Data Loss Prevention

Hey all,

we are adding a load balancer to 4 email prevent servers and the F5 is not able to effectivily talk to the prevent servers over port 25. The status is still red on the F5. We try to telnet to one of the prevent servers on port 25 and it is not completing the 3-way handshake. The firewall is turned off on the prevent server. Is there something that I am missing? 

BTW, the reason we are doing this is we moved from exchange to the google apps environment and need to inspect the mail traffic. So far this is our only solution.

what are your RequestProcessor.serverSocketPort and RequestProcessor.mtaResubmitPort settings? 

both settings are set at 25. Let me know if you need more information.

Thanks,

- Mike

is your downstream mail host accepting connections from the Prevent server?  do a quick test via telnet from the Prevent server over port 25 to the downstream host.  you're not really giving a lot of information here as to what you might have already done to analyze this, so it's going to have to start with the basic checks.  did you recycle the Prevent server after making your config changes?

Sorry it took so long to reply back. Lots of vacations going on recently.

Ok so here is what I have tested and what is going on. Our old exchange environment is still up but not really running. I ran a telnet on 25 to the exchange prevent servers and it came up with the downstream MTA which was our voltage system.

When I run telnet on 25 to the new Prevent servers I have in place I get an error message; 421 4.4.1 Fatal: Forwarding agent unavailable. Closing Connection. Connection to host lost.

So what I tried to do next is change the next hop to our voltage system from the new prevent server since I know this works. I received the same exact error message when I ran telnet.

I have uninstalled and reinstalled the DLP on the prevent server and recycled it several times.

Here is more info on our setup. Our old system went from exchange > prevent > voltage > Postini.

Our new system which is now on google apps runs from google apps > F5 > prevent > Postini.

Any bit of help on this is greatly appreciated.

I think it's likely here that your Postini system is not allowing the Prevent server as an authorized mail host.  It probably (in your old config) allowed Voltage as an authorized mail host, hence the failure when you took Voltage out of the mail flow.  Check your Postini security settings and make sure it's set up to accept mail from the Prevent server.

~Keith

Thanks for the help Keith. My team is working on a few other things right now but I do have a question and maybe you can answer.

How hard would it be to host the Prevent Servers in AWS (amazon) and get them to work effectivily. Since we are using google apps now and the company has decided to start scanning all mail on all of our domains they are now worried about the throughput of email.

But in the meantime I am checking on getting postini to whitelist the prevent boxes.

Thanks,

-Mike

Shouldn't be hard from a technical perspective...Prevent servers are supported in hosted environments, though there are a few things that need to be considered. If that's a cost effective solution for you, then you shouldn't have an issue deploying in that manner.

Thanks Keith.

We are having issues setting up the mail system with google to monitor emails. Gotta love how the C's want cost savings but right now no real way to monitor emails from google apps. We are trying to get mail to flow from google to our postini and trying to see about outbound mail going from postini to the prevent servers for inspection. This is prooving to be a big task.

ok so an update on this.

We are now able to telnet to the the prevent servers but when we try to send emails through we get

421 4.4.2 service timed out.
451 4.4.2 Error: Connection lost to forwarding agent.
500 5.5.2 unrecognized command

This is what our google admins are saying. sorry about the bold. telent we can push messages through just fine. Are there settings within DLP that needs changed or should I look at?