Exchange Content Filter settings are ignored

Symptom

Consider that you have deployed Forefront TMG 2010 along with Exchange Edge and Forefront Protection for Exchange 2010 (FPE), and you have also enabled the E-Mail Policy feature in TMG.

In addition, you have configured some Content Filtering settings related to Exchange Edge from the TMG Management console.

You then notice that these settings are ignored. For instance:

You have defined a quarantine mailbox address based on the spam confidence level (SCL) rating, but messages rated with a greater or equal SCL are never sent to this mailbox.

The problem doesn’t happen for settings that are not Content Filtering settings, such as Allow/Block lists, Sender ID, etc.

Cause

The problem occurs because you have enabled the anti-spam filtering engine of FPE.

When you deploy FPE, the anti-spam features that are built into Exchange Edge are disabled (see http://technet.microsoft.com/en-us/library/bb124739.aspx).

The anti-spam filtering of FPE can be enabled during installation of FPE, from the FPE Management console, or by using the Set-FseSpamFiltering FPE cmdlet.

This means that if you open the Exchange Management Shell and execute the Get-TransportAgent cmdlet you will notice that the “Content Filter Agent” of Exchange is disabled. Instead, the “FSE Content Filter Agent” of FPE is enabled, as indicated in the screenshot below:

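[Screenshot: Get-TransportAgent output showing the “Content Filter Agent” disabled and the “FSE Content Filter Agent” enabled]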

As a result, the settings mentioned above, which belong to Exchange, are ignored because the “Content Filter Agent” of Exchange is disabled.

Solution and best practice

The best practice is nevertheless to enable the FPE anti-spam engine, as it brings additional anti-spam filters like Cloudmark and Backscatter (see http://technet.microsoft.com/en-us/library/installingforefrontprotectiononastandaloneexchangeserver.aspx).

As explained above, the downside of enabling FPE anti-spam is that the Exchange Content Filtering settings (configurable from the TMG MMC), which are applied by the “Content Filter Agent”, are ignored.

If you need to use these Exchange filtering settings, you can perform one of the following tasks on each TMG array member:

  • Configure Antispam Filtering manually in the FSE Administration Console or Management Shell. Note: all subsequent changes to anti-spam filtering settings should be made on each server separately, as TMG doesn’t track these settings.
  • Or disable Antispam Filtering (and restart the MSExchangeTransport service)
  • Or enable the Content Filter Agent using the Enable-TransportAgent cmdlet (and restart the MSExchangeTransport service)
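To check an array member for the condition described above before choosing one of these options, the following can be run in the Exchange Management Shell. It is an added example, not part of the original post or of TMG/FPE: the function name Test-ContentFilterConflict is hypothetical, and the agent names are the ones quoted in this article.

```powershell
# Added example. Run in the Exchange Management Shell on each TMG array member.
# Test-ContentFilterConflict is a hypothetical helper name, not a built-in cmdlet.
function Test-ContentFilterConflict {
    # List all transport agents once and pick out the two discussed in the article.
    $agents = @(Get-TransportAgent)
    $exchangeAgent = $agents | Where-Object { [string]$_.Identity -eq 'Content Filter Agent' }
    $fpeAgent      = $agents | Where-Object { [string]$_.Identity -eq 'FSE Content Filter Agent' }

    # Exchange's own content filtering settings, including the SCL quarantine mailbox.
    $config = Get-ContentFilterConfig

    # A missing agent is treated the same as a disabled one.
    $exchangeOff = (-not $exchangeAgent) -or (-not $exchangeAgent.Enabled)
    $fpeOn       = [bool]($fpeAgent -and $fpeAgent.Enabled)
    $quarantine  = [bool]($config.SCLQuarantineEnabled -and $config.QuarantineMailbox)

    New-Object PSObject -Property @{
        ExchangeContentFilterEnabled = -not $exchangeOff
        FseContentFilterEnabled      = $fpeOn
        SclQuarantineConfigured      = $quarantine
        SclQuarantineThreshold       = $config.SCLQuarantineThreshold
        QuarantineMailbox            = $config.QuarantineMailbox
        # True when Exchange content filtering settings exist but no Exchange agent applies them.
        SettingsIgnored              = ($exchangeOff -and $fpeOn -and $quarantine)
    }
}

$state = Test-ContentFilterConflict
$state | Format-List

if ($state.SettingsIgnored) {
    Write-Warning ("SCL quarantine to '{0}' (threshold {1}) is configured, but the Exchange " +
        "Content Filter Agent is disabled and the FSE Content Filter Agent is enabled, " +
        "so the setting is not applied." -f $state.QuarantineMailbox, $state.SclQuarantineThreshold)

    # Third option from the list above; uncomment to apply on this server.
    # Enable-TransportAgent -Identity 'Content Filter Agent'
    # Restart-Service MSExchangeTransport
}
```

The check only covers the SCL quarantine mailbox used as the example in this article; other Content Filtering settings are ignored in the same way while the Exchange agent is disabled.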

Note: there will be an improvement in the upcoming TMG Service Pack (SP2) that will notify the TMG administrator of the issue (when FPE anti-spam filtering is enabled and Exchange Content Filter agent is disabled).

Authors:

Eric Detoc, Escalation Engineer, Forefront TMG

Technical Reviewer:

Vadim Galperin, Development Engineer, Forefront TMG