Security Email Security C170 TO C190

zubairgondal77@gmail.com · ‎03-19-2018

I have currently one ESA C170 configured and deployed in our production network and working fine. Now I want to replace that C170 with two C190 which will be configured in cluster.

Q1. Can I import the existing configuration of C170 into C190 if yes what is minimum requirement for Asyns OS on both appliances.

Q2. DO I need two MX for my appliances. One MX for each appliance which will have entry in DNS for FQ host name of appliance which will point to MX of each appliance or I can use a single MX for both my appliances(C190's).C190 will be in outer DMZ and there is a firewall b/w internal network and internet.

Q3. Currently I have only a single MX record for my domain which I will replace later with MX of appliances.

Libin Varghese · ‎03-19-2018

Hi,

Based on Async OS release notes, support for x90 hardware models began at 9.7.2.

https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7-2_Release_Notes.pdf

So you would want to upgrade all devices (C170 and C190) to 9.7.2 or above, once the versions match you should be able to import the configuration file over.

You can use a single or multiple MX records depending on how you intend to get the connections reach the ESA. You can have a single MX pointing to the firewall, which would NAT the connections to both ESA's. The firewall would be responsible for sending the connections to both ESA's and load balancing.

If you would like SMTP traffic to be sent directly to the ESA load-balanced by the DNS weights then you would need two separate DNS MX records.

Regards,

Libin Varghese