Exempt distribution lists in Forefront Online Protection

  • Question

  • Hello,

    I don't want all my distribution groups uploaded to FOPE. How do I exempt them? I believe there is a way via OU?

    We have email enabled distribution lists that have a # to make them not work on the internet but I just found out that FOPE allows these to be emailed too and that's a problem for us.


    Saturday, April 21, 2012 5:13 AM

All replies

  • Here is what I did, but I am having issues.

    I ran the DST tool as a user account. I then did a Full Deny on the OU that housed all internal lists.

    Now they are not syncing as expected but I can still send emails to them. I have deleted them out of the Forefront internet database.

    Any ideas?



    Saturday, April 21, 2012 8:21 PM
  • Simply create a policy deny rule in FOPE's Administration Center. To do this, follow the steps below:

    Log into the Administration Center

    Click the Administration tab and select "Policy Rules"

    Under tasks on right side click New Policy Rule

    Domain Scope: All domains
    Traffic Scope: Inbound Messages
    Action: Reject

    Click the recipient drop-down lower on the page, and enter the addresses you wish to be blocked. Pay close attention to the Recipient options available on this field. If you have many of these DLs, you can also upload them to a dictionary and just tell the policy rule to use that.

    After filling out all forms, simply save the rule, wait about 1-1.5 hours for it to fully replicate to all of the filtering servers, and you should no longer get mail to those accounts from the internet, despite their being on your Directory Services list.

    Wednesday, May 9, 2012 6:23 PM
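One way to build the address list for the policy rule described in the reply above, as an added example that is not part of the original thread: it collects every SMTP address of the sender-restricted distribution groups in one OU into a text file. The OU name, the output path, and the one-address-per-line layout for the dictionary upload are assumptions.

```powershell
# Added example; run in the Exchange Management Shell.
# The OU and the output path are constructed placeholders.
param(
    [string]$OrganizationalUnit = 'example.local/Internal Lists',
    [string]$OutFile = '.\internal-dl-addresses.txt'
)

# Groups in the OU that accept mail only from authenticated (internal) senders.
$groups = @(Get-DistributionGroup -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
    Where-Object { $_.RequireSenderAuthenticationEnabled })

# Collect every SMTP proxy address, not just the primary one: a rule that
# lists only primary addresses leaves the secondary addresses reachable.
$addresses = foreach ($g in $groups) {
    foreach ($a in $g.EmailAddresses) {
        # Proxy addresses render as "SMTP:addr" (primary) or "smtp:addr";
        # -match is case-insensitive, so both are caught. X500 etc. are skipped.
        if ([string]$a -match '^smtp:(.+)$') { $Matches[1].ToLowerInvariant() }
    }
}

# De-duplicate and write one address per line (assumed upload layout).
$addresses = @($addresses | Sort-Object -Unique)
$addresses | Set-Content -Path $OutFile -Encoding ASCII

'{0} addresses from {1} groups written to {2}' -f $addresses.Count, $groups.Count, $OutFile
```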
  • I found an easier way. In Exchange I take off the "automatic" stamp of SMTP and manually put the SMTP address as something@mydomain.local. That way, even though FOPE will still see it, no email will ever land on it as it's not a valid external address. FOPE should be smart enough to see the ACL on distribution lists, but it's not.
    Wednesday, June 13, 2012 10:02 PM
  • Hello,

    If you don't want FOPE to allow emails intended for DLs, make sure the DL addresses are not present in the Users list in FOPE.

    Set Directory Based Edge Blocking (DBEB) to Reject Mode. This mode will reject emails for addresses which are not present in the users list.



    Tuesday, June 19, 2012 10:59 PM
  • Since OP is talking about OUs, he is most likely using the dirsynch tool. Aarthy, your solution isn't really feasible since the dirsynch will repopulate users even if you delete them in FOPE. At least, it did that for me.
    Tuesday, June 19, 2012 11:02 PM