Larry Brouwer

... just my personal technology sandbox

Connect

Configuring Mailprotector CloudFilter with Windows SBS2011 Exchange 2010 “SkipMXConfig”

By Leave a Comment

Over the past several months spam has been getting out of control, so I decided to try out Mailprotector (a cloud-based email filtration solution). The specific product that I’m evaluating is their CloudFilter Total Email Security product. Configuring it was relatively easy, I just followed the instructions listed here.

I did run into a couple bumps along the way that I wanted to share with you. My first hurdle was adding users to the domain. Mailprotector has the capability to do an LDAP sync with Active Directory. However, to do this requires knowing the exact connection strings. Mailprotector does have a tutorial on the subject found here. I followed the instructions, and made a few stabs at a correct connection string. However, after several failed attempts, I searched the web, and chatted with support. Support was friendly enough, however, they didn’t have much knowledge of the subject. So I continued to work this out on my own. Searching uncovered the LDAP dsquery command. I logged onto the SBS server, and opened an Administrative command prompt. At the prompt, I issued the following command:

dsquery user ou=MyBusiness,dc=trl,dc=local

At this point, I have a list of all the users defined in the Active Directory. The user that I’m mainly interested in is the Network Manager account:

“CN=Network Manager,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=trl,DC=local”

This is the User Distinguished Name that I need to use for authentication within Mailprotector. To test out the connection string, I opened a console window on my Mac and issued the following command:

ldapsearch –h my.ip.add.ress:389 –x –D “CN=Network Manager,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=trl,DC=local” –b “DC=trl,DC=local” –W

This yielded a list of users defined in Active Directory, which is just what I wanted to see.

With this in hand, I was able to set up the LDAP sync with Active Directory into my SBS2011 Exchange 2010 Server. One thing to keep in mind is to be sure to keep the “double quotes” around the Distinguished Name string. My first attempt didn’t have the double quotes, and it didn’t work. The second parameter needed is the search base. Here I just used the default format as shown in the tutorial:

DC=trl,DC=local

Here’s screen shot of my configurations:

image

After adding users to the domain, the next step is to configure the domain by changing MX records to point to Mailprotectors CloudFilter server. This usually has to be done with your domain registrar. In my case this is GoDaddy. Mailprotector has a tutorial on doing this here. The update process was supposed to be relatively easy. Just log into GoDaddy and delete the existing MX record, and add in the 4 new MX records that Mailprotector provided. In my case the 4 records are:

image

Here’s the configuration within GoDaddy:

image

Looks easy enough, right? Well this is where the second bump in the road occurred. Upon saving, the new MX records seemed to be there for a few minutes, and then would go away, and return back to the original MX record. After a few attempts with the same result, I decided to start searching for an answer. It wasn’t very long before I ran across this post which led me to this post. I vaguely remember when originally configuring SBS2011, something about having all the DNS records automatically configured by the server, and that GoDaddy was one of the domain registrars that it worked with.

In any case, the fix involves adding a new registry DWORD (32-bit) Value, “SkipMXConfig”, with a value of 1 located at: HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer\Networking\Services

image

Once I put this in place, I rebooted the server to make sure the new setting took effect. This solved the issue, and Mailprotector started filtering email.

Mailprotector also recommends locking down the network and configuring exchange to only accept email from the Mailprotector server. The instructions are found here. I am deferring this task for the moment and will update this post as I get time to do so.

… A couple days later. I’m still getting a ton of spam, so I’m now continuing on with configuring the Exchange server to only accept email from Mailprotector. The tutorial can be found here. The examples don’t show Exchange 2010, however, it’s pretty much the same as Exchange 2007. Here’s a screen shot of my configuration changes:

image

That’s pretty much it for the initial configuration! I will continue to update this post as I gain more knowledge and experience with Mailprotector’s CloudFilter product.