Working With Virtual and Parent Domains in FOPE
Applies to: Forefront Online Protection for Exchange
Topic Last Modified: 2012-11-30
|To view a video about creating and configuring virtual domains in Forefront Online Protection for Exchange (FOPE), see Virtual Domains in Forefront Online Protection for Exchange (English only).|
In Forefront Online Protection for Exchange (FOPE), a Virtual Domain is formatted like a subdomain, and can have its own filtering settings and configurations. The domain to which the Virtual Domain belongs is called its Parent Domain. The Virtual Domain is not an actual DNS mail domain; it is used for internal configuration purposes only. For example, for a Parent Domain called contoso.com, you can create a Virtual Domain called marketing.contoso.com.
A Virtual Domain allows you to apply different configuration settings to users who belong to the same domain. After creating a Virtual Domain, you can upload a subset of users who belong to the Parent Domain and then associate them to the Virtual Domain in order to customize service settings for that group of users. Users who have been assigned to the Virtual Domain will adhere to the domain settings that are set for the Virtual Domain. In order to disassociate users from a Virtual Domain, you will need to either associate the users with a new Virtual Domain or disable the Virtual Domain. For more information on associating users with a Virtual Domain in the FOPE Administration Center, see Import Multiple Users.
|After a domain has been configured as a Virtual Domain, it cannot be reconfigured as a non-Virtual Domain.|
In order to add a Virtual Domain, you must first validate and enable the Parent Domain. The User List Settings on the Parent Domain must be set to Admin Center or SFTP, and it must have Directory-Based Edge Blocking (DBEB) set to Reject or Passive mode. When a new Virtual Domain is created, it inherits the service settings of the Parent Domain. If the Parent Domain's DBEB setting is changed to something other than Reject or Passive mode, then the Virtual Domain is automatically disabled. If the User List Settings on the Parent Domain is changed to something other than Admin Center or SFTP, then the settings on the Virtual Domain will no longer be applied. If the Parent Domain is disabled, the Virtual Domain will also be disabled.
Edge blocking options are not available for Virtual Domains. Email for a particular Virtual Domain is processed for all email addresses that are included in an upload list for that Virtual Domain, as specified by the settings in the Administration Center. If email is received for an address that is not listed in the upload list for a given Virtual Domain, it is processed according to the edge blocking settings for the Parent Domain.
Special outbound message routing for recipients who are part of a FOPE Virtual Domain may not work if you require matching a FOPE Outbound connector for delivery to the destination domain. This can affect you if you are in a hybrid configuration, with some mailboxes on premises and some in the cloud, because the Outbound connector cannot be matched and applied to a Virtual Domain recipient. |
Virtual Domains are not recommended if you have a hybrid configuration and you want to ensure that your connector settings are enforced.
Using FOPE Connectors to Configure Advanced Email Flow Scenarios provides more details regarding FOPE Inbound connectors and Outbound connectors.