I am totally new to Cisco IronPort, and due to the needs of my present scenario I am engaged to implement the Cisco Email Security Appliance C680 as a cluster with an M680 for centralized management of the ESA.
Could you please help me understand the basic installation and basic configuration guide?
1. Already using IronPort C670 & C3xx in a cluster.
2. Rough diagram as per my understanding attached.
1. Want to replace with the new model C680 in a cluster.
2. Need to configure the M680 for centralized management of the ESA.
3. To enable all new features and tighten the email security.
4. Separation of internal and external traffic.
5. IP addressing to configure the two C680s and one M680 (management, communication, etc.).
6. To redesign as per best practice.
Thanks in advance!
This reply will be a high-level response; for concerns where you need an infrastructure redesign to cater to new requirements, I believe your Cisco Systems (sales) engineers can be of better assistance, as they will be able to provide details in this regard.
With replacing existing models with the new C680, the best approach I would recommend:
Apply a temporary IP to your C680 devices and upgrade them to the same version as the devices in the existing cluster so you can add them in.
If the C680 is on a newer version, then you may need to schedule an upgrade window for the existing clustered systems to match that of the C680 for an easier cluster integration process.
To configure the ESAs to point to the M680 device, you need to ensure network routes on port 22 and the SSH protocol are allowed between the IP interfaces that will be used to reach each other.
Ensure no SSH key fingerprint exchange interruption or proxying is happening, as this will break the communication.
Configuring the SMA (M series) to talk to the ESA requires enabling the centralized services on the ESA (GUI > Security Services > Centralized Tracking/Reporting and anything else), then going to the SMA (M series) > Management > Security Appliances, adding the ESA's IP that will be communicated with and establishing a connection.
Once this is done, they're centralized.
To enable all new features, depending on which features you're seeking, some features require purchase of feature keys (thus your Cisco Sales/Systems engineer is the best person to approach to sort this); general instructions are available through the system's online help guide on implementation and use of the features (GUI > Help and Support > Online Help).
Separation of internal and external traffic is generally tied to Listeners; if only using 1 Listener, then sender groups will separate inbound from outbound traffic.
If you wish to change from 1 listener to 2 for more separation, network routes need to be configured from the devices on port 25, an IP interface configured on the ESA, and a new private/public listener set up to use that IP for separation of traffic.
IP addressing for communication: GUI > Network > IP Interfaces > enable the ports you want to allow for management; communication is generally on port 22 between devices.
Redesign best practices: as a TAC engineer myself, I cannot really comment on this.
Thanks Matty for your reply. It really helps me a lot. I am also preparing myself from the available docs on the Cisco portal itself. One more thing I would like to know: what are the basic prerequisite points that need to be considered before migrating? Can you help me with this?
Thanks in advance!
Main key points I'd recommend:
+ AsyncOS matching
+ Feature keys (at least temp keys) available on the newer devices
+ All network and firewall rules between your IPs
That's essentially the main points.
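The prerequisites listed in the two replies (port 22 open between ESA and SMA, port 25 for listeners, no SSH fingerprint interception, matching AsyncOS versions) can be checked from an admin host before the cluster cutover. The script below is an added example, not Cisco's or the thread participants' code; the host names, fingerprints and version strings in it are constructed placeholders, and `run_checks` only tests reachability from the host it runs on, so run it from the same network segment as the M680.

```bash
#!/usr/bin/env bash
# Pre-migration checks for an ESA/SMA cluster: TCP reachability on the ports
# the thread names (22 for ESA<->SMA centralized services, 25 for listeners),
# SSH host-key pinning to detect a proxy or interception on port 22, and an
# AsyncOS version match across cluster members. Example code; all host names,
# fingerprints and versions used with it are constructed placeholders.
set -u

# Return 0 if HOST accepts a TCP connection on PORT within 3 seconds.
check_port() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Print "host SHA256:..." lines for each SSH host key HOST presents.
scan_fingerprints() {
  local host=$1
  ssh-keyscan -T 3 "$host" 2>/dev/null | ssh-keygen -lf - \
    | awk -v h="$host" '{print h, $2}'
}

# Compare observed fingerprints with ones recorded out of band (e.g. from the
# appliance console). Prints each mismatch; returns 1 if any expected line is
# missing, which is what an SSH proxy or MITM on port 22 would look like.
compare_fingerprints() {
  local expected=$1 observed=$2 rc=0 host fp
  while read -r host fp; do
    [ -z "$host" ] && continue
    if ! grep -qxF -- "$host $fp" "$observed"; then
      echo "MISMATCH: $host expected $fp"; rc=1
    fi
  done < "$expected"
  return $rc
}

# Return 0 only when every AsyncOS version string passed in is identical.
asyncos_match() {
  [ "$(printf '%s\n' "$@" | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# Usage: run_checks EXPECTED_FP_FILE ESA_HOST...   (returns 1 on any failure)
run_checks() {
  local expected=$1 observed rc=0; shift
  observed=$(mktemp)
  for esa in "$@"; do
    check_port "$esa" 22 || { echo "FAIL: $esa:22 (ESA<->SMA)"; rc=1; }
    check_port "$esa" 25 || { echo "FAIL: $esa:25 (listener)"; rc=1; }
    scan_fingerprints "$esa" >> "$observed"
  done
  compare_fingerprints "$expected" "$observed" || rc=1
  rm -f "$observed"; return $rc
}
```

Record the expected fingerprints from each appliance's console before the first SSH connection so the comparison has a trusted baseline; feed the `version` strings from each cluster member to `asyncos_match` separately.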