Connection filtering procedures on Edge Transport servers
Connection filtering is an antispam feature that's provided by the Connection Filtering agent, which is available only on Edge Transport servers in Exchange Server. Connection filtering enables the following features:
- IP blocklist
- IP blocklist providers
- IP allowlist
- IP allowlist providers
Each of these features can be enabled or disabled separately.
For more information about connection filtering, see Connection filtering on Edge Transport servers.
What do you need to know before you begin?
Estimated time to complete each procedure: 5 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam features" entry in the Antispam and anti-malware permissions topic.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
Use the Exchange Management Shell to enable or disable connection filtering
To completely enable or disable connection filtering, you enable or disable the Connection Filtering agent. The change takes effect after you restart the Microsoft Exchange Transport service. When you restart the Microsoft Exchange Transport service on an Edge Transport server, mail flow on the server is temporarily interrupted.
To disable connection filtering, run the following command:
Disable-TransportAgent "Connection Filtering Agent"
To enable connection filtering, run the following command:
Enable-TransportAgent "Connection Filtering Agent"
To make the change take effect, restart the Microsoft Exchange Transport service by running the following command:
Restart-Service MSExchangeTransport
How do you know this worked?
To verify that you successfully enabled or disabled connection filtering, run the following command to verify the Enabled property value.
Get-TransportAgent "Connection Filtering Agent" | Format-List Enabled
IP blocklist procedures
These procedures apply to the IP blocklist that you manually configure. They don't apply to IP blocklist providers.
Use the IPBlockListConfig cmdlets to view and configure how connection filtering uses the IP blocklist. Use the IPBlockListEntry cmdlets to view and configure the IP addresses in the IP blocklist.
Use the Exchange Management Shell to view the configuration of the IP blocklist
To view the configuration of the IP blocklist, run the following command:
Get-IPBlockListConfig | Format-List *Enabled,*Response
Use the Exchange Management Shell to enable or disable the IP blocklist
To disable the IP blocklist, run the following command:
Set-IPBlockListConfig -Enabled $false
To enable the IP blocklist, run the following command:
Set-IPBlockListConfig -Enabled $true
For more information, see Set-IPBlockListConfig.
How do you know this worked?
To verify that you successfully enabled or disabled the IP blocklist, run the following command to verify the Enabled property value.
Get-IPBlockListConfig | Format-List Enabled
Use the Exchange Management Shell to configure the IP blocklist
To configure the IP blocklist, use the following syntax:
Set-IPBlockListConfig [-ExternalMailEnabled <$true | $false>] [-InternalMailEnabled <$true | $false>] [-MachineEntryRejectionResponse "<Custom response text>"] [-StaticEntryRejectionResponse "<Custom response text>"]
This example configures the IP blocklist with the following settings:
- The IP blocklist filters incoming connections from internal and external mail servers. By default, connections are filtered from external mail servers only (ExternalMailEnabled is set to $true, and InternalMailEnabled is set to $false). Non-authenticated connections and authenticated connections from external partners are considered external.
- The custom response text for connections that were filtered by IP addresses that were automatically added to the IP blocklist by the sender reputation feature of the Protocol Analysis agent is set to the value "Connection from IP address {0} was rejected by sender reputation."
- The custom response text for connections that were filtered by IP addresses that were manually added to the IP blocklist is set to the value "Connection from IP address {0} was rejected by connection filtering."
Set-IPBlockListConfig -InternalMailEnabled $true -MachineEntryRejectionResponse "Connection from IP address {0} was rejected by sender reputation." -StaticEntryRejectionResponse "Connection from IP address {0} was rejected by connection filtering."
For more information, see Set-IPBlockListConfig.
How do you know this worked?
To verify that you successfully configured the IP blocklist, run the following command to verify the property values.
Get-IPBlockListConfig | Format-List *MailEnabled,*Response
Use the Exchange Management Shell to view IP blocklist entries
To view all IP blocklist entries, run the following command:
Get-IPBlockListEntry
Note that each IP blocklist entry is identified by an integer value. The identity integer is assigned in ascending order when you add entries to the IP blocklist and the IP allowlist.
To view a specific IP blocklist entry, use the following syntax:
Get-IPBlockListEntry <-Identity IdentityInteger | -IPAddress IPAddress>
For example, to view the IP blocklist entry that contains the IP address 192.168.1.13, run the following command:
Get-IPBlockListEntry -IPAddress 192.168.1.13
For more information, see Get-IPBlockListEntry.
Note
When you use the IPAddress parameter, the resulting IP blocklist entry can be an individual IP address, an IP address range, or a Classless Inter-Domain Routing (CIDR) IP. To use the Identity parameter, you specify the integer value that's assigned to the IP blocklist entry.
Use the Exchange Management Shell to add IP blocklist entries
To add IP blocklist entries, use the following syntax:
Add-IPBlockListEntry <-IPAddress IPAddress | -IPRange IP range or CIDR IP> [-ExpirationTime <DateTime>] [-Comment "<Descriptive Comment>"]
This example adds the IP blocklist entry for the IP address range 192.168.1.10 through 192.168.1.15 and configures the IP blocklist entry to expire on July 4, 2018 at 15:00.
Add-IPBlockListEntry -IPRange 192.168.1.10-192.168.1.15 -ExpirationTime "7/4/2018 15:00"
For more information, see Add-IPBlockListEntry.
How do you know this worked?
To verify that you successfully added an IP blocklist entry, run the following command and verify that the new IP blocklist entry is displayed.
Get-IPBlockListEntry
Use the Exchange Management Shell to remove IP blocklist entries
To remove IP blocklist entries, use the following syntax:
Remove-IPBlockListEntry <IdentityInteger>
This example removes the IP blocklist entry that has the Identity value 3.
Remove-IPBlockListEntry 3
This example removes the IP blocklist entry that contains the IP address 192.168.1.12 without using the Identity integer value. Note that the IP blocklist entry can be an individual IP address or an IP address range.
Get-IPBlockListEntry -IPAddress 192.168.1.12 | Remove-IPBlockListEntry
For more information, see Remove-IPBlockListEntry.
How do you know this worked?
To verify that you successfully removed an IP blocklist entry, run the following command and verify that the IP blocklist entry you removed is gone.
Get-IPBlockListEntry
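The entry procedures above can be combined into a single maintenance script. The following is an added example, not code from the original page: it bulk-adds manually curated IP blocklist entries with a 30-day expiry and a traceable comment, then audits the list for entries that never expire or carry no comment. The IP ranges and ticket references are constructed samples, and the assumption that a permanent entry reports ExpirationTime as [DateTime]::MaxValue is noted in the code.

```powershell
# Added example (not from the original page): bulk-add curated IP blocklist entries
# with an expiry and a comment, then audit the blocklist for entries that are
# permanent or undocumented. The ranges and ticket references below are constructed.

$ExpireOn = (Get-Date).AddDays(30)

# Constructed sample data. Recording a ticket reference in Comment lets the
# entry be traced back to the incident that justified it.
$NewEntries = @(
    @{ IPRange = "192.168.1.10-192.168.1.15"; Comment = "Ticket SAMPLE-001: brute-force source" },
    @{ IPRange = "192.168.2.0/24";            Comment = "Ticket SAMPLE-002: spam relay range" }
)

foreach ($Entry in $NewEntries) {
    # -IPRange accepts a dotted range or a CIDR block, as the syntax above shows.
    Add-IPBlockListEntry -IPRange $Entry.IPRange -ExpirationTime $ExpireOn -Comment $Entry.Comment
}

# Audit: manual entries with no expiry or no comment tend to be forgotten and
# can silently block legitimate senders long after the original incident.
# Assumption: an entry added without -ExpirationTime reports [DateTime]::MaxValue.
$Audit = Get-IPBlockListEntry | Where-Object {
    $_.ExpirationTime -eq [DateTime]::MaxValue -or [string]::IsNullOrWhiteSpace($_.Comment)
}

# Show what was added and what needs follow-up; verify with the page's own check.
Get-IPBlockListEntry | Format-Table -Auto Identity,IPRange,ExpirationTime,Comment
$Audit | Format-Table -Auto Identity,IPRange,ExpirationTime,Comment
```

Entries flagged by the audit can be removed with the pipeline form shown above (Get-IPBlockListEntry -IPAddress ... | Remove-IPBlockListEntry) once their owner confirms they are no longer needed.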
IP blocklist provider procedures
These procedures apply to IP blocklist providers. They don't apply to the IP blocklist.
Use the IPBlockListProvidersConfig cmdlets to view and configure how connection filtering uses all IP blocklist providers. Use the IPBlockListProvider cmdlets to view, configure, and test IP blocklist providers.
Use the Exchange Management Shell to view the configuration of all IP blocklist providers
To view how connection filtering uses all IP blocklist providers, run the following command:
Get-IPBlockListProvidersConfig | Format-List *Enabled,Bypassed*
For more information, see Get-IPBlockListProvidersConfig.
Use the Exchange Management Shell to enable or disable all IP blocklist providers
To disable all IP blocklist providers, run the following command:
Set-IPBlockListProvidersConfig -Enabled $false
To enable all IP blocklist providers, run the following command:
Set-IPBlockListProvidersConfig -Enabled $true
For more information, see Set-IPBlockListProvidersConfig.
How do you know this worked?
To verify that you enabled or disabled all IP blocklist providers, run the following command to verify the value of the Enabled property:
Get-IPBlockListProvidersConfig | Format-List Enabled
Use the Exchange Management Shell to configure all IP blocklist providers
To configure how connection filtering uses all IP blocklist providers, use the following syntax:
Set-IPBlockListProvidersConfig [-BypassedRecipients <recipient1,recipient2...>] [-ExternalMailEnabled <$true | $false>] [-InternalMailEnabled <$true | $false>]
This example configures all IP blocklist providers with the following settings:
- IP blocklist providers filter incoming connections from internal and external mail servers. By default, connections are filtered from external mail servers only (ExternalMailEnabled is set to $true, and InternalMailEnabled is set to $false). Non-authenticated connections and authenticated connections from external partners are considered external.
- Messages sent to the internal recipients chris@fabrikam.com and michelle@fabrikam.com are excluded from filtering by IP blocklist providers. Note that if you want to add recipients to the list without affecting existing recipients, use the syntax @{Add="<recipient1>","<recipient2>"...}.
Set-IPBlockListProvidersConfig -BypassedRecipients chris@fabrikam.com,michelle@fabrikam.com -InternalMailEnabled $true
For more information, see Set-IPBlockListProvidersConfig.
How do you know this worked?
To verify that you successfully configured all IP blocklist providers, run the following command to verify the property values:
Get-IPBlockListProvidersConfig | Format-List *MailEnabled,Bypassed*
Use the Exchange Management Shell to view IP blocklist providers
To view the summary list of all the IP blocklist providers, run the following command:
Get-IPBlockListProvider
To view the details of a specific provider, use the following syntax:
Get-IPBlockListProvider <IPBlockListProviderIdentity>
This example shows the details of the provider named Contoso IP blocklist Provider.
Get-IPBlockListProvider "Contoso IP blocklist Provider" | Format-List Name,Enabled,Priority,LookupDomain,*Match,*Response
For more information, see Get-IPBlockListProvider.
Use the Exchange Management Shell to add an IP blocklist provider
To add an IP blocklist provider, use the following syntax:
Add-IPBlockListProvider -Name "<Descriptive Name>" -LookupDomain <FQDN> [-Priority <Integer>] [-Enabled <$true | $false>] [-AnyMatch <$true | $false>] [-BitmaskMatch <IPAddress>] [-IPAddressesMatch <IPAddressStatusCode1,IPAddressStatusCode2...>] [-RejectionResponse "<Custom Text>"]
This example creates an IP blocklist provider named "Contoso IP blocklist Provider" with the following options:
FQDN to use the provider: rbl.contoso.com
Bitmask code to use from the provider: 127.0.0.1
Add-IPBlockListProvider -Name "Contoso IP blocklist Provider" -LookupDomain rbl.contoso.com -BitmaskMatch 127.0.0.1
Note
When you add a new IP blocklist provider, it's enabled by default (the value of Enabled is $true), and the priority value is incremented (the first entry has the Priority value 1).
For more information, see Add-IPBlockListProvider.
How do you know this worked?
To verify that you successfully added an IP blocklist provider, run the following command and verify that the new IP blocklist provider is displayed.
Get-IPBlockListProvider
Use the Exchange Management Shell to enable or disable an IP blocklist provider
To enable or disable a specific IP blocklist provider, use the following syntax:
Set-IPBlockListProvider <IPBlockListProviderIdentity> -Enabled <$true | $false>
This example disables the provider named Contoso IP blocklist Provider.
Set-IPBlockListProvider "Contoso IP blocklist Provider" -Enabled $false
This example enables the provider named Contoso IP blocklist Provider.
Set-IPBlockListProvider "Contoso IP blocklist Provider" -Enabled $true
For more information, see Set-IPBlockListProvider.
How do you know this worked?
To verify that you successfully enabled or disabled an IP blocklist provider, run the following command to verify the value of the Enabled property:
Get-IPBlockListProvider | Format-Table -Auto Name,LookupDomain,Priority,Enabled
Use the Exchange Management Shell to configure an IP blocklist provider
The configuration options that are available on the Set-IPBlockListProvider cmdlet are identical to those on the Add-IPBlockListProvider cmdlet.
To configure an existing IP blocklist provider, use the following syntax:
Set-IPBlockListProvider <IPBlockListProviderIdentity> -Name "<Descriptive Name>" -LookupDomain <FQDN> [-Priority <Integer>] [-AnyMatch <$true | $false>] [-BitmaskMatch <IPAddress>] [-IPAddressesMatch <IPAddressStatusCode1,IPAddressStatusCode2...>] [-RejectionResponse "<Custom Text>"]
For example, to add the IP address status code 127.0.0.1 to the list of existing status codes for the provider named Contoso IP blocklist Provider, run the following command:
Set-IPBlockListProvider "Contoso IP blocklist Provider" -IPAddressesMatch @{Add="127.0.0.1"}
For more information, see Set-IPBlockListProvider.
How do you know this worked?
To verify that you successfully configured an IP blocklist provider, run the following command to verify the property values. Be sure to replace <IPBlockListProviderIdentity> with the name of the IP blocklist provider.
Get-IPBlockListProvider <IPBlockListProviderIdentity> | Format-List
Use the Exchange Management Shell to test an IP blocklist provider
To test an IP blocklist provider, use the following syntax:
Test-IPBlockListProvider <IPBlockListProviderIdentity> -IPAddress <IPAddressToTest>
This example tests the provider named Contoso IP blocklist Provider by looking up the IP address 192.168.1.1.
Test-IPBlockListProvider "Contoso IP blocklist Provider" -IPAddress 192.168.1.1
For more information, see Test-IPBlockListProvider.
Use the Exchange Management Shell to remove an IP blocklist provider
To remove an IP blocklist provider, use the following syntax:
Remove-IPBlockListProvider <IPBlockListProviderIdentity>
This example removes the IP blocklist provider named Contoso IP blocklist Provider.
Remove-IPBlockListProvider "Contoso IP blocklist Provider"
For more information, see Remove-IPBlockListProvider.
How do you know this worked?
To verify that you successfully removed an IP blocklist provider, run the following command and verify that the IP blocklist provider you removed is gone.
Get-IPBlockListProvider
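The add, configure, test and verify steps above fit naturally into one script. The following is an added example, not code from the original page: it registers a blocklist provider that matches only specific return codes rather than any response, sets a rejection response that names the provider, tests a lookup, and verifies the result. The provider name and lookup domain are the page's Contoso sample; the status codes 127.0.0.2 and 127.0.0.3 are constructed, since each real provider publishes its own codes.

```powershell
# Added example (not from the original page): register a DNS blocklist provider that
# matches explicit return codes, then test and verify it. Return codes below are
# constructed samples; use the codes documented by the provider you subscribe to.

$ProviderName = "Contoso IP blocklist Provider"

# Match only the listed return codes. Many DNS blocklists return different codes
# for different listing reasons; matching any response (-AnyMatch $true) would also
# reject on informational or test codes, so explicit codes reduce false rejections.
Add-IPBlockListProvider -Name $ProviderName -LookupDomain rbl.contoso.com `
    -AnyMatch $false -IPAddressesMatch 127.0.0.2,127.0.0.3 `
    -RejectionResponse "Connection rejected: the sending IP address is listed by $ProviderName."

# Test a lookup against the provider. 192.168.1.1 is the page's sample address;
# substitute an address the provider is known to list to confirm a positive match.
Test-IPBlockListProvider $ProviderName -IPAddress 192.168.1.1 | Format-List

# Verify the stored configuration, as in the page's own check.
Get-IPBlockListProvider $ProviderName |
    Format-List Name,Enabled,Priority,LookupDomain,*Match,*Response

# Providers are consulted in Priority order; list them to confirm ordering.
Get-IPBlockListProvider | Format-Table -Auto Name,LookupDomain,Priority,Enabled
```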
IP allowlist procedures
These procedures apply to the IP allowlist that you manually configure. They don't apply to IP allowlist providers.
Use the IPAllowListConfig cmdlets to view and configure how connection filtering uses the IP allowlist. Use the IPAllowListEntry cmdlets to view and configure the IP addresses in the IP allowlist.
Use the Exchange Management Shell to view the configuration of the IP allowlist
To view the configuration of the IP allowlist, run the following command.
Get-IPAllowListConfig | Format-List *Enabled
For more information, see Get-IPAllowListConfig.
Use the Exchange Management Shell to enable or disable the IP allowlist
To disable the IP allowlist, run the following command:
Set-IPAllowListConfig -Enabled $false
To enable the IP allowlist, run the following command:
Set-IPAllowListConfig -Enabled $true
How do you know this worked?
To verify that you successfully enabled or disabled the IP allowlist, run the following command to verify the value of the Enabled property:
Get-IPAllowListConfig | Format-List Enabled
Use the Exchange Management Shell to configure the IP allowlist
To configure the IP allowlist, use the following syntax:
Set-IPAllowListConfig [-ExternalMailEnabled <$true | $false>] [-InternalMailEnabled <$true | $false>]
This example configures the IP allowlist to filter incoming connections from internal and external mail servers. By default, connections are filtered from external mail servers only (ExternalMailEnabled is set to $true, and InternalMailEnabled is set to $false). Non-authenticated connections and authenticated connections from external partners are considered external.
Set-IPAllowListConfig -InternalMailEnabled $true
For more information, see Set-IPAllowListConfig.
How do you know this worked?
To verify that you successfully configured the IP allowlist, run the following command to verify the property values:
Get-IPAllowListConfig | Format-List *MailEnabled
Use the Exchange Management Shell to view IP allowlist entries
To view all IP allowlist entries, run the following command:
Get-IPAllowListEntry
Note that each IP allowlist entry is identified by an integer value. The identity integer is assigned in ascending order when you add entries to the IP blocklist and the IP allowlist.
To view a specific IP allowlist entry, use the following syntax:
Get-IPAllowListEntry <-Identity IdentityInteger | -IPAddress IPAddress>
For example, to view the IP allowlist entry that contains the IP address 192.168.1.13, run the following command:
Get-IPAllowListEntry -IPAddress 192.168.1.13
For more information, see Get-IPAllowListEntry.
Note
When you use the IPAddress parameter, the resulting IP allowlist entry can be an individual IP address, an IP address range, or a Classless Inter-Domain Routing (CIDR) IP. To use the Identity parameter, you specify the integer value that's assigned to the IP allowlist entry.
Use the Exchange Management Shell to add IP allowlist entries
To add IP allowlist entries, use the following syntax:
Add-IPAllowListEntry <-IPAddress IPAddress | -IPRange IP range or CIDR IP> [-ExpirationTime <DateTime>] [-Comment "<Descriptive Comment>"]
This example adds the IP allowlist entry for the IP address range 192.168.1.10 through 192.168.1.15 and configures the IP allowlist entry to expire on July 4, 2018 at 15:00.
Add-IPAllowListEntry -IPRange 192.168.1.10-192.168.1.15 -ExpirationTime "7/4/2018 15:00"
For more information, see Add-IPAllowListEntry.
How do you know this worked?
To verify that you successfully added an IP allowlist entry, run the following command and verify that the new IP allowlist entry is displayed.
Get-IPAllowListEntry
Use the Exchange Management Shell to remove IP allowlist entries
To remove IP allowlist entries, use the following syntax:
Remove-IPAllowListEntry <IdentityInteger>
This example removes the IP allowlist entry that has the Identity value 3.
Remove-IPAllowListEntry 3
This example removes the IP allowlist entry that contains the IP address 192.168.1.12 without using the Identity integer value. Note that the IP allowlist entry can be an individual IP address or an IP address range.
Get-IPAllowListEntry -IPAddress 192.168.1.12 | Remove-IPAllowListEntry
For more information, see Remove-IPAllowListEntry.
How do you know this worked?
To verify that you successfully removed an IP allowlist entry, run the following command and verify that the IP allowlist entry you removed is gone.
Get-IPAllowListEntry
IP allowlist provider procedures
These procedures apply to IP allowlist providers. They don't apply to the IP allowlist.
Use the IPAllowListProvidersConfig cmdlets to view and configure how connection filtering uses all IP allowlist providers. Use the IPAllowListProvider cmdlets to view, configure, and test IP allowlist providers.
Use the Exchange Management Shell to view the configuration of all IP allowlist providers
To view how connection filtering uses all IP allowlist providers, run the following command:
Get-IPAllowListProvidersConfig | Format-List *Enabled
For more information, see Get-IPAllowListProvidersConfig.
Use the Exchange Management Shell to enable or disable all IP allowlist providers
To disable all IP allowlist providers, run the following command:
Set-IPAllowListProvidersConfig -Enabled $false
To enable all IP allowlist providers, run the following command:
Set-IPAllowListProvidersConfig -Enabled $true
For more information, see Set-IPAllowListProvidersConfig.
How do you know this worked?
To verify that you enabled or disabled all IP allowlist providers, run the following command to verify the Enabled property value:
Get-IPAllowListProvidersConfig | Format-List Enabled
Use the Exchange Management Shell to configure all IP allowlist providers
To configure how connection filtering uses all IP allowlist providers, use the following syntax:
Set-IPAllowListProvidersConfig [-ExternalMailEnabled <$true | $false>] [-InternalMailEnabled <$true | $false>]
This example configures all IP allowlist providers to filter incoming connections from internal and external mail servers. By default, connections are filtered from external mail servers only (ExternalMailEnabled is set to $true, and InternalMailEnabled is set to $false). Non-authenticated connections and authenticated connections from external partners are considered external.
Set-IPAllowListProvidersConfig -InternalMailEnabled $true
For more information, see Set-IPAllowListProvidersConfig.
How do you know this worked?
To verify that you successfully configured all IP allowlist providers, run the following command to verify the property values:
Get-IPAllowListProvidersConfig | Format-List *MailEnabled
Use the Exchange Management Shell to view IP allowlist providers
To view the summary list of all the IP allowlist providers, run the following command.
Get-IPAllowListProvider
To view the details of a specific provider, use the following syntax:
Get-IPAllowListProvider <IPAllowListProviderIdentity>
This example shows the details of the provider named Contoso IP allowlist Provider.
Get-IPAllowListProvider "Contoso IP allowlist Provider" | Format-List Name,Enabled,Priority,LookupDomain,*Match
For more information, see Get-IPAllowListProvider.
Use the Exchange Management Shell to add an IP allowlist provider
To add an IP allowlist provider, use the following syntax:
Add-IPAllowListProvider -Name "<Descriptive Name>" -LookupDomain <FQDN> [-Priority <Integer>] [-Enabled <$true | $false>] [-AnyMatch <$true | $false>] [-BitmaskMatch <IPAddress>] [-IPAddressesMatch <IPAddressStatusCode1,IPAddressStatusCode2...>]
This example creates an IP allowlist provider named "Contoso IP allowlist Provider" with the following options:
FQDN to use the provider: allow.contoso.com
Bitmask code to use from the provider: 127.0.0.1
Add-IPAllowListProvider -Name "Contoso IP allowlist Provider" -LookupDomain allow.contoso.com -BitmaskMatch 127.0.0.1
Note
When you add a new IP allowlist provider, it's enabled by default (the value of Enabled is $true), and the priority value is incremented (the first entry has the Priority value 1).
For more information, see Add-IPAllowListProvider.
How do you know this worked?
To verify that you successfully added an IP allowlist provider, run the following command and verify that the new IP allowlist provider is displayed.
Get-IPAllowListProvider
Use the Exchange Management Shell to enable or disable an IP allowlist provider
To enable or disable a specific IP allowlist provider, use the following syntax:
Set-IPAllowListProvider <IPAllowListProviderIdentity> -Enabled <$true | $false>
This example disables the provider named Contoso IP allowlist Provider.
Set-IPAllowListProvider "Contoso IP allowlist Provider" -Enabled $false
This example enables the provider named Contoso IP allowlist Provider.
Set-IPAllowListProvider "Contoso IP allowlist Provider" -Enabled $true
For more information, see Set-IPAllowListProvider.
How do you know this worked?
To verify that you successfully enabled or disabled an IP allowlist provider, run the following command to verify the Enabled property value:
Get-IPAllowListProvider | Format-Table -Auto Name,LookupDomain,Priority,Enabled
Use the Exchange Management Shell to configure an IP allowlist provider
The configuration options that are available on the Set-IPAllowListProvider cmdlet are identical to those on the Add-IPAllowListProvider cmdlet.
To configure an existing IP allowlist provider, use the following syntax:
Set-IPAllowListProvider <IPAllowListProviderIdentity> -Name "<Descriptive Name>" -LookupDomain <FQDN> [-Priority <Integer>] [-AnyMatch <$true | $false>] [-BitmaskMatch <IPAddress>] [-IPAddressesMatch <IPAddressStatusCode1,IPAddressStatusCode2...>]
For example, to add the IP address status code 127.0.0.1 to the list of existing status codes for the provider named Contoso IP allowlist Provider, run the following command:
Set-IPAllowListProvider "Contoso IP allowlist Provider" -IPAddressesMatch @{Add="127.0.0.1"}
For more information, see Set-IPAllowListProvider.
How do you know this worked?
To verify that you successfully configured an IP allowlist provider, run the following command. Be sure to replace <IPAllowListProviderIdentity> with the name of the IP allowlist provider.
Get-IPAllowListProvider <IPAllowListProviderIdentity> | Format-List
Use the Exchange Management Shell to test an IP allowlist provider
To test an IP allowlist provider, use the following syntax:
Test-IPAllowListProvider <IPAllowListProviderIdentity> -IPAddress <IPAddressToTest>
This example tests the provider named Contoso IP allowlist Provider by looking up the IP address 192.168.1.1.
Test-IPAllowListProvider "Contoso IP allowlist Provider" -IPAddress 192.168.1.1
For more information, see Test-IPAllowListProvider.
Use the Exchange Management Shell to remove an IP allowlist provider
To remove an IP allowlist provider, use the following syntax:
Remove-IPAllowListProvider <IPAllowListProviderIdentity>
This example removes the IP allowlist provider named Contoso IP allowlist Provider.
Remove-IPAllowListProvider "Contoso IP allowlist Provider"
For more information, see Remove-IPAllowListProvider.
How do you know this worked?
To verify that you successfully removed an IP allowlist provider, run the following command and verify that the IP allowlist provider you removed is gone.
Get-IPAllowListProvider