
Multiple SMA with Multiple ESA

Hi Forum,

I have one customer that uses 2 ESAs and 2 SMAs; actually I back up from SMA1 to SMA2 on a schedule. The customer has planned a DRP test that cuts off 1 ESA and 1 SMA. During this test the main (master) SMA is planned to be unreachable. What happens during this DRP: does the mail remain on the ESA until the SMA is available? Is it possible to define 2 SMAs on an ESA (it seems not possible)? Any ideas or suggestions about this topic?

 

Thanks for your help


Libin Varghese
Cisco Employee

If the SMA becomes unreachable the data would remain on the ESA till the SMA becomes available again.

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/212101-ESA-Reporting-and-Tracking-Data-Retentio.html

 

The ESA cannot be configured to push the same data to two SMAs. However, you can push some data, such as reporting and tracking, to one SMA and quarantine to another SMA.

 

Ideally, data from the SMA should be backed up to another SMA in case the first one fails.

 

Regards,

Libin Varghese

Hi Libin,

 

Thanks for your quick answer. I agree with you, but in case you are in DR for 24 hours and the master SMA is not reachable, no way! You are not able to release some mails that are on the ESA, correct? Backup between the 2 SMAs is configured and working as expected.

 

Thanks and regards.

 

JM

marc.luescherFRE
Spotlight

For DR reasons we have split all our ESAs over two computer centers in two different DMZs, as well as using two different external ISPs. Initially we ran a nightly backup of SMA1 to SMA2 but quickly had to further split them into functions due to disk space requirements.

 

Now the first SMA did monitoring and message tracking; the second one did SPAM and PVO. We have performed a DR test; all our ESAs queued the traffic as expected for up to 24 hours before dropping the oldest data.

 

To improve spoof malware protection we have added a lot of custom filters and AMP to all DMZ-based ESAs so we can duplicate messages into the quarantine when certain criteria were met. This is when things became more messy, and we had multiple tickets with Cisco about that.

 

When the SMA is used for AMP (as it should) and the SMA is unavailable for an extended period of time, several things can happen (file attachments will no longer be checked and will be released, unchecked, after 1 h, or in our case 30 min since we changed the defaults).

 

When the SMA is used to duplicate messages with the policy to delete them after XX days, another issue happens: mails will be released automatically after 40 hours no matter what, resulting in double or triple delivery of the same emails to end users, depending on how many copies of a message you have.

 

We were unable to reproduce this at will but have suffered at least 3 occurrences of both issues. Cisco has promised to put a real SMA HA solution or setup on the roadmap, but in the meantime we split our PVO SMA further to mitigate the risk.

 

Hope that helps.