Enable management of the FOPE gateway in FPE

 

Applies to: Forefront Protection for Exchange

In order to use Forefront Online Protection for Exchange (FOPE) as a filter for your mail stream and to manage your FOPE configuration through the Forefront Protection 2010 for Exchange Server Administrator Console, you must follow these steps to prepare your Exchange environment and enable management of the FOPE gateway in FPE:

  • Register with FOPE and create an account.

  • Install the FOPE Gateway. If you did not install the gateway during the Forefront Protection 2010 for Exchange Server install, you will need to install it using the instructions provided in the topic Installing the Forefront Online Protection for Exchange Gateway.

  • Configure the FOPE settings in FPE and retrieve the FOPE datacenter IP addresses.

  • Redirect your mail to the FOPE datacenter by changing your Mail Exchange (MX) records.

  • Configure your firewall rules and Exchange Edge receive connector information. This will ensure that only mail that has been filtered by FOPE is accepted into your organization.

Registering with FOPE and creating an account

To use FOPE for mail filtering, you will need to go to the FOPE web site (https://go.microsoft.com/fwlink/?LinkId=128194) to register your account. While configuring your profile, note all profile credential information for use later when configuring the FOPE settings in the Forefront Protection 2010 for Exchange Server Administrator Console. This includes the company name and user credentials.

Configuring FOPE in the FPE Administrator Console

To enable FOPE management through the FPE Administrator Console, you will need to enable the FOPE gateway management option, enter the domain administrator credentials for the gateway server and the FOPE credentials you created when you registered with FOPE, and retrieve the IP addresses for the FOPE datacenter servers to update your firewall and Exchange receive connectors. If your Internet traffic passes through a proxy server, you will also need to enter the proxy server information so that the FOPE Gateway can connect to the Internet.

To enable FOPE Gateway Management

  1. In the FPE Administrator Console Policy Management tree view, expand Online Protection, and then click Configure.

  2. In the Online Protection - Configure pane, in the Forefront Online Protection for Exchange Gateway Management area, select Enable Forefront Online Protection for Exchange Gateway Management.

  3. Enter the Gateway server name. This is the name of the server on which you installed the gateway.

  4. Click the Edit Credentials button to enter the user name and password of a user who has access to the server on which the gateway is installed. Click OK after entering the user name and password.

Note

If the FOPE Gateway is on a domain controller, domain administrator credentials are required and should be entered in the following format: DOMAIN\USERNAME. If the FOPE Gateway is not installed on a domain controller, local administrator credentials are acceptable and should be entered in the following format: MACHINENAME\USERNAME.

To enter your FOPE credentials

  1. In the Online Protection - Configure pane, in the Forefront Online Protection for Exchange Service Credentials area, enter the company name you used to register with FOPE in the Company text box.

  2. Click Edit Credentials and enter the user name and password you created when you registered with FOPE. Click OK after you enter the credentials.

  3. Click Save at the top of the pane.

To enter proxy server information

  1. In the Online Protection - Configure pane, in the Proxy Server area, select the Enable proxy server box.

  2. Enter the IP address of the proxy server in the Proxy Server text box and the appropriate port number in the Port text box.

  3. Click the Edit Credentials button and enter the appropriate credentials for the proxy server. Click OK after you enter the credentials.

  4. Click Save at the top of the pane.

Redirecting your mail to the FOPE datacenter and allowing incoming mail only from FOPE servers

Once you have registered with FOPE and configured the FOPE settings in FPE, you must redirect all incoming mail to the FOPE datacenter by changing your MX records to point to the FOPE datacenter. You must also change your firewall rules and Exchange edge receive connector settings to allow incoming mail only from the FOPE servers.

Tip

Microsoft Office 365 and FOPE support hosting a portion of your mailboxes in the cloud. To learn more about cross-premises (hybrid) mail routing, see Using FOPE Connectors to Configure Advanced Email Flow Scenarios.

To retrieve the IP addresses of the FOPE servers

  1. In the Online Protection - Configure pane, click Save at the top of the pane to ensure that the FOPE and FOPE gateway credentials are properly saved and accepted.

  2. In the Datacenter IP Addresses area, click the Get Addresses button. FPE will retrieve the IP addresses for the FOPE servers and display them. Note the addresses for use when you change your firewall settings.

To redirect your mail to the FOPE servers

  • Update the MX record on your external DNS server so that it directs mail to the FOPE datacenter.

    Your DNS server should have a single MX record that points to: mail.messaging.microsoft.com

  • Optionally, if you are routing your outbound mail through FOPE, specify the Sender Policy Framework (SPF) record for your domain as follows:

    v=spf1 include:spf.messaging.microsoft.com -all

    The SPF record prevents spam by allowing FOPE to verify your sender IP information. List all of your outbound mail server IP addresses. These IP addresses are required to ensure mail delivery to other clients of FOPE. Each IP address should be added with an ip4: statement. For example, to include 127.0.0.1 as an accepted outbound sending IP, add ip4:127.0.0.1 to your SPF record. If you know all of the authorized IPs, end the record with the -all (Fail) qualifier. If you are not sure that you have the complete list of IPs, use the ~all (SoftFail) qualifier.

    For example: v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.1 -all

    Note

    SPF record changes are only needed if you are routing your outbound mail through FOPE.

If you are uncertain about how to make these changes, consult your domain controller administrator.
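The following check is an added example, not part of the original topic or any Microsoft tooling. It lints an SPF TXT value against the rules described above before you publish it; the function name lint_spf is hypothetical, and terms other than include, ip4 and all are only reported for manual review.

```python
import ipaddress

FOPE_INCLUDE = "spf.messaging.microsoft.com"  # include target named on this page
TYPOGRAPHIC_DASHES = "\u2013\u2014\u2212"     # en dash, em dash, minus sign


def lint_spf(record):
    """Return a list of problems found in an SPF TXT value for a FOPE domain."""
    problems = []
    # Records copied from formatted documents often carry a non-ASCII dash.
    if any(ch in record for ch in TYPOGRAPHIC_DASHES):
        problems.append("typographic dash found; qualifiers need ASCII '-'")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return problems + ["record must start with v=spf1"]
    includes = []
    for pos, term in enumerate(terms[1:], start=1):
        low = term.lower()
        if low.endswith(":"):
            problems.append(f"'{term}' has no value; remove the space after ':'")
        elif low.startswith("include:"):
            includes.append(low[len("include:"):])
        elif low.startswith("ip4:"):
            try:
                ipaddress.IPv4Network(low[4:], strict=False)
            except ValueError:
                problems.append(f"'{term}' is not a valid IPv4 address or range")
        elif low in ("-all", "~all"):
            if pos != len(terms) - 1:
                problems.append(f"'{term}' must be the last term")
        elif low in ("+all", "all", "?all"):
            problems.append(f"'{term}' does not reject unauthorized senders")
        else:
            problems.append(f"term '{term}' is outside what this page uses; review manually")
    if FOPE_INCLUDE not in includes:
        problems.append(f"missing include:{FOPE_INCLUDE}")
    if not terms[-1].lower().endswith("all"):
        problems.append("record does not end with an 'all' term")
    return problems
```

An empty list means the value matches the form shown above; any other result lists what to correct before the record goes into DNS.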

To configure your firewall and Exchange Edge receive connectors

  • Update your firewall rules and Exchange Edge Receive Connectors to accept only SMTP connections from IP addresses of the FOPE datacenter. These are the IP addresses you retrieved using the Get Addresses button in the Datacenter IP Addresses area of the Online Protection - Configure pane.

Note

To ensure mail continuity, the MX record changes described in the previous step should be done 72 hours before making the firewall and edge receive connector changes.
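To confirm that only FOPE is delivering to the Edge server, the added example below (not part of the original topic) scans SMTP receive protocol log text for inbound sessions opened from outside the FOPE ranges. It assumes protocol logging is enabled on the receive connector and that the log uses the #Fields header shown; the IP ranges are placeholders from documentation address space and the log lines are constructed.

```python
import csv
import ipaddress

# Placeholder ranges (RFC 5737 documentation space). Replace them with the
# addresses FPE displays after you click Get Addresses.
FOPE_RANGES = ["192.0.2.0/24", "198.51.100.16/28"]

# Constructed sample in the SMTP receive protocol log field order (assumed layout).
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-06-01T10:00:01.000Z,EDGE01\\Default,08CC000000000001,0,10.0.0.5:25,192.0.2.44:41822,+,,
2010-06-01T10:00:01.100Z,EDGE01\\Default,08CC000000000001,1,10.0.0.5:25,192.0.2.44:41822,<,EHLO mail.example.net,
2010-06-01T10:03:17.000Z,EDGE01\\Default,08CC000000000002,0,10.0.0.5:25,203.0.113.9:50312,+,,
2010-06-01T10:05:40.000Z,EDGE01\\Default,08CC000000000003,0,10.0.0.5:25,198.51.100.20:33010,+,,
"""


def sessions_bypassing_fope(log_text, allowed_ranges):
    """Return {session-id: remote IP} for sessions opened from outside allowed_ranges."""
    networks = [ipaddress.ip_network(r) for r in allowed_ranges]
    fields, offenders = None, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        if row.get("event") != "+":      # "+" marks a new inbound connection
            continue
        # remote-endpoint is "address:port"; drop the port and any brackets
        host = row["remote-endpoint"].rsplit(":", 1)[0]
        addr = ipaddress.ip_address(host.strip("[]"))
        if not any(addr in net for net in networks):
            offenders[row["session-id"]] = str(addr)
    return offenders
```

Run against logs collected during the 72-hour window, it shows which senders still connect directly and would be refused once the firewall and connector restrictions are in place.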

Note

To access the FOPE on-line administrator, select Administration Center in the Actions pane.

See Also

Concepts

Disabling Forefront Online Protection for Exchange