Solved

Ex13 - can't manually install Connection Filtering

Posted on 2014-09-29
14
266 Views
Last Modified: 2014-10-02
Migrated from Ex07 -> Ex13 about a year ago. I have been trying to firm up anti-spam features and wanted to go back to the block lists I had working previously.  I ran the script to install antispam, but saw that Connection Filtering is not there. I searched KBs and found this procedure to manually install the agent:

>>>Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

>>>Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"

(no errors)

>>>Restart-Service MSExchangeTransport

But still no joy here:

>>>Get-Transportagent

Identity                                           Enabled         Priority
--------                                           -------         --------
SMSMSERoutingAgent                                 True            1
SMSMSESMTPAgent                                    True            2
Transport Rule Agent                               True            3
Malware Agent                                      False           4
Text Messaging Routing Agent                       True            5
Text Messaging Delivery Agent                      True            6
Content Filter Agent                               True            7
Sender Id Agent                                    True            8
Sender Filter Agent                                True            9
Recipient Filter Agent                             True            10
Protocol Analysis Agent                            True            11

I have installed and enabled blocklists and still no apparent action in the logs.  I think the reason is the failure to have Connection Filtering active.

I was hoping one of you Exchange wizards (Simon ?) could help out.   Thank you.
0
Comment
Question by:dvanaken
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
  • 2
14 Comments
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
ID: 40349796
Connection Filter agent is only available on servers with the Edge role.
http://technet.microsoft.com/en-gb/library/jj218660(v=exchg.150).aspx

If you don't have the Edge role then you will need to use something else to do the filtering.
Vamsoft ORF is my usual tool of choice here.

Simon.
0
 

Author Comment

by:dvanaken
ID: 40349840
Simon. Thanks for your help. Pardon my ignorance on this but since I am running  on a single box does that mean no edge role exists?
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 250 total points
ID: 40349933
Correct. Edge is a separate role. It can not coexist on a multi-role server.
0
Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40349950
Edge is a separate server, and the role was only introduced recently.
It will require an additional Windows and Exchange licence, which means in most cases it is poor value for money.

Simon.
0
 

Author Comment

by:dvanaken
ID: 40350033
I will check out vamsoft - I used orf years ago on NT-based Exchange.  Many thanks!
0
 

Author Comment

by:dvanaken
ID: 40350035
Do I need to "uninstall" anything I did or can I just go safely forward with vamsoft?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40350067
Looks like despite running those command the Connection Filter didn't install anyway. So you should be good. Up to you whether you want to keep the other Anti-spam features enabled.
0
 

Author Comment

by:dvanaken
ID: 40350178
Whoops - it now looks like it's working!  I found a blog that swears it works and I followed those steps.

[PS] C:\Windows\system32>Get-TransportAgent -TransportService Frontend

Identity                                           Enabled         Priority
--------                                           -------         --------
Connection Filtering Agent                         True            1

Then I tried an actual test of spamhaus via email:

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so I use your envelope sender as the To: address.

I connected to 50.243.42.83 and here's the conversation I had:

220 mail.domain.com Microsoft ESMTP MAIL Service ready at Mon, 29 Sep 2014 11:05:25 -0400 helo sbl.crynwr.com
250 mail.domain.com Hello [192.203.178.107] mail from:<>
250 2.1.0 Sender OK
rcpt to:<me@domain.com>
550 5.7.1 Recipient not authorized, your IP has been found on a block list Terminating conversation


Seems to be working - agreed?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40350282
Seems that way. But possibly not a supported configuration by Microsoft.

Can you link the blog post. Would be curious to read it.
0
 

Author Comment

by:dvanaken
ID: 40350307
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40350667
Hmm. Interesting read. My only concern would be if Microsoft would support you in this configuration.
0
 

Author Comment

by:dvanaken
ID: 40350670
GG:  Thanks for your comments.  I guess worst case is I would have to uninstall the agent...  I'll leave it for now and check the results in a week.

Thanks again.
0
 

Author Closing Comment

by:dvanaken
ID: 40357107
Thank you both for your help.  As far as I can tell, this seems to be working despite MSFT architecture.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40358065
Awesome.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question