Configuring IronPort to use TLS

We have never used TLS before and haven't got any certs/keys. C650.

Is there a checklist of everything needed to set up TLS between our company and an external company that requires it?

I know there is information in the Advanced User Guide but I need a dummies' guide!

8 Replies

kluu_ironport
Level 2

Hi John,

Here's a great KB article that can help you get up and running and become more familiar with how the IronPort integrates with TLS.

The KB article contains links to additional KB articles and should be a good starting point. If you need further assistance, you can post more questions here or contact Support.


TLS Configuration Frequently Asked Questions

http://tinyurl.com/g6c3m

kluu_ironport
Level 2

Also, I wanted to note that the IronPort appliance does not currently have the functionality to generate the Certificate Signing Request (CSR) itself. The CSR has to be created by a third-party application.

Here are some KB links that may be helpful:


1. How do I create a certificate request on Windows using OpenSSL?
http://tinyurl.com/344xfh

2. Generating a Certificate Signing Request (CSR)
http://tinyurl.com/25a9x2

3. How to create new certificate signing request on Microsoft IIS server?
http://tinyurl.com/2n5z3a
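Since the reply above says the CSR has to come from a third-party tool, here is the OpenSSL sequence for doing it on any workstation, together with the two checks worth running before the CSR goes off to the CA. This is an added example, not code from the thread or from Cisco's KB articles; the organisation name, the hostname mail.example.com and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): create the private key
# and CSR for the appliance with OpenSSL, and sanity-check the result before
# sending the CSR to a CA. Organisation, hostname and file names are assumed.
set -eu

# Generate a 2048-bit RSA key and a CSR whose CN and SAN are the gateway's
# public hostname (the name remote MTAs connect to and that the CA will sign).
#   $1 = file prefix for <prefix>.key / <prefix>.csr, $2 = the gateway's FQDN
make_csr() {
    prefix=$1
    fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$prefix.key" -out "$prefix.csr" \
        -subj "/C=GB/O=Example Ltd/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    chmod 600 "$prefix.key"   # the key goes nowhere except onto the appliance
}

# Print the CN from a CSR so you can confirm it before submitting it.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Confirm that key and CSR belong together (same public key); a CSR generated
# against a different key is the classic reason a CA-signed cert "won't import".
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Lab only: self-sign the CSR so TLS can be exercised before the CA replies.
# Partners that verify certificates will not trust this; use the CA-issued
# certificate (plus its intermediate chain) for production.
#   $1 = file prefix, $2 = validity in days
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" \
        -out "$1.crt" 2>/dev/null
}

# Usage: sh make-csr.sh ironport mail.example.com
if [ $# -eq 2 ]; then
    make_csr "$1" "$2"
    echo "CSR subject CN: $(csr_cn "$1.csr")"
    key_matches_csr "$1.key" "$1.csr" && echo "private key matches CSR"
fi
```

Keep the .key file safe: the CA returns a certificate for the CSR, and that certificate, the CA's intermediate chain and this private key are what you load on the appliance.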

Thanks folks.

Do companies normally set their public listeners to Preferred for the default MFP? Is there a perceived performance hit in activating it for all?

If we create an MFP for those companies who require TLS, I presume this just generates an NDR?

Thanks, John.

kluu_ironport
Level 2

Yeah, you probably don't want to require/prefer all inbound connections to go through a TLS check, as this can hamper performance.

A common method is to create a new sender group (SG) and mail flow policy (MFP) that either prefers or requires TLS to be established before transfer of information, on an "as needed" basis.

For example, call the new sender group "TLS_Required" and position it above the WHITELIST SG. Assign this new "TLS_Required" SG to a new MFP called, for example, "Accepted_TLS". Then add the IPs, hostnames, or partial hostnames (e.g. .bankofamerica.com) to the new SG.

This is one way of doing it. How have other companies that put a lot of importance on TLS receiving and delivery done it? Anyone?

Also, remember that the HAT Overview/MFP are for receiving, in other words, when other hosts connect to your IronPort appliance.

"Mail Policies > Destination Controls" is for when your IronPort appliance delivers mail to hosts on the Internet. You probably don't want to make TLS Prefer/Require the default. Rather, create corresponding destination host entries for the domains that need the connections to be secure. However, if you're a banking institution and it's vital that all transactions between you and the Internet are made securely, then you may need to enable it on the Default.

Hope that helps.
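To make the ordering point in that reply concrete, here is a small shell model of the two lookups it describes: the HAT on the receiving side (sender group order, mail flow policy, TLS setting) and Destination Controls on the delivery side. It is an added example, not Cisco code and not an AsyncOS CLI transcript; the group and policy names, the member patterns, and the rules I use for matching ".domain" and "10.1.1." entries are my assumptions about HAT behaviour, not something the thread states.

```shell
#!/bin/sh
# Added example, not Cisco's code and not an AsyncOS CLI transcript: a model
# of the HAT lookup and the Destination Controls lookup, to show why the
# TLS_Required sender group has to sit above WHITELIST. Names, patterns and
# the matching rules for ".domain" / "10.1.1." entries are assumptions.

# Sender groups in HAT order, top to bottom; the first matching entry wins.
# Fields: sender group | mail flow policy | member pattern
#   .domain  -> any host under that domain (not the apex itself)
#   10.1.1.  -> any IP starting with that prefix
#   ALL      -> everything (the default group at the bottom)
#   anything else -> exact hostname or exact IP
# WHITELIST still lists the bank from before TLS was required; because
# TLS_Required is above it, the bank's MTAs get Accepted_TLS, not TRUSTED.
HAT='
TLS_Required|Accepted_TLS|.bankofamerica.com
TLS_Required|Accepted_TLS|192.0.2.
TLS_Required|Accepted_TLS|mx.securepartner.example
WHITELIST|TRUSTED|.bankofamerica.com
WHITELIST|TRUSTED|.partner.example
ALL|ACCEPTED|ALL
'

# TLS setting of each mail flow policy (receiving side).
MFP='
Accepted_TLS|Required
TRUSTED|Off
ACCEPTED|Preferred
'

# Destination Controls (delivery side): per recipient domain, else the default.
DEST='
bankofamerica.com|Required
partner.example|Preferred
'
DEST_DEFAULT=Off

# Print "<sender group> <mail flow policy>" for a connecting host.
#   $1 = reverse-DNS hostname, $2 = connecting IP
hat_lookup() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ip=$2
    while IFS='|' read -r sg mfp pat; do
        [ -z "$sg" ] && continue
        case "$pat" in
            ALL) printf '%s %s\n' "$sg" "$mfp"; return 0 ;;
            .*)  case "$host" in *"$pat") printf '%s %s\n' "$sg" "$mfp"; return 0 ;; esac ;;
            *.)  case "$ip" in "$pat"*) printf '%s %s\n' "$sg" "$mfp"; return 0 ;; esac ;;
            *)   if [ "$host" = "$pat" ] || [ "$ip" = "$pat" ]; then
                     printf '%s %s\n' "$sg" "$mfp"; return 0
                 fi ;;
        esac
    done <<EOF
$HAT
EOF
    return 1
}

# TLS setting (Required/Preferred/Off) of a mail flow policy.
mfp_tls() {
    while IFS='|' read -r name tls; do
        [ "$name" = "$1" ] && { printf '%s\n' "$tls"; return 0; }
    done <<EOF
$MFP
EOF
    return 1
}

# What the listener will do about TLS for a given inbound connection.
inbound_tls() {
    r=$(hat_lookup "$1" "$2") || return 1
    mfp_tls "${r#* }"
}

# What Destination Controls will do about TLS when delivering to a domain.
outbound_tls() {
    dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS='|' read -r d tls; do
        [ "$d" = "$dom" ] && { printf '%s\n' "$tls"; return 0; }
    done <<EOF
$DEST
EOF
    printf '%s\n' "$DEST_DEFAULT"
}

# Usage: sh hat-model.sh mta1.bankofamerica.com 203.0.113.5
if [ $# -eq 2 ]; then
    echo "inbound: $(hat_lookup "$1" "$2") -> TLS $(inbound_tls "$1" "$2")"
    echo "outbound to ${1#*.}: TLS $(outbound_tls "${1#*.}")"
fi
```

Swap the two bank entries so that WHITELIST comes first and the bank's connections fall into TRUSTED with TLS Off, which is exactly the misconfiguration the reply's "position it above the Whitelist SG" advice guards against.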

Erich_ironport
Level 1

As far as a performance impact you will find that TLS doesn't add a significant load. I have worked with several large and small IronPort customers who have turned on "Preferred TLS" for all inbound and outbound without an added performance load.

Erich

Has anyone got views on the pros and cons of using TLS for most MFPs?

From my point of view I would like to switch on 'Preferred' for all connections, inbound and outbound. If the TLS handshake is good, the security has got to be improved. However, does this give you a false sense of security about what is more secure?

Without constantly monitoring the logs you don't know who is sending via TLS and who would be at risk.

Has anyone got experience of turning on TLS Required and then not being able to negotiate? Do you bounce, or is a queue formed?
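The "who actually sent via TLS" question above is answerable from mail_logs without watching them by hand. The following awk pass is an added example, not from the thread or from Cisco: it joins each inbound connection's ICID line with its sender-group match and TLS outcome and counts outbound (DCID) results. The line shapes are modelled on AsyncOS mail_logs as I know them, and the sample log is constructed (invented hosts, IPs, ICIDs and DCIDs).

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: summarise TLS outcomes
# from mail_logs. Line formats are modelled on AsyncOS mail_logs; the sample
# below is constructed with invented hosts, IPs, ICIDs and DCIDs.

SAMPLE_LOG='Mon Oct 12 10:00:01 2015 Info: New SMTP ICID 12345 interface Data1 (10.0.0.5) address 203.0.113.5 reverse dns host mta1.bankofamerica.com verified yes
Mon Oct 12 10:00:01 2015 Info: ICID 12345 ACCEPT SG TLS_Required match .bankofamerica.com SBRS 3.4
Mon Oct 12 10:00:01 2015 Info: ICID 12345 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Mon Oct 12 10:00:02 2015 Info: New SMTP ICID 12346 interface Data1 (10.0.0.5) address 198.51.100.9 reverse dns host mx.partner.example verified yes
Mon Oct 12 10:00:02 2015 Info: ICID 12346 ACCEPT SG WHITELIST match .partner.example SBRS 5.0
Mon Oct 12 10:00:03 2015 Info: New SMTP ICID 12347 interface Data1 (10.0.0.5) address 203.0.113.77 reverse dns host mail.random.example verified no
Mon Oct 12 10:00:03 2015 Info: ICID 12347 ACCEPT SG TLS_Required match 203.0.113.77 SBRS 1.1
Mon Oct 12 10:00:03 2015 Info: ICID 12347 TLS failed: handshake alert unknown ca
Mon Oct 12 10:00:03 2015 Info: ICID 12347 TLS was required but could not be successfully negotiated
Mon Oct 12 10:00:05 2015 Info: DCID 5001 TLS success protocol TLSv1.2 cipher AES256-SHA
Mon Oct 12 10:00:06 2015 Info: DCID 5002 TLS failed: verify error'

# Read mail_logs (file argument or stdin); print one line per inbound
# connection: ICID host ip sg=<group> <cleartext|tls|tls_failed|rejected> [protocol]
# followed by an outbound summary line.
tls_report() {
    awk '
    # value of the field following the first occurrence of "word"
    function after(word,   i) {
        for (i = 1; i <= NF; i++) if ($i == word) return $(i + 1)
        return ""
    }
    /Info: New SMTP ICID/ {
        id = after("ICID"); order[++n] = id
        ip[id] = after("address"); host[id] = after("host"); state[id] = "cleartext"
    }
    /Info: ICID [0-9]+ ACCEPT SG/ { sg[after("ICID")] = after("SG") }
    /Info: ICID [0-9]+ TLS success/ {
        id = after("ICID"); state[id] = "tls"; proto[id] = after("protocol")
    }
    /Info: ICID [0-9]+ TLS failed/ { state[after("ICID")] = "tls_failed" }
    # with TLS Required, a failed handshake ends in the connection being refused
    /Info: ICID [0-9]+ TLS was required but could not/ { state[after("ICID")] = "rejected" }
    /Info: DCID [0-9]+ TLS success/ { out_ok++ }
    /Info: DCID [0-9]+ TLS failed/ { out_fail++ }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "ICID %s %s %s sg=%s %s%s\n", id, host[id], ip[id], sg[id], state[id], (proto[id] != "" ? " " proto[id] : "")
        }
        printf "outbound: tls_ok=%d tls_failed=%d\n", out_ok, out_fail
    }' "$@"
}

# Senders that delivered in clear: the ones still at risk while TLS is only Preferred.
cleartext_senders() {
    tls_report "$@" | awk '$6 == "cleartext" { print $3 }'
}

# Usage: sh tls-report.sh demo             (constructed sample above)
#        sh tls-report.sh /path/mail_logs  (a log copied off the appliance)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | tls_report
elif [ $# -eq 1 ]; then
    tls_report "$1"
fi
```

Run it against a day's mail_logs and the cleartext list is the set of partners to chase (or to move into the TLS_Required sender group), while a "rejected" entry under sg=TLS_Required is what a bounce-versus-queue investigation on the inbound side will look like.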

As far as a performance impact you will find that TLS doesn't add a significant load. I have worked with several large and small IronPort customers who have turned on "Preferred TLS" for all inbound and outbound without an added performance load.

I'd doubt that's true in all cases, given what IronPort KB 387 says:
As a rough estimate, a single TLS connection requires the same amount of server resources as ten clear text conversations. The actual impact to your IronPort appliance will vary based on how many simultaneous TLS connections it must handle. To mitigate the performance impact, there is a limit to the number of TLS connections the IronPort appliance will allow. Currently the limit is 100 inbound and 100 outbound TLS connections.

If the connection limit is reached for outbound connections, AsyncOS will negotiate a clear text conversation with partners whose MTA (message transfer agent) allows it. Where the partner has TLS required, the IronPort appliance will simply wait and try the connection again later.

We have large message volumes here and enabling a feature that has the potential to sap resources at 10x normal levels is not something we'd undertake without giving it serious consideration, FWIW.

Thanks everyone, there are quite a few steps to get TLS working and this old thread really helped. After my most recent install, I put together a few articles documenting the different ways one can set up TLS on the IronPort (outbound, inbound, all domains, specific domains only). I didn't want to have to look it all up again on my next install.

General overview of setting up TLS on IronPort:

http://enterpriseit.co/ironport/setup-tls-ironport/

Setting up TLS for specific incoming mail domains:

http://enterpriseit.co/ironport/tls-incoming-mail-specific-domains/

I hope these help others,

Chris Harris