Cluster - ESA

Similar Messages

• MX LB / HA / Cluster ESA 380

  We go to deploy our new ESA (2 devices) as per mentioned below plan,
  ESA01 is primary for company A and ESA02 is primary for company B.
  If ESA01 is down ESA02 will receive mail for company A using MX load balance. The same method for company B.
  We are very confused on cluster with MX load balance on above scenario.
  Like Two different ESA configurations devices can able include on single cluster. Since we have different policies for both companies and both companies have email server .
  We need some explanation on above.
  Please clarify on this

  "Cluster" in ESA just means the configuration gets replicated.
  So if you cluster them and want different policies for each company, you just go to Mail Polices/Incoming Mail Policies and create one for each company.
  Add each domain you receive mail for to Mail Polices/Recipient Access Table
  Add a route to each mail server for each domain under Network/SMTP routes
  If you want separate "Host Access Tables" you can create separate listeners for each company (under Network/Listeners), and you may want to put them on separate IP interfaces, but you don't have to do this... one HAT may work just fine...

• How many license do I need with a cluster of 2x ESA?

  Hi there,
  I would like to implement a cluster of 2x Cisco IronPort ESA appliances in an Active/Active manner.
  It requires 4000 mail users, so how many license on each ESA appliance do I need to install? I suppose 2000 on each ESA.
  When one of the ESA fails, is it possible for the remaining one to handle the load of 4000 users?
  I am pretty new to this field. Please help.
  Thanks and Regards,
  Tuan, CCIE #26930

  Dear Tuan,
  For 4000 user size, you can purchase a dual appliance bundle with 1, 3 or 5 year license with 4000 mailbox licenses. You will be given 2 x C370 with Centralized Management license (together with licenses of your bundled feature set).
  You can run both in active/active configuration. With centralized management license, both can be formed as a cluster and you can manage the cluster configuration over web interface of one of the appliances.
  Regarding whether one unit can handle the load, it will depend on your traffic load (peak message per hour, average message size, antispam, antivirus, outbreak filter, DLP, encryption, content filters, etc.). In my experience, one C370 should be able to handle traffic of similar size enterprise.
  With SenderBase reputation filtering, you should already throttle/block 90+% of bad traffic coming from poor/bad reputation IP hosts. You can also make sure of the new AsyncOS 7.6 'rate limit for envelope sender' to throttle mass mailing attack of same sender (also internal outbreak emails).
  Please get in touch with your partner for the details and they can also show you a demo. You can also get a evaluation unit from our partner to put it live. We can configure IronPort to be almost transparent on top of your existing mail gateway/server to prove its performance, antispam efficacy and other email security features.
  Cheers,
  Tommy

• License Cisco ESA in Cluster Configuration

  Guys,
  Do you have any idea about license Cisco ESA in Cluster Configuration
  > If i have two appliance in cluster configuration and i have 1000 user, which option for license i must buy ?
  1. Just one license for two appliance (which in cluster configuration) with 1000 user capacity
  2. Two license with 500 user capacity for each appliance, appliance 1 with 500 user capacity license appliance 2 500  user capacity license
  3. Other license.
  BR

  You only need to buy 1000 user licenses for which ever options or packages you buy. The only option that is not based on the number of users is if you want a Cisco Content Security Management Appliance or SMA for centralized reporting and quarantine. 
  Another good thing to note, is that if you have a virtual environment the hardware appliances are no longer required, and are not nearly as expensive as they were in the past. So depending on your requirements you may be off the ground pretty quick.
  Also make sure to get all your features bundled. I would at least get AMP, Sophos A/V, DLP, and Encryption. This also means you can transfer and copy your license to as many appliances (Physical or Virtual) you need to support your environment. 

• ESA c160 and c170 in one cluster?

    Heelo Community,
  is there something that I should take care about if I want to run a c160 and a c170 in one management-cluster?

