Configure common external quarantine for a C-series cluster.

Can anyone explain the procedure of creating a common external quarantine in KB Answer ID 897?

5 Replies

kluu_ironport
Level 2

I want to apologize for posting out all the steps below, but felt it was easier if all the steps were in this thread so folks didn't have to jump around.


Here is the procedure/steps from KB Answer ID 897. What is not clear in the steps below? If you can point out the instruction that is unclear or doesn't make sense, we can try to clarify.

-----------------------------------------------------------------------------


The following solution assumes that a centralized management cluster, comprised of two C-series appliances (for example, AP1, AP2), has been configured. AP1 is the appliance that will hold the common quarantine.

Steps:

1. AP1, machine level: Activate local spam quarantine. See IronPort Support KnowledgeBase article 751 for instructions.
2. Cluster level: Configure the IP address of AP2 in a relay policy (for reporting reasons). Add mail flow policy for relay, then add sender group on top to use this relay policy with the IP address of AP2.
3. Set up the IronPort appliance to relay your outbound mail. To do this:
o Choose Mail Policies > Mail Flow Policies
o Click Add Policy
o From the Connection Behavior drop-down list, select Relay
4. Create a new SenderGroup in your HAT. To do this:
o Choose Mail Policies > HAT Overview
o Click Add Sender Group
o Change the order to "1"
o Assign your new Relay Policy to the new SenderGroup.
+ Select Mail Policies > HAT Overview
+ Open the Sender Group from the table
+ Click Edit Settings
+ From the Policy drop-down list, select the Relay Policy you created above
o Click Submit and Add Senders
o In the Sender field add your mail servers
o Click Submit and Commit

5. Cluster level: Add a message filter to strip the headers in the previous steps, if they exist. (See IronPort Support KnowledgeBase article 627 for instructions on how to create message filters.)

RemoveHeaders:
if (header('X-IronPort-Quarantine') and header('X-IronPort-SkipCF'))
{
strip-header('X-IronPort-Quarantine');
strip-header('X-IronPort-SkipCF');
}

6. Cluster level: Add the following message filter:

ClusterQuarantine:
if(remote-ip == '') and (header('X-IronPort-CQ') == 'true')
{
skip-spamcheck();
skip-viruscheck();
skip-vofcheck();
insert-header('X-IronPort-Quarantine', 'true');
insert-header('X-IronPort-SkipCF', 'true');
}

7. Cluster level: Create the external quarantine. To do this:
o Choose Monitor > External Quarantine > Add Quarantine
o Enter a name, set the IP address to that of AP1, and set the port to 25 (or to the port where AP1 is listening for incoming mail)

8. Cluster level: Add outgoing content filter with order 1. For information on how to create a new content filter see the Async OS User Guide (Email Security Manager chapter, Content Filters overview).

Enable this content filter for all mail policies.

9. Cluster level: In mail policies adjust the spam settings as follows:
o Choose Mail Policies (either Incoming or Outgoing)
o In the Anti-Spam column, click the link for either Disabled or Enabled (for the policy you want to change)
o In the Anti-Spam Settings section, enable Anti-Spam
o Under Positively-Identified Spam Settings > Apply This Action to Message select IronPort Spam Quarantine
o Click Advanced in the same section and in the Add Custom Header field add "X-IronPort-CQ" with the value "true"

Note: The solution described also works with larger clusters.
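As an added illustration (not part of the KB article or of this thread), here is a small Python model of the step 5 and step 6 message filters run in order over constructed sample messages; it shows why the remote-ip condition in step 6 matters and that, as written, step 5 strips the marker headers only when both are present. The AP2 address, the sender IPs and the header sets are constructed placeholders (step 6 in the article leaves the IP blank).

```python
from dataclasses import dataclass, field

# Constructed placeholder for the AP2 address that step 6 leaves blank.
AP2_IP = "192.0.2.2"


@dataclass
class Message:
    remote_ip: str                      # connecting host, as seen by AP1
    headers: dict = field(default_factory=dict)
    skipped_checks: list = field(default_factory=list)


def remove_headers(msg: Message) -> Message:
    """Step 5 'RemoveHeaders': strip both markers, but only if BOTH are present."""
    if "X-IronPort-Quarantine" in msg.headers and "X-IronPort-SkipCF" in msg.headers:
        del msg.headers["X-IronPort-Quarantine"]
        del msg.headers["X-IronPort-SkipCF"]
    return msg


def cluster_quarantine(msg: Message) -> Message:
    """Step 6 'ClusterQuarantine': fires only for mail relayed from AP2 that AP2 flagged."""
    if msg.remote_ip == AP2_IP and msg.headers.get("X-IronPort-CQ") == "true":
        msg.skipped_checks += ["spamcheck", "viruscheck", "vofcheck"]
        msg.headers["X-IronPort-Quarantine"] = "true"
        msg.headers["X-IronPort-SkipCF"] = "true"
    return msg


def run_filters(msg: Message) -> Message:
    """Filters are evaluated in the order they were added: step 5, then step 6."""
    return cluster_quarantine(remove_headers(msg))


# Constructed sample 1: spam flagged by AP2 (step 9) and relayed to AP1.
def relayed_from_ap2() -> Message:
    return run_filters(Message(AP2_IP, {"X-IronPort-CQ": "true"}))


# Constructed sample 2: an outside host presents all three marker headers itself.
# The remote-ip condition keeps step 6 from skipping the scans, and step 5
# removes the two markers it carried in.
def direct_with_markers() -> Message:
    hdrs = {"X-IronPort-CQ": "true", "X-IronPort-Quarantine": "true",
            "X-IronPort-SkipCF": "true"}
    return run_filters(Message("198.51.100.7", hdrs))


# Constructed sample 3: only one of the two markers is present, so step 5's
# 'and' condition is false and the header survives unchanged.
def direct_with_one_marker() -> Message:
    return run_filters(Message("198.51.100.7", {"X-IronPort-Quarantine": "true"}))
```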




At point 8, create an outgoing content filter. Which conditions and actions should be applied to this outgoing content filter?
One more question: I don't understand the header X-IronPort-SkipCF and . What does it stand for?


conauman
Cisco Employee

One of the IronPort CSEs updated Article 897, and it's now posted again to the external knowledge base. Please let us know if it's clearer now.

Thanks,

Cordelia Naumann
Knowledge Engineer, IronPort

"5. Cluster level: Add a message filter to strip the headers in the previous steps, if they exist. (See IronPort Support KnowledgeBase article 627 for instructions on how to create message filters.)"


Did you read KB article 627? It has nothing to do with message filters... Maybe the right article is 275?

conauman
Cisco Employee

Hi -

Thanks for the feedback. I will look at KB articles 627 and 275 and make the necessary fix.

Thanks,

Cordelia