Setup Cisco ESA C170 / IronPort

Greetings experts,

Just wanted to check to see if anyone had an idea of how long it would be to setup a new Cisco ESA C170 / IronPort device to work with my existing Exchange 2013 environment for e-mail encryption.  This is to transfer health records and such, so it must be encrypted.  We use a hosted solution now, but it is many thousands of dollars a year to cover our entire organization.

Assume you would setup 10 accounts, outlook plug ins, a few policy rules and show me how to setup the rest of the accounts.  I would also assume a small 3 or 4 hour tutorial.  I am firewall technical, so I will be able to catch on quickly.

I have never setup an e-mail encryption device, and not sure what is involved.  I will be outsourcing it, but was looking for an idea on what I'm getting into.  Cisco guys are $200+ an hour in the city, so just want gather any info I can.

Thanks for your help,
Kacey FernSystem EngineerAsked:
Who is Participating?
Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
It takes less than an hour, given the right information (although no doubt a consultant will expect you to book out an entire day) - I would suggest that, if you are going to buy one of these, have at least a stab at it yourself, it is not difficult and the steps are clearly outlined in the manuals.
If you *do* go with a consultant, then having the information needed already will drastically shorten the time needed to configure the device.

ok, from the top.

1) give the thing an IP home.
That sounds obvious enough, yes? well, no. usually, you have two interfaces, an "outside" which is used to send and receive from the internet and an "inside" which is used to talk to and from your exchange server.
This can be done though the web gui (the devices have a default IP, so you need to fiddle with your network and/or use a crossover cable for this method) or the console (need a serial port on a pc for that)

2) configure CRES
CRES subscription is a recurring charge from cisco, but is required for the default ironport encryption. your cisco account manager can help you with the paperwork for this.

3) Configure routing
You need to configure the "recipient access table" to allow it to recognise the domains you accept mail for, and where your exchange server is for inbound routing. If you want to prevalidate email addresses (usually a good idea) that will require ldap access to your exchange server or AD server's ldap port.  This is a good idea, as it lets the smtp engine reject incoming mail for fake addresses at the point the sending server attempts to send, saving on overhead.

4) Configure inbound email to go via the Ironport's outside interface
Simple changeover for your firewall usually,  may require some fiddling with mx records if you are currently using an external provider.

5) configure outbound mail to go via the Ironport's inside interface
SMTP bridgehead smarthost setting in exchange.

6) configure encryption rules
Ironport doesn't encrypt stuff by default. you can configure it by adding a rule to the outbound rules table that says "if you see certain things, encrypt" - where certain things can include the email address of the sender (if you are limiting crypto to a smaller list than your entire email estate), recipient, words in the content, words in the subject, and so forth.
Here, we use the "sensitivity" option on the email, but also look for certain patterns in the subject line - any subjects with [Confidential] in the subject (for example) are encrypted.

Just so you have a chance to see what your manuals look like, I have attached the standard config one for ESA 7.5 below :)
Kacey FernSystem EngineerAuthor Commented:
Thank ya Dave..
I figured it would take less than a day to set this up.  My consultant quoted out 20 hours plus 4 hours for training at $230 an hr.  

Maybe I'll buy the device and see where I get, if I can't figure it out, I can always have them come in.

Dave HoweSoftware and Hardware EngineerCommented:
That's your best bet. note that the official training course for the device, which makes you a cisco certified expert on it (ok, you have to pass the exam afterwards as well :), runs for two days of 8 hours apiece...

It really isn't that hard, and most stuff can be done via the gui. if you want to do the python scripting, then that gets harder, but only a handful of my customers have ever needed that.
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Dave HoweSoftware and Hardware EngineerCommented:
Pity I don't live closer, I could beat that quote by a fair margin :P
Kacey FernSystem EngineerAuthor Commented:
I might give it a try.. do you have a blog or anything that I can check in with you?  I own an IT company in Manhatan, so I work with people remotely all the time.

Thanks again,
Dave HoweSoftware and Hardware EngineerCommented:
I am sorely neglecting my blog, although I post here fairly often :)
If you want to be able to touch base with me, probably my linkedin profile is going to be your easiest route -
Kacey FernSystem EngineerAuthor Commented:
Thank you for help, it is most appreciated.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.