  Raph,
  In order to successfully create cluster, both appliances (ESA - Email Security Appliances) must be running the exact same version and build. So, to answer your question, no, that will not work.
  It is interesting tough, that your devices cannot see the same version.
  Either you please send us the serial number (only the digits after the hifen will do it) or you open a TAC case and ask for assistance.
  I hope this helps and if it does, please mark the question as answered.
  Regards,
  -Valter

• Replace Faulty IronPort ESA in a Cluster

  I have a cluster of 2 IronPort ESA appliances and one of these is faulty and will not boot. I am awaiting a replacement from Cisco.
  I cannot find an exact guide that explains how to re-instate the new appliance to cluster and therefore am making an assumption that the easiest way to do this is as follows:-
  1) Physically connect the new device.
  2) Login with console and ensure the new device has centralised management feature and all other keys.
  3) Configure the management interface with the original machine level IP address from the old configuration of the faulty device.
  4) Use Clusterconfig command to join new device to cluster.
  The only thing I am concerned about is licensing and serial numbers. I seem to remember that the primary cluster device will check the serial number at some point and therefore if its a new device then it will not join the cluster. If this is the case then I assume we would have to remove the orignal device from cluster and add the new one as a brand new one. This would mean all other machine level configuration would be lost such as IP addresses of Data interfaces and DNS names etc.
  Can anyone clarify please. Also can anyone point me to which configuration is required for machine level only.
  Regards
  Paul Tribe

  So - to help out - yes... it would be pretty much...
  1) Once you get the RMA appliance, rack and cable the appliance, and bring it online with the quickstart guide.  We'll call this ESA3.
  2) Once ESA3 is online - you'll need to make sure that you get the RMA on the same matching AsyncOS version as ESA1.  (*This may mean you'll need to upgrade ESA1 to get a compairible revision running...)  Also, just go ahead and make the IP and hostname the same as you had for ESA2... if not done @ quickstart.
  3) Once the version is matching - just transfer over the license/feature keys from the old ESA2 to your new ESA3 (RMA unit):
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118000-technote-esa-00.html
  4) Once licnesing is completed - just join to cluster.  (*If you are running 8.5.6 --- clustering is included in the release --- just run clusterconfig on the CLI to assure operation.)  From ESA1, running clusterconfig and removemachine - choosing ESA2.  From ESA3, clusterconfig and join cluster:
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118174-technote-esa-00.html
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• Update issues when ESA Virtual replacing C170 Appliance in Cluster Config

  I have opened a TAC ticket on this one but was curious if any others experienced the same issue.
  I have C170s in Centralized ClusterConfig. I recently learned about the Virtual ESAs after reading about the EOL for C170s in a few years. I think the Virtual ESAs will add a lot of flexibility. The only issue I've noticed was trying to join Virtual ESAs to our Cluster are updates so far. 
  The first virtual ESA I brought up I was able to initially update it so it could join the cluster. I thought maybe I messed up the network config somewhere. So after messing with it over the Weekend and opening a TAC case with Cisco. I thought I would try configuring the second Virtual ESA. Sure enough updates are working, and no errors. Hooked it up enough to do some quick testing to make sure the listeners were working. Feeling pretty good about it, I join the cluster. Everything copied over configuration wise, I also setup a new ClusterGroup for the Virtual ESAs so I could customize the listeners and interfaces. Before I got too crazy I quickly realized that my updates stop working on the second virtual appliance.
  So just curious if there are some configuration compatibility issues between appliance hardware and Virtual we should be aware of. I found some great information from the Forums about forcing updates and reading the tail of the updater_logs, which produced the following:
  Info: Dynamic manifest fetch failure: Received invalid update manifest response
  I found the fix for non-cluster configured Virtuals for this Update error:
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118065-maintainandoperate-esa-00.html
  But  this does not for for clusterconfig.
  So is my best course of action to:
  run the clusterconfig on one of my virtuals, 
  Remove Virtual from ClusterConfig after config is migrated
  Apply CLI fix to point post-cluster config Virtual so it now points to the right update servers
  Create new cluster with the now fully Updating Virtual-Uno ESA
  Join Remaining virtuals to the newly created cluster and phase out the old physical cluster?
  Obviously I left out all the fine details about MX records, IP addresses, Central Reporting and Spam and outbreak reporting. Just want to make sure I'm not missing something, maybe tare down the old clusterconfig first, set it to point to the update servers in the article above. Then I can phase out my old physicals later on down the line as they break down over time and avoid configuring two clusters for every rule change.

