Cisco Support Community


two ESAs where the backup hosts the ISQ with CM (KB: 610)

Hi,

last Tuesday we had a small discussion at the IronPort Partnerday about the Knowledge Base article 610
"Configure two ESAs where the backup hosts the ISQ with Centralized Management".

The main problem with the proposed solution is that you have to break your clustered configuration for the HAT/RAT, which means you need to configure white-/blacklisted servers and recipients in the access tables on both machines again. Therefore I would like to suggest a new way of doing this, which leaves me the benefit of Centralized Management at the cost of having an idle listener:

Instead of adding the listener only on one appliance, you add the listener to the cluster. This will not break anything on the non-ISQ box, as there is no traffic routed to this machine. And don't forget to add the IP address of the backup ESA to the Incoming Relays list, otherwise you could break your reputation. :)

If you have a dedicated IP address for the ISQ, you can also add this interface on the second box with the same name.

Any comments welcome,

Adrian Woizik
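To make the Incoming Relays point above concrete, here is an added example (my own Python, not Cisco code and not taken from KB 610) that models in simplified form what the Incoming Relays feature does when it parses Received headers: it walks the hops inward from the receiving ESA and skips every hop that is a configured relay, so the sender reputation is looked up for the real originating host instead of for the partner ESA. The hostnames, IP addresses and the sample headers are constructed for the example; the real feature also supports a hop-count and custom-header mode that is not modelled here.

```python
"""Which IP should reputation be evaluated against when mail reaches an ESA
through another, trusted ESA?  Simplified model of Incoming Relays parsing.
All hostnames, IPs and headers below are constructed for this example."""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed sample: mail arriving at the ISQ-hosting ESA (esa2) via the
# primary ESA (esa1).  The newest hop is listed first, as in real headers.
SAMPLE_MESSAGE = """\
Received: from esa1.example.com (esa1.example.com [192.0.2.10])
\tby esa2.example.com with ESMTP; Tue, 10 Jun 2014 10:00:02 +0200
Received: from mail.bulksender.example (mail.bulksender.example [203.0.113.45])
\tby esa1.example.com with ESMTP; Tue, 10 Jun 2014 10:00:01 +0200
From: someone@bulksender.example
To: user@example.com
Subject: test

body
"""

# The connecting IP is the part in square brackets of each Received header.
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_ips(message_text: str) -> List[str]:
    """Return the connecting IP of every Received header, newest hop first."""
    msg = message_from_string(message_text)
    ips: List[str] = []
    for header in msg.get_all("Received", []):
        # Folded headers span several lines; search the whole value.
        match = _BRACKET_IP.search(str(header))
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip(message_text: str,
                   incoming_relays: Iterable[str]) -> Optional[str]:
    """Walk the hops inward from the receiving ESA and return the first IP that
    is not a configured incoming relay.  With no relays configured the answer
    is simply the host that connected to the listener, which in the two-ESA
    setup is the other ESA rather than the real sender.  Returns None if every
    hop is a trusted relay (nothing left to score)."""
    relays = [ip_network(r, strict=False) for r in incoming_relays]
    for ip in received_ips(message_text):
        addr = ip_address(ip)
        if not any(addr in net for net in relays):
            return ip
    return None


if __name__ == "__main__":
    # Without the relay entry, the partner ESA gets scored.
    print("no relays      :", originating_ip(SAMPLE_MESSAGE, []))
    # With the partner ESA listed as a relay, the real sender gets scored.
    print("esa1 as relay  :", originating_ip(SAMPLE_MESSAGE, ["192.0.2.10"]))
```

Run it with the relay list empty and then with the partner ESA's address in it: the first case scores 192.0.2.10 (your own backup ESA), the second case scores 203.0.113.45, which is why the backup appliance belongs in the Incoming Relays list.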

4 REPLIES

Re: two ESAs where the backup hosts the ISQ with CM (KB: 610)

I have several systems configured that way, never had a problem with them. You can't sell centralized management if the first thing you need to do is break the cluster config again ;)

I can't seem to find #610 anymore, but I remember that some older KB articles said to use a message filter like this to send spam received on the QuarantineListener to the spam quarantine:

QuarantineRoute: if (recv-listener == "QuarantineListener") {
    alt-mailhost("the.euq.queue");
}

Don't use that filter because it's broken: you won't be able to release messages from the quarantine anymore. Instead I use something like this:

QuarantineDeliver: if (recv-listener == "QuarantineListener") {
    skip-spamcheck();
    skip-viruscheck();
    skip-vofcheck();
    insert-header("X-Ironport-Quarantine", "Quarantine");
    deliver();
}


The only unfortunate side-effect of hosting the spam quarantine on one box is that the reporting is wrong again. Any message sent this way is logged as a clean message.

I'm curious about your comment about breaking your reputation. How would this setup affect your reputation? You're not scanning for spam again on the second box, so even if it shares statistics, won't it just report that a lot of clean mail was received from the first box?


Try using an outbound listener

Adrian, Bart,

we typically use a configuration similar to yours, but I configure the dedicated ISQ listener as a private (outbound) listener, so the quarantined mails are not counted in the inbound statistics.

Cheers,
Jörg


Re: two ESAs where the backup hosts the ISQ with CM (KB: 610)

So what happened to KB ID 610?
I would have liked to read this post.

Re: two ESAs where the backup hosts the ISQ with CM (KB: 610)

It got pulled, as it had some configuration options set that did more bad than good.

Support has the changed version of the article, it is not published yet, as 5.5 has put some holes in the new workaround again. For those who don't use the safe and block list in 5.5 the version you can get from support, works well.

Best Regards,

Mark
