11-19-2015 06:25 AM
We have a virtualized IronPort ESA and normally it ran one interface on our DMZ, 192.168.1.200.
On this DMZ the firewall only allows mail flow to and from the internal mail server 10.1.1.10 and 192.168.1.200, plus the other obviously necessary traffic like DNS and web for filter updates.
However, I want to integrate with AD, so in order to do that I had to connect another interface on our LAN in VMware, and in the IronPort ESA config I established this interface on the LAN at 10.1.1.200. I have all the services turned off on this interface, so accessing the web UI for spam or configuration still goes to the original interface of 192.168.1.200.
Now I was able to communicate with AD and do an LDAP query, which is great, but now incoming email is hitting our Exchange from the new interface 10.1.1.200 instead of the original 192.168.1.200.
When Exchange sends email out, it still sends it to 192.168.1.200, and IronPort correctly processes it. But when IronPort receives e-mail it is now sending it to Exchange on the new internal IP.
Question is, can I pin it so that IronPort uses the 192.168.1.200 (Management) interface for all SNMP traffic? The ONLY reason I added an internal interface at Data 1 is to query AD.
Is this secure or not?
Thanks!
11-19-2015 02:52 PM
Hey Keith,
From the details provided, may I ask you to ensure the ESA uses the right interface to send emails to your Exchange (192.168.1.200) instead of 10.1.1.200.
(Assuming 2 interfaces: one for generally most of the traffic, the other one for only AD queries.)
I would advise changing the following.
GUI > System Admin > LDAP > Change the LDAP interface for usage (for queries) to your new 10.1.1.200 (if you haven't already).
Then, CLI > deliveryconfig
Change the interface used for mail deliveries to the 192.168.1.200 interface (Chosen by Name).
I believe this should correct the behaviour.
Regards,
Matthew
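Once the LDAP interface and deliveryconfig changes above are in place, the quickest way to confirm they took effect is on the Exchange side: the receive-connector protocol log records the remote endpoint of every inbound SMTP session, so you can see whether the ESA is now connecting from 192.168.1.200 or still from 10.1.1.200. The script below is an added example, not part of this thread or of Cisco's or Microsoft's code. It assumes the Exchange SMTP receive protocol log layout (comma-separated rows whose column names come from the `#Fields:` header, with `+` marking a new connection) and runs over constructed sample lines that use the addresses from the thread; the hostnames and session IDs in the sample are made up.

```python
"""Check which IronPort ESA interface is connecting to Exchange by reading
the Exchange SMTP receive-connector protocol log.

Added example (not from the thread). Assumes the Exchange protocol-log
CSV layout: '#' comment header lines, a '#Fields:' line naming the columns,
and the event column holding '+' for connect, '<' for received command,
'-' for disconnect. The sample log below is constructed.
"""
import csv
from collections import Counter

EXPECTED_ESA_IP = "192.168.1.200"   # DMZ interface that should deliver mail
LAN_ESA_IP = "10.1.1.200"           # LAN interface meant only for LDAP queries

# Constructed sample of an Exchange receive-connector protocol log.
# The first session comes from the LAN interface (the problem the thread
# describes); the later ones come from the DMZ interface, as intended.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2015-11-19T14:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-11-19T14:01:02.123Z,EXCH01\\Default Frontend EXCH01,08D2F0A1B2C3D4E5,0,10.1.1.10:25,10.1.1.200:41022,+,,
2015-11-19T14:01:02.130Z,EXCH01\\Default Frontend EXCH01,08D2F0A1B2C3D4E5,1,10.1.1.10:25,10.1.1.200:41022,<,EHLO ironport.example.local,
2015-11-19T14:01:03.001Z,EXCH01\\Default Frontend EXCH01,08D2F0A1B2C3D4E5,2,10.1.1.10:25,10.1.1.200:41022,-,,Local
2015-11-19T14:05:10.500Z,EXCH01\\Default Frontend EXCH01,08D2F0A1B2C3D4E6,0,10.1.1.10:25,192.168.1.200:50311,+,,
2015-11-19T14:05:10.510Z,EXCH01\\Default Frontend EXCH01,08D2F0A1B2C3D4E6,1,10.1.1.10:25,192.168.1.200:50311,<,EHLO ironport.example.local,
2015-11-19T14:09:00.000Z,EXCH01\\Default Frontend EXCH01,08D2F0A1B2C3D4E7,0,10.1.1.10:25,192.168.1.200:50400,+,,
"""


def parse_protocol_log(text):
    """Return one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line or line.startswith("#"):
            continue                      # other header/comment lines
        if fields is None:
            raise ValueError("data row appeared before the #Fields header")
        values = next(csv.reader([line]))  # csv handles quoted commas in 'data'
        rows.append(dict(zip(fields, values)))
    return rows


def remote_ip(row):
    """Strip the port from an endpoint like '10.1.1.200:41022'."""
    return row["remote-endpoint"].rsplit(":", 1)[0]


def connect_sources(rows):
    """Count SMTP connections ('+' event) per remote IP address."""
    counts = Counter()
    for row in rows:
        if row["event"] == "+":
            counts[remote_ip(row)] += 1
    return counts


def unexpected_sessions(rows, expected_ip=EXPECTED_ESA_IP,
                        esa_ips=(EXPECTED_ESA_IP, LAN_ESA_IP)):
    """Return (session-id, ip, time) for ESA connections not from expected_ip."""
    bad = []
    for row in rows:
        if row["event"] != "+":
            continue
        ip = remote_ip(row)
        if ip in esa_ips and ip != expected_ip:
            bad.append((row["session-id"], ip, row["date-time"]))
    return bad


if __name__ == "__main__":
    rows = parse_protocol_log(SAMPLE_LOG)
    for ip, n in sorted(connect_sources(rows).items()):
        print(f"{ip:16} {n} inbound SMTP connection(s)")
    for session, ip, when in unexpected_sessions(rows):
        print(f"WARNING: session {session} at {when} came from {ip}, "
              f"expected {EXPECTED_ESA_IP}")
```

On a live server, replace SAMPLE_LOG with the contents of the current RECV*.log under the receive protocol-log path; any session still sourced from 10.1.1.200 after the deliveryconfig change means delivery is still leaving the LAN interface.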
11-20-2015 05:20 AM
OK, the CLI command deliveryconfig must not have a GUI equivalent.
We did sort this out. Once our firewall expert came in, he created a rule to allow the original interface 192.168.1.200 to speak to our domain controllers on port 686. We were then able to remove the internal interface.
Just trying to keep it simple.
Thanks for your help!