  So it looks like I have found the answer to my own question. Looks like the fix in the following article does apply to Virtual ESA in a cluster. 
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118065-maintainandoperate-esa-00.html
  Some things I'd like to figure out is, will this change stick, will new virtual nodes pick up the incorrect update URL when I join them to the cluster? I made the changes and all my hosts seem to be updating fine. Will wait and see how well they do over the next few days and let them bake in a little before I push e-mail through them.
  Step by Step how it looks with a cluster config from the CLI:
  (Machine esa1.yourcompany.com)> updateconfig
  Service (images):
  Update URL:                                  
  Feature Key updates
  http://downloads.ironport.com/asyncos        
  RSA DLP Engine Updates
  Cisco IronPort Servers                       
  PXE Engine Updates
  Cisco IronPort Servers                       
  Sophos Anti-Virus definitions
  Cisco IronPort Servers                       
  IronPort Anti-Spam rules
  Cisco IronPort Servers                       
  Outbreak Filters rules
  Cisco IronPort Servers                       
  Timezone rules
  Cisco IronPort Servers                       
  Enrollment Client Updates (used to fetch certificates for URL Filtering)
  Cisco IronPort Servers                       
  Cisco IronPort AsyncOS upgrades
  Cisco IronPort Servers                       
  Service (list):
  Update URL:                                  
  RSA DLP Engine Updates
  Cisco IronPort Servers                       
  PXE Engine Updates
  Cisco IronPort Servers                       
  Sophos Anti-Virus definitions
  Cisco IronPort Servers                       
  IronPort Anti-Spam rules
  Cisco IronPort Servers                       
  Outbreak Filters rules
  Cisco IronPort Servers                       
  Timezone rules
  Cisco IronPort Servers                       
  Enrollment Client Updates (used to fetch certificates for URL Filtering)
  Cisco IronPort Servers                       
  Service (list):
  Update URL:                                  
  Cisco IronPort AsyncOS upgrades
  Cisco IronPort Servers                       
  Update interval: 5m
  Proxy server: not enabled
  HTTPS Proxy server: not enabled
  Choose the operation you want to perform:
  - SETUP - Edit update configuration.
  - CLUSTERSET - Set how updates are configured in a cluster
  - CLUSTERSHOW - Display how updates are configured in a cluster
  []>dynamichost
  Enter new manifest hostname:port
  [update-manifests.ironport.com:443]>update-manifests.sco.cisco.com:443
  Choose the operation you want to perform:
  - SETUP - Edit update configuration.
  - CLUSTERSET - Set how updates are configured in a cluster
  - CLUSTERSHOW - Display how updates are configured in a cluster
  []> 
  (Machine esa1.yourcompany.com)> commit

• "An application fault occurred" with AsyncOS 8.0.1 on multiple ESAs

  Ever since upgrading to AsyncOS 8.0.1-023, we have been getting the following application fault intermittently but it has been triggering constantly this morning on all 4 appliances in a cluster and 2 others in a separate cluster:
  An application fault occurred: ('egg/coro_ssl.py _non_blocking_retry|140', "<class 'sslip.Error'>", "(336195711, 'error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry')", '[egg/smtp_client.py run|885] [egg/smtp_client.py _run|964] [egg/coro_ssl.py close|238] [egg/coro_ssl.py shutdown|218] [egg/coro_ssl.py _non_blocking_retry|140]')
  The only thread I see regarding this is that is an known bug with the OS version.  Is there a way to temporarily correct this and is there a known cause to this such as a corrupt message?  We do not want to keep receiving this alert until a fix is released and do not want to be forced to turn off the alerting.
  https://supportforums.cisco.com/discussion/12071286/cscug73383-ironport-esa-version-801-023

