I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?
Currently, the IronPort is not able to turn over a failed TLS connection to another mechanism.
Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.
You can configure a workaround of sorts by creating specific bounce profiles for domains that require TLS, and setting these profiles to bounce messages within a short period of time (say, 2 minutes or less). That way, if the message is in the delivery queue and a TLS connection cannot be verified to the recipient host, the message would bounce. The bounce would contain a 5.4.7 error message stating that TLS was unavailable. This workaround would depend on how savvy your users are at reading/understanding bounce messages.
My third option (and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.
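The bounce-profile workaround above leaves the internal sender with a raw 5.4.7 bounce to interpret. The script below is an added example, not code from this thread or from Cisco: it parses such a bounce as an RFC 3464 delivery status notification and turns it into a plain-language notice, which a helpdesk mailbox or a small relay-side hook could send to the original sender. The DSN layout, the `make_dsn` helper, the sample addresses and the diagnostic wording are all constructed assumptions; check what your own gateway actually puts in its bounces before matching on it. One caveat the code handles: status 5.4.7 by itself only means "delivery time expired" (RFC 3463), which an ordinary queue timeout also produces, so the diagnostic text is consulted before a bounce is labelled a TLS failure.

```python
"""Turn a TLS-expiry bounce into a plain-language notice for the sender.

Added example, not code from the original thread or from Cisco. It assumes the
bounce is an RFC 3464 multipart/report DSN whose message/delivery-status part
carries Status: 5.4.7; every sample message here is constructed.
"""
import email


def make_dsn(recipient, status, diagnostic):
    """Build a constructed multipart/report DSN in the RFC 3464 shape (test input only)."""
    return (
        "From: Mail Delivery System <MAILER-DAEMON@mail.example.com>\n"
        "To: alice@example.com\n"
        "Subject: Delivery Status Notification (Failure)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Your message could not be delivered.\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; mail.example.com\n"
        "\n"
        f"Final-Recipient: rfc822; {recipient}\n"
        "Action: failed\n"
        f"Status: {status}\n"
        f"Diagnostic-Code: smtp; {diagnostic}\n"
        "--b1--\n"
    )


def parse_dsn(raw):
    """Return one dict per recipient block found in the DSN's delivery-status part.

    5.4.7 alone means "delivery time expired" (RFC 3463), the same code an
    ordinary queue timeout produces, so a failure is only flagged as a TLS
    failure when the Diagnostic-Code text mentions TLS.
    """
    msg = email.message_from_string(raw)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package parses message/delivery-status into one Message per
        # header block: blocks[0] is the per-message block (Reporting-MTA), the
        # remaining blocks are one per recipient.
        blocks = part.get_payload()
        if not isinstance(blocks, list):
            continue
        for block in blocks[1:]:
            status = block.get("Status", "").strip()
            diagnostic = block.get("Diagnostic-Code", "").strip()
            # Final-Recipient is "address-type; address", e.g. "rfc822; bob@..."
            recipient = block.get("Final-Recipient", "").split(";", 1)[-1].strip()
            results.append({
                "recipient": recipient,
                "action": block.get("Action", "").strip(),
                "status": status,
                "diagnostic": diagnostic,
                "tls_failure": status.startswith("5.4.7") and "tls" in diagnostic.lower(),
            })
    return results


def sender_notice(results):
    """Build the text an internal sender should see instead of the raw bounce."""
    lines = []
    for r in results:
        if r["tls_failure"]:
            lines.append(
                f"{r['recipient']}: not delivered because the recipient's mail server "
                "did not offer TLS and this domain requires it. Resend using encrypted "
                "(CRE) delivery or ask the recipient's IT team to enable TLS."
            )
        else:
            lines.append(f"{r['recipient']}: not delivered ({r['status']}: {r['diagnostic']}).")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples: one TLS expiry, one ordinary queue expiry with the same status code.
    tls_bounce = make_dsn("bob@partner.example.net", "5.4.7",
                          "5.4.7 Message expired: TLS required but not available")
    plain_expiry = make_dsn("carol@other.example.org", "5.4.7",
                            "5.4.7 Message expired: connection timed out")
    for raw in (tls_bounce, plain_expiry):
        print(sender_notice(parse_dsn(raw)))
```

Because the status code alone is ambiguous, anything that auto-notifies or auto-reroutes on these bounces should key on the gateway's actual diagnostic wording, which is why the sample text is a labelled assumption rather than a quote of real output.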