Regulated Partner with Forced TLS Scenario


Applies to: Office 365 Enterprise, Live@edu, Forefront Online Protection for Exchange

Topic Last Modified: 2011-10-20

Organizations can set up a secure mail flow channel with trusted partners by configuring their mail routing using Forefront Online Protection for Exchange (FOPE) connectors. Some business partners might require an organization to communicate over Transport Layer Security (TLS) or sign in using a third-party validated certificate. Using FOPE connectors, you can configure both forced inbound and outbound TLS using self-signed or CA-validated certificates. TLS is a cryptographic protocol that provides security for communications over the Internet. For more detailed information about using TLS in FOPE, see Understanding Transport Layer Security (TLS) in FOPE.

In this sample scenario, contoso.com has set up a secure mail routing channel with fabrikambank.com. Contoso uses a Microsoft Exchange Online cloud-hosted mail solution to host their mailboxes. When they exchange mail with Fabrikam Bank through FOPE, the mail is secure through TLS encryption in both directions.

Tip: To view a video that describes this scenario and demonstrates the configuration steps for the FOPE connectors, see Regulated Partner With Forced TLS Scenario.

When receiving inbound or outbound mail in the cloud, the regulated partner architecture is as follows:

Business regulated partner scenario

With this scenario, mail flowing between Contoso’s Exchange Online organization and Fabrikam Bank is transferred over a secure channel using forced inbound and outbound TLS. Furthermore, all mail between the two organizations is validated using a CA-issued certificate.

To configure a regulated partner relationship, you must create inbound and outbound FOPE connectors.

To configure a FOPE inbound connector for a regulated partner
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Inbound Connectors, click Add. The Add Inbound Connector dialog box opens.

    The following image shows inbound connector settings for the regulated partner with forced TLS sample scenario.

    Regulated Partner Inbound Connector
  3. In the Name field, enter a descriptive name for the inbound connector.

  4. In the Description field, enter additional descriptive information about the inbound connector.

  5. In the Sender Domains text box, enter the domain name of the organization with which you want to establish a secure channel, for example fabrikambank.com.

  6. In the Sender IP Addresses field, enter the IP address or addresses for the partner. IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 1 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 31. Multiple IP addresses must be separated by a comma. Although it is recommended that you specify IP addresses here, if you do not know the specific IP address or addresses associated with the domain, or if you want to create a broad-scope connector, you can leave this field blank.

  7. Select Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. This ensures that mail originating from the specified sender domain only comes from the specified sender IP addresses. (If you did not specify sender IP addresses in the previous step, select Add these IP addresses to the safelist for the domains specified above instead.)

  8. In the Connector Settings section, for the Transport Layer Security (TLS) option, select Force TLS. This option forces partners to use a TLS connection when sending email to users hosted in the cloud. If the connection is not TLS-based, FOPE rejects the email message.

    For more detailed information about using TLS in FOPE, see Understanding Transport Layer Security (TLS) in FOPE.

  9. In the Connector Settings section, use the check boxes to specify whether to apply or skip the following filtering operations. These filtering options are enabled (applied) by default.

    Apply IP reputation filtering—Indicates whether to apply IP reputation filtering on inbound email messages. This option is not functional for this scenario.

    Apply spam filtering—Indicates whether to apply spam filtering on inbound email messages.

    Apply policy rules—Indicates whether to apply policy rules on inbound email messages.

  10. Click Save.
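As an added illustration (not part of the original article, and not FOPE code), the following Python models how an inbound connector configured as in steps 5 through 8 treats one SMTP session: the Sender IP Addresses field is parsed using the format rules from step 6, and the session is accepted only if the sender domain matches, the source IP is in the safelist (when the restricting option from step 7 is selected) and the session used TLS (Force TLS). The connector dictionary, its sample addresses and the decision labels are assumptions.

```python
import ipaddress

# Modelled on the inbound connector from the scenario (constructed values; the
# partner's real addresses are not on the page).
SAMPLE_CONNECTOR = {
    "sender_domains": {"fabrikambank.com"},
    "sender_ips": "198.51.100.7/24, 203.0.113.25",
    "restrict_to_ips": True,   # "...only accept mail from these IP addresses"
    "force_tls": True,         # Force TLS selected in step 8
}


def parse_sender_ips(field: str) -> list:
    """Parse the comma-separated Sender IP Addresses field (step 6) into
    IPv4Network objects: single addresses or CIDR ranges with /24 to /31."""
    networks = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # host bits allowed
        if net.version != 4:
            raise ValueError(f"not an IPv4 entry: {entry!r}")
        if "/" in entry and not 24 <= net.prefixlen <= 31:
            raise ValueError(f"CIDR prefix must be /24 to /31: {entry!r}")
        networks.append(net)
    return networks


def is_valid_entry(entry: str) -> bool:
    """True when a single field entry satisfies the documented format."""
    try:
        return len(parse_sender_ips(entry)) == 1
    except ValueError:
        return False


def inbound_decision(sender_domain: str, source_ip: str, used_tls: bool,
                     connector: dict = SAMPLE_CONNECTOR) -> str:
    """Return 'not-matched', 'reject-ip', 'reject-tls' or 'accept' for one
    SMTP session evaluated against the connector (labels are assumptions)."""
    if sender_domain.lower() not in connector["sender_domains"]:
        return "not-matched"        # connector does not apply to this sender
    addr = ipaddress.ip_address(source_ip)
    allowed = parse_sender_ips(connector["sender_ips"])
    if connector["restrict_to_ips"] and not any(addr in n for n in allowed):
        return "reject-ip"          # partner domain claimed from an unlisted IP
    if connector["force_tls"] and not used_tls:
        return "reject-tls"         # step 8: a non-TLS session is rejected
    return "accept"
```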

The connector is now listed under Inbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your entire company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.

To configure a FOPE outbound connector in a regulated partner scenario
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Outbound Connectors, click Add. The Add Outbound Connector dialog box opens.

    The following image shows outbound connector settings for the regulated partner with forced TLS sample scenario.

    Regulated Partner Outbound Connector
  3. In the Name field, enter a descriptive name for the outbound connector.

  4. In the Description field, enter additional descriptive information about the outbound connector.

  5. In the Recipient Domains text box, enter the domain name of the organization with which you want to establish a secure channel.

  6. Select the Deliver all messages to the following destination check box, and then, in the Fully Qualified Domain Name field, specify the fully qualified domain name to which FOPE should send email (for example, fabrikambank.com).

  7. In the Transport Layer Security (TLS) Settings section, you can select one of several TLS certificate options:

    • Validation against self-signed certificate—Created within an organization, this certificate is used to encrypt the channel.

    • The issuing certificate authority (CA) is trusted by Microsoft—Validates that the recipient certificate is issued by an authorized certificate authority. For example, it validates that the certificate is not expired and that it is authentic.

    • The recipient certificate matches the destination domain—This option extends The issuing certificate authority (CA) is trusted by Microsoft by also validating that the subject alternative name on the certificate matches the recipient domain name.

    • The recipient certificate matches—This option extends The issuing certificate authority (CA) is trusted by Microsoft by also validating that the subject alternative name on the certificate matches the name you enter in the text box.

  8. Click Save.

The connector is now listed under Outbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your entire company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.
