Cisco Secure Email Support Community

1736 Views, 0 Helpful, 2 Replies
engineer girl
Beginner

ESA deployment architecture

Hi,

I deployed an ESA C380 at a customer in a two-armed setup, as shown on the diagram below. Now the customer wants to change the architecture to one-armed, because for him two-armed is not secure, since the DMZ is connected to the LAN.

The appliance is in production, and there is a risk in changing the configuration because we would have to reinstall the ESA.

The second scenario is to create another DMZ for the private listener, so it will no longer be connected to the LAN but to the firewall, and all traffic will be redirected to the firewall before reaching the ESA. I don't know whether this scenario will work and what the impact is when changing the architecture.

I also want to know whether, when deployed one-armed, there is any latency in the queue, knowing that the flow is 2000 mails per hour.

Regards
1 ACCEPTED SOLUTION
Hrvoje (Harry) Dogan
Cisco Employee

Hi there,

You don't really need to reinstall the unit. If you can allocate another IP address on the physical interface where the public listener is, create a new IP interface on the ESA bound to that physical interface. Then, in the private listener settings, just bind that listener to the new interface.

Of course, you need to make sure that the ESA can reach the local mail servers correctly from the DMZ (and vice versa).

Another approach, if you have not done much customization of the HAT on the private listener, is to just add the "RELAYLIST" sender group to the public listener and use a single listener to receive incoming mail and accept outgoing mail. Just copy all the settings of the "RELAYED" mail flow policy from the private listener to the public one, and do the same for the "RELAYLIST" sender group.

I would also suggest reaching out to your local Cisco Security Consulting Systems Engineer for advice.

Hope that helps!

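The second approach in the accepted answer (one public listener carrying both the "RELAYLIST" sender group and the "RELAYED" mail flow policy) is only as safe as the HAT it ends up with: a relay entry that is wider than the internal mail servers, or a RELAYLIST group that lands below the catch-all "ALL" group, is exactly the kind of mistake that turns the merged listener into an open relay or silently stops outbound mail. The script below is an added illustration, not code from this thread or from Cisco, of the pre-change check a practitioner would want. It models the HAT as an ordered list of sender groups evaluated top-down with first match winning (that is how the ESA's HAT behaves); the list representation itself, the group and policy names other than RELAYLIST/RELAYED, and all addresses are constructed for the example.

```python
"""Sanity-check a merged listener's Host Access Table (HAT) before collapsing a
two-armed ESA onto a single public listener, as the accepted answer suggests.
Constructed example: not an ESA export format, addresses are made up."""
import ipaddress

# Constructed HAT: (sender group, address ranges, mail flow policy), in evaluation order.
HAT = [
    ("RELAYLIST", ["10.10.20.25/32", "10.10.20.26/32"], "RELAYED"),
    ("WHITELIST", ["203.0.113.0/24"], "TRUSTED"),
    ("BLACKLIST", ["198.51.100.0/24"], "BLOCKED"),
    ("ALL", ["0.0.0.0/0"], "ACCEPTED"),
]

# Internal mail servers (the Exchange side) that are the only hosts allowed to relay outbound.
INTERNAL_MAIL_SERVERS = ["10.10.20.25", "10.10.20.26"]


def match_policy(hat, source_ip):
    """Return (sender_group, policy) of the first HAT entry covering source_ip, else (None, None)."""
    addr = ipaddress.ip_address(source_ip)
    for group, ranges, policy in hat:
        for cidr in ranges:
            if addr in ipaddress.ip_network(cidr, strict=False):
                return group, policy
    return None, None


def relay_exposure(hat, allowed_relays):
    """Return [(group, cidr)] for every RELAYED range that reaches beyond allowed_relays."""
    allowed = {ipaddress.ip_address(a) for a in allowed_relays}
    findings = []
    for group, ranges, policy in hat:
        if policy != "RELAYED":
            continue
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            # Only an exact host entry for an approved relay is acceptable; a wider range
            # (or an unknown host) lets unexpected senders relay through the public listener.
            if net.num_addresses != 1 or net.network_address not in allowed:
                findings.append((group, cidr))
    return findings


def shadowed_entries(hat):
    """Return [(group, cidr)] for ranges fully covered by an earlier entry and therefore never matched."""
    seen = []
    findings = []
    for group, ranges, policy in hat:
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if any(net.subnet_of(earlier) for earlier in seen):
                findings.append((group, cidr))
        seen.extend(ipaddress.ip_network(c, strict=False) for c in ranges)
    return findings


def audit(hat, allowed_relays):
    """Run both checks; empty lists mean the HAT is safe to put on the public listener."""
    return {
        "open_relay": relay_exposure(hat, allowed_relays),
        "shadowed": shadowed_entries(hat),
    }


if __name__ == "__main__":
    # A mistaken variant: the whole server subnet was added to RELAYLIST, and the
    # group was dropped below the catch-all, so it is both too wide and unreachable.
    BAD_HAT = [
        ("ALL", ["0.0.0.0/0"], "ACCEPTED"),
        ("RELAYLIST", ["10.10.20.0/24"], "RELAYED"),
    ]
    print("good HAT:", audit(HAT, INTERNAL_MAIL_SERVERS))
    print("bad HAT: ", audit(BAD_HAT, INTERNAL_MAIL_SERVERS))
    print("10.10.20.25 on good HAT ->", match_policy(HAT, "10.10.20.25"))
```

Run it against the address list you intend to copy from the private listener's RELAYLIST; anything reported under `open_relay` should be tightened to host entries before the merge, and anything under `shadowed` means the group order on the public listener needs fixing.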

2 REPLIES

Hi All,

I am new to Gateway deployment. I have a vESA appliance and plan to have a two-armed connection. The first vESA connection will go to the DMZ and the second will be connected to the internal network, which will talk to Microsoft Exchange 2010.

I need your help and advice on how to configure the vESA.