Installation Planning
Review Information That Impacts Planning Decisions
- If you are configuring a virtual appliance, please see the Cisco Content Security Virtual Appliance Installation Guide before continuing with this chapter.
- If you are configuring an M-Series Cisco Content Security Management appliance, please see Centralizing Services on a Cisco Content (M-Series) Security Management Appliance.
- We recommend reviewing Understanding the Email Pipeline before installing, as some features and functions may affect the placement of the appliance within your infrastructure.
Plan to Place the Email Security Appliance at the Perimeter of Your Network
Your appliance is designed to serve as your SMTP gateway, also known as a mail exchange (MX). For best results, some features require the appliance to be the first machine with an IP address that is directly accessible to the Internet (that is, it is an external IP address) for sending and receiving email.
The per-recipient reputation filtering, anti-spam, anti-virus, and Virus Outbreak Filter features (see SenderBase Network Participation, IronPort Anti-Spam Filtering, Sophos Anti-Virus Filtering, and Outbreak Filters) are designed to work with a direct flow of messages from the Internet and from your internal network. You can configure the appliance for policy enforcement (Overview of Defining Which Hosts Are Allowed to Connect) for all email traffic to and from your enterprise.
Ensure that the appliance is both accessible via the public Internet and is the “first hop” in your email infrastructure. If you allow another MTA to sit at your network’s perimeter and handle all external connections, then the appliance will not be able to determine the sender’s IP address. The sender’s IP address is needed to identify and distinguish senders in the Mail Flow Monitor, to query the SenderBase Reputation Service for the sender’s SenderBase Reputation Score (SBRS), and to improve the efficacy of the Anti-Spam and Outbreak Filters features.
Note: If you cannot configure the appliance as the first machine receiving email from the Internet, you can still exercise some of the security services available on the appliance. For more information, see Determining Sender IP Address In Deployments with Incoming Relays.
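The following added example (not code from the original guide or from the appliance) illustrates why the "first hop" placement matters. It inspects constructed Received headers for the same message in two deployments: once delivered straight from the Internet to the appliance, and once through another perimeter MTA. The host names, the relay address 192.0.2.10, the sender address 198.51.100.77 and the TRUSTED_RELAYS list are assumptions made for the illustration; the walk past trusted relays is the general idea behind an incoming-relay configuration, not the appliance's own implementation.

```python
import ipaddress
import re

# Assumed trusted MTA that may sit between the Internet and the appliance.
# Leave this empty when the appliance itself is the perimeter MX.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed Received headers, most recent hop first as in a real message.
# Case 1: another MTA (mx0.example.com, 192.0.2.10) handles all external
# connections and hands the message to the appliance, so the only connection
# the appliance saw came from the relay, not from the sender.
RECEIVED_VIA_RELAY = [
    "from mx0.example.com (mx0.example.com [192.0.2.10]) by ironport.example.com with ESMTP id 1; Mon, 1 Jan 2024 10:00:02 +0000",
    "from bulk.example.net (unknown [198.51.100.77]) by mx0.example.com with ESMTP id 2; Mon, 1 Jan 2024 10:00:01 +0000",
]
# Case 2: the appliance is the first hop and sees the sender directly.
RECEIVED_FIRST_HOP = [
    "from bulk.example.net (unknown [198.51.100.77]) by ironport.example.com with ESMTP id 3; Mon, 1 Jan 2024 10:00:02 +0000",
]

# The connecting address that a receiving MTA records in square brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ip(received):
    """IP address of the 'from' host recorded in one Received header, or None."""
    m = BRACKETED_IP.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None


def connecting_ip(received_headers):
    """The address that actually opened the TCP connection to the appliance.

    That is the 'from' host of the top (most recent) Received line, which is
    all the appliance can observe on its own. Behind another MTA this is the
    relay, so reputation lookups would score the relay instead of the sender.
    """
    return hop_ip(received_headers[0])


def originating_ip(received_headers, trusted_relays=TRUSTED_RELAYS):
    """Walk the chain past trusted relays to the first untrusted address.

    Received lines below the top were written by other hosts and can be
    forged, so a line is only consulted when the hop above it was added by a
    host in trusted_relays. Returns None if every visible hop is trusted.
    """
    for header in received_headers:
        ip = hop_ip(header)
        if ip is None:
            continue
        if not any(ip in net for net in trusted_relays):
            return ip
    return None


if __name__ == "__main__":
    print("via relay : connecting", connecting_ip(RECEIVED_VIA_RELAY),
          "originating", originating_ip(RECEIVED_VIA_RELAY))
    print("first hop : connecting", connecting_ip(RECEIVED_FIRST_HOP),
          "originating", originating_ip(RECEIVED_FIRST_HOP))
```

In the first-hop deployment the connecting address and the originating address are the same host, and no trust in third-party headers is needed. Behind a relay the appliance only recovers the sender by trusting headers written by that relay, and if the chain ends at a trusted host it learns nothing.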
When you use the appliance as your SMTP gateway:
- The Mail Flow Monitor feature (see Using Email Security Monitor) offers complete visibility into all email traffic for your enterprise from both internal and external senders.
- LDAP queries (see LDAP Queries) for routing, aliasing, and masquerading can consolidate your directory infrastructure and provide for simpler updates.
- Familiar tools like alias tables (see Creating Alias Tables), domain-based routing (The Domain Map Feature), and masquerading (Configuring Masquerading) make the transition from Open-Source MTAs easier.
Register the Email Security Appliance in DNS
Malicious email senders actively search public DNS records to hunt for new victims. To use the full capabilities of Anti-Spam, Outbreak Filters, McAfee Antivirus and Sophos Anti-Virus, ensure that the appliance is registered in DNS.
To register the appliance in DNS, create an A record that maps the appliance's hostname to its IP address, and an MX record that maps your public domain to the appliance's hostname. You must specify a priority for the MX record to advertise the appliance as either a primary or backup MTA for your domain.
For example, if the appliance (ironport.example.com) is listed for the domain example.com with an MX preference value of 20 while another MTA is listed with a lower value, the appliance is a backup MTA for that domain. The higher the numeric preference value, the lower the priority of the MTA: sending MTAs try the lowest value first and fall back to higher values only when that host is unreachable.
By registering the appliance in DNS, you will attract spam attacks regardless of how you set the MX record priority. However, virus attacks rarely target backup MTAs. Given this, if you want to evaluate an anti-virus engine to its fullest potential, give the appliance an MX preference value equal to or lower than that of the rest of your MTAs, so that it has equal or higher priority and receives mail directly from the Internet.
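The added example below (not code from the original guide) checks how a host is ranked among a zone's MX records. It parses constructed output in the format of `host -t mx example.com`; the primary MX mail.example.com and its preference value 10 are assumptions, as is the second sample in which the appliance has been promoted to an equal value. It generalizes the page's single case: any number of MX records, equal values, and a host that is not registered at all.

```python
import re

# Constructed sample of "host -t mx" output for a zone in which mail.example.com
# (assumed) is the primary MX with preference 10 and the appliance,
# ironport.example.com, is a backup with preference 20. Not captured from a real zone.
SAMPLE_MX_OUTPUT = """\
example.com mail is handled by 10 mail.example.com.
example.com mail is handled by 20 ironport.example.com.
"""

# The same zone after the appliance has been given an equal preference value,
# so that senders treat it as a primary MX alongside mail.example.com.
PROMOTED_MX_OUTPUT = """\
example.com mail is handled by 10 mail.example.com.
example.com mail is handled by 10 ironport.example.com.
"""

# One line of host(1) MX output: "<zone> mail is handled by <pref> <host>."
MX_LINE = re.compile(r"^(?P<zone>\S+) mail is handled by (?P<pref>\d+) (?P<host>\S+)$")


def parse_mx(text):
    """Parse host(1) MX output into a list of (preference, hostname) tuples.

    Hostnames are lower-cased and the trailing dot removed so they compare
    reliably; lines that do not look like MX records are ignored.
    """
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            host = m.group("host").rstrip(".").lower()
            records.append((int(m.group("pref")), host))
    return records


def mx_role(records, hostname):
    """Classify hostname within the zone's MX set.

    Sending MTAs try the MX with the lowest preference value first, so:
      'primary' - the host shares the lowest value in the zone,
      'backup'  - the host is listed, but only with a higher value,
      'absent'  - the host is not an MX for the zone at all.
    """
    hostname = hostname.rstrip(".").lower()
    own = [pref for pref, host in records if host == hostname]
    if not own:
        return "absent"
    lowest = min(pref for pref, _ in records)
    return "primary" if min(own) == lowest else "backup"


if __name__ == "__main__":
    for label, output in (("as registered", SAMPLE_MX_OUTPUT), ("promoted", PROMOTED_MX_OUTPUT)):
        recs = parse_mx(output)
        print(label, recs, "->", mx_role(recs, "ironport.example.com"))
```

To run it against a live zone, feed the real output of `host -t mx <domain>` into `parse_mx` instead of the constructed strings; an 'absent' result means the appliance has no MX record and will not receive Internet mail for that domain at all.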
Installation Scenarios
You can install your appliance into your existing network infrastructure in several ways.
Most customers’ network configurations are represented in the following scenarios. If your network configuration varies significantly and you would like assistance planning an installation, please contact Cisco Customer Support (see Cisco Customer Support).
Configuration Overview
The following figure shows the typical placement of the appliance in an enterprise network environment:

In some scenarios, the appliance resides inside the network “DMZ,” in which case an additional firewall sits between the appliance and the groupware server.
The following network scenarios are described:
- Behind the Firewall: two listeners configuration (Figure - Behind the Firewall Scenario / 2 Listeners Configuration)
Choose the configuration that best matches your infrastructure. Then proceed to the next section, Preparing for System Setup.
Incoming
- Incoming mail is accepted for the local domains you specify.
- All other domains are rejected.
- External systems connect directly to the appliance to transmit email for the local domains, and the appliance relays the mail to the appropriate groupware servers (for example, Exchange™, Groupwise™, Domino™) via SMTP routes. (See Routing Email for Local Domains.)
Outgoing
- Outgoing mail sent by internal users is routed by the groupware server to the appliance.
- The appliance accepts outbound email based on settings in the Host Access Table for the private listener. (For more information, see Working with Listeners.)
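The following added example (not code from the original guide or from the appliance) models the incoming and outgoing decisions of the two-listener configuration just described: a public listener that accepts mail only for the local domains and routes it to the groupware server, and a private listener that relays only for hosts in its RELAYLIST. The local domains, the groupware host name, the 10.0.0.0/8 relay network, the blocklisted network and the test addresses (all documentation ranges) are assumptions; real listeners apply many more checks than shown here.

```python
import ipaddress

# Constructed configuration for the two-listener scenario; all values are
# illustrative assumptions, not from the page.
LOCAL_DOMAINS = {"example.com", "example.net"}   # public listener's Recipient Access Table
SMTP_ROUTES = {                                  # local domain -> groupware server
    "example.com": "exchange.corp.example.com",
    "example.net": "exchange.corp.example.com",
}
# Private listener's Host Access Table: only these networks may relay outbound.
RELAYLIST = [ipaddress.ip_network("10.0.0.0/8")]
# Public listener's Host Access Table: connections from these networks are
# refused before any recipient is evaluated (the per-host policy enforcement).
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def _domain(address):
    """Domain part of an RFC 5321 address, lower-cased, trailing dot removed."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def public_listener(sender_ip, rcpt):
    """Decision for one RCPT TO on the public (inbound) listener.

    Any Internet host may connect unless it is blocklisted, but mail is only
    accepted for the local domains and handed to the groupware server named in
    the SMTP route. Every other recipient domain is rejected, so the gateway
    cannot be used as an open relay.
    """
    ip = ipaddress.ip_address(sender_ip)
    if _in_any(ip, BLOCKLIST):
        return ("reject-connection", None)
    domain = _domain(rcpt)
    if domain in LOCAL_DOMAINS:
        return ("accept", SMTP_ROUTES[domain])
    return ("reject", None)


def private_listener(sender_ip, rcpt):
    """Decision for one RCPT TO on the private (outbound) listener.

    Only hosts in the RELAYLIST sender group (the groupware servers) may relay
    to any domain; the message is then delivered to that domain's MX. Any
    other connecting host is rejected.
    """
    ip = ipaddress.ip_address(sender_ip)
    if _in_any(ip, RELAYLIST):
        return ("relay", _domain(rcpt))
    return ("reject", None)


if __name__ == "__main__":
    cases = [
        (public_listener, "203.0.113.5", "alice@example.com"),   # Internet -> local user
        (public_listener, "203.0.113.5", "bob@other.example"),   # relay attempt from the Internet
        (public_listener, "198.51.100.9", "alice@example.com"),  # blocklisted sender
        (private_listener, "10.20.30.40", "bob@other.example"),  # groupware server sending out
        (private_listener, "203.0.113.5", "bob@other.example"),  # Internet host on the private listener
    ]
    for fn, ip, rcpt in cases:
        print(fn.__name__, ip, rcpt, "->", fn(ip, rcpt))
```

The two listeners enforce opposite rules on purpose: the public one is open to any source but closed on destination, the private one is closed on source but open on destination. Merging them into a single listener that is open on both is how an MTA becomes an open relay.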
Ethernet Interfaces
Only one of the available Ethernet interfaces on the appliance is required in these configurations. However, you can configure two Ethernet interfaces and segregate your internal network from your external Internet network connection.
For more information about assigning multiple IP addresses to the available interfaces, see Configuring Mail Gateways for all Hosted Domains Using Virtual Gateway™ Technology and Assigning Network and IP Addresses.
Hardware Ports
The number and type of ports on your hardware appliance depend on the model:
| Ports | Type | C190 | C390 | C690 | C690F | C195 | C395 | C695 | C695F |
|---|---|---|---|---|---|---|---|---|---|
| Management | Ethernet | 0 | 1 | 1 | 1 | 0 | 1 | 1 | 1 |
| Data | Ethernet | 2* | 5 | 5 | 3 | 2* | 5 | 5 | 3 |
| Console | Serial | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 |
| Remote Power Management (RPC) | Ethernet | Y | Y | Y | Y | Y | Y | Y | Y |
* For appliances without a dedicated management port, use the Data1 port for management purposes.
For more information about ports, see the Hardware Installation Guide for your appliance model.
Advanced Configurations
In addition to the configurations shown in Figure - Behind the Firewall Scenario / 2 Listeners Configuration and Figure One Listener Configuration, you can also configure:
- Multiple appliances using the Centralized Management feature. See Centralized Management Using Clusters
- Redundancy at the network interface card level by “teaming” two of the Ethernet interfaces on appliances using the NIC Pairing feature. See Advanced Network Configuration
Firewall Settings (NAT, Ports)
SMTP and DNS services must have access to the Internet. Other services may also require open firewall ports. For details, see Firewall Information.