How to Add IP Addresses to the IP Allow List and IP Block List

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to use the Exchange Management Console or the Exchange Management Shell to add IP addresses to the IP Allow list and IP Block list for connection filtering in Microsoft Exchange Server 2007. The Connection Filter agent is an anti-spam agent that is enabled on computers that have the Edge Transport server role installed.

IP Block lists and IP Allow lists are administrator-defined lists that specify IP addresses and IP address ranges that are acted on by the Connection Filter agent. The Connection Filter agent disconnects the Simple Mail Transfer Protocol (SMTP) session after all MAIL FROM: headers in the message are processed if the following conditions are true:

  • The Edge Transport server is connected directly to the Internet.

  • An originating IP address matches an IP address or IP address range on the IP Block list.

When an originating IP address matches an IP address or IP address range on the IP Allow list, the Connection Filter agent sends the message to the destination without additional processing by other anti-spam agents.

You can also specify a day and time when the IP Block list entry that you create will expire. If you specify a time only, and not a date, the current day is assumed. When you enter a specific date, use the short date format that is defined in the Regional Options settings that are configured on the local computer. For example, if your computer is configured to use the short date format mm/dd/yyyy hh:mm:ss, to set the expiration time at 11:00 A.M. January 3, 2007, enter the following information, enclosed in double quotation marks: "1/3/2007 11:00".

Before You Begin

To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

Also, before you perform these procedures, confirm the following:

  • You have reviewed Anti-Spam and Antivirus Functionality to understand the general strategy for configuring all anti-spam agents so that they work together efficiently for your organization.

  • You have read Configuring Connection Filtering.

  • You have made sure that the IP Allow list that you want to add does not contain more than 1,000 entries. The IP Allow list cannot contain more than 1,000 entries because of a limitation in byte size that applies to this field. If more than 1,000 entries are required, use IP address ranges instead.

Procedure

The steps in this section refer specifically to adding IP addresses to the IP Block list. However, the same concepts apply to adding IP addresses to the IP Allow list, so you can also apply these steps to the IP Allow list.

Note

In Exchange 2007 Service Pack 1 (SP1), you manage the IP Allow list and IP Block list on the Anti-Spam tab of the Hub Transport node under Server Configuration in the Exchange Management Console. You manage other anti-spam agent functionality, such as enabling and disabling the IP Allow lists and IP Block lists, and IP Allow List providers and IP Block List providers on the Anti-Spam tab of the Hub Transport node under Organization Configuration in the Exchange Management Console.

To use the Exchange Management Console to add IP addresses to the IP Block list

  1. In the Exchange Management Console, click Edge Transport.

  2. In the work pane, click the Anti-Spam tab, and then select IP Block List.

  3. In the action pane, click Properties, and then click the Blocked Addresses tab.

  4. Click the drop-down arrow on the Add button, and select one of the following options:

    • IP Address   To add an IP address and subnet mask by using classless interdomain routing (CIDR), use the following format: 192.168.0.1/24.

    • IP and Mask   To add an IP address and subnet mask, use the following format: IP Address: 192.168.0.1; and IP Mask: 255.255.255.0.

    • IP Range   To add an IP range, use the following format: Start Address: 192.168.0.1; End Address: 192.168.0.254.

      Note

      If Exchange 2007 Service Pack 1 (SP1) is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6. For more information about Exchange 2007 SP1 support for IPv6 addresses, see IPv6 Support in Exchange 2007 SP1 and SP2.

  5. To configure an expiration date and time for the IP Block List entry, select the Block until date and time option, and then set the date and time.

  6. To configure the IP address to never expire, select the Never expire this address option.

    Note

    You can't configure an expiration date and time for the IP Allow list in the Exchange Management Console. Use the Exchange Management Shell to configure the expiration date and time for the IP Allow list.

  7. Click OK to close the dialog box.

To add IP addresses to the IP Allow list and IP Block list by using the Exchange Management Shell, see Add-IPAllowListEntry and Add-IPBlockListEntry.

To use the Exchange Management Shell to add IP addresses to the IP Block list

  • To add an IP address to the IP Block list and include an expiration date and time, run the following command:

    Add-IPBlockListEntry -IPAddress <IPAddress> [-ExpirationTime <DateTime>]
    

    For example, to add the IP address 192.168.0.1 and include an expiration date and time, run the following command:

    Add-IPBlockListEntry -IPAddress 192.168.0.1 -ExpirationTime "1/3/2007 23:59"
    
  • To add an IP address range and include an expiration date and time, run the following command:

    Add-IPBlockListEntry -IPRange <IPRange> [-ExpirationTime <DateTime>]
    

    For example, to add the IP address range 192.168.0.1-192.168.0.254 by using a specific expiration date and time, run the following command:

    Add-IPBlockListEntry -IPRange 192.168.0.1-192.168.0.254 -ExpirationTime "1/3/2007 23:59"
    
  • To add an IP address and subnet mask by using CIDR, run the following command:

    Add-IPBlockListEntry -IPRange <IPRange>
    

    For example, to add the IP address 192.168.0.1 with the subnet mask 255.255.255.0 by using CIDR, run the following command:

    Add-IPBlockListEntry -IPRange 192.168.0.1/24
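
The entry forms above map onto two parameters: a single address goes to -IPAddress, while CIDR and start-end ranges go to -IPRange. The following added example (not part of the original topic) validates a mixed list, picks the matching parameter, and passes the expiration as a DateTime object so that the regional short date format does not matter; the function names and the sample entries are constructed for illustration.

```powershell
# Added example; function names and sample entries are constructed for illustration.
function Test-IPLiteral([string]$Text) {
    # TryParse alone accepts short forms such as "10.1", so also require
    # a full dotted quad (IPv4) or a colon (IPv6).
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $false }
    return ($Text -match '^\d{1,3}(\.\d{1,3}){3}$') -or $Text.Contains(':')
}

function Get-BlockListParameter([string]$Entry) {
    # Returns 'IPAddress' or 'IPRange' for a valid entry, $null otherwise.
    $e = $Entry.Trim()
    if (Test-IPLiteral $e) { return 'IPAddress' }
    if ($e -match '^([^/]+)/(\d{1,3})$') {              # CIDR, e.g. 192.168.0.1/24
        $addr = $matches[1]; $prefix = [int]$matches[2]
        $max = 32
        if ($addr.Contains(':')) { $max = 128 }
        if ((Test-IPLiteral $addr) -and ($prefix -le $max)) { return 'IPRange' }
        return $null
    }
    if ($e -match '^([^-]+)-([^-]+)$') {                # start-end range
        $first = $matches[1]; $last = $matches[2]
        $sameFamily = ($first.Contains(':') -eq $last.Contains(':'))
        if ((Test-IPLiteral $first) -and (Test-IPLiteral $last) -and $sameFamily) { return 'IPRange' }
    }
    return $null
}

function Add-BlockListEntries([string[]]$Entries, [DateTime]$Expires, [switch]$DryRun) {
    foreach ($entry in $Entries) {
        $param = Get-BlockListParameter $entry
        if ($param -eq $null) { Write-Warning "Skipped invalid entry: $entry"; continue }
        $value = $entry.Trim()
        if ($DryRun) {
            "Add-IPBlockListEntry -$param $value -ExpirationTime $($Expires.ToString('s'))"
        } elseif ($param -eq 'IPAddress') {
            Add-IPBlockListEntry -IPAddress $value -ExpirationTime $Expires
        } else {
            Add-IPBlockListEntry -IPRange $value -ExpirationTime $Expires
        }
    }
}

# Constructed sample: the three forms from this topic plus two invalid entries.
$sample = '192.168.0.1', '192.168.0.1/24', '192.168.0.1-192.168.0.254', '192.168.0.1/33', '10.1'
Add-BlockListEntries -Entries $sample -Expires (Get-Date).AddDays(30) -DryRun
```

With -DryRun the function only prints the commands it would run; remove the switch in the Exchange Management Shell on the Edge Transport server to apply them.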
    

For More Information

For more information about how to configure connection filtering, see the following tasks: