Ex13 - can't manually install Connection Filtering

Migrated from Ex07 -> Ex13 about a year ago. I have been trying to firm up anti-spam features and wanted to go back to the block lists I had working previously.  I ran the script to install antispam, but saw that Connection Filtering is not there. I searched KBs and found this procedure to manually install the agent:

>>>Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

>>>Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"

(no errors)

>>>Restart-Service MSExchangeTransport

But still no joy here:


Identity                                           Enabled         Priority
--------                                           -------         --------
SMSMSERoutingAgent                                 True            1
SMSMSESMTPAgent                                    True            2
Transport Rule Agent                               True            3
Malware Agent                                      False           4
Text Messaging Routing Agent                       True            5
Text Messaging Delivery Agent                      True            6
Content Filter Agent                               True            7
Sender Id Agent                                    True            8
Sender Filter Agent                                True            9
Recipient Filter Agent                             True            10
Protocol Analysis Agent                            True            11

I have installed and enabled blocklists and still no apparent action in the logs.  I think the reason is the failure to have Connection Filtering active.

I was hoping one of you Exchange wizards (Simon ?) could help out.   Thank you.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
Connection Filter agent is only available on servers with the Edge role.

If you don't have the Edge role then you will need to use something else to do the filtering.
Vamsoft ORF is my usual tool of choice here.

dvanakenAuthor Commented:
Simon. Thanks for your help. Pardon my ignorance on this but since I am running  on a single box does that mean no edge role exists?
Gareth GudgerSolution ArchitectCommented:
Correct. Edge is a separate role. It can not coexist on a multi-role server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Simon Butler (Sembee)ConsultantCommented:
Edge is a separate server, and the role was only introduced recently.
It will require an additional Windows and Exchange licence, which means in most cases it is poor value for money.

dvanakenAuthor Commented:
I will check out vamsoft - I used orf years ago on NT-based Exchange.  Many thanks!
dvanakenAuthor Commented:
Do I need to "uninstall" anything I did or can I just go safely forward with vamsoft?
Gareth GudgerSolution ArchitectCommented:
Looks like despite running those command the Connection Filter didn't install anyway. So you should be good. Up to you whether you want to keep the other Anti-spam features enabled.
dvanakenAuthor Commented:
Whoops - it now looks like it's working!  I found a blog that swears it works and I followed those steps.

[PS] C:\Windows\system32>Get-TransportAgent -TransportService Frontend

Identity                                           Enabled         Priority
--------                                           -------         --------
Connection Filtering Agent                         True            1

Then I tried an actual test of spamhaus via email:

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so I use your envelope sender as the To: address.

I connected to and here's the conversation I had:

220 mail.domain.com Microsoft ESMTP MAIL Service ready at Mon, 29 Sep 2014 11:05:25 -0400 helo sbl.crynwr.com
250 mail.domain.com Hello [] mail from:<>
250 2.1.0 Sender OK
rcpt to:<me@domain.com>
550 5.7.1 Recipient not authorized, your IP has been found on a block list Terminating conversation

Seems to be working - agreed?
Gareth GudgerSolution ArchitectCommented:
Seems that way. But possibly not a supported configuration by Microsoft.

Can you link the blog post. Would be curious to read it.
dvanakenAuthor Commented:
Gareth GudgerSolution ArchitectCommented:
Hmm. Interesting read. My only concern would be if Microsoft would support you in this configuration.
dvanakenAuthor Commented:
GG:  Thanks for your comments.  I guess worst case is I would have to uninstall the agent...  I'll leave it for now and check the results in a week.

Thanks again.
dvanakenAuthor Commented:
Thank you both for your help.  As far as I can tell, this seems to be working despite MSFT architecture.
Gareth GudgerSolution ArchitectCommented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.