Enabling TLS connections between a Cisco Email Security Appliance with Network Prevent for Email in Forward Mode

Article ID: 221731


Products

  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention

Issue/Introduction

Symantec Data Loss Prevention (DLP) Network Prevent for Email server can integrate with downstream mail transfer agents (MTA) such as the Cisco Email Security Appliance (ESA), also known as Cisco IronPort. The following guide may help you enable TLS connections between the DLP Email Prevent server and the Cisco ESA.

Cause

TLS is required for the sending of mail through your DLP email detection server.

Resolution

1. Export the certificate from the ESA

Refer to Cisco's documentation for this procedure.

2. Convert the ESA keystore file into a Java keystore file:

keytool -importkeystore -srckeystore ./theExportedFile -srcstorepass thePassword -destkeystore ./cisco.jks -deststorepass thePassword

The -importkeystore command takes separate source and destination store passwords (-srcstorepass and -deststorepass); a plain -storepass is not accepted here.

3. Extract the public certificate from the ESA Java keystore file

keytool -exportcert -rfc -alias theEsaAlias -file ./cisco.pem -keystore ./cisco.jks -storepass thePassword

Replace theEsaAlias with the alias of the ESA entry in cisco.jks, which you can list with: keytool -list -keystore ./cisco.jks -storepass thePassword

4. Create a self-signed certificate for the Email Prevent server and store it in the prevent.ks keystore

keytool -genkeypair -dname "cn=yourDetectionServerHostName" -alias smtp_prevent -keyalg RSA -validity 365 -storepass protect -keystore ./prevent.ks

5. Import the public certificate of the ESA into the prevent.ks keystore

keytool -importcert -alias cisco -file ./cisco.pem -keystore ./prevent.ks -trustcacerts -storepass protect

6. Set the password for the prevent.ks file in Enforce

System > Servers and Detectors > Overview > click on the Email Prevent Server > Configure > update the keystore password on the Inline SMTP tab

7. Configure the AllowExtensions setting to enable TLS connections

System > Servers and Detectors > Overview > click on the Email Prevent Server > Server Settings > Add STARTTLS to the RequestProcessor.AllowExtensions setting

8. Recycle the detection server service, send a test email through the system, then check the DLP Email Prevent server logs and Cisco ESA logs to determine if the message was routed through a TLS connection.
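The following script, added here as an example and not part of the original article, automates the check in step 8 from the network side: it connects to the Email Prevent inline SMTP listener, confirms that STARTTLS is advertised, negotiates TLS and compares the SHA-256 fingerprint of the certificate presented with the one that keytool -list -v -keystore ./prevent.ks reports for the smtp_prevent entry. The host, port and fingerprint values are assumptions you supply; the EHLO reply used in the helper is constructed for illustration.

```python
import hashlib
import smtplib
import ssl


def starttls_advertised(ehlo_reply: bytes) -> bool:
    """Return True if a raw multi-line EHLO reply lists the STARTTLS extension.

    Continuation lines look like b"250-STARTTLS"; the final line uses a space
    (b"250 STARTTLS"). Any other 250 line is some other ESMTP extension.
    """
    for line in ehlo_reply.splitlines():
        if len(line) > 4 and line[:3] == b"250" and line[3:4] in (b"-", b" "):
            if line[4:].strip().upper() == b"STARTTLS":
                return True
    return False


def keytool_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase form printed by
    keytool -list -v, so the value can be compared with the keystore entry."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_smtp_tls(host: str, port: int, expected_fp: str, cafile: str = None):
    """Connect to an SMTP listener (assumed host/port of the Email Prevent server),
    require STARTTLS, and check the presented certificate against expected_fp.
    Returns (starttls_advertised, fingerprint_matches)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # The step 4 certificate is self-signed, so there is no CA to chain to;
        # we pin by fingerprint instead and disable chain/hostname verification.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, False
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    return True, keytool_fingerprint(der) == expected_fp.upper()


if __name__ == "__main__":
    # Assumed values: replace with your detection server and keystore fingerprint.
    print(verify_smtp_tls("yourDetectionServerHostName", 10025, "AA:BB:...:FF"))
```

If the first value is False, STARTTLS is not yet in RequestProcessor.AllowExtensions or the service was not recycled; if the second is False, the listener is presenting a certificate other than the smtp_prevent entry in prevent.ks.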

Additional Information

This guide makes the following assumptions:

  • The Email Prevent server's prevent.ks file does not exist; skip step 4 if the file exists and already contains a certificate
  • The prevent.ks keystore password is not set in Enforce; skip step 6 if the password is already configured in the Enforce console
  • The prevent.ks file's default location:
    • Linux: /var/Symantec/DataLossPrevention/DetectionServer/{version}/keystore/prevent.ks
    • Windows: C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\{version}\keystore\prevent.ks
  • The file paths are given using the syntax for Linux; substitute paths for Windows as appropriate