ESA POV Best Practices 1510
Table of Contents
1 Introduction
2 POV Process
3 Training
4 Deployment
5 Software Download
6 Installation
6.1 Virtual Appliance Install
6.2 Licensing
6.3 Initial Configuration
Cisco Email Security Appliance POV Best Practices
1 Introduction
The Cisco Global Security Sales Organization (GSSO) is pleased to announce the FY15 Email Security Appliance
(ESA) Proof of Value (POV) Best Practices guide. Cisco is providing this documentation to help explain the POV
process and accelerate the adoption of content security solutions for web-based applications. This document
provides information on the POV process, training, software download, installation, licensing, initial
configuration, customer deployment, report generation, and device sanitization.
2 POV Process
A POV is a customer engagement that demonstrates unique business value during an on-site engagement. The
POV process requires a scoping exercise to identify win criteria for a customer. Win criteria are used to focus the
on-site engagement on the solution elements that are most important to a particular customer. Appendix A
includes scoping questions to help establish win criteria for ESA POVs.
There are two types of POV, tactical and strategic. One key differentiator between these POV types is that a
tactical POV leverages available hardware, while a strategic POV is designed to address the larger customer
business outcomes and leverages appliances that deliver the desired performance of the customer. Another
key differentiator is that a tactical POV is usually 45 days or less and a strategic POV can be longer as dictated
by customer requirements. Most partner-executed POVs will be tactical, leveraging virtual instances of the ESA
(ESAv). Hardware for the ESAv can either be provided by the customer or partner.
Tactical POVs help to ensure an efficient delivery of a professional evaluation of the solution. Ideally, all
customer configurations should be implemented prior to arriving on site based on pre-defined customer
evaluation data. Customer data includes network, management, span configuration, active directory and rack
and power data. A worksheet to collect this information is available in Appendix B.
The following sections cover system installation and configuration steps for a partner executed POV. Keep in
mind that a successful POV is defined prior to going on-site and win criteria are unique for each customer. This
guide provides general best practices, but you should edit any configuration items as required to establish
unique business value for your customer.
3 Training
To prepare for a successful ESA POV, we recommend that you work through Stage 4 of the Pre-Sales SE
Development model for Content Threat. Additional Details are available on the following posts.
4 Deployment
For the POV process, there are benefits to deploying the Cisco ESAv. These benefits include the ability to plan
for any number of employees with less concern for limitations on space, electrical power, or features. The
virtual appliance management interface is identical to that of the physical appliance. Increases in mail-flow
capacity are accommodated by turning on more Cisco ESA virtual machines in the Cisco Unified Computing
System (Cisco UCS) or VMware environments. A single license can be shared by multiple Cisco ESA and ESAv
machines, as licensing corresponds to the number of mailboxes being serviced.
5 Software Download
The instructions that follow demonstrate how to pull down the required software for the ESAv. There are
many possible software requirements and the information below serves as an example of a common
configuration for a partner executed POV. Please adjust the process outlined below as required to match your
hardware specifications.
If you are unable to access any software due to entitlement, engage with your Cisco alliance manager and
associate your CCO account with your company to grant partner-level CCO access. If you are still unable to
access the software, open a case with partner help to request required software through the special file
publish process: https://communities.cisco.com/docs/DOC-55301
For best performance, ESAv requires system software version 8.5 or later. For the purpose of this document,
we will assume your ESAv is running ver. 8.5 or later.
Select Cisco Email Security Virtual Appliance C000V: phoebe-8-5-6-073-C000V.zip or the latest version of
this if a newer version beyond 8.5 is available. You can also choose to download & install the C100V or C300V
models if the customer needs to test those instead, but there are no differences in features between the 3
models, just higher performance with the C100V and C300V.
Click Download and save the C000V.zip file to your local machine.
6 Installation
The instructions that follow assume you are installing on a VMware ESXi host. Supported versions are ESXi 5.0
and 5.1. Details of the system requirements for all models of the content security virtual appliances can be
found here:
http://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf
Ensure you have connectivity between the ESXi host and the ESA C000V.ova file on your local machine.
Launch the VMware vSphere client and enter the ESXi host's IP address and login credentials.
Browse to the location of the archive and select the C000V.ova file. The file you are using may be newer than
what is in the screen shot included here.
Click Next to continue deploying the OVF Template. Provide a name for the Virtual Machine and click Next.
On the next screen, change the selection to Thin Provision. Thick provisioning pre-allocates hard drive space,
but provides no performance benefit over thin provisioning. Thin provisioning does not pre-allocate disk space,
which maintains performance while maximizing use of available storage.
Select the appropriate destination network from the inventory and click Next. In this example, we used a
preconfigured network (DATAstore1) on the ESXi host and selected the ESA's management interface. Confirm
the OVF Template settings and click Finish.
The Virtual Machine will deploy in about 5 minutes depending on the ESXi host and client machine hardware
specifications and network connection.
Once the virtual machine is deployed successfully, select it in the left-hand pane and power it on. Upon initial
startup, the ESAv will complete the bootstrap and initial configuration process. Setup takes several minutes.
Select the Console tab in your ESXi host to view the progress.
By default, the ESAv attempts to assign an IP address via DHCP. You can choose to communicate with the ESAv
using the DHCP-assigned IP address, or you can manually modify the IP address from the console CLI using the
interfaceconfig command. For the purpose of this documentation, we utilized a DHCP server.
To log into the console, use the default login of admin and password of ironport.
To view the DHCP-assigned IP address of the management and other interfaces, such as an inbound or
outbound mail interface, enter interfaceconfig at the CLI.
The example below shows the management interface settings. Write down the DHCP-assigned IP address of the
management interface; you will need it to launch the web-based management for the ESAv.
Use the edit command to manually configure your interface IP addresses. For the purposes of most PoVs, you
can use the management interface of the ESAv appliance for both management and email security functions.
This is the approach we will use in this document.
After interface configuration is complete, it is helpful to create a snapshot of your ESAv. Snapshots enable an
administrator to revert to a previous state at any time in the future. This is useful so that the ESAv can be
reverted to this clean state after a customer engagement and used to prepare for the next partner-executed
PoV. After the PoV is finished, simply delete the VM and use the baseline one from the snapshot for the next
customer.
Prior to taking snapshots, it is a best practice to power down virtual machines. Use the native OS when
possible to ensure minimum disruption. Once a VM is powered down, use the vSphere client to take a
snapshot. Navigate to Home > Inventory > Inventory and select the appropriate VM. From the toolbar, select
the Take Snapshot button. In the pop-up window enter a Name and click OK. More information about
snapshot best practices is available in VMware documentation.
Use this snapshot as a clean baseline for ESAv PoVs and create a new snapshot from it, renaming the new one
with the customer's name.
This is the ESAv you will actually use on the customer's network for the PoV. After the PoV is completed and
you've gathered all the data on the ESAv for the PoV report you will deliver to the customer, you will delete
this VM and use the Baseline VM to create a new VM for the next customer. Each customer PoV will require a
new VM to be created and a new/separate demo license key created and installed. Licensing is described in
the next section.
6.2 Licensing
Before you can use the System Setup Wizard in the web management interface to configure the ESAv, it must
first have a valid license key installed. View the instructions in the guide available here to request POV Licenses
from Partner Help: https://communities.cisco.com/docs/DOC-55301
Upon receiving this case, Partner Help will generate POV license keys. You will receive ESA license keys that
should be saved and unzipped on your local machine and can be loaded using the instructions provided by
partner help. One Customer Opportunity (POV) license extension will be granted per customer. To receive the
extension, open a new partner help case following the process above. Additional details are available on this
post: https://communities.cisco.com/docs/DOC-55301
Save and unzip the license file to your local machine. You may use either an SSH session or an FTP client to
install the license file. This document uses the SSH method. The example below uses PuTTY and starts after
connecting to the server.
Copy and paste the XML into the session, hit enter to ensure you are on a blank line, then hit Ctrl-D. Press
Enter and then hit the space key to review/accept each page of the license agreement and enter Yes on the
last page to accept.
After accepting the license agreement, the status of the feature keys can be seen in the console window
shown below on left, and also here in the web UI screen shown on the right. The ESAv now has all the feature
licenses installed from the demo license key.
Optional Steps
Assigning IP, hostname and gateway
The ESA VM will obtain an address via DHCP if available. To set a new static IP, use the
interfaceconfig, setgateway and sethostname commands:
esa-pov.dc.inc> sethostname
[ironport.example.com]> esa-pov.acmeconsulting.com
<Commit Changes>
[10.20.20.31]> 10.20.20.222
Netmask (Ex: "24", "255.255.255.0" or "0xffffff00"):
[0xffffff00]> 24
Would you like to configure an IPv6 address for this interface (y/n)? [N]> n
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[3]>
Hostname:
[ironport.example.com]> esa-pov.dc.inc
Do you want to enable Telnet on this interface? [Y]> n
Do you want to enable SSH on this interface? [Y]> y
Which port do you want to use for SSH?
[22]>
Do you want to enable FTP on this interface? [N]> y
Which port do you want to use for FTP?
[21]>
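In the session above Telnet defaults to Y and FTP is switched on, and both carry logins in cleartext. The following added example (not part of the original guide or any Cisco tooling) parses a saved interfaceconfig transcript in the prompt format shown above, applies the bracketed default when an answer is blank, and lists the cleartext services left enabled; the ALL_DEFAULTS sample, including its Telnet port prompt, is constructed for illustration.

```python
import re

# Constructed sample: the service prompts from the interfaceconfig session above.
POV_SESSION = """\
Do you want to enable Telnet on this interface? [Y]> n
Do you want to enable SSH on this interface? [Y]> y
Which port do you want to use for SSH?
[22]>
Do you want to enable FTP on this interface? [N]> y
Which port do you want to use for FTP?
[21]>
"""

# Constructed sample: the same prompts with Enter pressed at every one.
# The Telnet port prompt and its [23] default are assumed for illustration.
ALL_DEFAULTS = """\
Do you want to enable Telnet on this interface? [Y]>
Which port do you want to use for Telnet?
[23]>
Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH?
[22]>
Do you want to enable FTP on this interface? [N]>
"""

CLEARTEXT = {"telnet", "ftp"}  # logins cross the network unencrypted

ENABLE_RE = re.compile(r"enable (\w+) on this interface\? \[([YN])\]>\s*(\S*)", re.I)
PORT_Q_RE = re.compile(r"Which port do you want to use for (\w+)\?")
PORT_A_RE = re.compile(r"^\[(\d+)\]>\s*(\d*)$")


def parse_services(transcript):
    """Map service name -> {"enabled", "port"}; a blank answer takes the [default]."""
    services, pending = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = ENABLE_RE.search(line)
        if m:
            name, default, answer = m.groups()
            enabled = (answer or default).lower().startswith("y")
            services[name] = {"enabled": enabled, "port": None}
            pending = None  # drop any unanswered port question
            continue
        m = PORT_Q_RE.search(line)
        if m:
            pending = m.group(1)  # the answer arrives on the next prompt line
            continue
        m = PORT_A_RE.match(line)
        if m and pending in services:
            services[pending]["port"] = int(m.group(2) or m.group(1))
            pending = None
    return services


def cleartext_findings(services):
    """Enabled services whose logins are sent in cleartext."""
    return [f"{name} enabled on port {svc['port']}"
            for name, svc in sorted(services.items())
            if svc["enabled"] and name.lower() in CLEARTEXT]


if __name__ == "__main__":
    for label, text in (("PoV session", POV_SESSION), ("all defaults", ALL_DEFAULTS)):
        print(label, "->", cleartext_findings(parse_services(text)) or "no cleartext services")
```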
Once in the GUI, select System Administration > System Setup Wizard.
Here you can define the email address that system alerts and scheduled reports should go to, as well as
change the default password, set system time and change the hostname of the virtual appliance.
Selecting Next will bring you to the Network Configuration screen where you may change any of the network
settings that were previously defined.
Select Next again to reach the Message Security options screen. Select the options as shown below:
Select Next one more time and you will be presented with all of your options for review. Verify everything is
correct and then hit Install This Configuration.
At this point you will be presented with the Active Directory Wizard. This is an optional step, but recommended
for Active Directory based POVs.
Next, enable key services for the PoV (URL filtering, message tracking, marketing, OF) by going to Security
Services and then selecting the relevant services.
Check the box for enabling each service and click Submit.
Next, turn on Message Tracking by going to Security Services > Message Tracking and selecting Edit Settings.
Check the box to Enable Message Tracking Service, make sure that the Local Tracking radio button is selected,
and check the box for Save tracking information for rejected connections, then click Submit.
Set Incoming Mail Policies by going to Mail Policies > Incoming Mail Policies.
Create an Anti-Spam policy by clicking the Policy hotlink under Anti-Spam.
Set Enable Marketing Email Scanning to Yes and Prepend the [Marketing] tag to the subject, then Submit the
policy.
Create an Outbreak Filter Policy by clicking the hotlink under Outbreak Filters.
Click the check box for Enable message modification and then select the enable radio buttons as shown below.
Lastly, verify that Advanced Malware Protection is enabled, under Security Services > Advanced Malware
Protection > File Reputation and Analysis.
Verify that both File Reputation and File Analysis are Enabled. If further settings are needed click Edit Global
Settings.
On this screen you can enable SSL (Port 443) for File Reputation Communication if required, as well as adjust
reputation thresholds and query and processing timeouts.
At this point the POV is ready to run. Show the customer around the Monitoring pages and make sure they
understand what each area does.
7 Report Generation
After collecting traffic and testing policies during the PoV, there will be ample data to run reports and copy
into a deliverable report you can present to the customer to demonstrate the power and value of the ESA. You
will need to spend some time running various reports and choosing the most relevant ones that will have the
most meaning for the customer.
The first recommended report is found on the Monitor > Overview page. Adjust the time range to the desired
value and select the Printable (PDF) link on the top right to open the report in a new window that can be saved
as a PDF. This provides a useful system overview with additional details about incoming and outgoing mail.
The next recommended report is found on the Monitor > High Volume Mail page. Adjust the time range to the
desired value and select the Printable (PDF) link on the top right to open the report in a new window that can be
saved as a PDF.
The next recommended report is found on the Monitor > Outbreak Filters page. Adjust the time range to the
desired value and select the Printable (PDF) link on the top right to open the report in a new window that can be
saved as a PDF.
The next recommended report is found on the Monitor > URL Filtering page. Adjust the time range to the
desired value and select the Printable (PDF) link on the top right to open the report in a new window that can be
saved as a PDF.
The final recommended report is found on the Monitor > Advanced Malware Protection page. Adjust the time
range to the desired value and select the Printable (PDF) link on the top right to open the report in a new
window that can be saved as a PDF. This provides information about incoming malware threats.
8 Resources
Win criteria needs to be defined before a partner executed PoV begins so that you are able to quickly
demonstrate unique business value to the customer during the on-site engagement. This process focuses the
engagement on the solution elements that are most important to the customer. The worksheet below serves
as a starting point to develop win criteria for a Tactical Partner Executed PoV and can be adjusted for a
Strategic POV or as required based on dialogue with your customer.
Circle Yes or No for each Win Criteria below based on your customer's response to the question.
Visibility: Do you want to have a better understanding of the users on your network and emails flowing into
and out of your organization? Yes / No
Threat: Are you concerned about bad actors in your environment and the threat that they pose to other
internal systems? Yes / No
Reputation: Do you value a robust reputation service that helps to limit email from known bad senders and
actors on the Internet? Yes / No
Malware Detection: Would you like to implement email malware detection with file reputation, sandboxing,
and retrospection? Yes / No
Thank you for giving Cisco the opportunity to demonstrate the web security capabilities of the WSA. Please
provide the following information to prepare for the evaluation.
1. Local Time Zone _______________________________________
2. IP Addresses
Management IP for WSAv _____________________
Management IP Address for ESXi Server _____________________
Mail Server IP Address _____________
DNS Servers if local lookup is preferred _____________________ _____________________
Active Directory server for user authentication (optional) _____________________
3. Email Address that alerts and reports should be sent to_____________________________
4. Active Directory Credentials (optional) _________________________________
5. List types of policies required during the PoV -
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
6. Desired Rack and Power configuration. What type of AC power is required?
7. Length of Evaluation _____________________