

Setup Cisco ESA C170 / IronPort

Posted on 2013-01-23
Medium Priority
Last Modified: 2013-01-28
Greetings experts,

Just wanted to check to see if anyone had an idea of how long it would take to set up a new Cisco ESA C170 / IronPort device to work with my existing Exchange 2013 environment for e-mail encryption.  This is to transfer health records and such, so it must be encrypted.  We use a hosted solution now, but it is many thousands of dollars a year to cover our entire organization.

Assume you would set up 10 accounts, Outlook plug-ins, a few policy rules and show me how to set up the rest of the accounts.  I would also assume a small 3 or 4 hour tutorial.  I am firewall technical, so I will be able to catch on quickly.

I have never set up an e-mail encryption device, and I'm not sure what is involved.  I will be outsourcing it, but was looking for an idea of what I'm getting into.  Cisco guys are $200+ an hour in the city, so I just want to gather any info I can.

Thanks for your help,
Question by:kaceyjames
LVL 33

Accepted Solution

Dave Howe earned 2000 total points
ID: 38813771
It takes less than an hour, given the right information (although no doubt a consultant will expect you to book out an entire day) - I would suggest that, if you are going to buy one of these, have at least a stab at it yourself, it is not difficult and the steps are clearly outlined in the manuals.
If you *do* go with a consultant, then having the information needed already will drastically shorten the time needed to configure the device.

ok, from the top.

1) give the thing an IP home.
That sounds obvious enough, yes? well, no. usually, you have two interfaces, an "outside" which is used to send and receive from the internet and an "inside" which is used to talk to and from your exchange server.
This can be done through the web GUI (the devices have a default IP, so you need to fiddle with your network and/or use a crossover cable for this method) or the console (you need a serial port on a PC for that).

2) configure CRES
CRES subscription is a recurring charge from cisco, but is required for the default ironport encryption. your cisco account manager can help you with the paperwork for this.

3) Configure routing
You need to configure the "recipient access table" to allow it to recognise the domains you accept mail for, and where your exchange server is for inbound routing. If you want to prevalidate email addresses (usually a good idea) that will require ldap access to your exchange server or AD server's ldap port.  This is a good idea, as it lets the smtp engine reject incoming mail for fake addresses at the point the sending server attempts to send, saving on overhead.

4) Configure inbound email to go via the Ironport's outside interface
Simple changeover for your firewall usually; it may require some fiddling with MX records if you are currently using an external provider.

5) configure outbound mail to go via the Ironport's inside interface
SMTP bridgehead smarthost setting in exchange.

6) configure encryption rules
Ironport doesn't encrypt stuff by default. you can configure it by adding a rule to the outbound rules table that says "if you see certain things, encrypt" - where certain things can include the email address of the sender (if you are limiting crypto to a smaller list than your entire email estate), recipient, words in the content, words in the subject, and so forth.
Here, we use the "sensitivity" option on the email, but also look for certain patterns in the subject line - any subjects with [Confidential] in the subject (for example) are encrypted.

Just so you have a chance to see what your manuals look like, I have attached the standard config one for ESA 7.5 below :)

Author Comment

ID: 38814533
Thank ya Dave..
I figured it would take less than a day to set this up.  My consultant quoted out 20 hours plus 4 hours for training at $230 an hr.

Maybe I'll buy the device and see where I get, if I can't figure it out, I can always have them come in.

LVL 33

Expert Comment

by:Dave Howe
ID: 38814568
That's your best bet. note that the official training course for the device, which makes you a cisco certified expert on it (ok, you have to pass the exam afterwards as well :), runs for two days of 8 hours apiece...

It really isn't that hard, and most stuff can be done via the gui. if you want to do the python scripting, then that gets harder, but only a handful of my customers have ever needed that.

LVL 33

Expert Comment

by:Dave Howe
ID: 38814575
Pity I don't live closer, I could beat that quote by a fair margin :P

Author Comment

ID: 38828551
I might give it a try.. do you have a blog or anything that I can check in with you?  I own an IT company in Manhattan, so I work with people remotely all the time.

Thanks again,
LVL 33

Expert Comment

by:Dave Howe
ID: 38828795
I am sorely neglecting my blog, although I post here fairly often :)
If you want to be able to touch base with me, probably my linkedin profile is going to be your easiest route - http://www.linkedin.com/pub/dave-howe/3/567/76b

Author Closing Comment

ID: 38829000
Thank you for help, it is most appreciated.
