Cisco Support Community
New Member

Setup one IronPort to send to another

We will be setting up 4 IronPort systems and for reasons that I don't want to explain, we will be setting up 2 systems as 'external' and 2 systems as 'internal'. The 'external' systems will accept email from the internet and will use SBRS and LDAP accept. The 'internal' systems will accept email from the 'external' systems and will be used for Spam and Virus filtering.

How would a setup like this be configured for SMTP Routes on the 'external' and RAT on the 'internal'?

The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

3 REPLIES
New Member

Re: Setup one IronPort to send to another

> The RAT for the 'external' would simply be ourdomain.com. Would the SMTP Route be the IP address of the 'internal' IronPort?

Yes, SMTP route for "yourdomain.com" would be the IP address of the IronPort.


> The SMTP Route for the 'internal' would be our email server's IP address. What would be the RAT? Would it be ourdomain.com or would it be the IP address of the 'external'? How would we tell the 'internal' to only accept email from the 'external'?

RAT would be "yourdomain.com". Set up the HAT for the listener such that there is only WHITELIST and delete everything else. List the IP address of the external IronPort's delivery interface in the WHITELIST (make sure there is no throttling). By deleting other sender groups there would be only two sender groups (WHITELIST and ALL). Set the policy action ACCEPTED to reject; this way messages from your external IronPort would be the only messages accepted by the internal IronPort.

New Member

Re: Setup one IronPort to send to another

Thanks to kyerramr for the solution. Works great.

Now that the systems are set up and working, I have another question. Hopefully someone knows a solution/workaround.

When I look at the 'internal' IronPort web interface, going to Monitor, then Incoming Mail by IP address, I only see the IP address of our 'external' IronPort. This is both for Threat and Clean messages.

I would like to see the IP address of the system which connected to our 'external' IronPort. I've tried removing Add Received Header on both IronPorts' listeners and each one separately. This doesn't fix it.

Is there an IronPort setting that ignores the last hop (Received header)?

New Member

Re: Setup one IronPort to send to another

Hi Oh,

I may be sending you down the wrong road here, and if I am I apologise.
I think what you are looking for is in Network>Incoming Relays.

Enable this feature and add the IP of the external IronPort. You can also adjust headers here at this stage.
Hope this helps,
R.
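
The hop-skipping idea behind the Incoming Relays suggestion above, as an added Python sketch that is not part of the thread and is not Cisco's implementation: when the connecting IP is a trusted relay, the original sender is read from the Received header that relay stamped, and nothing below the first untrusted hop is consulted because the sender controls it. The relay address, host names and sample message are constructed, and the code assumes every trusted relay adds its own Received header.

```python
import email
import ipaddress
import re

# Assumption: constructed address of the 'external' appliance's delivery interface.
TRUSTED_RELAYS = {ipaddress.ip_address("10.0.0.5")}

# Bracketed peer address as written in the "from" clause of a Received header.
_PEER = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def peer_ip(received):
    """Return the connecting peer recorded in one Received header, or None."""
    # Unfold the header and keep only the text before " by <receiving host>".
    from_clause = " ".join(received.split()).split(" by ", 1)[0]
    match = _PEER.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def original_sender(connecting_ip, raw_message):
    """Return the first untrusted hop as a string, or None if it cannot be attributed."""
    ip = ipaddress.ip_address(connecting_ip)
    if ip not in TRUSTED_RELAYS:
        return str(ip)  # direct connection: headers are sender-supplied, ignore them
    msg = email.message_from_string(raw_message)
    # Received headers are newest first; each trusted relay contributes one.
    for received in msg.get_all("Received", []):
        peer = peer_ip(received)
        if peer is None:
            return None  # unparseable hop: do not guess
        if peer not in TRUSTED_RELAYS:
            return str(peer)  # stop here; lower headers may be forged
    return None  # relay stamped no Received header, nothing to attribute

# Constructed sample: top header stamped by the relay, second one sender-supplied.
SAMPLE = (
    "Received: from mail.example.net (HELO mail.example.net) ([203.0.113.7])\r\n"
    "  by ext-gw.ourdomain.com with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    "Received: from forged.invalid ([192.0.2.1]) by mail.example.net;"
    " Mon, 01 Jan 2024 09:59:58 +0000\r\n"
    "From: a@example.net\r\nTo: b@ourdomain.com\r\nSubject: test\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(original_sender("10.0.0.5", SAMPLE))
```

In this sketch a relayed message that carries no Received header from the relay yields `None`, so attribution depends on the relay continuing to stamp that header.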
