    Does failover and Scanner MEG sends SMTP traffic?


      Hi everybody,


      I've some experience with MEG clustering, but a McAfee provider told me something that makes no sense to me.


      "In a cluster environment (Master, Failover, Scanner) all the appliances send SMTP traffic"


      Is that true?


      The scenario he proposes is this:


      The 3 appliances must have a public IP (NAT) assigned for outbound SMTP traffic because the Master balances the traffic to the failover and the scanner.


      The inbound traffic goes through the NAT to the cluster VIP...



      I've installed some MEG clusters (Master, failover and Scanner) and the only IP with an inbound/outbound NAT is the cluster virtual IP. That's it, and everything is working.


      The master and failover have "Enable scanning on this appliance" checked, AND that's where I understand the master does load balancing, but just for the scanning.


      The master still does the SMTP inbound and outbound traffic until it fails over to the secondary MEG.


      I had a lot of discussions with fellow working partners and we want to know the truth.


      Who's right? Is there a KB or McAfee document about this?



      Best Regards

        • 1. Re: Does failover and Scanner MEG sends SMTP traffic?

          The answer to that question is perhaps a little less simple than it appears.  My answer would be both yes and no.  Let me explain.


          When a message comes into the MEG cluster, the traffic comes to the VIP which is serviced by whatever appliance is in charge of the cluster at the moment.  If the Master is up, the master will service the vip.  If the master is dead, the failover has control and would service the VIP.  The device in charge checks the scanners in the cluster and picks one to which to hand off the connection.  That device now handles the rest of the conversation directly, after a fashion.  When it decides to send the message onwards, it opens the connection to the onward server and delivers the message.  That said, it's a bit more complicated than that.


          When digging through packet captures, it can be seen that, when sending mail to an external device, the scanner device creates a TCP/IP packet with the remote server's destination IP and port and its own IP and port as the source.  A moment later, the master sends the exact same packet with its IP and port as the source IP.  Digging down to the physical level, however, this becomes a bit clearer.  When the scanner sends the message, it sends the packets with a destination MAC address of the Master MEG appliance, not the default gateway.  For all intents and purposes, the cluster scanners treat the master as their default gateway.  The master then adjusts the source IP so that the traffic comes back to itself and then sends it on its way.


          The reason I say that both yes and no are valid answers is because sometimes, firewalls/routers don't pay attention to the fact that the destination MAC isn't itself.  Rather they work their way in to the IP layer and see the destination IP and go ahead and try to deliver it onward.  They shouldn't, but that doesn't always stop them.
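As an added example (not from the original thread and not McAfee's code), here is a small Python check of the packet-capture observation described in the reply above: given frames taken from a span port on the appliances' VLAN, it lists which source IPs are actually addressed to the gateway's MAC (those are the real IPs that leave the LAN and need an outbound NAT) and pairs each scanner-to-master handoff with the re-sourced copy the master sends on. All MAC addresses, IP addresses and the sample frames are constructed for the example.

```python
from collections import namedtuple

# One captured frame reduced to the fields the check needs.
Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip dst_port seq")

# Constructed addresses (assumed for the example, not from a real cluster).
MASTER_MAC = "52:54:00:aa:00:01"   # master appliance, real IP 10.0.0.100
SCANNER_MAC = "52:54:00:aa:00:03"  # dedicated scanner, real IP 10.0.0.103
GATEWAY_MAC = "00:00:5e:00:01:01"  # default gateway, 10.0.0.1

# Constructed sample capture. Frame 1: the scanner sends its SMTP segment
# with the MASTER's MAC as destination, not the gateway's. Frame 2: the
# master forwards the same segment (same dst IP/port/seq) to the gateway
# with its own IP as source. Frame 3: the master scanning a message itself
# goes straight to the gateway. Frame 4: inbound delivery to the VIP.
SAMPLE = [
    Frame(SCANNER_MAC, MASTER_MAC, "10.0.0.103", "203.0.113.25", 25, 1000),
    Frame(MASTER_MAC, GATEWAY_MAC, "10.0.0.100", "203.0.113.25", 25, 1000),
    Frame(MASTER_MAC, GATEWAY_MAC, "10.0.0.100", "198.51.100.7", 25, 2000),
    Frame(GATEWAY_MAC, MASTER_MAC, "198.51.100.7", "10.0.0.102", 25, 3000),
]


def classify(frames, master_mac, gateway_mac, smtp_port=25):
    """Classify outbound SMTP frames from a capture.

    Returns a dict with:
      nat_required: source IPs of frames addressed to the gateway MAC, i.e.
                    the real appliance IPs that egress and need an outbound NAT
      handoffs:     {scanner_ip: rewritten_src_ip} for scanner-to-master frames
                    that reappear on the gateway side with the same
                    (dst_ip, dst_port, seq) but a different source IP
      unmatched:    scanner-to-master frames with no matching egress frame
    """
    # Index every gateway-bound SMTP frame by the fields the master keeps
    # unchanged when it re-sources the segment.
    egress_by_key = {}
    for f in frames:
        if f.dst_mac == gateway_mac and f.dst_port == smtp_port:
            egress_by_key[(f.dst_ip, f.dst_port, f.seq)] = f.src_ip

    handoffs, unmatched = {}, []
    for f in frames:
        # A handoff is an SMTP frame sent TO the master's MAC by a node that
        # is neither the master nor the gateway (gateway->master is inbound).
        is_handoff = (
            f.dst_mac == master_mac
            and f.src_mac not in (master_mac, gateway_mac)
            and f.dst_port == smtp_port
        )
        if not is_handoff:
            continue
        rewritten = egress_by_key.get((f.dst_ip, f.dst_port, f.seq))
        if rewritten is None:
            unmatched.append(f.src_ip)
        else:
            handoffs[f.src_ip] = rewritten

    return {
        "nat_required": sorted(set(egress_by_key.values())),
        "handoffs": handoffs,
        "unmatched": sorted(set(unmatched)),
    }


if __name__ == "__main__":
    result = classify(SAMPLE, MASTER_MAC, GATEWAY_MAC)
    print("real IPs that egress (need outbound NAT):", result["nat_required"])
    print("scanner handoffs re-sourced by master:   ", result["handoffs"])
    print("handoffs with no egress copy:            ", result["unmatched"])
```

Against the constructed capture only the master's real IP shows up as an egress source, and the scanner's segment is paired with the master's re-sourced copy. To check the failover case, capture again while the failover holds the VIP and pass the failover's MAC as `master_mac`; the source IP that then appears in `nat_required` is the second address that needs an outbound NAT.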

          • 2. Re: Does failover and Scanner MEG sends SMTP traffic?

            Thank you eplossl


            It's more clear now



            • 3. Re: Does failover and Scanner MEG sends SMTP traffic?

              So in your two-server cluster scenario, how did you end up setting the NAT on the firewall? When we look at our outbound test messages, they are coming from the actual IP of the primary, not the VIP. Our primary is .100, failover is .101 and VIP is .102, all on the same subnet.

              • 4. Re: Does failover and Scanner MEG sends SMTP traffic?

                The master's IP will need a NAT, as will the Failover's.  The traffic will go out from the real IP of the master and the failover, whereas the VIP takes all inbound traffic.  As long as the master is up and running the traffic should all go out from the master's IP, but if it dies for some reason the traffic will all come out from the failover's real IP.