Installation Planning
Review Information That Impacts Planning Decisions
- If you are configuring a virtual email gateway, please see the Cisco Content Security Virtual Appliance Installation Guide before continuing with this chapter.
- If you are configuring an M-Series Cisco Secure Email and Web Manager, please see Centralizing Services on a Cisco Secure Email and Web Manager (M-Series).
- We recommend reviewing Understanding the Email Pipeline before installing, as some features and functions may affect the placement of the email gateway within your infrastructure.
Plan to Place the Email Gateway at the Perimeter of Your Network
Your email gateway is designed to serve as your SMTP gateway, also known as a mail exchange (MX). For best results, some features require the email gateway to be the first machine with an IP address that is directly accessible to the Internet (that is, it is an external IP address) for sending and receiving email.
The per-recipient reputation filtering, anti-spam, anti-virus, and Virus Outbreak Filter features (see IronPort Anti-Spam Filtering, Sophos Anti-Virus Filtering, and Outbreak Filters) are designed to work with a direct flow of messages from the Internet and from your internal network. You can configure the email gateway for policy enforcement (Overview of Defining Which Hosts Are Allowed to Connect) for all email traffic to and from your enterprise.
Ensure that the email gateway is both accessible via the public Internet and is the “first hop” in your email infrastructure. If you allow another MTA to sit at your network’s perimeter and handle all external connections, then the email gateway will not be able to determine the sender’s IP address. The sender’s IP address is needed to identify and distinguish senders in the Mail Flow Monitor, to query the IP Reputation Service for the sender’s IP Reputation Score, and to improve the efficacy of the Anti-Spam and Outbreak Filters features.
Note: If you cannot configure the email gateway as the first machine receiving email from the Internet, you can still exercise some of the security services available on the email gateway. For more information, see Determining Sender IP Address In Deployments with Incoming Relays.
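The following added example (not part of this guide or of AsyncOS) illustrates the problem described above: when a perimeter relay sits in front of the gateway, the TCP peer the gateway sees is the relay, so the originating IP must be recovered from the Received headers instead, skipping only the hops added by relays you trust. The relay address, sender addresses and headers below are constructed sample values.

```python
import ipaddress
import re

# Constructed sample message headers, newest (closest to the gateway) first.
# The gateway's own header shows the perimeter relay 203.0.113.10 as its peer;
# the relay's header records the real external sender 198.51.100.77.
SAMPLE_HEADERS = [
    "Received: from relay.example.com (relay.example.com [203.0.113.10])"
    " by ironport.example.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000",
    "Received: from sender.example.net (sender.example.net [198.51.100.77])"
    " by relay.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000",
    "Received: from [10.0.0.5] by sender.example.net; Mon, 1 Jan 2024 10:00:00 +0000",
]

# Assumed list of trusted incoming relays (the MTAs you let sit at the perimeter).
INCOMING_RELAYS = [ipaddress.ip_network("203.0.113.10/32")]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ip(received_header):
    """Return the bracketed connecting-host IP from one Received: header, or None."""
    m = _BRACKETED_IP.search(received_header)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted_relay(ip):
    return any(ip in net for net in INCOMING_RELAYS)


def originating_ip(headers, peer_ip):
    """Return the first untrusted hop as a string.

    If the connecting peer is not a trusted relay, it is the sender and no
    header is consulted (headers past an untrusted hop are attacker-controlled).
    Otherwise walk the Received: headers top-down; header i+1 was added by the
    host named in header i, so it is only read while that host is trusted.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_relay(peer):
        return str(peer)
    for header in headers:
        ip = hop_ip(header)
        if ip is None:
            return None  # unparseable hop: stop rather than guess
        if not is_trusted_relay(ip):
            return str(ip)
    return None  # every hop was a trusted relay; no external sender found
```

Without the trusted-relay list, the gateway would score reputation for 203.0.113.10, the relay, which is exactly why the guide asks for the gateway to be the first hop.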
When you use the email gateway as your SMTP gateway:
- The Mail Flow Monitor feature (see Using Email Security Monitor) offers complete visibility into all email traffic for your enterprise from both internal and external senders.
- LDAP queries (see LDAP Queries) for routing, aliasing, and masquerading can consolidate your directory infrastructure and provide for simpler updates.
- Familiar tools like alias tables (see Creating Alias Tables), domain-based routing (The Domain Map Feature), and masquerading (Configuring Masquerading) make the transition from Open-Source MTAs easier.
Register the Email Security Appliance in DNS
Malicious email senders actively search public DNS records to hunt for new victims. In order to utilize the full capabilities of Anti-Spam, Outbreak Filters, McAfee Antivirus and Sophos Anti-Virus, ensure that the email gateway is registered in DNS.
To register the email gateway in DNS, create an A record that maps the email gateway's hostname to its IP address, and an MX record that maps your public domain to the email gateway's hostname. You must specify a priority for the MX record to advertise the email gateway as either a primary or backup MTA for your domain.
For example, the email gateway (ironport.example.com) is a backup MTA for the domain example.com when its MX record has a higher priority value (20) than the domain's other MX records. In other words, the higher the numeric value, the lower the priority of the MTA.
By registering the email gateway in DNS, you will attract spam attacks regardless of how you set the MX record priority. However, virus attacks rarely target backup MTAs. Given this, if you want to evaluate an anti-virus engine to its fullest potential, configure the email gateway to have an MX record priority of equal or higher value than the rest of your MTAs.
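As an added example (not from this guide), the following script checks a zone fragment for the two records described above: it reports whether the gateway is the primary or a backup MTA from its MX priority value, and flags any MX target without an A record. The zone text, host names and addresses are constructed sample values.

```python
# Constructed sample zone fragment: ironport.example.com is the backup MTA (20).
ZONE = """
example.com.          IN MX 10 mail.example.com.
example.com.          IN MX 20 ironport.example.com.
mail.example.com.     IN A  192.0.2.25
ironport.example.com. IN A  192.0.2.10
"""

# Constructed broken variant: the gateway is advertised by MX but has no A record.
ZONE_MISSING_A = """
example.com.          IN MX 10 ironport.example.com.
"""


def parse_zone(text):
    """Parse 'name IN TYPE rdata...' lines into (mx_records, a_records)."""
    mx, a = [], {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue  # skip blank, comment or unsupported lines
        name, _, rtype, *rdata = parts
        if rtype == "MX":
            mx.append((name, int(rdata[0]), rdata[1]))  # (owner, preference, host)
        elif rtype == "A":
            a[name] = rdata[0]
    return mx, a


def check_gateway(zone_text, domain, gateway):
    """Return the gateway's MX role for domain plus a list of registration problems."""
    mx, a = parse_zone(zone_text)
    prefs = [(pref, host) for owner, pref, host in mx if owner == domain]
    ours = [pref for pref, host in prefs if host == gateway]
    if not ours:
        role = "unregistered"
    else:
        # Lower numeric value means higher priority; the lowest value is primary.
        lowest = min(pref for pref, _ in prefs)
        role = "primary" if min(ours) == lowest else "backup"
    problems = [f"MX target {host} has no A record"
                for _, host in prefs if host not in a]
    if role == "unregistered":
        problems.append(f"{gateway} has no MX record for {domain}")
    return {"role": role, "problems": problems}
```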
Installation Scenarios
You can install your email gateway into your existing network infrastructure in several ways.
Most customers’ network configurations are represented in the following scenarios. If your network configuration varies significantly and you would like assistance planning an installation, please contact Cisco Customer Support (see Cisco Customer Support).
Configuration Overview
The following figure shows the typical placement of the email gateway in an enterprise network environment:
In some scenarios, the email gateway resides inside the network “DMZ,” in which case an additional firewall sits between the email gateway and the groupware server.
The following network scenarios are described:
- Behind the Firewall: two listeners configuration (Figure - Behind the Firewall Scenario / 2 Listeners Configuration)
Choose the configuration that best matches your infrastructure. Then proceed to the next section, Preparing for System Setup.
Incoming
- Incoming mail is accepted for the local domains you specify.
- All other domains are rejected.
- External systems connect directly to the email gateway to transmit email for the local domains, and the email gateway relays the mail to the appropriate groupware servers (for example, Exchange™, Groupwise™, Domino™) via SMTP routes. (See Routing Email for Local Domains.)
Outgoing
- Outgoing mail sent by internal users is routed by the groupware server to the email gateway.
- The email gateway accepts outbound email based on settings in the Host Access Table for the private listener. (For more information, see Working with Listeners.)
Ethernet Interfaces
Only one of the available Ethernet interfaces on the email gateway is required in these configurations. However, you can configure two Ethernet interfaces and segregate your internal network from your external Internet network connection.
For more information about assigning multiple IP addresses to the available interfaces, see Configuring Mail Gateways for all Hosted Domains Using Virtual Gateway™ Technology and Assigning Network and IP Addresses.
Hardware Ports
The number and type of ports on your hardware appliance depend on the model:
Ports | Type | C190 | C390 | C690 | C690F | C195 | C395 | C695 | C695F
---|---|---|---|---|---|---|---|---|---
Management | Ethernet | 0 | 1 | 1 | 1 | 0 | 1 | 1 | 1
Data | Ethernet | 2* | 5 | 5 | 3 | 2* | 5 | 5 | 3
Console | Serial | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45 | RJ-45
Remote Power Management (RPC) | Ethernet | Y | Y | Y | Y | Y | Y | Y | Y
* For appliances without a dedicated management port, use the Data1 port for management purposes.
For more information about ports, see the Hardware Installation Guide for your appliance model.
Advanced Configurations
In addition to the configurations shown in Figure - Behind the Firewall Scenario / 2 Listeners Configuration and Figure One Listener Configuration, you can also configure:
- Multiple email gateways using the Centralized Management feature. See Centralized Management Using Clusters.
- Redundancy at the network interface card level by “teaming” two of the Ethernet interfaces on email gateways using the NIC Pairing feature. See Advanced Network Configuration.
Firewall Settings (NAT, Ports)
SMTP and DNS services must have access to the Internet. Other services may also require open firewall ports. For details, see Firewall Information.