Multiple-appliance Forcepoint Email Security deployments

Applies to:
  • Forcepoint Email Security, v8.5.x

Multiple-appliance deployments can be implemented when message volume warrants having greater processing capacity. When the deployed appliances are all in standalone mode, the appliances can be a mix of V Series machines and virtual appliances. An appliance cluster usually cannot contain a mix of appliance platforms.

An X Series modular chassis may include multiple blade servers running Forcepoint Email Security.

Email appliance cluster with Email Security Hybrid Module

Multiple V Series appliances are configured in a cluster for this deployment scenario. You may also consider multiple virtual appliances or X10G blade servers for this scenario. This email protection environment includes the Email Security Hybrid Module in-the-cloud analysis. See Single email appliance with Email Security Hybrid Module for information about the email hybrid service.

You may want to use a third-party load balancer with an appliance cluster, to distribute email traffic among your appliances. Appliances in a cluster all have the same configuration settings, which can streamline a load balancing implementation.

Personal Email Manager traffic load balancing may be accomplished via cluster configuration. After a cluster is created, designate the Personal Email Manager access point on the page Settings > Personal Email > Notification Message, in the Personal Email Manager Portal section. Personal Email Manager traffic is routed to this designated IP address. This appliance then passes the traffic on to other appliances in the cluster via the round robin forwarding mechanism.

To create a cluster, add an appliance to the email appliances list on the page Settings > General > Email Appliances, then configure these appliances in a cluster on the page Settings > General > Cluster Mode. See Configuring an appliance cluster in the Forcepoint Email Security Administrator Help for details.

A primary appliance in a cluster may have up to seven secondary (or auxiliary) appliances. Configuration settings for any cluster appliance are managed only on the primary appliance Email Appliances page (Settings > General > Email Appliances).

Cluster appliances must all be running in the same security mode. The versions of the Forcepoint Security Manager and of every cluster appliance must match for cluster communication to work properly.

In order to protect the messages stored in the email message queues, appliances added to a cluster must have the same message queue configuration as the other cluster appliances. For example, an administrator-created queue on appliance B must be configured on primary cluster appliance A before appliance B is added to the cluster. Message queue records may be lost if this step is not performed before cluster creation.

Multiple standalone email appliances

A deployment of multiple standalone V Series appliances, virtual appliances, or X Series blade servers might be useful if each appliance must have different configuration settings. Two standalone scenarios are described in this section:
  • Using domain-based routing
  • Using DNS round robin

These environments include the Forcepoint Email Security Hybrid Module in-the-cloud filtering. See Single email appliance with Email Security Hybrid Module for information about the email hybrid service.

Using domain-based routing

You can configure domain-based delivery routes so that messages sent to recipients in specified domains are delivered to a particular appliance. Configuring a delivery preference for each SMTP server facilitates message routing.

Configure the domain groups for which you want to define delivery routes on the page Settings > Users > Domain Groups > Add Domain Groups. See the Administrator Help for Forcepoint Email Security for information about adding or editing domain groups.
To set up a domain-based delivery route on the page Settings > Inbound/Outbound > Mail Routing:
  1. From the section Domain-based Routes, click Add. The Add Domain-based Route page displays.
  2. In the field Name, enter a name for your route.
  3. From the Route order drop-down list, select a route order to determine the route’s scanning order.
  4. From the Domain group drop-down list, select a destination domain from the pre-defined domains. The default is Protected Domain. Information about the selected domain group appears in the Domain details box.

    To add a new domain group to the list, navigate to Settings > Users > Domain Groups and click Add.

    To edit your selected domain group, click Edit to open the Edit Domain Group page.
    Important:

    The Protected Domain group defined on the page Settings > Users > Domain Groups should not be used to configure email delivery routes if you need to define domain-based delivery routes via multiple SMTP servers.

    Create domain groups that contain subsets of the Protected Domain group for mail routing purposes.

  5. Select the SMTP server IP address delivery option to open the SMTP Server List:
    1. Click Add to open the Add SMTP Server dialog box.
    2. Enter the SMTP server IP address or hostname and port.
    3. Mark the Enable MX lookup check box to enable the MX lookup function.
      Important:

      If you entered an IP address in the previous step, the MX lookup option is not available.

      If you entered a hostname in the previous step, this option is available.
      • Mark the Enable MX lookup check box for message delivery based on the hostname MX record.
      • If you do not mark this check box, message delivery is based on the hostname A record.
    4. Enter a preference number for this server (from 1–65535; default value is 5).

      If a single route has multiple defined server addresses, mail delivery is attempted in the order of server preference. When multiple routes have the same preference, round robin delivery is used. You may enter no more than 16 addresses in the SMTP Server List.

  6. Select any desired security delivery options.
    1. Select Use Transport Layer Security (TLS) if you want email traffic to use the opportunistic TLS protocol.
    2. Select Require authentication when you want users to supply credentials. Enter the appropriate user name and password in the Authentication Information box. You must use the SMTP server IP address delivery method when you want users to authenticate.
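The server-selection rules from this procedure, as an added example in Python (not Forcepoint code): a route's SMTP servers are tried in preference order, servers that share a preference are used round robin (rotating the start point between messages is an assumption; the page only says round robin is used), the SMTP Server List is capped at 16 entries, the preference range is 1-65535 with a default of 5, and MX lookup is refused for an entry given as an IP address. Class and function names are invented for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from itertools import groupby
MAX_SERVERS = 16  # "no more than 16 addresses in the SMTP Server List"

def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

@dataclass
class SmtpServer:
    host: str            # IP address or hostname, as entered in Add SMTP Server
    preference: int = 5  # 1-65535, default 5
    mx_lookup: bool = False

    def __post_init__(self):
        if not 1 <= self.preference <= 65535:
            raise ValueError(f"preference {self.preference} outside 1-65535")
        if self.mx_lookup and is_ip(self.host):
            # Enable MX lookup is not offered when an IP address was entered
            raise ValueError(f"MX lookup unavailable for IP address {self.host}")

@dataclass
class DomainRoute:
    name: str
    domains: frozenset  # the route's domain group, a subset of Protected Domain
    servers: list = field(default_factory=list)
    rr_cursor: dict = field(default_factory=dict)  # round robin position per preference

    def add_server(self, server: SmtpServer) -> None:
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("SMTP Server List holds at most 16 addresses")
        self.servers.append(server)

    def delivery_order(self) -> list:
        """Hosts in the order delivery is attempted for the next message."""
        order = []
        by_pref = sorted(self.servers, key=lambda s: s.preference)
        for pref, group in groupby(by_pref, key=lambda s: s.preference):
            group = list(group)
            start = self.rr_cursor.get(pref, 0) % len(group)
            order += [s.host for s in group[start:] + group[:start]]
            self.rr_cursor[pref] = start + 1  # rotate equal-preference servers (assumed)
        return order

def route_for(routes: list, recipient: str):
    """First route (in route order) whose domain group contains the recipient's domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return next((r for r in routes if domain in r.domains), None)
```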

Using DNS round robin

Email traffic distribution among multiple standalone appliances can be accomplished by using the domain name system (DNS) round robin method for distributing load.

With the email hybrid service configured and running, set up the round robin system as follows:
  1. Enter the SMTP server domain in the Delivery Route page of the email hybrid service configuration wizard used for registering the email protection system with the email hybrid service (Settings > Hybrid Service > Hybrid Configuration).
  2. Register the IP addresses of the appliances you want subject to the round robin method in the SMTP domain.

If email hybrid service is not enabled, you need to modify your MX records to allow round robin load balancing. Ask your DNS manager (usually your Internet service provider) to replace your current MX records with new ones for load balancing that have a preference value equal to your current records.
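The MX record change this paragraph describes, shown as an added illustration in BIND zone-file syntax (not from the page; the domain, host names and addresses are constructed): the single existing record is replaced by one record per standalone appliance, each carrying the same preference value as the original, so sending MTAs treat the hosts as interchangeable and spread connections across them.

```zone
; Before: one MX record, all inbound mail goes to a single host
example.com.    IN  MX  10  mail.example.com.
mail            IN  A   192.0.2.10

; After: one MX record per standalone appliance, same preference (10) as before
example.com.    IN  MX  10  mx1.example.com.
example.com.    IN  MX  10  mx2.example.com.
example.com.    IN  MX  10  mx3.example.com.
mx1             IN  A   192.0.2.11
mx2             IN  A   192.0.2.12
mx3             IN  A   192.0.2.13
```

Every appliance listed must be configured to accept mail for the domain, because each equal-preference host receives a share of the inbound connections and a host that rejects them turns that share into delivery failures.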