Ironport Cluster

Hi,
I'm aware this is not the correct section to log this question. But I have two IronPort ESA C160 devices and would like to cluster them for redundancy. My question is:
When the devices are clustered, is there a cluster IP address (not an interface on either device) which is created, which emails from Exchange can be routed to? Since only 1 of the 2 devices will be active at any given time, how can Exchange distinguish which IronPort device to route to?
I read a post where a user wanted to know how to upgrade a machine in a cluster and he stated that he had a cluster IP address. I'm not sure where this is as I haven't seen anything about this during the cluster creation.
Any assistance would be greatly appreciated.
Cheers,
Shelton

Hi
IronPort clusters are not the same as, for example, Microsoft clusters, i.e. they do not have a shared cluster address. The easiest way to do this is to use a load balancer (for example Cisco ACE) and let the load balancer take care of it. Point the Exchange servers at a load-balanced address configured on the load balancer.
Regards
Paul

Similar Messages

  • Ironport Cluster Load Balancing

    Does anyone know if it is possible to configure load balancing of two C100s in a cluster?
    I configured the second machine in the cluster two weeks ago. When I look at the stats, the second machine does nothing. The first machine is at 3% CPU and we have about 120000 mail per day.
    Is there any way to configure the cluster so that the two machines share their work? Or is the cluster only for fail-safe?

    Hello,
    Most mail admins know how to use MX records for load balancing (and redundancy) on their mail servers.
    Fewer people know you can use MX also for your outgoing mail traffic.
    Just add an MX record to your local DNS and specify a name for the record (i.e. outgoingMX.local.domain), put the IPs or hostnames of your internal IronPort card in the data, and configure your internal mail system to deliver its outgoing mail to the smarthost outgoingMX.local.domain.
    Works for most mail systems. I'm sure it is working for Exchange (5.5 and higher) and Domino (5 and higher).
    Regards, Steven

  • SNMP configuration in Ironport Cluster

    Hi everyone, 
    I have 2 IronPort X-series appliances in a cluster configuration. I want to configure SNMP in both appliances, but if I run the command snmpconfig it only allows me to configure SNMP for the cluster; in this way I can only "ask" for status on 1 interface on behalf of the entire cluster, and I don't know if a high CPU trap or high memory trap on the other appliance can be sent to my SNMP manager.
    I tried to configure SNMP on every machine (not cluster mode) but the appliance sends me a strange error and kicks me out of the CLI.
    Has anyone of you configured SNMP in a cluster environment? Can you guys tell me how I can do this?
    Best Regards!

    The term cluster is a misnomer. It is more of a centralized configuration. Both appliances will send traps individually and will share the same configurations. Basically both appliances act on their own, and don't share IP addresses or failover (the beauty of email is that failover is built into MX records and transport configurations). There are instances when it makes sense to have separate configurations for a group of systems in the "Configuration Cluster". For SNMP this can be done at the Cluster or "Cluster Group" level.
    In my example I wanted to have a different SNMP location for two sets of appliances:
    What I had to do for SNMP was to configure a Cluster Group for each location. This way I could say Appliances A & B are at location 1, and Appliances C & D are at location 2. So in the CLI, you will need to create the groups, and then assign your appliances to each group. Then change your cluster mode in the CLI to the appropriate group and make the SNMP changes. Repeat for your other group.
    Please let me know if this was helpful, I would be happy to go into more details.

  • Cisco Ironport Cluster feature

    Hi all,
    I have 2x ESA and am thinking about clustering them. Version is 8.5.6 so no need of a feature key to cluster the configuration.
    My doubt is that my ESAs are already configured as per mail flow policies, sender groups, routing, SMTP routes and so on.
    What is the impact of activating the cluster feature with the clusterconfig command and creating a cluster? Do I lose all the configuration already done?
    Moreover, my 2x ESA are already centralized to an SMA for reporting, PoV and spam quarantines. Any impact?
    thanks
    smaikol

    Correct - as of 8.5, the cluster configuration is available without need for the additional license/feature key.  You should simply be able to log in on the CLI and run clusterconfig.
    When you create the cluster --- you'll create on ESA_A.  Once you join ESA_B to ESA_A in cluster, it will overwrite the configuration on ESA_B --- and will have matching configuration of ESA_A.  On ESA_B, if you had special routing, mail flow policies, or other configuration differences, you would need to go back through and re-configure those at machine level.
    As for ESA > SMA, it would not have any impact.  ESA_A and ESA_B will still report individually to the SMA.
    -Robert

  • 2xC350 in High Availability Mode (Cluster Mode)

    Hello all,
    First of all, I'm a newbie in IronPort. So sorry for my basic questions, but I can't find anything in the manuals.
    I want to configure the two boxes in High Availability Mode (Cluster Mode) but I don't understand the IronPort cluster architecture.
    1) In machine mode I can configure IP addresses -> OK
    2) In cluster mode I can configure listeners and bind them to an IP address -> OK
    But how does the HA work?
    A) Should I configure the same IP on both boxes to use one MX record? And if one box is down the other takes over?
    B) Or should I configure different IPs and configure two MX records?
    And if one box is down the second MX will be used.
    Thanks in advance
    Michael

    The IronPort clustering is for policy distribution only - not for SMTP load mgmt.
    A) Should I configure the same IP on both boxes to use one MX record? And if one box is down the other takes over?
    Could do - using NAT'ing on the f/w, but few large businesses take this approach today.
    Many/most large businesses use a HW load balancer like an F5, Foundry ServerIron, etc. The appliances themselves would be set up on separate IP addresses. Depending on the implementation requirements, the internal IP address could be a public IP or a private IP.
    B) Or should I configure different IPs and configure two MX records?
    And if one box is down the second MX will be used.
    If you set up two boxes, even with a different MX preference, mail will be delivered to both MX records. There are broken SMTP implementations that get the priority backwards, and many spammers will intentionally attempt to exploit less-restrictive accept rules on secondary MX receivers and will send to them first.
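    As an added example (not from this thread or from Cisco), the following Python models the sender-side behaviour that both Steven's reply in the "Ironport Cluster Load Balancing" thread and this reply rely on: an SMTP client orders MX records by ascending preference, spreads load across hosts that share a preference, and only falls through to a higher-preference (backup) host when the lower ones refuse a connection. The hostnames are constructed, and `is_up` stands in for an actual SMTP connection attempt. It also shows why the backup host must enforce the same accept rules as the primary: any host in the record set can and will receive mail.

```python
import random
from collections import defaultdict

# Constructed MX record set for a hypothetical internal smarthost name,
# in the style of Steven's outgoingMX.local.domain suggestion (not real DNS data).
# Two equal-preference ESAs share the load; a third, higher-preference
# (i.e. lower-priority) host is the backup.
SMARTHOST_MX = [
    # (preference, hostname)
    (10, "esa1.local.domain"),
    (10, "esa2.local.domain"),
    (20, "esa-dr.local.domain"),
]


def mx_delivery_order(records, rng=None):
    """Order MX hosts the way an RFC 5321 sender does: ascending preference,
    with hosts of equal preference shuffled so that load spreads across them."""
    rng = rng or random.Random()
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records, is_up, rng=None):
    """Try each host in MX order; return the host that accepted the message,
    or None when every MX host refused the connection."""
    for host in mx_delivery_order(records, rng):
        if is_up(host):
            return host
    return None


def distribution(records, is_up, n=1000, seed=0):
    """Deliver n messages and count which host took each one. With a seeded
    RNG the run is repeatable, so the split can be checked in a test."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(n):
        counts[deliver(records, is_up, rng)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("all up:      ", distribution(SMARTHOST_MX, lambda h: True))
    print("esa1 down:   ", distribution(SMARTHOST_MX, lambda h: h != "esa1.local.domain"))
    print("primaries down:", distribution(SMARTHOST_MX, lambda h: h.startswith("esa-dr")))
```

    The "all up" run never touches the backup host, the "esa1 down" run sends everything to esa2, and only when both preference-10 hosts are down does the DR host receive mail; a sender that ignores preference, as the reply notes some do, would hit the backup in every run.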

  • How does IronPort assist in load balancing?

    There are plans to put a load balancer in front of an IronPort cluster of 6. As of now, we have Mx record priority (Round robin) based load balancing.
    Does an ESA have the intelligence to automatically reject incoming connections if other ESAs in the cluster are idle? Or, in another way, does the ESA have the intelligence to reject incoming connections if it sees a series of connection attempts from the same source? Or, does it have the intelligence to reject incoming connections if it is devoid of any resources to process new messages?
    Thanks,
    Chandan

    No.  The ESA will still act in the same stand alone fashion - so, it will act independently with the traffic that is presented.  Other appliances in cluster would not recognize the other appliance's traffic or status for handling mail that is processed --- remember, with the ESA, in cluster - the only thing that is shared is the configuration between cluster appliances.
    The traffic handling and load balancing aspect would be based on the 3rd party software/appliance sitting in front of the appliances --- then control the pool of appliances that you have set from there.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Ironport C170 Config file restore

    Hi Team,
    We have 2 clustered IronPort servers with AsyncOS 7.5.2 at site 1, and now we are building a new DR site for Exchange 2010 and building IronPort at the DR site.
    We have one ironport AsyncOS 7.6.2 for Cisco IronPort C170 build 201 at DR site.
    We have to restore configuration file from Site 1 to DR site.
    Can you please provide me the steps to restore the file from site 1 to DR site
    I have removed the one node from ironport cluster from site 1 and taken the backup of the configuration file.
    Regards,
    Pravin

    Pravin -
    You will need to upgrade all appliances to the same revision in order to have the configuration used from site 1 to the DR.  Also, 7.5.2 and 7.6.2 are EOL, and you would be strongly suggested to upgrade to the minimum of 7.6.3-019 for all appliances.
    After that - it would just be a matter of looking at this two ways - while upgrading the appliances at site 1, just save the configuration copy once upgraded as needed to 7.6.3-019.  Make a copy and modify the Network Configuration section: Hostname, Interface <IP>, Routing Table... and then load that copy on the DR site.
    Or - the other way to look at it would be to just join the DR site to the cluster.  That way all configuration is shared among the three appliances.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Easy way to export Ironport settings on Prod box and import

    We have a production C30 box that handles all of our Inbound/Outbound mail.
    We have also purchased a C10 that will eventually work in an Ironport cluster with the C30.
    However, I currently have the need to migrate the C30 from our existing DMZ to a new DMZ. It has been decided that the best way to do this is to set up the C10 in the new DMZ with the same settings as the C30 (with the IPs being different). This would allow both boxes to receive inbound mail for the production domain while the new DNS MX record propagates throughout the Internet.
    The question is, is there an easy way to export the C30 settings and import them into the C10 so that I do not need to go page by page to copy the settings?
    Thanks,
    -Matt

    I tried to do the export/import.
    However I keep getting:
    Invalid data format.
    The certificate and key do not match.
    Value was: ('*****', '*****')
    Parsing failed. Aborting.
    So I opened a support case.
    -Matt

  • Configuring SNMP Alerts

    Does anyone have any experience with configuring SNMP alerts on C-Series appliances?  I'm interested in receiving alerts when there's a certain amount of emails in the workqueue.  Is this possible?
    We experienced an issue the other day where we received an exorbitant amount of email at one time from one specific sender and the workqueue was backed up.  It would have been nice to receive alerts on this so we could more effectively eliminate the issue.  If anyone has another suggestion to receiving notification through SNMP alerts on a high amount of messages in the workqueue please let me know.  I'm open to other ideas.  I just thought this might be the most effective way.
    Thanks!
    Mike

    Thanks Viquar, maybe you can help me with the issue that I'm dealing with.
    We have roughly 4000 internal SMTP servers that send e-mail to the internet via our IronPort cluster.  These IPs are everything from USB temperature gauges to an Exchange org. with 20K mailboxes.   Every once in a while something goes haywire and a lot of e-mail gets generated internally.  Either a virus generating a lot of e-mail, an application getting stuck in a loop, or a user configuring an Outlook Rule to send all mail to an external address that is being bounced back to them.
    What I'm looking for is some kind of alert when e-mail volume or maybe e-mail rate goes through the roof.
    One of the things that I've been researching is implementing rate limiting on outbound e-mail by IP address.  The problem is that all of these 4,000 internal SMTP servers are allowed access due to a 10.* entry in our HAT today.  So to get rate limiting going I would have to identify all of those servers and then determine the rate that would be good for each of them that would allow normal traffic but stop at the right point when an issue is occurring.  Due to the work that would take I was hoping for something along the lines of an alert when overall mail rate on the IronPort cluster goes higher than X, not knowing what X is yet...   Probably configure it something high and then slowly change it to a lower setting until I started getting alerts.
    Anything like that exist?
    Jason Meyer
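    The alert Jason describes (fire when the overall mail rate, or the rate from one internal source, goes above some X) can be prototyped off-box before anyone commits to per-host HAT rate limits. The following Python sliding-window counter is an added example, not code from this thread or from Cisco; the (timestamp, source IP) records are constructed sample data and do not reflect the ESA mail log format, so feeding real data means writing a small adapter from whatever log export is available.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (delivery time, internal source IP) for each outbound
# message. Made-up data for illustration; 10.1.1.5 is the "runaway" sender.
_T0 = datetime(2012, 3, 12, 15, 30, 0)
SAMPLE_EVENTS = [
    (_T0 + timedelta(seconds=s), ip) for s, ip in [
        (0, "10.1.1.5"), (5, "10.1.1.5"), (10, "10.2.0.9"), (15, "10.1.1.5"),
        (20, "10.1.1.5"), (25, "10.3.7.1"), (30, "10.1.1.5"), (35, "10.1.1.5"),
        (40, "10.4.4.4"), (45, "10.5.5.5"),
    ]
]

OVERALL = "*"  # pseudo-source for the gateway-wide counter


def rate_alerts(events, per_source_limit, overall_limit, window=60):
    """Sliding-window message counter.

    Returns a list of (timestamp, source, count) recording the first moment
    each source IP, or the whole gateway (source "*"), exceeds its limit within
    `window` seconds. Each key alerts once, so a burst does not flood the
    on-call mailbox with one alert per message.
    """
    span = timedelta(seconds=window)
    windows = defaultdict(deque)   # key -> timestamps still inside the window
    fired = set()
    alerts = []
    for ts, src in sorted(events):
        for key, limit in ((src, per_source_limit), (OVERALL, overall_limit)):
            q = windows[key]
            q.append(ts)
            while q and ts - q[0] > span:   # drop events that aged out
                q.popleft()
            if len(q) > limit and key not in fired:
                fired.add(key)
                alerts.append((ts, key, len(q)))
    return alerts


if __name__ == "__main__":
    # Start with generous limits and tighten them until alerts appear,
    # which is the tuning approach Jason describes.
    for ts, key, count in rate_alerts(SAMPLE_EVENTS, per_source_limit=5, overall_limit=8):
        who = "gateway total" if key == OVERALL else "source " + key
        print("%s: %s reached %d messages in the last minute" % (ts, who, count))
```

    The per-source counter answers the "which host went haywire" question without first having to enumerate all 4,000 senders; the overall counter is the single threshold X the post asks for.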

  • Exchange 2008 w/o Edge or Hub transport servers

    We are moving to Exchange 07 for somewhere between 5-10K users. I've already talked management into using IronPort instead of MS Edge Transport servers. Would anyone who is currently doing this like to comment on how it is working?
    More importantly, it seems to me that IronPort can also do the job of the Hub Transport servers. However, I've been told that Exchange 07 cannot run without them. We are currently using LDAP accept and LDAP routing on IronPort (with AD). Can't that take the place of the Hub servers for Exchange?

    I have been looking for a similar solution for a long time. If you have more information, please let me know. IronPort and Microsoft support didn't know if this is possible.
    We are using Exchange 2007 as the internal mail server, and Exchange 2007 uses the IronPort cluster as the mail (anti-spam/anti-virus) gateway for outgoing (public internet) traffic, so for example if one of our [email protected] sends email to [email protected], the message goes through the external mail gateway.
    But when AD/MS domain and Outlook users send messages between themselves, like [email protected] > [email protected], the messages do not go through the external mail gateway right now.
    This seems to be Hub Transport Server default behavior.
    But as in IronPort we are using a lot of different content filters to remove headers, add headers, drop specific attachments, look into archives, encrypt and decrypt, notify, quarantine, message tracking etc., I'd like to route every single message through IronPort but can't find any way to do it.
    As far as I know, Hub Transport Servers can run specific software, like Forefront etc., which intercepts the local traffic.
    So basically IronPort should act as an external security appliance for the Hub Transport Servers.

  • Inaccessible IronPort c670 appliance from both GUI and CLI. Can I tunnel-in from other c670 appliance in the cluster?

    I am unable to access one of the 6 IronPort appliances. Also, got an error that the appliance has got disconnected from the cluster. Is there any CLI command I can use to possibly tunnel-into the faulty appliance from another appliance in the cluster to reboot?

    No.  Normally, from 'clustermode' you can then access machine level on the different appliance(s) in cluster.  But, if this is disconnected, then that command is not going to work.
    If you cannot SSH/telnet to the appliance in question, and do not have some form of remote console or access pre-configured, you will need to connect directly to the appliance, or hard boot the appliance in order to attempt to regain connectivity.  
    Please see the C670 quick start guide for assistance:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/hw/C670_QSG.pdf
    Setup and Management
    • For access by Ethernet™, connect to the Management Network Port. Use a browser to access the web-based interface on the default IP address 192.168.42.42. You can also access the command line interface by SSH or terminal emulation software on the same IP address. (The netmask is /24.)
    • Or, for Serial access, connect to the Serial Port. Access the command line interface by a terminal emulator using 9600 bits, 8 bits, no parity, 1 stop bit (9600, 8, N, 1), flowcontrol = Hardware.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Ironport c160 cluster problems

    Hi!
    I have two IronPort C160 in cluster mode; tonight one of them stopped working, and I cannot access it, but it responds to ping.
    In the system log I found only the following line:
    Mon Mar 12 15:30:39 2012 Warning: Error connecting to cluster machine xxxxx (Serial#: xxxxxx-xxxxxx) at IP xx.xxx.xxx.x - Operation timed out - Timeout connecting to remotehost cluster
    Mon Mar 12 15:31:09 2012 Info: Attempting to connect via IPxxxxx toxxxxxxxx port 22 (Explicitly configured)
    My version is: 6.5.3-007
    What can I log to find the cause of the problem?
    How can I find out what the problem is?
    How can it be solved?
    Thank you very much

    Well, "queuereset" is not a valid command; what you mean is "resetqueue", which I would strongly not recommend using without having a very good reason, because this command removes all messages from the workqueue, delivery queues, and quarantines. There are usually less destructive ways to fix a cluster problem.
    BTW, version 5.5 has long been gone, so we won't need to reference any bugs from there any more.
    Regards,
    Andreas
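    To answer the "what can I log" part of the question without resorting to destructive commands, the system log already carries the signal: the "Error connecting to cluster machine ..." warnings. The following Python is an added example (not from this thread or from Cisco) that parses lines in the format quoted above, groups connection failures per cluster machine, and raises one alert when a machine fails repeatedly inside a time window, so the on-call engineer hears about a split cluster before users do. The first two log lines are the ones quoted in the question (with the values masked as they appear there); the remaining two are constructed repeats of the same failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One system-log line: "<day> <mon> <dd> <hh:mm:ss> <yyyy> <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$"
)
# The cluster-connection failure message quoted in the question above.
CLUSTER_ERR_RE = re.compile(
    r"Error connecting to cluster machine (?P<machine>\S+) "
    r"\(Serial#: (?P<serial>[^)]+)\) at IP (?P<ip>\S+) - (?P<reason>.*)$"
)

# Lines 1-2: quoted from the question (values masked there).
# Lines 3-4: constructed repeats of the same failure, one minute apart.
SAMPLE_LOG = """\
Mon Mar 12 15:30:39 2012 Warning: Error connecting to cluster machine xxxxx (Serial#: xxxxxx-xxxxxx) at IP xx.xxx.xxx.x - Operation timed out - Timeout connecting to remotehost cluster
Mon Mar 12 15:31:09 2012 Info: Attempting to connect via IPxxxxx toxxxxxxxx port 22 (Explicitly configured)
Mon Mar 12 15:31:39 2012 Warning: Error connecting to cluster machine xxxxx (Serial#: xxxxxx-xxxxxx) at IP xx.xxx.xxx.x - Operation timed out - Timeout connecting to remotehost cluster
Mon Mar 12 15:32:39 2012 Warning: Error connecting to cluster machine xxxxx (Serial#: xxxxxx-xxxxxx) at IP xx.xxx.xxx.x - Operation timed out - Timeout connecting to remotehost cluster
"""


def parse_log(text):
    """Return one dict per parsable line: timestamp, level and message."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "level": m.group("level"),
            "msg": m.group("msg"),
        })
    return entries


def cluster_failures(text):
    """Map cluster machine name -> list of (timestamp, ip, reason) failures."""
    failures = defaultdict(list)
    for e in parse_log(text):
        m = CLUSTER_ERR_RE.match(e["msg"])
        if m:
            failures[m.group("machine")].append((e["ts"], m.group("ip"), m.group("reason")))
    return dict(failures)


def cluster_alerts(text, threshold=3, window=timedelta(minutes=5)):
    """Alert once per machine the first time `threshold` failures fall inside a
    sliding `window`. Returns (machine, ip, first_ts, last_ts, count) tuples."""
    alerts = []
    for machine, events in cluster_failures(text).items():
        recent = deque()
        for ts, ip, _reason in sorted(events):
            recent.append(ts)
            while recent and ts - recent[0] > window:  # age out old failures
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append((machine, ip, recent[0], ts, len(recent)))
                break
    return alerts


if __name__ == "__main__":
    for machine, ip, first, last, count in cluster_alerts(SAMPLE_LOG):
        print("ALERT: cluster machine %s (%s): %d connection failures between %s and %s"
              % (machine, ip, count, first, last))
```

    A single timeout is normal noise during an upgrade or reboot; three in five minutes against the same serial number is the point at which someone should check whether the peer is reachable on port 22 before anything is reset.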

  • Replace Faulty IronPort ESA in a Cluster

    I have a cluster of 2 IronPort ESA appliances and one of these is faulty and will not boot. I am awaiting a replacement from Cisco.
    I cannot find an exact guide that explains how to reinstate the new appliance into the cluster and therefore am making an assumption that the easiest way to do this is as follows:
    1) Physically connect the new device.
    2) Login with console and ensure the new device has centralised management feature and all other keys.
    3) Configure the management interface with the original machine level IP address from the old configuration of the faulty device.
    4) Use Clusterconfig command to join new device to cluster.
    The only thing I am concerned about is licensing and serial numbers. I seem to remember that the primary cluster device will check the serial number at some point, and therefore if it's a new device then it will not join the cluster. If this is the case then I assume we would have to remove the original device from the cluster and add the new one as a brand new one. This would mean all other machine-level configuration would be lost, such as IP addresses of Data interfaces and DNS names etc.
    Can anyone clarify please. Also can anyone point me to which configuration is required for machine level only.
    Regards
    Paul Tribe

    So - to help out - yes... it would be pretty much...
    1) Once you get the RMA appliance, rack and cable the appliance, and bring it online with the quickstart guide.  We'll call this ESA3.
    2) Once ESA3 is online - you'll need to make sure that you get the RMA on the same matching AsyncOS version as ESA1.  (*This may mean you'll need to upgrade ESA1 to get a compatible revision running...)  Also, just go ahead and make the IP and hostname the same as you had for ESA2... if not done at quickstart.
    3) Once the version is matching - just transfer over the license/feature keys from the old ESA2 to your new ESA3 (RMA unit):
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118000-technote-esa-00.html
    4) Once licensing is completed - just join to cluster.  (*If you are running 8.5.6 --- clustering is included in the release --- just run clusterconfig on the CLI to assure operation.)  From ESA1, run clusterconfig and removemachine - choosing ESA2.  From ESA3, clusterconfig and join cluster:
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118174-technote-esa-00.html
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • How to install renewed feature key to cluster Ironport C170

    Our email gateway uses two IronPort C170 in a cluster. Recently the feature key expired on both C170 and we are in the process of getting this feature key renewed.
    I am new to this Cisco IronPort. I would like to know, once we get this renewed feature key, how we can install it on both IronPort C170. The features currently expired are: "Centralized Management, IronPort Anti-Spam, Sophos Anti-Virus, Outbreak Filters".
    After the feature key expired, several changes have been made to the IronPort incoming content filters; because the "Centralized Management" feature expired these changes were made on both C170 IronPorts. Does this have any impact on installing the renewed feature key?
    Thanks.

    Hi Rugang,
    You can manually install the keys via Web UI or CLI.
    In the Web UI, please log in as admin and go to :
    System Administration -> Feature Keys -> Section named: Feature Activation
    Paste the key string you received in the field named: Feature Key: then hit the button Submit key. You may need to accept the User Agreement. After that the system will validate the key and if everything goes well, you will have the feature ready to use.
    In the CLI, please log in as admin and run:
    > featurekey
    then run:
    activate
    then paste the string for the key you want to install
    There is no need to commit changes. You can finish the featurekey command by pressing the ENTER key in your keyboard.
    It would be advisable not to make changes with the boxes not running Centralized Management due to key expiration, but it seems you already did that. The devices will try to synchronize the settings and it is possible that you will find inconsistencies. You can use the command:
    > clustercheck
    to view/fix the inconsistencies. This command/action can only be executed via CLI.
    I would recommend that you save the configuration from both devices; apply the keys and save the configuration again. Run a diff (linux/unix) or windiff on the files (before and after installing the keys) to see if you find anything which requires your intervention.
    As always, please contact our customer support in case you have any questions or have any issues with the whole process.
    I hope this helps.
    Regards,
    -Valter

  • Ironport C350's in cluster, have to search both to find emails to release

    I have two C350s in a cluster on OS 7.3. When a user asks to have an email released (quarantined) I have to search both units to find it. For example it could be on ironport01 or ironport02. There is a spam search, but these are not spam emails; these are ones that have been quarantined and I released them, for example audio file attachments. If this is just the way it is, that's all I need to know. Maybe in a cluster they have to be the same name?
    Thanks

    Greetings Parnell,
    Are these messages already in Policy Quarantine? If yes, then you as an administrator can only release them for the user. In future for new emails, if you want users to release the messages when hit by a content filter, you can divert the messages using a content or message filter to the IronPort Spam Quarantine.
    Here are the KB articles you can refer to for this information:
    Can a Content Filter divert messages to the IronPort Spam Quarantine? http://tinyurl.com/coebj3
    Can a Message Filter divert messages to the IronPort Spam Quarantine? http://tinyurl.com/s2eql
    Hope this information helps. Please let us know if you have any questions.
    Thanks,
    Jyothi Gandla
    Customer Support Engineer
