Connection Filtering In Exchange 2013
The change in Exchange 2013 architecture with just two roles has had an effect on the connection filtering anti-spam agent.
John asked via email – “How can I implement connection filtering in Exchange 2013 now that FPE 2010 is discontinued? I was able to install the anti-spam agents on a 2010 hub server & the connection filtering was taken care of”.
In Exchange 2013, the anti-spam agents can only be installed on the Mailbox role. However, connection filtering, which is very useful in fighting spam, is not available in 2013, and neither is the attachment filter. Even though CAS proxies email back and forth (if set up correctly), it is a stateless proxy and can’t host any anti-spam agents.
As there is no Edge role in 2013 yet, the workaround is to use a 2007 or 2010 Edge role with the Exchange 2013 infrastructure. Both versions of the Edge server can perform connection filtering. Note that the Edge subscription is set up from the Mailbox role in 2013, compared to the Hub role in 2010.
Another option for connection filtering is a cloud-based anti-spam offering such as FOPE, or Exchange Online Protection (EOP) as it is called these days.
Any other options?
Had been pulling my hair out on this at losing connection filtering, even though Microsoft now say it’s ok to run CAS and mailbox role together. Was about to give up and install an edge server when I came across this blog. It works like a dream – logs prove emails are being blocked by spamhaus lookup and users very happy at diminished spam once again in their inbox! Result!
Glad it helped you Dave.
When you say ‘the edge role is available with 2013 SP1’, should it be installed on the CAS or MBX server?
Edge on 2013 goes on its own, on a server in the DMZ – just like 2010.
You can’t install Edge along with other roles.
Can this be installed on the CAS server, or does it get installed on the Mailbox/CAS server?
No John. Now that the edge role is available with 2013 SP1, you need to use that.
Be sure to set your pathing properly in the above script. And, after installation, pop a reboot. When the connection filter catches an email, it will create its log directory. This can be found in the (default) directory x:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog
It works just fine on Exchange 2013. We have it running in 8 sites at this point with 0 issues. Hit PowerShell (run as admin):
Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "D:\Program Files\Microsoft\Exchange Server
Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name bl.spamcop.net -LookupDomain bl.spamcop.net -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name b.barracudacentral.org -LookupDomain b.barracudacentral.org -AnyMatch $true -Enabled $true
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
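The providers above are DNS block lists: the sending IP's octets are reversed, the LookupDomain is appended, and with -AnyMatch $true any answer counts as a listing, so a mistyped or parked lookup domain can reject all mail or none. As an added example (not part of the original comment or of Exchange), this PowerShell check uses the RFC 5782 test entries, where 127.0.0.2 must be listed and 127.0.0.1 must not, to confirm a lookup domain behaves like a block list before it is enabled. Test-DnsblZone, its parameters and the example.test names are hypothetical.

```powershell
# Added example. Test-DnsblZone and its parameters are made-up names, not Exchange cmdlets.
function Test-DnsblZone {
    param(
        [Parameter(Mandatory)][string]$LookupDomain,
        # Default resolver uses the server's configured DNS; it throws on NXDOMAIN.
        [scriptblock]$Resolver = {
            param($name)
            [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        }
    )
    $answers = @{}
    foreach ($ip in '127.0.0.2', '127.0.0.1') {
        # DNSBL query name: IPv4 octets reversed, then the lookup domain.
        $octets = $ip.Split('.')
        [array]::Reverse($octets)
        $query = ($octets -join '.') + ".$LookupDomain"
        try   { $answers[$ip] = @(& $Resolver $query) }
        catch { $answers[$ip] = @() }   # NXDOMAIN or lookup failure = not listed
    }
    # A working list answers 127.0.0.2 with a 127.x code and gives no answer for 127.0.0.1.
    $listsTest  = @($answers['127.0.0.2'] | Where-Object { $_ -like '127.*' }).Count -gt 0
    $listsLocal = $answers['127.0.0.1'].Count -gt 0
    $verdict = if ($listsLocal) { 'AnswersEverything' } elseif ($listsTest) { 'OK' } else { 'NotADnsbl' }
    [pscustomobject]@{
        LookupDomain = $LookupDomain
        TestEntry    = $answers['127.0.0.2'] -join ','
        Verdict      = $verdict
    }
}

# Constructed stub answers so the example runs without DNS; the zones are made up.
$stub = {
    param($name)
    switch -Wildcard ($name) {
        '2.0.0.127.good.example.test' { '127.0.0.2' }    # healthy block list
        '*.wild.example.test'         { '192.0.2.10' }   # wildcarded or parked domain
        default                       { throw 'NXDOMAIN' }
    }
}
'good.example.test', 'wild.example.test', 'dead.example.test' |
    ForEach-Object { Test-DnsblZone -LookupDomain $_ -Resolver $stub }

# Live check of the providers configured on the server (run in the Exchange Management Shell):
# Get-IPBlockListProvider | ForEach-Object { Test-DnsblZone -LookupDomain $_.LookupDomain }
```

With the stub, the three zones report OK, AnswersEverything and NotADnsbl in that order; either of the last two verdicts on a live provider means it should be fixed or disabled before relying on it.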
Use a MailMarshal server at the edge?
Thanks Rob. I take it MailMarshal does connection filtering.