Proper TLS Config for IronPort C170

I inherited an infrastructure a little bit ago that uses an IronPort C170 cluster for email security. I have been tasked with configuring TLS connections with our new medical benefits provider and have some issues doing so. We have 3 MX records, let's call them mail1, mail2 and mail3. Mail1 and mail2 are configured normally on our firewall to pass SMTP traffic on port 25 to the MailListener port on the IronPort which is 25. Mail3, however, is configured on the firewall to translate SMTP traffic on port 25 to port 3600 which is sent to the TLS Listener port 3600 on the IronPort. The IronPort MailInterfaces are configured as such (25,3600) Reverse configuration on the firewall takes any port 3600 traffic from the IronPort and translates it to port 25 traffic for the rest of the world.
I configured the IronPort with a new Sender Group named TLS_ACCEPT, added all the medical provider domain names/IPs to it and assigned it to the ACCEPTED Mail Flow Policy where TLS is set to Required. Likewise, for outgoing, I specified the same domain names/IPs within the Destination Controls to require TLS for sending purposes.
I replaced the guy who originally configured this so I am not too sure how it is setup on the other end for TLS connections already established. We do have a few in place that are active. I am assuming that the other end is configured to send email only to the mail3 MX record. This configuration, however, is not possible with our medical provider so I need an alternative. They have verified that they cannot contact us on mail1 or mail2 via TLS but can with mail3.
The obvious problem is if a sender from these new domains tries to send TLS_required emails to us over the mail1 and mail2 MX IPs, they will receive an NDR. If I configure the firewall to translate mail1 and mail2 incoming connections from port 25 to 3600, any email sent with TLS not preferred/required will get an NDR. This was actually tested and domains like Yahoo and Hotmail could not send to us.
Are there any options for me on the IronPort to allow these connections to be sent from all our MX IPs without having to translate the ports? If not, what would happen if I changed the TLS Listener port on the IronPort to 25 instead of 3600 and disabled all the NAT rules on the firewall for mail3? I am only to assume this translation was another security step added by the previous admin here but am not too sure what would happen if I eliminated it.
Any advice, help, questions, assistance or fun-poking would be greatly appreciated!! Thank you in advance!

Kevin,
OMG there's so much unneeded complication here...You can totally ditch the port translation
Here's what I did:
Under Network/IP interfaces, I have 3 interfaces: management, Public, Private.
     Public is exposed to the net, only port 25 allowed in/out, with 1 A record for Domain1 which I have a certificate for.
Under Network/Listener I have 2 Listeners: 
     Outbound on the Private interface, not really relevant for the rest of this discussion
     Inbound on the Public interface
          listening on port 25
          using an Accept query pointed at my Active Directory (all the various email domains in 1 AD)
          using a cert that matches the hostname on the Public interface
          Mail flow policies in HAT all set to TLS preferred with an address list configured for the "required" ones
Mail Policies/Destination Controls to force sending as TLS
In my external DNS
     Domain1
          A  mail.domain1.com  x.x.x.
          mx domain1.com  mail.domain1.com pref 10 weight 10 TTL 86400
     Domain2-10
          mx domain2.com mail.domain1.com
          mx domain3.com mail.domain1.com
     etc....
Hope that helps...
Ken    
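A check that belongs with both posts above (Kevin's report that the provider reaches mail3 but not mail1/mail2 over TLS, and Ken's single port-25 listener with TLS preferred): a remote MTA whose destination control says TLS Required picks a host by MX preference and expects STARTTLS on port 25 of whichever one it lands on, so every published MX has to advertise it, and a partner that also verifies the certificate has to be able to validate the chain and hostname there. The probe below is an added example, not code from the thread or from Cisco; it uses only the Python standard library, and mail1/2/3.example.com, the HELO name probe.example.net and the ports are placeholders to replace with your own.

```python
"""Probe MX hosts the way a TLS-required sender does (added example).

Not code from the thread or from Cisco. Host names, the HELO name and
ports are placeholders; pass your real MX hosts on the command line.
"""
import smtplib
import ssl
import sys
from typing import Union


def ehlo_offers_starttls(ehlo_reply: Union[bytes, str]) -> bool:
    """True if an EHLO reply advertises STARTTLS.

    Accepts the raw wire form ("250-STARTTLS\\r\\n...") or the body that
    smtplib's SMTP.ehlo() returns, where the "250-" prefixes are stripped.
    """
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if len(line) > 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]                       # drop "250-" / "250 "
        keyword = line.split(None, 1)[0].upper() if line else ""
        if keyword == "STARTTLS":                 # exact keyword, not a substring
            return True
    return False


def check_mx_starttls(host: str, port: int = 25, verify: bool = True,
                      helo_name: str = "probe.example.net", timeout: float = 10.0) -> dict:
    """Connect, confirm STARTTLS is offered, then negotiate it.

    verify=True checks the chain and hostname, which is what a partner that
    requires and verifies TLS will do; verify=False shows the opportunistic
    view. Nothing is sent after the handshake.
    """
    result = {"host": host, "port": port, "connected": False, "starttls_offered": False,
              "tls_established": False, "tls_version": None, "cert_subject": None, "error": None}
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    smtp = None
    try:
        # Passing host to the constructor connects and records the name for SNI;
        # a non-220 banner raises SMTPConnectError.
        smtp = smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout)
        result["connected"] = True
        code, reply = smtp.ehlo()
        if code != 250:
            result["error"] = f"EHLO rejected: {code} {reply!r}"
            return result
        result["starttls_offered"] = ehlo_offers_starttls(reply)
        if not result["starttls_offered"]:
            result["error"] = "STARTTLS not advertised; a TLS-required sender will bounce here"
            return result
        smtp.starttls(context=ctx)
        result["tls_established"] = True
        result["tls_version"] = smtp.sock.version()
        cert = smtp.sock.getpeercert()            # empty dict when verify=False
        result["cert_subject"] = {k: v for rdn in cert.get("subject", ()) for k, v in rdn} or None
    except ssl.SSLCertVerificationError as exc:   # must precede OSError (it is a subclass)
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        if smtp is not None:
            smtp.close()                          # no QUIT: socket state after a failed handshake is unknown
    return result


def summarize(result: dict) -> str:
    """One line per host for the operator."""
    where = f"{result['host']}:{result['port']}"
    if result["tls_established"]:
        return f"{where} OK {result['tls_version']} subject={result['cert_subject']}"
    return f"{where} FAIL {result['error']}"


if __name__ == "__main__":
    for h in sys.argv[1:] or ["mail1.example.com", "mail2.example.com", "mail3.example.com"]:
        print(summarize(check_mx_starttls(h)))
```

Resolve the MX set first (for example with `dig +short mx yourdomain.example`) and pass those hosts as arguments, running from outside your own network so the firewall translation is in the path. A host that reports "STARTTLS not advertised" is the one a Required-TLS partner bounces on, and a "certificate verification failed" result is what a verifying partner sees even though opportunistic senders get through.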

Similar Messages

  • Ironport C170 Config file restore

    Hi Team,
    We have 2 clustered IronPort servers with AsyncOS 7.5.2 at site 1 and now we are building a new DR site for Exchange 2010 and building an IronPort at the DR site.
    We have one ironport AsyncOS 7.6.2 for Cisco IronPort C170 build 201 at DR site.
    We have to restore configuration file from Site 1 to DR site.
    Can you please provide me the steps to restore the file from site 1 to DR site
    I have removed the one node from ironport cluster from site 1 and taken the backup of the configuration file.
    Regards,
    Pravin

    Pravin -
    You will need to upgrade all appliances to the same revision in order to have the configuration used from site 1 to the DR.  Also, 7.5.2 and 7.6.2 are EOL, and you would be strongly suggested to upgrade to the minimum of 7.6.3-019 for all appliances.
    After that - it would just be a matter of looking at this two ways - while upgrading the appliances at site 1, just save the configuration copy once upgraded as needed to 7.6.3-019.  Make a copy and modify the Network Configuration section: Hostname, Interface <IP>, Routing Table... and then load that copy on the DR site.
    Or - the other way to look at it would be to just join the DR site to the cluster.  That way all configuration is shared among the three appliances.
    I hope this helps!
    -Robert

  • What is the proper config for the Airport Extreme when a Voice over IP device is between the cable modem and the router.

    What is the proper config for the Airport Extreme when a Voice over IP device is between the cable modem and the router. It's a VoIPo device. The cable modem is connected to the VoIP WAN port and the LAN port on the device feeds the Airport Extreme. The VoIP is working fine, and my Macs are getting 10. addresses from the Airport Extreme. But I do get conflict messages and lose my connection periodically. Looking for help.

    Its a VoIPo device.
    Per chance, is this device the Grandstream HT502?

  • BAPI IDoc Config for LSMW

    Hello all,
    I would like to use LSMW to change CRM Business Partner data via BAPI. I have located the correct BAPI to use, but I now need to perform the proper port config, Partner profile setup, etc. Does anyone have straightforward documentation on how to convert this BAPI so that it can be used by LSMW? The Bus. Object is BUS1006005, but it has not yet been prepared for use by LSMW. I have plenty of LSMW experience using BDC, so full LSMW documentation is not necessary. Thanks in advance for your help.
    Kind Regards,
    Jason

    Hi Jason,
    The port config & Partner profile setup, etc. are generally done by Basis consultants. I think Basis consultants can help with this, as the ports are created one time in a system.
    Ashvender

  • Ironport C170 Relay outgoing Email to External Server

    We have a new Ironport C170 and am only using the appliance for Encryption/DLP.  We wish to have incoming and outgoing Email to flow through this appliance.  All incoming Email will be relayed to our Exchange Server and all outgoing Email will be relayed to our SAAS Email Filtering System for processing and delivery.  The incoming part I believe is configured correctly but am having issues figuring out how to relay all outgoing to a specific domain in the cloud.
    Any assistance would be greatly welcomed,
    Stephen

    Hi Stephen,
    You can control all the outgoing mail from the SMTP Route configuration; it is in the GUI menu > Network > SMTP Route.
    You can define the route to next hop based on destination domain, as for default - all other domains (this is the one that goes to SaaS) you can enter your cloud SMTP address and the port number there.
    Hope this helps.
    Thanks,
    Donny

  • How to install renewed feature key to cluster Ironport C170

    Our email gateway uses a two-IronPort C170 cluster; recently the feature key expired on both C170s and we are in the process of getting this feature key renewed.
    I am new to this Cisco IronPort. I would like to know, once we get this renewed feature key, how we can install it on both IronPort C170s. The features currently expired are: "Centralized Management, IronPort Anti-Spam, Sophos Anti-Virus, Outbreak Filters".
    After the feature key expired several changes have been made to the IronPort incoming content filters; because the "centralized management" feature expired these changes were made on both C170 IronPorts. Does this have any impact on installing the renewed feature key?
    Thanks.

    Hi Rugang,
    You can manually install the keys via Web UI or CLI.
    In the Web UI, please log in as admin and go to :
    System Administration -> Feature Keys -> Section named: Feature Activation
    Paste the key string you received in the field named: Feature Key: then hit the button Submit key. You may need to accept the User Agreement. After that the system will validate the key and if everything goes well, you will have the feature ready to use.
    In the CLI, please log in as admin and run:
    > featurekey
    then run:
    activate
    then paste the string for the key you want to install
    There is no need to commit changes. You can finish the featurekey command by pressing the ENTER key in your keyboard.
    It would be advisable not to make changes with the boxes not running Centralized Management due to key expiration, but it seems you already did that. The devices will try to synchronize the settings and it is possible that you will find inconsistencies. You can use the command:
    > clustercheck
    to view/fix the inconsistencies. This command/action can only be executed via CLI.
    I would recommend that you save the configuration from both devices; apply the keys and save the configuration again. Run a diff (linux/unix) or windiff on the files (before and after installing the keys) to see if you find anything which requires your intervention.
    As always, please contact our customer support in case you have any questions or have any issues with the whole process.
    I hope this helps.
    Regards,
    -Valter

  • Cisco Ironport C170

    Hi ,
    I already configure the ironport C170 for incoming , outgoing , Content Filtering and Antispam.
    But Antispam is not working properly. If I send out an email, the message header never shows the IronPort antispam header.
    I can see the IronPort Antivirus header only. How can we test that the anti-spam is working before we add the incoming
    production domain to the IronPort? Please see the pictures. Currently the OS running is 8.0.1. Please help me check, thanks,
    Thanks,
    infoakh

    Please see the following:
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117865-qanda-esa-00.html
    -Robert

  • Ironport C170 Central Management Feature...

    We have a SINGLE Ironport C170 that was set up by an IT Services group here over 6 years ago- before I was hired. We have been getting the following message e-mailed to us recently:
    The Warning message is:
    Your "Centralized Management" key will expire in under 5 day(s).  Please contact your authorized Cisco sales representative.
    Our concern here is this:
    We do not use "Centralized Management"- we only have one office, one E-mail Security appliance. Should we worry about this feature expiring? Is this a Feature Key that we will need to purchase a renewal for? I appreciate any insight into this issue.
    Q.M. Quiney
    Network Admin
    Precision Payroll of America

    The Centralized Management key was a separate (non-free) feature key for connecting multiple appliances in a cluster. Now this license key is included in all newer SW versions in the base license.
    If you're not using multiple appliances you don't need this feature and you can ignore this warning.
    Just to be sure you're not using a single appliance in a cluster check cluster status with CLI->clusterconfig.

  • Forwarding all mail from one ironport C170 to another (C160)

    Good Morning,
    Could someone tell me how to forward all mail which hits my IronPort C170 at one site to another C160 at the other please? I have tried adding SMTP routes but this doesn't seem to work.
    many thanks,
    Dave                  

    Hi,
    Yes we have done this.
    Message tracking log as follows...
    09 Apr 2013 14:58:41 (GMT +01:00)
    Protocol SMTP interface Data 2 (IP x.x.x.x) on incoming connection (ICID 59) from sender IP x.x.x.x. Reverse DNS host None verified no.
    09 Apr 2013 14:58:41 (GMT +01:00)
    (ICID 59) RELAY sender group Incoming Relay match [sendmail_server_ip] SBRS not enabled
    09 Apr 2013 14:58:41 (GMT +01:00)
    Start message 1114 on incoming connection (ICID 59).
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 enqueued on incoming connection (ICID 59) from [email protected]
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 on incoming connection (ICID 59) added recipient ([email protected]).
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 incoming relay (sendmail_server): Header Received found, IP address 127.0.0.1 being used, SBRS not enabled
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 contains message ID header '<201304091358.r39Dwe8Z004098@sendmail_server>'.
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 (658 bytes) from [email protected] ready.
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 matched per-recipient policy DEFAULT for outbound mail policies.
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 scanned by Anti-Virus engine. Final verdict: Negative
    09 Apr 2013 14:58:41 (GMT +01:00)
    Message 1114 queued for delivery.
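The tracking export above alternates a timestamp line with an event line, and the facts that matter when reviewing a relay path (which HAT policy and sender group the ICID hit, whether reverse DNS verified, which IP the Incoming Relay feature took from the Received header) are spread over several lines. The parser below re-pairs the lines and collects them per message ID, then flags the two things a reviewer would question in this particular log. It is an added example, not from the thread or from Cisco; SAMPLE_TRACKING is a constructed copy of the export's format with documentation IPs and example.* addresses in place of the redacted ones.

```python
"""Re-pair and summarize an ESA message-tracking export (added example).
Not code from the thread or from Cisco. SAMPLE_TRACKING is constructed in the
export's line format using documentation IPs and example.* addresses."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

TS_RE = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT [+-]\d{2}:\d{2}\)$")
CONN_RE = re.compile(r"on incoming connection \(ICID (\d+)\) from sender IP (\S+)\. Reverse DNS host (\S+) verified (yes|no)")
GROUP_RE = re.compile(r"^\(ICID (\d+)\) (\S+) sender group (.+?) match ")
START_RE = re.compile(r"^Start message (\d+) on incoming connection \(ICID (\d+)\)")
FROM_RE = re.compile(r"^Message (\d+) enqueued on incoming connection \(ICID \d+\) from (\S+)")
RCPT_RE = re.compile(r"^Message (\d+) on incoming connection \(ICID \d+\) added recipient \((.+?)\)")
RELAY_RE = re.compile(r"^Message (\d+) incoming relay \((.+?)\): Header Received found, IP address (\S+) being used")
POLICY_RE = re.compile(r"^Message (\d+) matched per-recipient policy (\S+) for (\w+) mail policies")
AV_RE = re.compile(r"^Message (\d+) scanned by Anti-Virus engine.*?(Interim|Final) verdict: (\w+)")
QUEUED_RE = re.compile(r"^Message (\d+) queued for delivery")

SAMPLE_TRACKING = """\
09 Apr 2013 14:58:41 (GMT +01:00)
Protocol SMTP interface Data 2 (IP 192.0.2.5) on incoming connection (ICID 59) from sender IP 203.0.113.10. Reverse DNS host None verified no.
09 Apr 2013 14:58:41 (GMT +01:00)
(ICID 59) RELAY sender group Incoming Relay match [203.0.113.10] SBRS not enabled
09 Apr 2013 14:58:41 (GMT +01:00)
Start message 1114 on incoming connection (ICID 59).
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 enqueued on incoming connection (ICID 59) from alice@example.com
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 on incoming connection (ICID 59) added recipient (bob@example.net).
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 incoming relay (sendmail_server): Header Received found, IP address 127.0.0.1 being used, SBRS not enabled
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 matched per-recipient policy DEFAULT for outbound mail policies.
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 scanned by Anti-Virus engine. Final verdict: Negative
09 Apr 2013 14:58:41 (GMT +01:00)
Message 1114 queued for delivery.
"""

def pair_events(text: str) -> List[Tuple[str, str]]:
    """The export alternates a timestamp line and an event line; re-pair them."""
    events, ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            ts = line                          # applies to the next event line
        else:
            events.append((ts, line))
    return events

def summarize_tracking(text: str) -> Dict[int, dict]:
    """One record per MID, with the connection (ICID) facts attached."""
    conns: Dict[int, dict] = defaultdict(dict)
    msgs: Dict[int, dict] = {}

    def rec(mid: int) -> dict:
        return msgs.setdefault(mid, {"mid": mid, "icid": None, "first_seen": None, "sender": None,
                                     "recipients": [], "relay_client_ip": None, "policy": None,
                                     "direction": None, "av_verdict": None, "queued": False})

    for ts, line in pair_events(text):
        if m := CONN_RE.search(line):
            conns[int(m.group(1))].update(sender_ip=m.group(2), rdns_host=m.group(3),
                                          rdns_verified=m.group(4) == "yes")
        elif m := GROUP_RE.match(line):
            conns[int(m.group(1))].update(hat_policy=m.group(2), sender_group=m.group(3))
        elif m := START_RE.match(line):
            r = rec(int(m.group(1)))
            r["icid"], r["first_seen"] = int(m.group(2)), ts
        elif m := FROM_RE.match(line):
            rec(int(m.group(1)))["sender"] = m.group(2)
        elif m := RCPT_RE.match(line):
            rec(int(m.group(1)))["recipients"].append(m.group(2))
        elif m := RELAY_RE.match(line):
            rec(int(m.group(1)))["relay_client_ip"] = m.group(3)
        elif m := POLICY_RE.match(line):
            r = rec(int(m.group(1)))
            r["policy"], r["direction"] = m.group(2), m.group(3)
        elif m := AV_RE.match(line):
            rec(int(m.group(1)))["av_verdict"] = m.group(3)   # Final overwrites Interim
        elif m := QUEUED_RE.match(line):
            rec(int(m.group(1)))["queued"] = True
    for r in msgs.values():                    # attach HAT/rDNS facts from the ICID
        r["connection"] = dict(conns.get(r["icid"], {}))
    return msgs

def findings(msgs: Dict[int, dict]) -> List[str]:
    """What a reviewer of this log would question about the relay path."""
    out = []
    for r in msgs.values():
        c = r["connection"]
        if c.get("hat_policy") == "RELAY" and c.get("rdns_verified") is False:
            out.append(f"MID {r['mid']}: RELAY granted on ICID {r['icid']} from {c.get('sender_ip')} with unverified reverse DNS")
        if r["relay_client_ip"] and r["relay_client_ip"].startswith("127."):
            out.append(f"MID {r['mid']}: incoming relay header pointed at {r['relay_client_ip']}; the real client IP was not recovered")
    return out

if __name__ == "__main__":
    for note in findings(summarize_tracking(SAMPLE_TRACKING)):
        print(note)
```

Feed it a tracking export saved from the GUI (or pasted from the CLI) to get one record per MID; the second finding is the one worth chasing on a relay setup, because a Received header that points at 127.0.0.1 means the upstream server's own loopback was parsed as the client, so whatever reputation or sender-group logic depends on the original IP is working from the wrong address.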

  • Is the cisco ironport c170 end of sale?

    Hi,
    I was wondering whether the Cisco Ironport C170 is end of sale?, if so what is the replacement?
    Thanks

    Hi Juan,
    As far as I know C170 is not in end of sale.
    You can verify with your Cisco Account contacts for more details.

  • IronPort C170 Redundancy

    Hi All,
    I currently have 2 IronPort C170 appliances. I wanted to ask is it possible to configure them to be in hot-standby configuration? If not, what are my alternatives to provide redundancy?

    Usually, when it comes to email, redundancy is achieved by exposing multiple boxes to the internet on port 25, setting up A records for each one, and setting up multiple MX records, with dissimilar weights if you want to direct most of the traffic to one of them. The clustering facility afforded you in the IronPort boxes allows you to manage them from one console, but it has no redundancy/failover implications.
    You could use a network load balancer, and it can detect if one of the boxes is no longer accepting mail and then move the traffic to the other box.
    Hope that helps...
    Ken

  • Config for Production client

    Dear all,
    I'm new to Basis and now I'm working on a big ERP project. I have a doubt about the config for the Production client.
    In SCC4 we must set the client role to Production and No changes allowed for Objects. But in production sometimes we need to do Open and Close Period, or change following business requirements, ... This is not allowed in the Production client.
    How do we configure the Production client to cover these requirements?
    Do we need a config client to maintain the Production client? Example: Production client is 500, Config client is 100. When we need to Open or Close Period or change anything, we do it in 100 and transport the request to 500.
    Thank you very much.
    Regards,
    Thanh.
    Do not use text message language, the next time your thread will be deleted.
    Read the "Rules of Engagement"
    Edited by: Juan Reyes on Dec 1, 2010 11:06 AM

    You can customize transaction to be executable although the setting in SCC4 is "productive", this is accomplished by using transaction SOBJ:
    Note 1497640 - Open and close periods in productive client
    You can theoretically put every customizing view there and make it "executable" in a production system.
    Markus

  • How to use the same services-config for the local and remote servers.

    My flex project works fine using the below but when I upload my flash file to the server it doesn't work; all the relative paths and files are the same except the remote one is a linux server.
    <?xml version="1.0" encoding="UTF-8"?>
    <services-config>
        <services>
            <service id="amfphp-flashremoting-service"
                class="flex.messaging.services.RemotingService"
                messageTypes="flex.messaging.messages.RemotingMessage">
                <destination id="amfphp">
                    <channels>
                        <channel ref="my-amfphp"/>
                    </channels>
                    <properties>
                        <source>*</source>
                    </properties>
                </destination>
            </service>
        </services>
        <channels>
        <channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>
        </channels>
    </services-config>
    I think the problem  is the line
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
    but I'm not sure how to use the same services-config for the local and remote servers.

    paul.williams wrote:
    You are confusing "served from a web-server" with "compiled on a web-server". Served from a web-server means you are downloading a file from the web-server, it does not necessarily mean that the files has been generated / compiled on the server.
    The server.name and server.port tokens are replaced at runtime (ie. on the client when the swf has been downloaded and is running) not compile time (ie. while mxmlc / ant / web-tier compiler is running). You do not need to compile on the server to take advantage of this.
    Hi Paul,
    In Flex, there is a feature that lets the developer put all the services-config.xml configuration information into the swf file, with
    -services=path/to/services-config.xml
    IF
    services-config.xml
    has tokens in it and the user has not specified an additional
    -context-root
    and this swf file is not served from a web app server (like tomcat for example) then it will not work.
    Flash player has no possible way to replace token values of the services-config.xml file during runtime if that services-config.xml file has been baked into the swf file during compilation;
    for example during development you can launch your swf file from your browser with the file:// protocol and still be able to access BlazeDS services if
    -services=path/to/services-config.xml
    has been specified during compilation.
    I don't know any better way to explain this, but in summary there are two places where you can tell the swf about the service configuration:
    1) pass the -services=path/to/services-config.xml parameter to the compiler; this way you tell the swf file up front about all that good stuff,
    or 2) you put that file on the webserver (in this case, yes, you should have replacement tokens in that file) and they will be replaced at runtime.

  • I am trying to find out the proper graphic card for mac.

    I am trying to find out the proper graphics card for iMac. The graphics card which is mentioned on the website is not available in the open market. In the open market the NVIDIA GeForce GT 750M and NVIDIA GeForce GT 755M are available and these cards are not mentioned on the website. So please help to select a proper suitable GPU.

    Are they supportable for After Effects ray-traced 3d renderer.
    I am confused because adobe recommended on the following graphic card.
    Mac OS
    GeForce GTX 285
    GeForce GTX 675MX
    GeForce GTX 680
    GeForce GTX 680MX
    GeForce GT 650M
    Quadro CX
    Quadro FX 4800
    Quadro 4000
    Quadro K5000

  • TS2634 I bought a composite AV cable with 30 pin connector at a proper apple store for my ipad 2 which no longer works now i have updated to ios7 - please advise how to make this work ?

    I bought a composite AV cable with 30 pin connector at a proper apple store for my ipad 2 which no longer works now i have updated to ios7 - please advise how to make this work ?

    I have the same problem.
    Two similar discussions:
    https://discussions.apple.com/message/23081658#23081658
    https://discussions.apple.com/message/23281391#23281391
    I have not yet seen any official response to the question: "Is the Apple AV Composite cable fully supported with 30pin connector devices upgraded with iOS7 - specifically ? - eg. iPad 2, iPhone 4, iPhone 4s"
    If it is not currently supported is that then due to a bug / oversight and in that case is it something that will be fixed in the near future?
    Please let us know what feedback you got from asking Apple support.
