
I set up/configured two C190 ESA in a cluster, but now what?

CP2
Level 1

Hi folks. I was tasked with setting this device up, but I'm not really well versed in e-mail security. I did set up the C190s by way of import from our old device, but we are on our way to take that device down and have the new cluster do the job. What am I supposed to do on the server/host end to make sure the mail is going through the ESA? I was given some surface knowledge on what to do, but it wasn't clear to me. I am supposed to alter an MX record and what else?

4 Replies

SriramV
Cisco Employee

A cluster in ESA means sharing and updating security configs between ESAs.

In ESA, except for basic config like interface config, all other config is moved from one ESA to another ESA after successful cluster setup. No need to alter the MX record, as the ESAs still work as individual entities.

Follow the Cisco ESA Cluster Guide to configure the cluster.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200885-ESA-Cluster-Requirements-and-Setup.html

 

Hope this answers your question.

So with the settings being mirrored, I am having issues getting messages through the 2nd IronPort. It seems we cannot connect to port 25. The funny thing is the listener on the 2nd IronPort is the listener for the 1st IronPort. Does this mean I should break the cluster in order to utilize the two devices? Also, what am I to do with DNS? All of our hosts use mail.mymail.com in the DNS. I changed the DNS record CNAME to reflect mail.mymail.com = ironport1.mymail.com. In Microsoft server I can only make one CNAME. So if I wanted the mail load split between the two, could I do it in DNS? Or does this have to be done at the network load balancer level? Thanks for the help in advance!

dmccabej
Cisco Employee

Hello,

 

You'll want to make sure that the Interface Name on each ESA is exactly the same (including capitalization).

 

IE:

ESA1 = Management

ESA2 = management

 

The above scenario will cause the listener on ESA2 to not start successfully because of the lowercase 'm', and you would need to set the name to Management and Submit/Commit the changes. 

 

Also, an easy answer to your latter question could be to just create two A records for ironport1.mymail.com pointing to the separate ESAs, but the downside is that DNS round-robin load balancing is not going to be nearly as efficient as using an actual LB product.

 

Thanks!

-Dennis M.

Thanks for the input. So I named both of the interfaces the same thing. And it seems the 2nd IronPort is now passing traffic. The issue now is that it seems that the internal sender address on outgoing mail is the actual IronPort itself. So does that mean the 1st IronPort is passing messages to the 2nd IronPort to then get it to its destination? Overall it SEEMS like the job is getting done, but on the daily and weekly reports the 2nd IronPort will only be reporting from one sender....itself hahaha.