
Multiple vs single listener advice

Asim Ansari (Level 1)

Hello community,

We are planning to deploy ESA (C390) in our environment in front of Zimbra mail servers. I have read in the forums and official guides that all features can be used even with a single listener, and that the only benefit of using multiple listeners (for inbound and outbound mail) would be a cleaner configuration and easier filter rules (mail policies); sometimes multiple listeners might even be necessary if the network layout (IP scheme) dictates so.

Currently our network IP scheme does not need multiple listeners.

I have also seen that it's quite easy to bypass AV, OF and anti-spam checks for outbound mail if we use the "recv-listener" filter condition for the private listener (when using a separate listener for outbound mail).

Please note that we are a medium-sized organization, running multiple email domains with ambitions to expand a lot further. We want to be able to support any unforeseen requirements/scenarios when they arise. Also, we would be using virtual gateways to segregate various kinds of traffic (which is possible with a single listener as well, using alt-src-host tables).

I have also read on forums that people have been able to support very complex organizational setups using single listeners, but I still want your feedback about the way forward in our case.

Thanks.

Accepted Solution

Even though all that you say is true, I would still do 2 listeners, on 2 IPs... one "public" and one "private"... even if they are on the same subnet.

It will greatly simplify your configuration; you'll know exactly which boxes should be connecting to which interfaces. That will make troubleshooting easier. It will also make things like IPS rules, firewall rules, etc. easier... for deployment and for that time when you're digging into an issue at 4am.

And it will make more sense to the next guy who has to dig into it when you're on vacation, won the lottery, whatever...


Asim Ansari (Level 1)

Thanks Ken,

I was always in favor of multiple listeners but still wanted to validate it from here.

I would be using /32 subnets for private listeners and /24 for public listeners to help the ESA differentiate within the same-subnet IP scheme.

Thanks again.

Asim,

Can you elaborate on why you would use the /32 for the private listener? I am working on setting up a second private listener and am trying to understand why you would use that subnet instead of a /24 like you have on the primary listener. Wouldn't using a /32 stop your private listener from being able to reach your gateway? I am assuming you are using an IP on the same subnet as your public listener. If it's a completely different subnet, then that makes more sense.