Data Loss Prevention


DLP Network Prevent For Email Not Forwarding Emails

  • 1.  DLP Network Prevent For Email Not Forwarding Emails

    Posted Apr 12, 2017 04:34 AM

    Hi Guys,

    We have a DLP system that we have set up, and one of the components is Network Prevent for Email. The DLP version is 14.0.2.

    The setup is as below:

    Microsoft Exchange 2010 (192.168.10.40) ---------> Network Prevent for Email DLP (192.168.10.50) ----------> Cisco IronPort 1 (192.168.10.11) and Cisco IronPort 2 (192.168.10.12).

    We have set up the DLP email in forward mode. We have defined the next-hop downstream MTA to be the two Cisco Email IronPorts (192.168.10.11) and (192.168.10.12). When we try and send emails, no emails are being transmitted. Also, we get the errors below as seen in the DLP logs:

    [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=30 cid=16 local=192.168.10.50 remote=192.168.10.40:64328)
    [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=34 cid=14 mta=192.168.10.11 reason=null)
    [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=30 cid=16 mta=192.168.10.12 reason=Connection refused: no further information)
    [SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=34 cid=<> reason=No available forward hosts)
    [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=34 cid=14 local=192.168.10.50:25 remote=192.168.10.40:64238 messages=0 time=22.08s)

    Kindly assist if in a position to do so.



  • 2.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Trusted Advisor
    Posted Apr 12, 2017 05:39 AM

    Hello,

    You need to check:

    - The DLP Prevent configuration (servers and ports).

    - If you use an FQDN, be sure that the DLP Prevent servers are able to resolve it.

    - Whether a connection between the Prevent server and the IronPort is possible on the configured port.

    - Whether you have an ACL on the IronPort that sets the list of servers allowed to communicate with it.

    Regards



  • 3.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted Apr 12, 2017 08:57 AM

    On the IronPorts, for mail flow, did you add the IP address of the DLP server into the RELAYLIST sender group under "Mail Policies - HAT Overview"? Additionally, did you make sure that the listener is configured and listening on port 25? Check under "Network - Listeners".

    On the CLI, check if any connections come in using the topin command. If there are connections, check if they are queued up using the tophosts command. If they are queued up, use diagnostic - network - smtpping and test connectivity.



  • 4.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted Apr 12, 2017 10:04 AM

    Hello Guys,

    Thanks for the responses.

    For the IronPort, I will request access and troubleshoot.

    • For the Email DLP we have configured the receiving and sending ports to be port 25 (changed RequestProcessor.ServerSocketPort and RequestProcessor.MTAResubmitPort from 10025 and 10026 respectively).
    • We are not using an FQDN. We have disabled MX Lookup and are using the exact IP addresses of the IronPorts (192.168.10.11 and 192.168.10.12).



  • 5.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted Apr 13, 2017 05:32 AM

    Hi Guys,

    I checked the IronPort settings. Under Mail Policies>>HAT Overview the DLP server has been added to the RELAY and RELAY senders list. The listener for the IronPort is on port 25 under Network>>Listeners.

    From the IronPort, when I use diagnostics for NETWORK and then SMTPPING to the DLP server, it is connecting on the Management interface. The IronPort has two interfaces (Public and Management). The Public interface has a public IP address and is outside facing, while the Management interface is inside facing. It is refusing to connect on the Public IP interface.

    There are also no access lists between the DLP and the IronPort.

    topin and tophosts are not showing any connections from the DLP.

    We are still getting the same errors as above.



  • 6.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted Apr 13, 2017 12:06 PM

    Is telnet from DLP Email Prevent to --> Ironport on port 25 successful?

    If the telnet banner appears, we might also want to test with a "HELO" command.



  • 7.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted Apr 27, 2017 09:01 AM

    Hi,

    We cannot telnet from the DLP to the IronPort. But it seems that the IronPort does not allow telnet from any PC, so this is across all devices.

    Does anybody else have other suggestions?

    Andrew



  • 8.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Trusted Advisor
    Posted Apr 27, 2017 10:10 AM

    Hello,

    Telnet on the default port is rejected, but telnet on port 25 is equivalent to opening a TCP connection to the IronPort before sending an email (like DLP does). So you should be able to "telnet" (or use any other tool to test the connection between two points) on port 25 from the DLP Mail Prevent server to the IronPort (telnet <ironport IP address> 25).

    If not, it usually means you have a network issue (the network route between the two points is blocked by a firewall or any other network device, the route between the two points is not defined, ...).

    Regards



  • 9.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted May 02, 2017 12:54 PM

    We created a new listener in the IronPort and we can now telnet on port 25. However, when we try and send emails we get the errors below:

    02/May/17:18:01:41:098+0300 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=2da cid=1 local=192.168.10.50:25 remote=192.168.10.40:33458)
    02/May/17:18:01:41:098+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=2da cid=2 local=192.168.10.50:1965 remote=192.168.10.11:25)
    02/May/17:18:01:41:113+0300 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=2da cid=2 local=192.168.10.50:1965 remote=192.168.10.11:25 reason=End of stream)
    02/May/17:18:01:41:113+0300 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=2da cid=2 local=192.168.10.50:1965 remote=192.168.10.11:25)
    02/May/17:18:01:41:113+0300 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=2da cid=1 local=192.168.10.50:25 remote=192.168.10.40:33458 messages=0 time=0.01s)

    We connect to the Exchange (192.168.10.40) and the IronPort (192.168.10.11), but we are unable to send emails as seen above. What could be the issue?
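The two log excerpts in this thread describe different failure points on the forward hop: a 5203 "Connection refused" means nothing accepted the TCP connection, while the later 5204 "End of stream" means the IronPort accepted the connection and then closed it. The following triage script is an added editorial example, not code from any participant or from Symantec; it parses SMTP_CONNECTION lines in both the undated and timestamped formats seen above, and the hints it attaches are my own reading of the thread's suggestions (listener/ACL, route or firewall, HAT relay policy, TLS). The sample lines are copied from the posts above.

```python
import re
from collections import defaultdict

# Constructed sample: the SMTP_CONNECTION lines quoted in this thread (both the
# undated lines from the first post and the timestamped lines from the later one).
SAMPLE_LOG = [
    "[INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=30 cid=16 local=192.168.10.50 remote=192.168.10.40:64328)",
    "[SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=34 cid=14 mta=192.168.10.11 reason=null)",
    "[SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=30 cid=16 mta=192.168.10.12 reason=Connection refused: no further information)",
    "[SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=34 cid=<> reason=No available forward hosts)",
    "[INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=34 cid=14 local=192.168.10.50:25 remote=192.168.10.40:64238 messages=0 time=22.08s)",
    "02/May/17:18:01:41:098+0300 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=2da cid=1 local=192.168.10.50:25 remote=192.168.10.40:33458)",
    "02/May/17:18:01:41:098+0300 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=2da cid=2 local=192.168.10.50:1965 remote=192.168.10.11:25)",
    "02/May/17:18:01:41:113+0300 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=2da cid=2 local=192.168.10.50:1965 remote=192.168.10.11:25 reason=End of stream)",
    "02/May/17:18:01:41:113+0300 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=2da cid=2 local=192.168.10.50:1965 remote=192.168.10.11:25)",
    "02/May/17:18:01:41:113+0300 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=2da cid=1 local=192.168.10.50:25 remote=192.168.10.40:33458 messages=0 time=0.01s)",
]

# Optional timestamp, then [LEVEL] (SMTP_CONNECTION.code) message (key=value ...)
LINE_RE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?\[(?P<level>[A-Z]+)\]\s+\(SMTP_CONNECTION\.(?P<code>\d+)\)\s+"
    r"(?P<msg>[^(]+?)\s+\((?P<fields>.*)\)\s*$"
)
# key=value pairs; a value runs until the next " key=" so free-text reasons survive intact
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_line(line):
    """Parse one SMTP_CONNECTION log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["fields"] = dict(FIELD_RE.findall(m.group("fields")))
    ev["tid"] = ev["fields"].get("tid")
    return ev

# Hints are my own reading of the thread: what each SEVERE code implies about the next hop.
HINTS = {
    "refused":        "TCP RST from the MTA: nothing is listening on that port, or a listener/ACL rejects the DLP host",
    "unreachable":    "connect failed with no reason string: no route, a silent firewall drop, or a timeout",
    "all_hosts_down": "every configured next hop failed, so the message was not forwarded",
    "peer_closed":    "the MTA accepted the TCP connection and then closed it: check its relay (HAT) policy, a TLS requirement, or the return route to the DLP server",
}

def classify(ev):
    """Map a parsed SEVERE event to one of the HINTS keys."""
    reason = ev["fields"].get("reason", "").lower()
    if ev["code"] == "5203":
        return "refused" if "refused" in reason else "unreachable"
    if ev["code"] == "5210":
        return "all_hosts_down"
    if ev["code"] == "5204":
        return "peer_closed"
    return "other"

def triage(lines):
    """Return one finding per SEVERE line: which hop failed, how, and what to check."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["level"] != "SEVERE":
            continue
        hint = classify(ev)
        findings.append({
            "tid": ev["tid"],
            "code": ev["code"],
            "host": ev["fields"].get("mta") or ev["fields"].get("remote", "?"),
            "reason": ev["fields"].get("reason", ""),
            "hint": hint,
            "explanation": HINTS.get(hint, ev["msg"]),
        })
    return findings

def per_host(findings):
    """Group failure hints by next-hop host, which shows at a glance whether one MTA
    is refusing connections while another accepts and then drops them."""
    out = defaultdict(list)
    for f in findings:
        if f["host"] != "?":
            out[f["host"]].append(f["hint"])
    return dict(out)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"tid={f['tid']} code={f['code']} host={f['host']}: {f['explanation']}")
```

Run it over the full Network Prevent log rather than the excerpt and the per-host summary separates "never reachable" hosts (route or firewall) from "reachable but dropping" hosts (policy on the MTA), which is the distinction the rest of this thread turns on.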



  • 10.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted May 05, 2017 02:41 PM

    I guess now that incoming traffic is set up from the IronPort to DLP Email Prevent, we might need to add a listener/change the configuration on the next-hop IronPort/mail hop (possibly 192.168.10.11:25).

    DLP Email Prevent is just a mail proxy and not an MTA. The actual communication needs to be flowing between the two MTAs before and after DLP. That might be the issue here.



  • 11.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted May 07, 2017 12:22 PM
    • Ensure the IronPort doesn't require TLS (enforce encryption).
    • If you telnet to the DLP Network Prevent for Email server on port 25 and type HELO, it should show you an SMTP banner for the IronPort. To test SMTP using telnet, you also need to be quick, as there are timeouts involved.
    • If Cisco firewalls are located between the DLP Network Prevent for Email server and the Cisco IronPort, they can sometimes drop SMTP traffic that is initiated via telnet, depending on configuration (try testing using a mail client like Mozilla Thunderbird).
    • If all else fails (and you don't require TLS between DLP and the IronPort), remove STARTTLS from RequestProcessor.AllowExtensions in the Advanced Server Settings of each Network Prevent for Email server.
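The manual check recommended in posts 8 and 11 (open TCP port 25 from the DLP server, wait for the banner, send HELO/EHLO before the timeout, and see whether the IronPort advertises STARTTLS) is easy to script so that it can be repeated against each next hop without racing the SMTP timeouts by hand. The probe below is an added editorial example, not code from any participant, Symantec or Cisco; its status strings mirror the outcomes the Network Prevent log reports (refused, peer disconnected, timeout). The EHLO name, the loopback stand-in MTA and its greeting are constructed for the offline demo and are not real hosts.

```python
import socket
import threading

# Names and defaults here are mine; the thread's real hosts are 192.168.10.50 (DLP)
# and 192.168.10.11/.12 (IronPort) on port 25.

def read_reply(sock):
    """Read one SMTP reply (single or multi-line); return (code, lines) or None on EOF."""
    lines, buf = [], b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return None                                  # peer closed: the "End of stream" case
        buf += chunk
        while b"\r\n" in buf:
            raw, buf = buf.split(b"\r\n", 1)
            line = raw.decode("ascii", "replace")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":          # "250 " ends the reply, "250-" continues it
                return line[:3], lines

def smtp_probe(host, port=25, helo_name="dlp-prevent.example", timeout=5.0):
    """Do what the forwarding side does at connect time: open TCP, wait for the 220
    banner, send EHLO, record the advertised extensions, QUIT. Never sends mail."""
    result = {"host": host, "port": port, "status": None, "banner": None, "extensions": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            reply = read_reply(s)
            if reply is None:
                result["status"] = "peer_disconnected"   # cf. SMTP_CONNECTION.5204 "End of stream"
                return result
            code, lines = reply
            result["banner"] = lines[0]
            if code != "220":
                result["status"] = "banner_rejected"     # e.g. a policy reply instead of a greeting
                return result
            s.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            reply = read_reply(s)
            if reply is None:
                result["status"] = "peer_disconnected"
                return result
            code, lines = reply
            for line in lines[1:]:                       # first line is the server's greeting
                words = line[4:].split()
                if words:
                    result["extensions"].append(words[0].upper())
            result["status"] = "ok" if code == "250" else "ehlo_rejected"
            s.sendall(b"QUIT\r\n")
    except ConnectionRefusedError:
        result["status"] = "refused"                     # cf. SMTP_CONNECTION.5203 "Connection refused"
    except socket.timeout:
        result["status"] = "timeout"                     # no route back, or a firewall silently dropping
    except OSError as exc:
        result["status"] = f"error:{exc.errno}"
    return result

def advertises_starttls(result):
    """True when the MTA offers STARTTLS; the DLP side then negotiates it unless AllowExtensions says otherwise."""
    return "STARTTLS" in result["extensions"]

def _fake_mta(behaviour, ready):
    """Constructed stand-in for the next-hop MTA so the probe can run offline.
    'ok' plays a normal ESMTP greeting; 'drop' accepts the TCP connection and closes it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    with conn:
        if behaviour == "ok":
            conn.sendall(b"220 esa.example ESMTP\r\n")
            conn.recv(1024)                              # EHLO
            conn.sendall(b"250-esa.example\r\n250-STARTTLS\r\n250 SIZE 10485760\r\n")
            conn.recv(1024)                              # QUIT
    srv.close()

def probe_fake_mta(behaviour):
    """Run the probe against the constructed MTA in a background thread."""
    ready = {"event": threading.Event()}
    t = threading.Thread(target=_fake_mta, args=(behaviour, ready), daemon=True)
    t.start()
    ready["event"].wait(5)
    result = smtp_probe("127.0.0.1", ready["port"], timeout=5)
    t.join(5)
    return result

def probe_closed_port():
    """Probe a loopback port nothing listens on: the 'Connection refused' outcome."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return smtp_probe("127.0.0.1", port, timeout=2)

if __name__ == "__main__":
    for r in (probe_fake_mta("ok"), probe_fake_mta("drop"), probe_closed_port()):
        print(r["port"], r["status"], r["banner"], r["extensions"])
```

Against a real next hop you would call smtp_probe("192.168.10.11") from the Network Prevent server itself, since the thread shows that the result depends on which interface and route the IronPort uses to answer; a "refused" means no listener or an ACL, a "timeout" points at routing or a firewall, and a "peer_disconnected" right after the banner points at the HAT relay policy or a TLS requirement.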


  • 12.  RE: DLP Network Prevent For Email Not Forwarding Emails
    Best Answer

    Posted Jun 08, 2017 10:41 AM

    Hi Guys,

    We managed to solve the problem. The issue was in the Cisco IronPort (Email Security Appliance).

    Routes to the DLP servers had not been added. Once the routes were added to the ESA, the Email Prevent was able to forward messages to the ESA and subsequently scan email messages.

    Thanks all for the suggestions and help.






  • 14.  RE: DLP Network Prevent For Email Not Forwarding Emails

    Posted Jul 22, 2017 05:42 AM

    Hi AjMathu,

    Did you try the Reflecting Mode, or only the Forwarding Mode?

    Regards