Q. What connections are allowed from external ESAs to a Cloud SMA and from Cloud ESAs to an external SMA?
A. For security reasons, only ports 25 and 587 are allowed inbound to the CES appliances in the datacenters. Outbound connections from the datacenters are not as restricted, so all the pertinent service ports are allowed.
Note: External refers to any appliances that are not hosted in any of Cisco's datacenters.
An SMA synchronizes with an ESA by establishing an SSH connection on port 22. The connection is initiated from the SMA, so a cloud SMA is able to sync with an ESA outside of the CES datacenters.
The centralized services managed between an SMA and ESA are:
1. Reporting (Retrieved by the SMA over the established port 22 connection)
2. Message Tracking (Retrieved by the SMA over the established port 22 connection)
3. Spam Quarantine (Sent from the ESA to the SMA over port 6025)
4. Policy, Virus and Outbreak Quarantine (Sent from the ESA to the SMA over port 7025)
Because the SSH port 22 connection is initiated from the SMA within the datacenters, the Reporting and Message Tracking services will be functional: the return traffic from the internet is allowed back into the datacenters as part of the established connection.
The Spam Quarantine and Policy, Virus and Outbreak Quarantine connections are initiated from the ESA to the SMA on ports that are not open from the internet into the datacenters, so these two centralized services will not be functional.
To summarize, an external ESA or ESAs can be synchronized with a cloud SMA with only the Reporting and Message Tracking services being supported.
The opposite, cloud ESAs synchronizing with an external SMA, is not supported at all. Recall that synchronization is initiated from the SMA on port 22 to establish the connection; since port 22 is not allowed from the internet into the datacenters, that connection will never succeed. All outbound ports are open, so traffic for the Spam Quarantine service on port 6025 and for the Policy, Virus and Outbreak Quarantine service on port 7025 could be sent from the cloud ESAs to the external SMA, but the initial SSH connection would never be established, which precludes the rest of the functionality.
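The reasoning above is a direction-aware reachability check: which side opens the connection, on which port, and whether that port is open into the datacenter. The script below is an added example (not Cisco's code or part of this article) that models exactly that and derives which centralized services work for each SMA/ESA pairing. It encodes only what the page states: inbound to the datacenter is limited to 25 and 587, outbound from the datacenter is unrestricted, and return traffic of an established session is allowed. The assumption that an external appliance's own network accepts inbound connections is mine, as are the appliance labels.

```python
from dataclasses import dataclass

# Ports the page states are open from the internet into the CES datacenters.
DATACENTER_INBOUND_PORTS = {25, 587}

# Centralized services: which side initiates the connection and on which port.
# Reporting and Message Tracking ride the SMA's SSH session; the quarantines
# are pushed from the ESA to the SMA.
SERVICES = {
    "Reporting": ("SMA", 22),
    "Message Tracking": ("SMA", 22),
    "Spam Quarantine": ("ESA", 6025),
    "Policy, Virus and Outbreak Quarantine": ("ESA", 7025),
}


@dataclass(frozen=True)
class Appliance:
    name: str
    in_datacenter: bool  # True for Cisco-hosted (cloud) appliances, False for external ones


def connection_allowed(src: Appliance, dst: Appliance, port: int) -> bool:
    """Can src open a NEW TCP connection to dst on the given port?

    Only the datacenter's inbound filter is modelled: a new connection from an
    external appliance into the datacenter succeeds only on an allowed inbound
    port. Outbound from the datacenter is unrestricted (per the page). The
    external appliance's own firewall is assumed open (assumption, not stated
    on the page). Return traffic of an established session is always allowed,
    so it never needs a separate check here.
    """
    if dst.in_datacenter and not src.in_datacenter:
        return port in DATACENTER_INBOUND_PORTS
    return True


def functional_services(sma: Appliance, esa: Appliance) -> dict[str, bool]:
    """Return, per centralized service, whether it works for this SMA/ESA pair."""
    # The SMA must first establish the SSH session to the ESA; without it the
    # appliances never pair, so every service is reported as non-functional.
    ssh_ok = connection_allowed(sma, esa, 22)
    result = {}
    for service, (initiator, port) in SERVICES.items():
        if not ssh_ok:
            result[service] = False
        elif initiator == "SMA":
            result[service] = connection_allowed(sma, esa, port)
        else:
            result[service] = connection_allowed(esa, sma, port)
    return result


if __name__ == "__main__":
    cloud_sma = Appliance("cloud SMA", in_datacenter=True)
    external_esa = Appliance("external ESA", in_datacenter=False)
    cloud_esa = Appliance("cloud ESA", in_datacenter=True)
    external_sma = Appliance("external SMA", in_datacenter=False)
    for label, sma, esa in [
        ("external ESA paired with cloud SMA", cloud_sma, external_esa),
        ("cloud ESA paired with external SMA", external_sma, cloud_esa),
    ]:
        print(label)
        for service, ok in functional_services(sma, esa).items():
            print(f"  {service:40s} {'supported' if ok else 'NOT supported'}")
```

Running it reproduces the two conclusions of the answer: with a cloud SMA and an external ESA only Reporting and Message Tracking are supported, and with a cloud ESA and an external SMA nothing is, because the SSH session that everything else depends on is blocked at the datacenter edge. If the inbound allow-list ever changes, updating `DATACENTER_INBOUND_PORTS` is the only edit needed to re-derive the table.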