Transitioning to Forefront Online Protection for Exchange (FOPE) (Part 1)

by [Published on 23 May 2013 / Last Updated on 22 Aug. 2013]

In this article series, we are going over the steps required to move your mail traffic from on-premises to Microsoft FOPE.

Nowadays, the most common word out there for IT professionals is the cloud. A cloud solution comes in different shapes and forms and it is up to you and your company to decide how much you want to use. There are several solutions, such as Office 365, Azure, backups being moved to the cloud and so forth.

However, for messaging administrators, the term cloud is nothing new when we talk about SMTP traffic; it has been out there for a while. Microsoft offers an interesting solution called FOPE (Microsoft Forefront Online Protection for Exchange), which is the central topic of our article series.

The FOPE architecture is shown in Figure 01. By using FOPE, your company takes advantage of all these key features:

  • It’s a global solution that provides high availability across several datacenters, and Microsoft provides 99.999% uptime
  • According to the FOPE documentation, the service is able to block more than 98% of unwanted e-mail and 100% of known viruses; also, 1 message in each 250k may be a false positive
  • Your SMTP servers won’t be exposed on the Internet
  • FOPE filters all spam and viruses in its datacenters, so only the valid messages arrive at your organization, which saves bandwidth and performance on your servers
  • Easy administration, where everything is web-based, with powerful tools to help the messaging administrator
  • Protection for outbound messages, which can be validated by FOPE servers before going to external recipients
  • Allows end-user quarantine in the cloud
  • Integrates with your Active Directory and synchronizes not just your SMTP information but also safe senders to help identify valid senders
  • Disaster recovery: in case of an outage in your on-premises environment, FOPE will hold your messages for up to 5 days, so you will not lose messages during that period.

Figure 01: This diagram is part of the official Microsoft documentation (http://technet.microsoft.com/en-us/library/ff715134.aspx)

If you haven’t had a chance yet, now is the time to check out the article written by my fellow MSExchange.org author Jaap Wesselius, where he gives us a great summary of the solution in this article. We will start from that point to build our transition process from an on-premises Exchange environment to FOPE services.

In this series, we are going to cover several FOPE components to make sure that we are ready for the transition. The series will be composed of the following articles:

  • Part 1: In this article we will cover the MX and Inbound traffic
  • Part 2: Outbound traffic and Reporting
  • Part 3: We will cover the Microsoft Directory Synchronization Tool
  • Part 4: Security (Filters, Bulk email campaigns, ASE), etc.
  • Part 5: Managing Auditing, Spam, spam quarantine, and notifications
  • Part 6: Time to take the plunge and organize the final steps and start the transition

Before we start…

If you are interested in the solution, you can take a trial using the following link. The trial period is for 60 days and that gives you plenty of time to go over all features of the solution.

After having an account with FOPE, the address that you will use to manage FOPE is https://admin.messaging.microsoft.com.

Understanding your MX records…

First things first, let’s understand how your company is configured and how you receive e-mails in your Exchange organization. A simple way to find that out is to use the www.MXToolbox.com website: type in your domain and all of your MX records will be listed.

Let’s use a domain that we all know very well. We can see that our domain here at MSExchange.org (Figure 02) is hosted on mail.techgenix.com, and the process to migrate this kind of scenario is pretty straightforward because the domain has a single MX record.

Figure 02

When you have more than one MX record, the priority is an important point: the records with the lowest numbers are used first, and in case they are unavailable the other ones will be used. A good example could be any large company, and since I’ve just watched the Avengers movie, I’m going to use the domain marvel.com (Figure 03) to show an example of a domain with several MX records.

Figure 03

Based on the number of MX records of your domain, you can develop your migration strategy. When you have several, it becomes simpler: you can switch the last-priority record to Microsoft FOPE, start performing tests, and then start consolidating your MX records.

From the MX perspective, a good idea for your company is to have a single MX record pointing to Microsoft FOPE services.
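The strategy above can be tracked with a small script. The following is an added example, not code from the original article: it classifies a domain's MX set by migration stage and lists the hosts that still receive Internet mail directly. It assumes the FOPE MX target is mail.messaging.microsoft.com (the host this article uses for its telnet test); the example.com records are constructed sample data.

```python
# Added example: classify a domain's MX set by FOPE migration stage.
# Assumption: the FOPE MX target is the host this article uses for its telnet test.
FOPE_MX = "mail.messaging.microsoft.com"

def parse_mx(lines):
    """Parse 'preference host' lines (the shape of `dig +short MX` output)."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        pref, host = line.split()
        records.append((int(pref), host.rstrip(".").lower()))
    return sorted(records)  # lowest preference number is tried first

def migration_stage(records):
    """Return (stage, hosts that still receive Internet mail directly)."""
    fope = [pref for pref, host in records if host == FOPE_MX]
    direct = [(pref, host) for pref, host in records if host != FOPE_MX]
    direct_hosts = [host for _, host in direct]
    if not fope:
        return "not-started", direct_hosts
    if not direct:
        return "fope-only", []            # the single-MX end state
    if min(fope) > max(pref for pref, _ in direct):
        return "testing", direct_hosts    # FOPE sits at the last priority
    return "consolidating", direct_hosts  # FOPE is preferred, old records remain

# Constructed sample data for the placeholder domain example.com.
SAMPLES = {
    "before": ["10 mx1.example.com.", "20 mx2.example.com."],
    "testing": ["10 mx1.example.com.", "20 mx2.example.com.",
                "30 mail.messaging.microsoft.com."],
    "consolidating": ["5 mail.messaging.microsoft.com.", "10 mx1.example.com."],
    "done": ["10 mail.messaging.microsoft.com."],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        stage, direct = migration_stage(parse_mx(lines))
        print(f"{name:14} stage={stage:14} direct={direct}")
```

Any host still listed as direct accepts mail that has not passed through FOPE filtering, so the list should be empty once the transition is finished.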

Managing Inbound Traffic

The process of configuring inbound mail flow is extremely easy with the FOPE console. As a matter of fact, we can use all the current infrastructure and start testing right away without affecting the current mail flow.

Let’s assume that you have a single public IP that receives all mail from the Internet. In that case we just need to go to the FOPE Admin page, click on the Administration tab, then Company, and click on Add in the Mail Server Multi-SMTP Profiles section. In the new page displayed (Figure 04) we need to add the public IP address(es) responsible for receiving Internet mail traffic, and an MX priority should be assigned to them.

Note:
You can also use a profile name, and in case you have several domains in the future you can always reference a set of servers by that profile name.

Figure 04

As soon as you do that, any message that goes through FOPE will be delivered to your organization based on the IPs that you configured in the previous page. Isn’t that easy?

Well, we are curious by nature and we must test a new thing to make sure that it works, right? The test process uses the same thing that we have been using for years. Yes, you are right: a simple telnet on port 25!

The following commands can be used to test your FOPE deployment:

telnet mail.messaging.microsoft.com 25 <enter>

ehlo test.ca <enter>

mail from: yourname@test.ca <enter>

rcpt to: YourMailbox@YourDomain.xx <enter>

data <enter>

Subject: Subject String <enter>

<enter>

Message body <enter>

. <enter>

Quit <enter>

A summary of the commands above can be seen in Figure 05. If you look at the headers of the message that just arrived in your Inbox or Junk E-mail folder, you will notice on the first line that your server received the message from Microsoft (bigfish.com), which means that the mail flow is working like a charm!

Figure 05
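The header check described above can be scripted. This is an added example, not part of the original article: it reads the topmost Received header of a message and tests whether the sending host falls under bigfish.com. The relay names, IP addresses and example.com mailbox in the sample message are constructed placeholders.

```python
# Added example: confirm the last hop into your server was a bigfish.com host.
import re
from email import message_from_string

FOPE_DOMAIN = "bigfish.com"  # domain the article reports on the first header line

def first_hop_host(raw_message):
    """Return the host named after 'from' in the topmost Received header."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold a header wrapped over lines
    match = re.match(r"from\s+(\S+)", top, re.IGNORECASE)
    return match.group(1).rstrip(".").lower() if match else None

def arrived_via_fope(raw_message, domain=FOPE_DOMAIN):
    """True when the last hop is the domain itself or one of its subdomains."""
    host = first_hop_host(raw_message)
    if host is None:
        return False
    # Exact suffix match, so 'bigfish.com.mail.example' does not pass.
    return host == domain or host.endswith("." + domain)

def sample(last_hop):
    """Build a constructed test message whose final hop is `last_hop`."""
    return (
        f"Received: from {last_hop} (192.0.2.10) by mail.example.com\n"
        " (198.51.100.5) with SMTP; Thu, 23 May 2013 10:00:00 -0400\n"
        f"Received: from test.ca (203.0.113.7) by {last_hop} with SMTP;\n"
        " Thu, 23 May 2013 09:59:58 -0400\n"
        "From: yourname@test.ca\n"
        "To: YourMailbox@example.com\n"
        "Subject: Subject String\n"
        "\n"
        "Message body\n"
    )

if __name__ == "__main__":
    for hop in ("relay1.bigfish.com", "mx.sender.example",
                "bigfish.com.mail.example"):
        print(f"{hop:28} via FOPE: {arrived_via_fope(sample(hop))}")
```

The name after "from" is what the connecting host announced to your server, so this confirms mail flow rather than authenticating the sender.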

FOPE Support

In case you have any questions about how to use a feature, need to validate mail flow, or even want to run a test to check whether your firewall settings are working properly based on FOPE recommendations, support is available right from the console. If you want to create a new case, just click on your name on the right side, then click on Get Help Now and follow the wizard to open your ticket.

Figure 06

Conclusion

In this first article of our series we saw a brief summary of the benefits that the FOPE solution can bring to your organization. We also went over the article road map for our series, and in the last one we will do a recap of all key points covered during the series to finish up the transition.