ESA With 2 NICS - Different Gateways - Updates Fail

dcreamer11 (Level 1)

Hello All,

So, I have a client that would like to use the 2 interfaces on the C170 ESA. One is strictly for internal management - GUI access, SSH, SCP, etc. The second interface they would like configured for all external and email traffic - inbound/outbound email, Sophos updates, AntiSpam updates, etc. Is this possible? I have not found a way to get the 2nd interface to properly route traffic for the updates. I hope I'm missing something simple - if not, I'll have to ask them to change a few firewall rules.

As for a test, we added a proxy server to the service update field, and everything ran fine. In the logs, it states it cannot connect to the update site on 443 - so I believe it's not routing through the 2nd interface.

Thank you in advance,

Dave

Accepted Solution

Mathew Huynh (Cisco Employee)

Hey Dave,

Yes this setup is fine and you'll be able to do it.

Generally I assume the interface for internal management, for example, will be under the Management interface, while the other interface configured will be a Data1 port or so.

When you create that 1 listener (Public) make sure it's using Data1.

Even though it's a public listener, you can still use it for outbound routing as well, so no issues there.

After your mail routing is all set up, you can fix the 'delivery' interface for all email traffic going out of the ESA with the CLI > deliveryconfig command to specify this.

For your service updates to use the Data1 interface and not Management, ensure all network routes are ready. From the CLI you will use CLI > updateconfig, follow the prompts on the setup and change the update interface to use Data1 as per your requirement.

This interface selection for the updater service is also available in the GUI > Security Services > Service Updates > Edit, and you can see an 'interface' option to choose.

I hope this helps,

Matthew

3 Replies

Hi Matthew,

Would I have to add in the routes for the IronPort update services in the routing tables? I'm still not able to get to those servers using the correct interface, even though that interface is set, and the default gateway is set to the firewall/DMZ IP?

Thanks,

-Dave

Hello Dave,

In regard to this updateconfig change, the source IP used for the update servers will be the interface chosen. As I believe, if packet captures were done, the information seen would be the IP of the interface chosen as the source to the update servers.

The actual route it takes will be determined by the default gateway set for that IP; else you'll need to generate static routes, as you have understood, to route it through a specific next hop for the handling.

Regards,

Matthew
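The distinction Matthew draws in the last reply (updateconfig picks the source IP, the routing table picks the next hop) is the thing that bites in dual-interface setups, so here is a small model of it as an added example. This is not Cisco or AsyncOS code; it is a toy longest-prefix-match routing table with a default gateway and optional static routes, and every address in it is a constructed documentation value (RFC 1918 for the management side, RFC 5737 for the DMZ and the stand-in "update server"). The names Management and Data1 mirror the thread; the subnets and gateways are assumptions.

```python
"""Toy model of source-interface selection versus route selection.

Added example, not ESA code.  Demonstrates why choosing Data1 as the updater
interface does not by itself send update traffic out of Data1: the next hop
comes from the routing table (default gateway or a static route), and a
packet capture would show the Data1 IP as source even when the egress path
is the management gateway.  All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface  # host address with prefix length


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected


class RoutingTable:
    """Single routing table, as a host with two NICs has: connected routes,
    one default route, and any static routes the admin adds."""

    def __init__(self, interfaces: List[Interface]):
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.routes: List[Route] = [Route(i.addr.network, i.name, None) for i in interfaces]

    def _iface_for_gateway(self, gw: ipaddress.IPv4Address) -> str:
        # A next hop is only usable if it sits on a connected subnet; this is
        # the check that catches a gateway typed into the wrong interface.
        for i in self.interfaces.values():
            if gw in i.addr.network:
                return i.name
        raise ValueError(f"gateway {gw} is not on any connected subnet")

    def add_route(self, prefix: str, gateway: str) -> Route:
        gw = ipaddress.IPv4Address(gateway)
        route = Route(ipaddress.IPv4Network(prefix), self._iface_for_gateway(gw), gw)
        self.routes.append(route)
        return route

    def set_default_gateway(self, gateway: str) -> Route:
        return self.add_route("0.0.0.0/0", gateway)

    def lookup(self, dest: str) -> Route:
        d = ipaddress.IPv4Address(dest)
        matches = [r for r in self.routes if d in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dest}")
        return max(matches, key=lambda r: r.prefix.prefixlen)  # longest prefix wins


def plan_flow(table: RoutingTable, source_iface: str, dest: str) -> dict:
    """What a capture would show: source IP from the chosen interface, but
    egress interface and next hop from the route lookup on the destination."""
    route = table.lookup(dest)
    src = table.interfaces[source_iface]
    return {
        "source_ip": str(src.addr.ip),
        "egress_iface": route.iface,
        "next_hop": "on-link" if route.gateway is None else str(route.gateway),
        "consistent": route.iface == source_iface,  # False = asymmetric path
    }


UPDATE_SERVER = "203.0.113.50"  # constructed stand-in for an update server


def build_table() -> RoutingTable:
    return RoutingTable([
        Interface("Management", ipaddress.IPv4Interface("10.0.0.10/24")),   # assumed
        Interface("Data1", ipaddress.IPv4Interface("192.0.2.10/24")),       # assumed DMZ
    ])


def scenario_default_via_management() -> dict:
    # Updater bound to Data1, but the only route to the outside is the
    # default gateway on the management subnet.
    table = build_table()
    table.set_default_gateway("10.0.0.1")
    return plan_flow(table, "Data1", UPDATE_SERVER)


def scenario_static_route_via_data1() -> dict:
    # Same table plus a static route for the update servers via the DMZ
    # firewall; now source interface and egress interface agree.
    table = build_table()
    table.set_default_gateway("10.0.0.1")
    table.add_route("203.0.113.0/24", "192.0.2.1")
    return plan_flow(table, "Data1", UPDATE_SERVER)


if __name__ == "__main__":
    print("default via Management:", scenario_default_via_management())
    print("static route via Data1:", scenario_static_route_via_data1())
```

The "consistent" flag is the thing to look at when troubleshooting: when it is false, the appliance sends packets with the Data1 address out of the management side, and a firewall that expects that source on the DMZ leg will drop or never see them, which matches a log line saying the update site on 443 cannot be reached. Adding the static route (or moving the default gateway to the DMZ firewall) is what makes the two agree.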