Connection Filtering In Exchange 2013


The change in Exchange 2013 architecture with just two roles has had an effect on the connection filtering anti-spam agent.

John asked via email – “How can I implement connection filtering in Exchange 2013 now that FPE 2010 is discontinued? I was able to install the anti-spam agents on a 2010 hub server & the connection filtering was taken care of”.

In Exchange 2013, the anti-spam agents can only be installed on the Mailbox role. However, connection filtering, which is very useful in fighting spam, is not available in 2013. The same goes for the attachment filter. Even though CAS proxies email back and forth (if set up correctly), it is a stateless proxy and can’t have any anti-spam agents on it.

As there is no Edge role in 2013 yet, the workaround is to use a 2007 or 2010 Edge role with the Exchange 2013 infrastructure. Both versions of the Edge server can perform connection filtering. One point to note is that the edge subscription is set up from the Mailbox role in 2013, compared to the hub in 2010.

Another option for connection filtering is to use a cloud-based anti-spam offering like FOPE, or Exchange Online Protection (EOP) as it is called these days.

Any other options?


10 comments

  1. Rob

    Use a MailMarshall server at the edge?

    1. Rajith Jose Enchiparambil

      Thanks Rob. I take it Mailmarshal does connection filtering.

  2. It works just fine on Exchange 2013. We have it running in 8 sites at this point with 0 issues. Hit PowerShell (run as admin):
    cd $exscripts
    Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "D:\Program Files\Microsoft\Exchange Server
    Add-IPBlockListProvider -Name -LookupDomain -AnyMatch $true -Enabled $true
    Add-IPBlockListProvider -name -LookupDomain -AnyMatch $true -Enabled $true
    Add-IPBlockListProvider -name -LookupDomain -AnyMatch $true -Enabled $true
    Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
    Restart-Service MSExchangeTransport

  3. Be sure to set your pathing properly in the above script. And, after installation, pop a reboot. When the connection filter catches an email, it will create its log directory. This can be found in the (default) directory x:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog
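
Added example (not part of the original comments and not the commenter's script): one way to confirm from the agent log that the Connection Filtering Agent is rejecting mail, and which block list provider and source IPs account for the rejections. The log lines are constructed, and the function name, provider names and column subset are assumptions; the parser takes its column names from the file's own #Fields header.

```powershell
# Constructed sample agent log (not real data). The columns are a subset chosen
# for the demo; the parser uses whatever the file's own #Fields header declares.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: Agent Log
#Fields: Timestamp,RemoteEndpoint,P1FromAddress,Recipient,Agent,Event,Action,SmtpResponse,Reason,ReasonData
2014-03-01T10:15:02Z,192.0.2.10:51422,a@example.net,u1@example.com,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,ProviderA
2014-03-01T10:16:40Z,192.0.2.10:51510,b@example.net,u2@example.com,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,ProviderA
2014-03-01T10:20:11Z,198.51.100.7:40022,c@example.org,u1@example.com,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,ProviderB
2014-03-01T10:21:30Z,203.0.113.5:33001,d@example.org,u3@example.com,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,1
'@

# Hypothetical helper: returns one object per rejection made by the
# Connection Filtering Agent, ignoring comment lines and other agents.
function Get-ConnectionFilterHit {
    param([Parameter(Mandatory = $true)][string[]]$Line)

    $fields = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fields) { throw 'No #Fields header found; is this an agent log?' }
    $header = ($fields -replace '^#Fields:\s*', '') -split ','

    $Line |
        Where-Object { $_.Trim() -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $header |   # handles the quoted SmtpResponse with its comma
        Where-Object { $_.Agent -eq 'Connection Filtering Agent' -and $_.Action -like 'Reject*' }
}

$hits = @(Get-ConnectionFilterHit -Line ($sample -split "`r?`n"))

if ($hits.Count -eq 0) {
    Write-Warning 'No connection-filter rejections logged: check the agent and providers are enabled.'
}
else {
    # Rejections per block list provider (ReasonData holds the provider name here).
    $hits | Group-Object ReasonData | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Provider'; e = { $_.Name } }

    # Rejections per sending host; assumes IPv4 "ip:port" endpoints as in the sample.
    $hits | ForEach-Object { $_.RemoteEndpoint -replace ':\d+$', '' } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'SourceIP'; e = { $_.Name } }
}
```

On a server, pass the lines of the .log files from the AgentLog directory named in the comment above (for example via Get-Content) in place of $sample.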


  4. Hi Eric
    Can this be installed on the CAS server, or does it get installed on the Mailbox/CAS server?

    1. Rajith Jose Enchiparambil

      No John. Now that the edge role is available with 2013 SP1, you need to use that.

  5. Renato P


    When you say ‘the edge role is available with 2013 SP1’, should it be installed on CAS or MBX server?

    1. Hi Renato,

      Edge on 2013 goes on its own, on a server in the DMZ – just like 2010.
      You can’t install Edge along with other roles.

  6. Dave Longman

    Had been pulling my hair out on this at losing connection filtering, even though Microsoft now say it’s ok to run CAS and mailbox role together. Was about to give up and install an edge server when I came across this blog. It works like a dream – logs prove emails are being blocked by spamhaus lookup and users very happy at diminished spam once again in their inbox! Result!

    1. Glad it helped you Dave.
