10-18-2012 10:34 PM
I'm configuring an Ironport in an Exchange 2010 environment. I'm having a little trouble getting outgoing mail to work. Incoming mail is working, but I'm not quite sure if the Ironport is set up correctly. My question is when setting up the Ironport, will I change my MX records? Or am I simply just adding the Ironport as a SmartHost and all mail will go through the SmartHost? I've pointed the Ironport to my Exchange server and added the SmartHost on Exchange.
10-18-2012 10:53 PM
Hi Evan,
For outgoing mail to flow through the IronPort appliance, you need to make the following two config changes:
- Configure Exchange server with smarthost pointing to IronPort's Outbound listener.
- Define Exchange's IP address in RelayList Sendergroup on outbound listener.
If you have configured the above two settings, then I would recommend checking mail_logs to see what IronPort is doing with the connection coming from the Exchange side. To check the logs, you can use the following command from the CLI:
> grep "
NOTE: replace the
Once you get the ICID, please grep that ICID to see the details about that connection.
I hope this will help.
Rehan
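Added example, not part of the original post or any Cisco tooling: a small Python sketch of the log check described above, run against an exported copy of mail_logs. It finds every ICID opened by the Exchange server's IP and reports which sender group and action the listener applied. The sample lines are constructed and modelled on the AsyncOS mail_logs text format (an assumption; wording can differ by version), and the IPs, host names and function names are hypothetical.

```python
import re

# Constructed sample lines; format is an assumption based on AsyncOS mail_logs.
SAMPLE_LOG = """\
Tue Oct 23 14:01:10 2012 Info: New SMTP ICID 4101 interface Internal (10.0.0.5) address 10.0.0.20 reverse dns host exch01.example.local verified yes
Tue Oct 23 14:01:10 2012 Info: ICID 4101 RELAY SG RELAYLIST match 10.0.0.20 SBRS not enabled
Tue Oct 23 14:01:11 2012 Info: Start MID 9001 ICID 4101
Tue Oct 23 14:01:12 2012 Info: ICID 4101 close
Tue Oct 23 14:05:30 2012 Info: New SMTP ICID 4102 interface External (192.0.2.5) address 10.0.0.20 reverse dns host exch01.example.local verified yes
Tue Oct 23 14:05:30 2012 Info: ICID 4102 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Tue Oct 23 14:05:31 2012 Info: ICID 4102 close
"""

# "New SMTP ICID <n> interface <name> (<listener ip>) address <client ip>"
NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface (.+?) \(([\d.]+)\) address ([\d.]+)")
# "ICID <n> <action> SG <sender group>": the HAT decision for that connection
POLICY = re.compile(r"ICID (\d+) (RELAY|ACCEPT|REJECT|TCPREFUSE) SG (\S+)")


def trace_sender(log_text, sender_ip):
    """Map each ICID opened by sender_ip to its interface, action and sender group."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m and m.group(4) == sender_ip:
            conns[m.group(1)] = {"interface": m.group(2), "action": None,
                                 "sendergroup": None}
            continue
        m = POLICY.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(action=m.group(2), sendergroup=m.group(3))
    return conns


def relay_problems(conns):
    """ICIDs from the sender that were not given the RELAY action."""
    return [icid for icid, c in conns.items() if c["action"] != "RELAY"]


if __name__ == "__main__":
    found = trace_sender(SAMPLE_LOG, "10.0.0.20")
    for icid, info in found.items():
        print(icid, info)
    print("not relayed:", relay_problems(found))
```

A connection from the Exchange server that shows ACCEPT under a sender group other than RELAYLIST is being handled as inbound mail, which points at the smarthost targeting the wrong listener or the server's IP missing from RelayList.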
10-23-2012 02:13 PM
Hi Rehan,
So I've configured the Smarthost on the Exchange server, I'm not exactly sure where you configure the RelayList Sendergroup on outbound listener on the Ironport. Where exactly is this on the C170 Ironport?
10-23-2012 02:25 PM
There are 2 ways to get to it.
1. Click on Network>Listeners, in the row for the Outbound listener, click on the HAT link.
Then click on RelayList and add the Exchange servers to the list at the bottom.
2. Click on Mail Policies/HAT Overview. Select the Outbound Listener.
Then click on RelayList and add the Exchange servers to the list at the bottom.
10-23-2012 02:28 PM
I actually tried that, but I got the error stating 'Port already used by Listener "IncomingMail" which is for the TCP Port: 25. This happens when I'm trying to make my Outgoing Mail listener.
10-23-2012 02:29 PM
Do you have 2 listeners?
10-23-2012 02:30 PM
No, at the moment I only have IncomingMail under Listeners.
10-23-2012 02:39 PM
You need another listener, call it OutboundMail.
Listeners need their own IP interface (not necessarily a separate physical interface), but that's what I did...
Take a look at the section in the Online Help titled "Receiving Email with Listeners"
10-23-2012 02:45 PM
Ken,
Thanks for taking the time to assist. I probably should read up a little more, but I thought I was on the right track.
I've configured a listener called OutbountMail, type of listener set as Private, Interface Data 2, and TCP Port: 25 of course, yet I still get an error that it's used by InboundMail. Do I need to set something else to distinguish it from InboundMail?
10-23-2012 02:49 PM
I think I figured it out. My interfaces are labeled as Data 2 (external) and Management (Internal). Now I was under the impression that the 2nd NIC, the Management port, was used as an out-of-band port. Should these ports be configured as External and Internal, and have a pass-through? Or am I totally off base here?
10-23-2012 03:12 PM
You're on the right track.
Physically, the ports are labeled Data1 and Data2.
Then you create IP interfaces on them. I'd have used Private and Public, or Internal and External. (I'll use those going forward.) Put External on Data2 and plug it in to your DMZ, put Internal on Data1 and put it on your server subnet.
On the Private/Internal interface turn on the Appliance Management/Spam Quarantine/etc
On the External interface, turn all that off...
Create the InboundListener on the External IP interface
Create the OutboundListener on the Internal IP interface
You probably don't have to do ALL of that, maybe just rename the internal stuff, so it's less confusing... And put the second listener on the "internal" interface.
10-23-2012 03:46 PM
So the external interface of the Ironport will definitely sit on the DMZ, just as my Edge Transport did at one time during testing, good to know. I wasn't 100% on this so I'm glad that's cleared up.
I'm going to reconfigure it from the ground up as you listed it above. Thanks so much Ken. I'll post back my status and findings.
10-23-2012 03:51 PM
You don't HAVE to put it on the DMZ, but it's best practice...
05-07-2013 04:56 PM
Was there a happy ending to this story? Did it finally work?
Sent from Cisco Technical Support iPad App