Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1096
Views
0
Helpful
2
Replies

IronPort ESA C170: two listeners configuration w/ two firewalls

marcel.balan
Level 1
Level 1

‎04-17-2016 09:22 PM

Hi,

Have a IronPort C170 ESA. Looking into deploying it in a two listeners configuration. 

The IronPort User Guide only shows the "typical placement of the Email Security appliance in an enterprise network environment" (Page 3-3): behind the perimeter firewall with one interface talking to the Firewall and the other one to the email servers. 

It also mentions that "in some scenarios the Email Security appliance resides inside the network “DMZ,” in which case an
additional firewall sits between the Email Security appliance and the groupware server".

I would prefer to use the second scenario however I would first like to know:

1. is the 'typical" placement a recommended configuration?

i.e. it's assumed that the configuration where the firewall allows  only SMTP traffic only on the 1st interface while the 2nd interface sits in the 'trusted' zone of the Groupware servers is a secure configuration. Anyone seen any documentation supporting this?  

2. Anyone seen a document or have more details on the two listeners configuration with a firewall between ESA and Groupware servers? I found none. 

Regards,

Marcel 

Labels:
0 Helpful
2 Replies 2

Rehan Latif
Cisco Employee
Cisco Employee

‎04-22-2016 06:03 PM

Hi Marcel,

This typical placement is recommended and totally supported. There are quite a few customers using this scenario without issues.

The ESA is not a router and works in store and forward fashion. This means it cannot route connections from one segment to the other.

The connections from internet will be SMTP connections only and will be terminated at ESA end.

ESA will create a new SMTP connection to the groupware server and this connection will have no relation to the actual inbound connection.

Therefore, there is no security risk in this deployment method. The user guide has some details about this under "Setup and Installation -> Segregating Incoming and Outgoing Mail" 

Hope this will help.

Regards,

Rehan

0 Helpful

marcel.balan
Level 1
Level 1
In response to Rehan Latif

‎04-24-2016 05:42 PM

Thank you Rehan!

0 Helpful
Customers Also Viewed These Support Documents