ESA C170 cluster with SMA M170

mikgruff3
Level 1

I currently have a request from a customer that wants to install a pair of ESA C170s as a cluster. They also want to deploy an SMA M170. How do I integrate the ESAs with the SMA? I'm not sure what the SMA really does.

11 Replies

Mathew Huynh
Cisco Employee

Hello there :)

With regard to ESAs in a cluster:

As long as they're on version 8.5.6+ you can utilize the cluster feature without needing to purchase a feature key; if not, you'll need to get a feature key purchased (Centralized Management Key).

An ESA cluster is used for the ESAs to sync up and be combined under one common, or cluster, configuration.

Though you do have the flexibility to make the system run a machine level override on certain sections if you want the systems to have an individual taste on those portions.

The SMA M170 is used to centralize tracking data, reporting data, the spam quarantine and the policy/virus/outbreak quarantine (in version 8+).

It will not affect or have any play in the ESA cluster configuration setup. At a high level it is simply a central hub to review all tracking/reporting data and quarantines, if used that way, which makes it easier to manage such information at an administrator level.

To integrate the SMA with the ESAs:

Generally port 22 is required to be open between them, allowing the SSH protocol and SSH key exchange.

If you begin to integrate the quarantines, you'll need to open more ports (7025, 25, 6025, etc.).

Once done, you simply need to enable Centralized Reporting and Tracking on the ESAs.

Go into the SMA GUI > Management Appliance > Security Appliances > add the ESAs, establish the connection and enable the service on the SMA as well.

Then you're done :)

The user guides here for the SMA will help as well:

http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/products-user-guide-list.html

Regards,

Matthew

We have one C170 in one data center. We can either add a second C170 and cluster it in the same data center or else put the new C170 in a second data center. If we cluster 1 C170s in the same data center, it seems like there is no point to an M170 since the cluster would be managed like a single device already.

We don't want to confuse users by having them deal with multiple separate email quarantines to check.

If you have multiple C170s spread across a WAN in different data centers, will adding an M170 allow users to receive a single spam quarantine link and manage all their quarantined email in one place, or is the M170 limited to central management by the ESA administrator?

Hello,

A cluster of ESAs allows them to share and sync the configuration with each other; it is strictly for configuration syncing.

Having two C170s each using its own spam quarantine will generate two separate quarantine notification emails, as the Centralized Management cluster does not create a centralized point for quarantines; it is strictly for configuration sync.

Adding an M170 will allow you to centralize the quarantines, reporting data and tracking data for admins, and also give end users one notification email and one access point for the spam quarantine.

Regards,

Matthew

Does the M170 also do configuration sync if we put both C170s in separate data centers (which I assume prevents them from being clustered)?

Nope.

The M170 only creates a centralized point for the quarantines, reporting and tracking.

The ESA cluster (Centralized Management) only creates a cluster to allow configuration to be synced across the connected devices.

Regards,

Matthew

Can you sync configuration across different data centers or do they need to be on the same LAN to cluster?

How would we combine centralizing configuration and centralizing quarantines and administration? 

They can be synced anywhere as long as you can ensure that the port you're using for sync has been opened on the firewall and proper network routes are available.

It's not location restricted, nor does it require the same LAN connection.

Typically cluster members communicate with each other on port 22; as long as the firewall and network routes permit it, the cluster will operate and sync.

To create a cluster, once you're on 8.5+ or have the key available, it's done in the command line: CLI > clusterconfig.

Centralized quarantines are configured on the ESA to point to the SMA (M170) devices. (This setting can be shared at the ESA cluster level.)

M170 devices need to be able to communicate with your ESAs on port 22 bi-directionally.

Regards,

Matthew

OK. So for the best redundancy, the easiest management for admins and a minimal hardware investment, I have this plan to upgrade our single C170 ESA located in a nearby external data center.

1. Install a second ESA in another data center in a different city and add an MX record with a lower weight than our current MX record.

2. Cluster the new C170 to our existing C170 across the WAN.

3. Add an M170 on our local office LAN to manage the C170s and centralize the quarantines.

Does that sound like a good plan?

Yep.  That's what I'm going to do...

Yep that sounds good.

Key points to note:

Port 22 and the SSH protocol must be able to pass through uninspected.

If anything is capable of SSH key proxying, this needs to be disabled.

The main protocol and port for this requirement are SSH and 22, to allow communication.

But remember, if you enable services like the centralized spam quarantine and policy quarantines from the ESA to the SMA (M170), port 6025, port 25 and port 7025 will be required as well for the SMTP transfers.

The M series centralizes all of the quarantines and message tracking.

Configuration is only centralized by clustering.
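As an added example (not from this thread or from Cisco), here are the port requirements discussed above turned into a check a defender can run against a firewall rule export before bringing the cluster and the M170 online. It parses a simplified ACL format of my own and reports every ESA/SMA host pair that lacks an explicit permit; the host addresses, the ACL lines and the direction assumed for ports 6025, 7025 and 25 are constructed assumptions, not values from the thread.

```python
import re
from itertools import product
# Constructed inventory: two clustered C170s and one M170 (made-up addresses).
HOSTS = {"10.0.1.10": "esa", "10.0.2.10": "esa", "10.0.3.20": "sma"}
# Flows the thread calls out: SSH/22 between cluster members and in both
# directions between each ESA and the SMA, plus the quarantine SMTP ports.
# The direction of the 6025/7025/25 flows is my assumption, not the thread's.
REQUIRED = [
    ("esa", "esa", 22), ("esa", "sma", 22), ("sma", "esa", 22),
    ("esa", "sma", 6025),  # spam quarantine delivery to the SMA
    ("esa", "sma", 7025),  # policy/virus/outbreak quarantine to the SMA
    ("sma", "esa", 25),    # quarantine release back to the ESA
]
# Simplified ACL grammar: "permit tcp host <src> host <dst> eq <port>".
RULE = re.compile(r"^permit tcp host (\S+) host (\S+) eq (\d+)$")

def parse_rules(text):
    """Return the set of (src, dst, port) flows the ACL text permits."""
    allowed = set()
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            allowed.add((m.group(1), m.group(2), int(m.group(3))))
    return allowed

def missing_flows(allowed, hosts=HOSTS, required=REQUIRED):
    """List every host pair whose required flow has no explicit permit."""
    missing = []
    for src_role, dst_role, port in required:
        for src, dst in product(hosts, hosts):
            if src == dst or (hosts[src], hosts[dst]) != (src_role, dst_role):
                continue
            if (src, dst, port) not in allowed:
                missing.append((src, dst, port))
    return sorted(missing)

# Constructed ACL: SSH is complete, but 7025 was never added and the release
# path on 25 is missing for the ESA in the second data center.
SAMPLE_ACL = """
permit tcp host 10.0.1.10 host 10.0.2.10 eq 22
permit tcp host 10.0.2.10 host 10.0.1.10 eq 22
permit tcp host 10.0.1.10 host 10.0.3.20 eq 22
permit tcp host 10.0.2.10 host 10.0.3.20 eq 22
permit tcp host 10.0.3.20 host 10.0.1.10 eq 22
permit tcp host 10.0.3.20 host 10.0.2.10 eq 22
permit tcp host 10.0.1.10 host 10.0.3.20 eq 6025
permit tcp host 10.0.2.10 host 10.0.3.20 eq 6025
permit tcp host 10.0.3.20 host 10.0.1.10 eq 25
"""
```

Running `missing_flows(parse_rules(SAMPLE_ACL))` on the constructed ACL returns the three gaps (both 7025 flows and the second data center's port 25 release path), which is the list to hand to the firewall team before enabling the centralized quarantines.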