Cisco ESA Deployment

Hello Everyone,
I have seen deployment guides of Cisco ESA stating that the ESA is to be deployed in the DMZ network.
Can we deploy Cisco ESA and also the internal mail server in the same network?

You can, but you need to make sure that email (inbound and outbound) flows through the ESA and nothing is direct to your email server. Putting ESA on the edge does make the deployment and future troubleshooting easier.
Hope it helps.

Similar Messages

  • Cisco ESA Deployment Question

    Hello,
    I have a question about the ESA deployment. In case I have 1 ESA deployed in my network with MX record and the public IP is NATed to the ESA IP located on the DMZ:
    If the ESA goes down for any reason like power failure, can I still receive and send email or not? I mean, in this case, can the device work in fail-open mode to relay the emails but without applying the policy?
    Or in this case, will the mail system be completely down, and I need to add a 2nd MX record (high availability) to ensure that the email system is up?
    Thanks.
    Ahmad.

    This is very logical for me.
    I had a discussion with a Cisco SE and he insists that ESA acts as a proxy, not as an email server, so the mail server would still deliver email but without any ESA policies applied to it.
    Here, if you point the Exchange server to the ESA and the ESA is down, then the receiving and sending will be down, and only the internal emails will be working.
    Thanks.
    Ahmad.

  • Cisco ISE Deployment suggestion required

    Require assistance on Cisco ISE deployment for the scenario below:
    -- We have three Cisco ISE appliances and the client has taken an Advanced Subscription License for 500 users.
    -- Client has DC & DR and needs to deploy Cisco ISE in one Main Office which connects to DC & DR on MPLS links.
    -- Client suggestion was to deploy one ISE node (Admin + M&T + Policy Server) in DC and its standby Secondary in DR,
       and only deploy a Policy Server in the Main Office.
       The idea behind the design is that:
       1) If DC fails, Cisco ISE related logs will get generated on DR and any Cisco ISE related request will be taken care of by the local Policy Server in the Main Office.
       2) If the local Policy Server fails, then the ISE node in DC will act as secondary backup and DR will act as tertiary backup.
       Below is the view:

         DC: Primary Node with Role [Admin, M&T, Policy Server]
                                   \
                                    Main Remote Office: Cisco ISE Node (Policy Server only) -----------> Network Devices
                                   /
         DR: Secondary Node with Role [Admin, M&T, Policy Server]

    Please let me know if it is possible.

    Yes, the scenario is quite achievable. Also, please review the links below for assistance on deployment of ISE.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf

  • Cisco ESA reporting on a Nagios monitor ?

    Hi,
    Is it possible to exploit the reporting of ESA on third-party software like Nagios? How do I get real-time reporting (hardware status, queue, quarantine) from Cisco ESA to a monitor of an administration software like Nagios?
    Best regards

    hi kishor,
    I am not sure if this helps you, but try using BW statistics info providers. Refer to these links:
    http://help.sap.com/saphelp_bw30b/helpdata/en/8c/131e3b9f10b904e10000000a114084/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/8c/131e3b9f10b904e10000000a114084/content.htm
    BW Statistics
    Bw statistics
    hope it helps,
    regards,
    Parth.

  • One Cisco prime deployment for three physically different Networks

    Can one Cisco Prime deployment be used to manage three physically different networks without creating a bridge between the networks? It is imperative that the networks remain separated, but they will be managed by the same team, so can you somehow use one Cisco Prime without the networks becoming connected?

    Hi,
    I believe you can manage any device if it is reachable (ICMP/SNMP) from Prime Infrastructure.
    Just make sure all 3 different networks are reachable from PI; it's not required that they're reachable among themselves.
    PI itself does not do any bridging/routing between your 3 different networks; therefore PI doesn't know whether you can route between them or whether they're separated.
    Since the 3 different networks are not reachable among themselves, use 3 different seed IPs while discovering.
    Also, from a management point of view, you can create virtual domains, group the devices network-wise, and then while logging in to PI you'll get the feel that you're managing 3 different networks with the same PI.
    But since PI knows all the devices of the 3 different networks, it'll consume CPU/RAM/disk space accordingly; therefore pay attention to the resources of PI.
    Using Virtual Domains to Control Access to Sites and Devices
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/administrator/guide/PIAdminBook/maint_user_access.html#pgfId-1056197
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • Licensing for Cisco ESA c380

    I am putting a recommendation together for a client to upgrade their existing Cisco ESAs and trying to figure out how the licensing works.
    We are looking at c380s across multiple sites, upgrade from their current models which are c160s. Questions:
    1.) Do the mailbox licenses need to be procured separately for each c380? For e.g., if the total mailbox no. is 20000 across 4 sites, can the mailbox licenses be bought together and 'split' on individual installs of c380s, OR do they have to be bought separately for each c380?
    2.) If upgrading from the existing ESAs to new ones, can the licenses be exported from the existing c160s (which will be decommissioned) and imported to the new ESAs?

    1) Each hardware appliance is licensed separately. You'll need to work with your account team/reseller to provide the #/size license as appropriate.
    2) If upgrading - yes, you'll just need to transfer the existing "as-is" license from the serial number of the existing appliance to the serial number of the newly purchased appliance. It should be fairly similar to the RMA steps provided in the following article:
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118000-technote-esa-00.html
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • License Cisco ESA in Cluster Configuration

    Guys,
    Do you have any idea about licensing Cisco ESA in a cluster configuration?
    > If I have two appliances in cluster configuration and I have 1000 users, which license option must I buy?
    1. Just one license for the two appliances (which are in cluster configuration) with 1000 user capacity
    2. Two licenses with 500 user capacity for each appliance: appliance 1 with a 500 user capacity license, appliance 2 with a 500 user capacity license
    3. Another license option.
    BR

    You only need to buy 1000 user licenses for whichever options or packages you buy. The only option that is not based on the number of users is if you want a Cisco Content Security Management Appliance (SMA) for centralized reporting and quarantine.
    Another good thing to note is that if you have a virtual environment, the hardware appliances are no longer required, and they are not nearly as expensive as they were in the past. So depending on your requirements you may be off the ground pretty quickly.
    Also make sure to get all your features bundled. I would at least get AMP, Sophos A/V, DLP, and Encryption. This also means you can transfer and copy your license to as many appliances (physical or virtual) as you need to support your environment.

  • TelePresence Conductor with Cisco TMS Deployment - the missing part

    Hello,
    I am looking at the deployment guides for Telepresence Conductor XC3.0:
    Cisco TelePresence Conductor with Cisco Unified CM Deployment Guide (XC3.0)
    Cisco TelePresence Conductor with Cisco TMS Deployment Guide (XC3.0 with TMS 14.6)
    to set up the TMS, the Conductor and CUCM for scheduled meetings.
    Doc #2 explains how to add the TelePresence Conductor to the TMS, create the scheduled conference alias and configure the Conductor on the TMS.
    Doc #1 explains how to set up the CUCM and the Conductor for ad-hoc and meet-me conferences.
    So it looks like there's a part missing. How do we set up the CUCM for the scheduled conferences managed by the Conductor?
    With Doc #2, I can create my scheduled meetings and get a conference SIP address, but how do my endpoints registered on my CUCM route to them? I guess I have to create a SIP trunk on my CUCM, but to where? The main Conductor IP? A new location with a new VIP pointing to the same template as the conference alias?
    Another strange thing in the Doc #1, on page 87 of the documentation for Conductor XC3.0 it says:
    "Scheduled conferences
    Scheduled conferences are not supported in TelePresence Conductor version XC2.4. It will be supported for Personal Multiparty Advanced in a future version of TelePresence Conductor software."

    Hi Matthieu,
    > I guess I have to create a SIP trunk on my CUCM but to where?
    You would use a rendezvous location and build a SIP trunk to that location from CUCM to Conductor.
    > Another strange thing in the Doc #1
    This is specific to the Personal Multiparty Advanced feature; looks like the version wasn't updated in the doc to XC3.0 for this line.
    -Jonathan

  • Deploying Cisco ESA without Internal Mail_Server

    Hello Experts,
    We have hosted our company email server with an external company (mail hosting company), and our internal users are all connecting directly to that external company's mail server for accessing their emails. We do not have any other internal mail relay server inside our company.
    My question is: can we put a Cisco IronPort Email Security appliance in this environment so that we have security for our emails, without having any internal email relay server?

    I think the answer is yes, but it depends. If the mail hosting includes the Internet mail gateway (your MX records point to the hosting company) then there's not much you can do about inbound protection. If it is just hosting groupware and your MX records can point to your in-house IronPort, then you can do all the normal inbound protection (anti-spam, anti-virus, content checking, etc.) and then pass it to the hosted groupware using SMTP as normal. You would want to use TLS as you are likely going over the Internet to the hosting company. Similarly for outbound protection: TLS from the hosted groupware to your in-house IronPort, which can do the normal anti-virus, content checking, encryption, etc. You would have to factor in the extra bandwidth as all your mail will be flowing to and from the hosted environment. Basically it is just like any other installation with IronPort talking to groupware, e.g. Exchange over SMTP, but in your case that connection would be remote, not local, so you need to take appropriate steps (such as TLS) to protect the traffic. But as I said at the start, it depends on the hosted environment, what is being hosted and how much control you have over the configuration. Hope this helps.

  • ESA Deployment

    Hi Community,
    I have a client with an ESA as the first mail server coming from the Internet and last one on the path out.
    This client is a University and the default ESA settings are not stopping much of the spam received.
    What I would like to ask is any recommendations or reference to deploying the ESA in a University where the recipients are just too many and too dynamic to maintain in a list (LDAP), and any guidance or best practices.
    Thank you very much,
    Federico.

    Hi Federico,
    Anti-Spam Best Practices
    Adapted from https://ironport.custhelp.com/app/answers/detail/a_id/493
    1. Verify that inbound messages are being scanned by the anti-spam engine. Do a message track on a recent message and check that it was scanned.
    - Go to MONITOR > MESSAGE TRACKING
    - Search for the email in question
    - Click the 'Show Details' link next to the email in question
    Look for the anti-spam engine (CASE) verdict. Example:
    Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
    Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
    Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
    2. Verify that you are receiving anti-spam rule updates.
    Check to confirm that the most recent time stamps for updates under Security Services > Anti-Spam are from within the last 2 hours.
    3. Make sure you are taking the desired actions on spam-positive messages. Check the Inbound Mail Policies for how IronPort Anti-Spam verdicts are handled. Make sure SPAM positive and suspect messages are dropped or quarantined in the default policy, and that all other policies either use the default behavior or deliberately override the default.
    4. Enable LDAP accept and Directory Harvest Attack Protection:
    Many spammers send emails to a high number of invalid addresses, so blocking senders who send to invalid recipients can also decrease spam.
    If LDAP accept is already on, make sure Directory Harvest Protection (DHAP) is also configured for each inbound listener with maximum invalid attempts between 5 and 10 per IP.
    Review the following article on LDAP Accept
    How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
    Knowledge Base Answer ID: 156
    http://tools.cisco.com/squish/4680c
    5. Report mis-classified messages to IronPort. Please refer to "How do I report IronPort Anti-Spam false positives or missed spam?", which details how to submit messages and verify that submissions to these addresses are in the correct format (i.e. MIME attachments of complete, un-mangled messages with full headers). See "How do I create RFC-822 MIME encoded attachments?" for more details.
    6. Review the Daily Management Guide, AsyncOS Configuration Guide and AsyncOS Advanced Guide for additional info:
    http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
    http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Configuration_Guide.pdf
    http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf
    http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_CLI_Reference_Guide.pdf
    Hope this helps.
    Regards,
    Stephan
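As an added illustration of step 1 above (not part of Stephan's answer or of any Cisco tool), the following Python script parses AsyncOS mail log lines of the exact shape quoted in the post and reports, per MID, whether a final CASE verdict was recorded. The sample log is constructed: it repeats the three quoted lines and adds hypothetical MIDs 2360 and 2361 to show a spam-positive message and an unscanned one.

```python
import re
from collections import defaultdict

# Matches the AsyncOS mail_logs verdict lines quoted in the post, e.g.
# "Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<level>\w+): MID (?P<mid>\d+) "
    r"(?P<kind>interim verdict using engine|using engine): "
    r"(?P<engine>\S+) (?P<verdict>.+)$"
)

# Constructed sample log: the three lines from the post, a hypothetical
# spam-positive message (MID 2360) and a hypothetical message (MID 2361)
# that never received a CASE verdict, i.e. was not scanned.
SAMPLE_LOG = """\
Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
Thu Sep 12 13:22:41 2013 Info: MID 2360 interim verdict using engine: CASE spam positive
Thu Sep 12 13:22:41 2013 Info: MID 2360 using engine: CASE spam positive
Thu Sep 12 13:23:05 2013 Info: MID 2361 constructed non-verdict line for illustration
"""


def parse_verdicts(log_text):
    """Return {mid: [(level, kind, engine, verdict), ...]} for every
    engine-verdict line; lines of any other shape are ignored."""
    verdicts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            verdicts[int(m["mid"])].append(
                (m["level"], m["kind"], m["engine"], m["verdict"]))
    return dict(verdicts)


def case_verdict(log_text, mid):
    """Final CASE verdict for a MID: the last non-interim 'Info' verdict line.
    Returns None when no CASE verdict was logged for that message."""
    final = [v for (level, kind, engine, v) in parse_verdicts(log_text).get(mid, [])
             if engine == "CASE" and kind == "using engine" and level == "Info"]
    return final[-1] if final else None


def unscanned_mids(log_text, all_mids):
    """MIDs from all_mids that have no final CASE verdict: the case step 1
    tells you to look for when spam is getting through."""
    return sorted(mid for mid in all_mids if case_verdict(log_text, mid) is None)


if __name__ == "__main__":
    for mid in (2359, 2360, 2361):
        print(mid, case_verdict(SAMPLE_LOG, mid))
    print("not scanned by CASE:", unscanned_mids(SAMPLE_LOG, [2359, 2360, 2361]))
```

Feed it the output of a message-tracking search or a slice of mail_logs: any MID that comes back with no final verdict is a message the anti-spam engine did not score, which is the first thing to check before tuning policies.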

  • Cisco ACS Deployment

    I proposed a new ACS 5.4 appliance (CSACS-1121-K9) and upgrading the current ACS 4.1 to ACS 5.4 (CSACS-5.4-VM-UP-K9).
    My customer wants to do configuration/database replication between the two ACS. Is it possible that ACS in a VM can work with ACS on an appliance?
    thanks
    sompoj

    There should not be any issues. It will work fine.
    ACS distributed deployment.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/introd.html#wp1058054
    ACS 4.x and 5.x replication
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/introd.html#wp1052580
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • Manually Patch Cisco ISE Deployment

    Is there a documented process for manually installing patch bundles in ISE? We had a bad experience last spring with deploying Patch 8 through the "fire and forget" patch installation through the GUI. We have held off far too long on patching our 20 node deployment and I will be asked whether the process failure was due to Patch 8, or whether the patching process itself failed. Please let me know if there is a procedure on how one would go about manually patching a deployment via the CLI.
    Thank you

    install a patch from a primary administration node that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the primary node, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the primary node, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the primary administration node.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#pgfId-2476373

  • One arm Cisco ASA deployment

    Hello guys,
    Would it be possible to deploy a Cisco ASA like a Cisco VPN 3000, connecting only one interface to the DMZ interface of the firewall? I'd like to use it for remote access IPSec VPN. I'm looking for any documents regarding this configuration but have not found them yet. Could anyone please advise?
    Many thanks,
    Nitass

    I think this doc could help you out...
    http://www.cisco.com/en/US/products/ps6120/products_getting_started_guide_chapter09186a0080686106.html

  • Cisco WAAD Deployment with Allot Netenforcer

    Hi,
    While deploying Cisco WAAS in inline mode with Allot, I am facing interface issues.
    The setup is like: router --> Cisco WAAS --> Allot --> L2 switch.
    Can you please help?
    Regards
    Ravi

    Hi Ravi,
    I've had interface issues with inline cards whenever there's a speed difference, i.e. 100M vs 1G, etc., with the LAN/WAN endpoints. I'm not sure what type of interfaces your NetEnforcer uses, but the following link may be helpful.
    http://conft.com/en/US/docs/app_ntwk_services/waas/wae/module/inline/installation/guide/17880fru.html#wp39911
    You may need a crossover cable somewhere inline.
    Hope this helps.

  • CISCO NAC deployment with ASA for internal servers (DMZ)

    We deployed a Cisco ASA for our clients' access to DMZ servers a few months ago. Now we want to integrate a Cisco NAC solution without removing the ASA from the infrastructure. What will be the best deployment mode of Cisco NAC so that clients can also pass through the Cisco ASA access list for filtering before reaching the DMZ servers?
    What gateway will clients use? Please help.
    Should I use Virtual Gateway or Real Gateway for NAC? Clients should first come to NAC (CAS) and then go through the ASA to reach the DMZ servers.

    Hello,
    This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
    HTH,
    Faisal
