Hi Ken,

Thank you for your reply. Can i install ESAv with Async os 15.0.x on Vmware Esxi version 8.0.2. I'm following below document but their no such data present.

 

You can try it, and support will be "best effort"...
But it's not on the supported Hypervisor list yet... and there may be a reason for it.
Read the text in that document on that page and the next.
They also only support VMWare on USC hardware...

Will it work? Very high probability.

Hi ken,

does joining an cluster using ccs needs to have 2 factor enable on appliances. PFA snap.

 

 

No... what that line means is that IF you have 2 factor enabled, you must use preshared keys. There's no mechanism for the 2-factor to happen when one ESA SSH's to the other for the cluster setup.



________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Hi Ken,

I didn't get you by this reply 

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.

If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.

The reply was: "No... what that line means is that IF you have 2 factor enabled, you must use preshared keys. There's no mechanism for the 2-factor to happen when one ESA SSH's to the other for the cluster setup."


The rest is disclaimer that I forgot to clean up. 

 

Hi Ken,

Basically i need to migrate from physical to virtual Esa, for same i'm referring below document and as per below document it would be better if we create an cluster between physical and V-ESA and then decommision physical. 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance-c390/221697-understand-best-practices-to-migrate-har.html

Does V-ESA also process traffic if we cluster it with physical, if yes what i can do to stop it from processsing mail traffic 

@Ken Stieers could you please share your input here. 

Thanks in advance ☺️ 

Keep the following in mind: ESA clustering is ONLY ESA configuration replication, its NOT High Availability, its NOT Failover... traffic is directed to the ESAs via OUTSIDE means...

Inbound mail is directed to your ESAs by MX record which points at A record in your external DNS... that probably points at IPs on your firewall that are NAT'd to the ESAs.
Your email system has a connector that defines how mail leaving is processed. Does it go to your ESAs now? If so, it needs to be pointed at the new vms.


Using the document you referenced as a framework, I'd do the following:
As part of step 1, set it up with interfaces using the same inter names and IPs that are on the same networks as your physical ESA. Set the IP Routes the same. Give the new ESAs new hostnames.

As part of step 2, I make sure all of the various license terms get approved... that may happen once you apply the license , but you may have to go turn on a feature, and approve the license. Check the Feature Keys page to see which ones need it.

Once you have completed Step 5, if you are using Cisco IronPort Email Encryption, open a TAC case and get the VMs registered with the Cisco Registered Envelope Service.

Now, test the new ESAs. I use an old smtp command line tool called BLAT (www.blat.net<>) to send mail through the ESAs to make sure inbound mail flows. You can do it with Powershell too.
Or with telnet https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118234-technote-esa-00.html

Once you know each of them will send mail through, look at how the mail gets to the ESAs.


For the LEAST disruptive way.

1. NAT the new ESAvs to new IPs on the public internet.
2. Create access rules for those ips to allow inbound and outbound SMTP
3. Create A records for those IPs in your public DNS, this should line up with what your Hostname is for the Public interfaces.
4. Create new MX records that point at the new A records.
5. Add the IPs to your SPF Record
6. On your internal mail system, it will have a connector or something that says "Send external outbound mail here:" , add your new ESAs...

Give it a bit, but your new boxes should start seeing mail now, depending up what your MX record TTL was.
Once you see mail flowing in and out from the ESAs you can remove the OLD MX records and A records, and remove the old ESAs from your outbound connector.

Once all mail is flowing through the new ESAs, on one of the new ESAs, login to the CLI and do the following
>clustermode cluster
>clusterconfig
>Removemachine, pick one of the hardware boxes, hit enter
Repeat removemachine for each hardware box you want to remove.

Hi Ken,

Thank you for your response.

As per your response it means i have to set highest priority for virtual esa mx record and same for outbound mail connector. 

Does it work well with 2 esa in same network [ with different ip address], i mean to say if new esa misses any mail does old esa process it ?, as its mx priority value lesser than new one. If everything works well then i have to just shutdown the old esa and  bound same hostname, interfaces details to new esa

How you set your MX priority is more about how quickly you want to push traffic over to the VMS...
Set it same if you're confident things are ready to go and that you didn't miss anything in the config.

Once you've shutdown the old boxes, you can move the names over.



________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

I'm planning to put higher priority to New V-esa and below that to old existing physical appliance. So that if anything has been missed by virtual esa would be deliver by old mx record.

is that works.