Messaging Gateway

Our client is currently migrating from SBG 7.7 to an  SBG 8.0 appliance. They wanted to make sure that the newer machine is working before letting it run alone in the DMZ. They wanted to test it in series and I want to know which configurations to change for this to happen. Thanks.

Hi,

could you please specify what do you mean by "test it in series"?

Thanks,

Federico

We're going to set it ups so that the new one will filter out incoming emails and then forward it to the old one. And for out going emails, if they wished to do so, will pass through the new one forwarding it to the old one or just use the old one for outgoing emails.

I agree that this is the best solution. Forward to your existing antispam gateway and just tag the mails.

If you tag the e-mail and forward it to the old box, that box won't have the correct IP information for message and the spam IP-based reputation filters will be incorrect. You'll need to add a policy on the 2nd box that takes action based on the header the 1st box added.

Also, if may find the 2nd box decided that it has too many connections from the new box and black lists it.

Hey Guys,

I would suggest putting the new box in front of the old box. On the old box, you'll be best off defining the IP('s) of the new box as an Internal Mail Host, this will avoid any issues with traffic shaping or black lists for the traffic to go from the new box to the old box.

Kevin 

I'm thinking of just setting up the new box in front of the old one and just activate the logging capability or maybe modify some of the policies to not append any additional text in the subject. Actually, their policies are similar so maybe if the email is treated in the first (new) machine, it will no longer be processed by the old one.

But one of the managers doesn't want the new box in front of the old one, he said something about them working side by side with the new box going to a different mail server. I'm still figuring out how emails will pass through. Maybe configuring the route as a switch or hub where the packets are broadcasted to everything but the 'from' address.

Hi, our client decides to just test it in the production environment.
We'll be using the IP settings of the production appliance meaning that at one point in time, both appliances would be having the same IP address.

I'm planning on doing this by changing the IP address of the new machine via the terminal. Using ifconfig command and agentconfig and just swap the cables as fast as possible. Any comment/feedback is greatly appreciated.

Hi,

One comment about changing the interface IP address: You should be able to change the IP address from the admin account by using the ifconfig command but it won't be a permanent change. The previous IP address will come back as soon as the host is rebooted (with a WARNING entry during the boot).

Federico
 

@fferaboli: Read your post a little too late. Learned it hard way. :D

Anyway, we got the configuration done. We did it by accessing the server via another PC with a cross cable.Then restarted the service via the terminal.
Didn't proceed as planned since I left my flashdrive containing the license file at home. Will do it again next week. Cheers.

So the configuration is for the IP of the the old box be used as the inbound of the new one and the outbound of the new one will send emails to the old one.

At the moment, there isn't much compliance policies setup and I've already copied all the policies from the old to the new. Maybe just add another temorary policy to ignore all the emails that the first one has already treated or just log it.

Hi mon_raralio


If I had to SBG boxes, I would configure it as follows (as one of the managers mentioned a side-by-side configuration):

A. If Inbound and Outbound mail filtering is required
1. New box (suppose has more resource - CPU, RAM, HDD)
 - Configured as  a Control Center (CC) and Scanner would be filtering inbound mail
 - As it is configured as CC, would also handle the Quarantine, Compliance Folders, configuration settings etc. - in other words what a CC is designed to do.

2. Old box
 - Configured as a Scanner only would scan the outbound mail-flow, connected to the CC component on the new box for manageability.

B. If only inbound mail filtering is required.
1. New box (suppose has more resource - CPU, RAM, HDD)
 - Configured as  a Control Center (CC) and Scanner would be filtering inbound mail.

2. Old box
 - Configured as a Scanner only would also scan inbound mail, connected to the CC component on the new box for manageability.

In this scenario, MX based load balancing* or redundancy** would be implemented.
*  - both MX records (each pointing to one Scanner IP address) with the same priority 10.
** - One priority 10, the other priority 20 MX record.

For testing just use telnet or an external mail account (like hotmail or gmail)
For spam and suspected spam testing use these documents:
 - suspected spam
 - spam

We're only doing this for testing purposes to make sure that the new server is working before we remove the old one. And I want to keep it as simple as possible, meaning, as little changes to the network configuration as possible. I just learned that their routing is coded in their firewall which includes the MAC address of the server as a requirement.

Anyway, we'd like to have both of them filter the same inbound and outbound traffic. And if it works remove the old one as easily as possible.