Cisco ESA Deployment Question

Hello,
I have a question about ESA deployment. In the case where I have 1 ESA deployed in my network with an MX record, and the public IP is NATted to the ESA IP located in the DMZ:
If the ESA goes down for any reason, like a power failure, can I still receive and send email or not? I mean, in this case, can the device work in fail-open mode to relay the emails but without applying the policy?
Or in this case, will the mail system be completely down, and I need to add a 2nd MX record (high availability) to ensure that the email system is up?
Thanks.
Ahmad.

This is very logical for me.
I had a discussion with a Cisco SE, and he insists that the ESA acts as a proxy, not as an email server, so the mail server would still deliver email but without any ESA policies applied to it.
Here, if you point the Exchange server to the ESA and the ESA is down, then receiving and sending will be down, and only the internal emails will be working.
Thanks.
Ahmad.

Similar Messages

  • Cisco ESA Deployment

    Hello Everyone,
    I have seen deployment guides for Cisco ESA stating that the ESA is to be deployed in the DMZ network.
    Can we deploy Cisco ESA and also the internal mail server in the same network?

    You can, but you need to make sure that email (inbound and outbound) flows through the ESA and nothing is direct to your email server. Putting ESA on the edge does make the deployment and future troubleshooting easier.
    Hope it helps.

  • Licensing for Cisco ESA c380

    I am putting a recommendation together for a client to upgrade their existing Cisco ESAs and trying to figure out how the licensing works.
    We are looking at c380s across multiple sites, an upgrade from their current models, which are c160s. Questions:
    1.) Do the mailbox licenses need to be procured separately for each c380? E.g., if the total mailbox count is 20000 across 4 sites, can the mailbox licenses be bought together and 'split' across individual installs of c380s, or do they have to be bought separately for each c380?
    2.) If upgrading from the existing ESAs to new ones, can the licenses be imported from the existing c160s (which will be decommissioned) and exported to the new ESAs?

    1) Each hardware appliance is licensed separately. You'll need to work with the account team/reseller to provide the #/size license as appropriate.
    2) If upgrading - yes, you'll just need to transfer the existing "as-is" license from the serial number of the existing appliance to the serial number of the newly purchased appliance. It should be fairly exactly the RMA steps provided in the following article:
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118000-technote-esa-00.html
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Cisco ISE Deployment suggestion required

    Require assistance on Cisco ISE deployment for the scenario below:
    -- We have three Cisco ISE appliances and the client has taken an Advanced Subscription License for 500 users
    -- Client has DC & DR and needs to deploy the Cisco ISE in one main office which connects to DC & DR on MPLS links
    -- Client's suggestion was to deploy one ISE node (Admin + M&T + Policy Server) in DC and its standby secondary in DR,
         and only deploy a Policy Server in the main office.
         The idea behind the design is that:
         1) If DC fails, Cisco ISE related logs will get generated on DR and any Cisco ISE related request will be taken care of by the local Policy Server in the main office.
         2) If the local Policy Server fails, then the ISE node in DC will act as secondary backup and DR will act as tertiary backup.
         Below is the view:
         DC:                  Primary Node with role [Admin, M&T, Policy Server]
         DR:                  Secondary Node with role [Admin, M&T, Policy Server]
         Main Remote Office:  Cisco ISE Node (only Policy Server) -----------> Network Devices
    Please let me know if it is possible.

    Yes, the scenario is quite achievable. Also please review the links below for assistance on deployment of ISE.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf

  • Cisco ESA reporting on a Nagios monitor ?

    Hi,
    Is it possible to exploit the reporting of the ESA in third-party software like Nagios? How do I get real-time reporting (hardware status, queue, quarantine) from the Cisco ESA into the monitor of an administration tool like Nagios?
    Best regards

    Hi Kishor,
    I am not sure if this helps you, but try using BW statistics info providers. Refer to these links:
    http://help.sap.com/saphelp_bw30b/helpdata/en/8c/131e3b9f10b904e10000000a114084/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/8c/131e3b9f10b904e10000000a114084/content.htm
    Hope it helps,
    Regards,
    Parth.

  • One Cisco prime deployment for three physically different Networks

    Can one Cisco Prime deployment be used to manage three physically different networks without creating a bridge between the networks? It is imperative that the networks remain separated, but they will be managed by the same team, so can you somehow use one Cisco Prime without the networks becoming connected?

    Hi,
    I believe you can manage any device, if it is reachable (ICMP/SNMP) from Prime Infrastructure.
    Just make sure all the 3 different networks are reachable from PI; it's not required that they're reachable among themselves.
    PI itself does not do any bridging/routing between your 3 different networks, therefore PI doesn't know if you can route between them or if they're separated.
    Since the 3 different networks are not reachable among themselves, use 3 different seed IPs while discovering.
    Also, from a management point of view, you can create virtual domains, group the devices network-wise, and then when logging in to PI, you'll get the feel that you're managing 3 different networks with the same PI.
    But since PI knows all the devices of the 3 different networks, it'll consume CPU/RAM/disk space accordingly, therefore you need to pay attention to the resources of PI.
    Using Virtual Domains to Control Access to Sites and Devices
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/administrator/guide/PIAdminBook/maint_user_access.html#pgfId-1056197
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • License Cisco ESA in Cluster Configuration

    Guys,
    Do you have any idea about licensing Cisco ESA in a cluster configuration?
    If I have two appliances in a cluster configuration and I have 1000 users, which license option must I buy?
    1. Just one license for the two appliances (which are in cluster configuration) with 1000 user capacity
    2. Two licenses with 500 user capacity for each appliance: appliance 1 with a 500 user capacity license, appliance 2 with a 500 user capacity license
    3. Another license.
    BR

    You only need to buy 1000 user licenses for whichever options or packages you buy. The only option that is not based on the number of users is if you want a Cisco Content Security Management Appliance or SMA for centralized reporting and quarantine.
    Another good thing to note, is that if you have a virtual environment the hardware appliances are no longer required, and are not nearly as expensive as they were in the past. So depending on your requirements you may be off the ground pretty quick.
    Also make sure to get all your features bundled. I would at least get AMP, Sophos A/V, DLP, and Encryption. This also means you can transfer and copy your license to as many appliances (Physical or Virtual) you need to support your environment. 

  • TelePresence Conductor with Cisco TMS Deployment - the missing part

    Hello,
    I am looking at the deployment guides for Telepresence Conductor XC3.0:
    Cisco TelePresence Conductor with Cisco Unified CM Deployment Guide (XC3.0)
    Cisco TelePresence Conductor with Cisco TMS Deployment Guide (XC3.0 with TMS 14.6)
    To setup the TMS, the Conductor and CUCM for scheduled meetings.
    The Doc #2, explains how to add the Telepresence Conductor to the TMS, create the scheduled conference alias and configure the conductor on the TMS
    The Doc #1, explains how to setup the CUCM and the Conductor for ad-hoc and meet-me conference.
    So it looks that there's a part missing. How do we setup the CUCM for the scheduled conferences managed by the Conductor?
    With Doc #2, I can create my scheduled meetings and get a conference SIP address, but how do my endpoints registered on my CUCM route to them? I guess I have to create a SIP trunk on my CUCM, but to where? The main Conductor IP? A new location with a new VIP pointing to the same template as the conference alias?
    Another strange thing in the Doc #1, on page 87 of the documentation for Conductor XC3.0 it says:
    "Scheduled conferences
    Scheduled conferences are not supported in TelePresence Conductor version XC2.4. It will be supported for Personal Multiparty Advanced in a future version of TelePresence Conductor software."

    Hi Matthieu,
    I guess I have to create a SIP trunk on my CUCM but to where?
    You would use a rendezvous location and build a SIP trunk to that location from CUCM to Conductor.  
    Another strange thing in the Doc #1
    This is specific to the Personal Multiparty Advanced feature; it looks like the version wasn't updated in the doc to XC3.0 for this line.
    -Jonathan

  • Deploying Cisco ESA without Internal Mail_Server

    Hello Experts,
    We have hosted our company email server with an external company (mail hosting company), and our internal users are all connecting directly to that external company's mail server for accessing their emails. We do not have any other internal mail relay server inside our company.
    My question is: can we put any Cisco IronPort Email Security appliance in this environment so that we have security for our emails, without having any internal email relay server?

    I think the answer is yes, but it depends. If the mail hosting includes the Internet mail gateway (your MX records point to the hosting company) then there's not much you can do about inbound protection. If it is just hosting groupware and your MX records can point to your in-house IronPort then you can do all the normal inbound protection (anti-spam, anti-virus, content checking, etc) and then pass it to the hosted groupware using SMTP as normal. You would want to use TLS as you are likely going over the Internet to the hosting company. Similarly for outbound protection, TLS from the hosted groupware to your in-house IronPort which can do the normal anti-virus, content checking, encryption, etc. You would have to factor in the extra bandwidth as all your mail will be flowing to and from the hosted environment. Basically it is just like any other installation with IronPort talking to groupware e.g. Exchange over SMTP, but in your case that connection would be remote not local, so you need to take appropriate steps (such as TLS) to protect the traffic. But as I said at the start it depends on the hosted environment, what is being hosted and how much control you have over the configuration. Hope this helps.

  • Cisco IDSM2 Deployment Scenario Question

    Hello,
    I have this scenario:
    There are several user VLANs and one server farm VLAN in a network.
    The requirement is to deploy a new Cisco IDSM-2 module inline on the core/distribution 6509 switch such that user traffic destined to servers is subjected to application inspection and prevention.
    The inline mode and inline-vlan-pair modes seem to allow one-to-one VLAN mapping only. However, I am interested in mapping several user VLANs to the single server farm VLAN on the IDSM monitoring port(s).
    What design or configuration approach can I use in this scenario? Thanks.
    Felix

    You can send traffic from all user vlans destined to the server vlan to a dummy vlan, and then you can pair this dummy vlan for the IDSM in inline vlan pair mode.

  • ESA Deployment

    Hi Community,
    I have a client with an ESA as the first mail server coming from the Internet and last one on the path out.
    This client is a University and the default ESA settings are not stopping much of the spam received.
    What I would like to ask is any recommendations or reference to deploying the ESA in a University where the recipients are just too many and too dynamic to maintain in a list (LDAP), and any guidance or best practices.
    Thank you very much,
    Federico.

    Hi Federico,
    Anti-Spam Best Practices
    Adapted From https://ironport.custhelp.com/app/answers/detail/a_id/493
    1. Verify that inbound messages are being scanned by the anti-spam engine. Do a message track on a recent message and check that it was scanned.
    - Go to MONITOR > MESSAGE TRACKING
    - Search for the email in question
    - Click the 'Show Details' link next to the email in question
    Look for the anti-spam engine (CASE) verdict. Example:
    Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
    Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
    Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
    2. Verify that you are receiving anti-spam rule updates.
    Check to confirm that the most recent time stamps for updates under Security Services > Anti-Spam are from within the last 2 hours.
    3. Make sure you are taking the desired actions on spam-positive messages. Check the Inbound Mail Policies for how IronPort Anti-Spam verdicts are handled. Make sure spam-positive and suspect messages are dropped or quarantined in the default policy, and that all other policies either use the default behavior or deliberately override the default.
    4. Enable LDAP accept and Directory Harvest Attack Protection:
    Many spammers send emails to a high number of invalid addresses, so blocking senders who send to invalid recipients can also decrease spam.
    If LDAP accept is already on, make sure Directory Harvest Protection (DHAP) is also configured for each inbound listener with maximum invalid attempts between 5 and 10 per IP.
    Review the following article on LDAP Accept
    How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
    Knowledge Base Answer ID: 156
    http://tools.cisco.com/squish/4680c
    5. Report mis-classified messages to IronPort. Please refer to "How do I report IronPort Anti-Spam false positives or missed spam?", which details how to submit messages and verify that submissions to these addresses are in the correct format (i.e. MIME attachments of complete, un-mangled messages with full headers). See "How do I create RFC-822 MIME encoded attachments?" for more details.
    6. Review the Daily Management Guide, AsyncOS Configuration Guide and AsyncOS Advanced Guide for additional info:
    http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
    http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Configuration_Guide.pdf
    http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf
    http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_CLI_Reference_Guide.pdf
    Hope this helps.
    Regards,
    Stephan
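To apply step 1 above across a mail_logs excerpt rather than one message at a time, here is an added example (not from Stephan's post or from Cisco) that parses verdict lines in the format quoted above and reports which MIDs were never scanned. The MID 2360 and 2361 lines in the sample are constructed; the MID 2361 line assumes a non-CASE log line shares the same timestamp prefix.

```python
import re

# Shape of the AsyncOS mail_logs verdict lines quoted in the post:
#   <timestamp> <level>: MID <n> [interim verdict ]using engine: <engine> <verdict>
CASE_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"MID (?P<mid>\d+) (?P<interim>interim verdict )?using engine: "
    r"(?P<engine>\S+) (?P<verdict>.+)$"
)

# Constructed sample: MID 2359 is the post's own example, 2360 is a
# constructed spam-positive message, 2361 is a constructed message with
# no CASE verdict at all (the case step 1 is meant to catch).
SAMPLE_LOG = """\
Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
Thu Sep 12 13:22:41 2013 Info: MID 2360 interim verdict using engine: CASE spam positive
Thu Sep 12 13:22:41 2013 Info: MID 2360 using engine: CASE spam positive
Thu Sep 12 13:23:05 2013 Info: MID 2361 ICID 4402 From: <sender@example.net>
"""


def case_verdicts(log_text):
    """Group CASE verdict lines by MID as (level, is_interim, verdict) tuples."""
    verdicts = {}
    for line in log_text.splitlines():
        m = CASE_LINE.match(line)
        if not m or m.group("engine") != "CASE":
            continue
        verdicts.setdefault(m.group("mid"), []).append(
            (m.group("level"), bool(m.group("interim")), m.group("verdict"))
        )
    return verdicts


def final_case_verdict(log_text, mid):
    """Final (Info-level, non-interim) CASE verdict for a MID, or None if it was never scanned."""
    entries = case_verdicts(log_text).get(str(mid), [])
    finals = [v for level, interim, v in entries if level == "Info" and not interim]
    return finals[-1] if finals else None


def unscanned_mids(log_text):
    """MIDs that appear in the log but carry no CASE verdict: the gap step 1 above checks for."""
    seen = set(re.findall(r"\bMID (\d+)\b", log_text))
    return sorted(seen - set(case_verdicts(log_text)), key=int)


if __name__ == "__main__":
    for mid in ("2359", "2360", "2361"):
        print(mid, final_case_verdict(SAMPLE_LOG, mid))
    print("never scanned:", unscanned_mids(SAMPLE_LOG))
```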

  • Wireless Deployment question

    Good Morning,
    I am in need of some help. We are looking to deploy wireless to one of our retail locations. The site is currently under remodel so the time is now to put in a better solution.
    We currently have Cisco Small Business AP541n deployed and we lose connectivity on our iDevices when they go into the kitchen area. The kitchen area is surrounded by refrigerators and we have stainless steel between the serving area and the kitchen. We ALSO have a Planar video wall (shielded Cat 6 is powering the video panels). Well, this stuff seems to be causing interference, but I don't have any numbers around that.
    I don't have any tools to perform a WLAN survey prior to redeploying wireless. Well, my question is:
    The area is roughly 800 - 900 square feet and I was thinking of installing two 3602 CleanAir APs to combat what I can only assume is heavy interference and noise. Would it cause issues with 2 APs that close together?
    Is this a recommended deployment, or should I have a single AP with CleanAir trying to work best in that environment? Oh, the environment is in a major (like the largest) metropolitan area in the world.

    If you're going to go with 3 you might want to look at going with four. The only reason being that if you're using RRM, the TPC algorithm uses the 3rd highest neighbor to set levels. So a total of 4 APs is needed. Odd justification to put up yet another AP, but I figured I'd throw it out there for you to think about.
    Transmit Power Control Algorithm
    The TPC algorithm, run at a fixed ten minute interval by default, is used by the RF Group Leader to determine the APs' RF proximities and adjust each band's transmit power level lower to limit excessive cell overlap and co-channel interference.
    Note: The TPC algorithm is only responsible for turning power levels down. The increase of transmission power is a part of the Coverage Hole Detection and Correction algorithm's function, which is explained in the subsequent section.
    Each AP reports an RSSI-ordered list of all neighboring APs and, provided an AP has three or more neighboring APs (for TPC to work, you must have a minimum of 4 APs), the RF Group Leader will apply the TPC algorithm on a per-band, per-AP basis to adjust AP transmit power levels downward such that the third loudest neighbor AP will then be heard at a signal level of -70dBm (the default value, or whatever the configured value is) or lower and the TPC hysteresis condition is satisfied. Therefore, TPC goes through these stages, which decide if a transmit power change is necessary:
    1. Determine if there is a third neighbor, and if that third neighbor is above the transmit power control threshold.
    2. Determine the transmit power using this equation: Tx_Max for given AP + (Tx power control threshold - RSSI of 3rd highest neighbor above the threshold).
    3. Compare the calculation from step two with the current Tx power level and verify if it exceeds the TPC hysteresis.
    If Tx power needs to be turned down: TPC hysteresis of at least 6dBm must be met. OR
    If Tx power needs to be increased: TPC hysteresis of 3dBm must be met.
    An example of the logic used in the TPC algorithm can be found in the Transmit Power Control Algorithm Workflow Example section.
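As an added worked example (not from the post or from Cisco's documentation), the three TPC stages quoted above carried through in Python, including the "fewer than three neighbors" case behind the four-AP advice. The AP names, neighbor RSSI values, the 17 dBm Tx_Max and the current power levels are constructed; both hysteresis values are applied exactly as the post lists them.

```python
# Values quoted in the post: -70 dBm TPC threshold, 6 dB hysteresis to lower
# power, 3 dB hysteresis to raise it. Power model is the simplified one the
# post's equation implies (plain dBm arithmetic, no per-radio power tables).
TPC_THRESHOLD_DBM = -70
DOWN_HYSTERESIS_DB = 6
UP_HYSTERESIS_DB = 3


def third_loudest_neighbor(neighbor_rssi):
    """Stage 1, first half: RSSI of the 3rd-highest neighbor, or None if there are fewer than 3."""
    ordered = sorted(neighbor_rssi.values(), reverse=True)
    if len(ordered) < 3:
        return None
    return ordered[2]


def tpc_decision(tx_max_dbm, tx_current_dbm, neighbor_rssi, threshold_dbm=TPC_THRESHOLD_DBM):
    """Run the three TPC stages for one AP on one band.

    neighbor_rssi maps neighbor AP name -> RSSI (dBm) at which this AP hears it.
    Returns (new_tx_power_dbm, reason).
    """
    third = third_loudest_neighbor(neighbor_rssi)
    # Stage 1: need a third neighbor, and it must be heard above the threshold.
    if third is None:
        return tx_current_dbm, "fewer than 3 neighbors: TPC does not run"
    if third <= threshold_dbm:
        return tx_current_dbm, "third neighbor already at or below threshold"
    # Stage 2: Tx_Max + (threshold - RSSI of 3rd neighbor). Since the 3rd
    # neighbor is above the threshold, this is always below Tx_Max.
    proposed = tx_max_dbm + (threshold_dbm - third)
    # Stage 3: compare with the current level and require the hysteresis margin.
    delta = proposed - tx_current_dbm
    if delta <= -DOWN_HYSTERESIS_DB:
        return proposed, "lowered"
    if delta >= UP_HYSTERESIS_DB:
        return proposed, "raised"
    return tx_current_dbm, "within hysteresis, unchanged"


if __name__ == "__main__":
    # Constructed scenarios: two APs in the kitchen (TPC idle), then four APs.
    print(tpc_decision(17, 17, {"ap2": -50, "ap3": -55}))
    print(tpc_decision(17, 17, {"ap2": -50, "ap3": -55, "ap4": -60}))
    print(tpc_decision(17, 17, {"ap2": -50, "ap3": -55, "ap4": -66}))
```

With three neighbors at -50/-55/-60 dBm the third neighbor is 10 dB above the threshold, so a 17 dBm AP is proposed 7 dBm; with the third neighbor at -66 dBm the 4 dB drop is inside the 6 dB hysteresis and nothing changes.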

  • WSA deployment question

    We currently have an inline content filter we are upgrading to a Cisco WSA. I am in the final stages and I have a couple of questions in regards to the deployment of the device. I would like to use WCCP to do this and I have a few questions.
    Currently we have four sites all connected via MPLS and Internet at the main site.  All sites have a layer three termination on a 4507 with multiple interface VLANs.  Everything feeds back to the main site ASA cluster for internet. 
    My question is can I deploy the WSA cluster at the main site and use WCCP? Can I config WCCP on the ASA for filtering for everything?   In the deployment guides it says that the hosts have to be layer 2 adjacent to the WCCP redirector.  So according to that should I put WCCP on all the 4507 VLAN interfaces back to the WSA at the main site?    
    I have not used WCCP and trying to get an idea of how it all works the guides are a little confusing to me.  Thanks.

    Josh,
    My question is can I deploy the WSA cluster at the main site and use WCCP? Yes
    Can I config WCCP on the ASA for filtering for everything? Yes
    In the deployment guides it says that the hosts have to be layer 2 adjacent to the WCCP redirector. So according to that should I put WCCP on all the 4507 VLAN interfaces back to the WSA at the main site? No need to do this, you can just use the WCCP off of the ASA. You DO have to make sure that it's adjacent to the port that you're running the WCCP on (e.g. if it's the inside port, it has to be adjacent to that port; you can't put the WSA in the DMZ).
    One way to think about WCCP is a publish/subscribe model. The ASA is publishing, but it doesn't send traffic to anyone unless it has subscribers. You can limit the subscribers with access lists...
    A couple of things:
    What version ASA are you running?  Pre 8.2 there were some WCCP issues that made it unstable.
    How many WSAs do you have? If you have more than 1, you need to add access entries so that outbound traffic from one WSA doesn't get WCCP'd over to the second WSA... (see this article https://ironport.custhelp.com/app/answers/detail/a_id/1603/kw/wccp)
    Hope that helps.
    Ken

  • Basic NAC deployment question

    Hi,
    Am I right in assuming that at a minimum, a NAC deployment must consist of 2 appliances - one server and one manager? or is the manager an application that can run on a Windows server? can the manager run on the same appliance as the server?
    My second question regards Cisco Trust Agent and Clean Access Agent. Has CTA effectively been succeeded by CAA? from what I can see, CTA was part of the old NAC framework before they started using appliances.
    Many Thanks in advance,
    Dom

    Both manager and server can run on two PCs or Cisco appliances, which are actually HP ProLiant DL140 G3 or HP ProLiant DL360 G5 PCs ;) You'll need two devices in any case.
    As to the second question - nobody knows what will happen with the whole technology in the future. Will it be completely replaced by MS NAP? Will the NAC Framework be canceled? Both Cisco solutions are not perfect. What customers actually need is to have all the NAC appliance features run directly on Cisco switches and routers. No Clean Access Server will be needed in this case, only Manager! And OOB mode, which is difficult to configure, support and troubleshoot, will go away. NAC framework runs directly on Cisco devices, but it is not as feature-rich as NAC Appliance.

  • ESA deployment in an ISP environment

    Hi All,
    I am to deploy an ESA for an ISP and some questions came up, since I mostly deploy in enterprises/offices with a firewall (DMZ), which is very straightforward. For an ISP, however, I am having trouble understanding how mail flows from their clients to the ISP, then to the Internet and back. Can anyone explain how this would be done:
    1. The ISP wants mail from their clients (who host their own MTAs) to be passed through spam filters (hosted by the ISP) before going out to the Internet, to avoid the client IPs being blacklisted all the time due to sending spam.
    2. The ISP wants incoming mail for their clients to go through the ESA before being forwarded to the clients' MTAs, which, as I said before, are hosted in the clients' LAN.
    Questions:
    1. Where in the ISP network will the ESA sit (is it in a LAN just behind the core router or in the ISP internal LAN behind a firewall)?
    2. Does the ISP have to do some kind of redirection for SMTP traffic to pass through the IronPort ESA before going to the clients (for incoming mail)?
    3. Does the client and/or ISP need to change their MX records?
    I would really appreciate a breakdown of how this deployment would be done.
    Thanks.

    Henry,
    I would also recommend that MX records be changed to allow inbound smtp traffic to pass through your boxes. In the absence of a hardware load balancer you can use two equally weighted MX records, one pointing to each box.
    On the inbound side you will end up with recipient validation issues. Spammers and others can and WILL send messages to a lot of bad addresses. If you can't validate them at the edge on the way in then you will get stuck with them on your appliances and they can clog up queues if not managed carefully.
    Your options for outbound are limited:
    1) Transparent proxy in "stealth" mode
    A transparent proxy that would capture SMTP to any address is not a function of an IronPort ESA, but you could potentially set one up that forwarded everything to the IronPort appliances.
    A transparent proxy gets complicated in an ISP environment. Customers may not be so happy with "hidden" traffic manipulation. You would have to turn off Received headers which is not RFC-compliant for edge systems and eventually customers would figure out that the IP where other systems see the mail coming from is not correct. This would make troubleshooting rather complicated. Not to mention that it is a bit heavy-handed.
    2) Transparent proxy with headers getting added
    3) Block direct outbound so they will be forced to relay through you
    Many ISPs do this for residential customers but it tends to be less commonly applied to business customers running their own MTA.
    4) Make relaying optional
    If customers are going to be looking to you for help with blacklist and delivery issues then optional might not be the best method unless you SWIP networks to your customers (non-portable) so they become the contact of record.
    Be aware that MS Exchange can spit out a lot of cruft that will add to your load. Things like Out-Of-Office replies and bounces from email sent to bad addresses can be a measurable percentage of the total email traffic. You can even see things like bounces including a copy of original attachments (WHY?). Just watch your undelivered recipients so that it doesn't get too high.