  The same for our 2 ESA C370, Version: 8.0.1-023 AND a similiar message for our M670 Version: 8.1.1-013. They were upgraded vom V 7.x last weekend.
  Suprisingly we drive 2 ESA C360, 1 M670 and 1 M160 for another customer without this error. Tose machines were upgraded to the same 8.x versions mentioned above in December last year! Looks a bit strange to me ...
  The Critical message is (on M670):
  An application fault occurred: ('navigation/HelpBarYUI.py my_tasks_list_submenu|462', "<type 'exceptions.KeyError'>", "'varstore'", '[util/Aquarium.py screenLoop|408] [util/InternalLibrary.py inverseExtend|328] [util/InternalLibrary.py __call__|769] [layout/Bare.py __call__|578] [util/InternalLibrary.py __call__|769] [layout/CssAndJavaScript.py __call__|451] [util/InternalLibrary.py __call__|769] [layout/Sparse.py __call__|1483] [Cheetah/NameMapper.py valueFromSearchList|250] [Cheetah/NameMapper.py _valueForName|229] [layout/Sparse.py doTop|851] [Cheetah/NameMapper.py valueFromSearchList|250] [Cheetah/NameMapper.py _valueForName|229] [layout/Sparse.py doHelpBar|795] [util/InternalLibrary.py call|280] [navigation/HelpBar.py __call__|154] [Cheetah/NameMapper.py valueFromSearchList|250] [Cheetah/NameMapper.py _valueForName|229] [navigation/HelpBarYUI.py options_and_help_yui_menubar|217] [Cheetah/NameMapper.py valueFromSearchList|250] [Cheetah/NameMapper.py _valueForName|229] [navigation/HelpBarYUI.py my_tasks_mainmenu|275] [Cheetah/NameMapper.py valueFromSearchList|250] [Cheetah/NameMapper.py _valueForName|229] [navigation/HelpBarYUI.py my_tasks_list_submenu|462]')
  Version: 8.1.1-013

• Inaccessible IronPort c670 appliance from both GUI and CLI. Can I tunnel-in from other c670 appliance in the cluster?

  I am unable to access one of the 6 IronPort appliances. Also, got an error that the appliance has got disconnected from the cluster. Is there any CLI command I can use to possibly tunnel-into the faulty appliance from another appliance in the cluster to reboot?

  No.  Normally, from 'clustermode' you can then access machine level on the different appliance(s) in cluster.  But, if this is disconnected, then that command is not going to work.
  If you cannot SSH/telnet to the appliance in question, and do not have some form of remote console or access pre-configured, you will need to connect directly to the appliance, or hard boot the appliance in order to attempt to regain connectivity.  
  Please see the C670 quick start guide for assistance:
  http://www.cisco.com/c/dam/en/us/td/docs/security/esa/hw/C670_QSG.pdf
  Setup and Management
  •• For access by Ethernet™, connect to the Management Network
  Port. Use a browser to access the web-based interface on the
  default IP address 192.168.42.42. You can also access the
  command line interface by SSH or terminal emulation software
  on the same IP address. (The netmask is /24.)
  •• Or, for Serial access, connect to the Serial Port. Access the command
  line interface by a terminal emulator using 9600 bits, 8 bits, no parity,
  1 stop bit (9600, 8, N, 1), flowcontrol = Hardware.
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• Need guidance of ESA C680 and M680

  Hi All,
  I am totally new for Cisco Ironport and due to some needs of present scenario I am engage to implement Cisco Email Security Appliance C680 as cluster with M680 for centralize management of ESA. 
  Could you please help me out to understand the basic installation help to basic configuration guide.
  Current Infrastructure
  1. Already using Ironport C670 & C3xx in cluster
  2. Rough diagram as per my understanding attached.
  Requirement:
  1. Want to replace with new model C680 in cluster.
  2. Need to configure  M680 for centralize management of ESA.
  3. To enable all new features and tighten the email security.
  4. Separation of internal and external traffic.
  5. Ip addressing to configure the two nos of C680 and one M680. (Management, communication etc etc)
  6. To redesign as per the best practice.
  Thanks in advance!

