ESA Integration With SMA M170

rmujeeb81
Level 1

Hi All,
I have to deploy an SMA M170 for one of our customers who is already using 2 * WSA and 2 * ESA appliances. Could you please guide me on whether there will be any downtime for the WSA and ESA services if I add them to the SMA?

After adding the WSA and ESA to the SMA, will the current configuration on these devices remain intact?

Also, kindly confirm what other ports would need to be open between the SMA and the WSA/ESA appliances other than SSH and HTTPS.

Waiting for your response.

Thanks & Regards,

Paul Cardelli
Level 1
I recommend checking out chapters 2 and 8 in the SMA user guide,

http://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma7-9/SMA_7-9_User_Guide.pdf

For the ESA you will definitely have no downtime; there are migration wizards and everything. The ESAs continue to be configured and managed directly on the ESA. The only parts of the ESA that move to the SMA are reporting and the Spam, Policy, Virus, and Outbreak Quarantines.

I'm pretty sure the only port you need to be concerned about for the communication between the SMA and the ESAs is port 22. This is likely the case between the WSA and SMAs as well.

Because you will need to manage the filters directly on the ESA, you will probably want to use ClusterConfig. There is no separate license for this anymore, so take advantage of it, and don't use the DNS/CCS port (a known bug) for the communication but stick to IP/SSH.

One other thing I ran into after setting up the SMA is that I needed a feature key: you will need the SMA feature keys to manage both ESA and WSA. There is a 30-day trial, but if you have any issues with your reseller and Cisco account manager like I do, you will want to check this out right away.

I don't have the WSA so I can't speak for its management on the SMA, but if it is anything like the ESA, there is probably a migration path for that as well. I would recommend reading the SMA user guide, or opening a support ticket. You will be able to import the existing configurations and set them as Configuration Masters. It sounds like you can then associate WSA appliances with the same or different config masters.

Paul has basically summed up all the key points.

Additionally, I would also recommend consulting the compatibility matrix of the SMA to ensure that your ESAs and WSAs are supported on the version you wish to go to.

http://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma_all/SMA-ESA-WSA_Compatibility.pdf

Another key point to note:

SMA to ESA integration will not change any configurations on live mail production.

Once the ESA is set to use Centralized Reporting and Tracking (and/or quarantines as well), it will simply ready the data for the SMA to pull.

As long as port 22 is open, they will be able to communicate for reporting and tracking pulls.

However, Centralized Quarantines will require additional ports depending on the port numbers you wish to use.

The ports used for the Spam Quarantine can be defined to your requirements, and this is seen in the centralized spam quarantine configuration on the ESA and SMA

(The same applies to the Centralized Policy, Virus and Outbreak Quarantine).


Regards,

APAC ESA Engineer - Matthew
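A pre-flight firewall check along the lines both replies describe (tcp/22 between the SMA and every ESA/WSA, plus whichever ports you chose for the centralized quarantines), added here as an example that is not part of the thread. The hostnames, the quarantine port numbers and which side initiates each connection are constructed placeholders; replace them with the values from your own centralized quarantine configuration.

```shell
#!/bin/sh
# Added example, not from the thread: checks that the ports the SMA integration
# depends on are actually reachable before cutover, so a missing firewall rule
# is found during planning rather than when reporting/quarantine traffic starts.
# Inventory format: run_from  target_host  port  purpose  (one check per line).
# Hosts, quarantine ports and directions are constructed placeholders.
INVENTORY='
sma   esa1.example.com   22    ssh-reporting-tracking
sma   esa2.example.com   22    ssh-reporting-tracking
sma   wsa1.example.com   22    ssh-config-master
sma   wsa2.example.com   22    ssh-config-master
esa1  sma.example.com    6025  centralized-spam-quarantine
esa1  sma.example.com    7025  centralized-pvo-quarantine
esa2  sma.example.com    6025  centralized-spam-quarantine
esa2  sma.example.com    7025  centralized-pvo-quarantine
'

# Print "host port purpose" for every check that must run from host role $1
# (e.g. "sma" on the SMA, "esa1" on the first ESA). Blank lines are skipped.
checks_for() {
  printf '%s\n' "$INVENTORY" | awk -v me="$1" 'NF == 4 && $1 == me { print $2, $3, $4 }'
}

# TCP reachability through bash's /dev/tcp (no nc dependency); exit 0 = open.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run every check for this host role; returns the number of blocked ports.
run_checks() {
  blocked=0
  while read -r host port purpose; do
    [ -n "$host" ] || continue
    if port_open "$host" "$port"; then
      echo "OK       $host tcp/$port ($purpose)"
    else
      echo "BLOCKED  $host tcp/$port ($purpose) -> open it before cutover"
      blocked=$((blocked + 1))
    fi
  done <<EOF
$(checks_for "$1")
EOF
  return "$blocked"
}

# Usage: ./sma_port_check.sh sma    (on the SMA)
#        ./sma_port_check.sh esa1   (on each ESA, for the quarantine ports)
if [ $# -gt 0 ]; then
  run_checks "$1"
fi
```

The exit status is the number of blocked ports, so the script can gate a change window in a larger runbook.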