Set up one IronPort to send to another

Mar 3rd, 2009

We will be setting up 4 IronPort systems and for reasons that I don't want to explain, we will be setting up 2 systems as 'external' and 2 systems as 'internal'. The 'external' systems will accept email from the internet and will use SBRS and LDAP accept. The 'internal' systems will accept email from the 'external' systems and will be used for Spam and Virus filtering.

How would a setup like this be configured for SMTP Routes on the 'external' and RAT on the 'internal'?

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

kyerramr Thu, 03/05/2009 - 04:41

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

Yes, SMTP route for "yourdomain.com" would be the IP address of the IronPort.


The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

RAT would be "yourdomain.com". Set up the HAT for the listener such that there is only WHITELIST and delete everything else. List the IP address of the external IronPort's delivery interface in the WHITELIST (make sure there is no throttling). By deleting other sender groups there would be only two sender groups (WHITELIST and ALL). Set the policy action ACCEPTED to reject; this way messages from your external IronPort would be the only messages accepted by the internal IronPort.

oh_ironport Tue, 03/17/2009 - 15:29

Thanks to kyerramr for the solution. Works great.

Now that the systems are set up and working, I have another question. Hopefully someone knows a solution/workaround.

When I look at the 'internal' IronPort web interface, going to Monitor, then Incoming Mail by IP address, I only see the IP address of our 'external' IronPort. This is both for Threat and Clean messages.

I would like to see the IP address of the system which connected to our 'external' IronPort. I've tried removing Add Received Header on both IronPorts' listeners and each one separately. This doesn't fix it.

Is there an IronPort setting that ignores the last hop (Received header)?

rokeeffe265 Wed, 03/18/2009 - 17:09

Hi Oh,

I may be sending you down the wrong road here, and if I am I apologise.
I think what you are looking for is in Network>Incoming Relays.

Enable this feature and add the IP of the external IronPort; you can also adjust headers here at this stage.
Hope this helps,
R.
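The idea behind declaring the 'external' appliance as an incoming relay, sketched as an added example that is not part of the thread and not IronPort's own code: when the SMTP peer is a known relay, walk the Received headers from the newest hop down and report the first address that is not one of your own relays. The header layout, host names and addresses below are constructed (documentation ranges), and `original_sender` is a hypothetical helper name.

```python
import email
import ipaddress
import re

# Constructed sample as seen by the 'internal' appliance; 192.0.2.10 stands in
# for the 'external' IronPort. The Received layout is an assumption.
RAW = (
    "Received: from external.example.com ([192.0.2.10])\r\n"
    "\tby internal.example.com with ESMTP; Tue, 17 Mar 2009 15:29:00 -0400\r\n"
    "Received: from mail.sender.example ([203.0.113.77])\r\n"
    "\tby external.example.com with ESMTP; Tue, 17 Mar 2009 15:28:58 -0400\r\n"
    "Received: from forged.invalid ([198.51.100.1])\r\n"
    "\tby mail.sender.example with SMTP; Tue, 17 Mar 2009 15:28:50 -0400\r\n"
    "From: a@sender.example\r\nTo: b@ourdomain.com\r\nSubject: test\r\n\r\nbody\r\n"
)

FROM_IP = re.compile(r"from\s+\S+\s+\(\[?([0-9A-Fa-f:.]+)\]?\)")

def received_ips(raw):
    """Address in the 'from' clause of each Received header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = FROM_IP.search(value)
        try:
            hops.append(ipaddress.ip_address(m.group(1)) if m else None)
        except ValueError:
            hops.append(None)  # matched text is not a valid address
    return hops

def original_sender(raw, connecting_ip, trusted_relays):
    """First hop that is not one of our relays, or None if it cannot be determined.

    Headers are consulted only when the SMTP peer itself is a trusted relay;
    everything below the first untrusted hop is sender-controlled and ignored.
    """
    trusted = {ipaddress.ip_address(ip) for ip in trusted_relays}
    if ipaddress.ip_address(connecting_ip) not in trusted:
        return connecting_ip  # direct connection: never believe its headers
    for hop in received_ips(raw):
        if hop is None:
            return None  # unparseable hop: do not guess further down the chain
        if hop not in trusted:
            return str(hop)
    return None
```

The relay list has to stay limited to hosts you control: any address placed in it lets that host's Received headers decide which IP the reports attribute mail to.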