  Hey Goutam,
  This reply will be a high-level response as for concerns where you need to have infrastructure re-design to cater to new requirements, I believe your Cisco Systems(sales) engineers can be of better assistance as they will be able to provide details to assist in this regard.
  With replacing existing models to the new C680
  Best approach i would recommend.
  Apply a temporary IP to your C680 devices and upgrade them to the same version as devices in the existing cluster so you can add them in.
  If the C680 is in a newer version; then you may need to schedule an upgrade timing for existing clustered systems to match that of the C680 for an easier cluster integration process.
  To configure ESA's to point to the M680 device, you need to ensure network routes on port 22 and SSH protocols are allowed between the IP interfaces that will be used to reach each other.
  Ensure no SSH key fingerprint exchange interruption or proxying is happening as this will break the communication.
  Configuring the SMA (M series) to talk to the ESA would require enabling the centralized services on the ESA ( GUI > Security Services > Centralized Tracking/Reporting and anything else) then go to the SMA (M series) and go to Management > Security Appliances, add the ESA's IP that will be communicated to and establish a connection
  Once this is done, they're centralzied.
  TO enable all new features, depending on which features you're seeking on -- some features require purchase of feature keys (thus your Cisco Sales/Systems engineer is the best person to approach to sort this) -- then general instructions are available through the Systems Online help guide on implementation and use of the features (GUI > Help and Support > Online Help)
  Seperation of internal and external traffic, this is generally tied to Listeners -- if only using 1 Listener, then sendergroups will seperate inbound to outbound traffic.
  If you device to wish to change from 1 listener to 2 for more seperation, network routes need to be configured from the devices on port 25, IP interface configured on ESA and new private/public listener setup to use the IP for seperation of traffic.
  IP addressing for communication, GUI > Network > IP interfaces > Enable ports you want to allow for the management, communication is generally on port 22 between devices
  Redesign best practises; as a TAC engineer myself, I cannot really comment on this.
  Thanks
  Matty

• ESA service in CAF : Exception

  I have implemented an ESA service in CAF which has an Application Service with 5 operations.
  All the 5 operations have been tested successfully with the Test UI of CAF.
  Each operation of the Application has also been exposed as a webservice.
  2 webservices already work fine and give proper output when tested using wsnavigator.
  However When I test the 3rd wsdl using wsnavigator I get an exception as follows
  com.sap.engine.services.ejb.exceptions.BaseRemoteException: Exception in method readDisb_R.
       at com.sap.is.cmp.loan.disbursementbl.appsrv.disburseloan.disburseLoanObjectImpl0.readDisb_R(disburseLoanObjectImpl0.java:310)
       at com.sap.is.cmp.loan.disbursementbl.appsrv.disburseloan.disburseLoan_Stub.readDisb_R(disburseLoan_Stub.java:168)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at com.sap.engine.services.ejb.session.stateless_sp5.ObjectStubProxyImpl.invoke(ObjectStubProxyImpl.java:187)
       at $Proxy172.readDisb_R(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at com.sap.engine.services.webservices.runtime.EJBImplementationContainer.invokeMethod(EJBImplementationContainer.java:126)
       at com.sap.engine.services.webservices.runtime.RuntimeProcessor.process(RuntimeProcessor.java:157)
       at com.sap.engine.services.webservices.runtime.RuntimeProcessor.process(RuntimeProcessor.java:79)
       at com.sap.engine.services.webservices.runtime.servlet.ServletDispatcherImpl.doPost(ServletDispatcherImpl.java:92)
       at SoapServlet.doPost(SoapServlet.java:51)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  Caused by: java.lang.ClassCastException
       at com.sap.is.cmp.loan.disbursementbl.appsrv.datatypes.loanDisbReqRead_R.fromLocalInstance(loanDisbReqRead_R.java:259)
       at com.sap.is.cmp.loan.disbursementbl.appsrv.disburseloan.disburseLoanBean.readDisb_R(disburseLoanBean.java:229)
       at com.sap.is.cmp.loan.disbursementbl.appsrv.disburseloan.disburseLoanObjectImpl0.readDisb_R(disburseLoanObjectImpl0.java:259)
       ... 32 more
  ; nested exception is:
       java.lang.ClassCastException
  I have tried to debug the service when testing on wsnavigator and have found no propblems in the operation that has been implemented.
  The errors are generated when the output is sent to the client.
  Hope somebody knows and shares how to get the desired output. Any information on the exception will be useful.
  Thanks and Regards,
  Madhusudhan

