Hi guys, this is my first post :) and my first time working with IronPort :)
I'm trying to deploy the C-150 box for the first time as a demo for a customer, and I'm not sure what the best way to deploy it is...
First of all, I don't want to affect the production mail flows, which means I will go with the option of evaluation mode (add a secondary MX record) and try doing some testing in front of the customer (this is what I read in the documentation).
My concern is that if I add the MX record in the DNS server, that means I will not be able to see any incoming or outgoing mail, as it's lower priority!
Please guys, I have a demo for a customer and I'm trying to find any document that can be useful...
I'm sure 90% of customers will start implementing the IronPort box in a situation similar to mine, so I think it's a common scenario...
Unfortunately, there is not much that you can evaluate if all email is still processed by the existing mail servers. Setting up the IronPort MGA as a higher priority MX record in DNS will ensure that the existing mail server receives all traffic. The IronPort MGA will receive some amount of email from spammers, since spammers tend to target secondary/higher priority MX records.
If IronPort is configured to handle production email, you could configure it in a pass-through mode. You could have IronPort receive email directly from the internet, or have the existing mail server hand over inbound email to the IronPort. IronPort can then be configured in such a fashion that email is not dropped and SMTP connections are not blocked/throttled. Some of the things you could do in this regard would be to disable SBRS blocking, tag and deliver spam, tag and quarantine/deliver viruses, etc.
As jgill suggested, the best method of deployment for evaluation is for the IronPort to be the first hop for production mail.
However, I have also used the IronPort as the secondary MX record, either with a higher weight or with an equal weight, and configured the appliance to use SenderBase Reputation Filtering for tagging messages only (using the Accept Mail Flow Policy for all Sender Groups).
Other options might be:
Put the IronPort into production for a few hours and evaluate the mail processing for that period. Once you and the customer are comfortable with how mail was processed then you can transition it into production.
Put the IronPort as the first hop (but no SBRS, Anti-Spam, and AV) and then configure SMTP routes to send mail to their current solution. This way, the IronPort is configured as the main gateway to handle the mail flow, but their current solution will still process and handle mail as it did. After some time, you can then work with the customer to add Incoming Mail Flow Policies for a few recipients and only those policies use Anti-Spam or AV (while the bulk of the recipients do not). This will give you a very focused group of test users that are willing to have the IronPort scan their messages.
You might be able to think of other options, but keep in mind that the IronPort is most effective when it's the first hop and can see the IP of the sending MTA. Getting the IronPort into the mail flow is the first step. Then you can have the IronPort simply route the mail to their previous gateway devices without scanning or blocking messages. At this point, you can then turn on some of the features of the IronPort either for test groups, or single users and evaluate the strengths of Anti-SPAM. Or you can use reputation filtering to block only the most negative of senders (-10 to -7 for example) while accepting mail for the rest.