This article describes how to configure the Whitelist in Microsoft Exchange 2013 and 2016 on-premise using SMARTFENSE IPs. It covers the allowed IP list, the four transport rules that bypass Clutter, junk mail filtering, and ATP protection, and the complementary configuration to prevent link rewriting when ATP/Links is active.
If simulations arrive at your organization from IPs other than those of SMARTFENSE (because there is an intermediate antispam), configure the Whitelist by Header instead of by IP. See the article Microsoft - How to Implement Whitelist by Header in Microsoft Exchange 2013 and 2016.
SMARTFENSE IPs
IPs to allow:
160.153.250.248, 190.210.135.44, 50.6.200.66, 52.16.33.192
The four transport rules in this article use exactly the same condition on these IPs. To keep the source of truth updated, check Settings > Security > Whitelist in your SMARTFENSE instance.
Prerequisites
- Administrator access to your Exchange mail server portal.
- Permissions to edit the connection filter and create mail flow rules.
- Access to the management console (PowerShell) if you decide to configure the IP list via command line.
Summary of rules to create
| # | Rule Name | Header Set | Value |
|---|---|---|---|
| 1 | Bypass Clutter and junk mail filtering by IP address | X-MS-Exchange-Organization-BypassClutter | true |
| 2 | SMARTFENSE - Bypass junk mail filtering | X-Forefront-Antispam-Report | SFV:SKI; |
| 3 | Bypass ATP Links | X-MS-Exchange-Organization-SkipSafeLinksProcessing | 1 |
| 4 | Bypass ATP Attachments | X-MS-Exchange-Organization-SkipSafeAttachmentProcessing | 1 |
Both header names and their values are case-sensitive.
Configure the allowed IP list
You have two methods available to add SMARTFENSE IPs to the allowed IP list.
Option A — Command line (Exchange 2013)
Use the PowerShell cmdlet Add-IPAllowListEntry. See Microsoft’s official documentation: https://docs.microsoft.com/en-us/powershell/module/exchange/antispam-antimalware/Add-IPAllowListEntry.
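One way to script Option A, as an added example that is not part of the SMARTFENSE or Microsoft documentation: it validates each address strictly, skips addresses an existing entry already covers, and reads the list back. The addresses in `$SmartfenseIPs` are documentation-range placeholders and the comment text is an assumption; replace the addresses with the list from Settings > Security > Whitelist.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholder addresses (RFC 5737 documentation range): replace with the list
# shown under Settings > Security > Whitelist in your SMARTFENSE instance.
$SmartfenseIPs = @('192.0.2.10', '192.0.2.11', '192.0.2.12')

foreach ($ip in $SmartfenseIPs) {
    # Strict check: must parse as IPv4 and round-trip unchanged, which rejects
    # run-together or shortened values such as '192.0.2.1019' or '192.0.2'.
    $parsed = $null
    $valid = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -and
             $parsed.AddressFamily -eq 'InterNetwork' -and
             $parsed.ToString() -eq $ip
    if (-not $valid) {
        Write-Warning "Skipping '$ip': not a single IPv4 address"
        continue
    }

    # -IPAddress returns any existing entry (single address or range) covering this IP.
    if (Get-IPAllowListEntry -IPAddress $ip) {
        Write-Host "$ip is already covered by an allow list entry"
        continue
    }

    Add-IPAllowListEntry -IPAddress $ip -Comment 'SMARTFENSE simulation source' | Out-Null
    Write-Host "Added $ip"
}

# Read the list back so it can be compared with the SMARTFENSE instance.
Get-IPAllowListEntry | Format-Table Identity, IPRange, Comment -AutoSize
```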
Option B — Via portal
- Log in to your mail server administration portal.
- Go to Admin.
- Access the Exchange menu.
- Go to Connection Filter (inside Protection).
- Click the pencil icon to edit the default policy.
- Under Allowed IP Address, click + and add the three SMARTFENSE IPs, one by one.
- Click OK and then Save.
Access to create mail flow rules
- Go to Admin > Mail > Mail flow.
- Click (+) Create new rule.
- Click More options.
Important: if you do not see all configuration options, click the More options link inside the New rule screen. Without this option, you cannot apply several of the actions required by the following rules.
Repeat the process for each of the four rules listed below.
Rule 1 — Bypass Clutter and junk mail filtering
- Name it Bypass Clutter and junk mail filtering by IP address.
- Under Apply this rule if…, select The sender > has an IP address in one of these ranges or exactly matches.
- Add the three SMARTFENSE IPs.
- Under Do the following…, select Modify the message properties > Set a message header.
- Set the header `X-MS-Exchange-Organization-BypassClutter` with the value `true`.
- Add a second action: Set the spam confidence level (SCL) > Bypass spam filtering.
- Click Save.
Rule 2 — Bypass junk mail folder
- Name it SMARTFENSE - Bypass junk mail filtering.
- Use the same IP condition.
- In the action, set the header `X-Forefront-Antispam-Report` with the value `SFV:SKI;`.
- In the rule properties, assign the priority immediately after the previous rule.
- Click Save.
Rules to bypass Advanced Threat Protection
We recommend waiting at least two hours for the rules to propagate to all your users. Test effectiveness with a small group before launching mass campaigns.
Rule 3 — Bypass ATP Links
- Name it Bypass ATP Links.
- Use the same IP condition.
- Set the header `X-MS-Exchange-Organization-SkipSafeLinksProcessing` with the value `1`.
- Click Save.
Rule 4 — Bypass ATP Attachments
- Name it Bypass ATP Attachments.
- Use the same IP condition.
- Set the header `X-MS-Exchange-Organization-SkipSafeAttachmentProcessing` with the value `1`.
- Click Save.
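The four rules above can also be created and then audited from the Exchange Management Shell. The following is an added example, not SMARTFENSE's own script: rule names, headers and values are taken from this article, the addresses in `$SmartfenseIPs` are documentation-range placeholders, and the audit reports any rule whose header, value or sender ranges differ from what is expected.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholder addresses: replace with the list from Settings > Security > Whitelist.
$SmartfenseIPs = @('192.0.2.10', '192.0.2.11', '192.0.2.12')

# Rule name, header and value exactly as given in the summary table (case-sensitive).
$rules = @(
    @{ Name = 'Bypass Clutter and junk mail filtering by IP address'
       Header = 'X-MS-Exchange-Organization-BypassClutter'; Value = 'true'; BypassSpam = $true },
    @{ Name = 'SMARTFENSE - Bypass junk mail filtering'
       Header = 'X-Forefront-Antispam-Report'; Value = 'SFV:SKI;' },
    @{ Name = 'Bypass ATP Links'
       Header = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'; Value = '1' },
    @{ Name = 'Bypass ATP Attachments'
       Header = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'; Value = '1' }
)

# New rules are appended at the lowest priority, so creating them in this order
# places rule 2 immediately after rule 1.
foreach ($r in $rules) {
    if (Get-TransportRule -Identity $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        Name           = $r.Name
        SenderIpRanges = $SmartfenseIPs
        SetHeaderName  = $r.Header
        SetHeaderValue = $r.Value
    }
    if ($r.BypassSpam) { $params.SetSCL = -1 }   # -1 = Bypass spam filtering
    New-TransportRule @params | Out-Null
}

# Audit: each rule must be enabled, set the exact header/value, and match no
# sender range outside the SMARTFENSE list (a wider range widens the bypass).
$report = foreach ($r in $rules) {
    $rule   = Get-TransportRule -Identity $r.Name
    $ranges = @($rule.SenderIpRanges | ForEach-Object { "$_" -replace '/32$', '' })
    [pscustomobject]@{
        Rule        = $r.Name
        Priority    = $rule.Priority
        Enabled     = "$($rule.State)" -eq 'Enabled'
        HeaderOk    = "$($rule.SetHeaderName)" -ceq $r.Header -and "$($rule.SetHeaderValue)" -ceq $r.Value
        ExtraRanges = @($ranges | Where-Object { $SmartfenseIPs -notcontains $_ }) -join ', '
    }
}
$report | Format-Table -AutoSize
```

A rule that already exists under the same name is left unchanged by the creation loop, so a `HeaderOk` of False or a non-empty `ExtraRanges` points to a pre-existing rule that needs manual review.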
Bypass link rewriting when using ATP/Links
When ATP/Links is active, the service rewrites links in emails. To prevent this from happening with simulation domains, configure the following exception.
- Go to https://security.microsoft.com.
- Navigate to Threat Management > Policy > Safe Links.
- Edit the existing policy (for example, ATP Link Policy) by clicking Edit policy, or create a new one with Create.
- Click Settings.
- In the section Do not rewrite the following URLs, add the SMARTFENSE simulation domains in the format `*.domain.com/*`.
- Save the policy.
The simulation domains are kept updated in your SMARTFENSE instance, under Settings > Security > Whitelist. Always check that list at the time of configuring the exception to ensure you include the current domains.
💡 Best Practices
- Configure the allowed IP list first, and only then the transport rules.
- Make sure to click More options when creating each rule: without this step, several actions remain hidden and the rule is incomplete.
- Wait at least two hours after creating the four rules before testing simulations.
- Launch a test campaign with a small group that includes yourself as administrator.
- Keep the default values for the rest of the options in each rule, unless explicitly instructed otherwise.
- If your organization uses ATP/Links, do not omit the configuration in the Do not rewrite the following URLs section: without this exception, simulation links are rewritten and statistics become contaminated.