last Tuesday we had a small discussion at the IronPort Partnerday about the Knowledge Base article 610
"Configure two ESAs where the backup hosts the ISQ with Centralized Management".
The main problem with the proposed solution is that you have to break your clustered configuration for HAT/RAT. Which means you need to configure white-/blacklisted Servers and Recipients in the Access table on both machines again. Therefor I would like to suggest a new way of doing this, which leaves me the benefit of the Centralized Managment for the cost of having an idle listener:
Instead of adding the Listener only on one appliance, you add the listener to the Cluster. This will not break anything on the Non-ISQ Box, as there is no traffic routed to this Machine. And don't forget to add the IP Address of the backup ESA into the Incoming Relays list, otherwise you could break your reputation. :)
If you have a special IP Address for the ISQ, you can also add this Interface on the second Box with the same name.
Any comments welcome,