Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1373
Views
0
Helpful
5
Replies

Direct Server Response Desgin

Jay Tiwari
Cisco Employee
Cisco Employee

‎07-08-2019 09:37 AM

Hi Experts,

Is it possible to configure VIP using Direct Server Response (DSR) feature in ESA without Load-balancer.

 

Scenario:

Customer ha purchased 4 ESA boxes and want to get configured with VIP, but, customer doesn't have any Load-balancer.

 

Any good design document around it would be much appreciated.

 

Regards,

Jay

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎07-08-2019 09:43 AM

Best is Hardware LoadBalancerr ( cheaper one KEMP you can get good return for money)

You can consider use DNS MX or A records by having equal weight.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Ken Stieers
VIP
VIP

‎07-08-2019 10:09 AM

No. DSR needs a load balancer to actually host the live VIP.



The VIP that gets put on the ESAs the loopback so that they "look like" the VIP on the load balancer that the external mail system connected to.

That way responses for the conversation can come from the correct IP without breaking the connection, while at the same time those packets don't have to go through the load balancer (eg DSR). The copy of the VIP on the ESA doesn't participate in ARP so new inbound connections can't find it...




0 Helpful

Jay Tiwari
Cisco Employee
Cisco Employee
In response to Ken Stieers

‎07-08-2019 11:00 PM

it means, deploying DSR feature is not possible without Load Balancer. Correct me if my understanding is wrong!

 

Now, in scenario where customer doesn't have Load Balance and have 4 ESA appliances, what would be best design so that customer can load balance SMTP traffic?

 

Regards,

Jay

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Jay Tiwari

‎07-09-2019 12:30 AM

i have given suggestion using DNS and MX records to loadbalance, If you like 4 ESA to be cluster make DNS and MX records advantage.

 

here is the cluster guide :

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200885-ESA-Cluster-Requirements-and-Setup.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Ken Stieers
VIP
VIP
In response to Jay Tiwari

‎07-09-2019 07:12 AM

Correct, you can't use DSR without a load balancer. A more correct statement: DSR is only needed if you use a load balancer.



Without a load balancer, I would set the ESA's up with 2 IPs, an inbound listener on one IP, an outbound listener on the other IP.

Set the interface names on the inbound listener to an external DNS name (eg. Mail1.company.com, mail2.company.com, etc...)

NAT the inbound listener IPs to the internet

Allow port 25 from Any to that IP

Create an A record for each IP, matching the interface names.

Create MX records that point at the A records, each MX record should have the same weight

Create an SPF record that looks something like this: "v=spf1 mx -all"



(That list isn't exhaustive but hits the high points... )


0 Helpful
Customers Also Viewed These Support Documents