Cisco Support Community
New Member

Outbound Forced TLS Connections

Guys

Before I log a feature request, I was wondering if anyone else has a better suggestion in relation to Forced Outbound TLS connections.

We currently have Preferred TLS turned on for all Inbound and Outbound connections. However, for specific 3rd parties we have defined via the Destination Controls that TLS must be used.

We are now in the situation that we are getting more and more requests to set up forced TLS connections to 3rd parties. This means that each time we have to add a new domain into the Destination Controls list, using the default settings, except for the "Forced" TLS option.

I have been looking for a better way to do this, but I can't see anything. It would be nice to have something like the HAT with specific Outbound MFPs that we can just add domains to the Sender Group.

I suppose this is one of those nice to have things, but I am just trying to find a way to make the management of the Forced TLS connections a bit easier from our end.

Has anyone asked this previously, or got a better option?

9 REPLIES
New Member

Re: Outbound Forced TLS Connections

There is an existing feature request # 50836, ability to import/export destination control list which can be edited off the box for bulk upload.

Please contact your sales rep or Cisco IronPort Support to have your request added to the FR.

Best,
Kishore

New Member

Preferred TLS

I am getting ready to switch our IronPort appliances to use Preferred TLS for all incoming/outgoing connections. Anyone else doing this? Good results?

New Member

Re: Outbound Forced TLS Connections

Jason

We have been using Preferred TLS for all Inbound and Outbound messages for the last year.

We have had no issues with it to date, and there was no performance hit on the appliances that we were aware of.

It also helps us to identify companies that our users are emailing that could be candidates for then moving to a forced TLS connection.

New Member

Re: Outbound Forced TLS Connections

Thanks Wargot, it's on my list of changes to make.

New Member

Re: Outbound Forced TLS Connections

Hello,

I can assure you that turning "preferred TLS" on has had no impact on our production traffic at all.

Steven

New Member

Re: Outbound Forced TLS Connections

Dear all,

We have also had TLS set to preferred for at least a year. No problem so far. The change was completely transparent to all users! Like Wargot, we had no performance impact.

What we've done, specifically, is to set TLS to preferred for all HAT entries except for the THROTTLED and BLOCKED policies.

Make sure to use publicly trusted certificates (we use wildcard certificates from Comodo), it will save you a lot of trouble!

Cheers,
Fred

New Member

Re: Outbound Forced TLS Connections

Thanks for the input Fred.

New Member

Re: Outbound Forced TLS Connections

Why would going from a forced TLS setting to a preferred TLS setting increase load?

I have some big banks requiring me to go from preferred to forced for hundreds of their domains.  Has anyone done this?  My concerns are basically load and syntax errors.

New Member

Re: Outbound Forced TLS Connections

It increases load simply because encryption/decryption requires CPU time.  It's not much for an individual message, but it adds up when you're processing many simultaneously.
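For the syntax-error concern raised above about adding hundreds of domains at once, one option is to validate the list off the box before any entry is created. The following is an added example, not part of any post in this thread and not Cisco tooling; it assumes the partner list arrives as plain text with one domain per line, and the sample domains are constructed.

```python
import re

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalise(entry):
    """Return the canonical lowercase ASCII form of a domain, or raise ValueError."""
    name = entry.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty entry")
    try:
        name = name.encode("idna").decode("ascii")  # IDN labels become xn-- form
    except UnicodeError as exc:
        raise ValueError(f"not encodable as a hostname: {exc}")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        raise ValueError("need a fully qualified domain of at most 253 chars")
    for label in labels:
        if not LABEL.match(label):
            raise ValueError(f"bad label {label!r}")
    return name

def check_domain_list(lines):
    """Split raw lines into (accepted, rejected); duplicates are rejected."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0]           # allow trailing comments
        if not text.strip():
            continue                           # skip blank or comment-only lines
        try:
            name = normalise(text)
        except ValueError as exc:
            rejected.append((lineno, raw.strip(), str(exc)))
            continue
        if name in seen:
            rejected.append((lineno, raw.strip(), "duplicate of earlier entry"))
        else:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected

# Constructed sample input, not taken from the thread.
SAMPLE = ["bank-one.example", "Bank-One.Example.", "pay.bank-two.example  # retail",
          "bank three.example", "-bad.example", "bank_four.example", "localhost", ""]

if __name__ == "__main__":
    print(check_domain_list(SAMPLE))
```

Only the accepted names would then go on to be entered with TLS required; the rejected tuples carry the line number and reason so the list can be sent back to the requester for correction.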
