This document describes how to access the CLI of your Cloud Email Security (CES) devices utilizing SSH on either the Windows or Linux/macOS platform.
There are two stages that need to be completed in order to access the Command Line Interface (CLI) of your CES Email Security Appliance (ESA) or Security Management Appliance (SMA), both of which are discussed in detail.
Note: These directions cover the bulk of operating systems used in the wild; however, if what you are using is not listed or you still need assistance, please contact Cisco TAC for support and for specific instruction. These are just a small snippet of the tools and clients available that can be used to accomplish this task.
Please familiarize yourself with some of the terminologies that are used in this article.
These are the CES SSH proxy servers you use to initiate the SSH connection to your CES instance. You need to utilize a proxy server specific to the region your device is located in. For example, if your login hostname is esa1.test.iphmx.com, you would use one of the iphmx.com proxy servers in the US region.
This is the non-proxy hostname of your CES ESA or SMA and starts with something like esa1 or sma1, and can be found in the top-right of the web page when you go to log in to the Web User Interface (WUI). The format can be: esa[1-20].<allocation>.<datacenter>.com or sma[1-20].<allocation>.<datacenter>.com.
In order to get started on accessing your CES devices, the first thing you need to do is generate a private/public SSH key pair and then provide the public key to Cisco TAC. Once Cisco TAC has imported your public key, you can then proceed to the next steps.
Note: Do not share your private key.
For either steps listed, the key type can be RSA with a standard bit length of 2048.
PuTTYgenor a similar tool can be used for generating key pairs. You can also follow the instructions listed if you utilize the Windows Subsystem for Linux (WSL).
From a new terminal window, you can run ssh-keygen to create a key pair.
Example:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/mykey
Where:
ssh-keygen -t <key type> -b <bit length> -f <filename>
Once an SSH key pair has been created, please provide your public key to Cisco TAC for import and then proceed to client configuration.
You use PuTTY for this example, so please note that steps can need to be modified slightly if using a different client. Also, please make sure that whichever client you are using has been updated to the most recently available version.
Windows - Step One - Connect to SSH Proxy and Open Forwarding Port
Windows - Step Two - Connecting to the CLI of Your CES Device
Linux/macOS - Step One - Connect to SSH Proxy and Open Forwarding Port
ssh -i ~/.ssh/id_rsa -l dh-user -N -f f4-ssh.iphmx.com -L 2200:esa1.test.iphmx.com:22
Where:
ssh -i <your private key> -l dh-user -N -f <proxy server for your allocation> -L <source port>:<login hostname>:22
This opens a port on your local client to be forwarded to the given host and port on the remote side.
Linux/macOS - Step Two - Connecting to the CLI of Your CES Device
ssh dmccabej@127.0.0.1 -p 2200
Where:
ssh <your CES username>@127.0.0.1 -p <source port for forwarding assigned in previous step>
| Revision | Publish Date | Comments |
|---|---|---|
2.0 |
01-Jul-2026
|
Updated Title, Introduction, Machine Translation, Style Requirements, and Formatting to Comply with Cisco's Guidelines for Externalization. |
1.0 |
09-Apr-2019
|
Initial Release |