
Configuring the FOPE Connectors for a Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) – Adding FOPE Filtering


Applies to: Office 365 for enterprises, Live@edu, Forefront Online Protection for Exchange

Topic Last Modified: 2012-10-02

Important:
If you are using Exchange on-premises, we highly recommend that you use the Exchange Deployment Assistant (EDA) to perform your hybrid deployment, rather than performing the manual configuration steps in this topic. By doing so, your FOPE settings and on-premises Exchange settings are automatically configured. See Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) for more information about how to perform a hybrid deployment with the EDA.
Tip:
  • If you have an on-premises protection solution and you do not want Forefront Online Protection for Exchange (FOPE) to perform additional spam or policy filtering on inbound mail that has already passed perimeter inspection, skip this topic and follow the hybrid configuration steps described in the Exchange Deployment Assistant.
  • If you want FOPE to filter email that external senders address to your Exchange Online mailboxes and that arrives by way of your on-premises organization, complete the configuration steps in the EDA, remove the FOPE connector associations on the domains where you want FOPE filtering, and then manually configure the FOPE connectors as detailed in this topic.

When using Forefront Online Protection for Exchange (FOPE) in a shared address space with on-premises relay scenario (MX points to on-premises), the relationship between the on-premises solution and FOPE is managed with connectors, which you must configure in the FOPE Administration Center. For more information about the shared address space with on-premises relay scenario (MX points to on-premises), see Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises).

The following procedures show you how to configure company-wide inbound and outbound connectors in a manner that covers all scenarios (inbound, outbound, and intra-organizational). The first two procedures show you how to configure two separate inbound connectors, one that covers mail sent inbound from an external organization, and another that covers mail sent from within your organization (intra-organizational). The third procedure shows you how to configure an outbound connector.

Configure a FOPE Inbound Connector for a Shared Address Space with On-Premises Relay Scenario (External Mail)
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Inbound Connectors, click Add. The Add Inbound Connector dialog box opens. The following image shows inbound connector settings for this scenario when mail is sent inbound to your organization from an external organization.

    [Image: Shared address space with on-prem relay, inbound connector settings (external mail)]
  3. In the Name field, enter a name for the inbound connector.

  4. In the Description field, enter additional information about the inbound connector.

  5. In the Sender Domains field, type the *.* wildcard characters to signify that this inbound connector will be applied to all domains from which FOPE receives email.

  6. In the Sender IP Addresses field, enter the IP address or addresses of the on-premises servers that relay mail to FOPE. IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 1 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 31. Separate multiple IP addresses with commas. You can leave this field blank if you do not know the specific IP address or addresses associated with the domain, or if you want to create a broad-scope connector, but this is not recommended, because the connector then no longer restricts inbound mail to your on-premises relay.

  7. Select Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. This ensures that mail originating from the specified sender domains only comes from the specified sender IP addresses. Because the sender domain is *.*, FOPE then accepts inbound mail for your cloud-based mailboxes only from your on-premises servers; mail sent directly to FOPE from any other IP address is rejected, which keeps your on-premises perimeter in the path for all inbound mail. If you did not specify sender IP addresses in the previous step, select Add these IP addresses to the safelist for the domains specified above instead.

  8. In the Connector Settings section, for the Transport Layer Security (TLS) Settings, select Force TLS. This lets you enforce a TLS connection when on-premises customers send email to users hosted in the cloud.

    Security Note:
    When you enforce TLS and the sender does not send messages over TLS (because of an outage, because TLS support is disabled, or for any other reason), their messages are rejected. However, even if you enforce TLS as the recipient, the sender's messages may be transmitted in plain text to FOPE before they are rejected. To ensure that messages reach FOPE securely, the sender must also enforce TLS. For more detailed information about using TLS in FOPE, see Understanding Transport Layer Security (TLS) in FOPE.

    Select the Sender certificate matches check box, and then specify the certificate subject name that you configured on the on-premises hybrid server (for example, certificate.contoso.com). You can use the * wildcard character in this field to match one level of subdomains. For example, if you specify *.domain.com, FOPE matches subdomain1.domain.com but does not match subdomain2.subdomain1.domain.com.

    Note:
    The domain you specify here must match the domain you specified when you created the "Inbound remote domain" in the cloud-based organization earlier.
  9. In the Connector Settings section, for the Filtering options, ensure that the Apply spam filtering and Apply policy rules check boxes are selected.

  10. Click Save.

The connector is now listed under Inbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your entire company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.

Configure a FOPE Inbound Connector for a Shared Address Space with On-Premises Relay Scenario (Intra-Organizational Mail)
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Inbound Connectors, click Add. The Add Inbound Connector dialog box opens. The following image shows inbound connector settings for this scenario when mail is sent from within your organization (intra-organizational).

    [Image: Shared address space with on-prem relay, inbound connector settings (intra-organizational mail)]
  3. In the Name field, enter a name for the inbound connector.

  4. In the Description field, enter additional information about the inbound connector.

  5. In the Sender Domains field, enter the domain name of your on-premises organization (for example, contoso.com).

  6. In the Sender IP Addresses field, enter the IP address or addresses of the on-premises servers that relay mail to FOPE. IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 1 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 31. Separate multiple IP addresses with commas. You can leave this field blank if you do not know the specific IP address or addresses associated with the domain, or if you want to create a broad-scope connector, but this is not recommended, because the connector then no longer restricts inbound mail to your on-premises relay.

  7. Select Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. This ensures that mail originating from the specified sender domain only comes from the specified sender IP addresses. This restriction matters even more for this connector than for the external-mail connector, because this connector skips spam and policy filtering (step 9): without it, any Internet sender that claims a contoso.com sender domain would have that filtering skipped. (If you did not specify sender IP addresses in the previous step, select Add these IP addresses to the safelist for the domains specified above instead.)

  8. In the Connector Settings section, for the Transport Layer Security (TLS) Settings, select Force TLS.

    Security Note:
    When you enforce TLS and the sender does not send messages over TLS (because of an outage, because TLS support is disabled, or for any other reason), their messages are rejected. However, even if you enforce TLS as the recipient, the sender's messages may be transmitted in plain text to FOPE before they are rejected. To ensure that messages reach FOPE securely, the sender must also enforce TLS. For more detailed information about using TLS in FOPE, see Understanding Transport Layer Security (TLS) in FOPE.

    Select the Sender certificate matches check box, and then specify the certificate subject name that you configured on the on-premises hybrid server (for example, certificate.contoso.com). You can use the * wildcard character in this field to match one level of subdomains. For example, if you specify *.domain.com, FOPE matches subdomain1.domain.com but does not match subdomain2.subdomain1.domain.com.

    Note:
    The domain you specify here must match the domain you specified when you created the "Inbound remote domain" in the cloud-based organization earlier.
  9. In the Connector Settings section, for the Filtering options, clear the following check boxes:

    • Apply IP reputation filtering—Clearing this check box skips IP reputation filtering on inbound email messages. This option is not functional for this scenario.
    • Apply spam filtering—Clearing this check box skips spam filtering on inbound email messages from your on-premises servers. If the on-premises server sends or relays spam, that spam reaches your cloud-based mailboxes unfiltered.
    • Apply policy rules—Clearing this check box skips FOPE policy rules on inbound email messages.

  10. Click Save.

The connector is now listed under Inbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your entire company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.
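To see how the two inbound connectors above behave together, here is an added Python model. It is not part of this topic and not FOPE code (FOPE exposes no API for connectors); it implements the Sender IP Addresses format and the one-level * wildcard rule as stated above, then applies the safelist, Force TLS and Sender certificate matches checks to a few constructed connections and reports which filtering applies. The on-premises IP ranges, the domain and certificate names, and the rule that a connector naming the sender domain explicitly wins over the *.* connector are assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added illustration; not FOPE code. Models the two inbound connectors this
# topic configures so the effect of the safelist, Force TLS and sender
# certificate settings can be seen on constructed connections.

IPV4_OR_CIDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?$")


def parse_sender_ips(field: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated Sender IP Addresses field: dotted IPv4
    addresses, or CIDR ranges whose prefix is 24 to 31 as the topic states."""
    networks = []
    for item in (p.strip() for p in field.split(",")):
        if not item:
            continue
        m = IPV4_OR_CIDR.match(item)
        if not m:
            raise ValueError(f"not an IPv4 address or CIDR range: {item!r}")
        address, prefix = m.group(1), m.group(2)
        if prefix is None:
            networks.append(ipaddress.IPv4Network(address))        # single host (/32)
        elif 24 <= int(prefix) <= 31:
            networks.append(ipaddress.IPv4Network(item, strict=False))
        else:
            raise ValueError(f"CIDR prefix must be 24 to 31: {item!r}")
    return networks


def subject_matches(pattern: str, subject: str) -> bool:
    """Sender certificate matches, with the topic's one-level '*' wildcard:
    '*.contoso.com' matches 'mail.contoso.com' but not 'a.mail.contoso.com'."""
    pattern, subject = pattern.lower(), subject.lower()
    if not pattern.startswith("*."):
        return pattern == subject
    suffix = pattern[1:]                                          # ".contoso.com"
    label = subject[: -len(suffix)] if subject.endswith(suffix) else ""
    return bool(label) and "." not in label


@dataclass
class InboundConnector:
    name: str
    sender_domains: Set[str]        # {"*.*"} means any sender domain
    sender_ips: List[ipaddress.IPv4Network]
    only_these_ips: bool            # "...and only accept mail from these IP addresses"
    force_tls: bool
    cert_subject: str               # pattern for "Sender certificate matches"
    spam_filtering: bool
    policy_rules: bool

    def covers_domain(self, domain: str) -> bool:
        return "*.*" in self.sender_domains or domain.lower() in self.sender_domains


@dataclass
class Connection:
    sender_domain: str
    sender_ip: str
    tls: bool
    cert_subject: Optional[str]     # None when no TLS or no certificate presented


def evaluate(connectors: List[InboundConnector], conn: Connection) -> Tuple[str, Optional[str], Optional[Dict[str, bool]]]:
    """Return (decision, connector name, filtering applied) for one connection.
    Assumption: a connector naming the sender domain explicitly is chosen over
    the *.* connector when both could apply."""
    candidates = [c for c in connectors if c.covers_domain(conn.sender_domain)]
    if not candidates:
        return ("no connector covers the sender domain", None, None)
    candidates.sort(key=lambda c: "*.*" in c.sender_domains)     # explicit domains first
    c = candidates[0]
    ip = ipaddress.IPv4Address(conn.sender_ip)
    if c.only_these_ips and not any(ip in net for net in c.sender_ips):
        return ("reject: sender IP not in the connector's safelist", c.name, None)
    if c.force_tls and not conn.tls:
        return ("reject: Force TLS and the sender did not use TLS", c.name, None)
    if c.cert_subject and not (conn.cert_subject and subject_matches(c.cert_subject, conn.cert_subject)):
        return ("reject: sender certificate does not match", c.name, None)
    return ("accept", c.name, {"spam": c.spam_filtering, "policy": c.policy_rules})


# Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
ONPREM_SENDER_IPS = "203.0.113.10, 203.0.113.16/28"
HYBRID_CERT = "certificate.contoso.com"

EXTERNAL_MAIL = InboundConnector(
    "Shared address space (external mail)", {"*.*"}, parse_sender_ips(ONPREM_SENDER_IPS),
    only_these_ips=True, force_tls=True, cert_subject=HYBRID_CERT,
    spam_filtering=True, policy_rules=True)
INTRA_ORG_MAIL = InboundConnector(
    "Shared address space (intra-organizational)", {"contoso.com"}, parse_sender_ips(ONPREM_SENDER_IPS),
    only_these_ips=True, force_tls=True, cert_subject=HYBRID_CERT,
    spam_filtering=False, policy_rules=False)
CONNECTORS = [EXTERNAL_MAIL, INTRA_ORG_MAIL]


def demo() -> Dict[str, tuple]:
    """Run constructed connections through the two connectors."""
    cases = {
        "external mail relayed by on-premises": Connection("fabrikam.com", "203.0.113.10", True, HYBRID_CERT),
        "intra-org mail relayed by on-premises": Connection("contoso.com", "203.0.113.20", True, HYBRID_CERT),
        "contoso.com spoofed directly from the Internet": Connection("contoso.com", "198.51.100.7", True, HYBRID_CERT),
        "on-premises without TLS": Connection("fabrikam.com", "203.0.113.10", False, None),
        "on-premises with the wrong certificate": Connection("contoso.com", "203.0.113.10", True, "mail.fabrikam.com"),
    }
    return {label: evaluate(CONNECTORS, conn) for label, conn in cases.items()}


if __name__ == "__main__":
    for label, (decision, connector, filtering) in demo().items():
        print(f"{label}: {decision} [{connector}] filtering={filtering}")
```

The spoofed case is the one to watch: a sender on the Internet that claims a contoso.com sender domain is steered to the intra-organizational connector, where spam and policy filtering are off, and it is only the IP safelist with "only accept mail from these IP addresses" that turns it away.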

Configure a FOPE Outbound Connector for a Shared Address Space with On-Premises Relay Scenario
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Outbound Connectors, click Add. The Add Outbound Connector dialog box opens. The following image shows outbound connector settings for this sample scenario.

    [Image: Centralized mail control outbound connector settings]
  3. In the Name field, enter a name for the outbound connector.

  4. In the Description field, enter additional information about the outbound connector.

  5. In the Recipient Domains field, type the *.* wildcard characters to signify that this outbound connector will be applied to all domains to which FOPE sends email.

  6. Select the Deliver all messages to the following destination check box, and then specify one of the following options:

    • IP address—Specify FOPE to route email to a single IP address (for example, the IP address of the Contoso on-premises email server).
    • Fully Qualified Domain Name—Specify the fully qualified domain name of the server to which FOPE should send email (for example, contoso.com).
    • Mail Server Multi-SMTP Profile—Using the drop-down list, select an outbound profile if you have previously created one. Outbound multi-SMTP profiles enable you to deliver mail to multiple mail servers in your network by using round-robin load balancing.
      Outbound multi-SMTP profiles work in the same manner, and can be created in a similar way, as inbound multi-SMTP profiles. For more information, see Configuring Inbound Multi-SMTP Profiles.
  7. In the Transport Layer Security (TLS) Settings section, select The recipient certificate matches and in the associated text field, enter the certificate subject name that you configured on the on-premises hybrid server (for example, certificate.contoso.com).

    You also have the option of selecting Opportunistic TLS. If you select Opportunistic TLS, FOPE attempts a TLS connection but falls back to an unencrypted SMTP connection if the receiving email server is not configured to use TLS or the TLS negotiation fails, so it does not guarantee that mail to your on-premises servers is encrypted in transit. You can also select one of several other TLS certificate options:

    • Validation against self-signed certificate—Created within an organization, this certificate is used to encrypt the channel.
    • The issuing certificate authority (CA) is trusted by Microsoft—Validates that the recipient certificate was issued by a certificate authority that Microsoft trusts; as part of this, it checks that the certificate has not expired and that it chains to that CA.
    • The recipient certificate matches the destination domain—This takes The issuing certificate authority (CA) is trusted by Microsoft option one step further by also validating that the subject alternative name on the certificate matches the recipient domain name. This option is not functional for this scenario.
    • The recipient certificate matches—This takes The issuing certificate authority (CA) is trusted by Microsoft option one step further by also validating that the subject alternative name matches what you enter in the text box. This is the recommended option.
  8. Click Save.

The connector is now listed under Outbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your entire company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.
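Before you select The recipient certificate matches and type a name, it is worth confirming what certificate the on-premises hybrid server actually presents on STARTTLS and which of the outbound TLS options above it would satisfy. The following added Python example is not part of this topic and not FOPE code; it works on the dictionary that ssl.SSLSocket.getpeercert() returns, uses a constructed certificate for certificate.contoso.com as sample input, and shows why the destination-domain option fails for this scenario while the configured-name option succeeds. The self-signed option is not modeled. The host name, port and certificate contents are assumptions.

```python
import smtplib
import ssl
import time
from typing import Dict, List

# Added illustration, not FOPE code: checks which of the outbound TLS
# certificate options in this topic the on-premises hybrid server's
# certificate would satisfy, using the dict shape getpeercert() returns.

# Constructed sample standing in for a certificate returned by getpeercert()
# after the chain validated (CERT_REQUIRED).
SAMPLE_CERT = {
    "subject": ((("commonName", "certificate.contoso.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "certificate.contoso.com"), ("DNS", "autodiscover.contoso.com")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


def dns_names(cert: dict) -> List[str]:
    """Names the certificate is valid for: DNS SANs, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def name_matches(cert_name: str, wanted: str) -> bool:
    """Exact match, or a one-level wildcard certificate name such as *.contoso.com."""
    cert_name, wanted = cert_name.lower(), wanted.lower()
    if cert_name.startswith("*."):
        head, _, tail = wanted.partition(".")
        return bool(head) and tail == cert_name[2:]
    return cert_name == wanted


def check_outbound_tls_options(cert: dict, configured_name: str, destination_domain: str) -> Dict[str, bool]:
    """Evaluate a validated certificate against the outbound options in this topic.
    A non-empty dict from getpeercert() under CERT_REQUIRED means the chain
    already validated against trusted CAs; expiry is re-checked here."""
    chain_ok = bool(cert) and ssl.cert_time_to_seconds(cert["notAfter"]) > time.time()
    names = dns_names(cert) if chain_ok else []
    return {
        "issuing CA is trusted": chain_ok,
        "recipient certificate matches the destination domain":
            any(name_matches(n, destination_domain) for n in names),
        "recipient certificate matches (configured name)":
            any(name_matches(n, configured_name) for n in names),
    }


def fetch_hybrid_server_cert(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """STARTTLS to the on-premises hybrid server and return its certificate.
    Needs network access, so the sample run below does not call it. The chain
    is validated (CERT_REQUIRED raises ssl.SSLCertVerificationError if it does
    not validate); host name checking is left to check_outbound_tls_options so
    the configured name can be compared even when connecting by IP address."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    result = check_outbound_tls_options(SAMPLE_CERT, "certificate.contoso.com", "contoso.com")
    for option, ok in result.items():
        print(f"{option}: {'OK' if ok else 'would fail'}")
```

Against a live server, replace SAMPLE_CERT with fetch_hybrid_server_cert("certificate.contoso.com") (assumed host name). With the sample certificate, "matches the destination domain" fails because the certificate is issued to certificate.contoso.com, not to contoso.com, which is what the topic means when it says that option is not functional for this scenario.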

© 2014 Microsoft. All rights reserved.