03-09-2016 05:08 AM
Hi everyone,
It doesn't help that we are still on 7.5.x or 7.6.x, I think from memory, however we are running C670s.
I see that 9.7.1 is the latest - I would prefer to upgrade to a more current version before doing the below.
Just after some information on best way to approach this problem.
Currently the setup is two external (DMZ) facing interfaces and then two internal interfaces - therefore four interfaces.
External routes traffic to internal - the external facing does the content filtering, etc before passing off to the internals to complete the processing of the Email to exchange servers.
Internal allows certain allowed/whitelisted IP addresses to send Email directly outbound from the network; if the address doesn't exist in the list, it's rejected.
So currently they are in parallel and we are looking to move them into series - all four will be the external/DMZ interfaces and the internal ones will no longer exist.
So my question is - what is the best way to achieve that goal? I assume that rules will need to be exported from internal and added to the external ones, and other configurations and interfaces changed.
Anyone done this before? Instructions on what to do/check to make it work with minimal chance of issues?
03-09-2016 07:47 AM
I may be looking to do this shortly.
What we have already in the DMZ appliances are separate IP Interfaces for Private and Public.
As a quick thought...
Capacity planning during this cut-over may mean at some point losing high availability to migrate one box to assist with DMZ capacity.
Your choice whether the internal DNS MX records actually use all the DMZ appliances for outbound. Think about topology and throughput to determine best layout.
03-09-2016 08:55 PM
Basically sounds like our setup that you have listed there - we are looking at using the F5 as the entry points to the mail servers for future work, internal and external.
Unfortunately I was tired late last night and I didn't go into a lot of detail - however your comments have certainly given me information to work with, so thank you for that.
03-10-2016 05:54 AM
Lots of testing when using an LB, for both the inbound and outbound configuration, as some people are blocking emails due to enhanced checks that are not entirely in line with the RFCs.
Most of the issues are around transparency, subnets and how the IronPort hostname / NAT IP is presented to the outside world.
When there is a problem, both the LB team and the Email team are woken and point fingers at each other. We have moved to a more simplistic MX arrangement rather than the extra layer of technology, due to lack of understanding from the LB team over SMTP and delays in resourcing for enhancements to routing paths.