Testing edge blocking in Forefront Online Protection for Exchange using Powershell

Recently for a customer, as part of migrating from a competing solution to Forefront Online Protection for Exchange, we implemented Directory-Based Edge Blocking, the feature that synchronises the on-premises Exchange Server recipients with the FOPE service.

Due to the large number of recipients, I thought it would be worthwhile, in addition to other tests, to have a script that can verify that these addresses would in fact be accepted before changing Edge Blocking from Test Mode and/or changing the MX (Mail Exchanger) records over from the old service to FOPE.

On a manual basis you can test individual addresses by using telnet to connect to port 25 (SMTP) on the FOPE mail exchanger address and testing the recipient name.

Below you’ll see what happens if I input an address that doesn’t exist:

[Screenshot: telnet session to the FOPE mail exchanger, RCPT TO for a non-existent address is rejected]

And here’s the results from an address that does:

[Screenshot: telnet session to the FOPE mail exchanger, RCPT TO for an existing address is accepted]

To perform this across a few thousand recipients isn’t really practical, so I whipped up a quick PowerShell script that does this and records the results to a CSV file. It’s not perfect, but the process is as follows:

  • Export all recipients from Exchange to a file
  • Copy that file to a workstation that will connect to FOPE from a different IP address than the ones used to relay through FOPE – for example an ADSL line used for testing.
  • Run the script using the recipients file as input to the script, specifying the domain you wish to test.
  • Examine the results from the file to check for any that should be accepted, but aren’t.

First up, let’s look at how to export the recipients. What we want to do is get all Exchange recipients, and store the resulting PowerShell object as a file that can be re-used:

Get-Recipient -ResultSize Unlimited | Export-Clixml .\recipients.xml

Once that file’s copied to the workstation, run the script, specifying the file and the domain:

.\TestFOPEAddress.ps1 -RecipientFile .\recipients.xml -AcceptedDomainToTest domain.com

Once running, you’ll see the standard PowerShell progress bar reporting progress. Bear in mind, this is a simple little script, so this is kind of as advanced as it gets :)

[Screenshot: PowerShell progress bar while the script runs]

The resulting file is a CSV file named after the domain – e.g. domain.com.csv. Open this in Excel, and you’ll be able to see the addresses checked, the result and filter for any errors:

[Screenshot: the resulting domain.com.csv opened in Excel, showing the address, result and reply columns]
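The script itself is not reproduced on this page, so here is an added PowerShell example (my own, not the author's TestFOPEAddress.ps1) that implements the procedure described above: import the Export-Clixml recipient file, pick out every SMTP address (primary and secondary) in the domain under test, open an SMTP session to the mail exchanger, issue HELO, MAIL FROM and RCPT TO, classify the reply code and write one row per address to domain.csv. The -MxHost, -HeloName and -MailFrom parameters are assumptions, as the original only takes -RecipientFile and -AcceptedDomainToTest; the example also assumes the Clixml export preserves each recipient's EmailAddresses entries as "smtp:user@domain" strings, which is what Export-Clixml produces for Get-Recipient output.

```powershell
param(
    [Parameter(Mandatory = $true)] [string] $RecipientFile,        # output of Export-Clixml
    [Parameter(Mandatory = $true)] [string] $AcceptedDomainToTest, # e.g. domain.com
    [Parameter(Mandatory = $true)] [string] $MxHost,               # assumed: FOPE MX host name
    [int]    $Port     = 25,
    [string] $HeloName = 'test.example.invalid',                   # assumed: name sent in HELO
    [string] $MailFrom = 'postmaster@example.invalid'              # assumed: envelope sender
)

# Read a (possibly multi-line) SMTP reply; continuation lines have '-' after the 3-digit code
function Read-SmtpReply {
    param([System.IO.StreamReader] $Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ($lines -join ' ')
}

# Send one command line and return the server's reply
function Send-SmtpCommand {
    param([System.IO.StreamWriter] $Writer, [System.IO.StreamReader] $Reader, [string] $Command)
    $Writer.WriteLine($Command)
    $Writer.Flush()
    return Read-SmtpReply -Reader $Reader
}

# Collect every smtp: proxy address belonging to the domain under test
$recipients = Import-Clixml -Path $RecipientFile
$addresses = foreach ($r in $recipients) {
    foreach ($ea in $r.EmailAddresses) {
        if (([string]$ea) -match '^smtp:(.+)$' -and $Matches[1] -like "*@$AcceptedDomainToTest") {
            $Matches[1]
        }
    }
}
$addresses = @($addresses | Sort-Object -Unique)

$results = New-Object System.Collections.Generic.List[object]
$i = 0
foreach ($address in $addresses) {
    $i++
    Write-Progress -Activity "Testing recipients at $MxHost" -Status $address `
                   -PercentComplete (100 * $i / $addresses.Count)
    $reply  = ''
    $status = 'Error'
    $client = $null
    try {
        # One short session per address, mirroring the manual telnet test
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($MxHost, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 30000
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"

        [void](Read-SmtpReply -Reader $reader)                         # 220 banner
        [void](Send-SmtpCommand $writer $reader "HELO $HeloName")
        [void](Send-SmtpCommand $writer $reader "MAIL FROM:<$MailFrom>")
        $reply = Send-SmtpCommand $writer $reader "RCPT TO:<$address>"
        [void](Send-SmtpCommand $writer $reader 'QUIT')

        # 2xx: recipient known to Directory-Based Edge Blocking; 5xx: rejected; 4xx: try again later
        if     ($reply -match '^2\d\d') { $status = 'Accepted' }
        elseif ($reply -match '^5\d\d') { $status = 'Rejected' }
        else                            { $status = 'Deferred' }
    }
    catch {
        $reply = $_.Exception.Message   # connection or timeout problems are recorded, not fatal
    }
    finally {
        if ($client) { $client.Close() }
    }
    $results.Add([pscustomobject]@{ Address = $address; Result = $status; Reply = $reply })
}

# One CSV named after the domain, as in the original procedure
$results | Export-Csv -Path ".\$AcceptedDomainToTest.csv" -NoTypeInformation
```

Run it as `.\TestFOPEAddress.ps1 -RecipientFile .\recipients.xml -AcceptedDomainToTest domain.com -MxHost <your FOPE MX host>` from the test workstation; in Excel, filter the Result column for anything other than Accepted. A Rejected row for an address you expect to exist is the case worth chasing in the Directory Sync event logs, while Deferred or Error rows usually point at the test connection (timeouts, rate limiting) rather than at the recipient data.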

If you get any errors, first re-check the address manually, then double-check the event logs on your FOPE Directory Sync server: errors for users that weren’t uploaded will appear there, and you should see the users, including any secondary addresses, in the FOPE Administration Center. However, if you’ve got to this point, those areas should already have been checked and this is just a belt-and-braces attempt at making sure everything tested so far definitely works.

As usual, the script is available for download from here (Link non-functional for edit – check back later).