With the increase in cloud adoption, many organizations are looking to or are in the process of migrating their on-premise email security solution to cloud email security. Cisco provides a best practice migration plan including a hybrid email security license to ensure smooth migration from on-premise Cisco® Email Security Appliance (ESA) to Cisco Cloud Email Security (CES).
About this document
This document provides a detailed step-by-step plan to migrate from on-premise ESA to CES.
This document covers:
● Training resources
● Next steps
Here are some training resources that you can review to familiarize yourself with Cisco Email Security, including user guides, support forums, and tech notes to answer all your questions:
● YouTube Cisco Security Chalk Talks
● Cisco Email Security TechNotes
● Cisco Email Security Support Forums
● Cisco Email Security White Papers
● Cisco Email Security User Guide
● Cisco Email Security Release Notes
● DMARC, DKIM and SPF information
● Cisco Email Security Instructor-Led Training
When your Cisco CES order has been processed, a CES activation engineer will be assigned to assist you. Most of the settings in this migration plan would have already been completed for you. Therefore, you may find that only a couple of hours are required to complete the migration into production. All highlighted items throughout this document will require your action.
In preparation for the production cutover from on-premise Cisco ESA to Cisco CES, complete the following activities beforehand:
Activity 1 — If you are an O365 customer, you should review this integration guide (approximately 30 minutes):
Activity 2 — The following NAT/port-forwarding and firewall rules are required for traffic flow between your dedicated CES IP addresses and your on-premise mail and directory servers:
● Port 25 (bi-directional to and from on-premise mail servers)
● Port 3269 or 636 (inbound to AD or LDAP servers) — optional
Activity 3 — Download a copy of your on-premise ESA configuration to share with your CES activation engineer.
Activity 4 — Provide the information from the checklist below to your CES activation engineer to ensure a close-to-matching CES capacity:
1. Existing ESA models and number of appliances, and existing SMA models, number of appliances and SMA role (Reporting, Tracking, Quarantine or combined for all) for each appliance.
2. On-premise peak mail volume (peak day[s] and peak month[s]).
3. On-premise storage or disk usage for quarantine, reporting, and tracking.
4. Any deviation from best practice deployed in the existing on-premise environment that the CES activation team should know about, especially where it was introduced in the past to resolve a performance issue.
Step 1 — Contact your CES activation engineer at email@example.com to discuss:
● If your email is hosted on O365, as Cisco will add a second interface for O365.
● If you require IPv6 addresses. Note: IPv6 is not typical.
● An email address that you would like CES alerts to be sent to. Note: Cisco recommends a team alias.
● An email address for “AMP Info”–level alerts (AMP Verdict Updates). O365 customers can optionally configure Mailbox Auto Remediation (MAR).
● If EUQ (End User Quarantine) safelist or blocklist is used, the activation engineer can import the file.
● Providing the public IP addresses that will send outbound traffic through CES to the Internet.
● Providing the public IP addresses that CES will use to deliver messages to your mail server(s).
● Providing the public IP addresses and port that CES will use to perform LDAP lookups.
● Any additional information that you believe will be beneficial for the activation engineer to know or discuss further to ensure a smooth migration. Examples: a load balancer used within the on-premise environment, or additional on-premise ESAs deployed beyond the recommended sizing to handle email campaigns.
● Lastly, confirming that the on-premise ESA configuration has been migrated successfully to CES.
Step 2 — Log in to CES ESA1 and SMA1 and change the password. A strong password is enforced.
Step 3 — Under System Administration > Time Zone: configure your time zone (for example, Americas region or United States). A region or country setting adjusts report timestamps for daylight saving time; a fixed GMT offset does not.
Step 4 — Under System Administration > Users: configure any additional admin accounts required.
Step 5 — Under System Administration > Feature Keys: confirm that the list includes each feature you have ordered.
Note: Advanced Malware Protection (AMP) will be listed as “File Reputation” and “File Analysis.”
Step 6 — Under Security Services > AMP Reputation and File Analysis: click “Edit Global Settings” to confirm that all file types are enabled.
Step 7 — Under Security Services > Cisco IronPort Email Encryption: confirm an encryption profile exists and it has been “provisioned.”
Step 8 — Under Mail Policies > Incoming Mail Policies: confirm the settings for each security feature meet your requirements. Positive spam, viruses, and malware should be set to drop.
Step 9 — Under Mail Policies > Dictionaries > FED or Executive Names dictionary: delete “placeholder” and add executives or any names worth protecting.
In the internal_domains dictionary, delete “placeholder,” and add your domain names. Use regex or dnstwist to expand protection to look-alike (cousin) domains.
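The look-alike (cousin) domain protection that Step 9 asks for can be tested before the dictionary goes live. The script below is an added example, not Cisco code: it builds a homoglyph regex for each protected domain (the kind of pattern you would put in the internal_domains dictionary) and, beyond what a single regex catches, also flags one-character typos, transpositions and TLD swaps with an edit-distance check. The protected list and the sample sender domains are constructed; the regex flavour is generic Python `re`, so confirm any pattern against the ESA dictionary's regex syntax before pasting it in.

```python
"""Look-alike (cousin) domain check for the internal_domains dictionary (Step 9).

Added example, not Cisco code. The protected domain list and the sample sender
domains are constructed for illustration; the regex flavour is generic Python re.
"""
import re

# Characters commonly swapped for visual similarity; each key maps to the set of
# glyphs (including itself) that the regex should accept in its place.
CONFUSABLE = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9q", "i": "i1l!", "l": "l1i|",
    "o": "o0", "s": "s5$", "t": "t7+", "z": "z2",
}


def lookalike_regex(domain: str) -> str:
    """Regex matching `domain` and its homoglyph variants (e.g. examp1e.com, exarnple.com)."""
    parts = []
    for ch in domain.lower():
        if ch == ".":
            parts.append(r"\.")
        elif ch == "m":                      # 'rn' renders like 'm'
            parts.append("(?:m|rn)")
        elif ch == "w":                      # 'vv' renders like 'w'
            parts.append("(?:w|vv)")
        elif ch in CONFUSABLE:
            parts.append("[" + re.escape(CONFUSABLE[ch]) + "]")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender_domain(sender_domain: str, protected: list[str]) -> str:
    """'internal' for a protected domain or one of its subdomains, 'lookalike' for a
    cousin domain (homoglyph, single typo/transposition, or TLD swap), else 'external'."""
    d = sender_domain.lower().rstrip(".")
    d_label, _, d_tld = d.rpartition(".")
    for p in (x.lower() for x in protected):
        if d == p or d.endswith("." + p):
            return "internal"
        p_label, _, p_tld = p.rpartition(".")
        if re.match(lookalike_regex(p), d):
            return "lookalike"
        if d_tld == p_tld and edit_distance(d_label, p_label) == 1:
            return "lookalike"
        if d_label == p_label and d_tld != p_tld:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    PROTECTED = ["example.com"]   # constructed; substitute your own domains
    print("dictionary regex:", lookalike_regex(PROTECTED[0]))
    for s in ["example.com", "mail.example.com", "examp1e.com", "exarnple.com",
              "exmaple.com", "example.net", "cisco.com"]:
        print(f"{s:20} {classify_sender_domain(s, PROTECTED)}")
```

The regex alone covers only glyph substitution; the edit-distance branch is what catches `exmaple.com` and `example.net`, which no single dictionary pattern will. Run it over a day of sender domains from Message Tracking to see what the dictionary would flag before enabling a drop or quarantine action on the Domain Spoof filter.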
Step 10 — Under Mail Policies > Incoming Content Filters: confirm the selected actions meet your requirements for malicious URLs, SPF and DKIM failures, Executive Spoof, and Domain Spoof.
Step 11 — Under Mail Policies > Outgoing Content Filters: confirm the filter for keyword encryption meets your requirements and is enabled on Outgoing Mail Policies.
Step 12 — Under Mail Policies > Destination Controls: confirm the default is set to enable TLS Preferred. If requested, confirm the table was imported. Also confirm the correct signing certificate is selected.
Step 13 — Under Network > Listeners: click each listener and confirm the correct certificate is selected for TLS. Cisco will provide CA-signed certificates on request through the Cisco Technical Assistance Center (TAC).
Step 14 — Under Mail Policies > Mail Flow Policies: for policies with “Accept” behavior, confirm that TLS Preferred and verification for SPF, DKIM, and DMARC are enabled (not Signing).
For DMARC, confirm that “Send Aggregate Reports” is enabled.
Step 15 — Under Mail Policies > DMARC: confirm that the organization name and an appropriate email address are entered (for example, firstname.lastname@example.org).
Step 16 — Under Mail Policies > Signing Keys: generate a new key. Under Signing Profiles: create a profile, assign the new key, and use a new selector. Update the DNS record. Enable DKIM Signing only on the Relayed Mail Flow Policy.
On the global settings: enable From header signing.
Step 17 — Confirm your DMARC record in DNS still reflects your current requirement for policy (p=) and for reports (rua= and ruf=).
Step 18 — Under Mail Policies > DLP Policy Customizations: confirm that Default specifies how to handle DLP violations. Note: Cisco recommends Enable Encryption, “Only use message encryption if TLS fails.”
Step 19 — Under Mail Policies > DLP Policies: select the policies to enable and set the action for the given severity condition. Enable DLP policies on Outgoing Mail Policies.
Step 20 — Under Mail Policies > Host Access Table (HAT): confirm your table was imported with no duplicates.
Click RELAYLIST and add the public IP address or publicly resolvable hostname of any servers you allow to send outbound mail to the Internet.
Step 21 — Under Mail Policies > Recipient Access Table (RAT): ensure your email domains are showing one domain per line.
Step 22 — Under Network > SMTP Routes: confirm each of your domains and their destination mail server(s) are displayed. Ensure the use of a public IP address or publicly resolvable hostname.
Step 23 — Confirm your firewall, mail server(s), and directory server can accept inbound connections from the IP addresses listed in your CES Welcome message for ports 25 (SMTP) and 3269 (AD over SSL/TLS) or 636 (LDAP/S).
Step 24 — Under System Administration > LDAP: configure directory integration. Note: specify the public IP address of your directory.
Step 25 — On SMA > Management tab > Centralized Services > Spam Quarantine: click “Edit Settings,” enable “End User Quarantine Access,” and select the authentication type.
Step 26 — Prior to sending any messages outbound:
● Update your SPF record with your new CES IP addresses, or add the following include mechanism to your SPF record (where NNNN-NN is assigned by CES):
● Update your DKIM record.
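Steps 16, 17 and 26 each end with a DNS record that has to be right before outbound mail moves to CES. The checker below is an added example, not Cisco tooling: it parses the tag=value form shared by DMARC and DKIM records, confirms the DMARC policy and reporting tags Step 17 refers to, checks that the new DKIM selector record carries a key, and verifies that the SPF record contains the CES term and still fits inside the 10-lookup limit that a new include can push it past. The records are constructed, and the CES SPF include is a placeholder: the real term carries the NNNN-NN identifier assigned to your instance and is not reproduced here. Feed it the TXT strings you see in DNS (for example from `dig +short txt _dmarc.example.com`).

```python
"""Checks for the DNS records Steps 16, 17 and 26 ask you to publish or confirm
(DKIM selector key, DMARC policy and reporting tags, SPF include).

Added example, not Cisco tooling. Records below are constructed; the CES SPF
include term is a placeholder for the NNNN-NN-specific value CES assigns.
"""
import re


def parse_tag_value(record: str) -> dict:
    """Parse the 'tag=value; tag=value' form shared by DMARC and DKIM TXT records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Findings for a DMARC record (Step 17); empty means policy and report addresses are present."""
    findings = []
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    tags = parse_tag_value(record)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"p tag missing or invalid: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; confirm this is still the intended policy")
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        if not uris:
            findings.append(f"{tag} missing: no {kind} reports will be delivered")
        elif not all(u.lower().startswith("mailto:") for u in uris):
            findings.append(f"{tag} contains a non-mailto URI")
    return findings


def check_dkim(selector: str, domain: str, record: str) -> list[str]:
    """Findings for the TXT record at <selector>._domainkey.<domain> (Step 16)."""
    findings = []
    tags = parse_tag_value(record)
    if tags.get("v", "DKIM1") != "DKIM1":          # v is optional, but if present must be DKIM1
        findings.append("v tag present but not DKIM1")
    key = tags.get("p")
    if key is None:
        findings.append("p tag (public key) missing")
    elif key == "":
        findings.append("p is empty, which means the key is revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+=*", key):
        findings.append("p is not base64")
    if not re.fullmatch(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", selector, re.I):
        findings.append(f"selector {selector!r} is not a valid DNS label")
    return findings


def _is_lookup_term(term: str) -> bool:
    """SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation."""
    t = term.lower()
    return (t.startswith(("include:", "exists:", "redirect=", "ptr", "a:", "a/", "mx:", "mx/"))
            or t in ("a", "mx"))


def check_spf(record: str, required_term: str) -> list[str]:
    """Findings for an SPF record after adding the CES term (Step 26)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    body = [t.lstrip("+-~?") for t in terms[1:]]          # drop qualifiers for comparison
    if required_term.lower() not in (t.lower() for t in body):
        findings.append(f"{required_term} missing: mail relayed through CES will fail SPF")
    lookups = sum(1 for t in body if _is_lookup_term(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (evaluates to permerror)")
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append("record should end with -all or ~all")
    return findings


if __name__ == "__main__":
    CES_SPF_TERM = "include:spf.NNNN-NN.ces.example"    # placeholder, not the real CES term
    SAMPLE_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"        # truncated sample, not a real key
    print(check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"))
    print(check_dkim("sel1", "example.com", f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"))
    print(check_spf(f"v=spf1 ip4:203.0.113.10 {CES_SPF_TERM} -all", CES_SPF_TERM))
```

The lookup count matters most during this migration: the old on-premise SPF record often already carries includes for other services, and adding the CES term on top can cross the limit, at which point receivers return permerror for every message rather than just the new path.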
Step 27 — To test outgoing mail flow, under System Administration > Configuration File: send yourself the configuration file by email. Select “Encrypt Passwords” (not masked).
Step 28 — To test incoming mail flow, send a message using command line SMTP.
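For the incoming test in Step 28, a short script is easier to repeat than typing the SMTP dialogue by hand. The one below is an added example, not a Cisco tool: it builds a message carrying a unique token (so you can find it in Message Tracking afterwards), connects to the CES inbound listener, upgrades to TLS when the listener offers STARTTLS, delivers, and reports the negotiated TLS version and any refused recipients. The host and addresses under `__main__` are placeholders you replace with the inbound hostname from your CES Welcome message and a mailbox you control.

```python
"""Step 28 without a mail client: hand the CES inbound listener a test message over
SMTP with STARTTLS and report what the listener did with it.

Added example, not a Cisco tool. The host and addresses under __main__ are
placeholders (assumptions); use the hostname from your CES Welcome message.
"""
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


def build_test_message(sender: str, recipient: str, token: str) -> EmailMessage:
    """A minimal well-formed message with a unique token for Message Tracking."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"CES inbound mail-flow test {token}"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=sender.rsplit("@", 1)[1])
    msg.set_content(f"Inbound mail-flow test. Tracking token: {token}\n")
    return msg


def send_inbound_test(host: str, msg: EmailMessage, port: int = 25, timeout: int = 30) -> dict:
    """Connect to the listener, upgrade to TLS when offered, deliver msg, and return
    the negotiated TLS details plus any refused recipients. Certificate validation is
    left on deliberately: a verification failure here points at the listener's
    certificate (Step 13), not at the test."""
    ctx = ssl.create_default_context()
    result = {"tls": None, "cipher": None, "refused": {}}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                      # EHLO again after the upgrade, as RFC 3207 requires
            result["tls"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
        result["refused"] = smtp.send_message(msg)
    return result


if __name__ == "__main__":
    import secrets
    CES_INBOUND_HOST = "ces-inbound.example.invalid"    # placeholder: host from your Welcome message
    test_msg = build_test_message("sender@example.com", "you@example.com", secrets.token_hex(4))
    print(send_inbound_test(CES_INBOUND_HOST, test_msg))
```

Run it from a host whose public IP is not on RELAYLIST, so the message takes the same path an Internet sender's would, then search Message Tracking on the SMA for the token to confirm the message passed the incoming policies and was delivered to your mail server over SMTP Routes.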
Step 29 — Prior to changing MX records, let your activation engineer know.
Step 30 — When changing MX records, disable SPF checks in O365. SPF verification is already enabled in CES:
● Security and Compliance Center > Threat Management > Policy tab: disable antispoof.
● Exchange Admin console > Advanced Options: set SPF Record Hardfail to “off.”
Step 31 — Once you have successfully validated mail flow in both directions, edit your MX records to add CES at a higher priority (lower number) than your old mail route.
If you have any issue that you can’t quickly resolve, reverse the priority order to favor your old route.
Once you confirm that the old MX route is no longer required, remove it to prevent abuse and block the old route at the firewall. In O365, configure CES to be the only route from the Internet.
In conclusion, we hope that this guide has provided a detailed best-practice plan for migrating from on-premise ESA to CES. If in doubt, please do not hesitate to contact your assigned CES activation engineer.
For detailed information on Cisco Email Security, go to https://www.cisco.com/c/en/us/products/security/email-security/index.html.