If your network is configured as described in Network Planning, incoming mail from the Internet is received by appliances in the outer DMZ. Clean mail is sent along to the mail transfer agent (MTA) (groupware) in the inner DMZ and eventually to the end users within the corporate network.

Spam and suspected spam (depending on your mail flow policy settings) is sent to the spam quarantine on the Security Management appliance. End users may then access the quarantine and elect to delete spam and release messages that they would like to have delivered to themselves. Messages remaining in the spam quarantine are automatically deleted after a configurable amount of time.

Messages that are released from the external quarantine on the Security Management appliance are returned to the originating Email Security appliance for delivery. These messages do not normally pass through the following processes before delivery: HAT and other policy or scanning settings, RAT, domain exceptions, aliasing, incoming filters, masquerading, bounce verification, and the work queue.

An Email Security appliance that is configured to send mail to a Security Management appliance will automatically expect to receive mail released from the Security Management appliance and will not reprocess those messages when they are received back. For this to work, the IP address of the Security Management appliance must not change. If the IP address of the Security Management appliance changes, the receiving Email Security appliance will process the message as it would any other incoming message. You should always use the same IP address for receiving and delivery on the Security Management appliance.

The Security Management appliance accepts mail for quarantining from the IP addresses specified in the spam quarantine settings. To configure the spam quarantine on the Security Management appliance, see the Cisco Content Security Management Appliance User Guide.

Mail released by the Security Management appliance is delivered to the primary and secondary hosts (content security appliance or other groupware host) as defined in the spam quarantine settings (see the Cisco Content Security Management Appliance User Guide). Therefore, regardless of the number of Email Security appliances delivering mail to the Security Management appliance, all released mail, notifications, and alerts are sent to a single host (groupware or content security appliance). Take care not to overburden the primary host for delivery from the Security Management appliance.

If you are currently using the local spam quarantine on an Email Security appliance but would like to migrate to an external spam quarantine hosted on a Security Management appliance — while retaining access to the messages in the local quarantine — you should prevent new messages from entering the local quarantine during the transition.

Consider the following possible strategies:

• Configuring anti-spam settings — Configure the anti-spam settings on your mail policy specifying the Security Management appliance as the alternate host. This action sends new spam to the external quarantine while still allowing access to the local quarantine.
• Setting a shorter expiration time — Configure the Schedule Delete After setting on the local quarantine to a shorter duration.
• Deleting all of the remaining messages — To delete all remaining messages in the local quarantine, disable the quarantine and the click the “Delete All” link on the local quarantines page (see Deleting Messages from the Spam Quarantine). This link only becomes available when a local spam quarantine with messages still contained in it has been disabled.

You should now be ready to enable the external quarantine and disable the local quarantine.

Note	If both the local quarantine and the external quarantine are enabled, the local quarantine is used.

Email Security Appliance Reprocesses Messages Released from External Quarantine

Problem: Messages released from the Security Management appliance are unnecessarily reprocessed by the Email Security appliance.

Solution: This can occur if the IP address of the Security Management appliance has changed. See Mail Flow and the External Spam Quarantine.

You can centralize policy, virus, and outbreak quarantines on a Security Management appliance. Messages are processed by Email Security appliances but are stored in quarantines on the Security Management appliance.

Centralizing policy, virus, and outbreak quarantines offers the following benefits:

• Administrators can manage quarantined messages from multiple Email Security appliances in one location.
• Quarantined messages are stored behind the firewall instead of in the DMZ, reducing security risk.
• Centralized quarantines can be backed up using the standard backup functionality on the Security Management appliance.

For complete information, see the user guide or online help for your Security Management appliance.

When you centralize policy, virus, and outbreak quarantines, existing policy, virus, and outbreak quarantines on your Email Security appliance migrate to the Security Management appliance.

You will configure migration on the Security Management appliance, but migration occurs when you commit the change enabling centralized policy, virus, and outbreak quarantines on the Email Security appliance.

As soon as you commit this change, the following occur:

• Local policy, virus, and outbreak quarantines on the Email Security appliance are disabled. All new messages entering these quarantines will be quarantined on the Security Management appliance.
• Migration of existing non-spam quarantines to the Security Management appliance begins.
• All local policy, virus, and outbreak quarantines are deleted. If you configured a custom migration, any local policy quarantines that you chose not to migrate are also deleted. For effects of deleting policy quarantines, see About Deleting Policy Quarantines.
• A message that was in multiple quarantines before migration will be in the corresponding centralized quarantines after migration.
• Migration happens in the background. The amount of time it takes depends on the size of your quarantines and on your network. When you enable centralized quarantines on the Email Security appliance, you can enter one or more email addresses that will receive notification when migration is complete.
• The settings in the centralized quarantine, not those of the originating local quarantine, apply to the messages. However, the original expiration time still applies to each message.

Note	All centralized quarantines that are automatically created during migration have the default quarantine settings.

When you disable centralized policy, virus, and outbreak quarantines on the Email Security appliance:

• Local quarantines are automatically enabled on the Email Security appliance.
• System-created quarantines and quarantines that are referenced by message filters, content filters, and DLP message actions are automatically created on the Email Security appliance. The Virus, Outbreak, and Unclassified quarantines are created with the same settings that they had before quarantines were centralized, including assigned user roles. All other quarantines are created with default settings.
• Newly quarantined messages go immediately to local quarantines.
• Messages in the centralized quarantine at the time it is disabled remain there until one of the following occurs:
  • Messages are manually deleted or automatically deleted when they expire.
  • Messages are manually or automatically released, if one of the following is also true:

* An alternate release appliance is configured on the Security Management appliance. See the online help or documentation for the Security Management appliance.

* Centralized quarantines are again enabled on the Email Security appliance.

If a Cisco Content Security Management Appliance Goes Out of Service

If Policy, Virus, and Outbreak Quarantines are centralized on a Security Management appliance that goes out of service, you should disable these centralized quarantines on the Email Security appliance.

If you deploy a replacement Security Management appliance, you must reconfigure quarantine migration on the Security Management appliance and on each Email Security appliance. See the table in the “Centralizing Policy Virus, and Outbreak Quarantines” section in the “Centralized Policy, Virus, and Outbreak Quarantines” chapter in the online help or user guide for the Security Management appliance.