IronPort Email high availability

Hi,

I have 2 IronPort Email Security Appliances and I want to know if it is possible to do a high availability with them.

I have searched in the Cisco guides and I have not found anything.

Does anybody know if it is possible?

Thanks

Accepted Solution

Not in the way you're thinking...  As in, the boxes don't monitor one another, and pass "responsibility" back and forth...

You can do "clustering" so that they pass configurations around, and it's multimaster, so you can do your config on either one (though it gets hokey if you're hitting box A, and your colleague is hitting box B.  "Last change" wins.)

Typically inbound "failover" is handled by using DNS MX records and the SENDING end should try each mail exchanger available until it finds one that will take the mail.

Outbound from your groupware (Exchange, Notes, whatever) is typically handled the same way...


8 Replies

Thanks Ken Stieers,

OK. But do I need to configure something on the IronPort?

No... Other than clustering, which is optional, the boxes don't know about one another...

Good!! Finally, is there any guide or document to support that I can't do HA?

Thanks!!

Please refer to the documents below:

Page 7 of:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/August2012/Cisco_SBA_BN_EmailSecurityUsingESADeploymentGuide-Aug2012.pdf

Page 9 of:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG13.pdf

Robert Sherwin
Cisco Employee

"High Availability" as in failover between appliance, or load balancing?

 

The email security appliance doesn't do load balancing for any internal or external emails by itself.  With the Centralized Management feature key enabled – this only allows the ability to share the configuration across appliances.

 

You will need to use a load balancing product internally for outbound emails if you want these clustered appliances run same amount of traffic. Also for inbound emails, you need to setup MX records with similar priority for this purpose. As example, IronPort 1 with priority 5 and IronPort 2 with priority 5. 

 

This is not the perfect solution though as compare to having a load balancer which would manually distribute the email equally to both the appliances.

 

Any external load balancing is setup and configured from the customer-side.

 

You may also find DSR (Direct Server Return) helpful:

Per the advanced guide,

http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf

 

Direct Server Return (DSR) is a way of providing support for a light-weight load balancing mechanism to load balance between multiple IronPort appliances sharing the same Virtual IP (VIP).
Enabling DSR on the Ironport appliance involves the following 3 steps:
1. Enable DSR by enabling the “loopback” ethernet interface on each participating appliance.
  mail3.example.com> etherconfig
  Choose the operation you want to perform:
  - MEDIA - View and edit ethernet media settings.
  - PAIRING - View and configure NIC Pairing.
  - VLAN - View and configure VLANs.
  - LOOPBACK - View and configure Loopback.
  []> loopback
  Currently configured loopback interface:
  Choose the operation you want to perform:
  - ENABLE - Enable Loopback Interface.
  []> enable
  Currently configured loopback interface:
  1. Loopback
  Choose the operation you want to perform:
  - DISABLE - Disable Loopback Interface.
  []>
  Choose the operation you want to perform:
  - MEDIA - View and edit ethernet media settings.
  - PAIRING - View and configure NIC Pairing.
  - VLAN - View and configure VLANs.
  - LOOPBACK - View and configure Loopback.
  []>
2. Create an IP interface on the loopback interface with a virtual IP (VIP).
  mail3.example.com> interfaceconfig
  Currently configured interfaces:
  1. Data 1 (10.10.1.10/24: example.com)
  2. InternalV1 (10.10.31.10/24: mail31.example.com)
  3. Management (10.10.0.10/24: example.com)
  Choose the operation you want to perform:
  - NEW - Create a new interface.
  - EDIT - Modify an interface.
  - GROUPS - Define interface groups.
  - DELETE - Remove an interface.
  []> new
  Please enter a name for this IP interface (Ex: "InternalNet"):
  []> LoopVIP
  IP Address (Ex: 10.10.10.10):
  []> 10.10.1.11
  Ethernet interface:
  1. Data 1
  2. Data 2
  3. Loopback
  4. Management
  5. VLAN 31
  6. VLAN 34
  [1]> 3
  Netmask (Ex: "255.255.255.0" or "0xffffff00"):
  [255.255.255.0]> 255.255.255.255
  Hostname:
  []> example.com
--------------------------------------------------------------------------------------------
Note: It is important to note that the Loopback interface configuration will need a /32 or all-1's subnet mask to avoid an overlap with the physical adapter's subnet address, even though the IP space obviously overlaps.
--------------------------------------------------------------------------------------------
  Do you want to enable FTP on this interface? [N]>
  Do you want to enable Telnet on this interface? [N]>
  Do you want to enable SSH on this interface? [N]>
  Do you want to enable HTTP on this interface? [N]>
  Do you want to enable HTTPS on this interface? [N]>
  Currently configured interfaces:
  1. Data 1 (10.10.1.10/24: example.com)
  2. InternalV1 (10.10.31.10/24: mail31.example.com)
  3. LoopVIP (10.10.1.11/24: example.com)
  4. Management (10.10.0.10/24: example.com)
  Choose the operation you want to perform:
  - NEW - Create a new interface.
  - EDIT - Modify an interface.
  - GROUPS - Define interface groups.
  - DELETE - Remove an interface.
  []>
  mail3.example.com> commit
3. Finally, create a listener on the new IP interface.
This can be accomplished via the listenerconfig command in the CLI or via the "Network -> Listeners" page in the GUI. Remember to commit all changes.
Note: The following rules apply when you enable DSR.
• All systems must use the same Virtual IP (VIP) address
• All systems must be on the same switch as the load balancer


-Robert
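The MX-based behaviour described in the two answers above (Ken's "the sending end tries each mail exchanger until one takes the mail", and Robert's equal-priority records for two appliances) can be checked from the sending side. The following is an added example, not code from the thread or from Cisco: it models how an RFC 5321 sender orders MX records (ascending preference, equal preferences in random order) and walks the list until a host accepts. The records and the `try_connect` callback are constructed stand-ins, not real hosts.

```python
import random

# Constructed MX records for a hypothetical domain: two ESA appliances at equal
# preference (load sharing, as in Robert's example) plus a lower-priority backup
# relay that should only ever be used when both appliances refuse (pure failover).
MX_RECORDS = [
    (5, "ironport1.example.com"),
    (5, "ironport2.example.com"),
    (10, "backup-mx.example.com"),
]


def delivery_order(records, seed=None):
    """Return MX hosts in the order an RFC 5321 sender tries them:
    lowest preference value first; hosts sharing a preference are shuffled,
    which is what spreads inbound mail across two equal-priority appliances."""
    rng = random.Random(seed)
    groups = {}
    for pref, host in records:
        groups.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(groups):
        hosts = list(groups[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records, try_connect, seed=None):
    """Walk the MX list and hand the message to the first host that accepts.

    try_connect(host) stands in for the SMTP connection attempt and returns
    True when the host accepts the message. Returns (accepting_host, attempts),
    with accepting_host None if every exchanger refused (sender queues/retries).
    """
    attempts = []
    for host in delivery_order(records, seed):
        attempts.append(host)
        if try_connect(host):
            return host, attempts
    return None, attempts


if __name__ == "__main__":
    # Simulate ironport1 being down: delivery must land on ironport2 and the
    # backup relay must not be touched.
    host, tried = deliver(MX_RECORDS, lambda h: h != "ironport1.example.com", seed=1)
    print("accepted by", host, "after trying", tried)
```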

Thanks Robert Sherwin.

Actually I am trying to configure failover.

Exactly as Ken said, we don't do failover - just configuration sharing between cluster members.

-Robert
