Whitelist TSAT in Cisco IronPort
If you’re using Cisco IronPort for spam filtering, you might want to whitelist/bypass certain sources to ensure Threatcop’s important emails and notifications get through to end users. This guide will walk you through the process of whitelisting in Cisco IronPort, specifically for TSAT.
Before you start the whitelisting process, you need to know which IP addresses, sender ID (domain) and ‘em’ of ‘SenderID’ to whitelist. For TSAT, you need to whitelist the following:
- Threatcop IPs
- Sender ID - While running the actual phishing simulation, the sender ID associated with that template will be whitelisted.
- Em of Sender ID -
The ‘em’ value of a domain can be found in the email headers. Here’s how you can do it:
- Open the Email: Open the email for which you want to find the ‘em’ value.
- Show Original: Look for an option to ‘Show Original’, ‘View Source’, or ‘View Message Source’. This option is usually found in the ‘More’ options in the email.
- Find the ‘em’ Value: In the original message source, look for a line that starts with ‘Received-SPF’. The ‘em’ value is usually found in this line and would look something like “em=domain.com”.
Remember, the steps to view the original message source can vary depending on the email client you are using.
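One way to pull the ‘em’ value out of a saved message source instead of reading the headers by eye, as an added example (not Threatcop's or Cisco's code). The sample message, its addresses and the `extract_em_values` helper are constructed for illustration, and the script assumes the `em=` token appears in a Received-SPF header as described above.

```python
import re
import sys
from email import message_from_bytes, policy
from pathlib import Path

# Constructed sample message (not a real TSAT email). The Received-SPF header
# is folded across several lines, as mail servers commonly do with long headers.
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.org; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Received-SPF: pass (mx.example.org: domain of bounce@domain.com\r\n"
    b"\tdesignates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;\r\n"
    b"\tem=domain.com;\r\n"
    b"From: Training <training@domain.com>\r\n"
    b"Subject: constructed test message\r\n"
    b"\r\n"
    b"body\r\n"
)

# 'em=' as a standalone key (so 'item=' does not match), followed by a
# hostname-like token that ends at whitespace, ';', ')' or a quote.
EM_TOKEN = re.compile(r"(?<![\w-])em=\"?([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_em_values(raw_message: bytes) -> list[str]:
    """Return the distinct 'em' values found in Received-SPF headers, in order."""
    # policy.default unfolds continuation lines, so a value on a folded line is found.
    msg = message_from_bytes(raw_message, policy=policy.default)
    found: list[str] = []
    for header in msg.get_all("Received-SPF", []):
        for value in EM_TOKEN.findall(str(header)):
            value = value.rstrip(".").lower()
            if value and value not in found:
                found.append(value)
    return found


if __name__ == "__main__":
    # With a file argument, read a saved .eml; otherwise use the sample above.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_EML
    values = extract_em_values(data)
    print("\n".join(values) if values else "no em= value in any Received-SPF header")
```

Save the message source from your mail client as an `.eml` file and pass its path as the first argument to check a real simulation email.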
- Whitelisting TSAT in Cisco IronPort: To whitelist TSAT in Cisco IronPort, follow these steps:
- Access the Admin Console: Start by logging into the Cisco IronPort admin console.
- Navigate to Mail Policies: From the admin console, navigate to the Mail Policies tab.
- Select HAT Overview: Ensure that the Inbound Mail listener is selected. Then, click on HAT Overview.


- Create WHITELIST: Create a new Sender Group through “Add Sender Group”.


- Add Sender: Click on Add Sender and add the IPs, ‘em’ values and hostnames of TSAT.

- Submit and Commit Changes: Click Submit and then Commit Changes.


- Navigate to the Mail Flow Policy and select your group mail policy.


- After following these steps, it’s recommended to set up a test phishing campaign to 1-2 users to ensure your whitelisting was successful.
- Bypassing Outbreak Filter Scanning
The instructions above do not prevent IronPort’s Outbreak Filter from scanning emails from TSAT’s IPs or hostnames. If you are experiencing issues with emails being quarantined, you may need to set TSAT’s IPs or hostnames to bypass this filter.
To skip Outbreak Filter Scanning, follow these steps:
- Access the Admin Console: Log into your Cisco IronPort admin console.
- Navigate to Mail Policies: From the admin console, navigate to the Mail Policies tab.
- Enter IPs or Hostnames: Under the Message Modification section, enter TSAT’s IP addresses or hostnames in the Bypass Domain Scanning table.
- After adding and saving TSAT’s bypass IPs and hostnames, commit the changes.
- Individual HAT Mail Flow Policy
If the above steps don’t work, follow the steps below.
- Navigate to Mail Policies > HAT Overview.
- Click on Sender Groups. Here you can see the predefined sender groups.
- Click on Add Sender Group to create a new sender group.
- Enter a name for the sender group and add the sender’s IP addresses, Sender ID and ‘em’ Sender ID.
- Click on Mail Flow Policies and then Add Policy to create a new mail flow policy.
- Configure the settings as desired. For example, you can disable Spam Detection and Virus Protection.
- Go back to the Sender Groups page and edit the sender group you created. Assign the new mail flow policy to this sender group.
- Click Submit and then Commit Changes.
- Edit Global Settings: Change the network Global Settings for smooth connectivity.
- Access the Admin Console: Start by logging into the Cisco IronPort admin console.

- Navigate to Network: Under the Network section, select Listener.

- Navigate to Edit Global Settings: Under the Listener section, go to Global Settings and select Edit Global Settings.

- Edit the Global Settings: Change Maximum Concurrent Connection to (Max = 5000) and Maximum Concurrent TLS Connection to (Max = 5000), then click Submit.

- When you are redirected to the Network section, click Commit Changes.
