Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5753
Views
0
Helpful
5
Replies

how virtual gateway works?

Go to solution
Alibek Ismailov
Level 1
Level 1

‎02-02-2015 01:32 AM

Hello, i don't understand exactly how Virtual Gateway on Ironport works?

I configured the second IP interface on ironport with IP-address of DMZ zone and the second public listener.

On DNS i have 2 mx-records for Ironport.

How Ironport would appeal to the second mx-record?  by hostname on IP interface?

If on DNS would be 1 mx-record with 2 IP-addresses for Ironport, would Ironport sends from 2 IP-addresses or It needs 2 mx-records?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Valter Da Costa
Cisco Employee
Cisco Employee

‎02-06-2015 05:58 AM

Please refer to:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_User_Guide.pdf

Virtual gateways

The Virtual Gateway technology enables users to separate the appliance into multiple Virtual Gateway addresses from which to send and receive email. Each Virtual Gateway address is given a distinct IP address, hostname and domain, and email delivery queue.

For more information, see “Using Virtual GatewayTM Technology” in the “Configuring Routing and Delivery Features” chapter. 

 

Cisco ESA (Email Security Appliance, former Cisco IronPort Email Security Appliance) will use the DNS resolution of the MX records in order to try delivering the messages. That is the primary choice. If none MX record is found, then ESA will try the A record. If there is a SMTP route, though, that will take precedence. 

To answer you directly, then, it will depend on the DNS algorithm (round robin). That will provide ESA with the answer for the MX,A query. Based on that, it will make the decision about which destination server (hostname,ip address) to communicate in order of trying to deliver the message.

With the SMTP route (which is a manual configuration) you could have ESA to equally deliver messages to the destination servers. We know DNS algorithm is not even.

To answer your question about multiple IP addresses (A record) associated with one host name in the MX record, that will then fall under DNS algorithm. ESA will query for the hostname and wait to get a response from the DNS server. That IP address will be used by ESA to make the connection for delivering the message.

I hope that helps.

Best regards,

-Valter

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Valter Da Costa
Cisco Employee
Cisco Employee

‎02-06-2015 05:58 AM

Please refer to:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_User_Guide.pdf

Virtual gateways

The Virtual Gateway technology enables users to separate the appliance into multiple Virtual Gateway addresses from which to send and receive email. Each Virtual Gateway address is given a distinct IP address, hostname and domain, and email delivery queue.

For more information, see “Using Virtual GatewayTM Technology” in the “Configuring Routing and Delivery Features” chapter. 

 

Cisco ESA (Email Security Appliance, former Cisco IronPort Email Security Appliance) will use the DNS resolution of the MX records in order to try delivering the messages. That is the primary choice. If none MX record is found, then ESA will try the A record. If there is a SMTP route, though, that will take precedence. 

To answer you directly, then, it will depend on the DNS algorithm (round robin). That will provide ESA with the answer for the MX,A query. Based on that, it will make the decision about which destination server (hostname,ip address) to communicate in order of trying to deliver the message.

With the SMTP route (which is a manual configuration) you could have ESA to equally deliver messages to the destination servers. We know DNS algorithm is not even.

To answer your question about multiple IP addresses (A record) associated with one host name in the MX record, that will then fall under DNS algorithm. ESA will query for the hostname and wait to get a response from the DNS server. That IP address will be used by ESA to make the connection for delivering the message.

I hope that helps.

Best regards,

-Valter

 

0 Helpful

Go to solution
Alibek Ismailov
Level 1
Level 1
In response to Valter Da Costa

‎02-10-2015 01:35 AM

I have Ironport c170 model with 2 network adapters, so i can create only 2 VG or more?

0 Helpful

Go to solution
Valter Da Costa
Cisco Employee
Cisco Employee
In response to Alibek Ismailov

‎02-10-2015 04:33 PM

With the new version, 9.0 (which is currently available for our ESAv - ESA virtual) you don't have a limit and don't require license to over 200 IP addresses. If you have your C170 using version prior to 9.0, you will be limited to 4 IP addresses.

Please visit:

https://software.cisco.com/download/navigator.html?mdfid=282509130&i=rm

And select: Email Security Virtual Appliance.

From the Release Notes (which you can download from the same page) you will see:

I hope that helps.

Regards,

-Valter

 

0 Helpful

Go to solution
eng.malak
Level 1
Level 1

‎05-22-2016 12:01 PM

Hi

is the virtual gateway supported on the virtual edition "ESAv" ?

0 Helpful

Go to solution
Valter Da Costa
Cisco Employee
Cisco Employee
In response to eng.malak

‎05-23-2016 07:57 AM

Yes. It is. Pretty much everything that we have on hardware device is support on virtual. Exception for NIC Paining. Which we dont support on ESAv. I am quite sure we have another feature which is not support on ESAv only, but I can recall now. I will update the thread once I find it and if I dont, will update the thread also. 

Hope that helps.

-Valter

0 Helpful
Customers Also Viewed These Support Documents