In order to use Forefront Online Protection for Exchange (FOPE) as a filter for your mail stream and to manage your FOPE configuration through the Forefront Protection 2010 for Exchange Server Administrator Console, you must follow these steps to prepare your Exchange environment and enable management of the FOPE gateway in FPE:

Registering with FOPE and creating an account

To use FOPE for mail filtering, you will need to go to the FOPE web site (http://go.microsoft.com/fwlink/?LinkId=128194) to establish your account. While configuring your profile, note all profile credential information for use later when configuring the FOPE settings in the Forefront Protection 2010 for Exchange Server Administrator Console. This includes the company name and user credentials.

Configuring FOPE in the FPE Administrator Console

To enable FOPE management through the FPE Administrator Console, you will need to enable the FOPE gateway management option, enter the domain administrator credentials for the gateway server and the FOPE credentials you created when you registered with FOPE, and retrieve the IP addresses for the FOPE datacenter servers to update your firewall and Exchange receive connectors. If your Internet traffic passes through a proxy server, you will also need to enter the proxy server information so that the FOPE Gateway can connect to the Internet.

To enable FOPE Gateway Management
  1. In the FPE Administrator Console  Policy Management tree view, expand Online Protection, and then click Configure.

  2. In the Online Protection - Configure pane, in the Forefront Online Protection for Exchange Gateway Management area, select Enable Forefront Online Protection for Exchange Gateway Management.

  3. Enter the Gateway server name. This is the name of the server on which you installed the gateway.

  4. Click the Edit Credentials button to enter the user name and password of a user who has access to the server on which the gateway is installed. Click OK after entering the user name and password.

Note:
If the FOPE Gateway is on a domain controller, domain administrator credentials are required and should be entered in the following format: DOMAIN\USERNAME. If the FOPE Gateway is not installed on a domain controller, local administrator credentials are acceptable and should be entered in the following format: MACHINENAME\USERNAME.
To enter your FOPE credentials
  1. In the Online Protection - Configure pane, in the Forefront Online Protection for Exchange Service Credentials area, enter the company name you used to register with FOPE in the Company text box.

  2. Click Edit Credentials and enter the user name and password you created when you registered with FOPE. Click OK after you enter the credentials.

  3. Click Save at the top of the pane.

To enter proxy server information
  1. In the Online Protection - Configure pane, in the Proxy Server area, select the Enable proxy server box.

  2. Enter the IP address of the proxy server in the Proxy Server text box and the appropriate port number in the Port text box.

  3. Click the Edit Credentials button and enter the appropriate credentials for the proxy server. Click OK after you enter the credentials.

  4. Click Save at the top of the pane.

Redirecting your mail to the FOPE datacenter and allowing incoming mail only from FOPE servers

Once you have registered with FOPE and configured the FOPE settings in FPE, you must redirect all incoming mail to the FOPE datacenter by changing your MX records to point to the FOPE datacenter. You must also change your firewall rules and Exchange edge receive connector settings to allow incoming mail only from the FOPE servers.

To retrieve the IP addresses of the FOPE servers
  1. In the Online Protection - Configure pane, click Save at the top of the panel to ensure that the FOPE and FOPE gateway credentials are properly saved and accepted.

  2. In the Datacenter IP Addresses area, click the Get Addresses button. FPE will retrieve the IP addresses for the FOPE servers and display them. Note the addresses for use when you change your firewall settings.

To redirect your mail to the FOPE servers
  • Update the MX record on your external DNS server so that it directs mail to the FOPE datacenter.

    Your DNS server should have a single MX record that points to: mail.messaging.microsoft.com

    The Sender Policy Framework (SPF) record for your domain should be defined as: v=spf1 include: spf.messaging.microsoft.com -all

Note:
SPF record changes are only needed if you are routing your outbound mail through FOPE.

If you are uncertain about how to make these changes, consult your domain controller administrator.

To configure your firewall and Exchange Edge receive connectors
  • Update your firewall rules and Exchange Edge Receive Connectors to accept only SMTP connections from IP addresses of the FOPE datacenter. These are the IP addresses you retrieved using the Get Addresses button in the Datacenter IP Addresses area of the Online Protection – Configure pane.

Note:
To ensure mail continuity, the MX record changes described in the previous step should be done 72 hours before making the firewall and edge receive connector changes.
Note:
To access the FOPE on-line administrator, select Administration Center in the Actions pane.

Related Topics