This document describes how to create an encryption profile and complete account provisioning for a Cisco Email Security Appliance (ESA) with creation of a Cisco Registered Envelope Service (CRES) account.
Note: There are currently differences between Virtual and Hosted ESA and Hardware ESA. These are described in the document.
This article also discusses how to correct the "Unable to provision profile <profile_name> for reason: Cannot find account" error, which normally occurs on Virtual and Hosted ESA when you attempt to add an encryption profile. If you receive this error, complete the steps provided in the Virtual and Hosted ESA section.
Ensure that you have the IronPort Email Encryption feature key installed on your ESA. Verify this from the ESA GUI under System Administration > Feature Keys, or on the ESA CLI with the featurekey command.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
CRES Account Provisioning for Virtual and Hosted ESA
Virtual and Hosted ESA encounter this error when they attempt to provision an encryption profile: "Unable to provision profile <profile_name> for reason: Cannot find account".
Name of account (Specify the exact company name, as you require this to be listed.)
If this is for a Hosted customer account, write the account name so that it ends with HOSTED, as in "<Account Name> HOSTED".
Email address(es) to be used for the Account Admin (Specify a corresponding admin email address(es).)
The complete serial number (*) of ESA(s)
Any/all domains for the customer account that should be mapped to the CRES account for administration purposes
(*) Appliance serial numbers can be found in the GUI under System Administration > Feature Keys, or on the appliance CLI with the version command.
Note: If there is an already provisioned CRES account, provide the company name or CRES account number previously used. This ensures that any new appliance serial numbers are added to the correct account, and avoids any duplication of company information and provisioning.
Note: An appliance serial number can be registered to only one account in CRES. One CRES account might have multiple appliances registered for your company.
Requests sent to email@example.com are handled within one business day, if not sooner. A confirmation email is sent once the serial numbers are registered or new CRES account provisioning is completed. The email address that is used for the admin account receives notification once it is listed as an administrator for the associated account.
If you had already tried to create the encryption profile on the ESA, complete these steps:
From the ESA GUI, navigate to Security Services > Cisco IronPort Email Encryption > Email Encryption Profiles.
Click Re-provision. This then completes as Provisioned.
If it does not, continue to the steps in the next section in order to create the encryption profile on the ESA.
CRES Account Provisioning for Hardware ESA
As of CRES Version 4.2, the hardware ESA has the ability to auto-provision, which means it is no longer necessary to request account creation by email.
For hardware ESA, follow these steps to complete the encryption profile provisioning.
From the ESA GUI, navigate to Security Services > Cisco IronPort Email Encryption, enable the feature, and accept the End User License Agreement (EULA), if not completed already.
Click Edit Settings.
Ensure that you enter an administrative email address in the Email address of the encryption account administrator field, and click Submit.
Create an encryption profile with the Add Encryption Profile button.
During profile creation, ensure that you provide a meaningful Profile Name so that you can relate it later to the message or content filter(s) created to use encryption.
Click Submit when completed.
Not Provisioned is listed for your newly-created profile. You must commit your changes before you proceed.
After your changes are committed, click Provision in order to complete the provisioning process.
Once the provisioning is completed, you receive a banner notification and the profile provision button changes to Re-provision.
The Encryption Profile is complete. You are now able to successfully encrypt mail from your appliance(s) through CRES.
Account Administrator Notification and Account Verification
Use this section in order to confirm that your configuration works properly.
The email address that was specified earlier for the Email address of the encryption account administrator receives notification of account administrator status.
Once you have received the Account Administration notification, log into the CRES Admin site and verify your account. After you log in, you see the account number created in the Account Summary. Initiate an email request to firstname.lastname@example.org with this information:
Any/all domains for the account that should be mapped to the CRES account for administration purposes
This ensures that your account has full visibility to ALL domain accounts that are registered through CRES.
CRES Account Number Creation
The CRES account number is created based on the contract information tied to the appliance. The account number is generated based on the Global Ultimate (GU) ID and an Account Name is generated based on the Installed At Site Name. In order to review this information, ensure that you have proper Cisco Connection Online (CCO) and entitlement, and check the Cisco Service Contract Center (CSCC).