How to create a policy for a group of users in a stand-alone Forefront Online Protection for Exchange environment

Article ID: 2645012

Summary

This article describes how to create a policy for a group of users in a stand-alone Microsoft Forefront Online Protection for Exchange (FOPE) environment.

When you create a policy for a domain in FOPE, the policy applies to all the users in the domain. There is no option that is available in the FOPE Administration Center to apply a policy to specific users. However, in certain scenarios, you may want to create a policy that applies only to a group of users.

For example, your company has two departments, Sales and Purchase. Management wants all email messages that are sent by the Purchase department that contain the word "invoice" in the subject line to be encrypted. However, the Sales department also uses the word "invoice" in the subject line. Email messages that are sent by the Sales department that contain the word "invoice" in the subject line should not be encrypted.

This article discusses how to use virtual domains in FOPE to create a policy that applies only to specific users in the domain.

Important: This article applies only to customers who use FOPE in a stand-alone environment. This article does not apply to customers who use FOPE as part of Microsoft Office 365. Office 365 customers cannot create virtual domains.

More information

Important: After a domain is configured as a virtual domain, it cannot be reconfigured as a non-virtual domain.

Virtual domains

Virtual domains are used to apply specific settings to a subset of users in a domain. A virtual domain is formatted like a subdomain and can have its own filtering settings and configurations. The domain to which the virtual domain belongs is called its "parent domain." The virtual domain is not an actual DNS mail domain, and it is used for internal configuration purposes only. For example, for a parent domain that is called contoso.com, you can create a virtual domain that is called marketing.contoso.com.

You can create virtual domains in FOPE to provide different filtering settings for a particular group of users. Virtual domains enable you to apply different configuration settings to users who belong to the same domain. After you create a virtual domain, you can upload a subset of users who belong to the parent domain and then associate them to the virtual domain to customize service settings for that group of users. Users who are assigned to the virtual domain will use the domain settings that are set for the virtual domain.

The procedure has three steps: create a virtual domain, upload the required users to the virtual domain, and then apply the specific policy to the group of users.

Step 1: Create a virtual domain
  1. In the FOPE Administration Center, click the Administration tab, and then click the Domains tab.
  2. In the Domains list, click the name of the domain that you want to associate as the parent domain to the new virtual domain. You can search for a specific domain name by using the search box.
  3. In the Domain Settings pane, under the Virtual Domains section, click Add.
  4. Type the name for the virtual domain in the Virtual domain name text box.

    Note: The virtual domain must be formatted like a subdomain of the parent domain. To add a virtual domain, the parent domain must be validated and enabled. The User List settings on the parent domain must be set to Admin Center or SFTP, and Directory-Based Edge Blocking (DBEB) must be set to Reject or Passive mode.
  5. Because you are using the virtual domain for grouping, click to select the Deliver to original address in parent domain check box.
  6. Click Save.
Step 2: Create a list of users in a CSV file and upload the CSV file to the FOPE Administration Center
To associate user accounts with a virtual domain through the FOPE Administration Center, create a CSV file by using Microsoft Excel, and then upload the file to the FOPE Administration Center. The file should contain a list of user names and other information. Make sure that you specify the target virtual domain in the Choose the virtual domain as this is for user grouping drop-down list to associate the users with the virtual domain.

To create a list of users as a CSV file, follow these steps:
  1. Open Excel.
  2. Enter user information as separate values on the same line in the file, in the following order:
    1. Primary email address (this value is required).
    2. First name.
    3. Last name.
    4. Secondary email addresses.
    5. Instant message addresses. Separate the alias part of the IM address from the IM Provider name by using a forward slash (/). For example, "lukaa/msn" is an IM address. This applies to Exchange Hosted Archive (EHA).
    6. Alternative email addresses. Add the string "alt:" to the beginning of all alternative email addresses for the user. For example, "alt:davidp@fabrikam.com" is an alternative email address. This applies to Exchange Hosted Continuity.
    The following example shows a user file that has two users. The first user, Luka Abrus, has one secondary email address and one instant message address. The second user, David Pelton, has two alternative email addresses.

    Primary email address | First name | Last name | Secondary email address | Instant message address/Alternative email address
    luka@contoso.com | Luka | Abrus | lukaabrus@contoso.com | lukaa/msn
    david@contoso.com | David | Pelton | alt:davidp@fabrikam.com | alt:d.pelton@fabrikam.com
  3. Save the file in CSV format.

To import the CSV file to the FOPE Administration Center, follow these steps:

  1. In the FOPE Administration Center, click the Administration tab, and then click the User tab.
  2. In the Tasks pane, click Import Users From File.
  3. In the Send status notifications to the following e-mail box, type the email address to which you want upload status information sent.
  4. In the Specify the user list file box, locate and then select the CSV file that you created and saved.
  5. To add the users to a virtual domain, in the Choose the Virtual Domain if this is for user grouping list, click the domain.
  6. To disable all the user accounts that are not included in your user file after the user file is successfully uploaded, click to select the Disable all users not specified in the file check box.
  7. Click Save.
Step 3: Apply the policy
You have created a group of users and listed them in a specific domain (virtual domain). Because this is a separate domain, you can now create separate policy rules and apply the rules only to this virtual domain. Because the scope of these rules is limited only to this virtual domain, other users in the parent domain are not affected. External and internal users will continue to send email messages to the previous email addresses and will not be aware that these users have moved to a virtual domain.

Note: If a user who is associated with the virtual domain has multiple proxy addresses, only the proxy addresses that belong to the parent domain will have the virtual domain settings applied to them.
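
A pre-upload check for the user list file, as an added example that is not part of the original article or any Microsoft tool: it validates the field forms described in Step 2 and flags secondary addresses outside the parent domain, which the note above says will not receive the virtual domain settings. The function names, the constructed sample rows, typing the fields after the last name by their form, and treating a primary address outside the parent domain as an error are assumptions.

```python
import csv
import io

# Constructed sample: the article's two users plus two constructed problem rows.
SAMPLE = """\
luka@contoso.com,Luka,Abrus,lukaabrus@contoso.com,lukaa/msn
david@contoso.com,David,Pelton,alt:davidp@fabrikam.com,alt:d.pelton@fabrikam.com
,Sam,Nokey,sam@contoso.com
erin@contoso.com,Erin,Example,erin@fabrikam.com,erin/
"""

def classify(value):
    """Type an extra field by its form: alt: prefix, alias/provider, or email."""
    if value.lower().startswith("alt:"):
        return "alternative"
    if "/" in value:
        return "im"
    return "secondary"

def check_user_file(text, parent_domain):
    """Return (line_no, level, message) findings for a FOPE user list CSV."""
    findings = []
    suffix = "@" + parent_domain.lower()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if not fields or not fields[0]:
            findings.append((n, "error", "primary email address is required"))
            continue
        if not fields[0].lower().endswith(suffix):
            # Assumption: uploaded users must belong to the parent domain.
            findings.append((n, "error", "primary address not in parent domain"))
        for extra in filter(None, fields[3:]):
            kind = classify(extra)
            if kind == "im":
                alias, _, provider = extra.partition("/")
                if not alias or not provider:
                    findings.append((n, "error", f"IM address {extra!r} is not alias/provider"))
            elif kind == "secondary" and not extra.lower().endswith(suffix):
                # Article note: only proxy addresses in the parent domain
                # get the virtual domain settings.
                findings.append((n, "warn", f"{extra} is outside {parent_domain}; "
                                 "virtual domain policy will not apply to it"))
    return findings

if __name__ == "__main__":
    for finding in check_user_file(SAMPLE, "contoso.com"):
        print(*finding)
```

In the Sales and Purchase scenario, a warning here means mail sent from that address would not be covered by the encryption rule scoped to the virtual domain.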


References

For more information about virtual and parent domains in FOPE, visit the following Microsoft website:

http://technet.microsoft.com/en-us/library/ff715106.aspx

Properties

Article ID: 2645012 - Last Review: September 4, 2013 - Revision: 10.0
Applies to
  • Microsoft Forefront Online Protection for Exchange