Garry Shape asked:
Recommendations for best practices / checklists on switching e-mail security appliance?

I'm looking into what all needs to be done to switch from an existing e-mail security appliance to a different one, in a mixed Exchange 2010/2007 environment.
The new appliance we'd be switching over to will have a new/different IP address from the existing e-mail security appliance.
At this point, I think all I need to do, besides configuring the actual e-mail security appliance itself, is:
Open the minimum ports needed for the new security appliance in the DMZ to communicate with the on-premises servers (complete)
Set up Receive Connectors on the Hub Transport servers to receive e-mail from the security appliance
Add an SPF record to allow the new IP address of the appliance
Change the MX record to point to the new appliance's external IP address
Update the Send Connector in Exchange to use the new appliance
Is there anything else I may be missing here?
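The Exchange side of the checklist above, as an added example that is not part of the original post or its answers. It is Exchange 2010 Management Shell (PowerShell) run on a Hub Transport server; the server name HUB01, the connector names, the addresses (192.0.2.10 for the appliance's DMZ side, 198.51.100.10 for its external side) and the domain ourdomain.com are placeholders, not values from the thread. Two caveats a cutover plan usually carries: SPF governs outbound mail, so the record must list the external address the appliance actually sends from, and the old appliance's address should stay in it until the old box has stopped sending; and the MX and TXT TTLs should be lowered a day or two before the change so the switch, and any rollback, propagates quickly.

```powershell
# Added example (not from the original thread). All names and addresses are assumptions.
$HubServer      = "HUB01"        # Hub Transport server that receives from the appliance
$NewApplianceIP = "192.0.2.10"   # new appliance, DMZ-side address
$Domain         = "ourdomain.com"

# 1. Receive connector on the Hub that accepts only from the new appliance.
#    Exchange hands a session to the connector whose RemoteIPRanges matches most
#    specifically, so this one wins over the default connector for the appliance only.
New-ReceiveConnector -Name "From-EmailAppliance" -Server $HubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $NewApplianceIP `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Outbound: route the Internet Send Connector through the new appliance as smart host.
Set-SendConnector -Identity "Internet" -SmartHosts $NewApplianceIP -DNSRoutingEnabled $false

# 3. Public DNS after the change (assumed record values), queried via a public resolver
#    so the internal zone does not mask a missing external change:
#      ourdomain.com.       MX  10 mail.ourdomain.com.
#      mail.ourdomain.com.  A   198.51.100.10                 (appliance external address)
#      ourdomain.com.       TXT "v=spf1 ip4:198.51.100.10 ip4:<old external IP> -all"
nslookup -type=MX  $Domain 8.8.8.8
nslookup -type=TXT $Domain 8.8.8.8

# 4. Speak SMTP to a host and return its banner and EHLO capabilities. Use it to confirm
#    the listener answers on 25 and that STARTTLS is offered on the DMZ hop, which is
#    the only thing keeping that leg of the traffic off the wire in clear text.
function Test-SmtpBanner {
    param([string]$Server, [int]$Port = 25, [string]$Helo = "cutover-test.$Domain", [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { throw "timeout connecting to ${Server}:$Port" }
        $client.EndConnect($ar)
        $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $banner = $reader.ReadLine()               # expect "220 ..."
        $writer.WriteLine("EHLO $Helo")
        $ehlo = @()
        do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^250-')
        $writer.WriteLine("QUIT")
        New-Object PSObject -Property @{
            Server   = $Server
            Banner   = $banner
            StartTls = [bool]($ehlo -match 'STARTTLS')
            Ehlo     = $ehlo
        }
    } finally { $client.Close() }
}

# Run this from the appliance's side of the firewall where possible; from the Hub it at
# least proves the appliance's listener and its TLS offer.
$result = Test-SmtpBanner -Server $NewApplianceIP
if (-not $result.StartTls) { Write-Warning "$($result.Server) does not offer STARTTLS" }
$result | Format-List Server, Banner, StartTls
```

The Receive Connector is deliberately scoped to the appliance's address rather than left on the default 0.0.0.0-255.255.255.255 range: if the DMZ firewall rule is ever widened by mistake, the Hub still refuses anything that is not the appliance.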
ASKER CERTIFIED SOLUTION
Jamie McKillop
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
Garry Shape (ASKER):
Ok, thanks for the great info.
I'm wondering then, since I actually have two new appliances and am cutting over to one, how I would create records to fail over to the secondary appliance in the event the main one goes down.

Is the only way to do that to create a load balancer with a priority?

So we have internal DNS set up like smtp.ourdomain.com. We'd have the DNS set up to point that to our main e-mail security appliance, but if it goes down, I guess we'd have to manually update the DNS to point to the failover/secondary appliance?
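What the Exchange and DNS pieces of a two-appliance failover look like, as an added example that is not part of the original thread or its answers. Placeholders: appliances 192.0.2.10 and 192.0.2.11 on the DMZ side (198.51.100.10 and .11 externally), the internal DNS server DNS01, the zone ourdomain.com, a Send Connector named Internet and a Receive Connector named From-EmailAppliance on HUB01. Outbound needs no load balancer: a Send Connector takes several smart hosts, alternates between them and skips one that does not answer. Inbound from the Internet fails over by MX preference, since a sending MTA must try the next MX when the preferred one is unreachable. The one piece with no built-in failover is a plain A record such as smtp.ourdomain.com that internal applications point at; that takes a load balancer VIP, a second host in each application's configuration, or a scripted DNS change, which is what the last function does.

```powershell
# Added example (not from the original thread); all names and addresses are assumptions.
$Appliances = "192.0.2.10", "192.0.2.11"   # primary, secondary (DMZ-side addresses)
$DnsServer  = "DNS01"
$Zone       = "ourdomain.com"

# Outbound: list both smart hosts. Exchange alternates between them and skips an
# unreachable one, so losing the primary does not leave mail queued on the Hub.
Set-SendConnector -Identity "Internet" -SmartHosts $Appliances -DNSRoutingEnabled $false

# Hub side of inbound: accept from either appliance, nothing else.
Set-ReceiveConnector -Identity "HUB01\From-EmailAppliance" -RemoteIPRanges $Appliances

# Internet side of inbound: two MX records; preference sets the order senders try.
#   ourdomain.com.   MX 10 mail1.ourdomain.com.   -> 198.51.100.10
#   ourdomain.com.   MX 20 mail2.ourdomain.com.   -> 198.51.100.11
# Both external addresses belong in the SPF record, since either appliance may send.

# Liveness probe consulted before any failover decision.
function Test-Port25 {
    param([string]$Ip)
    $c = New-Object System.Net.Sockets.TcpClient
    try { $c.Connect($Ip, 25); $true } catch { $false } finally { $c.Close() }
}

# Manual failover for the internal alias: rewrite smtp.ourdomain.com with a short TTL so
# clients pick the change up quickly. dnscmd ships with the Windows DNS Server role.
function Move-SmtpAlias {
    param([string]$FromIp, [string]$ToIp, [int]$Ttl = 60)
    if (-not (Test-Port25 $ToIp)) { throw "$ToIp is not answering on 25; refusing to switch" }
    dnscmd $DnsServer /RecordDelete $Zone smtp A $FromIp /f
    dnscmd $DnsServer /RecordAdd    $Zone smtp $Ttl A $ToIp
}

# Usage: primary down, move the alias to the secondary.
if (-not (Test-Port25 $Appliances[0])) {
    Move-SmtpAlias -FromIp $Appliances[0] -ToIp $Appliances[1]
}
```

Keep the TTL on smtp.ourdomain.com short all the time, not only after a failover; a long cached record is what turns a five-minute outage into an hour-long one for the applications.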
SOLUTION
Ok, yeah, that's what it was: applications using the appliance as a mail relay.
Some applications use the appliance as a mail relay, while other applications use the Hub Transport servers as a mail relay.
It's kind of hard to know what the best practice is on that one.
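Whichever way the relay question is settled, the Hub side needs the same two controls: a relay connector restricted to the application servers' addresses, and a check that no other connector lets anonymous senders relay to external recipients. The following is an added example, not from the original thread or its answers; HUB01, the connector name App-Relay and the application server addresses 10.0.10.21 and 10.0.10.22 are placeholders. Applications that relay through the appliance instead need the equivalent on the appliance, an allowed-relay list keyed by source address.

```powershell
# Added example (not from the original thread); server name, connector name and addresses are assumptions.
$HubServer  = "HUB01"
$AppServers = "10.0.10.21", "10.0.10.22"   # internal application servers allowed to relay

# Relay connector: the most specific RemoteIPRanges match wins, so only these hosts land on it.
New-ReceiveConnector -Name "App-Relay" -Server $HubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $AppServers `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Delivering to internal mailboxes needs nothing more. Relaying to external recipients is a
# separate right; grant it on this connector only.
Get-ReceiveConnector "$HubServer\App-Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: a connector that grants anonymous relay and accepts from every address is an open
# relay. Run after any connector change; the expected output is nothing.
function Find-OpenRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $anonRelay = $rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') }
        # Default connectors accept from the whole IPv4 space; the string form is assumed here.
        $wideOpen = $rc.RemoteIPRanges | Where-Object { "$_" -match '^0\.0\.0\.0-255\.255\.255\.255$' }
        if ($anonRelay -and $wideOpen) {
            New-Object PSObject -Property @{
                Connector      = $rc.Identity
                RemoteIPRanges = ($rc.RemoteIPRanges -join ", ")
            }
        }
    }
}
Find-OpenRelayConnectors
```

The audit matters more than the connector: the usual way an Exchange server becomes an open relay is someone adding the Accept-Any-Recipient right to the default connector to make one application work.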
SOLUTION
Awesome, thanks so much !
JJ,
I have a follow-up question. How do you do the throttling on the smarthost appliance? Is that referred to as throttling, or usually as a different feature? Is it by server name/IP?
That depends on the functionality of your appliance. On my appliance, there is a throttle policy that I can apply to a list of IPs/host names.

-JJ
Ok thank you

Well, our appliance is in the DMZ.
So does that make it more of a security risk if we need to open up port 25 in the firewall to the appliance for those application servers on the inside to connect to?
No, it should be more secure in the DMZ. You can then selectively decide which ports need to be opened and to which systems.

-JJ
Ok thanks again very much.

Also, any need to use a different port besides 25 for those applications, from a security standpoint?
No, I would stick to 25.

-JJ