Setup Cisco ESA C170 / IronPort

Posted on 2013-01-23
Last Modified: 2013-01-28
Greetings experts,

Just wanted to check to see if anyone had an idea of how long it would be to setup a new Cisco ESA C170 / IronPort device to work with my existing Exchange 2013 environment for e-mail encryption.  This is to transfer health records and such, so it must be encrypted.  We use a hosted solution now, but it is many thousands of dollars a year to cover our entire organization.

Assume you would set up 10 accounts, Outlook plug-ins, a few policy rules and show me how to set up the rest of the accounts.  I would also assume a small 3 or 4 hour tutorial.  I am firewall technical, so I will be able to catch on quickly.

I have never set up an e-mail encryption device, and I am not sure what is involved.  I will be outsourcing it, but was looking for an idea of what I'm getting into.  Cisco guys are $200+ an hour in the city, so I just want to gather any info I can.

Thanks for your help,
Question by:kaceyjames

Accepted Solution

Dave Howe earned 500 total points
ID: 38813771
It takes less than an hour, given the right information (although no doubt a consultant will expect you to book out an entire day). I would suggest that, if you are going to buy one of these, you have at least a stab at it yourself; it is not difficult and the steps are clearly outlined in the manuals.
If you *do* go with a consultant, then having the information needed already will drastically shorten the time needed to configure the device.

OK, from the top.

1) Give the thing an IP home.
That sounds obvious enough, yes? Well, no. Usually you have two interfaces: an "outside" which is used to send and receive from the internet, and an "inside" which is used to talk to and from your Exchange server.
This can be done through the web GUI (the devices have a default IP, so you need to fiddle with your network and/or use a crossover cable for this method) or the console (you need a serial port on a PC for that).

2) Configure CRES
A CRES subscription is a recurring charge from Cisco, but it is required for the default IronPort encryption. Your Cisco account manager can help you with the paperwork for this.

3) Configure routing
You need to configure the "recipient access table" to allow it to recognise the domains you accept mail for, and where your Exchange server is for inbound routing. If you want to prevalidate email addresses (usually a good idea), that will require LDAP access to your Exchange server's or AD server's LDAP port.  This is a good idea, as it lets the SMTP engine reject incoming mail for fake addresses at the point the sending server attempts to send, saving on overhead.

4) Configure inbound email to go via the IronPort's outside interface
Usually a simple changeover on your firewall; it may require some fiddling with MX records if you are currently using an external provider.

5) Configure outbound mail to go via the IronPort's inside interface
This is the SMTP bridgehead smarthost setting in Exchange.

6) Configure encryption rules
IronPort doesn't encrypt stuff by default. You can configure it by adding a rule to the outbound rules table that says "if you see certain things, encrypt", where certain things can include the email address of the sender (if you are limiting crypto to a smaller list than your entire email estate), recipient, words in the content, words in the subject, and so forth.
Here, we use the "sensitivity" option on the email, but also look for certain patterns in the subject line: any subjects with [Confidential] in the subject (for example) are encrypted.

Just so you have a chance to see what your manuals look like, I have attached the standard config one for ESA 7.5 below :)
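
The Exchange 2013 side of steps 3 to 5 above, as an added example that is not part of the original answer or any Cisco or Microsoft documentation. It is run from the Exchange Management Shell on the Exchange server (the ESA-side listener, RAT and LDAP profile are configured in the ESA GUI and are not shown). Everything named here is an assumption for illustration: server "EX01", the ESA inside interface 10.0.1.20, accepted domain "example.com", the LDAP bind account "svc-esa-ldap" and the external test mailbox.

```powershell
# Added example, not from the original post. Assumed values; replace with your own.
$EsaInside     = '10.0.1.20'             # assumed: ESA "inside" interface IP
$ExServer      = 'EX01'                  # assumed: Exchange 2013 server name
$Domain        = 'example.com'           # assumed: your accepted domain
$TestRecipient = 'you@external.example'  # assumed: a mailbox outside your org

# Step 3 (LDAP prevalidation): give the ESA its own read-only AD account.
# A plain domain user can already read the address attributes the ESA needs
# (mail, proxyAddresses), so no group membership or extra rights are granted.
# Requires the ActiveDirectory module (RSAT) on the machine running this.
Import-Module ActiveDirectory
New-ADUser -Name 'svc-esa-ldap' -SamAccountName 'svc-esa-ldap' `
    -UserPrincipalName "svc-esa-ldap@$Domain" `
    -AccountPassword (Read-Host -AsSecureString 'LDAP bind password') `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
# On the ESA, point the LDAP server profile at a DC using this DN and, where
# possible, LDAPS (636) rather than plain 389, since the bind password and
# recipient lookups otherwise cross the wire in clear text.

# Step 5: route all outbound Internet mail through the ESA as a smarthost.
# DNSRoutingEnabled $false forces the smarthost instead of an MX lookup.
# RequireTLS assumes the ESA inside listener presents a certificate Exchange
# trusts; drop it only while you are still testing the plumbing.
New-SendConnector -Name 'Outbound via ESA' `
    -Usage Internet `
    -AddressSpaces 'SMTP:*;1' `
    -SmartHosts $EsaInside `
    -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism None `
    -RequireTLS $true `
    -SourceTransportServers $ExServer

# Step 4: accept inbound mail on port 25 from the ESA only. A connector whose
# RemoteIPRanges is a single host is more specific than the default frontend
# connector's 0.0.0.0-255.255.255.255 range, so it is chosen for that peer.
# Other hosts still reach the default connector; block them at the firewall
# so nothing can bypass the ESA and deliver straight to Exchange.
New-ReceiveConnector -Name 'Inbound from ESA' `
    -Server $ExServer `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $EsaInside `
    -PermissionGroups AnonymousUsers

# Checks after cutover.
# 1. The public MX must now point at the ESA outside interface (or its name),
#    not at the old hosted provider. Resolve-DnsName needs Windows 8 /
#    Server 2012 or later.
Resolve-DnsName -Name $Domain -Type MX | Select-Object NameExchange, Preference

# 2. Send a test message that should match the ESA encryption rule (the answer
#    above keys on "[Confidential]" in the subject). Submitting on 587 with a
#    mailbox credential uses the authenticated client connector, which is
#    allowed to relay to external recipients; anonymous port 25 is not.
Send-MailMessage -From "it@$Domain" -To $TestRecipient `
    -Subject '[Confidential] ESA encryption test' `
    -Body 'Routing and encryption test' `
    -SmtpServer $ExServer -Port 587 -UseSsl -Credential (Get-Credential)

# 3. Confirm it left through the new send connector rather than the old route:
#    ConnectorId should read "EX01\Outbound via ESA".
Get-MessageTrackingLog -Server $ExServer -Sender "it@$Domain" -EventId SEND |
    Select-Object Timestamp, Recipients, ConnectorId, ServerHostname
# Anything stuck here with the ESA as NextHopDomain means TLS or the ESA
# inside listener is not accepting the connection yet.
Get-Queue -Server $ExServer | Select-Object Identity, DeliveryType, NextHopDomain, MessageCount
```

Run the connector commands once per environment; the checks can be repeated after every change. The external recipient should see a CRES envelope rather than the clear-text body; if the message arrives unencrypted, the ESA outbound rule, not Exchange, is what needs attention.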

Author Comment

ID: 38814533
Thank ya Dave..
I figured it would take less than a day to set this up.  My consultant quoted out 20 hours plus 4 hours for training at $230 an hr.  

Maybe I'll buy the device and see where I get, if I can't figure it out, I can always have them come in.


Expert Comment

by:Dave Howe
ID: 38814568
That's your best bet. note that the official training course for the device, which makes you a cisco certified expert on it (ok, you have to pass the exam afterwards as well :), runs for two days of 8 hours apiece...

It really isn't that hard, and most stuff can be done via the GUI. If you want to do the Python scripting, then that gets harder, but only a handful of my customers have ever needed that.


Expert Comment

by:Dave Howe
ID: 38814575
Pity I don't live closer, I could beat that quote by a fair margin :P

Author Comment

ID: 38828551
I might give it a try.. do you have a blog or anything that I can check in with you?  I own an IT company in Manhattan, so I work with people remotely all the time.

Thanks again,

Expert Comment

by:Dave Howe
ID: 38828795
I am sorely neglecting my blog, although I post here fairly often :)
If you want to be able to touch base with me, probably my linkedin profile is going to be your easiest route -

Author Closing Comment

ID: 38829000
Thank you for help, it is most appreciated.
