Messaging Gateway


Route Action - how do I do it with MX records?

  • 1.  Route Action - how do I do it with MX records?

    Posted Oct 24, 2010 06:10 PM

    Hi everyone.

     

    I have a content policy rule to route certain messages to a Voltage encryption appliance, the action uses the IP address to route messages to.

     

    We now have two Voltage encryption appliances for redundancy.  How can I make the Route Action work with two IPs?

     

    Can I use the "use MX Lookup" option? How?

     

    For example, if I have two hosts voltage01.company.com and voltage02.company.com... How do I turn this into an MX-based solution?

     

    Or do I need to create a DNS zone voltage.company.com and then create MX records for it that would be voltage01.voltage.company.com and voltage02.voltage.company.com? And then make the Route Action use "voltage.company.com" with the MX Lookup option?



  • 2.  RE: Route Action - how do I do it with MX records?

    Broadcom Employee
    Posted Oct 24, 2010 08:40 PM
    The first option would be to get a hardware load balancer. The second is to do what you described by making a DNS MX record. You would want to give them identical weights to avoid overloading one device.


  • 3.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 04:53 AM

    Hello,

    You can use the "check mx record" option when you're routing the mail, and for the DNS records you can give the same priority for DNS round robin. But as JDavis said, the best option is to use a load balancer in front of your encryption appliances.

     

    Regards,

    Oykun 



  • 4.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 08:53 AM

    Thanks. We actually started heading in the Load Balancer direction (Cisco LB). But encountered a wrinkle:

    - currently our network team was only able to provide a Source NAT-based solution for Load Balancing. This means that the Voltage appliances will see the IP address of the Load Balancer rather than the individual Brightmail scanners' IP addresses. This means that we have to allow the Load Balancer IP address to relay mail via the Voltage appliances. And this in turn means that Anyone will be able to hit the Voltage VIP and relay mail... We like to have more control over who can relay.

     

    P.S. we have been using Round Robin DNS with A record resolving to two different Voltage appliances, but that is a very poor solution.



  • 5.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 10:39 AM

    What would happen if you created a local domain in SBG (e.g. SBGVoltage.company.com) and added the two Voltage hosts to that? In the policy, reference SBGVoltage.company.com. Would SBG look at the local domain table 1st before doing a DNS lookup? It would be an SBG-implemented round robin.

     

    But I agree a LB would be best.  Can the Cisco LB apply inbound connection policies?



  • 6.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 11:33 AM

    I was trying to think of something like this (local domain with two hosts), but the idea wasn't crystallizing in my head...

    Thank you for bringing this up because I just thought about it again and I think I will be able to concoct something like that.



  • 7.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 12:15 PM

    I've confirmed SBG looks at its domain table before doing resolution.



  • 8.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 12:50 PM

    Hello Andrey,

    As Cricket said, Cisco ACEs (load balancers) have some policy options to filter connections.

    So you just do a configuration to accept 25 connections only for Brightmail.

     

    Regards,

    Oykun 



  • 9.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 12:59 PM

    I have set up a domain CompanyVoltageEncrypt.com with two destination hosts (IP addresses of each Voltage appliance), each with cost = 1.

    ***I have tried setting up the domain as either local domain or remote domain.

    I then configured the rule/action to Route matching messages to CompanyVoltageEncrypt.com:25

    Tried to send a few test messages.

    They all got stuck in the Delivery queue with "421 4.4.0 [internal] no MXs for this domain could be reached at this time"

    I don't think SBG understands what I am trying to achieve  :)

    Or I am missing something.



  • 10.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 01:09 PM

    Will have to talk to our network team about applying connection policies.

    However we also need an HA solution for traffic coming back from Voltage to Brightmail scanners, and with the LB VIP Brightmail sees connections coming from the LB's IP address instead of physical source IPs.

    Now Brightmail accepts connections from many other hosts besides Voltage... so that is going to be somewhat an admin overhead to list Cisco connection policies for Brightmail  :)  :(



  • 11.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 01:42 PM

    Hello Andrey,

    For testing companyvoltageencrypt.com, log in to Brightmail via SSH,

    then try to ping the domain and try to resolve that domain.

    Check your DNS settings; you need to configure an internal DNS for it.

     

    Regards,

     

    Oykun



  • 12.  RE: Route Action - how do I do it with MX records?

    Posted Oct 25, 2010 01:52 PM

    Yeah... I was hoping we could fake it by defining a domain in the Control Center GUI



  • 13.  RE: Route Action - how do I do it with MX records?
    Best Answer

    Posted Nov 10, 2010 08:33 PM

    I asked our DNS guys to create two subzones, each one with its own MX records:

    VoltageEncrypt.Company.com

         Encrypt01.VoltageEncrypt.Company.com - MX 10

         Encrypt02.VoltageEncrypt.Company.com - MX 10

     

    VoltageDecrypt.Company.com

         Decrypt01.VoltageDecrypt.Company.com - MX 10

         Decrypt02.VoltageDecrypt.Company.com - MX 10

     

    Now I can update the rule action to Route mail to VoltageEncrypt.Company.com and use MX Lookup - and it is working!
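
An added illustration, not part of the original thread and not SBG's own code, of why the equal-preference MX records in the post above spread mail across both appliances and still deliver when one is down. It follows the RFC 5321 rule of trying the lowest preference first and randomizing among equal preferences; that SBG orders equal-preference hosts exactly this way is an assumption, and the zone text is constructed from the names in the post.

```python
import random
from collections import Counter

# Constructed zone data mirroring the records described in the post above
# (owner, class, type, preference, exchanger). Not copied from a real DNS server.
ZONE = """\
VoltageEncrypt.Company.com. IN MX 10 Encrypt01.VoltageEncrypt.Company.com.
VoltageEncrypt.Company.com. IN MX 10 Encrypt02.VoltageEncrypt.Company.com.
VoltageDecrypt.Company.com. IN MX 10 Decrypt01.VoltageDecrypt.Company.com.
VoltageDecrypt.Company.com. IN MX 10 Decrypt02.VoltageDecrypt.Company.com.
"""

def parse_mx(zone_text):
    """Return {domain: [(preference, exchanger), ...]} with names lower-cased."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1:3] != ["IN", "MX"]:
            continue  # ignore anything that is not a simple MX line
        owner, pref, host = fields[0], int(fields[3]), fields[4]
        records.setdefault(owner.rstrip(".").lower(), []).append(
            (pref, host.rstrip(".").lower()))
    return records

def delivery_order(mx_list, rng):
    """Lowest preference first; hosts sharing a preference are shuffled."""
    by_pref = {}
    for pref, host in mx_list:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        order.extend(hosts)
    return order

def pick_host(mx_list, reachable, rng):
    """First reachable exchanger in delivery order, or None (mail stays queued)."""
    for host in delivery_order(mx_list, rng):
        if host in reachable:
            return host
    return None

def simulate(domain, reachable, messages=1000, seed=1):
    """Count which exchanger receives each of `messages` deliveries."""
    rng = random.Random(seed)
    mx_list = parse_mx(ZONE)[domain.lower()]
    return Counter(pick_host(mx_list, reachable, rng) for _ in range(messages))
```

With both hosts reachable, `simulate("VoltageEncrypt.Company.com", {...})` splits deliveries roughly evenly; with an empty reachable set every pick is `None`, the situation behind the "no MXs for this domain could be reached" queue message quoted earlier in the thread.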