Showing results for 
Search instead for 
Did you mean: 

DLP inside the organiztion


I'm curious as to what other email admins are doing today with DLP inside the organization. I mean, the Ironport is meant to monitor traffic in and out of the org and apply DLP policies, but what about internal mail traffic going from dept to dept that might viloate as well? Any crafty transport rules if using Exchange out there? Any add-on third party software that I don't know about? Modify internal routing so that all messages pass through ironport for dlp processing.

What are you doing today? And also if this is not allowed discussion on the board, please let me know and I will post on a blog.


4 Replies 4

Cisco Employee
Cisco Employee

Hi Chris,

I am not aware of any third party softwares but you can diffinitely route your internal traffic through IronPort. Customers normally route internal traffic through IronPort for virus scanning, can go for DLP too.



Customer Support Engineer Cisco IronPort

Viquar -

Thanks for the response. Do you have any customers that are currently routing internal exchange 2007 / 2010 messages through the ironport for processing?

I ask because the way the hub transport role works, I'm not sure how one would achieve this, even if they configure all connectors to route through a smart host.


Hi Chris,

Routing internal traffic through IronPort is not recommended but it is configurable. Your internal traffic is still going to match the sender group 'RelayList' but instead of sending traffic to internet, IronPort will deliver back to internal servers. IronPort check the destination host once recieved the message and based on destination it routes the traffic. If the destination host is your internal server, it will check the RAT table for the destination domain entry and via SMTP routes it will deliver to the destination server. If the message is going to internet, DNS servers will decide the destination server based on domain MX record.

Hope answered the question.


Customer Support Engineer

Thanks Viquar, I'm following you with the IronPort routing. However, I'm not following how I could route my internal exchange traffic through the ironport.

The hub transport server introduced with Exchange 2007 handles all message routing for intra-org and inter-org messages. Intra-org messages however will not be routed through to my smarthost (ironport) for processing, only delivered to proper destination mailbox server and eventually my email client.

So my question is still this.. Specific to Exchange 2007 and Exchange 2010, if it's possible and has been done, how would one configure the hub transport role

to route ALL mail traffic to the IronPort device for processing?

Thanks again for the help,


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: