Re: New Capabilities to Protect Your Users with Cisco Secure Email - AMA - Page 2

ciscomoderator · ‎01-31-2021

Ask Me Anything Forum

This event is a chance to review how customers of all sizes face the same daunting challenge: email is simultaneously the most important business communication tool and the leading attack vector for security breaches. Cisco Secure Email enables users to communicate securely and helps organizations combat Business Email Compromise (BEC), ransomware, advanced malware, phishing, spam, and data loss with a multilayered approach to security.

To participate in this event, please use the button below to ask your questions

Ask questions from Monday, February 1 to Friday, February 12, 2021

Featured Experts

Dennis McCabe Jr is a Technical Consulting Engineer at the Cisco Global Technical Assistance Center (TAC) for Content Security Email. With more than five years of experience and a broad scope of knowledge relating to Cloud Email Security (CES) and the Email Security Appliance (ESA), Dennis holds certifications including Cisco’s Certified Specialist with Email Security and an MCITP concentrating on Microsoft Exchange. He holds a CCNA Security certification.

Erica Parker is an experienced Technical Consulting Engineer with a demonstrated history of working in the computer networking and cybersecurity industry. With a Bachelor's degree focused in Computer Systems Networking and Telecommunications from Rochester Institute of Technology, she is skilled in Email Security, Software Deployment, and Security Penetration testing with a passion in biomedical sciences. She holds two certifications on CCNA R&S and Security.

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to your Questions

Do you know you can get answers before opening a TAC case by visiting the Cisco Community?
For more information, visit the Email Security category. To find further Cisco Community events: Click here.

dmccabej · ‎02-06-2021

Hello,

In Exchange, you will need to configure Send/Receive connectors based on the flow of traffic that you require. As an example, a Receive connector to accept mail being sent in from external > ESA > Exchange, and a send connector for outbound traffic going from Exchange > ESA > External.

For HA, it would depend on what you're referring to. The ESAs do not have any form of HA functionality builtin; however, you can configure them into a cluster to share configuration across devices. More information on that can be found here.

For actual high availability as far as mail traffic is concerned, you will want to configure DNS round-robin and/or have some form of load balancer in place within your network. Then, traffic can move between ESAs automatically if for some reason one is unreachable.

Thanks!

-Dennis M.

ciscomoderator · ‎02-05-2021

You're amazing!

Find below a question from @Doug Maxfield :

vESA on AWS

Good Morning,

We are looking at moving/building new a vESA in AWS. Just checking to see if anyone has done this. Any information would help. I would think it would be similar to "standing up" in a VM environment.

TIA,

Doug

dmccabej · ‎02-06-2021

Hello,

We do have AWS deployment on the roadmap; however, there is nothing available at this moment as far as a supported implementation. I believe this is currently tracking for AsyncOS 14.0 which is tentative for this/next month. However, that of course may be subject to change depending on how the Beta progresses.

You can always contact TAC for updates moving forward. It may also be helpful to keep an eye on the following links:

Release Notes

Virtual Install Guide

Thanks!

-Dennis M.

ciscomoderator · ‎02-05-2021

Best Practices? Sure we can help!

Find below the question from @Fwaggle :

Best Practice for allowing DMARC passed mail items from mail hosting platform and restricting other mails based on SBRS

Apologies if this has been addressed in previous threads.

I have scenario whereby a partner org sends inbound mail including time based passcodes utilising a mail hosting platform (e.g amazones, mailgun, etc. Message trace shows that a number of other orgs utilise the same mail hosting platform and the sending IP's are the same. The partner org has configured SPF, DKIM and DMARC and from the mail items I have reviewed all of these mail items pass these checks where as the mail items from the other orgs do not. Currently all mail from this hosting platform are subject to SBRS (values range from 2.8 to 3.5 hourly) and as such the appropriate mail flow policy and throttling are applied.

I am looking for advice/ best practice for a way that will allow the DKIM/DMARC passed mail items to bypass the throttling and keep the others subject to policies based on SBRS value. What I don't want to happen is create a new flow policy that is applicable to all inbound mail enforcing DKIM/ DMARC check so that every mail item that fails these checks ends up in the Quarantine pool.

Best Practice for allowing DMARC passed mail items from mail hosting platform and restricting other mails based on SBRS.

I should say that our mail flow policies are as currently as out of the box and we have been using up to now the HAT exemptions to by-pass throttling so certain IP's.

Thanks in advance,

Fraser

dmccabej · ‎02-06-2021

Hello,

If you have a specific MTA (hostname/IP/CIDR/Etc) that you're looking to bypass throttling for, then the recommendation would be to create a custom Sender Group and Mail Flow Policy and add that host to the list of senders. Then, only that MTA will be tied to that Sender Group and Mail Flow Policy with the lesser throttling restrictions. However, if you're asking to only bypass throttling if a sender passes DMARC verification, then, that functionality is not available at this time.

