10-07-2013 08:11 AM
Hi,
I have 2 IronPort Email Security Appliances and I want to know if it is possible to do a high availability with them.
I have searched in the Cisco guides and I have not found anything.
Does anybody know if it is possible?
Thanks
10-07-2013 08:16 AM
Not in the way you're thinking... As in, the boxes don't monitor one another, and pass "responsibility" back and forth...
You can do "clustering" so that they pass configurations around, and it's multimaster, so you can do your config on either one (though it gets hokey if you're hitting box A, and your colleague is hitting box B. "last change" wins.)
Typically inbound "failover" is handled by using DNS MX records and the SENDING end should try each mail exchanger available until it finds one that will take the mail.
Outbound from your groupware (Exchange, Notes, whatever) is typically handled the same way...
10-07-2013 08:36 AM
No... Other than clustering, which is optional, the boxes don't know about one another...
10-07-2013 08:57 AM
Good!! Finally, is there any guide or document to support that I can't do the HA?
Thanks!!
10-22-2014 12:07 AM
Please refer to the documents below:
Page 7 of:
http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/August2012/Cisco_SBA_BN_EmailSecurityUsingESADeploymentGuide-Aug2012.pdf
Page 9 of:
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG13.pdf
10-07-2013 08:21 AM
"High Availability" as in failover between appliance, or load balancing?
The email security appliance doesn't do load balancing for any internal or external emails by itself. The Centralized Management feature key only allows the configuration to be shared across appliances.
You will need to use a load balancing product internally for outbound emails if you want these clustered appliances to run the same amount of traffic. Also for inbound emails, you need to set up MX records with similar priority for this purpose. For example, IronPort 1 with priority 5 and IronPort 2 with priority 5.
This is not the perfect solution though, as compared to having a load balancer, which would manually distribute the email equally to both appliances.
Any external load balancing is setup and configured from the customer-side.
You may also find DSR (Direct Server Return) helpful:
Per the advanced guide,
http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf
Direct Server Return (DSR) is a way of providing support for a light-weight load balancing mechanism to load balance between multiple IronPort appliances sharing the same Virtual IP (VIP). Enabling DSR on the IronPort appliance involves the following 3 steps:

1. Enable DSR by enabling the "loopback" ethernet interface on each participating appliance.

    mail3.example.com> etherconfig
    Choose the operation you want to perform:
    - MEDIA - View and edit ethernet media settings.
    - PAIRING - View and configure NIC Pairing.
    - VLAN - View and configure VLANs.
    - LOOPBACK - View and configure Loopback.
    []> loopback
    Currently configured loopback interface:
    Choose the operation you want to perform:
    - ENABLE - Enable Loopback Interface.
    []> enable
    Currently configured loopback interface:
    1. Loopback
    Choose the operation you want to perform:
    - DISABLE - Disable Loopback Interface.
    []>
    Choose the operation you want to perform:
    - MEDIA - View and edit ethernet media settings.
    - PAIRING - View and configure NIC Pairing.
    - VLAN - View and configure VLANs.
    - LOOPBACK - View and configure Loopback.
    []>

2. Create an IP interface on the loopback interface with a virtual IP (VIP).

    mail3.example.com> interfaceconfig
    Currently configured interfaces:
    1. Data 1 (10.10.1.10/24: example.com)
    2. InternalV1 (10.10.31.10/24: mail31.example.com)
    3. Management (10.10.0.10/24: example.com)
    Choose the operation you want to perform:
    - NEW - Create a new interface.
    - EDIT - Modify an interface.
    - GROUPS - Define interface groups.
    - DELETE - Remove an interface.
    []> new
    Please enter a name for this IP interface (Ex: "InternalNet"):
    []> LoopVIP
    IP Address (Ex: 10.10.10.10):
    []> 10.10.1.11
    Ethernet interface:
    1. Data 1
    2. Data 2
    3. Loopback
    4. Management
    5. VLAN 31
    6. VLAN 34
    [1]> 3
    Netmask (Ex: "255.255.255.0" or "0xffffff00"):
    [255.255.255.0]> 255.255.255.255
    Hostname:
    []> example.com

   Note: It is important to note that the Loopback interface configuration will need a /32 or all 1's subnet mask so as to avoid an overlap with the physical adapter's subnet address, even though the IP space obviously overlaps.

    Do you want to enable FTP on this interface? [N]>
    Do you want to enable Telnet on this interface? [N]>
    Do you want to enable SSH on this interface? [N]>
    Do you want to enable HTTP on this interface? [N]>
    Do you want to enable HTTPS on this interface? [N]>
    Currently configured interfaces:
    1. Data 1 (10.10.1.10/24: example.com)
    2. InternalV1 (10.10.31.10/24: mail31.example.com)
    3. LoopVIP (10.10.1.11/24: example.com)
    4. Management (10.10.0.10/24: example.com)
    Choose the operation you want to perform:
    - NEW - Create a new interface.
    - EDIT - Modify an interface.
    - GROUPS - Define interface groups.
    - DELETE - Remove an interface.
    []>
    mail3.example.com> commit

3. Finally, create a listener on the new IP interface. This can be accomplished via the listenerconfig command in the CLI or via the "Network -> Listeners" page in the GUI. Remember to commit all changes.

Note: The following rules apply when you enable DSR.
• All systems must use the same Virtual IP (VIP) address
• All systems must be on the same switch as the load balancer
-Robert
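Both Ken's reply (inbound failover is the sending MTA walking the MX list) and Robert's reply (two ESAs published at the same MX preference) rest on the same sender-side behaviour, so the following added example covers both. It is not from the original thread or from Cisco; it simulates what an RFC 5321 sender does with a set of MX records: lower preference first, equal preferences tried in random order, and the next exchanger tried when a connection fails. The MX set (`EXAMPLE_MX`) and the `make_connect` fake are constructed for the example; in practice the records would come from a real DNS lookup.

```python
import random
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

MXRecord = Tuple[int, str]  # (preference, exchanger hostname)

# Constructed MX set: two ESAs at equal preference (as Robert suggests) plus
# a backup exchanger at a worse preference. Hostnames are hypothetical.
EXAMPLE_MX: List[MXRecord] = [
    (10, "backup-mx.example.com"),
    (5, "esa1.example.com"),
    (5, "esa2.example.com"),
]


def order_mx(records: Iterable[MXRecord],
             rng: Optional[random.Random] = None) -> List[str]:
    """Return exchanger hostnames in the order an RFC 5321 sender tries them.

    Lowest preference value first; hosts sharing a preference are shuffled,
    which is the only "load balancing" equal-priority MX records give you.
    """
    rng = rng or random.Random()
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records: Iterable[MXRecord],
            connect: Callable[[str], bool],
            rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[str]]:
    """Try each exchanger in MX order until connect() succeeds.

    Returns (host that accepted, hosts tried). A None host means every
    exchanger was down, at which point a compliant sender queues the
    message and retries later rather than bouncing it.
    """
    tried: List[str] = []
    for host in order_mx(records, rng):
        tried.append(host)
        if connect(host):
            return host, tried
    return None, tried


def make_connect(down: Set[str]) -> Callable[[str], bool]:
    """Fake SMTP connect (constructed): fails for every host in `down`."""
    return lambda host: host not in down


def first_hop_share(records: Iterable[MXRecord], trials: int,
                    rng: Optional[random.Random] = None) -> Dict[str, int]:
    """Count which exchanger independent senders contact first.

    Shows that equal preferences spread load only statistically; nothing
    here tracks how busy each ESA actually is.
    """
    rng = rng or random.Random()
    counts: Dict[str, int] = {}
    for _ in range(trials):
        first = order_mx(records, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    rng = random.Random(42)
    print("all up:        ", deliver(EXAMPLE_MX, make_connect(set()), rng))
    print("esa1 down:     ", deliver(EXAMPLE_MX, make_connect({"esa1.example.com"}), rng))
    print("both ESAs down:", deliver(EXAMPLE_MX,
                                     make_connect({"esa1.example.com", "esa2.example.com"}), rng))
    print("first-hop share over 1000 senders:", first_hop_share(EXAMPLE_MX, 1000, rng))
```

The point a practitioner should take from the simulation: failover needs no cooperation between the appliances, because it is the remote sender that retries, but the only thing guaranteeing that a failed ESA is skipped is that its listener stops accepting TCP connections. An ESA that is up but refusing or deferring mail (disk full, listener disabled) still "answers", and the sender will not move on to the next MX.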
10-07-2013 08:34 AM
Thanks Robert Sherwin.
Actually I am trying to configure failover.
10-07-2013 08:55 AM
Exactly as Ken said, we don't do failover - just configuration sharing between cluster members.
-Robert