  Hi Madusudhan,
  You have a ClassCastException at line no. 259
  Caused by: java.lang.ClassCastException
  at com.sap.is.cmp.loan.disbursementbl.appsrv.datatypes.loanDisbReqRead_R.fromLocalInstance(loanDisbReqRead_R.java:259)
  What is the code at this line ? Please check if you have taken care of the casting properly.
  Regards,
  Anish

• Upgrading ESA C100V appliance

  Hi,
  We are trying to uprade our ESA to build 106.
  And we still get the following error:
  The following errors occurred during upgrade:
  Download error: http://updates.ironport.com/asyncos/phoebe-8-5-6-106/hints/default/1
  Upgrade exited without success.
  Please attempt the upgrade again after clearing the error.
  I have cleared the error for several times, but it still exists.
  In the log directory i saw the following error:
  DownloadError url=http://updates.ironport.com/asyncos/phoebe-8-5-6-106/hints/default/1 reason=>
  But there was no reason mentioned.
  I checked the DNS and everything seems to be allright.
  How can i solve this issue?
  Regards,
  Ronald Pastoor

  Do you have a proxy in place?  Is appliance in cluster with hardware appliances?
  Also - can you assure that you are pointing to update-manifest.sco.cisco.com:443 for your updateconfig settings?
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118065-maintainandoperate-esa-00.html
  -Robert

• Ironport Cluster

  Hi,
  I'm aware this is not the correct section to log this question. But I have two IronPort ESA C160 devices and would like to cluster them for redundancy. My question is:
  When the devices are clustered, is there a cluster IP address (not an interface on either device) which is created which emails from Exchange can be routed to? Since only 1 of the 2 devices will be active at any given time, how can Exchange distingiush which Ironport device to route to?
  I read a post where a user wanted to know how to upgrade a machine in a cluster and he stated that he had a cluster IP address. I'm not sure where this is as I haven't seen anything about this during the cluster creation.
  Any assistance would be greatly appriciated.
  Cheers,
  Shelton

  Hi
  IronPort Clusters are not the same as for example Microsoft Clusters i.e. does not have a shared cluster address.  The easiest way to do this is to use a load balancer (for example Cisco ACE) and let the load balancer take care of it.  Point the Exchange servers at a load balanced address configured on the load balancer.
  Regards
  Paul

• ESA Centralized Management License

  Hi all,
  my customer provides single ESA Appliance and would like to produce another one (either physical or virtual). I can see there is no Centralized management license on existing single ESA (wiht dual ESA it was automaticaly added in the past). Can somebody point me, how to obtain (order) centralized management license for existing ESA to be able to make configuration cluster with future ESA?
  As I understand it right way, there should be no problem to provide configuration cluster with hybrid ESA (Physical and virtual) - Is it true?
  Thank you for any help.

  You may request the license be provided for your serial number by contacting our Global Licensing team.  They will provide you the availability of the Centralized Management feature key based on your contract and appliance.
  Please contact our Global Licensing Operations team:
  https://tools.cisco.com/SWIFT/LicensingUI/Home
  Licensing FAQ
  Phone: 1-800-553-2447, opt 3 (You may request to have a case opened for GLO/Licensing.)
  Their email directly is: [email protected]
  For the virtual appliance - you will need to assure that they build the centralized management feature key into the license XML, and re-provide a fresh XML for your vESA, based on the VLN associated to the vESA.  To get this information - please run 'showlicense' on the CLI.
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• Script automated ESA version 8.5.6 configuration backup.

  I have automated script to:
  1) SSH into ESA
  2) Generate configuration file
  3) Back it up.
  The script works fine until I did the upgrade in the past weekend, what I found is that now on version 8.5.6, the command "saveconfig no" is restricted to "cluster mode", and I need to find a way to insert "y" into my script,
  here is my script, any suggestion to fix it? thanks.
  FILENAME=`ssh -l xxx -i /home/xxx/.ssh/id_rsa $HOSTNAME "saveconfig no" | grep xml | cut -f 3 -d " "`
  scp -i /home/xxx/.ssh/id_rsa xxx@$HOSTNAME:./configuration/$FILENAME /usr/tftpboot/tftp/ironport
  Leo Song

  Hi
  i fixed this Problem with:
  ... $HOSTNAME "clustermode cluster; saveconfig no"
  Regards
  Martin Annen