has anyone succeeded with this?
We are running CES, with version 13.5.1
Two ESAs in clusters with an SMA.

 

I have done the following:
"" refers to the chapter contents within the guide

- Secured communication - "Certificate for Secure Communication"
- Registered my appliance - "Registering Your Appliance as an Application on Azure AD"
- Enabled Account Settings - "Enabling Account Settings on Cisco Email Security Appliance"
- Created an Account Profile - "Creating an Account Profile" and also tested the connection within Account profile creation.
- Mapped our domain to the account profile - "Mapping Domains to the Account Profile"

 

I manage to initiate a job, but nothing appears in mail_logs or remediation logs, but the successful tests appear in remediation logs.

 

Nothing appears in Remediation reports either.

 

Best regards
Johan

Accepted Solutions

Reply from TAC:

The SMA shows the following alerts pertaining to Server Verification error
“Warning: Remediation failed for MID(s): 21172 initiated as part of batch Remediate. Reason: server certificate verification error (Host IP)”

 



What can be done?

This generally happens if there’re any self-signed certs on the ESA and SMA.


However, the fix for this is to log into the SMA’s CLI and make the following changes:

SMAHOSTNAME> esaapiconfig

Choose the operation you want to perform:
- VALIDATE_CERTIFICATES - Whether to validate ESA API server certificates.
[]> validate_certificates

 

Should ESA API server certificates be validated during interaction? [Y]> N << Please change this to N

 

Afterwards, please try the remediation function again to see if the feature is working.
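
Added example, not part of the thread and not Cisco code: a small probe, run from any admin host that can reach the ESA, that performs the TLS handshake with validation on and reports which check fails behind the generic "server certificate verification error" (self-signed, untrusted issuer, name or IP mismatch, expiry). The port 6443 default, the host name in the usage comment and the optional CA bundle path are assumptions; use the values from your own deployment.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes that commonly sit behind a generic
# "server certificate verification error" alert.
CAUSES = {
    10: "certificate has expired",
    18: "self-signed certificate (not issued by a CA)",
    19: "self-signed CA in the chain that this client does not trust",
    20: "issuer not found in this client's trust store",
    21: "unable to verify the first certificate (intermediate missing)",
    62: "hostname does not match the certificate",
    64: "IP address does not match the certificate",
}

def classify(err):
    """Map an ssl.SSLCertVerificationError to a short cause string."""
    code = getattr(err, "verify_code", None)
    fallback = getattr(err, "verify_message", None) or str(err)
    return CAUSES.get(code, f"verification failed: {fallback}")

def probe(host, port=6443, cafile=None, timeout=5.0):
    """Handshake with validation ON and report the outcome.

    port=6443 is an assumed API port; pass the one your ESA listens on.
    cafile optionally points at a private CA bundle in PEM format.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return f"ok: {subject.get('commonName', '?')}"
    except ssl.SSLCertVerificationError as err:
        return classify(err)
    except OSError as err:  # refused, timed out, DNS failure, other TLS errors
        return f"connection problem: {err}"

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage (constructed host name): python probe.py esa.example.com 6443 ca.pem
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(sys.argv[1], port, cafile))
```

Probing by IP address and by host name separately shows whether the failure is a trust problem or a name mismatch, since the alert above reports the host by IP.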


3 Replies

charella
Cisco Employee
Hello Johan Anderstrom,

Enable API logs on both the ESA cluster and the SMA. > System Administration > Log Subscriptions > new > api log(option)
This carries the SMA >>> ESA communications and would log content.

Additionally, S&R may be interrupted if the Interface does not have the properly signed SSL Certificate configured.
This would be the simple drop down certificate option within the interface.
The interface settings would be masked from view within the CES environment due to security policy.
You can open a ticket for S&R “Error” to verify that setting as we cannot do that on the public forum.

Thank you,
Chris


Hello Chris,


I enabled API logging as you suggested, but it does not log when I initiate a job. Should I instead start a case with TAC regarding this?


Best regards

Johan
