CE with Ironport

Customer has a standalone CE (7326) and all traffic is redirected to an Ironport device. The Ironport device prompts for a username/password; once those credentials are correct, the user can view webpages. Is there a way to enter username/password credentials in the Content Engine so it will be able to cache the appropriate sites? Another company manages the Ironport device for my customer and we are trying to get in touch with them to allow the CE to bypass the Ironport altogether; I just didn't know if there was a different way to go about this.
Thanks!

Go through these Configuration Examples and TechNotes.
http://www.cisco.com/en/US/products/hw/contnetw/ps766/prod_configuration_examples_list.html

Similar Messages

  • Exchange 2007 edge server with ironport

    I currently have a frontend Exchange 2003 and backend Exchange 2003 server with IronPort. My MX record is the IronPort, which then forwards into the backend server. The frontend server was only used for OWA and for using Outlook with an HTTPS connection to Exchange.
    With 2007 it has more functionality and the front end server is now called an edge server. Should I have the MX go there and then to IronPort, or vice versa? I'm thinking IronPort to edge server to hub transport server. Is that correct? Will it work?
    Anyone have an Exchange 2007 edge server with IronPort? What are you doing?

    Well, that would've been nice to know a little earlier. Anyway, I have IronPort successfully sending mail to the edge server, which sends it on to the hub transport server. Right now the client access server is on the same server as the hub, but it can be easily moved later. This is for very few people, so it's not like I need to offload anything, as it's a powerful dual-core server. Anyway, now with the edge server I can test how effective it is versus the IronPort. I'll let everyone know when you can ditch the IronPort for MSFT's edge server. (Don't hold your breath.)

  • Dmarc - few emails with ironport hostname

    Hi,
    We have published SPF, DKIM and DMARC and now we have started getting DMARC reports. What is strange is that there are a few messages that are sent with the IronPort hostname as the email domain. We have some situations when we return a custom mail-reject message, but that message is sent as [email protected], not as ironport.hostname.local. How can we find which message is sent with the IronPort hostname? If we search in message tracking for “sender contains ironport.hostname”, nothing is found.
    Example:
    <record>
      <row>
        <source_ip>XXX.XXX.XXX.XXX</source_ip> [this is the legit IP address of the MTA]
        <count>3</count>
        <policy_evaluated>
          <disposition>none</disposition>
          <dkim>fail</dkim>
          <spf>fail</spf>
        </policy_evaluated>
      </row>
      <identifiers>
        <header_from>domain.com</header_from>
      </identifiers>
      <auth_results>
        <spf>
          <domain>ironport.hostname.local</domain>
          <result>neutral</result>
        </spf>
      </auth_results>
    </record>
    Besides that, do you have any experience with DMARC when some other company has an auto-forwarder rule? Then the forwarder does not rewrite the sender, and you get DMARC fail results.

    We have this problem as well. 
    I see lines like this from the ironport log:
    Delayed: DCID XXXXXX MID YYYYYY to RID 0 - 4.1.0 - Unknown address error ('450', ['4.1.8 <[email protected]>: Sender address rejected: Domain not found']) []
    I'm guessing from timing and frequency that this is actually the Ironport delivering its DMARC reports to other domains.
    The only place in the config where that name is found is the Ironport host name.
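Reading the aggregate report programmatically makes the pattern in the question visible: rows whose SPF identity is the appliance's own hostname can never align with the From: domain, and those are exactly the messages that message tracking will not show under the From: address. The following Python script is an added example, not code from the original post or from Cisco. It parses a constructed report modelled on the quoted record (documentation IP, an invented second record for contrast), evaluates SPF and DKIM alignment per record, and lists the unaligned envelope-sender domains. The organizational-domain helper is a deliberate simplification (last two labels) and is labelled as such.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report modelled on the record quoted in the question.
# The source IP is a documentation address and the second record is invented
# to show an aligned, passing row next to the failing one.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>domain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>ironport.hostname.local</domain><result>neutral</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.com</domain><result>pass</result></dkim>
      <spf><domain>mail.domain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organizational domain approximated as the last two labels. Sufficient
    for this demonstration; a production tool should use the Public Suffix List."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def aligned(identity, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not identity:
        return False
    if mode == "s":
        return identity.lower() == header_from.lower()
    return org_domain(identity) == org_domain(header_from)


def analyze_report(xml_text):
    """One dict per <record>: which identity each mechanism authenticated,
    whether it aligns with the From: domain, and the resulting DMARC verdict."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf", "r"), pol.findtext("adkim", "r")
    findings = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        spf_dom = rec.findtext("auth_results/spf/domain", "")
        spf_res = rec.findtext("auth_results/spf/result", "none")
        dkim_dom = rec.findtext("auth_results/dkim/domain", "")
        dkim_res = rec.findtext("auth_results/dkim/result", "none")
        spf_ok = spf_res == "pass" and aligned(spf_dom, header_from, aspf)
        dkim_ok = dkim_res == "pass" and aligned(dkim_dom, header_from, adkim)
        findings.append({
            "source_ip": rec.findtext("row/source_ip", ""),
            "count": int(rec.findtext("row/count", "0")),
            "header_from": header_from,
            "spf_identity": spf_dom, "spf_aligned": spf_ok,
            "dkim_identity": dkim_dom, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,
        })
    return findings


def unaligned_spf_identities(findings):
    """MAIL FROM domains seen in failing rows. An MTA's own hostname here means
    the appliance itself originated the mail (bounces, NDRs, its own DMARC
    reports) with that hostname as the envelope sender."""
    return sorted({f["spf_identity"] for f in findings
                   if not f["dmarc_pass"] and f["spf_identity"]})


if __name__ == "__main__":
    rows = analyze_report(SAMPLE_REPORT)
    for f in rows:
        print("PASS" if f["dmarc_pass"] else "FAIL", f["source_ip"], f["count"],
              "from=%s spf_id=%s" % (f["header_from"], f["spf_identity"] or "-"))
    print("unaligned SPF identities:", unaligned_spf_identities(rows))
```

Run against real reports by replacing SAMPLE_REPORT with the XML from the gzip/zip attachment a receiver sends; the unaligned-identity list is the thing to compare against the appliance hostname.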

  • Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

    Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
    Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
    How does WSA handle complex protocols (such as ftp) through the proxy server?

    We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
    We have several apps that make use of the MS firewall client.
    The MS firewall client enables HTTP tunneling of TCP and UDP through the ISA proxy servers instead of going through firewalls.
    These apps use various ports, and there are rules set up on the ISAs specifically for these apps and their ports.
    We also have several uses of RDP, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers, and these have specific ISA rules set up for them too.
    I can find HTTP-tunneling software, commercial and freeware, but can't find any that I think will work through the IronPort WSA S370 proxy servers.
    I would like to find someone who has implemented HTTP tunneling using IronPort WSA 370 proxy servers.
    Thanks again for your input.

  • Internal and External Mail Exchange servers server not communicating with IronPort

    Hello Support Community,
    I have set up an external mail exchange server and an internal mail exchange server to test out IronPort. Those two are not communicating via IronPort, nor are they receiving each other's sent messages in their inboxes. I have set up a smart host in both of those servers to point to IronPort, but that's still of no help. I have two SMTP routes set up as well: one's receiving domain is dummy.local, which is external, and its destination host is softheon.local, which is internal, which means its smart host is pointing to IronPort's Data 1. Is there something that I'm missing which is not letting these two mail exchange servers connect to each other, as well as connect with the IronPort to catch the messages being sent?
    Thanks

    Are you trying to relay through the appliance, or just email the appliance?
    If trying to relay through the appliance, make sure the IP address of your exchange server is added to the RELAYLIST under the HAT (host access table) located under Mail Policies Tab - Host Access Table.  Click on the RELAYLIST and add the IP - submit and commit changes.
    If you are just trying to email the appliance, you may be getting dropped at the handshake level based on reputation (or lack thereof).
    From your exchange boxes, open up a command prompt and telnet to the ironport on port 25 and initiate a command line email.
    So:
    telnet IP-OF-IRONPORT 25 (hit enter, you should connect up and see the IronPort banner)
    helo (type helo - from here you'll probably get dropped by the IronPort)
    mail from: [email protected] (if you don't get dropped, put in your email address)
    rcpt to: [email protected] (put in the other email address)
    data (type data and hit enter)
    This is a test. (type anything, this is the message body)
    . (when done typing, type a single . (period) and hit enter. The email should send if you got that far.)
    You most likely need to add the IP addresses of your exchange boxes to the WHITELIST under the HAT to resolve any reputation issues from your test exchange boxes.
    Regards,
    Chris
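The manual telnet session above is the right diagnostic, and it is worth scripting so the stopping point is recorded rather than eyeballed. The following Python script is an added example (not from the reply or from Cisco): it replays HELO, MAIL FROM and RCPT TO through the same `docmd()` interface that `smtplib.SMTP` exposes, stops at the first 4xx/5xx or disconnect, then issues RSET and QUIT so no message is actually delivered. The `ScriptedSMTP` class and the reply script in `main` are constructed stand-ins so the example runs offline; the mapping in `diagnose()` to HAT/RELAYLIST/WHITELIST causes follows the reply's reasoning and is a hint, not an appliance API.

```python
import smtplib
import socket


class ScriptedSMTP:
    """Offline stand-in for smtplib.SMTP with the same docmd()/close() shape.
    Replies come from a constructed dict keyed by SMTP verb; a verb missing
    from the dict simulates the appliance hanging up mid-session, which is
    what the reply above calls "getting dropped"."""

    def __init__(self, replies):
        self.replies = replies
        self.closed = False

    def docmd(self, cmd, args=""):
        reply = None if self.closed else self.replies.get(cmd.upper())
        if reply is None:
            self.closed = True
            raise smtplib.SMTPServerDisconnected("Connection unexpectedly closed")
        return reply

    def close(self):
        self.closed = True


def walk_smtp(conn, helo_name, mail_from, rcpt_to):
    """Replay the manual telnet test (HELO, MAIL FROM, RCPT TO) and stop at
    the first refusal; RSET/QUIT afterwards so nothing is delivered.
    Returns [(step, code, text), ...]; the last tuple is where it ended."""
    steps = [("HELO", helo_name),
             ("MAIL", f"FROM:<{mail_from}>"),
             ("RCPT", f"TO:<{rcpt_to}>")]
    trace = []
    try:
        for verb, arg in steps:
            code, msg = conn.docmd(verb, arg)
            text = msg.decode(errors="replace") if isinstance(msg, bytes) else str(msg)
            trace.append((verb, code, text))
            if code >= 400:      # 4xx/5xx: the appliance refused this step
                break
        else:
            conn.docmd("RSET")   # everything accepted; abandon the transaction
        conn.docmd("QUIT")
    except (smtplib.SMTPServerDisconnected, socket.error) as exc:
        trace.append(("DISCONNECT", 0, str(exc)))
    finally:
        conn.close()
    return trace


def diagnose(trace):
    """Map where the session ended to the causes discussed in the reply."""
    step, code, text = trace[-1]
    if step == "DISCONNECT":
        return "dropped at connect/HELO: check the HAT sender group (reputation/WHITELIST)"
    if code < 400:
        return "accepted through RCPT TO: the envelope is fine, look further downstream"
    if step == "HELO":
        return f"HELO refused ({code}): HAT sender group policy"
    if step == "MAIL":
        return f"MAIL FROM refused ({code}): sender rejected by HAT/sender-verification policy"
    return f"RCPT TO refused ({code}): source not in RELAYLIST, or recipient domain not accepted"


if __name__ == "__main__":
    # Live use (not run here): conn = smtplib.SMTP("IP-OF-IRONPORT", 25, timeout=10)
    # The constructor already reads the 220 banner, so walk_smtp() starts at HELO.
    # Constructed script below: the relay is refused at RCPT TO.
    script = {"HELO": (250, b"ironport.example.invalid"),
              "MAIL": (250, b"sender <[email protected]> ok"),
              "RCPT": (550, b"5.7.1 relaying denied"),
              "QUIT": (221, b"closing connection")}
    trace = walk_smtp(ScriptedSMTP(script), "exch01.dummy.local",
                      "[email protected]", "[email protected]")
    for row in trace:
        print(row)
    print(diagnose(trace))
```

Because the probe never sends DATA, it can be run repeatedly from each Exchange box without generating test mail, and the trace shows at a glance whether the appliance hung up (reputation at HELO) or answered with a 5xx at RCPT (relay not permitted).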

  • Using ACS with Ironport?

    Hello
    In our libraries we use a product called Netloan which authenticates the users using an SQL database. Effectively the users log in to the machines with a username and PIN, this is authenticated via an SQL database, and a session is opened for an hour, allowing the user access to the PC.
    Once authenticated, the user then attempts to access the internet and the traffic is routed through to our Cisco IronPort appliance, which provides the web filtering. We have no issues with the desktop devices, as they are on an Active Directory domain, so the IronPort sees their traffic as authenticated and can provide different levels of filtering.
    The issue we have is with our public Wi-Fi users who connect to an access point and authenticate with Netloan using a login page we have created on the wireless controller. Once authenticated, however, the IronPort does not see them as authenticated because they are using their own devices, i.e. not on the domain, so we can only apply a default filtering policy based upon source IP address.
    We need the IronPort to provide different levels of filtering for the public Wi-Fi users, the same as it does for the desktop ones, even though the Wi-Fi users are using their own devices, not on an AD domain.
    Hopefully this makes some sort of sense!
    Cheers

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?

  • Fitting Citrix Netscaler with Ironport

    Hello,
    Currently we have an Exchange 2010 environment and mail flow as below:
    1 CAS
    2 MBX
    Internet --> Ironport --> CAS --> MBX
    We are planning for Exchange 2010 to 2013 upgrade and I am preparing a plan for it.
    We already have Internet facing Ironport as mentioned above.
    We also have Citrix Netscaler as internet facing for accessing citrix applications.
    Exchange 2013 plan
    2 CAS
    2 MBX
    I want to load balance CAS servers with Citrix Netscaler. 
    How should I fit Netscaler into the design?
    Please suggest.
    Thanks,
    Mihir

    Hi Mihir,
    Unlike previous versions of Exchange, Exchange 2013 no longer requires session affinity at the load balancing layer.
    Generally, there are four scenarios for load balance in Exchange 2013:
    1. Single Namespace / Layer 4 (No Session Affinity)
    2. Single Namespace / Layer 7 (No Session Affinity)
    3. Single Namespace / Session Affinity
    4. Multiple Namespaces / No Session Affinity
    For more information about these, please refer to:
    http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx
    Additionally, there is a reference about Microsoft Exchange 2013
    Citrix NetScaler Deployment Guide:
    http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Regards,
    Winnie Liang
    TechNet Community Support

  • ACE working with IronPort WSA server farm

    We have an ACE load balancing a group of IronPort WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not of the WSA itself.
    We followed the document mentioned, but it is not working. When the packet coming from the Internet has the WSA client address as its destination address, the ACE cannot deliver the packet, even with mac-sticky configured.
    I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
    But we don't have this entry in the ARP table.
    When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
    Has anyone had this kind of problem on some occasion?
    Thank you,
    Everaldo

    Hi Jorge,
    The behavior is that when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client, but the connection with the Internet is not established. I captured the packets that arrive at the ACE coming from the Internet and I see SYN packets with a public IP (Google) as the source address and the internal client IP address as the destination address, with no ACK, just RST.
    With no IP Spoofing, meaning that the IP source address is the WSA, the connection is established with no RST.
    Following is the output of the commands:
    show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 304
      service-policy: WSA-VIPS
        class: WSA_VIP_TCP_3128
         VIP Address:                              Protocol:  Port:
         10.10.193.25                              tcp    eq   3128
          loadbalance:
            L7 loadbalance policy: WSA-POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 3         , hit count        : 1260
            dropped conns    : 4
            conns per second    : 0
            client pkt count : 19271     , client byte count: 2326106
            server pkt count : 26140     , server byte count: 16572023
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : WSA-POLICY
              class/match : class-default
                LB action :
                   primary serverfarm: WSA_FARM
                        state: UP
                    backup serverfarm : -
                hit count        : 1260
                dropped conns    : 0
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0
            Content size: 0               Content type       : 0
            Not HTTP 1.1: 0               HTTP response error: 0
            Others      : 0
    switch/WSA# show probe WSA_TCP_3128
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    switch/WSA# show probe WSA_TCP_3128 detail
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
    description :
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
       conn termination : FORCED
       expect offset    : 0         , open timeout     : 3
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 2         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Sep  3 21:06:47 2012
       Last fail time      : Mon Sep  3 20:45:05 2012
       Last active time    : Mon Sep  3 20:45:57 2012
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    Thank you,
    Everaldo

  • Block and unblock .zip and .rar files based on domain or user account on incoming mails with IronPort email security.

    Hi All,
    I request you all to help me out in blocking/dropping only the attachments with the extensions .rar and .zip in incoming mails for particular users or domains.
    As of now I have done it for all the domains or users. However, I want to unblock it only for some particular/specific users, and for the rest it should block.
    kindly help me with the steps to do the configuration.
    Thanks a ton in advance
    Regards,
    LRN

    It sounds like you just need to use different incoming mail policies per group of individuals you want to block/drop .rar and .zip and those which you don't want this to happen.
    The fact that you want a specific group to be allowed receipt of these and everyone else should have these blocked I would recommend creating an additional incoming mail policy that does NOT have a content filter that performs this blocking.  Add the appropriate users to this incoming mail policy.  Then create a incoming content filter that does this dropping of .rar and .zip files and apply this to the Default Incoming Mail Policy.
    The content filter in this situation would not need a condition, just an action of strip attachments by file info, filename contains .rar or .zip.
    Here is a useful regex for the content filter action:  (?i)\.(zip|rar)
    Hope this helps!
    Steve

  • Noticeably increased amount of spam with Ironport

    Hello,
    We are using IronPort C170 for several clients. All the clients have had a lot more untagged spam emails during the last two weeks. Is this expected? Maybe there is some new known botnet activity on the Internet?
    Thanks,
    Nikolay

    Hello Nikolay,
    bot activities should not result in the numbers of spam increasing significantly, of course at the beginning of a campaign there will always be something slipping through, but this should not be a permanent issue. I'd suggest that you check your system monitor, in the inbound section the number of messages blocked by reputation filtering should be in the 85 to 90 (or higher) range, if not then maybe there is something wrong.
    Also, use message tracking to figure out which sendergroups the missed spam has been hitting, often the reason for that is a host that is whitelisted in the HAT and does not get scanned by IPAS.
    Hope that helps,
    Andreas

  • How to change email routing in IronPort C360

    Hi All,
    I am new to IronPort. I would like to reconfigure my IronPort, especially its mail routing. The following are the current and proposed configs.
    current config
    Exchange <----> Mail antivirus Server <-----> IronPort <------> Internet  <------> External user
    Proposed Config
    Exchange <-------> IronPort <-------> Internet <--------> External User
    What parameter in IronPort should I change to allow the proposed config to run well?
    Cheers,
    Andi

    Hi Tommy,
    Let's say we have the following existing config:
                                |-------- Servers
                                |
    Exchange <----> Mail Anti Virus Server <----> IronPort <-----> Internet ---- external user
                                |
                                |<--------->  Exchange (sister company exchange, different domain)
    Proposed:
    Exchange <-------> IronPort <-------> Internet <--------> External User
                                 |
                  Servers----|
    * Besides the requirements I mentioned earlier, the mail antivirus server also serves mail flow to/from another sister company.
    * The mail flow for the sister company is: user --- exchange ---- mail antivirus server --- sister company, and also vice versa.
    * Email from the sister company can only be received from the mail antivirus server (IronPort after migration).
    * Some servers inside relay email using the mail antivirus server, and will then use IronPort after migration.
    Is there any additional change in the config of IronPort? Please advise.
    Cheers,
    Andi

  • How to add X-authenticated header with SMTP-auth

    I have SMTP auth working here. I also have the normal mail header to see what IP the message is coming from. But I'd like to add an X-authenticated header to indicate that the mail is authenticated by the end user.
    Can I do that? What parameter can I use for the message filter?
    Many thanks.
    Chris

    Currently you can't; however, you should open a case with IronPort and request that feature. The more that request the feature, the better the chance for it to get implemented. My company has already requested this feature. We asked for a variable and a condition that we could use in filters.

  • How to convince externals IronPort is safe to send confidential emails?

    Please can someone in Cisco help me.
    I need to put together a nice document, preferably with nice graphics if available, to explain that Cisco IronPort is a secure means of sending email data, that IronPort uses industry-standard high levels of encryption, and just how secure that is.
    This will mean basically that anyone that needs to send a confidential email to me will be able to evaluate how strong IronPort is and know they are following good practice and remaining compliant with their data policies for transit.
    Please can I have some good links or some already detailed documentation that explains the security of IronPort secure send?

    If data management and persons wishing to be secure regarding the way they send data to their customers or vendors currently rely on simple password-protected files:
    What is more secure, a Word document intercepted with a five-character all-lower-case password, or a non-password-protected Word document sent over the IronPort Encryption Appliance?
    If a Word file with a simple password is intercepted in transit, it would be a security risk compared to this same file being sent with no password and over Cisco's IronPort solution.
    Where is this information?
    How many bits is secure mail? It is HTTPS, but how secure is that in conjunction with IronPort?
    How can customers know they can rely on IronPort to both send and receive emails via the “IronPort Encryption Appliance”?
    Please can someone direct me in the correct direction?

  • Nation members - share your feedback on IronPort Anti-Spam!

    IronPort Anti-Spam customers,
    On a monthly basis, we like to collect information on customer satisfaction levels with IronPort’s spam defenses. If possible, please click on the below link and fill out the brief, IronPort survey.
    Benefits include:
    • All respondents are entered into a raffle to receive $100 in cash
    • This survey shouldn’t take more than 1 minute to fill out.
    • The feedback you provide goes a long way in helping us understand customer needs and concerns.
    Please be sure to complete this brief survey by no later than Thursday, June 7th.
    Please DO NOT complete this survey if you are running Brightmail Anti-Spam.
    Thanks in advance!
    Dave Mayer, IronPort Anti-Spam Product Manager
    https://www.surveymonkey.com/s.aspx?sm=w7b1FUslBFlsAPcaSLPTlw%3d%3d

    Who is Dave Mayer? Is this a real invitation from IronPort?
    Hi Pat,
    Dave M. is a product manager here at IronPort, and yes, the survey is real.
    Thanks!
    Garrett (IronPort Technical Publications)

  • How to create anti-spoof rules with exception

    Hello all,
    I'm a beginner with IronPort and I need to create rules for specific cases.
    I manage many mail domains and I want to create an anti-spoof rule with a message filter. Easy to do with a dictionary containing all my mail domains.
    But I have some mail addresses with external applications that need to be sent with my mail domains.
    For example, I receive acknowledgement mails sent with the [email protected] address, and example.com is a domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external [email protected] mail will be dropped.
    For example, I tried this rule with no success:
    Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)) {
        drop();
    }
    I tried this rule too:
    Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from != "^[email protected]$") OR (mail-from != "^[email protected]$") OR (mail-from != "@ack.mydomain.com$")) {
        drop();
    }
    Have you got any tips or advice to answer my funny case?

    Hello,
    We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)
    Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
        insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
    }
    The one drawback is that we need to maintain the dictionary "dict_internaldomains". If we forget to add a new domain to this list, it will never be detected as spam.
    A good new message filter functionality would be to be able to do a "mail-from-rat-match", which would allow you to use the RAT table(s) as a dictionary.
    We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D
    Good luck,
    Steven
