Cisco Support Community
Community Member

C170 Configuration behind a firewall help.

Preparing to install a C170 email security appliance behind a Verizon-provided firewall. At present, our DNS zone file drives mail (SMTP) traffic to an internet-facing IP address on the Verizon-provided firewall. The firewall redirects this traffic to an internal address ("A") which resides on an Exchange server. This seems to work fine for email and for our mobile users' ActiveSync connections.

My first thought was to assign the C170 appliance address "A" and change our existing Exchange server's address to "B". The C170 would receive all the mail from the firewall and relay it (after processing) to the Exchange server, and the Exchange server would in turn relay it back out via the C170. That sounds simple enough, but I'm not sure what happens to the SSL traffic from mobile devices like smartphones and tablets. They use an SSL port (443) on Address 1 for ActiveSync updates etc. Currently the firewall sends all that traffic to internal address "A" (where the Exchange server lives now).

Can the C170 pass/relay ActiveSync SSL traffic on to the Exchange server? Or do I have to go through the process of changing the DNS zone file records at the DNS hosting site and then go through Verizon (nightmare) to make the changes in its firewall for redirecting that to another internal address ("C") for the C170? And then there's the message archiving appliance to figure out ... but I digress. Perhaps I'm overthinking the problem, but I sure would appreciate some help. Thanks in advance, and let me know if I need to clarify anything.
Community Member

Mobile Phones with ActiveSync

Mobile phones with ActiveSync are a completely different thing from SMTP data.

If you want to have maximum security then you need some kind of proxy with reverse proxy for Outlook Web Access and ActiveSync, and the ESA for antispam.

So this is how it would look:

Email data:

Internet -> Firewall (NAT) -> Cisco ESA -> Exchange

Outgoing:

Exchange -> Cisco ESA -> Firewall (NAT to public MX IP) -> Internet

Mobile phones (OWA):

Internet (to public DNS, eg) -> Firewall (NAT to Proxy) -> reverse proxy -> Exchange

When a user sends mail over ActiveSync then the mail goes Exchange -> ESA -> Firewall -> Internet, so you have your point of security.

So you have public DNS for:

ActiveSync -> A and PTR record

Email -> A, PTR and MX.

You can route with NAT on the firewall port 22 to the Cisco ESA and 443 to the reverse proxy if you don't have public IPs.

And remember to create FULL NAT when you route from the internet to the ESA so the ESA can see the real MX public IP address, because of IP reputation filtering.
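
As an added illustration (not code from the thread, and not a Cisco or Exchange tool), the script below checks the plan the reply describes against constructed sample data: a public zone with A, PTR and MX records, and a firewall NAT table that splits TCP 25 (the standard SMTP port, assumed here) to the ESA and TCP 443 to the reverse proxy. It flags the three things a practitioner would want verified before asking Verizon for changes: the MX host's forward and reverse DNS agree, HTTPS is not forwarded to the ESA (which is an SMTP gateway, not an HTTP reverse proxy), and the SMTP rule does not rewrite the client source address, since the ESA's IP reputation filtering needs the real sender IP. All names, addresses and rules are assumptions for the example.

```python
"""Sanity checks for a 'firewall -> ESA -> Exchange' mail-flow plan.

Added example, not from the Cisco Support Community thread. The zone
records and NAT rules are constructed sample data, not a real site's.
"""
import ipaddress
from dataclasses import dataclass

# Constructed public DNS (example.com and the 203.0.113.0/24 block are assumptions).
ZONE = {
    "A": {"mail.example.com": "203.0.113.10", "activesync.example.com": "203.0.113.10"},
    "MX": {"example.com": "mail.example.com"},
    "PTR": {"203.0.113.10": "mail.example.com"},
}


@dataclass(frozen=True)
class NatRule:
    public_ip: str
    port: int
    internal_ip: str
    source_nat: bool  # True: firewall also rewrites the client's source address


# Constructed rules for the design in the reply: SMTP to the ESA, HTTPS to the proxy.
RULES_GOOD = [
    NatRule("203.0.113.10", 25, "10.0.0.20", source_nat=False),
    NatRule("203.0.113.10", 443, "10.0.0.30", source_nat=False),
]

# Constructed rules for the layout in the question: everything lands on the ESA,
# and the firewall masquerades the SMTP connections.
RULES_BAD = [
    NatRule("203.0.113.10", 25, "10.0.0.20", source_nat=True),
    NatRule("203.0.113.10", 443, "10.0.0.20", source_nat=False),
]


def check_mx_reverse_dns(zone, domain):
    """Forward-confirmed reverse DNS: MX -> A -> PTR must lead back to the MX host."""
    mx_host = zone["MX"].get(domain)
    if mx_host is None:
        return [f"no MX record for {domain}"]
    ip = zone["A"].get(mx_host)
    if ip is None:
        return [f"MX host {mx_host} has no A record"]
    ptr = zone["PTR"].get(ip)
    if ptr is None:
        return [f"{ip} has no PTR record"]
    if ptr != mx_host:
        return [f"PTR for {ip} is {ptr}, expected {mx_host}"]
    return []


def check_nat(rules, public_ip, esa_ip, proxy_ip):
    """Verify the port split and that the ESA still sees the real client address."""
    problems = []
    by_port = {r.port: r for r in rules if r.public_ip == public_ip}
    for r in by_port.values():
        if not ipaddress.ip_address(r.internal_ip).is_private:
            problems.append(f"rule for port {r.port} targets non-private {r.internal_ip}")

    smtp = by_port.get(25)
    if smtp is None:
        problems.append("no rule forwarding TCP 25 to the ESA")
    else:
        if smtp.internal_ip != esa_ip:
            problems.append(f"TCP 25 forwards to {smtp.internal_ip}, not the ESA {esa_ip}")
        if smtp.source_nat:
            problems.append("TCP 25 rule rewrites the source address; the ESA would see "
                            "the firewall IP and reputation filtering would be blind")

    https = by_port.get(443)
    if https is None:
        problems.append("no rule forwarding TCP 443 to the reverse proxy")
    elif https.internal_ip == esa_ip:
        problems.append("TCP 443 forwards to the ESA, which does not proxy ActiveSync/OWA")
    elif https.internal_ip != proxy_ip:
        problems.append(f"TCP 443 forwards to {https.internal_ip}, not the proxy {proxy_ip}")
    return problems


if __name__ == "__main__":
    for label, rules in (("good", RULES_GOOD), ("bad", RULES_BAD)):
        found = check_mx_reverse_dns(ZONE, "example.com") + \
            check_nat(rules, "203.0.113.10", "10.0.0.20", "10.0.0.30")
        print(label, "->", found or "OK")
```

Run it as-is and the "bad" plan reports two findings, both matching points raised in the thread; swap in your own records and rules to check a real change request before it goes to the firewall provider.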
