Exchange IP whitelisting

Hello experts,

I have a client who is looking to white-list IP addresses, for some reason.

After some reading, it seems like we can white-list IPs in Exchange through Receive connector or using IP list providers as per link below

https://technet.microsoft.com/en-us/library/bb123964%28v=exchg.141%29.aspx

My client does not have an Edge server; instead, they have multiple HUB/CAS servers, MBXs in a DAG, and a relay server [third-party application].

As per the link above, MS does not recommend applying list providers on HUBs.

Can you please indicate all steps to whitelist IP addresses in Exchange 2010 using both methods, and indicate your preferred one? What are the best practices for companies that do not have Edge servers?

What about the scenario for Exchange 2013 servers? 2 CAS / 2 MBX in a DAG

Please consider both Exchange versions, and all options to white-list IP addresses, with pros and cons.
Jerry Seinfield Asked:

Jian An Lim, Solutions Architect, Commented:
Just to summarize your question:

1. You want to know how to whitelist using a receive connector and an IP provider.

Receive connector method
http://exchangeserverpro.com/how-to-add-remote-ip-addresses-to-existing-receive-connectors/
IP provider method
Install antispam on the hub, then follow the IP Allow List section
- http://johanveldhuis.nl/tutorials/exchange/anti-spam-agents-installeren-op-de-hub-transport-server/


2. You want to know which one is preferred for an Exchange environment without an Edge server.
OK, this is a design question.
Without knowing the full picture, it is very hard to recommend something.
I will first ask: what is your inbound strategy? What is your antispam strategy?
If you don't have any, then you don't worry about them.

The best recommendation is actually to have a 3rd-party edge outside your environment (mailguard.com.au, Symantec cloud or others).
The reason why? Because the 3rd party provides MX redundancy, and you are hiding your MX record from the public.

Even given you have 2 HUB/CAS servers, you don't have 2 separate IP addresses (which I assume), so there is a single point of failure. Let's say you have 2 separate IP addresses; do they use 2 separate modems? (another single point of failure)

Further, when there is a mail relay attack, your MX record is not being published to the internet, so no one will be able to hit you directly. Further, you always trust a range of IP addresses, i.e. the IPs from the provider, so you will be much safer.

Again, other considerations like spam and viruses are taken care of before they reach your network, and internet usage will be lower (you don't need to receive the whole email before you reject it, etc.).


Some will say install an on-premise solution (which are plentiful as well), but the idea is that your Exchange server will not be your 1st hop in from the internet.

Of course, this is one of the general recommendations; it might not suit your case.
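
Added example (not part of the answer above or of the linked articles): the two methods from point 1 as Exchange Management Shell commands, shown for an Exchange 2010 Hub Transport server. The connector name `HUB01\Relay` and the address `192.0.2.25` are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on an Exchange 2010
# Hub Transport server.
# Placeholders (assumptions, not from the thread):
#   connector 'HUB01\Relay', relay host 192.0.2.25 (documentation address).
$connector = 'HUB01\Relay'
$relayIp   = '192.0.2.25'

# Review first: which connectors accept mail from which source ranges,
# and which permission groups (e.g. AnonymousUsers) they grant.
Get-ReceiveConnector |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups

# --- Method 1: receive connector ---
# Passing a single value to -RemoteIPRanges replaces the whole list, so read
# the current ranges, append the new address, and write the full list back.
$rc = Get-ReceiveConnector -Identity $connector
$rc.RemoteIPRanges += $relayIp
Set-ReceiveConnector -Identity $connector -RemoteIPRanges $rc.RemoteIPRanges

# Confirm the connector now lists the old ranges plus the new address.
(Get-ReceiveConnector -Identity $connector).RemoteIPRanges

# --- Method 2: IP Allow list (Connection Filtering agent) ---
# The anti-spam agents are not installed on a Hub Transport server by default.
$agent = Get-TransportAgent |
    Where-Object { $_.Identity -like 'Connection Filtering*' }
if (-not $agent) {
    & (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
    Restart-Service MSExchangeTransport
}

# Add one address; use -IPRange instead of -IPAddress for a range or CIDR block.
Add-IPAllowListEntry -IPAddress $relayIp

# Confirm what is on the list.
Get-IPAllowListEntry | Format-Table Identity, IPRange, ExpirationTime
```

Keep each entry as narrow as the sending host requires: addresses on the IP Allow list skip the other anti-spam agents.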

Thomas Grassi, Systems Administrator, Commented:
Yes, with Exchange you must use EMC or shell commands.

I installed ORF Fusion on my Exchange 2010 server.

That whitelists email addresses, IP addresses, IP address ranges, domain names, etc.

Very nice product.

Check it out: http://vamsoft.com/

Radhakrishnan R, Senior Technical Lead, Commented:
Hi,

You need to either contact the other domain owners (who are rejecting your mails) and send a request to unblock your IP, or you need to change your Exchange server's IP address.
Question has a verified solution.