Solved: Cisco Ironport ESA High availability

cparunga · ‎05-13-2016

According to this link: http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/August2012/Cisco_SBA_BN_EmailSecurityUsingESADeploymentGuide-Aug2012.pdf

High Availability
The Cisco IronPort ESA functions as part of the mail transfer chain, and there is a reasonable amount of resiliency built into the system because a mail server in the chain stores a message for some period of time if the destination server is unresponsive. You can achieve additional resiliency by adding a second IronPort ESA.

You should configure the second IronPort ESA the same as the first IronPort ESA, and then add an additional MX record to the Domain Name System (DNS). For any additional devices, you need to add access lists and static Network Address Translation (NAT) rules to the appliance.

Sceraio: There is no concept of redundancy in the Ironport ESA appliances, what I mean is that the 2 ESAs do not work as one Cluster , we should rely on the network to do the failover . For the Outbound mail traffic , in case the ESA at the main site fails down , the Exchange will be configured to point to the ESA at the DR Site which was in Standby State. And for the Inbound traffic, we will rely on the MX-records to route the Inbound traffic to the ESA at the DR Site in case the ESA at the HQ fails.

Question: In such above scenario where the 2 ESAs work in Active/Standby mode but we are relying on the Exchange and MX-records to perform the failover , we still need 1 set of licenses which will be activate on both appliances?

Robert Sherwin · ‎05-25-2016

Info on sharing license:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118766-technote-esa-00.html

Info on licensing basics is also on the Data Sheet:

http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-729751.html

Cheers,
Robert Sherwin

View solution in original post

martin.eppler · ‎05-13-2016

Hello,

the license is tied to the serial number of the appliance, so each appliance will require an individual license here.

Best regards,

Martin

cparunga · ‎05-13-2016

Hello Martin!

Just want to know if we have a solid document for this? I cant find one.

martin.eppler · ‎05-13-2016

Hello,

this is documented in the user guide page 33-4 (http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf):

"For physical appliances, feature keys are specific to the serial number of the appliance and specific to the feature being enabled (you cannot re-use a key from one system on another system)."

Best regards,

Martin

cparunga · ‎05-13-2016

Thanks Martin!

Philippe Boeij · ‎05-13-2016

Indeed you need licenses for the 2 appliances but you can share the license from an existing appliance to a 2nd one via the Cisco Licensing portal....

Or activate an ESA Product Activation Key on 2 serials... Then 2 sets of licenses are generated for the same PAK (the seat count remains the same).

cparunga · ‎05-13-2016

Hi Philippe,

Thanks for the answer. I just want to know. Do you happen to have a document for this?

Robert Sherwin · ‎05-25-2016

Info on sharing license:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118766-technote-esa-00.html

Info on licensing basics is also on the Data Sheet:

http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-729751.html

Cheers,
Robert Sherwin

Ken Stieers · ‎05-13-2016

Something to think about...

once you buy one, you can license as many VMS as you want... for free...

The licenses, are tied to the hardware, but most are sold on a "per seat" basis... so talk to your sales guy...

Jimson Medallon · ‎05-24-2016

I hope their sales guy has a lot of courage to talk to his IT Team.

timothy.wong · ‎03-08-2018

How many license is needed for Cisco ESA Cluster ?

Ken Stieers · ‎03-08-2018

Sold by user count. Keep in mind ESA clustering isn't clustering. It's ONLY configuration replication.