two ESAs where the backup hosts the ISQ with CM (KB: 610)

Unanswered Question
May 24th, 2007


last Tuesday we had a small discussion at the IronPort Partnerday about the Knowledge Base article 610
"Configure two ESAs where the backup hosts the ISQ with Centralized Management".

The main problem with the proposed solution is that you have to break your clustered configuration for HAT/RAT. Which means you need to configure white-/blacklisted Servers and Recipients in the Access table on both machines again. Therefor I would like to suggest a new way of doing this, which leaves me the benefit of the Centralized Managment for the cost of having an idle listener:

Instead of adding the Listener only on one appliance, you add the listener to the Cluster. This will not break anything on the Non-ISQ Box, as there is no traffic routed to this Machine. And don't forget to add the IP Address of the backup ESA into the Incoming Relays list, otherwise you could break your reputation. :)

If you have a special IP Address for the ISQ, you can also add this Interface on the second Box with the same name.

Any comments welcome,

Adrian Woizik

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Bart_ironport Mon, 06/11/2007 - 13:34

I have several systems configured that way, never had a problem with them. You can't sell centralized management if the first thing you need to do is break the cluster config again ;)

I can't seem to find #610 anymore but i remember that some older KB articles said to use a message filter like this to send spam received on the QuarantineListener to the spam quarantine:

if (recv-listener == "QuarantineListener") {

Don't use that filter because its broken, you won't be able to release messages from the quarantine anymore. Instead I use something like this:

if (recv-listener == "QuarantineListener") {
insert-header("X-Ironport-Quarantine", "Quarantine");

The only unfortunate side-effect of hosting the spam quarantine on one box is that the reporting is wrong again. Any message sent this way is logged as a clean message.

I'm curious about your comment about breaking your reputation. How would this setup affect your reputation? You're not scanning for spam again on the second box, so even if it shares statistics, won't it just report that a lot of clean mail was received from the first box?
jloehler_ironport Mon, 06/11/2007 - 23:12

Adrian, Bart,

we typically use a configuration similar to yours, but I configure the dedicated ISQ listener as a private (outbound) listener. So the quarantined mails are not counted in the inbound statistic.


Eisenhafen Wed, 10/31/2007 - 15:50

So what happened to KB ID 610?
I would have liked to read this post.

Mark [CSE]_ironport Thu, 11/01/2007 - 13:30

It got pulled, as it had some configuration options set that did more bad then good.

Support has the changed version of the article, it is not published yet, as 5.5 has put some holes in the new workaround again. For those who don't use the safe and block list in 5.5 the version you can get from support, works well.

Best Regards,



This Discussion