Thanks!

-Dennis M.

mds1 · ‎02-08-2021

Hi Erica,

Hope you can point me in the right direction, we recently selected cisco email security cloud version for our company.

We got everything installed and working, but noticed that the plugin that cisco suggested only helps cisco more then the our employees or end user. I would like to know were I can submit an enchantment suggestion for this plugin.

Cisco is so big just trying to find out were I should could start.I tried TAC but I don't think this is the right place?

Thank you.

Marty

ericpark · ‎02-09-2021

Hi Marty,

Hope you're doing well. You were actually headed in the right direction - you can have TAC file an enhancement request for whichever plugin you're looking to provide enhancement recommendations for. When you open the ticket, just make sure to mention that it's an enhancement request that you're looking to file and provide the limitations of the plugin, the features that would be changed or added, and any particular visions you have for how the enhancement(s) could be added. This will help the TAC engineer file your enhancement. There's also a chance that your enhancement request already exists, but the TAC engineer working on your case will be able to let you know if it does.

I hope that helps!

Erica

mds1 · ‎02-09-2021

Ok thanks, Erica

dmccabej · ‎02-09-2021

Hello Marty,

I can definitely understand with there being so many paths and not knowing which to take. For your question, the best path forward will be as you had initially thought, to reach out to Cisco TAC and let them know that you wish to file an enhancement for the plugin.

Though once the enhancement is filed, TAC is out of the picture and it becomes up to our Product Management (PM) team for how any/all enhancements will be prioritized. If the enhancement is important to you and your company, then the next steps would be to reach out to your Account/Sales team and let them know that you have an enhancement you wish to prioritize, and they will then work with PM to identify the next steps.

I hope that helps.

Thanks!

-Dennis M.

mds1 · ‎02-09-2021

Thank you.

John Ventura · ‎02-09-2021

Hi,

How do I generate a Certificate Signing Request (CSR) from the ESA?

- John

ericpark · ‎02-09-2021

Hello John,

To generate a certificate signing request from the Email Security Appliance, you'll want to pull up the GUI of the appliance and navigate to Network > Certificates. Here, create a new self-signed certificate and save the changes. From here, you'll have the option to download a Certificate Signing Request from the appliance.

I hope that helps answer your question.

Erica

John Ventura · ‎02-09-2021

Many thanks for the prompt reply @ericpark !

- John

chumonito · ‎02-10-2021

Hello, thanks for this space!

quick question from an CES Customer regarding Talos email status portal.

the customer has a CES Solution with 100 domains sending all the mails from incoming and outgoing perspective through CES (tough Project I know...).

finnaly after the integration, he wants deliver to all end-users of every domain (100 separately) the Outlook plugin in order to submit any phising, Spam, graymail and so on...

The Cisco Talos Portal has change in order to receive and show this info, and right now he has no clue (neither do I) on what are the steps in order to accomplish this.

he is the IT Ciber-security manager for all this 100 domains (this kind of companies who are holded by a big one firm) and he wants to understand better how to manage this:

inside https://talosintelligence.com/tickets/email_submissions/help there is something related to his CES that he needs to susbcribe? do we have to Link the CES to the talos portal?
he needs to declare him as the Admin of every single domain (100 domains) separately?
if he has a MSA with a contractor, the contractor can be declared for this 100 domains to verify/check all the submitted info from the end users?

thanks a lot!

dmccabej · ‎02-10-2021

Hello,

Thank you for reaching out. I'll do my best to provide some detailed responses to your questions below. Happy to provide any additional clarity if you need further information.

Thanks!

-Dennis M.

inside https://talosintelligence.com/tickets/email_submissions/help there is something related to his CES that he needs to susbcribe? do we have to Link the CES to the talos portal?
- Yes and No. You may link the CES devices to the Email Status Portal (ESP) through the registration steps on that link; however, this is only relevant to any submissions being sourced from the ESA/SMAs themselves. For direct submissions via the add-on/plugin/etc, it is not required to register the ESA/CES devices.
he needs to declare him as the Admin of every single domain (100 domains) separately?
- Correct, yes. Each domain approval is requested separately which then forwards an approval email to the postmaster address for the respective domain. I am unfortunately not aware of any bulk-add/approve option. Though, it may be worth requesting an enhancement for this feature.
if he has a MSA with a contractor, the contractor can be declared for this 100 domains to verify/check all the submitted info from the end users?
- The owner of the domain can delegate access as they need. So if I'm reading the question correctly this should be possible, yes. This can be done from the Manage Accounts page.