
Set up one IronPort to send to another

oh_ironport
Level 1

We will be setting up 4 IronPort systems and for reasons that I don't want to explain, we will be setting up 2 systems as 'external' and 2 systems as 'internal'. The 'external' systems will accept email from the internet and will use SBRS and LDAP accept. The 'internal' systems will accept email from the 'external' systems and will be used for Spam and Virus filtering.

How would a setup like this be configured for SMTP Routes on the 'external' and RAT on the 'internal'?

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

3 Replies

kyerramr
Level 1

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

Yes, SMTP route for "yourdomain.com" would be the IP address of the IronPort.


The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

RAT would be "yourdomain.com". Set up the HAT for the listener such that there is only WHITELIST and delete everything else. List the IP address of the external IronPort's delivery interface in the WHITELIST (make sure there is no throttling). By deleting other sender groups there would be only two sender groups (WHITELIST and ALL). Set the policy action ACCEPTED to reject; this way messages from your external IronPort would be the only messages accepted by the internal IronPort.

oh_ironport
Level 1

Thanks to kyerramr for the solution. Works great.

Now that the systems are set up and working, I have another question. Hopefully someone knows a solution/workaround.

When I look at the 'internal' IronPort web interface, going to Monitor, then Incoming Mail by IP address, I only see the IP address of our 'external' IronPort. This is both for Threat and Clean messages.

I would like to see the IP address of the system which connected to our 'external' IronPort. I've tried removing Add Received Header on both IronPorts' listeners and each one separately. This doesn't fix it.

Is there an IronPort setting that ignores the last hop (Received header)?

rokeeffe265
Level 1

Hi Oh,

I may be sending you down the wrong road here, and if I am I apologise.
I think what you are looking for is in Network > Incoming Relays.

Enable this feature and add the IP of the external IronPort; you can also adjust headers here at this stage.
Hope this helps,
R.
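
An added illustration (not part of the thread, and not AsyncOS code) of the idea behind declaring the 'external' appliance as a known relay: the hop it accounts for is skipped and the next connecting IP in the Received chain is reported instead. The hostnames, IP addresses and the bracketed-IP Received format below are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample as the 'internal' appliance would receive it (newest hop first).
EXTERNAL_RELAY = "192.0.2.10"  # assumed delivery IP of the 'external' appliance
SAMPLE = (
    "Received: from ext1.ourdomain.com ([192.0.2.10])\n"
    "  by int1.ourdomain.com with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000\n"
    "Received: from mail.sender.example ([203.0.113.45])\n"
    "  by ext1.ourdomain.com with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000\n"
    "Received: from workstation ([198.51.100.7])\n"
    "  by mail.sender.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# First bracketed IPv4 literal in a Received header value.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_from_ip(header_value):
    """Return the connecting IP recorded in one Received header, or None."""
    match = _BRACKETED_IP.search(header_value)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def original_sender_ip(raw_message, trusted_relays):
    """Walk Received headers newest-first and return the first connecting IP
    that is not one of our own relays. Older headers were supplied by the
    remote side, can be forged, and are never consulted."""
    trusted = {ipaddress.ip_address(ip) for ip in trusted_relays}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = received_from_ip(value)
        if ip is None:
            return None  # unparsable hop: fail closed rather than guess
        if ip not in trusted:
            return str(ip)
    return None  # no Received headers, or every hop was one of our relays


if __name__ == "__main__":
    print(original_sender_ip(SAMPLE, []))                # no relay declared
    print(original_sender_ip(SAMPLE, [EXTERNAL_RELAY]))  # relay declared
```

With no relay declared, the result is the 'external' appliance's own address, which is the symptom described in the question; with the relay declared, the result is the host that connected to the 'external' appliance.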
