03-03-2009 07:31 PM
We will be setting up 4 IronPort systems and for reasons that I don't want to explain, we will be setting up 2 systems as 'external' and 2 systems as 'internal'. The 'external' systems will accept email from the internet and will use SBRS and LDAP accept. The 'internal' systems will accept email from the 'external' systems and will be used for Spam and Virus filtering.
How would a setup like this be configured for SMTP Routes on the 'external' and RAT on the 'internal'?
The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?
The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?
03-05-2009 04:41 AM
The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?
Yes, SMTP route for "yourdomain.com" would be the IP address of the IronPort.
The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?
RAT would be "yourdomain.com". Set up the HAT for the listener such that there is only WHITELIST and delete everything else. List the IP address of the external IronPort's delivery interface in the WHITELIST (make sure there is no throttling). By deleting other sender groups there would be only two sender groups (WHITELIST and ALL). Set the policy action ACCEPTED to reject; this way messages from your external IronPort would be the only messages accepted by the internal IronPort.
03-17-2009 03:29 PM
Thanks to kyerramr for the solution. Works great.
Now that the systems are set up and working, I have another question. Hopefully someone knows a solution/workaround.
When I look at the 'internal' IronPort web interface, going to Monitor, then Incoming Mail by IP address, I only see the IP address of our 'external' IronPort. This is both for Threat and Clean messages.
I would like to see the IP address of the system which connected to our 'external' IronPort. I've tried removing Add Received Header on both IronPorts' listeners and each one separately. This doesn't fix it.
Is there an IronPort setting that ignores the last hop (Received header)?
03-18-2009 05:09 PM
Hi Oh,
I may be sending you down the wrong road here, and if I am I apologise.
I think what you are looking for is in Network>Incoming Relays.
Enable this feature and add the IP of the external IronPort. You can also adjust headers here at this stage.
Hope this helps,
R.
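The idea behind treating the 'external' systems as incoming relays, as an added example that is not part of the thread and is not IronPort's own implementation: when the connecting peer is a trusted relay, the original sender is taken from the Received header that relay wrote, and nothing below the first untrusted hop is believed. The function names, relay addresses and sample message are constructed for illustration, and the message is assumed to be as it arrives at the 'internal' system, before that system adds its own header.

```python
import email
import ipaddress
import re

FROM_CLAUSE = re.compile(r"\s*from\s(.*?)(?:\sby\s|;|\Z)", re.S)
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_from_ip(header_value):
    """Peer IP recorded in the 'from' clause of one Received header, or None."""
    clause = FROM_CLAUSE.match(header_value)
    found = BRACKETED_IP.search(clause.group(1)) if clause else None
    if not found:
        return None
    try:
        return ipaddress.ip_address(found.group(1))
    except ValueError:
        return None

def original_sender_ip(raw_message, connecting_ip, trusted_relays):
    """IP of the first host outside the trusted relays, or None if unknown."""
    trusted = {ipaddress.ip_address(r) for r in trusted_relays}
    peer = ipaddress.ip_address(connecting_ip)
    if peer not in trusted:
        return str(peer)  # direct connection: the socket address is the sender
    # Newest header first. Each header reached here was written by a trusted
    # relay; stop at the first untrusted IP, because every header below it
    # was supplied by the sender and can be forged.
    for value in email.message_from_string(raw_message).get_all("Received", []):
        ip = received_from_ip(value)
        if ip is None:
            return None  # relay left no usable record
        if ip not in trusted:
            return str(ip)
    return None  # no Received header from the relay (e.g. it was disabled)

# Constructed sample: 10.0.0.11 and 10.0.0.12 stand in for the 'external' pair.
TRUSTED = {"10.0.0.11", "10.0.0.12"}
SAMPLE = (
    "Received: from mail.sender.example (mail.sender.example [198.51.100.7])\n"
    "\tby external1.ourdomain.com with ESMTP; Tue, 17 Mar 2009 15:20:01 -0400\n"
    "Received: from forged.example ([192.0.2.99]) by mail.sender.example;\n"
    "\tTue, 17 Mar 2009 15:19:58 -0400\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(original_sender_ip(SAMPLE, "10.0.0.11", TRUSTED))
```

The `None` result for a message with no Received header shows why the relay must keep adding its header: without it, the downstream system has no trustworthy record of who connected to the relay.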