06-12-2007 02:54 PM
Our Environment:
Email: Lotus Notes
Content Scanner: Vontu
Encryption: PGP
Currently, our email goes from Lotus Notes to IronPort, which then sends it to Vontu to scan for content. Vontu sends it back to IronPort.
IronPort then checks to see if the message has been marked for encryption by Vontu, and if it has, it sends it to PGP. If not, it sends it to the Internet.
Currently, PGP sends the message it receives to the Internet. I would like to send the message back to IronPort and let IronPort send it out, just in case we decide at a later date to add another process in there.
First question: In PGP, do I just give the host name of outbound mail back to IronPort on a separate port, or can it go back on port 25?
Second question: In IronPort, what rule set do I put in to receive the email back from PGP? When I send an email out through PGP currently, I do not see a Source X-Header in the email I receive. Has anyone tried to do this and use PGP as a policy server?
Zeff Wheelock
06-27-2007 06:31 PM
Of course the IP addresses have been changed to protect the innocent company.
As you can see, we wanted IronPort to receive email from the Internet, and if it required encryption, hand off to the PGP server and then have the PGP server send it back to IronPort for internal delivery. This required 3 filters and also the creation of a relay group. Order of filters is important.
First Filter:
This filter states that if IronPort receives a message from any PGP IP address, then deliver it, as it has already been processed by PGP, to avoid any looping. I have implemented .50 for inbound from the Internet and .51 for virtual or Internet-destined email (thus inbound and outbound connectors on the same PGP Universal server):
been-pgpd: if (remote-ip == "209.152.183.50") OR (remote-ip == "209.152.183.51") {
    deliver();
}
Second Filter:
This filter states that if a message has been received from the outbound listener and the sender is a member of the group "PGP", ship it to PGP to see if processing is required for the destination domain. (The group membership is specific to my organization: we've created an LDAP directory and given people authorized to use PGP an attribute stating such, and IronPort does a lookup to see if they are a member of this group.)
PGP_filter: if recv-listener == "outgoingaigmail" {
    if mail-from-group == "PGP" {
        alt-mailhost ("209.152.183.51");
    }
}
Third Filter:
This filter looks at attachments and determines if there is encryption within email content originating on the Internet, and then sends it to the PGP Universal server for processing. After processing, the PGP Universal server sends it back to IronPort, and the first filter tells IronPort to deliver.
PGP_Inboundfilter: if recv-listener == "IncomingaigMail" {
    if (encrypted) OR (attachment-filename == "\\.pgp$") {
        alt-mailhost ("209.152.183.50");
    }
}
Hope this helps
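As an added illustration (not part of the post above, and not AsyncOS code), here is a small Python model of the three filters and the IronPort/PGP hand-off. It mirrors AsyncOS's split between non-final actions (alt-mailhost records a new destination host and evaluation continues) and final actions (deliver stops evaluation), and shows why been-pgpd must come first: if a message comes back from PGP still encrypted (for example, no key for the recipient) and the inbound filter is evaluated before the deliver(), it is routed to PGP again. The PGP addresses are the anonymised ones from the post; the Internet and Domino sender addresses and the gateway behaviour are constructed for the example.

```python
"""Model of the ordered IronPort message-filter chain from the post.

Added example, not the poster's configuration and not AsyncOS code. It mirrors
AsyncOS's split between non-final actions (alt-mailhost: record a new
destination host, keep evaluating) and final actions (deliver: stop evaluating).
"""
from dataclasses import dataclass, replace

# IP addresses as given (already anonymised) in the post.
PGP_INBOUND = "209.152.183.50"    # PGP Universal, Internet-origin mail
PGP_OUTBOUND = "209.152.183.51"   # PGP Universal, internally originated mail
# Constructed sender addresses for this example (RFC 5737 / RFC 1918 ranges).
INTERNET_IP = "198.51.100.7"
DOMINO_IP = "10.1.1.5"


@dataclass(frozen=True)
class Msg:
    remote_ip: str
    listener: str                    # "IncomingaigMail" or "outgoingaigmail", as in the post
    sender_in_pgp_group: bool = False
    encrypted: bool = False          # what the AsyncOS "encrypted" rule would report
    attachment: str = ""             # first attachment filename, "" if none


# Each filter returns (action, argument) or None when it does not match.
def been_pgpd(m):
    if m.remote_ip in (PGP_INBOUND, PGP_OUTBOUND):
        return ("deliver", None)
    return None


def pgp_filter(m):
    if m.listener == "outgoingaigmail" and m.sender_in_pgp_group:
        return ("alt-mailhost", PGP_OUTBOUND)
    return None


def pgp_inbound_filter(m):
    if m.listener == "IncomingaigMail" and (m.encrypted or m.attachment.lower().endswith(".pgp")):
        return ("alt-mailhost", PGP_INBOUND)
    return None


POST_ORDER = [been_pgpd, pgp_filter, pgp_inbound_filter]   # the order the post uses
WRONG_ORDER = [pgp_inbound_filter, pgp_filter, been_pgpd]  # deliver() evaluated last


def run_filters(m, filters):
    """Return the alternate mail host to route to, or None for normal delivery."""
    host = None
    for f in filters:
        act = f(m)
        if act is None:
            continue
        kind, arg = act
        if kind == "alt-mailhost":
            host = arg        # non-final: remember the override, keep evaluating
        elif kind == "deliver":
            break             # final: later filters never run
    return host


def pgp_gateway(m, can_decrypt):
    """PGP Universal hands the message back to IronPort from its own IP."""
    if m.listener == "IncomingaigMail":
        # Inbound: decrypt when a key is available, otherwise return it untouched.
        if can_decrypt:
            return replace(m, remote_ip=PGP_INBOUND, encrypted=False, attachment="")
        return replace(m, remote_ip=PGP_INBOUND)
    return replace(m, remote_ip=PGP_OUTBOUND, encrypted=True)   # outbound: encrypt


def trace(m, filters, can_decrypt=True, max_hops=6):
    """Follow one message around the loop; the list ends in 'deliver' or 'LOOP'."""
    hops = ["IronPort"]
    for _ in range(max_hops):
        if run_filters(m, filters) is None:
            return hops + ["deliver"]
        m = pgp_gateway(m, can_decrypt)
        hops += ["PGP", "IronPort"]
    return hops + ["LOOP"]


if __name__ == "__main__":
    stuck = Msg(INTERNET_IP, "IncomingaigMail", encrypted=True)   # no key at the gateway
    print("post order :", trace(stuck, POST_ORDER, can_decrypt=False))
    print("wrong order:", trace(stuck, WRONG_ORDER, can_decrypt=False))
```

With the post's order the undecryptable message takes one trip to PGP and is then delivered; with deliver() last, the alt-mailhost override is already set by the time the deliver() runs, so the message goes back to PGP until a hop limit stops it. The same applies to any later stage added to the chain (the Vontu hop in the original question): every hop that returns mail to IronPort needs a matching "already processed" filter ahead of the routing filters.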
10-04-2007 02:22 PM
Sorry to take so long to respond to this. I was waiting to take the IronPort classes so I understand it better. Now that I have taken the classes, I can better explain/understand what is being said.
OK, here is what I have found. We have enabled port pairing on our C350. We have 3 listeners defined: one that listens on port 25 to receive email from our Lotus Domino servers, one that listens on port 10026 to receive email from our Vontu content scanning system, and one that listens on port 10025 to receive messages from PGP (as I cannot define port 25 again).
I have 3 filters, one that receives from Domino, one that receives from Vontu and one that receives from PGP, that all put in an X-Header stating where it is coming from, and the content filters then direct it to the next place in the hop.
1) Are we limited going one way with port pairing?
2) Are we only able to define one port number per NIC in the listeners?
10-08-2007 09:51 AM
Hi!
I might be missing the point of why you have set up NIC pairing in order to be able to get your PGP scenario to work.
The only thing NIC pairing does is to logically combine two otherwise physically separate network interfaces into a single one, so in case one interface / cable / switch dies your appliance still stays connected to your network and you can fix the problem while the appliance keeps working the way it should.
As far as your second question goes, that is not really an IronPort limitation, but rather a networking one. On no network device that exists will you be able to run two different applications (or listeners) on the same port on the same IP. The appliance would never be able to tell which listener the incoming connection is meant for. Just imagine you would like to deliver a package to someone living in a housing estate, door no. 25, and when you reach the front door you find 3 doorbells for room no. 25, but no names: can't work.
What we usually do is define two IP interfaces for the incoming / outgoing connections with a listener on port 25 each, and then another "Encryption" interface that handles all the communication coming from / going to the PGP Universal GW (one listener on 25, another on 8025). Works like a charm and gives us all the flexibility we need.
On a side note, we had to find out through a lot of trial-and-error testing that the "encrypted" rule in the filters wouldn't catch all the encrypted incoming messages, for various reasons, so we had to set up our own. You might want to take a closer look into this.
Cheers.
Torsten
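Torsten does not say which messages the built-in "encrypted" rule missed, so the following is an added example (not Torsten's filter and not an AsyncOS rule) of the kind of supplementary check worth building: it combines several independent signals that a message carries encrypted content before it is handed to the gateway, namely RFC 3156 PGP/MIME structure, an S/MIME enveloped-data part, inline ASCII-armoured PGP in a text part, and attachment extensions. The sample messages are constructed inline and contain no real ciphertext or key material.

```python
"""Added example: several independent signals that a message carries encrypted
content, for routing it to the encryption gateway. Not Torsten's filter and
not an AsyncOS rule; the sample messages below are constructed and hold no
real ciphertext."""
import re
from email import message_from_string
from email.policy import default

ARMOR_RE = re.compile(r"^-----BEGIN PGP MESSAGE-----", re.MULTILINE)
# .asc also covers detached signatures, so the extension check is a broad net:
# acceptable when the action is "route to the gateway", not "block".
EXT_RE = re.compile(r"\.(pgp|gpg|asc|p7m)$", re.IGNORECASE)


def encryption_signals(raw: str) -> list[str]:
    """Return the sorted list of reasons the message looks encrypted ([] if none)."""
    msg = message_from_string(raw, policy=default)
    found = set()
    # RFC 3156 PGP/MIME: multipart/encrypted with protocol application/pgp-encrypted
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        found.add("pgp-mime")
    for part in msg.walk():
        # RFC 8551 S/MIME: application/pkcs7-mime; smime-type=enveloped-data
        if (part.get_content_type() == "application/pkcs7-mime"
                and str(part.get_param("smime-type", "")).lower() == "enveloped-data"):
            found.add("smime-enveloped")
        name = part.get_filename()
        if name and EXT_RE.search(name):
            found.add("attachment-ext")
        # Inline (non-MIME) PGP: armour header inside a text part
        if part.get_content_maintype() == "text" and ARMOR_RE.search(part.get_content()):
            found.add("inline-armor")
    return sorted(found)


# Constructed samples (no real key material or ciphertext).
PGP_MIME = """\
From: alice@example.com
To: bob@example.com
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
not-real-ciphertext
-----END PGP MESSAGE-----

--b1--
"""

INLINE_PGP = """\
From: alice@example.com
To: bob@example.com
Subject: fyi
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----
not-real-ciphertext
-----END PGP MESSAGE-----
"""

SMIME = """\
From: alice@example.com
To: bob@example.com
Subject: contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

bm90LXJlYWwtY2lwaGVydGV4dA==
"""

PLAIN = """\
From: alice@example.com
To: bob@example.com
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

See you at noon. Read the attached PGP how-to first.
"""

if __name__ == "__main__":
    for label, sample in [("pgp/mime", PGP_MIME), ("inline", INLINE_PGP),
                          ("s/mime", SMIME), ("plain", PLAIN)]:
        print(f"{label:9s} -> {encryption_signals(sample)}")
```

Each signal is cheap to evaluate and independent of the others, so a message that defeats one (an inline-armoured body with no attachment, or a PGP/MIME message whose second part carries no filename) is still caught by another. The plain message mentions PGP in its body but matches nothing, which is the false-positive case a body-keyword rule would get wrong.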
10-12-2007 10:44 AM
I have also read that you can configure paired data ports as both inbound and outbound. You define the Inbound through the RAT and the Outbound through the HAT.
How can you write a message filter to act upon an outbound email and another filter to act upon an inbound email?
Do most people use each data port as a separate interface and if a NIC goes down, fail over to another box?
10-12-2007 01:50 PM
1) One Incoming IP interface, one Incoming Listener (Port 25)
2) One Outgoing IP interface, one Outgoing Listener (Port 25)
3) One Encryption IP interface, two Listeners (In Port 25, Out Port 8025)
4) One Management IP interface running all the management services (ssh, ftp, https)
10-12-2007 02:07 PM
You need to be careful when you are talking about interfaces.
The C350 has, by default, 3 physical interfaces. Data1, Data2, Management.
But there are also LOGICAL IP interfaces that are technically in no way limited, only by "license". On the C150 for example you can have a maximum of 4 IP interfaces. I am not sure about the C350/C650. I think it used to be something like 16/32 or 32/64, but I am not 100% sure anymore and too lazy to look it up.
Now what you want to do is:
1) Set up NIC Pairing on the device (through the CLI) and name your pair PAIR01. Hook up both NICs to your switch(es).
2) Configure your first IP interface (Network -> IP Interface -> New) and set your IP, Netmask, Hostname AND... the ethernet port to PAIR01
3) Configure your second IP interface (Network -> IP Interface -> New) and set your IP, Netmask, Hostname AND... the ethernet port to PAIR01
4) Configure your third IP interface (Network -> IP Interface -> New) and set your IP, Netmask, Hostname AND... the ethernet port to PAIR01
Do you notice a pattern? That way all IP interfaces will be bound to the same NIC pair you created before and all communication to the unit will use a single ethernet port (or pair).
Again, this is only an example and may be different on your side.
Torsten
10-12-2007 03:44 PM
Data1 could be the outbound connector from Domino
Data2 could be the PGP connector
Data3 could be the inbound connector from the Internet
Each of those could have port 25 defined if I am understanding you correctly.