AMI Deployment with AWS EC2 NLB

Placing Cisco Secure Email Gateway Virtual (AMI) behind Amazon NLB

Introduction

This document provides the basics for deploying Cisco Secure Email Gateway Virtual appliance(s) in AWS and configuring a Network Load Balancer (NLB) in AWS to automatically distribute incoming traffic across multiple targets (ie, ESA).

Prerequisite(s)

  • You should already have requested the AMI image provisioning for Cisco Secure Email Gateway Virtual
  • Already have available a Virtual License Number (VLN) for your Cisco Secure Email Gateway Virtual
  • Cisco recommends that you have knowledge of these topics:
    1. Cisco Secure Email Gateway configuration and administration
    2. Amazon AWS administration, including:
    • Amazon AWS EC2 + AMI deployment
    • Amazon AWS Elastic IP allocation and association

AMI deployment with NLB

AWS

  1. From AWS > EC2, deploy two (or more) Cisco Secure Email Gateway Virtual AMI

    ✏️ For the purpose of this document we will call these ESA1 and ESA2.

  2. Pay special attention to your Instance configuration/template

    ❗ Assure that you know the Availability Zone and Security Group settings when deploying

  3. (Optional) Once the Instance(s) are deployed, allocate and associate Elastic IPs for both ESA1 and ESA2
  4. In AWS > Route 53 (or your DNS provider) create an A record for your ESA1.example.com and ESA2.example.com with the Public IPv4 address for both
  5. For the Security Group that your ESA are deployed in, please assure the Inbound Rules are updated to include SSH/22 for the Private IP address of ESA1 and ESA2
Why do I need to open SSH/22?

See Cluster Requirements on Cisco Secure Email Gateway.

ESA(s)

Connect to the CLI for ESA1 and ESA2:

  1. Perform basic installation and configuration steps on ESA1 and ESA2:
    • Set a new admin password: 'passwd'
    • Load your VLN (XML): 'loadlicense'
  2. (Optional) Upgrade both ESA1 and ESA2 to an appropriate release, both on the same version of AsyncOS.

Connect to the GUI for ESA1:

  1. Network > Listener > Add Listener...
    • Configure a Public Listener (SMTP/25)
  2. Mail Policies > Recipient Access Table (RAT) > Add Recipient...
    • Add an Accept action for your recipient address of your domain
  3. Network > SMTP Routes > Add Route...
    • and any needed SMTP Routes for the domains defined in the RAT
  4. Remember to Submit and Commit your configuration changes!
  5. Test to confirm mail flow and receipt of mail through ESA1

Connect to the CLI for ESA1 and ESA2:

  1. On ESA1, create a new cluster by running the CLI command 'clusterconfig':
    • Select "2. Create a new cluster"
    • For "Should all machines in the cluster communicate with each other by hostname or by IP address?", select "1. Communicate by IP address"
  2. On ESA2, join the newly created cluster by running the CLI command 'clusterconfig':
    • Select "3. Join an existing cluster over SSH."
    • Do NOT enable Cluster Communication Service (CCS) when prompted
    • Enter the Private IP address of ESA1 when prompted
    • Enter the admin password when prompted

At this time ESA1 and ESA2 are clustered.

What is a "cluster" on Cisco Secure Email Gateway?

See Overview of Centralized Management Using Clusters on Cisco Secure Email Gateway.

AWS EC2 Load Balancing

Prior to creating the load balancer, allocate an Elastic IP that will be used for your NLB:

  1. From AWS > EC2, select Elastic IPs
  2. Click Allocate Elastic IP address from the upper-right corner
  3. No changes needed for the request... click Allocate

You are ready to created your load balancer:

  1. From AWS > EC2, select Load Balancers
  2. Click Create Load Balancer
  3. From the Select load balancer type screen, click Create in Network Load Balancer
  4. Provide a name for your new NLB
  5. Leave the Scheme as Internet-facing
  6. Leave the IP address type as IPv4
  7. Select the Virtual Private Cloud (VPC) that your ESA AMI are deployed in
  8. Mappings: As advised earlier In AWS configuration we advised to know the Availability Zone and Security Group - select the Zone that your ESA AMI are deployed in
    • In the IPv4 settings, change the dropdown from "Assigned by AWS" to "Use an Elastic IP address"

      This will set the Elastic IP you allocated prior to creating your NLB

  9. Listeners and routing: Set to Port 25 (SMTP) and then Create target group
    • On the Specify group details page...
      • Provide a Target group name
      • Set to Port 25 (SMTP)
      • Click Next
    • On the Register targets screen...
      • Select your ESA1 and ESA2
      • Use 25 for Ports for the selected instances
      • Click Include as pending below
      • Click Create target group
    • You can close the tab/page that was opened to create the target group
  10. Return to the "Create Load Balancer" tab and click the refresh icon next in the Listeners and routing section
  11. Select your newly created target group
  12. Click Create load balancer

The NLB will be created at this time. Click the View load balancer to go to the NLB.

✏️ The State should show as Provisioning and will remain this way until it has completed.

After a few minutes, refresh the screen. Once the State is Active you are ready to proceed with testing!

Testing

  1. From AWS > EC2 > Load Balancers, select the NLB you have just created
  2. Use the "Copy" icon next to the DNS name -or- in the Availability Zones use the Elastic IP address you allocated and configured
  3. Use this as the server/host to send email to test and confirm mail flow and receipt of mail through both ESA1 and ESA2

Connect to the CLI for ESA1 and ESA2:

  1. Run the CLI command 'tail mail_logs' to watch the mail flow in real-time

Now that mail flow has been monitored and you see your test mails alternating through ESA1 or ESA2, the DNS name -or- Elastic IP can be used as your MX record for mail flow.

Troubleshooting

  • If you add new/additional ESA to AWS and your NLB, assure that you check the Availability Zone and Subnet associated. These may need edited in the Basic Configuration of the NLB in order to allow SMTP traffic to reach the new ESA(s) in the VPC.
  • Likewise, if you have new/additional ESA, assure that you have also added them as registered targets in your group associated to the NLB. You can visit this from AWS > EC2 > Target Groups and select the name of the group, then select the Targets tab below. Any new ESA can be added by clicking Register targets.

Reference