Outbound Forced TLS Connections

Unanswered Question
Oct 15th, 2009


Before I log a feature request, I was wondering if anyone else has a better suggestion in relation to Forced Outbound TLS connections.

We currently have Preferred TLS turned on for all Inbound and Outbound connections. However, for specific 3rd parties we have defined via the Destination controls that TLS must be used.

We are now in the situation that we are getting more and more requests to set up forced TLS connections to 3rd parties. This means that each time we have to add a new domain into the destination controls list, using the default settings, except for the "Forced" TLS option.

I have been looking for a better way to do this, but I can't see anything. It would be nice to have something like the HAT with specific Outbound MFPs that we can just add domains to the Sender Group.

I suppose this is one of those nice to have things, but I am just trying to find a way to make the management of the Forced TLS connections a bit easier from our end.

Has anyone asked this previously, or got a better option?

kyerramr Fri, 10/16/2009 - 07:51

There is an existing feature request # 50836, ability to import/export destination control list which can be edited off the box for bulk upload.

Please contact your sales rep or Cisco IronPort Support to have your request added to the FR.


Jason Meyer Tue, 10/20/2009 - 16:06

I am getting ready to switch our IronPort appliances to use Preferred TLS for all incoming/outgoing connections. Anyone else doing this? Good results?

Wargot_ironport Wed, 10/21/2009 - 08:47


We have been using Preferred TLS for all Inbound and Outbound messages for the last year.

We have had no issues with it to date, and there was no performance hit on the appliances that we were aware of.

It also helps us to identify companies that our users are emailing that could be candidates for then moving to a forced TLS connection.

steven_geerts Fri, 10/30/2009 - 23:45


I can assure you that turning "preferred TLS" on has had no impact on our production traffic at all.


frederic.lens Wed, 11/04/2009 - 10:37

Dear all,

We have also had TLS set to preferred for at least a year. No problem so far. The change was completely transparent to all users! Like Wargot, we had no performance impact.

What we've done, specifically, is to set TLS to preferred for all HAT entries except for the THROTTLED and BLOCKED policies.

Make sure to use publicly trusted certificates (we use Wildcard certificates from Comodo); it will save you a lot of trouble!


Ferdinand Mazon Mon, 06/28/2010 - 10:54

Why would going from a forced TLS setting to a preferred TLS setting increase load?

I have some big banks requiring me to go from preferred to forced for hundreds of their domains.  Has anyone done this?  My concerns are basically load and syntax errors.

Scott Wertz Mon, 07/12/2010 - 07:10

It increases load simply because encryption/decryption requires CPU time.  It's not much for an individual message, but it adds up when you're processing many simultaneously.

