Email Security: Split Architecture Configuration
03/26/2020 1109 12127
In the Split configuration there is one Control Center and one or more Remote Analyzers. The Control Center, in addition to acting as the control center for all the Remote Analyzers, acts as a central administration and quarantine server. Remote Analyzers are SMTP proxies placed in the email flow. They judge whether email is good or junk. Good email is routed to its intended destination, and junk email is routed immediately to the Control Center and qurantined there; it is not quarantined on the Remote Analyzers. Remote Analyzer machines can be configured to handle inbound email messages, outbound email messages, or both. Users can log in to the Control Center to change their settings; they never log in to Remote Analyzers. The most common reason for deploying in a Split mode is to support multiple physical data centers, where any settings made by an administrator or end user automatically takes effect in multiple remote locations.
The IP addresses used in this example:
220.127.116.11 Control Center
18.104.22.168 Remote Analyzer
22.214.171.124 Remote Analyzer
Part 1: Set up a Remote Analyzer
To set up a Remote Analyzer, install on the machine to be used as a Remote Analyzer and follow the steps below:
1. Log in to the web interface using the Administrator name and password (the default is admin / password).
2. Make This Server a Remote Analyzer:
- Select System | Network Architecture.
- Select the This server is: Split radio button.
- Select the If split, this machine is a: Remote Analyzer Server radio button.
- Click the Apply button.
The interface will immediately change into the Remote Analyzer simplified interface with fewer menus on the left side of the screen.
Click the Add Server button to identify this Remote Analyzer's Control Center
Part 2: Set Up A Control Center
To set up a Control Center, install on the machine to be used as a Control Center, then follow these steps:
Log in to the web interface using the Administrator name and password (the default is admin / password).
Make This Server a Control Center
- Select System | Network Architecture.
- Select the This Server Is: Split radio button.
- Select If Split, this machine is a: Control Center Quarantine Server.
- Click the Apply button.
Once you click Apply, the interface changes to the more complex Control Center interface.
The Control Center name is automatically filled out to be the current hostname
Part 3: Add a Remote Analyzer:
- Click the Add Server button under Inbound/Outbound Remote Analyzer Paths.
- Enter the IP address of a Remote Analyzer that is controlled by this Control Center.
After configuring a server as a Control Center, any changes made to the Control Center are automatically propagated to all the Remote Analyzers listed on this page. You can monitor the status of these Remote Analyzers on the Reports page for the Control Center.
Click the Test Connectivity button to make sure all the Remote Analyzer is responding.
If you log in on the remote analyzer the test connectivity to control center will also return the success
You can add now further remote analyzers repeating the steps described in part I and III
Part 4: Configure Email Flow through Remote Analyzers from the Control Center
All configuration of the entire Split deployment is done from the Control Center, including setting up the email flow through the Remote Analyzers.
Follow these steps to configure one of the Remote Analyzers such that the IP address and port number accept SMTP traffic and pass SMTP traffic downstream.
1. Log in to the Control Center (do not log in to the Remote Analyzer).
2. Choose which Remote Analyzer to configure. In the Network Architecture page on the Control Center, select the checkbox indicating which Remote Analyzer Server to configure. This is found near the bottom of the page, in the box labeled Inbound/Outbound Remote Analyzer Paths.
3. Add an SMTP Upstream and Downstream server. Click the Add Path button to the right of the Remote Analyzer Server name you have selected. In the Split configuration, you can specify a different SMTP flow for each Remote Analyzer.
Once created you can also edit and reconfigure the path
Here are the settings you shall choose depending on your architecture
1. Source IP Contacting Path
In this section you can specify the IP addresses of sending email servers that are allowed to connect to and relay through this path.
Any source IP address is allowed to connect to this path - Use this setting if you want any sending email server to be able to connect to this path and relay messages. Warning: using this option could make your server an open relay.
Any source IP address is allowed to connect to this path but relaying is allowed only for specified domains - Use this setting if you want any sending email servers to connect to this path, but you want to relay messages only to the domains specified. Enter domains for which you are willing to relay email messages by adding one domain per line.
Only these IP addresses can connect and relay - Use this setting if you know the sending email server IP addresses and you do not want any other servers to connect. Separate multiple IP addresses with a comma.
2. Path Listens On
In this section, you can specify the IP addresses and port number on which this path listens for connections.
Listen on all IP address on this port - Use this setting if you want this path to listen for all IP addresses on the specified port. It is a common practice to listen for incoming email on port 25.
Listen only on this IP address and port - Use this setting if you want this path to listen in on traffic coming through a specific IP address and port.
3. Destination of Path
In this section, you can specify the destination server for the email messages in this path.
This is a proxy. Pass all email to destination server - Use this setting if you want this path to act as a proxy and relay messages to a downstream email server. Enter the host name or IP address of the downstream email server and the port on which it should be contacted. If the downstream server is unavailable, incoming messages will not be accepted or queued.
This is an MTA. Route email using SmartHost to destination server - This setting is the same as the proxy option above, except that the incoming messages will be accepted and queued if the downstream server is unavailable.
This is an MTA. Route email using SmartHost with load balancing to pass email to the following multiple destination servers - This setting is same as the MTA option immediately above, except that the incoming messages can be routed to multiple servers. If round robin is chosen, email is load-balanced by sending a portion of the email flow through each server listed in the text box. If fail over is chosen, email will be sent to the servers listed in the text box only if the downstream server is unavailable. Email will be queued if all of the servers listed are unavailable.
This is an MTA. Route email using MX record routing - Use this setting to configure this path to route messages by standard MX (Mail Exchange) records. To use this option, your DNS server must be configured to specify the MX records of your internal mail servers that need to receive the email. Email will be queued if necessary.
This is an MTA. Route email using MX record routing with these exceptions - Use this setting to configure the path to route messages by standard MX (Mail Exchange) records, except for the specified domains. For the specified domains, route messages directly to the IP address corresponding to the domain. Email will be queued if necessary.
4. Advanced Settings
Use this text instead of a host name in the SMTP banner - If you do not want the host name of the server running to appear in the banner for the path, specify the text you want to use here. If this field is left blank, the host name will be used.
Action for messages sent to email addresses that are not in your LDAP server - Select the action you want to take when this path receives messages for recipients not listed in your LDAP server. It is strongly recommended that you select the "Adhere to corporate setting" option and configure DHA protection on the Connection Management page. Change this setting in the unusual circumstance when an administrator needs to configure DHA differently depending on the path.
Reserve the following port - Specify a port that can use for miscellaneous internal "localhost to localhost" communication between components. Most Administrators will not need to change the default value.
Enable StartTLS on this path - Enable email communication over an encrypted socket. Click the Configure StartTLS button to configure the way handles encrypted email communications.