- Cisco Employee,
On Jan 16th, 2014, Cisco’s Registered Envelope Service site failed over to a backup data center. Customers that had configured static IP addresses for their Email Security Appliances to reach the key server res.cisco.com on port 443 have been unable to reach https://res.cisco.com.
By default, Cisco Email Security Appliances use forward and reverse DNS to match connecting hosts against sender groups. Cisco Email Security Appliances also use DNS resolution to communicate with the statically configured key server host res.cisco.com when doing envelope encryption.
Environments with strict network access may have configured static IP addresses under the Sender Groups defined in the Host Access Table to control inbound TLS, or static IP addresses on their perimeter network devices restricting outbound access to the key server res.cisco.com:443. If you have configured IP-based access control to permit inbound TLS connections from Cisco’s ".res.cisco.com" servers, or outbound port 443 access to res.cisco.com, you will need to modify your rules to cover both the active and the failover IP ranges used by the Cisco Registered Envelope Service.
Cisco Registered Envelope Service uses the following IP address ranges to initiate SMTP/TLS sessions:
Active ESAs for TLS delivery: 188.8.131.52 to 184.108.40.206
Backup ESAs for TLS delivery: 220.127.116.11 to 18.104.22.168
Reverse DNS name .res.cisco.com
Some customers may also restrict access to Cisco’s CRES Key Server res.cisco.com. The CRES Key Server res.cisco.com has two blocks of VIPs. Please add both to your network devices' access rules where appropriate:
Active: 22.214.171.124 to 126.96.36.199 Port 443
Backup: 188.8.131.52 to 184.108.40.206 Port 443
What needs to be done on the ESA?
Add the IP address ranges and the hostname listed above to the existing sender group you use for TLS (Incoming):
1. Log in to the Admin UI
2. Edit your TLS sender group (the name varies by installation) under Mail Policies > Host Access Table > HAT Overview
3. Add the IP address ranges and the hostname listed above
4. Submit and commit the changes
Note: It is highly recommended to add the hostname ".res.cisco.com" along with the IP address ranges above, since any future address additions are then picked up through DNS lookup without another rule change.
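To show why the hostname entry matters, here is an added example (not Cisco's code and not the ESA's own HAT implementation) that simulates sender-group matching against a constructed reverse/forward DNS table: a group pinned only to the primary IP range rejects a host from the failover range, while the same group with ".res.cisco.com" added admits it, and a host whose PTR claims the domain but whose forward record disagrees is still rejected. The TEST-NET addresses and hostnames are constructed placeholders, and the suffix semantics (a leading "." matches any host in that domain) are an assumption.

```python
import ipaddress

# Constructed reverse (PTR) and forward (A) records standing in for live DNS.
PTR_RECORDS = {
    "192.0.2.10": "esa1.res.cisco.com",     # host in the primary (active) range
    "198.51.100.10": "esa2.res.cisco.com",  # host in the failover (backup) range
    "203.0.113.10": "mail.example.net",     # unrelated third party
    "203.0.113.11": "esa3.res.cisco.com",   # PTR claims the domain, A record disagrees
}
A_RECORDS = {
    "esa1.res.cisco.com": {"192.0.2.10"},
    "esa2.res.cisco.com": {"198.51.100.10"},
    "mail.example.net": {"203.0.113.10"},
    "esa3.res.cisco.com": {"198.51.100.77"},
}

def parse_range(entry):
    """Parse 'a.b.c.d to w.x.y.z' (or a single address) into (start, end)."""
    start, _, end = entry.partition(" to ")
    lo = ipaddress.IPv4Address(start.strip())
    hi = ipaddress.IPv4Address(end.strip() or start.strip())
    if lo > hi:
        raise ValueError(f"range start is above its end: {entry}")
    return lo, hi

def fcrdns_name(ip):
    """Forward-confirmed reverse DNS: PTR name only if its A record points back at ip."""
    name = PTR_RECORDS.get(ip)
    if name and ip in A_RECORDS.get(name, set()):
        return name
    return None

def sender_group_matches(entries, ip):
    """Return the sender-group entry that admits ip, or None.
    Entries are IP ranges ('a to b'), single IPs, or hostname suffixes
    starting with '.' that are matched against the FCrDNS name (assumed semantics)."""
    addr = ipaddress.IPv4Address(ip)
    for entry in entries:
        if entry.startswith("."):
            name = fcrdns_name(ip)
            if name and name.endswith(entry):
                return entry
        else:
            lo, hi = parse_range(entry)
            if lo <= addr <= hi:
                return entry
    return None

# Group pinned only to the primary range, and the same group with the hostname added.
IP_ONLY = ["192.0.2.1 to 192.0.2.20"]
WITH_HOSTNAME = ["192.0.2.1 to 192.0.2.20", ".res.cisco.com"]
```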