Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 17: The Cisco IronPort M-Series Security Management Appliance
Network Planning
The Cisco IronPort M-Series appliance lets you separate the end user interfaces (mail applications, etc.)
from the more secure gateway systems residing in your various DMZs. Using a two-layer firewall can
provide you with flexibility in network planning so that end users will not connect directly to the outer
DMZ (see Figure 17-1).
Figure 17-1: Typical Network Configuration Incorporating the Cisco IronPort M-Series Appliance
Large corporate data centers can share one Cisco IronPort M-Series appliance acting as an external Cisco 
IronPort Spam quarantine for one or more Cisco IronPort C- or X-Series appliances. Further, remote 
offices can be set up to maintain their own local Cisco IronPort appliance quarantines for local use (using 
the local Cisco IronPort Spam quarantine on C- or X-Series appliances).
Figure 17-1 shows a typical network configuration incorporating the Cisco IronPort M-Series appliance
and multiple DMZs. Incoming mail from the Internet is received by the Cisco IronPort appliances in the 
outer DMZ. Clean mail is sent along to the MTA (groupware) in the inner DMZ and eventually to the 
end users within the corporate network.
Spam and suspected spam (depending on your mail flow policy settings) are sent to the Cisco IronPort
M-Series appliance’s Spam quarantine. End users may then access the quarantine and elect to delete 
spam and release messages they would like to have delivered to themselves. Messages remaining in the 
Cisco IronPort Spam quarantine are automatically deleted after a configurable amount of time (see the 
“Quarantines” chapter in the Cisco IronPort AsyncOS for Email Daily Management Guide).
Mail Flow and the Cisco IronPort M-Series Appliance
Mail is sent to the Cisco IronPort M-Series appliance from other Cisco IronPort (C- and X-Series) 
appliances. A Cisco IronPort appliance that is configured to send mail to a Cisco IronPort M-Series 
appliance will automatically expect to receive mail released from the M-Series appliance and will not 
re-process those messages when they are received back — messages will bypass the HAT and other 
policy or scanning settings and be delivered. For this to work, the IP address of the Cisco IronPort 
M-Series appliance must not change. If the IP address of the Cisco IronPort M-Series appliance changes, 
the receiving C- or X-Series appliance will process the message as it would any other incoming message. 
You should always use the same IP address for receiving and delivery on the Cisco IronPort M-Series 
appliance.
[Figure 17-1 diagram labels: Internal Users, Outer DMZ, Inner DMZ, C-Series Appliance (three), Groupware, M-Series Appliance, Corporate Network]