two ESAs where the backup hosts the ISQ with CM (KB: 610)
last Tuesday we had a small discussion at the IronPort Partnerday about the Knowledge Base article 610 "Configure two ESAs where the backup hosts the ISQ with Centralized Management".
The main problem with the proposed solution is that you have to break your clustered configuration for HAT/RAT. Which means you need to configure white-/blacklisted Servers and Recipients in the Access table on both machines again. Therefor I would like to suggest a new way of doing this, which leaves me the benefit of the Centralized Managment for the cost of having an idle listener:
Instead of adding the Listener only on one appliance, you add the listener to the Cluster. This will not break anything on the Non-ISQ Box, as there is no traffic routed to this Machine. And don't forget to add the IP Address of the backup ESA into the Incoming Relays list, otherwise you could break your reputation. :)
If you have a special IP Address for the ISQ, you can also add this Interface on the second Box with the same name.
The only unfortunate side-effect of hosting the spam quarantine on one box is that the reporting is wrong again. Any message sent this way is logged as a clean message.
I'm curious about your comment about breaking your reputation. How would this setup affect your reputation? You're not scanning for spam again on the second box, so even if it shares statistics, won't it just report that a lot of clean mail was received from the first box?
Re: two ESAs where the backup hosts the ISQ with CM (KB: 610)
It got pulled, as it had some configuration options set that did more bad then good.
Support has the changed version of the article, it is not published yet, as 5.5 has put some holes in the new workaround again. For those who don't use the safe and block list in 5.5 the version you can get from support, works well.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...