
Outbound Forced TLS Connections

Wargot_ironport
Level 1

Guys

Before I log a feature request, I was wondering if anyone else has a better suggestion in relation to Forced Outbound TLS connections.

We currently have Preferred TLS turned on for all Inbound and Outbound connections. However for specific 3rd parties we have defined via the Destination controls that TLS must be used.

We are now in the situation that we are getting more and more requests to set up forced TLS connections to 3rd parties. This means that each time we have to add a new domain into the destination controls list, using the default settings, except for the "Forced" TLS option.

I have been looking for a better way to do this, but I can't see anything. It would be nice to have something like the HAT with specific Outbound MFPs that we can just add domains to the Sender Group.

I suppose this is one of those nice to have things, but I am just trying to find a way to make the management of the Forced TLS connections a bit easier from our end.

Has anyone asked this previously, or got a better option?

9 Replies

kyerramr
Level 1

There is an existing feature request # 50836, ability to import/export destination control list which can be edited off the box for bulk upload.

Please contact your sales rep or Cisco IronPort Support to have your request added to the FR.

Best,
Kishore

Jason Meyer
Level 1

I am getting ready to switch our IronPort appliances to use Preferred TLS for all incoming/outgoing connections. Anyone else doing this? Good results?

Wargot_ironport
Level 1

Jason

We have been using Preferred TLS for all Inbound and Outbound messages for the last year.

We have had no issues with it to date, and there was no performance hit on the appliances that we were aware of.

It also helps us to identify companies that our users are emailing that could be candidates for then moving to a forced TLS connection.

Jason Meyer
Level 1

Thanks Wargot, it's on my list of changes to make.

steven_geerts
Level 1

Hello,

I can assure you that turning "preferred TLS" on has had no impact on our production traffic at all.

Steven

frederic.lens
Level 1

Dear all,

We have also had TLS set to preferred for at least a year. No problem so far. The change was completely transparent to all users! Like Wargot, we had no performance impact.

What we've done, specifically, is to set TLS to preferred for all HAT entries except for the THROTTLED and BLOCKED policies.

Make sure to use publicly trusted certificates (we use Wildcard certificates from Comodo), it will save you a lot of trouble!

Cheers,
Fred

Jason Meyer
Level 1

Thanks for the input Fred.

Why would going from a forced TLS setting to a preferred TLS setting increase load?

I have some big banks requiring me to go from preferred to forced for hundreds of their domains.  Has anyone done this?  My concerns are basically load and syntax errors.

It increases load simply because encryption/decryption requires CPU time.  It's not much for an individual message, but it adds up when you're processing many simultaneously.
