ESA How to pin specific traffic on a specific interface for mail flow?

keithsauer507
Level 5

We have a virtualized Ironport ESA and normally it ran one interface on our DMZ, 192.168.1.200.

On this DMZ the firewall only allows mail flow from the internal mail server 10.1.1.10 to 192.168.1.200 to and from, plus the obvious other necessary traffic like DNS and web for filter updates.

However, I want to integrate with AD, so in order to do that I had to connect another interface on our LAN in VMware, and in the Ironport ESA config I established this interface on the LAN at 10.1.1.200. I have all the services turned off on this interface, so accessing the web UI for spam or configuration still goes to the original interface of 192.168.1.200.

Now I was able to communicate to AD and do an LDAP query, which is great, but now incoming email is hitting our Exchange from the new interface 10.1.1.200 instead of the original 192.168.1.200.

When Exchange sends email out, it still sends it to 192.168.1.200, and Ironport correctly processes it. But when Ironport receives e-mail it is now sending it to Exchange on the new internal IP.

Question is, can I pin it so that Ironport uses the 192.168.1.200 (Management) interface for all SNMP traffic? The ONLY reason I added an internal interface at Data 1 is to query AD.

Is this secure or not?


Thanks!

Accepted Solution

Mathew Huynh
Cisco Employee

Hey Keith,

From the details provided, may I ask to ensure the ESA uses the right interface to send emails to your Exchange (192.168.1.200) instead of 10.1.1.200.

(Assuming 2 interfaces, one for generally most of the traffic, the other one for only AD queries.)

I would advise to change the following.

GUI > System Admin > LDAP > Change the LDAP interface for usage (for queries) to your new 10.1.1.200 (if you haven't already).

Then, CLI > deliveryconfig

Change the interface used for mail deliveries to the 192.168.1.200 interface (Chosen by Name).

I believe this should correct the behaviour.

Regards,

Matthew
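After changing the delivery interface with deliveryconfig, a practitioner will want to confirm that deliveries to Exchange really leave via 192.168.1.200 rather than take the answer on faith. The following is an added example, not code from the thread or from Cisco: it parses ESA mail_logs connection lines and flags any delivery to the internal mail server that used an unexpected source interface. It assumes the mail_logs "New SMTP DCID <id> interface <src-ip> address <dst-ip> port <port>" line format; the sample log lines below are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Assumed ESA mail_logs format for an outbound delivery connection (DCID):
#   "New SMTP DCID <id> interface <source-ip> address <destination-ip> port <port>"
DCID_RE = re.compile(
    r"New SMTP DCID (?P<dcid>\d+) interface (?P<iface>[\d.]+) "
    r"address (?P<addr>[\d.]+) port (?P<port>\d+)"
)


def parse_delivery_connections(lines):
    """Return one record per outbound delivery connection found in the log lines."""
    found = []
    for line in lines:
        m = DCID_RE.search(line)
        if not m:
            continue  # other log lines (MID events, bounces, ...) are ignored
        found.append({
            "dcid": int(m.group("dcid")),
            "interface": ip_address(m.group("iface")),   # interface the ESA sent from
            "address": ip_address(m.group("addr")),      # host the ESA delivered to
            "port": int(m.group("port")),
        })
    return found


def find_wrong_interface(lines, mail_server, expected_interface):
    """Deliveries to mail_server that left via any interface other than expected_interface."""
    mail_server = ip_address(mail_server)
    expected_interface = ip_address(expected_interface)
    return [
        c for c in parse_delivery_connections(lines)
        if c["address"] == mail_server and c["interface"] != expected_interface
    ]


def count_by_interface(lines, mail_server):
    """How many deliveries to mail_server used each source interface (quick sanity summary)."""
    mail_server = ip_address(mail_server)
    counts = {}
    for c in parse_delivery_connections(lines):
        if c["address"] == mail_server:
            key = str(c["interface"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines: DCID 102 is the bad case described in the thread
# (delivery to Exchange from the Data 1 interface 10.1.1.200 instead of 192.168.1.200).
SAMPLE_LOG = [
    "Tue Mar 10 09:12:01 2015 Info: New SMTP DCID 101 interface 192.168.1.200 address 10.1.1.10 port 25",
    "Tue Mar 10 09:12:05 2015 Info: New SMTP DCID 102 interface 10.1.1.200 address 10.1.1.10 port 25",
    "Tue Mar 10 09:12:09 2015 Info: New SMTP DCID 103 interface 192.168.1.200 address 203.0.113.25 port 25",
    "Tue Mar 10 09:12:11 2015 Info: Delivery start DCID 101 MID 5001 to RID [0]",
]

if __name__ == "__main__":
    print(count_by_interface(SAMPLE_LOG, "10.1.1.10"))
    for c in find_wrong_interface(SAMPLE_LOG, "10.1.1.10", "192.168.1.200"):
        print(f"DCID {c['dcid']}: delivered to {c['address']} via {c['interface']}")
```

Run it against a copy of mail_logs (grep for "New SMTP DCID" first if the file is large); an empty result from find_wrong_interface after the deliveryconfig change, together with the firewall only permitting 192.168.1.200 to reach Exchange, is the evidence that the delivery path is pinned as intended.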


keithsauer507

OK, the CLI command deliveryconfig must not have a GUI equivalent.

We did sort this out. Once our firewall expert came in, he created a rule to allow the original interface 192.168.1.200 to speak to our domain controllers on port 686. We were then able to remove the internal interface.

Just trying to keep it simple.

Thanks for your help!