Multiple-appliance deployments

Deployment and Installation Center | Email Security Solutions | Version 7.8.x

Applies to:

In this topic

Email Security Gateway and Email Security Gateway Anywhere, v7.8.x

Email Security Gateway Anywhere appliance cluster

Multiple standalone appliances

Multiple appliance deployments can be implemented when message volume warrants having greater processing capacity. When the deployed appliances are all in standalone mode, the appliances can be a mix of V10000 G2, V10000 G3, or V5000 G2 machines. An appliance cluster usually cannot contain a mix of appliance platforms. However, a V10000 G2 appliance may be deployed in a cluster with a V10000 G3 appliance. Contact Websense Technical Support for more information.

An X-Series modular chassis may include multiple blade servers running Email Security Gateway.

Email Security Gateway Anywhere appliance cluster

Multiple V-Series appliances are configured in Email Security Gateway Anywhere as a cluster for this deployment scenario. You may also consider multiple X10G blade servers for this scenario. This Email Security Gateway Anywhere environment includes the Email Security hybrid service "in the cloud" filtering. See Email Security Gateway Anywhere single appliance for information about the email hybrid service.

You may want to use a third-party load balancer with a V-Series appliance cluster, to distribute email traffic among your appliances. Appliances in a cluster all have the same configuration settings, which can streamline a load balancing implementation.

Personal Email Manager traffic load balancing may be accomplished via cluster configuration. After a cluster is created, designate the Personal Email Manager access point in Settings > Personal Email > Notification Message, in the Personal Email Manager Portal section. Personal Email Manager traffic is routed to this designated IP address. This appliance then passes the traffic on to other appliances in the cluster via the round robin forwarding mechanism.

To create a cluster, add an appliance to the Email Security appliances list on the Settings > General > Email Appliances page, then configure these appliances in a cluster on the Settings > General > Cluster Mode page. See the Email Security Gateway Manager Help for details.

A primary appliance in a cluster may have up to 7 secondary (or auxiliary) appliances. Configuration settings for any cluster appliance are managed only on the primary appliance Email Appliances page (Settings > General > Email Appliances).

Cluster appliances must all be running in the same security mode (Email Security only mode or dual Email Security/Web Security mode). The Email Security Gateway management server (TRITON console) and all cluster appliance versions must all match for cluster communication to work properly.

In order to protect the messages stored in Email Security queues, appliances added to a cluster must have the same message queue configuration as the other cluster appliances. For example, an administrator-created queue on appliance B must be configured on primary cluster appliance A before appliance B is added to the cluster. Message queue records may be lost if this step is not performed before cluster creation.

Multiple standalone appliances

A multiple standalone V-Series appliance or X-Series blade server deployment might be useful if each appliance must have different configuration settings. Two standalone scenarios are described in this section:

Using domain-based routing

Using DNS round robin

These Email Security Gateway Anywhere environments include the Email Security hybrid service "in the cloud" filtering. See Email Security Gateway Anywhere single appliance for information about the email hybrid service.

Using domain-based routing

You can configure domain-based delivery routes so that messages sent to recipients in specified domains are delivered to a particular appliance. Configuring a delivery preference for each SMTP server facilitates message routing.

Configure the domain groups for which you want to define delivery routes in the Settings > Users > Domain Groups > Add Domain Groups page. See the Email Security Gateway Manager Help for information about adding or editing domain groups:

Managing domain groups

Configuring delivery routes

To set up a domain-based delivery route on the Settings > Inbound/Outbound > Mail Routing page:

Click Add in the Domain-based Routes section to open the Add Domain-based Route page.

Enter a name for your route in the Name field.

Select an order number from the Route order drop-down list to determine the route's scanning order.

Select a destination domain from the pre-defined domains in the Domain group drop-down list. Default is Protected Domain. Information about the selected domain group appears in the Domain details box.

If you want to add a new domain group to the list, navigate to Settings > Users > Domain Groups and click Add.

If you want to edit your selected domain group, click Edit to open the Edit Domain Group page.


	Important The Protected Domain group defined in the Settings > Users > Domain Groups page should not be used to configure Email Security Gateway delivery routes if you need to define domain-based delivery routes via multiple SMTP servers. Create domain groups that contain subsets of the Protected Domain group for mail routing purposes.

Select the SMTP server IP address delivery option to open the SMTP Server List:

Click Add to open the Add SMTP Server dialog box.

Enter the SMTP server IP address or host name and port.

Mark the Enable MX lookup check box to enable the MX lookup function.

Important

If you entered an IP address in the previous step, the MX lookup option is not available.

If you entered a host name in the previous step, this option is available.

Mark the Enable MX lookup check box for message delivery based on the host name MX record.

If you do not mark this check box, message delivery is based on the host name A record.

Enter a preference number for this server (from 1 - 65535; default value is 5).

If a single route has multiple defined server addresses, Email Security attempts to deliver mail in order of server preference. When multiple routes have the same preference, round robin delivery is used.

You may enter no more than 16 addresses in the SMTP Server List.

Select any desired security delivery options.

Select Use Transport Layer Security (TLS) if you want email traffic to use opportunistic TLS protocol.

Select Require authentication when you want users to supply credentials. Enter the appropriate user name and password in the Authentication Information box. You must use the SMTP server IP address delivery method when you want users to authenticate.

Using DNS round robin

Email traffic distribution among multiple standalone appliances can be accomplished by using the domain name system (DNS) round robin method for distributing load.

With Email Security hybrid service configured and running, set up the round robin system as follows:

Enter the SMTP server domain in the Delivery Route page of the hybrid service configuration wizard used for registering Email Security Gateway with the hybrid service (Settings > Hybrid Service > Hybrid Configuration).

If hybrid service is not enabled, you need to modify your MX records to allow round robin load balancing. Ask your DNS manager (usually your Internet service provider) to replace your current MX records with new ones for load balancing that have a preference value equal to your current records.