Load Balancer FAQ

Cisco Secure Email Cloud Gateway

Load Balancer Model

Where should I point my MX records?

The best practice is to point to the two A records provided in the welcome letter with equal priorities.

An example from test allocation “hc1234-49” in US data centers:


Inside each of those two A records are two IPs. They point to two Inbound VIPs, one per data center.

The full suffix is customer-specific, [allocation].[regional suffix], so please fill in accordingly.

Which records does outbound mail come from?

Mail will come from the generic name 'esa.allocation.iphmx.com.' In fact, the reverse DNS for all IPs will be 'esa.allocation.iphmx.com.'

NAT Gateway IPs (Outbound VIPs) are provided in the Login & Service Information letter sent during activation.

What if we have a separate outbound interface for O365 or Gmail?

The Office 365 interface (ESA Data 2) will also be behind a load balancer. There will be two O365 VIPs that distribute evenly to the ESAs, with one O365 VIP per data center. When the ESA delivers to the next hop, all delivery is done through the NAT gateway and will appear as 'esa.allocation.iphmx.com.'

What should my SPF record be?

SPF is the same as the standard configuration. The best practice is to use the SPF wildcard for your allocation. This SPF wildcard is provided during activation.

Example of the SPF wildcard:

v=spf1 exists:%{i}.spf.hc1234-49.iphmx.com ~all

How does SenderBase (SBRS) work if the LB is in front of the CES systems?

SBRS is unchanged. The external IP is passed to the ESAs. Reputation lookups and associated responses proceed as normal.

What is the method of load balancing?

Using the least connection algorithm.

Migrating to the load balancer model

What is the process if we want our cluster to be migrated to the load balancer?

Contact TAC Support and file a request to assess qualification for the migration to the load balancer.

What are the minimum requirements for migrating?

Minimum four ESAs total with two per data center.

Are our IPs going to change?

No, IPs are selected based on your existing ESA IPs. The total IP count for your allocation will be reduced. You will not have to add any IPs to your firewalls to migrate to the LB, however, you may need to adjust any external services to point to the mx1/mx2 A records if they were previously using either IP or individual ESA hostnames. You may also want to remove any previously allocated IP addresses that will no longer be used after the migration from any associated configurations such as firewalls or on-premises MTAs. The IPs will be provided as part of the migration letter to allow customers some advanced notice of these selections.

How many IPs would the cluster have after migration?

Clusters regardless of size will have two for inbound, two for outbound, and optionally two for Office365.

Do I need to change my SPF record if I'm being moved behind the LB?

You will want to evaluate your SPF record to ensure it will continue to work as expected after migration, but if using the wildcard, no changes are required.

Would I need to change my signed certificate for TLS?

Cisco provides signed SAN certificates through Hydrant for free. The Hydrant signed certs are adjusted automatically during migration. If using a SAN cert not provided by Cisco, the recommendation is to add the esa.allocation.iphmx.com SAN entry before migrating. If the signed certificate is a wildcard certificate *.allocation.iphmx.com, no changes are needed.

Other considerations

Review your MX and SPF records for any hardcoded ESA hostnames or IPs.

Review your ESA configuration for any hardcoded ESA hostnames or IPs. Examples: HAT, RAT, message filters, content filters, SMTP Routes.