Solved

Setup Cisco ESA C170 / IronPort

Posted on 2013-01-23
Last Modified: 2013-01-28
Greetings experts,

Just wanted to check to see if anyone had an idea of how long it would take to set up a new Cisco ESA C170 / IronPort device to work with my existing Exchange 2013 environment for e-mail encryption. This is to transfer health records and such, so it must be encrypted. We use a hosted solution now, but it is many thousands of dollars a year to cover our entire organization.

Assume you would set up 10 accounts, Outlook plug-ins, a few policy rules and show me how to set up the rest of the accounts. I would also assume a small 3 or 4 hour tutorial. I am firewall technical, so I will be able to catch on quickly.

I have never set up an e-mail encryption device, and am not sure what is involved. I will be outsourcing it, but was looking for an idea of what I'm getting into. Cisco guys are $200+ an hour in the city, so I just want to gather any info I can.

Thanks for your help,
Kacey
Question by:kaceyjames

Accepted Solution

by:
Dave Howe earned 500 total points
It takes less than an hour, given the right information (although no doubt a consultant will expect you to book out an entire day) - I would suggest that, if you are going to buy one of these, you have at least a stab at it yourself; it is not difficult and the steps are clearly outlined in the manuals.
If you *do* go with a consultant, then having the information needed already will drastically shorten the time needed to configure the device.

OK, from the top.

1) Give the thing an IP home.
That sounds obvious enough, yes? Well, no. Usually, you have two interfaces, an "outside" which is used to send and receive from the internet and an "inside" which is used to talk to and from your Exchange server.
This can be done through the web GUI (the devices have a default IP, so you need to fiddle with your network and/or use a crossover cable for this method) or the console (you need a serial port on a PC for that).

2) Configure CRES
CRES subscription is a recurring charge from Cisco, but is required for the default IronPort encryption. Your Cisco account manager can help you with the paperwork for this.

3) Configure routing
You need to configure the "recipient access table" to allow it to recognise the domains you accept mail for, and where your Exchange server is for inbound routing. If you want to prevalidate email addresses (usually a good idea), that will require LDAP access to your Exchange server or AD server's LDAP port. This is a good idea, as it lets the SMTP engine reject incoming mail for fake addresses at the point the sending server attempts to send, saving on overhead.

4) Configure inbound email to go via the IronPort's outside interface
Simple changeover for your firewall usually; may require some fiddling with MX records if you are currently using an external provider.

5) Configure outbound mail to go via the IronPort's inside interface
SMTP bridgehead smarthost setting in Exchange.

6) Configure encryption rules
IronPort doesn't encrypt stuff by default. You can configure it by adding a rule to the outbound rules table that says "if you see certain things, encrypt" - where certain things can include the email address of the sender (if you are limiting crypto to a smaller list than your entire email estate), recipient, words in the content, words in the subject, and so forth.
Here, we use the "sensitivity" option on the email, but also look for certain patterns in the subject line - any emails with [Confidential] in the subject (for example) are encrypted.

Just so you have a chance to see what your manuals look like, I have attached the standard config one for ESA 7.5 below :)
ESA-7.5-Configuration-Guide.pdf
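
The trigger logic described in step 6 (encrypt when the message's sensitivity is set or the subject carries [Confidential]) can be checked offline against sample messages before the rule goes on the appliance. This Python script is an added example, not part of the original answer and not ESA filter syntax; the `Company-Confidential` header value, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Assumption: a message marked "Confidential" in Outlook carries this header value.
ENCRYPT_SENSITIVITY = {"company-confidential"}
# Literal [Confidential] tag anywhere in the subject, any letter case.
SUBJECT_TAG = re.compile(r"\[\s*confidential\s*\]", re.IGNORECASE)


def decoded_subject(msg):
    """Subject with RFC 2047 encoded-words decoded and header folding removed."""
    raw = msg.get("Subject", "")
    try:
        text = str(make_header(decode_header(raw)))
    except (HeaderParseError, UnicodeDecodeError, LookupError):
        text = raw  # undecodable subject: fall back to the raw header text
    return " ".join(text.split())


def should_encrypt(raw_message):
    """Return (decision, reason) for one outbound RFC 5322 message."""
    msg = message_from_string(raw_message)
    sensitivity = (msg.get("Sensitivity") or "").strip().lower()
    if sensitivity in ENCRYPT_SENSITIVITY:
        return True, "sensitivity"
    if SUBJECT_TAG.search(decoded_subject(msg)):
        return True, "subject"
    return False, "none"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "flagged": "From: a@example.org\nTo: b@example.net\nSubject: Labs\n"
               "Sensitivity: Company-Confidential\n\nbody\n",
    "tagged_reply": "From: a@example.org\nTo: b@example.net\n"
                    "Subject: RE: [confidential] chart for review\n\nbody\n",
    # Base64 encoded-word for "[Confidential] results"
    "encoded": "From: a@example.org\nTo: b@example.net\n"
               "Subject: =?utf-8?B?W0NvbmZpZGVudGlhbF0gcmVzdWx0cw==?=\n\nbody\n",
    "plain": "From: a@example.org\nTo: b@example.net\n"
             "Subject: Confidential lunch plans\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, should_encrypt(raw))
```

The "encoded" and "plain" samples are the cases worth testing on the real rule as well: a subject tag hidden inside an encoded-word, and a subject that mentions the word without the brackets.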

Author Comment

by:kaceyjames
Thank ya Dave..
I figured it would take less than a day to set this up.  My consultant quoted out 20 hours plus 4 hours for training at $230 an hr.  

Maybe I'll buy the device and see where I get, if I can't figure it out, I can always have them come in.

Kacey

Expert Comment

by:Dave Howe
That's your best bet. Note that the official training course for the device, which makes you a Cisco certified expert on it (OK, you have to pass the exam afterwards as well :), runs for two days of 8 hours apiece...

It really isn't that hard, and most stuff can be done via the GUI. If you want to do the Python scripting, then that gets harder, but only a handful of my customers have ever needed that.

Expert Comment

by:Dave Howe
Pity I don't live closer, I could beat that quote by a fair margin :P

Author Comment

by:kaceyjames
I might give it a try.. do you have a blog or anything where I can check in with you? I own an IT company in Manhattan, so I work with people remotely all the time.

Thanks again,
Kacey

Expert Comment

by:Dave Howe
I am sorely neglecting my blog, although I post here fairly often :)
If you want to be able to touch base with me, probably my LinkedIn profile is going to be your easiest route - http://www.linkedin.com/pub/dave-howe/3/567/76b

Author Closing Comment

by:kaceyjames
Thank you for your help, it is most appreciated.