Switching to FOPE from Google Postini, the Barracuda Spam and Virus Firewall, or Cisco IronPort
Applies to: Forefront Online Protection for Exchange
Topic Last Modified: 2012-09-14
This topic explains the steps involved when switching from another messaging protection solution to Forefront Online Protection for Exchange (FOPE). It provides a high-level understanding of the process and will point you to resources that contain more detailed instructions.
If you are using a cloud-based protection solution, such as Google Postini or McAfee Email Protection, your organization’s MX record, which controls where mail is sent, most likely points to the solution provider’s service. On the other hand, you might be using an appliance for messaging protection, such as the Barracuda Spam and Virus Firewall or Cisco IronPort. An appliance is a hardware device that provides messaging security at various capacity levels. They typically reside on the customer’s premises, requiring both power and space. If you are using a protection appliance, your MX record typically points to it and messages are filtered before reaching other parts of your network. In either case, email messages sent to recipients in your organization are routed to your protection solution before they reach your mail server.
The primary steps for implementing FOPE in place of your current solution include signing up for FOPE and changing your MX record to point to FOPE, so that messages sent to recipients in your organization are processed by FOPE before being sent to your mail server.
|If you are using an on-premises protection appliance to enforce policy rules (custom filtering rules that enable you to enforce specific company policies), and you would like to replace the appliance, Microsoft recommends that you implement FOPE in a phased manner. The following steps in this topic touch on specific considerations for this process, so that your organization’s policy rules or other custom settings remain in force during your transition to FOPE.|
Initiate a request to activate the FOPE filtering service.
Visit the Forefront Online Protection for Exchange website and complete the steps to provide Microsoft with your domain information. Microsoft will verify your domain, inbound IP address, and outbound IP address. (The video Activating Your Paid Forefront Online Protection for Exchange Service walks you through the sign-up process for FOPE and answers questions about licensing, providing your domain information, and signing in to the FOPE Administration Center.)
Note: The IP address that FOPE sends mail to after inbound mail processing is typically the IP address of your mail server. However, if you have an on-premises protection appliance that performs custom policy-rule enforcement, leave the appliance in place during your initial FOPE implementation and specify the protection appliance’s IP address as the inbound IP address.
Activate the FOPE filtering service.
For information on completing FOPE activation, see FOPE Setup and Provisioning and its subtopic, First Time Log on to the FOPE Administration Center, in the TechNet library. Additionally, the video Forefront Online Protection for Exchange: Activating Your Filtering Service shows you how to sign in to the FOPE Administration Center and activate the filtering service by validating and enabling your domain.
Perform any remaining FOPE setup steps.
This includes updating your MX record to point to FOPE, as described in Set up Inbound Email Filtering. Optionally, you can setup outbound messages filtering. Outbound filtering checks for outbound spam sent from computers within your organization, and it also provides virus scanning and policy-filter matching. These checks protect your partners as well as your organization’s email-sender reputation. See Set up Outbound Email Filtering for instructions on how to set up outbound filtering. The video Forefront Online Protection for Exchange: Configuring Your Filtering Service also shows the steps for updating an MX record and setting up filtering.
If you leave your protection appliance in place during your FOPE implementation, be sure to configure it to accept mail from the IP addresses that the FOPE data centers use to send mail, so that inbound messages sent from FOPE to the appliance are not blocked. These IP addresses can be found in the FOPE Administration Center by clicking the Information tab, and then clicking Configuration in the Welcome pane.
After you have updated your MX record and configured inbound and outbound filtering, it is recommended that you verify that FOPE is working properly by performing the steps specified in Verify the FOPE Setup.
- If you leave your protection appliance in place during your FOPE implementation, be sure to configure it to accept mail from the IP addresses that the FOPE data centers use to send mail, so that inbound messages sent from FOPE to the appliance are not blocked. These IP addresses can be found in the FOPE Administration Center by clicking the Information tab, and then clicking Configuration in the Welcome pane.
Create and test FOPE policy rules.
For details about policy rule settings, syntax, and processing, see Policy Rules. Microsoft recommends that you create and test policy rules in FOPE, rather than migrating or importing rules directly from another solution, because settings for email protection solutions can vary. If you have kept your protection appliance in place during your FOPE implementation, and you have created and tested policy rules in FOPE to match policy rules and custom settings enforced by your appliance, you can remove the appliance and configure your email filtering so that mail is routed directly from FOPE to your mail server.