Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Cisco Register Envelope Service (CRES) Jan. 16th failover/outage & CRES IP address info


Tue, 03/25/2014 - 07:35
Mar 12th, 2014
User Badges:
  • Cisco Employee,

On Jan 16th, 2014, Cisco’s Register Envelope Service site failed over to a backup data center.  Customers that had configured static IP addresses for their Email Security Appliances to reach the key server res.cisco.com on port 443 have been unable to reach https://res.cisco.com

By default, Cisco Email Security Appliances use forward and reverse DNS to match against sender groups. Cisco Email Security Appliances also communicate using DNS resolution with the statically configure key server host res.cisco.com when doing envelope encryption.

Environments with strict network access may have configured static IP addresses under the Sender Groups defined in the Host Access Table to control inbound TLS or static IP addresses on their perimeter network devices restricting outbound access to the key server res.cisco.com:443.  If you have configured IP-based access control to permit inbound TLS connections from Cisco’s ".res.cisco.com" servers, or outbound port 443 access to res.cisco.com, you will need to modify your rules to support the active and fail over IP ranges that are used by the Cisco Registered Envelope Service.
Cisco Registered Envelope Service uses the following IP address range to initiate SMTP –TLS sessions:
    Active ESAs for TLS delivery: to
    Backup ESAs for TLS delivery: to
    Reverse DNS name .res.cisco.com

Some customers may also restrict access to Cisco’s CRES Key Server res.cisco.com.  The CRES Key Server res.cisco.com has two blocks of VIPs.  Please add them to your network devices access rules where appropriate:
    Active: to Port 443
    Backup: to Port 443

What needs to be done on the ESA?

Add the above listed IP address range and hostname to your existing sender group being used for TLS (Incoming):

1. Login to Admin UI
2. Edit your TLS sender group (naming convention would vary) under Mail Policies > Host Access Table > HAT Overview
3. Add the following IP address range and hostname: .res.cisco.com .res.cisco.com
4. Submit and commit changes

Note: It is highly recommended to add the hostname ".res.cisco.com" along with the above IP address range since any future additions will have DNS to do the lookup for the IP address information.



This Blog

Related Content