Cisco Support Community
Community Member

Cisco IronPort ESA - C160

hi All,

Cisco Ironport ESA Email Bundle with:

  • AS, AV, Virus Outbreak Filters, encryption and DLP for 1 year (100 mailboxes)

We are not familar with the Cisco IronPort Email, but has experience in deploying the WSA.

Can somebody share the key concerns and dependencies in implementing the ESA?

Eg; AD, Exchange needed? Do we need to know existing customer's exchange ,import over etc? Anything at all?

Any advise greatly appreciated.


Regards: Jocelyn


Re: Cisco IronPort ESA - C160

Hello Jocelyn,

As the Cisco IronPort Email Security Appliance (ESA) is a mail gateway, it does not substitute the backend mail server. It is a good practice and recommended to implement LDAP for recipient validation (to avoid that the ESA is accepting recipients that do not exist on the backend mail server which may result in getting listed at or similar RBLs).

The ESA will be in charge of the emails that are sent to the MX record of the given domain, so it is supposed to face all threats of the internet (spam, phish, viruses, etc) so that they can be filtered. Considered clean mail will be forwarded to the backend mail server which will no longer be exposed to the internet directly. As you're using DLP, also the outgoing mails should no longer be sent from the backend mail server directly to the internet, but to the ESA for compliance verification and handling.

It is not necessary to import data from the backend mail server to the ESA, as the appliance is an SMTP gateway. It will receive mails via SMTP and forwards it via SMTP to the backend mail server (or the internet - for outgoing mails), End users may access the Spam Quarantine via HTTP/HTTPs to manage messages that have been found spam positive or suspect spam (configurable). LDAP queries can be used to allow recipient verification, LDAP based routing, Spam Quarantine & Appliance access authentication and LDAP group queries (for IT policy enforcement based on specific user groups).

So when the ESA is not configured to be end user accessible (i.e. no Spam Quarantine in use), the end users would not even be aware of that an ESA is in place that filters incoming/outgoing mails for the domain. The network routing on site may need to be altered so that the public IP of the MX record is ending up on the ESA and no longer on the (backend) mail server directly. By this, no change of the MX records on the DNS is required and no impact for the mail senders is encountered.

Hope this helps. If not, please let us know.

Thanks and regards,


CreatePlease to create content