
Virtual Email Appliance Clustering

 Hi there,


We are looking to cluster a pair of the email virtual appliances.


I have the clustering setup and both nodes talking together.

They both have access outbound.


What I am after is what needs to be done for the external incoming connections.

I take it this should be load balanced, that's not a problem.

But I need to know what ports need load balancing and what ports need opening up for the incoming connections.


I have read the config document and have the list of external ports required but I need to know which of these needs load balancing.


Any help would be greatly appreciated.


Many thanks,


Pete



  • Hi Peter,

    Clustering email appliances allows the appliances to share configuration and the database, so for example any appliance can receive and deliver mail for domain X.  Clustering in no way load balances email.  Email that is directed to appliance 25 will be processed and/or quarantined by that appliance.  When there is a request to release the email, that would go to the cluster master; the cluster master would in turn direct appliance 25 to release the email.

    Clustering also allows jobs to be run simultaneously and have a higher level of internal communication between members.

    Here is a complete list of ports

    esa.sophos.com/.../index.html


    In regards to mail flow and load balancing:

    Option #1: DNS load balancing (recommended)

    People that do a lot of SPX email may have 1 email appliance / Exchange send connector that sends all email out of that appliance, then configure firewall rules to direct all inbound port 25 traffic to another appliance that does nothing but incoming email.  Or you could use all appliances bidirectionally, or any combination in between.

    The way to load balance is via an MX record with multiple A records, e.g.:

    # dig mx sophos.com

    ; <<>> DiG 9.4.-ESV-R4 <<>> mx sophos.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22908
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 8, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;sophos.com. IN MX

    ;; ANSWER SECTION:
    sophos.com. 265 IN MX 10 mx6.sophos.com.
    sophos.com. 265 IN MX 10 mx2.sophos.com.
    sophos.com. 265 IN MX 10 mx4.sophos.com.
    sophos.com. 265 IN MX 10 mx5.sophos.com.
    sophos.com. 265 IN MX 10 mx1.sophos.com.
    sophos.com. 265 IN MX 10 mx3.sophos.com.

    In this case we round-robin email across 6 A records, all with a weight of 10.  This essentially load balances all incoming mail across those 6 IPs without buying an expensive load balancer.  DNS round robin is highly effective and the best method 99.9% of the time.


    Option #2: Hardware load balancer

    This option would be to have 1 A record with 1 IP address.  The firewall rule would essentially send that traffic to a hardware load balancer, which in turn would load balance to the appliances behind it.  In this case there is a concern that most load balancers will proxy the incoming MTA connection.  In this case mail would look like it's originating externally but has an internal IP address.  In that case make sure your LB is configured to pass the MTA connection IP.  This causes any email appliance to fail rDNS lookups, hence poor spam catch rates.
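As an added illustration of what the MX round robin in Option #1 does on the sending side (example code written for this thread, not from the original reply or the appliance): it parses the ANSWER SECTION of the dig output quoted above, orders the exchanges the way a sending MTA does under RFC 5321 (lowest preference first, equal preferences in random order), and counts which exchange a population of independent senders would contact first. The `example.test` zone with a preference-20 backup MX is a constructed addition to show that a lower-priority host only gets traffic when the preference-10 hosts are exhausted.

```python
import random
import re
from collections import defaultdict

# Constructed sample input: the ANSWER SECTION of the dig output quoted in the thread.
DIG_ANSWER = """\
sophos.com. 265 IN MX 10 mx6.sophos.com.
sophos.com. 265 IN MX 10 mx2.sophos.com.
sophos.com. 265 IN MX 10 mx4.sophos.com.
sophos.com. 265 IN MX 10 mx5.sophos.com.
sophos.com. 265 IN MX 10 mx1.sophos.com.
sophos.com. 265 IN MX 10 mx3.sophos.com.
"""

# Constructed (hypothetical) zone with a lower-priority backup MX, to show failover ordering.
FAILOVER_ANSWER = """\
example.test. 300 IN MX 10 mx1.example.test.
example.test. 300 IN MX 10 mx2.example.test.
example.test. 300 IN MX 20 backup.example.test.
"""

# owner TTL IN MX preference exchange
MX_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(text):
    """Parse dig-style MX lines into (preference, exchange) tuples; non-MX lines are skipped."""
    records = []
    for line in text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            records.append((int(m.group(3)), m.group(4).rstrip(".")))
    return records


def delivery_order(records, seed=None):
    """Order in which one sending MTA tries the exchanges (RFC 5321 section 5.1):
    lowest preference value first; hosts sharing a preference in random order.
    That per-sender random ordering is what spreads inbound connections across mx1..mx6."""
    rng = random.Random(seed)
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def first_hop_distribution(records, senders=6000):
    """Count which exchange each of `senders` independent sending MTAs contacts first.
    With all preferences equal, every exchange should receive roughly senders/len(records)."""
    counts = defaultdict(int)
    for i in range(senders):
        counts[delivery_order(records, seed=i)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_mx(DIG_ANSWER)
    print("one sender's try order:", delivery_order(recs, seed=42))
    for host, n in sorted(first_hop_distribution(recs).items()):
        print(f"{host:<16} contacted first {n} times")
    print("with a backup MX:", delivery_order(parse_mx(FAILOVER_ANSWER), seed=42))
```

Note that the balance is statistical: each sender picks its own random order, so a single large sender that keeps a connection open will still land on one appliance, and a host that is down only drops out because senders fall through to the next exchange in their list.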

  • Basically, the way we are looking at setting this up is that the 2 appliances will sit inside our network.

    We have an existing spam filter sitting externally as a first pass, and we will be using the Sophos as a second scan, primarily as a virus and other threat scanning box.

    It will be sitting behind our load balancer/firewall and accepting mail from our existing spam filters.

    Is it just port 25 that we need to load balance between the 2 devices?

    As well as making sure the firewall/load balancer passes the MTA (I assume you mean message transfer agent?) IP.

    Many thanks.

  • Hi Peter,

    Port 25 is all that's required.

    However, multiple spam appliances are not recommended.

    In your case, features like the delay queue, SPF, allowed/blocked senders and the blocker service may not function in that environment.  You will also have to configure policy level blocking and ensure upstream hardware is set as a trusted relay, as rDNS will not resolve correctly.

    Other issues may include things like false positives between the two and multiple quarantines.


    You can configure multiple appliances, but your mail flow will need to be squeaky clean and all of your infrastructure will need to be tuned to interact with each other.   You may wish to consult with your account manager and arrange some professional services time.
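The reply's point about setting upstream hardware as a trusted relay can be shown with an added example (written for this thread; it is not the appliance's own logic nor code from either poster). Once a load balancer or a first-pass spam filter sits in front of the appliance, the connecting IP the appliance sees is the relay's, so rDNS and SPF run against the wrong host unless the appliance walks back through the hops that trusted relays added and stops at the first untrusted one. The trusted networks (`10.0.5.0/24`, `192.0.2.10`) and the `Received:` headers are constructed, and the header parser is deliberately simplified to the bracketed IPv4 literal of the `from` host.

```python
import ipaddress
import re

# Constructed (hypothetical) trusted relays: the load balancer subnet and the upstream spam
# filter that the poster describes sitting in front of the appliance.
TRUSTED_RELAYS = [
    ipaddress.ip_network("10.0.5.0/24"),    # load balancer / firewall hops
    ipaddress.ip_network("192.0.2.10/32"),  # existing first-pass spam filter
]

# Simplified Received-header parser: only the bracketed IPv4 literal of the 'from' host.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed headers, newest first, as the appliance sees them after stamping its own Received.
NORMAL_HEADERS = """\
Received: from lb.internal.test ([10.0.5.20]) by esa1.internal.test; Mon, 1 Jan 2024 10:00:03 +0000
Received: from spamfilter.example.test ([192.0.2.10]) by lb.internal.test; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.test ([203.0.113.7]) by spamfilter.example.test; Mon, 1 Jan 2024 10:00:01 +0000
"""

# Constructed: the sender added a Received line naming the trusted filter, hoping to be
# treated as internal. It sits below the first untrusted hop, so it must be ignored.
FORGED_HEADERS = """\
Received: from lb.internal.test ([10.0.5.20]) by esa1.internal.test; Mon, 1 Jan 2024 10:00:03 +0000
Received: from spamfilter.example.test ([192.0.2.10]) by lb.internal.test; Mon, 1 Jan 2024 10:00:02 +0000
Received: from bulk.sender.test ([198.51.100.9]) by spamfilter.example.test; Mon, 1 Jan 2024 10:00:01 +0000
Received: from spamfilter.example.test ([192.0.2.10]) by bulk.sender.test; Mon, 1 Jan 2024 09:59:00 +0000
"""


def is_trusted(ip, trusted=TRUSTED_RELAYS):
    """True if ip falls inside a trusted relay network; malformed addresses are never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def received_from_ips(headers):
    """'from' IPs of the Received headers, newest (top) first."""
    ips = []
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = RECEIVED_IP_RE.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def originating_ip(headers, trusted=TRUSTED_RELAYS):
    """The IP that rDNS, SPF and sender-reputation checks should be run against.

    Walk the hops from the appliance's own connection backwards, skipping only hops that a
    trusted relay added, and stop at the first hop from an untrusted host. Returns None when
    every hop is trusted (e.g. internal mail), in which case no reputation check applies."""
    for ip in received_from_ips(headers):
        if not is_trusted(ip, trusted):
            return ip
    return None


if __name__ == "__main__":
    for name, hdrs in (("normal", NORMAL_HEADERS), ("forged", FORGED_HEADERS)):
        print(f"{name}: connecting IP {received_from_ips(hdrs)[0]}, "
              f"reputation checks against {originating_ip(hdrs)}")
    # Without the trusted-relay list every message would be judged by the LB's 10.0.5.20.
    print("no trusted relays configured:", originating_ip(NORMAL_HEADERS, trusted=[]))
```

Two design points matter here: the walk never trusts a `Received:` line beyond the first untrusted hop, because anything below it was written by hosts the sender controls; and the trusted list must contain only hosts you operate, since every address in it is exempted from reputation checks.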