Ironport Best Practices Design

elroylokh
Level 1

Dear Sir,

Are there any best practices for the placement of the IronPort? Is it best practice to place the IronPort in a DMZ?


Thanks

Best Regards,

Elroy

1 Reply

Paul Cardelli
Level 1

You will want to read chapter 3 in the ESA User Guide:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_User_Guide.pdf

It all depends:

Ultimately you will want to have your ESA Public Listener Interface on the perimeter of your network, as the first hop into and the last hop out of your email workflow. Perimeter is relative to your network setup and business requirements, but the ESA should at minimum have a public IP NATed to it.

Most Common Configurations:

1. Hosted - either Cisco cloud or in another cloud provider or data center. Simplifies configuration as the whole world will hit your hosting provider and only a single set of rules to connect your gateway to your in-house email servers needs to exist.

2. DMZ or LAN Single IP Interface behind a firewall, NATed to a Public IP. A Public Listener on port 25 and a private listener on port 26.

3. An Edge configuration with 1 or more public interfaces on one or more DMZs, with one or more private listener interfaces on an internal DMZ or LAN, as well as a management interface on a management network.


Of course there are plenty of grey areas for discussion, but for an email security appliance to work at its best it needs to be able to resolve the original source public IPs of the message. Having a properly configured firewall between your ESA and the rest of the world is another best practice.
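As an added example (not from the original thread or from Cisco), here is a small Python check for the last point in the reply: whether the hop into the ESA's public listener actually carries the sender's real public IP, or an internal NAT/relay address that would blind sender-reputation checks. The host names and addresses in the sample headers are constructed.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Matches the "from <helo> (<rdns> [<ip>]) by <host>" shape of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^)]*?\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample 1: the ESA (esa.example.com, hypothetical) received the
# message directly from the Internet, so it sees the sender's public address.
DIRECT = """Received: from mx.example.net (mx.example.net [93.184.216.34])
    by esa.example.com with ESMTP id abc123;
    Tue, 1 Jan 2019 10:00:00 +0000
Received: from user-pc (localhost [127.0.0.1]) by mx.example.net with ESMTP
"""

# Constructed sample 2: an internal relay sits in front of the ESA, so the
# gateway only ever sees the relay's RFC 1918 address as the connecting peer.
RELAYED = """Received: from relay01.corp.local (relay01.corp.local [10.20.0.5])
    by esa.example.com with ESMTP id def456;
    Tue, 1 Jan 2019 10:00:01 +0000
Received: from mx.example.net (mx.example.net [93.184.216.34])
    by relay01.corp.local with ESMTP id ghi789
"""


def received_headers(raw_headers: str) -> list[str]:
    """Return unfolded Received: header values, newest (topmost) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def source_ip_at_gateway(raw_headers: str, gateway_host: str) -> Optional[IPAddr]:
    """IP address the gateway's listener saw as the connecting peer, or None."""
    for value in received_headers(raw_headers):
        m = RECEIVED_RE.search(value)
        if m and m.group("by").lower() == gateway_host.lower():
            return ipaddress.ip_address(m.group("ip"))
    return None


def gateway_sees_public_source(raw_headers: str, gateway_host: str) -> bool:
    """True when the hop into the gateway carries a globally routable source IP.
    A private or NAT address here means something upstream hides the real sender."""
    ip = source_ip_at_gateway(raw_headers, gateway_host)
    return ip is not None and ip.is_global
```

Run the check over a sample of inbound mail after any topology change; a run of `False` results means reputation and connection-level policies on the public listener are being applied to your own relay rather than to the Internet sender.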