Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1214
Views
0
Helpful
2
Replies

listener vs virtual gateway technology

maldonado.m
Level 1
Level 1

‎12-16-2009 08:47 AM

Hello,

I am studding how virtual gateway technology works and I think I understand how it does. If I have 2 domains: one.com and two.com I can specify the ironport through which interface mail can leave the ironport. My scenario is the following:

*) 1 interface: Data2
*) 2 Ip address: x.x.x.1 x.x.x.2

So I used altsrchost to match one.com and tow.com to an specific ip address, resulting the following:

@one.com -> x.x.x.1
@two.com -> x.x.x.2

By doing this, I now that email from one.com will use the x.x.x.1 IP to leave the ironport and email from two.com will use x.x.x.2 to leave the ironport.

Now, after I configure this set of IPs, an error is ocurring that the ironport cannot connect to phonehome through port 443. We only have granted access to this port in the ip x.x.x.1 but no on the x.x.x.2 IP. So here is one of my questions:

Is ironport updating from all its interfaces?


The following question is regarding listeners. Within a listener I can configure politics and hat and rat lists. So here is my question:

Do I have to configure a separate listener to use the second IP x.x.x.2?

Here is our scenario:

data1: management ip, listener management
data2: x.x.x.1 ip, listener production, with hat, rat and politics
data2: x.x.x.2 ip

@one.com -> x.x.x.1
@two.com -> x.x.x.2

My third question is that after creating the virtual gateways, in the monitor windows, a message appears that no virtual gateways are created.

Am I missing a step or why does it not show a virtual gateway configured:


Thank you for your thoughts!

Labels:
0 Helpful
2 Replies 2

Donald Nash
Level 3
Level 3

‎12-16-2009 01:51 PM

When we added a second IP address to use for a virtual gateway, I discovered quite to my shock that all traffic started using it. I had to use a message filter to force the traffic back over to the interface it had been using before. I think the interface that AsyncOS selects as its "primary" interface is not quite as deterministic as we would like. My advice is to put both IP addresses in your firewall.

Do I have to configure a separate listener to use the second IP x.x.x.2?

Only if you want to receive incoming mail via that IP address. You don't need it for sending outbound mail using the virtual gateway mechanism.

I have no answer for your third question, since I've never run into that.

0 Helpful

meyd45_ironport
Level 1
Level 1

‎12-16-2009 10:31 PM

The "Auto" interface is the one which sorts first in the string-wise sort of the IP addresses in dotted-quad form. i.e 1.2.3.32 on a machine with IPs 1.2.3.4 and 1.2.3.32

This means that adding a new IP to a box may change nothing, or almost everything.

0 Helpful
Customers Also Viewed These Support Documents