Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7273
Views
0
Helpful
13
Replies

Fresh Ironport w/ Exchange

hackerboss
Level 1
Level 1

‎10-18-2012 10:34 PM

I'm configuring an Ironport in an Exchange 2010 environment.  I'm having a little trouble getting outgoing mail to work.  Incoming mail is working, but I'm not quite sure if the Ironport is setup correctly.  My question is when setting up the Ironport, will I change my MX records?  Or am I simply just adding the Ironport as a SmartHost and all mail will go through the SmartHost.  I've pointed the Ironport to my Exchange server and added the SmartHost on Exchange.

Labels:
0 Helpful
13 Replies 13

Rehan Latif
Cisco Employee
Cisco Employee

‎10-18-2012 10:53 PM

Hi Evan,

For outgoing mail to flow through IronPort appliance you need to do following two config changes:

- Configure Exchange server with smarthost pointing to IronPort's Outbound listener.

- Define Exchange's IP address in RelayList Sendergroup on outbound listener.

If you have configured above two settings, than I would recommend checking mail_logs to see what IronPort is doing with the connection coming from the Exchange side. To check the logs, you can use followling command from CLI:

> grep "" mail_logs

NOTE: replace the with actual IP of the Exchange.

Once you get ICID, please grep that ICID to see the details about that connection.

I hope this will help.

Rehan

0 Helpful

ZiPPygEEk
Level 1
Level 1
In response to Rehan Latif

‎10-23-2012 02:13 PM

Hi Rehan,

So I've configured the Smarthost on the Exchange server, I'm not exactly sure where you configure the RelayList Sendergroup on outbound listener on the Ironport.  Where exactly is this on the C170 Ironport?

0 Helpful

Ken Stieers
VIP
VIP

‎10-23-2012 02:25 PM

There are 2 ways to get to it.

1.  Click on Network>Listeners, in the row for the Outbound listener, click on the HAT link.

Then click on RelayList and add the Exchange servers to the list at the bottom.

2. Click on Mail Policies/HAT Overview.  Select the Outbound Listener.

Then click on RelayList and add the Exchange servers to the list at the bottom.

0 Helpful

ZiPPygEEk
Level 1
Level 1
In response to Ken Stieers

‎10-23-2012 02:28 PM

I actually tried that, but I got the error stating 'Port already used by Listener "IncomingMail" which is for the TCP Port: 25.  This happens when I'm trying to make my Outgoing Mail listener.

0 Helpful

Ken Stieers
VIP
VIP
In response to ZiPPygEEk

‎10-23-2012 02:29 PM

Do you have 2 listeners?

0 Helpful

ZiPPygEEk
Level 1
Level 1
In response to Ken Stieers

‎10-23-2012 02:30 PM

No, at the moment I only have IncomingMail under Listeners.

0 Helpful

Ken Stieers
VIP
VIP
In response to ZiPPygEEk

‎10-23-2012 02:39 PM

You need another listener, call it OutboundMail.

Listeners need their own IP interface (not necessarily a seperate physical interface), but that's what I did...

Take a look at the section in the Online Help titled "Receiving Email with Listeners"

0 Helpful

ZiPPygEEk
Level 1
Level 1
In response to Ken Stieers

‎10-23-2012 02:45 PM

Ken,

Thanks for taking the time to assist.  I probably should read up a little more, but I thought I was on the right track.

I've configured a listener called OutbountMail, typer of listener set as Private, Interface Data 2, and TCP Port: 25 of course yet I still get an error that it's used by InboundMail.  Do I need to set something else to distinguish it from InboundMail?

0 Helpful

ZiPPygEEk
Level 1
Level 1
In response to ZiPPygEEk

‎10-23-2012 02:49 PM

I think I figured it out.  My interfaces are labeled as Data 2 (external) and Managment (Internal).  Now I was under the impression that the 2nd NIC, the Management port was used as an out-of-band port.  Should these ports be configured as External and Internal, and have a pass-through?  Or am I totally off base here.

0 Helpful

Ken Stieers
VIP
VIP
In response to ZiPPygEEk

‎10-23-2012 03:12 PM

You're on the right track.

Physically, the ports are labled Data1 and Data2

Then you create IP interfaces on them, I'd have used Private and Public, or Internal and External. (l'll use those going forward)  Put External on Data2 and plug it in to your DMZ, put Internal on Data1 and put it on your server subnet.

On the Private/Internal interface turn on the Appliance Management/Spam Quarantine/etc

on the External interface, turn all that off...

Create the InboundListener on the External IP interface

Create the OutboundListener on the Internal IP interface

You probably don't have to do ALL of that, maybe just rename the internal stuff, so its less confusing... And put the second listener on the "internal" interface.

0 Helpful

ZiPPygEEk
Level 1
Level 1
In response to Ken Stieers

‎10-23-2012 03:46 PM

So the external interface of the Ironport will definitly sit on the DMZ, just as my Edge Transport did at one time during testing, good to know.  I wasn't 100% on this so I'm glad that's cleared up.

I'm going to reconfigure it from the ground up as you listed it above.  Thanks so much Ken.  I'll post back my status and findings.

0 Helpful

Ken Stieers
VIP
VIP
In response to ZiPPygEEk

‎10-23-2012 03:51 PM

You don't HAVE to put it on the DMZ, but its best-practice...

0 Helpful

johnsmith1000
Level 1
Level 1
In response to Ken Stieers

‎05-07-2013 04:56 PM

Was there a happy ending to this story? Did it finally work?

Sent from Cisco Technical Support iPad App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents