Integrating Forefront Online Protection for Exchange with FPE to create an extra layer of protection


Applies to: Forefront Protection for Exchange

Topic Last Modified: 2010-07-08

Forefront Online Protection for Exchange (FOPE) is an e-mail filtering service that can be used in conjunction with Forefront Protection 2010 for Exchange Server (FPE). FOPE protects your messaging environment by filtering incoming e-mail traffic before it enters your mail system. When used, FOPE receives all incoming e-mail traffic, filters it for spam and viruses, applies custom spam filters, and then forwards the e-mail to your messaging network for additional scanning and delivery. The custom spam filters include:

  • Allow/Block IP Addresses

  • Allow/Block Sender Domains

  • Allow/Block Sender Addresses

  • Allow/Block Recipient Addresses

For more information about these filters and how to configure them, please see Using antispam filtering.

In a typical mail system, mail arrives from the Internet and enters your environment through the Edge Transport server, where it is scanned for malware and spam. It is then passed to a hub server for routing to the proper mailbox server. When you enable FOPE, you add another layer of filtering between the Internet and the Edge Transport server. This layer consists of the FOPE servers pooled in a datacenter.

The FOPE servers are grouped in Microsoft datacenters located around the world. These servers scan your mail for malware and spam before routing the mail to your Edge or Hub servers. The advantages of using FOPE include:

  • Spam filtering eliminates as much as 90% of incoming mail traffic. This reduces the load on your internal mail servers.

  • All mail that arrives at your Edge and Hub servers has already been scanned for viruses.

  • You can modify the antispam configurations locally and they will be synchronized with the antispam and filtering configurations in FOPE.

  • FOPE stamps any mail that it has scanned for viruses, spam, and custom spam filter matches by appending a header to the message that provides information about the status of the message. FPE can use the header to prevent the mail from being re-scanned on the Edge Transport servers.

When mail is identified as spam by FOPE, you have the following options:

  • Keep mail in the FOPE quarantine database. This is the default.

  • Send mail to FPE for processing. FPE either blocks, quarantines, or delivers the mail based on the Spam Confidence Level (SCL) rating assigned to it by FOPE and the antispam configurations in FPE.

For more information about quarantining, please refer to the topic Configuring quarantine options when you integrate FOPE with FPE.

To manage FOPE from the Forefront Protection 2010 for Exchange Server Administrator Console, you must have spam filtering enabled in FPE.

When integrating an on-premises FPE environment with your existing hosted FOPE account, you must keep in mind that policy settings configured in FPE will take precedence over configurations for the same features in the FOPE administration center. These policy settings include:

  • RejectSenderIP

  • AllowSenderIP

  • RejectSenderDomain

  • AllowSenderDomain

  • RejectSenderAddress

  • AllowSenderAddress

  • RejectRecipientAddress

  • AllowRecipientAddress

Any configurations that were pre-existing in the hosted FOPE account that you would like to keep should be exported from FOPE and then imported into the on-premises FPE installation and managed from the on-premise FPE. This will simplify management, and prevent duplicate rules. Any future anti-spam rules controlled by FPE/FOPE, should be controlled via the Forefront Protection 2010 for Exchange Server Administrator Console.

FPE will synchronize with the hosted FOPE account whenever a change is made to on-premises FPE antispam configurations that apply to FOPE. Changes can include, for example, FOPE based account information or antispam rules. Synchronization between FPE and FOPE does not occur on a scheduled basis

FPE communicates with FOPE through the FOPE Gateway. You use the gateway to make changes to the FOPE server's policy settings and synchronize with FPE’s antispam configurations. An automated system manages synchronization of antispam configuration settings that are common to FPE and the FOPE servers by updating the settings on the FOPE servers when a change is made to the FOPE or antispam settings in the FPE Administrator Console and saved.

You must install the FOPE Gateway on a server in your environment that has access to the Internet. This is done separately from the FPE installation. FPE can only interact with a single FOPE Gateway. If you have FPE installed on multiple servers, you must install the FOPE Gateway for each instance of FPE. For installation instructions, refer to Installing the Forefront Online Protection for Exchange Gateway.