Cisco Secure Email Support Community

oh_ironport
Beginner

Setup one IronPort to send to another

We will be setting up 4 IronPort systems and for reasons that I don't want to explain, we will be setting up 2 systems as 'external' and 2 systems as 'internal'. The 'external' systems will accept email from the internet and will use SBRS and LDAP accept. The 'internal' systems will accept email from the 'external' systems and will be used for Spam and Virus filtering.

How would a setup like this be configured for SMTP Routes on the 'external' and RAT on the 'internal'?

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

3 REPLIES 3
kyerramr
Beginner

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

Yes, SMTP route for "yourdomain.com" would be the IP address of the IronPort.


The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

RAT would be "yourdomain.com". Set up the HAT for the listener such that there is only WHITELIST and delete everything else. List the IP address of the external IronPort's delivery interface in the WHITELIST (make sure there is no throttling). By deleting other sender groups there would be only two sender groups (WHITELIST and ALL). Set the policy action ACCEPTED to reject; this way messages from your external IronPort would be the only messages accepted by the internal IronPort.

oh_ironport
Beginner

Thanks to kyerramr for the solution. Works great.

Now that the systems are set up and working, I have another question. Hopefully someone knows a solution/workaround.

When I look at the 'internal' IronPort web interface, going to Monitor, then Incoming Mail by IP address, I only see the IP address of our 'external' IronPort. This is both for Threat and Clean messages.

I would like to see the IP address of the system which connected to our 'external' IronPort. I've tried removing Add Received Header on both IronPorts' listeners and each one separately. This doesn't fix it.

Is there an IronPort setting that ignores the last hop (Received header)?

rokeeffe265
Beginner

Hi Oh,

I may be sending you down the wrong road here, and if I am I apologise.
I think what you are looking for is in Network > Incoming Relays.

Enable this feature and add the IP of the external IronPort; you can also adjust headers here at this stage.
Hope this helps,
R.
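The idea behind the last two posts, as an added example that is not from the thread and is not how AsyncOS implements Incoming Relays: when the connecting host is a known relay, take the sender address from the Received header that relay added, and otherwise trust only the TCP peer. All addresses, host names and function names are constructed for illustration, and the lookup depends on the 'external' listener still adding its Received header.

```python
import email
import ipaddress
import re

# Constructed address standing in for the 'external' appliance's delivery interface.
TRUSTED_RELAYS = [ipaddress.ip_network("10.1.1.10/32")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message as the 'internal' listener would receive it.
SAMPLE = (
    "Received: from mail.sender.example ([203.0.113.45])\n"
    " by external.ourdomain.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from forged.example ([198.51.100.7])\n"
    " by mail.sender.example; Mon, 1 Jan 2024 09:59:00 +0000\n"
    "From: a@sender.example\n"
    "\n"
    "body\n"
)

def is_trusted(ip, relays=TRUSTED_RELAYS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in relays)

def peer_ip(received_value):
    """IP literal in the 'from' clause of one Received header, or None."""
    from_clause = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    match = BRACKETED_IP.search(from_clause)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None

def original_sender_ip(raw_message, connecting_ip, relays=TRUSTED_RELAYS):
    # A host that is not one of our relays gets no say: its headers are
    # sender-controlled, so the TCP peer address is the only fact we have.
    if not is_trusted(connecting_ip, relays):
        return connecting_ip
    msg = email.message_from_string(raw_message)
    # Received headers are prepended, so the first one is the newest hop.
    for value in msg.get_all("Received", []):
        ip = peer_ip(value)
        if ip is None:
            break  # unparsable hop: stop rather than trust anything older
        if not is_trusted(ip, relays):
            return ip  # first hop outside our relays; older headers are unverified
    return connecting_ip
```
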
