Connection Filtering and RBLs in Exchange 2013

by Bharat Suneja on April 17, 2013

Exchange 2003 and later have included Connection Filtering in their repertoire of built-in antispam tools. In Exchange 2007 and Exchange 2010, this is implemented using the Connection Filtering agent, a transport agent. The Connection Filtering agent offers the following functionality:

  • IP Allow List and IP Block List: Static lists of IP addresses you can populate to accept or block messages from a particular host (or specifically, a particular IP address).
  • IP Allow List Provider and IP Block List Provider: The DNS-based variants of allow and block lists; the latter allows you to use RBLs/DNSBLs.

For more details, see Understanding Connection Filtering.
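
What a DNS-based block list lookup involves, following the DNSBL convention documented in RFC 5782, as an added Python example (not from the original post and not Exchange's own code). The zone dnsbl.example.test, the sample answers and all function names are assumptions made for the illustration.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL lookup resolves: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name; an empty list means the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and server failures are not a verdict


def check_dnsbl(ip, zone, resolver=system_resolver):
    """Classify a sender IP as 'listed', 'not listed' or 'error'."""
    answers = resolver(dnsbl_query_name(ip, zone))
    if not answers:
        return "not listed", []
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
    if len(codes) != len(answers):
        # Answer outside 127/8: wildcard DNS or a rewritten NXDOMAIN, not a listing.
        return "error", answers
    return "listed", codes


# Constructed sample data: a fake zone standing in for a real provider.
FAKE_ZONE = {"2.0.0.127.dnsbl.example.test": ["127.0.0.2"],
             "9.2.0.192.dnsbl.example.test": ["203.0.113.80"]}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.9", "198.51.100.7"):
        print(ip, check_dnsbl(ip, "dnsbl.example.test", fake_resolver))
```

Treating an answer outside 127.0.0.0/8 as an error rather than a listing keeps a misbehaving resolver from causing every sender to be rejected.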

In Exchange 2010 and Exchange 2007, if you don’t have an Edge Transport server (the server role designed to be a mail host in perimeter networks or DMZs), you can install antispam agents on your Hub Transport servers.

Exchange 2013 did not include an Edge Transport server role at RTM and does not have the Hub Transport server role. Exchange 2013 does include antispam agents, and you can install them on Exchange 2013 Mailbox servers using the Install-AntiSpamAgents.ps1 script in the default \Scripts directory, but the script doesn’t install the Connection Filtering agent.

What happened to the Connection Filtering agent? The What’s Discontinued in Exchange 2013 article in the Exchange 2013 documentation says:

Anti-spam and anti-malware

Feature: Anti-spam agent management in the EMC
Comments and mitigation: In Exchange 2010, when you enabled the anti-spam agents on the Hub Transport server, you could manage the anti-spam agents in the Exchange Management Console (EMC). In Exchange 2013, when you enable the anti-spam agents in the Transport service on a Mailbox server, you can’t manage the agents in the Exchange admin center (EAC). You can only use the Exchange Management Shell. For information about how to enable the anti-spam agents on a Mailbox server, see Enable Anti-Spam Functionality on a Mailbox Server.

Feature: Connection Filtering agent on Hub Transport servers
Comments and mitigation: In Exchange 2010, when you enabled the anti-spam agents on a Hub Transport server, the Attachment Filter agent was the only anti-spam agent that wasn’t available. In Exchange 2013, when you enable the anti-spam agents in the Transport service on a Mailbox server, the Attachment Filter agent and the Connection Filtering agent aren’t available. The Connection Filtering agent provides IP Allow List and IP Block List capabilities. For information about how to enable the anti-spam agents on a Mailbox server, see Enable Anti-Spam Functionality on a Mailbox Server.

In other words, the Connection Filtering agent is only available on the Edge Transport server role. Exchange 2013 does not have an Edge Transport server role yet.

If you want to implement Connection Filtering functionality, including RBL/DNSBL support that many organizations find invaluable, here are the options:

  1. Use a down-level (Exchange 2010/2007) Edge Transport server, which includes the Connection Filtering agent.
  2. Use Microsoft Exchange Online Protection (EOP), an Exchange Online antispam/antimalware service.

    You can use the Exchange Online Protection (EOP) service with your on-premises Exchange servers. If you have Exchange 2013 Enterprise CAL with Services, it includes the EOP service. More info in Exchange Enterprise CAL with Services features in Exchange Online Protection Overview.

  3. Use a third-party antispam product or service that offers this functionality.


Michel June 26, 2013 at 12:17 am

You can manually install the Connection Filtering Agent on the FrontEnd transport service. On a mailbox role server the transport service does not handle incoming connections but the FrontEnd service does.


Robert November 2, 2014 at 6:23 pm

Do you have to run the install-antispamagents command on each of the (Transport Servers, for 2010) or the (mailbox servers) for 2013?

Thanks,

Robert


Bharat Suneja November 6, 2014 at 9:34 am

Yes, anti-spam agents must be installed on each transport server.

For Exchange 2013, see Enable anti-spam functionality on Mailbox servers.
