Cisco Email Security Appliance C170 User Guide
16-7
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 16 Cisco Email Encryption
Determining Which Messages to Encrypt
Step 19
If you use Cisco Registered Envelope Service, you must take the additional step of provisioning your
appliance. Provisioning the appliance registers the encryption profile with the hosted key service. To
provision the appliance, click the Provision button for the encryption profile you want to register.
Updating to the Latest Version of the PXE Engine
The Cisco Email Encryption Settings page displays the current versions of the PXE engine and the
Domain Mappings file used by your appliance. You can use the Security Services > Service Updates
page (or the updateconfig command in the CLI) to configure the Cisco appliance to automatically
update the PXE engine. For more information, see
You can also manually update the engine using the Update Now button of the PXE Engine Updates
section of the IronPort Email Encryption Settings page (or the encryptionupdate command in the CLI).
Determining Which Messages to Encrypt
After you create an encryption profile, you need to create an outgoing content filter that determines
which email messages should be encrypted. The content filter scans outgoing email and determines if
the message matches the conditions specified. Once the content filter determines a message matches the
condition, the Cisco Email Security appliance encrypts the message and sends the generated key to the
key server. It uses settings specified in the encryption profile to determine the key server to use and other
encryption settings.
You can also encrypt messages after they are released after Data Loss Prevention scanning. For more
information, see
Using a TLS Connection as an Alternative to Encryption
Based on the destination controls specified for a domain, your Cisco appliance can securely relay a
message over a TLS connection instead of encrypting it, if a TLS connection is available. The appliance
decides whether to encrypt the message or send it over a TLS connection based on the TLS setting in the
destination controls (Required, Preferred, or None) and the action defined in the encryption content
filter.
When creating the content filter, you can specify whether to always encrypt a message or to attempt to
send it over a TLS connection first, and if a TLS connection is unavailable, to encrypt the message.
Table 16-2 shows you how an Email Security appliance will send a message based on the TLS settings
for a domain’s destination controls, if the encryption control filter attempts to send the message over a
TLS connection first.
Table 16-2 TLS Support on ESA Appliances

| Destination Controls TLS Setting | Action if TLS Connection Available | Action if TLS Connection Unavailable |
|----------------------------------|------------------------------------|--------------------------------------|
| None                             | Encrypt envelope and send          | Encrypt envelope and send            |
| TLS Preferred                    | Send over TLS                      | Encrypt envelope and send            |
| TLS Required                     | Send over TLS                      | Retry/bounce message                 |