Solved: Ironport ESA behind a NAT address

lfkentwell · ‎09-10-2012

I know it is recomended to give an ironport ESA a public IP on a dedicated interface to take advantge of the reputation checking etc. I believe this is so it recieves the email frmo the original sender IP and if you put a relay between the Ironport and the original sender you break this. I know there is some things you can turn on in this case but my question is if I NAT from an external IP to the ironports internal IP this shouldnt loose the feature becuase the origin IP doesnt change and the connection is still direct to the ironport, not via a relay. Is this correct? Will i loose any functionality if I NAT the Ironport? Reason im asking is I dont have a free IP to give just to the Ironport but have others I can reuse since SMTP is not in use on these IP's.

Rehan Latif · ‎09-10-2012

Hi Lance,

Using NATed IP address does not break any of the ESA functionality including reputation filtering. The ESA is only looking at the source IP address for inbound connections and if the firewall is not changing the source IP, ESA will be able to perform reputation filtering without issues.

Using another MTA before the ESA will include a little bit of complexity. However, even with that it is possible to perform reputation filtering using combination of "Incoming Relay" feature and content/message filters.

Regards,

Rehan Latif

View solution in original post

Rehan Latif · ‎09-10-2012

Hi Lance,

Using NATed IP address does not break any of the ESA functionality including reputation filtering. The ESA is only looking at the source IP address for inbound connections and if the firewall is not changing the source IP, ESA will be able to perform reputation filtering without issues.

Using another MTA before the ESA will include a little bit of complexity. However, even with that it is possible to perform reputation filtering using combination of "Incoming Relay" feature and content/message filters.

Regards,

Rehan Latif