
Wednesday, September 26, 2012

How to Cluster IronPort C-Series Appliances

This is a quick overview of how to cluster two of these devices together, which gives you an easy way to administer multiple IronPorts on the same network from one configuration.

1. Log in to the IronPort over SSH.  I prefer PuTTY.
2. Enter CLUSTERCONFIG
3. The CLI will ask if you want to enter cluster mode.  Select Y.
4. You will then see a list of cluster commands.
5. If no cluster exists yet, choose the option to create a cluster.
6. Follow the prompts.  Give it a name, select the ports, etc.  I always recommend setting the cluster to communicate on the internal management IP address, so that cluster traffic never crosses an interface that accepts mail from the Internet.
7. Once the cluster config is complete the IronPort will apply the changes, which only takes a minute or so.
8. To add other machines, repeat this exact process but select the option to join an existing cluster instead.
9. During the join, enter the IP address of the first IronPort you put into the cluster.  Follow the prompts and complete the join.

I have found this process very helpful if an IronPort fails, because I don't have to take the time to configure the replacement from scratch.

This setup shares the configs, so all you do is bring the replacement IronPort online, give it a static IP address and the same hostname as the unit you are replacing, log in to it via the CLI and join it to the cluster.  The replacement must be running the same AsyncOS version as the rest of the cluster before it can join.

Once you have done that it will copy the configuration from your cluster and will be ready to run.

Good luck on your cluster setups.

Friday, July 27, 2012

Configure Two Ironport C-Series Devices Where the Backup Hosts the Quarantine

These steps come straight from Cisco and it works like a charm.  This allows the primary device to focus on email filtering and the second device to take care of the quarantine work.  I have another post on how to sync the SLBL on these two devices since users will be getting their information from the backup IronPort.


Question: How to configure two C-Series devices where the backup hosts the Quarantine

Answer: All-in-one-plus-one IronPort Spam Quarantine Configuration

Note: This approach will not work if using Centralized Management.

Many sites will run two IronPort appliances, one that is designated as the "Primary MX" server and processes the majority of mail, and a second appliance as a hot spare that is designated as the "Secondary MX."  If the Primary MX should become unavailable for any reason, normal SMTP MX fallback will redirect traffic to the Secondary MX until the primary is available again.  For sites that wish to deploy the IronPort Spam Quarantine feature for their end-users but do not have enough traffic to justify a dedicated M-Series appliance, we offer the below configuration hints to allow you to configure the Secondary MX system to act as a centralized quarantine for both appliances, and to tell the Primary MX that messages detected as spam should be sent to that central quarantine on the Secondary MX system.

Please note that this configuration should only be used by sites that are not at or near the peak performance throughput on their Primary MX server, or doing equal-weighted load balancing between two appliances, as the additional load of processing end-user quarantined messages could result in reduced throughput in the event of a Primary-to-Secondary fail-over.  For high-volume sites whose multiple appliances are running at or near peak throughput, we recommend deployment of the M-Series appliance to offload quarantine duties from your C-Series appliances.

The second IronPort MGA, the one that will contain the IronPort Spam Quarantine, must be able to identify messages coming from the Primary MTA and force those messages into the Quarantine.  This is accomplished with an X-Header that the Primary adds once a message is identified as spam.
To avoid having two IronPort C-Series MGAs scan the same message, be sure to perform the following steps.

Procedure overview:

1. On the Primary
   1. Ensure messages received by the Primary MX MGA are scanned for Anti-Spam
   2. When Spam Positive and/or Suspect Positive, send to the IronPort Spam Quarantine and add the X-Header X-Ironport-Quarantine

2. On the Secondary
   1. Add a Mail Flow Policy which bypasses Anti-Spam scanning
   2. Add a new Sender Group called "Quarantine_From_Primary", set the order # to 1
   3. Configure this Sender Group to accept messages from the Primary appliance
   4. Configure this Sender Group to use the Mail Flow Policy created previously
   5. Configure the local quarantine on the "secondary" MGA
   6. Edit Log Global Settings to monitor the X-header X-Ironport-Quarantine

3. Test

If this is not set up correctly, a message will actually be scanned by both MGAs before ending up in the quarantine.  The logs below show the correct flow: the Primary's CASE verdict, the X-Ironport-Quarantine tag, delivery to the off-box quarantine, and the Secondary accepting the connection through the quarantine Sender Group and quarantining the message locally without running anti-spam a second time.
(The following example uses a Sender Group on the secondary MX MGA called "QUARANTINE_FromMail2")

Primary Server
Thu Apr 27 15:05:45 2006 Info: New SMTP ICID 1348 interface Mail (192.168.1.2) address 1.1.1.1 reverse dns host pproxy.gmail.com verified yes
Thu Apr 27 15:05:45 2006 Info: ICID 1348 ACCEPT SG SUSPECTLIST match sbrs[-2.0:-0.5] SBRS -1.4
Thu Apr 27 15:05:45 2006 Info: Start MID 1661 ICID 1348
Thu Apr 27 15:05:45 2006 Info: MID 1661 ICID 1348 From:
Thu Apr 27 15:05:45 2006 Info: MID 1661 ICID 1348 RID 0 To:
Thu Apr 27 15:05:45 2006 Info: MID 1661 Message-ID '<16ac64320604271305o755483cdx28677153c5e4032@mail.spammer.com>'
Thu Apr 27 15:05:45 2006 Info: MID 1661 Subject 'Fwd: Impotenc-e hellp no doc visilt'
Thu Apr 27 15:05:45 2006 Info: MID 1661 ready 13559 bytes from
Thu Apr 27 15:05:45 2006 Info: MID 1661 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Apr 27 15:05:51 2006 Info: MID 1661 using engine: CASE spam positive
Thu Apr 27 15:05:51 2006 Info: EUQ: Tagging MID 1661 for quarantine
Thu Apr 27 15:05:51 2006 Info: MID 1661 antivirus negative
Thu Apr 27 15:05:51 2006 Info: EUQ: Tagging MID 1661 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:51 2006 Info: MID 1661 queued for delivery
Thu Apr 27 15:05:51 2006 Info: Delivery start DCID 4789 MID 1661 to RID [0] to offbox IronPort Spam Quarantine
Thu Apr 27 15:05:51 2006 Info: Message done DCID 4789 MID 1661 to RID [0]
Thu Apr 27 15:05:51 2006 Info: MID 1661 RID [0] Response 'ok:  Message 22017 accepted'
Thu Apr 27 15:05:51 2006 Info: Message finished MID 1661 done

Secondary Server
Thu Apr 27 15:05:50 2006 Info: New SMTP ICID 121070 interface Mail (192.168.1.2) address 192.168.1.2 reverse dns host unknown verified no
Thu Apr 27 15:05:50 2006 Info: ICID 121070 ACCEPT SG QUARANTINE_FromMail2 match 192.168.1.2 SBRS rfc1918
Thu Apr 27 15:05:50 2006 Info: Start MID 22017 ICID 121070
Thu Apr 27 15:05:50 2006 Info: MID 22017 ICID 121070 From:
Thu Apr 27 15:05:50 2006 Info: MID 22017 ICID 121070 RID 0 To:
Thu Apr 27 15:05:55 2006 Info: ICID 121070 close
Thu Apr 27 15:05:50 2006 Info: MID 22017 Message-ID '<16ac64320604271305o755483cdx28677153c5e4032@mail.spammer.com>'
Thu Apr 27 15:05:50 2006 Info: MID 22017 Subject '[SPAM] Fwd: Impotenc-e hellp no doc visilt'
Thu Apr 27 15:05:50 2006 Info: MID 22017 ready 13907 bytes from
Thu Apr 27 15:05:50 2006 Info: MID 22017 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Apr 27 15:05:50 2006 Info: EUQ: Tagging MID 22017 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:50 2006 Info: MID 22017 queued for delivery
Thu Apr 27 15:05:54 2006 Info: RPC Delivery start RCID 10882 MID 22017 to local IronPort Spam Quarantine
Thu Apr 27 15:05:54 2006 Info: EUQ: Quarantined MID 22017
Thu Apr 27 15:05:54 2006 Info: RPC Message done RCID 10882 MID 22017
Thu Apr 27 15:05:54 2006 Info: Message finished MID 22017 done

Detailed Steps for Primary Server

1. Ensure messages received by the Primary MX MGA are scanned for Anti-Spam
   1. Ensure that Anti-Spam scanning is enabled
   2. Configure the appropriate Anti-Spam policies on the Incoming Mail Policies page to send Positive and/or Suspect spam to the IronPort Spam Quarantine (now hosted on the Secondary MX appliance)
      (Mail Policies -> Email Security Manager -> Incoming Mail Policies)

2. In the default Incoming Mail Policy, under the Anti-Spam settings, edit the Positively-Identified Spam Settings actions to also add a custom X-header:
   1. Header Name: X-Ironport-Quarantine
   2. Header Text: offbox (any text value will work)

3. If desired, repeat the above for Suspected Spam Settings

4. Set up an External Quarantine
   1. Designate the Secondary MX appliance as an External Quarantine host by navigating to Monitor -> Quarantines -> External Quarantines
   2. Click the "Add Quarantine..." button
   3. Enter a descriptive name so you know you are routing to your Secondary MX appliance
   4. Enter the IP address of the Secondary MX appliance
   5. Change the default port from 6025 to 25.  Port 6025 is the listener a dedicated M-Series quarantine uses; here the Secondary C-Series receives the quarantined messages on its normal SMTP listener, which is why it needs the Sender Group and Mail Flow Policy from the Secondary steps to recognise the Primary and skip re-scanning.
   6. Submit
   7. Commit changes





Detailed Steps for Secondary Server

1. On the IronPort that will host the Quarantine (Secondary), add a Mail Flow Policy
   1. Select Mail Flow Policies, beneath the HAT Overview
   2. Click the Add Policy button
   3. Name the policy, example: SpamQuarantine
   4. Connection Behavior set to Accept
   5. In the Security Features, turn off Virus Protection and Spam Protection
   6. Turn off Sender Verification
   7. Select Submit

2. Add a new Sender Group called "Quarantine_From_Primary", set the order # to 1
   1. Open the HAT Overview
   2. Click Add Sender Group
   3. Name: Quarantine_From_Primary
   4. Set Order to 1
   5. Add comments
   6. Select the new policy created, example SpamQuarantine
   7. Leave other fields unchecked
   8. Click Submit and Add Senders, at the bottom right
   9. Enter the IP of the Primary IronPort
   10. Add comments
   11. Click Submit

   Because the SpamQuarantine policy skips anti-spam and anti-virus scanning, anything that matches this Sender Group is accepted unscanned.  Add only the Primary's exact IP address (not a subnet), and keep the Sender Group at order 1 so the Primary's connections cannot fall through to a lower group such as SUSPECTLIST, whose policy would scan the message a second time.

3. Configure the Local Quarantine
   1. Enable Local Quarantines under Monitor -> Quarantines -> Local Quarantines

4. Edit Log Settings
   1. System Administration -> Log Subscriptions -> "Global Settings" box
   2. Click "Edit Settings..."
   3. In the "Headers (Optional)" text box add: X-Ironport-Quarantine

5. Test
   1. Send messages that are spam (use the X-header X-Advertisement: spam)
   2. Send messages that do not contain spam
   3. Review the logs
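The "Review the logs" step is easy to get wrong by eye, so here is an added Python checker (not from the Cisco article or this blog) that applies the checks described above to mail_logs lines in the format shown in the excerpt. On the Primary it confirms a MID got a spam verdict, was tagged with X-Ironport-Quarantine and was handed to the off-box quarantine, and it picks up the MID the Secondary assigned from the 'ok: Message N accepted' response. On the Secondary it flags the two signs of a bad setup: the connection was accepted by a Sender Group other than the quarantine one, and the anti-spam engine (CASE) ran again. The sample log lines are constructed from the post's excerpt; the "bad" Secondary log is constructed to show the double-scan failure and is not from the post.

```python
import re

HEADER = "X-Ironport-Quarantine"

# Sample mail_logs lines, constructed from the excerpt in the post
# (the From:/To: addresses elided there are left out here too).
PRIMARY_LOG = """\
Thu Apr 27 15:05:45 2006 Info: New SMTP ICID 1348 interface Mail (192.168.1.2) address 1.1.1.1 reverse dns host pproxy.gmail.com verified yes
Thu Apr 27 15:05:45 2006 Info: ICID 1348 ACCEPT SG SUSPECTLIST match sbrs[-2.0:-0.5] SBRS -1.4
Thu Apr 27 15:05:45 2006 Info: Start MID 1661 ICID 1348
Thu Apr 27 15:05:51 2006 Info: MID 1661 using engine: CASE spam positive
Thu Apr 27 15:05:51 2006 Info: EUQ: Tagging MID 1661 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:51 2006 Info: Delivery start DCID 4789 MID 1661 to RID [0] to offbox IronPort Spam Quarantine
Thu Apr 27 15:05:51 2006 Info: MID 1661 RID [0] Response 'ok:  Message 22017 accepted'
"""

SECONDARY_LOG_GOOD = """\
Thu Apr 27 15:05:50 2006 Info: New SMTP ICID 121070 interface Mail (192.168.1.2) address 192.168.1.2 reverse dns host unknown verified no
Thu Apr 27 15:05:50 2006 Info: ICID 121070 ACCEPT SG QUARANTINE_FromMail2 match 192.168.1.2 SBRS rfc1918
Thu Apr 27 15:05:50 2006 Info: Start MID 22017 ICID 121070
Thu Apr 27 15:05:50 2006 Info: EUQ: Tagging MID 22017 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:54 2006 Info: RPC Delivery start RCID 10882 MID 22017 to local IronPort Spam Quarantine
Thu Apr 27 15:05:54 2006 Info: EUQ: Quarantined MID 22017
"""

# Constructed failure case (not from the post): the Primary's IP fell through to
# SUSPECTLIST instead of the quarantine Sender Group, so CASE ran a second time.
SECONDARY_LOG_BAD = """\
Thu Apr 27 15:05:50 2006 Info: New SMTP ICID 121071 interface Mail (192.168.1.2) address 192.168.1.2 reverse dns host unknown verified no
Thu Apr 27 15:05:50 2006 Info: ICID 121071 ACCEPT SG SUSPECTLIST match sbrs[-2.0:-0.5] SBRS rfc1918
Thu Apr 27 15:05:50 2006 Info: Start MID 22018 ICID 121071
Thu Apr 27 15:05:56 2006 Info: MID 22018 using engine: CASE spam positive
Thu Apr 27 15:05:56 2006 Info: EUQ: Tagging MID 22018 for quarantine (X-Ironport-Quarantine)
Thu Apr 27 15:05:58 2006 Info: EUQ: Quarantined MID 22018
"""

LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \w+: (?P<msg>.*)$")
ICID_ACCEPT_RE = re.compile(r"ICID (\d+) ACCEPT SG (\S+)")
START_MID_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
MID_RE = re.compile(r"\bMID (\d+)")
OFFBOX_RESP_RE = re.compile(r"MID (\d+) RID \[\d+\] Response 'ok:\s+Message (\d+) accepted'")


def parse(log):
    """Group message lines by MID and record which Sender Group accepted each MID's ICID."""
    events, icid_sg, mid_sg = {}, {}, {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if a := ICID_ACCEPT_RE.search(msg):
            icid_sg[a.group(1)] = a.group(2)          # ICID -> Sender Group
        if s := START_MID_RE.search(msg):
            mid_sg[s.group(1)] = icid_sg.get(s.group(2))  # MID -> Sender Group via its ICID
        if mm := MID_RE.search(msg):
            events.setdefault(mm.group(1), []).append(msg)
    return events, mid_sg


def primary_handoffs(log):
    """Primary MIDs that were spam-tagged and delivered off-box, mapped to the
    MID the Secondary assigned on acceptance (taken from the SMTP response)."""
    events, _ = parse(log)
    handoffs = {}
    for mid, msgs in events.items():
        tagged = any("EUQ: Tagging" in m and HEADER in m for m in msgs)
        offbox = any("to offbox IronPort Spam Quarantine" in m for m in msgs)
        for m in msgs:
            r = OFFBOX_RESP_RE.search(m)
            if tagged and offbox and r:
                handoffs[mid] = r.group(2)
    return handoffs


def secondary_findings(log, quarantine_sg):
    """For each MID on the Secondary, list what deviates from the expected flow
    (empty list == handled correctly)."""
    events, mid_sg = parse(log)
    findings = {}
    for mid, msgs in events.items():
        problems = []
        if mid_sg.get(mid) != quarantine_sg:
            problems.append(f"accepted by sender group {mid_sg.get(mid)}, not {quarantine_sg}")
        if any("using engine: CASE" in m for m in msgs):
            problems.append("anti-spam engine ran again (double scan)")
        if not any("EUQ: Tagging" in m and HEADER in m for m in msgs):
            problems.append(f"{HEADER} tag not seen")
        if not any("EUQ: Quarantined" in m for m in msgs):
            problems.append("never reached local quarantine")
        findings[mid] = problems
    return findings


if __name__ == "__main__":
    print("primary hand-offs:", primary_handoffs(PRIMARY_LOG))
    for name, log in (("good", SECONDARY_LOG_GOOD), ("bad", SECONDARY_LOG_BAD)):
        print(name, secondary_findings(log, "QUARANTINE_FromMail2"))
```

Run it against a real mail_logs export by replacing the sample strings and passing your own Sender Group name (Quarantine_From_Primary if you followed the steps above); any non-empty findings list on the Secondary means the HAT order or the Mail Flow Policy is not doing what the procedure intends.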

Sunday, June 10, 2012

Backup SLBL on IronPort C160 Devices


How do I back up and restore my safelist / blocklist?

Making a backup of the safelist / blocklist:
  1. Go to the Configuration File option under the System Administration tab on the GUI.
  2. Near the bottom of this screen you will find the section labeled: End-User Safelist/Blocklist Database (IronPort Spam Quarantine).
  3. Press the button labeled "Backup Now". This will save a copy as a .csv file in the configuration directory on your appliance.
Note: If this feature is not enabled, you can enable it by choosing Monitor > Quarantines.
Moving the backup to another box:
  1. Make certain that you have the FTP service enabled on one of your network interfaces. This would typically be the management interface. You can check this in the IP Interfaces section under the Network tab on the GUI. FTP sends the admin credentials and the file (which contains your users' safelist and blocklist entries) in cleartext, so enable it only on the management interface, reach it only from the management network, and turn it off again once the transfer is done.
  2. From your file server, FTP to the IronPort appliance on the above mentioned interface.
  3. Log in as an admin user.
  4. The backup file you made earlier will be in the configuration directory.
Restoring the backup:
  1. This is basically the reverse of the backup procedure.
  2. FTP the file from your file server back to the IronPort appliance, into the configuration directory.
  3. Go back into the Configuration File section under the System Administration tab.
  4. Press the "Select File to Restore" button.
  5. Select from the list of valid backup files.