Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

When the IP Allow List feature is enabled on a computer, the Connection Filter agent analyzes all messages that come through all Receive connectors on that computer. Messages from addresses in the IP Allow list are routed without additional processing by other anti-spam agents.

This topic explains how to use the EMC or the Shell to manage the IP Allow List.

Note:
Connection filtering is part of the suite of anti-spam features in Exchange. The anti-spam features are only available on Edge Transport servers by default. You can enable anti-spam features on a Hub Transport server even though it isn't recommended. To learn more about enabling anti-spam features on a Hub Transport server, see Enable Anti-Spam Functionality on a Hub Transport Server. The procedures listed in this topic are for configuring anti-spam functionality on an Edge Transport server, but the process is identical on Hub Transport servers.

What Do You Want to Do?

Use the EMC to manage the IP Allow list

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

  1. In the console tree, click Edge Transport.

  2. In the result pane, click the Edge server you want to configure and then select the Anti-spam tab in the work pane.

  3. Right-click IP Allow List and then select Properties.

  4. The General tab displays the following information about the IP Allow List feature.

    • Status   Shows whether the IP Allow List feature is enabled or disabled.

    • Modified    Shows the date and time when IP Allow list properties were last modified.

    • Description    Provides a brief description of the IP Allow List feature.

  5. Use the Allowed Addresses tab to create and manage a list of IP addresses that are explicitly allowed. The Connection Filter agent will route all inbound messages from these IP addresses without additional processing by other anti-spam agents.

    • Add - IP Address   To enter an IP address without a subnet mask, or to specify the subnet mask by using Classless Interdomain Routing (CIDR) notation, click Add or the drop-down arrow located next to Add and select IP Address. In the Add Allowed IP Address - CIDR dialog, enter the IP address directly or specify a subnet using the CIDR notation. For example, if you enter 192.168.1.1, only that host will be added to the IP Allow list, but if you specify 192.168.1.0/24, the entire class C subnet of 192.168.1.0 will be added to the IP Allow list.

    • Add - IP and Mask   To enter an IP address or subnet together with a subnet mask in dotted decimal notation, click the drop-down arrow located next to Add and select IP and Mask. In the Add Allowed IP Address - IP and Mask dialog, specify the IP address and the subnet mask.

    • Add - IP Range   To specify an IP address range by using the first IP address and the last IP address in the range, click the drop-down arrow located next to Add and select IP Range. In the Add Allowed IP Address - IP Range dialog, specify the start and end addresses of the IP range.

    • Remove   To remove an existing entry from the IP Allow list, select the entry, and then click the Remove icon.

Use the Shell to manage the IP Allow list

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

You use the Add-IPAllowListEntry and Remove-IPAllowListEntry cmdlets to manage the addresses in the IP Allow list. You can specify individual IP addresses, IP subnets using the CIDR notation, or IP ranges.

The following example adds the IP address 192.168.0.100 to the IP Allow list.

Add-IPAllowListEntry -IPAddress 192.168.0.100

The following example adds the IP subnet 192.168.1.1/24 to the IP Allow list.

Add-IPAllowListEntry -IPRange 192.168.1.1/24

The following example adds the IP range 10.0.0.100-10.0.0.255 to the IP Allow list.

Add-IPAllowListEntry -IPRange 10.0.0.100-10.0.0.255
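
Because every address on the IP Allow list skips the other anti-spam agents, it helps to see exactly how many addresses an entry covers before adding it. The following is an added example, not part of the original topic or of Exchange: the function names and the 256-address threshold are assumptions, it handles IPv4 only, and the 10.0.0.0/8 input is a constructed sample.

```powershell
# Added example (not Microsoft's code). IPv4 only; function names are hypothetical.
function ConvertTo-IPv4Number([string]$Ip) {
    # Strict dotted-quad check: IPAddress.Parse alone also accepts forms like "1".
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not a dotted IPv4 address: $Ip" }
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IPv4Number([long]$N) {
    $octets = 24, 16, 8, 0 | ForEach-Object { [math]::Floor($N / [math]::Pow(2, $_)) % 256 }
    $octets -join '.'
}

# Expands a single IP, a CIDR subnet, or a start-end range (the three forms
# used in this topic) and flags entries wider than $MaxAddresses (assumed limit).
function Get-AllowListScope([string]$Entry, [long]$MaxAddresses = 256) {
    if ($Entry -match '^([\d.]+)/(\d{1,2})$') {
        $ip = $Matches[1]; $prefix = [int]$Matches[2]
        if ($prefix -gt 32) { throw "Bad prefix length: $Entry" }
        $size  = [long][math]::Pow(2, 32 - $prefix)
        $n     = ConvertTo-IPv4Number $ip
        $first = $n - ($n % $size)      # standard CIDR math: clear the host bits
        $last  = $first + $size - 1
    } elseif ($Entry -match '^([\d.]+)-([\d.]+)$') {
        $lo = $Matches[1]; $hi = $Matches[2]
        $first = ConvertTo-IPv4Number $lo
        $last  = ConvertTo-IPv4Number $hi
        if ($last -lt $first) { throw "Range end precedes start: $Entry" }
    } else {
        $first = ConvertTo-IPv4Number $Entry
        $last  = $first
    }
    $count = $last - $first + 1
    New-Object PSObject -Property @{
        Entry    = $Entry
        First    = (ConvertFrom-IPv4Number $first)
        Last     = (ConvertFrom-IPv4Number $last)
        Count    = $count
        TooBroad = ($count -gt $MaxAddresses)
    }
}

# Constructed sample input: the three entries from this topic plus one oversized subnet.
'192.168.0.100', '192.168.1.1/24', '10.0.0.100-10.0.0.255', '10.0.0.0/8' |
    ForEach-Object { Get-AllowListScope $_ } |
    Format-Table Entry, First, Last, Count, TooBroad -AutoSize
```

Run the check before Add-IPAllowListEntry; for an entry flagged TooBroad, narrow the range or add it with the ExpirationTime parameter so the exemption does not persist indefinitely.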

As you add entries to the IP Allow list, Exchange automatically assigns IDs to the entries. To remove an address from the IP Allow list using the Shell, you must specify this ID. However, an easier way to remove an address is to pipeline the output of the Get-IPAllowListEntry cmdlet to the Remove-IPAllowListEntry cmdlet. For example, if you want to remove the IP address 192.168.0.100 from your IP Allow list, run the following command:

Get-IPAllowListEntry -IPAddress 192.168.0.100 | Remove-IPAllowListEntry

If you want to remove a range, specify an IP address that is within that range for the IPAddress parameter of the Get-IPAllowListEntry cmdlet. The following example shows how you can remove the subnet 192.168.1.1/24:

Get-IPAllowListEntry -IPAddress 192.168.1.1 | Remove-IPAllowListEntry

When using the Shell to add an address to the IP Allow list, you can also specify an expiration date and time. After the specified date and time, messages received from the specified address receive no preferential treatment. The following example adds the IP address 10.0.10.25 to the IP Allow list and configures it to expire on January 1, 2010 at 10:00 AM.

Add-IPAllowListEntry -IPAddress 10.0.10.25 -ExpirationTime "1/1/2010 10:00"

For detailed syntax and configuration information, see the following topics: