
Configuring the FOPE Connectors for a Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE)

 

Applies to: Office 365 for enterprises, Live@edu, Forefront Online Protection for Exchange

Topic Last Modified: 2012-09-14

Important:
If you are using Exchange on-premises, we highly recommend that you use the Exchange Deployment Assistant (EDA) to perform your hybrid deployment, rather than performing the manual configuration steps in this topic. By doing so, your Forefront Online Protection for Exchange (FOPE) settings and on-premises Exchange settings are automatically configured. See Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) for more information about how to perform a hybrid deployment with the EDA.

When using FOPE in a shared address space with on-premises relay scenario (for more information, see Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE)), the relationship between the on-premises solution and FOPE is managed with connectors, which you must configure in the FOPE Administration Center. The following procedures show how to configure company-wide inbound and outbound connectors in a manner that covers the various types of mail flow (inbound, outbound, and intra-organizational). You must configure an inbound connector for intra-organizational mail and inbound mail. You must also configure an outbound connector for outbound mail.

To Configure a FOPE Inbound Connector for a Shared Address Space with On-Premises Relay Scenario (MX points to FOPE)
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Inbound Connectors, click Add. The Add Inbound Connector dialog box opens. The following image shows inbound connector settings for this scenario when mail is sent inbound to your organization from an external organization, or sent from an on-premises user in your organization to an Exchange Online user in your organization (intra-organizational).

    [Image: FOPE Inbound Connector]
  3. In the Name field, enter a name for the inbound connector.

  4. In the Description field, enter additional descriptive information about the inbound connector.

  5. In the Sender Domains field, type the *.* wildcard characters to signify that this inbound connector will be applied to all domains from which FOPE receives email.

  6. In the Sender IP Addresses field, enter the IP address or addresses for the on-premises servers. IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 1 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 31. Multiple IP addresses must be separated by a comma. Although it is recommended that you specify IP addresses here, if you do not know the specific IP address or addresses associated with the domain, or if you want to create a broad-scope connector, you can leave this field blank.

  7. Select Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. (If you did not specify sender IP addresses in the previous step, select Add these IP addresses to the safelist for the domains specified above instead.)

  8. In the Connector Settings section, select Opportunistic TLS.

    When you select Opportunistic TLS, FOPE tries a TLS connection but automatically rolls over to an SMTP connection if the sending email server is not configured to use TLS. (Force TLS is not a supported option for this scenario.)

    For more detailed information about how to use TLS in FOPE, see Understanding Transport Layer Security (TLS) in FOPE.

  9. In the Connector Settings section, do not check any of the available Filtering settings.

  10. Click Save.

The connector is now listed under Inbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your whole company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.
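The Sender IP Addresses value from step 6 is safelisted in step 7, so it is worth checking before it is pasted into the dialog box. The following is an added example, not Microsoft code or part of the original topic: it applies the format rules as stated in step 6 and reports how many addresses each entry covers. The function name, the sample value, and the RFC 1918 warning are assumptions made for illustration.

```python
import ipaddress
import re

# Format from step 6: nnn.nnn.nnn.nnn with an optional /rr CIDR suffix.
ENTRY = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?", re.ASCII)
# Added sanity check (not a rule from this topic): RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_sender_ips(field):
    """Validate a Sender IP Addresses value; return (accepted, errors, warnings)."""
    accepted, errors, warnings = [], [], []
    for item in (part.strip() for part in field.split(",")):
        m = ENTRY.fullmatch(item)
        if not m:
            errors.append(f"{item!r}: not nnn.nnn.nnn.nnn or nnn.nnn.nnn.nnn/rr")
            continue
        octets = [int(g) for g in m.groups()[:4]]
        if not all(1 <= o <= 255 for o in octets):  # range stated in step 6
            errors.append(f"{item}: each nnn must be a number from 1 to 255")
            continue
        prefix = int(m.group(5)) if m.group(5) else 32
        if m.group(5) and not 24 <= prefix <= 31:  # range stated in step 6
            errors.append(f"{item}: rr must be a number from 24 to 31")
            continue
        address = ".".join(map(str, octets))
        # strict=False: an entry such as 198.51.100.17/28 names the block it falls in.
        net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
        accepted.append((item, str(net), net.num_addresses))
        if any(net.subnet_of(r) for r in RFC1918):
            warnings.append(f"{item}: private range, not the address FOPE sees")
    return accepted, errors, warnings


if __name__ == "__main__":
    # Constructed sample value using documentation addresses, not real servers.
    sample = "198.51.100.25, 198.51.100.17/28, 192.168.10.5, 198.51.100.256, 198.51.100.1/16"
    accepted, errors, warnings = check_sender_ips(sample)
    for item, net, count in accepted:
        print(f"OK    {item} -> {net} ({count} address(es) safelisted)")
    for line in errors + warnings:
        print(f"CHECK {line}")
```
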

To Configure a FOPE Outbound Connector for a Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE)
  1. In the FOPE Administration Center, click the Administration tab, and then click the Company tab.

  2. In the Connectors section, for the Outbound Connectors, click Add. The Add Outbound Connector dialog box opens. The following image shows outbound connector settings for the scenario.

    [Image: FOPE Outbound Connector to On Premises]
  3. In the Name field, enter a descriptive name for the outbound connector.

  4. In the Description field, enter additional descriptive information about the outbound connector.

  5. In the Recipient Domains field, type the *.* wildcard characters to signify that this outbound connector will be applied to all domains to which FOPE sends email.

  6. Select the Deliver all messages to the following destination check box, and then specify the IP address. This setting makes FOPE route email to a single IP address (in this example, the IP address of the Contoso on-premises email server).

  7. In the Transport Layer Security (TLS) Settings section, the following options appear:

    Opportunistic TLS—FOPE attempts a TLS connection, but automatically rolls over to an SMTP connection if the receiving email server is not configured to use TLS. There are also several TLS Certificate Options:

    • Validation against self-signed certificate—Created in an organization, this certificate is used to encrypt the channel. This option provides sufficient protection, is relatively easy to configure, and is the recommended option.
    • The issuing certificate authority (CA) is trusted by Microsoft—Validates that the recipient certificate is issued by an authorized certification authority. For example, it validates that the certificate is not expired, and that it is authentic.
    • The recipient certificate matches the destination domain—This takes the "The issuing certificate authority (CA) is trusted by Microsoft" option one step further by also validating that the subject alternative name on the certificate matches the recipient domain name. This option is not functional for this scenario.
    • The recipient certificate matches—This takes the "The issuing certificate authority (CA) is trusted by Microsoft" option one step further by also validating that the subject alternative name matches what you enter in the text box.
  8. Click Save.

The connector is now listed under Outbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.

To apply this connector configuration to your whole company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.

 