04-10-2012 12:09 PM
Hi all,
What is the largest size message that can be encrypted by the IronPort ESA PXE engine? Is this a configurable parameter?
Thanks very much,
- Steve
04-12-2012 03:31 PM
I actually have the same question and I'm looking for an answer also.
I believe from the testing I've done that the current default PXE size is set to an encrypted size of 10MB. I believe this was put into place when version 7.6 of AsyncOS was rolled out. I also assume the reason this was put into place was because of a common issue we were experiencing where customers of ours would try to send out extremely large emails that required encryption and it would effectively make our IronPort become unresponsive to the point that we would have to manually hard power cycle them. Also bringing up the question again of why don't our C370s have DRAC cards in them. I am yet to figure out if there is a way to adjust this size.
I sent in a support case to ask for the same information. If I receive a reply back I'll update you.
Thanks,
Mike
04-12-2012 05:31 PM
Hi Mike,
Coincidentally, I got an answer on this just today from IronPort Support:
Starting with the 7.6.0-444 version, the size limit has been changed to 10MB as the previous size limit of 40MB was causing too many issues such as the encryption engine locking up so therefore the limit was reduced. For the 10MB size limit about 20% also needs to be accounted for MIME inflation so the actual limit is really about 8MB.
- Steve
04-13-2012 07:34 AM
Thanks Steve. I actually received the same response yesterday also. I'm fine with the change since we were definitely experiencing the lockup when someone tried to push an extremely large file through the DLP system. My concern now is what to do if someone needs to send a file larger but the DLP policy is trying to trigger and encrypt the message. I'm thinking of possibly creating a bypass message filter so if a certain keyword is found in the subject line the message immediately gets emailed without scanning for DLP. Of course this brings up the concern of people sending out items they shouldn't be and bypassing the DLP policy. I'm thinking I could CC our Management on any sensitive information that has been requested to be sent unencrypted to avoid it being taken advantage of.
04-13-2012 07:45 AM
Mike, that's definitely a concern. We are not doing any automatic encryption yet, but we will be in the future. I did see one incident in our tracking logs where it looked like IronPort defaulted to TLS when a message was too large to be encrypted, but I'm not sure if that was by design.
07-06-2012 04:51 PM
I came to this thread after one of my users had a message bounce that was only about 7.2MB.
I understand Cisco wants to cut down on support calls and costs but this seems like a drastic reduction. We're a very small shop and rarely send out messages of any kind over 10MB but it's the big ones that are usually the most sensitive, yes? I would very much like to see this limit at least somewhat configurable in the future, even if it's capped at, say, 20MB, or even maybe see it indexed on throughput but effectively cutting the limit of what can be protected by 75% or more puts a huge dent in the value argument for IronPort. The ability to easily encrypt anything from any device is the prime reason we have IronPort versus numerous other options.
We renewed this year but if this is not addressed it will put a serious damper on our enthusiasm to spend the extra cash next year.
10-20-2017 10:38 AM
Any changes for this on version 10 ESA? I'm getting bounced email at 27MB. Can this be configured now?
10-20-2017 11:46 AM