Solved

Setup Cisco ESA C170 / IronPort

Posted on 2013-01-23
4,026 Views
Last Modified: 2013-01-28
Greetings experts,

Just wanted to check to see if anyone had an idea of how long it would take to set up a new Cisco ESA C170 / IronPort device to work with my existing Exchange 2013 environment for e-mail encryption. This is to transfer health records and such, so it must be encrypted. We use a hosted solution now, but it is many thousands of dollars a year to cover our entire organization.

Assume you would set up 10 accounts, Outlook plug-ins, a few policy rules and show me how to set up the rest of the accounts. I would also assume a small 3 or 4 hour tutorial. I am firewall technical, so I will be able to catch on quickly.

I have never set up an e-mail encryption device, and I'm not sure what is involved. I will be outsourcing it, but was looking for an idea of what I'm getting into. Cisco guys are $200+ an hour in the city, so I just want to gather any info I can.

Thanks for your help,
Kacey
Question by:kaceyjames
7 Comments
LVL 33

Accepted Solution

by: Dave Howe (earned 500 total points)
ID: 38813771
It takes less than an hour, given the right information (although no doubt a consultant will expect you to book out an entire day). I would suggest that, if you are going to buy one of these, have at least a stab at it yourself; it is not difficult and the steps are clearly outlined in the manuals.
If you *do* go with a consultant, then having the information needed already will drastically shorten the time needed to configure the device.

OK, from the top.

1) Give the thing an IP home.
That sounds obvious enough, yes? Well, no. Usually you have two interfaces, an "outside" which is used to send and receive from the internet and an "inside" which is used to talk to and from your Exchange server.
This can be done through the web GUI (the devices have a default IP, so you need to fiddle with your network and/or use a crossover cable for this method) or the console (you need a serial port on a PC for that).

2) Configure CRES
CRES subscription is a recurring charge from Cisco, but is required for the default IronPort encryption. Your Cisco account manager can help you with the paperwork for this.

3) Configure routing
You need to configure the "recipient access table" to allow it to recognise the domains you accept mail for, and where your Exchange server is for inbound routing. If you want to prevalidate email addresses (usually a good idea) that will require LDAP access to your Exchange server or AD server's LDAP port. This is a good idea, as it lets the SMTP engine reject incoming mail for fake addresses at the point the sending server attempts to send, saving on overhead.

4) Configure inbound email to go via the IronPort's outside interface
Usually a simple changeover on your firewall; it may require some fiddling with MX records if you are currently using an external provider.

5) Configure outbound mail to go via the IronPort's inside interface
SMTP bridgehead smarthost setting in Exchange.

6) Configure encryption rules
IronPort doesn't encrypt stuff by default. You can configure it by adding a rule to the outbound rules table that says "if you see certain things, encrypt", where certain things can include the email address of the sender (if you are limiting crypto to a smaller list than your entire email estate), recipient, words in the content, words in the subject, and so forth.
Here, we use the "sensitivity" option on the email, but also look for certain patterns in the subject line; any subjects with [Confidential] in the subject (for example) are encrypted.

Just so you have a chance to see what your manuals look like, I have attached the standard config one for ESA 7.5 below :)
ESA-7.5-Configuration-Guide.pdf
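The Exchange 2013 side of step 5 (and the matching inbound connector for step 4) is the part a Windows admin actually types, so here is an added example of it, written for this page rather than taken from the thread, Cisco's documentation or the ESA itself. Everything in it is an assumption to be replaced: the IronPort inside-interface address `10.0.0.20`, the server name `EX2013-01`, the connector names, and the message size limit. It runs in the Exchange Management Shell.

```powershell
# Added example, not from the original thread: Exchange 2013 end of the
# IronPort mail path. Replace the placeholder values before use.
$EsaInsideIp    = '10.0.0.20'   # assumed: IronPort "inside" interface
$ExchangeServer = 'EX2013-01'   # assumed: Exchange 2013 transport server

# --- Step 5: outbound mail leaves via the appliance, not direct MX lookup ---
# Square brackets make SmartHosts treat the value as an IP literal;
# DNSRoutingEnabled must be $false whenever SmartHosts is set.
New-SendConnector -Name 'Outbound via IronPort' `
    -Usage Internet `
    -AddressSpaces 'SMTP:*;1' `
    -SmartHosts "[$EsaInsideIp]" `
    -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism None `
    -SourceTransportServers $ExchangeServer `
    -MaxMessageSize 25MB

# --- Step 4: a receive connector scoped to the appliance's inside IP ---
# Exchange picks the connector with the most specific RemoteIPRanges match,
# so this one answers the ESA while the default front-end connector keeps
# serving everything else.
New-ReceiveConnector -Name 'Inbound from IronPort' `
    -Server $ExchangeServer `
    -TransportRole FrontendTransport `
    -Usage Internet `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $EsaInsideIp

# Confirm the send connector really points at the smart host.
Get-SendConnector 'Outbound via IronPort' |
    Format-List Name, SmartHosts, DNSRoutingEnabled, AddressSpaces, Enabled

# Reachability check: read the SMTP banner from the inside interface so a
# wrong IP or a missing firewall rule shows up before the cutover.
function Test-SmtpBanner {
    param([string]$HostName, [int]$Port = 25, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    try {
        $client.Connect($HostName, $Port)
        $reader = New-Object System.IO.StreamReader($client.GetStream())
        return $reader.ReadLine()   # expect a "220 ..." greeting
    }
    finally {
        $client.Close()
    }
}

Test-SmtpBanner -HostName $EsaInsideIp
```

Note that the server's built-in "Default Frontend" receive connector still accepts anonymous mail from any address; the scoped connector above only makes the appliance's traffic predictable. What actually forces all inbound mail through the IronPort is the firewall change in step 4, so restrict TCP 25 to the appliance there rather than relying on Exchange.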

Author Comment

by:kaceyjames
ID: 38814533
Thank ya Dave..
I figured it would take less than a day to set this up. My consultant quoted out 20 hours plus 4 hours for training at $230 an hr.

Maybe I'll buy the device and see where I get, if I can't figure it out, I can always have them come in.

Kacey
LVL 33

Expert Comment

by:Dave Howe
ID: 38814568
That's your best bet. Note that the official training course for the device, which makes you a Cisco certified expert on it (OK, you have to pass the exam afterwards as well :), runs for two days of 8 hours apiece...

It really isn't that hard, and most stuff can be done via the GUI. If you want to do the Python scripting, then that gets harder, but only a handful of my customers have ever needed that.
LVL 33

Expert Comment

by:Dave Howe
ID: 38814575
Pity I don't live closer, I could beat that quote by a fair margin :P

Author Comment

by:kaceyjames
ID: 38828551
I might give it a try.. do you have a blog or anything that I can check in with you? I own an IT company in Manhattan, so I work with people remotely all the time.

Thanks again,
Kacey
LVL 33

Expert Comment

by:Dave Howe
ID: 38828795
I am sorely neglecting my blog, although I post here fairly often :)
If you want to be able to touch base with me, my LinkedIn profile is probably going to be your easiest route: http://www.linkedin.com/pub/dave-howe/3/567/76b

Author Closing Comment

by:kaceyjames
ID: 38829000
Thank you for your help, it is most appreciated.