Messaging Gateway

  • 1.  Symantec Global Bad Senders - Help

    Posted Apr 08, 2010 01:12 AM

    hi
    In my company we are running 3 SBG gateways to filter spam and antivirus. I need some more information on how the Symantec global sender reputation works. Recently we received lots of spam from one gateway, whereas the other two gateways had rejected the mails on the basis of the Symantec global bad sender list. If I search in IP reputation for the spam mails we received, on two gateways it is listed in the Symantec global bad sender list, whereas on the one gateway it does not show. I thought the third gateway is not able to query the Symantec global list. Firewall ports opened on all of the three gateways are the same and all the appliances are running with 9.0 version.

    regards
    NPP


  • 2.  RE: Symantec Global Bad Senders - Help

    Broadcom Employee
    Posted Apr 08, 2010 12:29 PM
    Are all of these boxes independent scanner/control sender boxes or are they 3 scanners that have one or more control centers that are separate?


  • 3.  RE: Symantec Global Bad Senders - Help

    Posted Apr 08, 2010 02:08 PM

    JDavis, 
    the installation manual states that AV updates are on port 80 outbound, but doesn't mention the spam filter port.  Install Guide, page 94. Are the spam filters on the 80/443 as well?  Documentation update?

    Web addresses & ports Symantec Brightmail Gateway uses:

    | URL | Protocol | Port | Description |
    |---|---|---|---|
    | swupdate.brightmail.com | TCP | 443 | Used to retrieve new software |
    | register.brightmail.com | TCP | 443 | Used to register the appliance |
    | aztec.brightmail.com | TCP | 443 | Used to retrieve filters |
    | liveupdate.symantecliveupdate.com | TCP | 80 | Default automatic antivirus updates |
    | liveupdate.symantec.com | TCP | 80 | Default automatic antivirus updates |
    | relay.msg.yahoo.com | TCP | 80 | Yahoo file transfer |
    | definitions.symantec.com | TCP | 80 | Rapid response antivirus updates |




  • 4.  RE: Symantec Global Bad Senders - Help

    Broadcom Employee
    Posted Apr 08, 2010 05:29 PM
    The antispam updates come through port 443 as listed there, aztec is the server we get them from. You can turn off the global bad senders detection though in the 'secret menu' I can't really talk about on the forums.


  • 5.  RE: Symantec Global Bad Senders - Help

    Posted Apr 16, 2010 01:48 AM

    All the 3 gateways in our org are standalone CC+scanner. They don't talk to each other. I am not sure why only on one appliance the Symantec Global sender is not working properly. This feature is working really great on other two servers and drops about 90% of the spam mails at the connection level. But on the first gateway it does not detect these IPs under Symantec global bad senders and uses its CPU and memory resources to scan and find them as spam. It would be great if it can drop these connections during the connection time on this server as it is happening on other two servers.



  • 6.  RE: Symantec Global Bad Senders - Help

    Broadcom Employee
    Posted Apr 16, 2010 11:11 AM

    Why are they all independent? It doesn't make sense to have 3 quarantines and 3 places to go to look for message audit logs.

    You should consider calling in to support so we can go through your settings piece by piece.


  • 7.  RE: Symantec Global Bad Senders - Help

    Posted Apr 16, 2010 11:43 AM

    It might make sense if they were in different regions (Europe/North America/Asia), but that's about the only reason that makes sense to me.

    NPP - I have 4 - 8380's at the edge of my network and a single control center managing them.  The 4 boxes are in two different buildings.
    Having so many CCs will become a management issue as you try to keep configuration, policies, etc. sync'd.

    My edge boxes handle about 8.5 million raw messages per day and this is what the CC traffic looks like (from SNMP monitors).  So the average is around 4 Kb/s (bits). My CC does NOT process e-mail.

    [Image: The Control Center Traffic]


  • 8.  RE: Symantec Global Bad Senders - Help

    Posted Apr 19, 2010 03:43 PM
    Paul is right!

    As long as the boxes are "well connected", 10Mbps or better, you should use one CC.

    If you have limited connections between where you have your CC and scanners, pulling audit logs will not work well and you have to use the one to one CC / scanner.

    Mark


  • 9.  RE: Symantec Global Bad Senders - Help

    Posted May 05, 2010 01:00 AM
    Thanks for all the information. All the servers are live; can I still make one of them CC and remove the scanner role, and from the other two remove the CC and make them only scanners? Or do I need to start from the beginning?

    NPP


  • 10.  RE: Symantec Global Bad Senders - Help

    Posted May 05, 2010 11:25 AM
    Rebuilding won't solve the Symantec global bad sender update issue.  You should go to the command line on the box that is not updating and verify that it can reach each of the hosts listed above using CURL.  Login as admin, enable the support account (set-support). Login as support and then verify connectivity. e.g.

        curl https://aztec.brightmail.com

    If you get OK back, then connectivity is working.  If it fails, verify that DNS is working correctly on the box.

    ----------------------------

    I don't think you can remove the CC role w/o rebuilding.

    Choose a CC/scanner that will become your Control Center.

    Remove one of the scanners from your MX and set the box to reject connections. Wait for traffic to fade away - how long this takes is dependent on the TTL of your DNS records.

    Once all queues have drained, rebuild using the OS-Restore

    Supply the IP address of the permanent CC during the build.

    Go back to the CC and add the rebuilt scanner.
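
The connectivity check from post 10, extended to every Symantec host in the port table from post 3, as an added example that is not part of the original thread or of any Symantec tooling. It assumes a POSIX shell with curl available; the function names and status labels are made up for this sketch, and the exit-code meanings are curl's documented ones.

```shell
#!/bin/sh
# Added example: probe each update host from the port table in post 3 and
# report which layer failed, using curl's documented exit codes.

# Host and port pairs copied from the table in post 3 (relay.msg.yahoo.com,
# listed there as "Yahoo file transfer", is left out: not an update source).
ENDPOINTS='swupdate.brightmail.com 443
register.brightmail.com 443
aztec.brightmail.com 443
liveupdate.symantecliveupdate.com 80
liveupdate.symantec.com 80
definitions.symantec.com 80'

# url_for HOST PORT: the table uses 443 for HTTPS and 80 for plain HTTP.
url_for() {
  if [ "$2" = "443" ]; then echo "https://$1/"; else echo "http://$1/"; fi
}

# probe URL: exit status 0 means a response came back (any HTTP status).
probe() {
  curl -s -o /dev/null --connect-timeout 10 --max-time 30 "$1" </dev/null
}

# classify RC: translate a curl exit code into the layer that failed.
classify() {
  case "$1" in
    0)     echo "OK" ;;
    6)     echo "DNS_FAILED" ;;      # could not resolve the host name
    7)     echo "CONNECT_FAILED" ;;  # refused or blocked on the way out
    28)    echo "TIMEOUT" ;;         # no answer within the time limit
    35|60) echo "TLS_FAILED" ;;      # handshake or certificate not accepted
    *)     echo "CURL_ERROR_$1" ;;
  esac
}

# check_all: print "host port STATUS" per endpoint; return 1 if any failed.
check_all() {
  ca_failed=0
  while read -r ep_host ep_port; do
    [ -n "$ep_host" ] || continue
    ep_rc=0
    probe "$(url_for "$ep_host" "$ep_port")" || ep_rc=$?
    ep_status=$(classify "$ep_rc")
    printf '%s %s %s\n' "$ep_host" "$ep_port" "$ep_status"
    [ "$ep_status" = "OK" ] || ca_failed=1
  done <<EOF
$ENDPOINTS
EOF
  return "$ca_failed"
}

# Only touch the network when asked to, e.g.: sh check_updates.sh --run
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Running it on the failing gateway and on one of the working ones and comparing the two outputs shows whether the difference is DNS, the firewall path, or TLS.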