Spotlight on Exchange 2010: Receiving faxes using Exchange 2010 Unified Messaging
Published Aug 19 2009 03:29 AM 21.7K Views

If you are using Exchange 2007 UM to receive faxes, you should know about the changes we have made to the inbound faxing capabilities in Exchange 2010 UM. After working with our customers and partners, we determined that it was best for specialized partners with deep fax expertise to provide the comprehensive fax capability for Exchange Server 2010. We have therefore established partnerships with several fax vendors to ensure a seamless fax experience for customers who are new to Unified Messaging as well as those upgrading from Exchange Server 2007.

Exchange 2010 no longer creates fax messages itself but instead forwards the inbound fax calls to a dedicated partner fax solution. The partner fax solution establishes the fax call with the remote endpoint and receives the fax media on behalf of the UM-enabled user. It then sends an SMTP message, which contains the fax as a TIFF attachment, to the recipient's mailbox. The Exchange 2010 UM server ensures that the fax message is formatted just like the fax messages coming from Exchange 2007 UM server (Figure 1). 

Figure 1: Example of Exchange 2010 UM fax message.

To allow users to receive faxes via Exchange 2010 UM, customers must install and configure or sign up for service with one of the UM-certified partner fax solutions. At the time of writing, fax partner testing and certification is in progress. The list of compatible, UM-certified fax partners will be made available on our website when Exchange 2010 is launched.

The new fax capabilities in Exchange 2010 RTM are controlled by the following attributes:

    • FaxEnabled on UMDialPlan objects
    • AllowFax and FaxServerURI on UMMailboxPolicy objects
    • FaxEnabled on UMMailbox objects

By default, when the user is first UM-enabled, the UMDialPlan.FaxEnabled and UMMailbox.FaxEnabled are set to true, whereas UMMailboxPolicy.AllowFax is set to false. In order to enable a UM user for fax, all three of these attributes must be set to true and UMMailboxPolicy.FaxServerURI must point to a valid partner fax solution endpoint. Whenever UMMailboxPolicy.AllowFax is set to true, FaxServerURI must be provided to indicate to the UM server where to redirect the fax calls. FaxServerURI must have the following form: sip::;, where "fax server URI" is either an FQDN or an IP address of the partner fax solution; "port" is the port on which the fax server listens for incoming fax calls and "transport" is the transport protocol over which the fax calls are made (udp, tcp or tls). For example, you might configure fax as follows:

[PS] D:\>Set-UMMailboxPolicy MyPolicy -AllowFax $true -FaxServerURI ";transport=tcp"

You may be wondering how to secure communication with the partner fax solution. Partner fax messages must be authenticated; any unauthenticated message claiming to have come from a fax partner will not be processed by the UM server but instead will be delivered as a regular email. For authenticating the connection from the partner you can use mutual TLS, sender ID validation [1, 2], or establish trust via a dedicated receive connector. A receive connector should be sufficient for authenticating the partner fax solutions deployed in the enterprise together with the UM server. The receive connector will ensure that the Exchange server treats all traffic coming from the partner fax solution as authenticated. The connector should be deployed on the Hub Transport server used by the partner fax solution to submit SMTP fax messages and should have the following property values:

AuthMechanism                           : ExternalAuthoritative

PermissionGroups                        : ExchangeServers, Partners

RemoteIPRanges                          : {faxserverIP}

RequireTLS                              : False

EnableAuthGSSAPI                        : False

LiveCredentialEnabled                   : False

If the partner fax solution that you are using sends traffic to the UM server over a public network (e.g., a service-based partner fax solution hosted in the cloud), it is recommended to authenticate the sender using a sender ID check. This validation ensures that the IP, from which the message originated, is in fact authorized to send emails on behalf of the partner domain that the message claims to have come from. DNS acts as an intermediary by storing the sender ID records (or SPF records); fax partners must publish their SPF records in the DNS and Exchange 2010 will validate these by querying DNS. The sender ID agent must be running on Exchange Edge servers in order to perform the query. Alternatively, TLS can be used for traffic encryption or mutual TLS for encryption and authentication between the partner fax solution and Exchange.

The fax functionality of Exchange 2010 discussed here is not included with the beta version of Exchange 2010 but will be available with the RTM version. In the beta build of Exchange 2010, UM fax capabilities are completely disabled.

To summarize, the fax messages destined for UM-enabled users of Exchange 2010 UM RTM will look exactly the same as the ones in Exchange 2007. However, to enable this behavior, a certified partner fax solution must be deployed together with the UM server. The UMMailboxPolicy objects must be configured to point to the fax solution and the SMTP exchange between the partner fax solution and the UM server must be authenticated.

- Katarzyna Puchala


[1] Fighting SPAM and Phishing with Sender ID. Internet Resource. Last Accessed 7/21/09.

[2] Sender ID. Internet Resource. Last Accessed 7/21/09.

John Robinson

Version history
Last update:
‎Jul 01 2019 03:45 PM
Updated by: