Like other ppl, I have a few questions regarding FP 2010 for Exchange - the SCP -1 issue, integration, backscatter, and more


  • Thursday, March 31, 2011 12:13 PM
     
     

    Hi all

    I seem to be going around and around, reading the same sites, and not actually getting the answers so time to post a thread I think.

    Firstly, here's the setup in order, from External to Internal:

    - Internet
    - Perimeter Firewall (Enterprise level firewall, that does scan email traffic initially)
    - Linux Mail Server - running Postfix - This has some older AV / Spam checks on it, and is the mail server that we were using prior to Exchange. It still exists as we are still in the migration period (although most of the users are migrated) and it handles entries for some other domains - mainly just aliases to the main AD domain (with Exchange). We have got this server set to deliver email to the Exchange HT server in the event that it can't deliver it to this server (not the best setup I know but it's a working solution as we progress with the migration of the remaining users)
    - Exchange 2010 HT server (we DON'T have an Exchange EDGE server at this time) - this is the only server I've configured with FPE at the moment (want to get this correct first before putting FPE on the MBX servers). For info, we have this set up as a separate server to any of the other Exchange roles (all Exchange servers are Exchange 2010 SP1)

    The issues I've run into at present:

    1. No matter what I try, I can't seem to get any email coming into Exchange from External (to Exchange) to be flagged as anything other than the following in the message headers:

    X-MS-Exchange-Organization-AuthSource: EXCHHTSERVER.domain
    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 10
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0

    I've tried:
    - populating the InternalSMTPServers in Exchange with the IP of the firewall
    - populating the InternalSMTPServers in Exchange with the IP of the firewall, and the linux mail server
    - leaving the InternalSMTPServers in Exchange empty
    - with the above combinations, I've also tried including these IP combinations (and leaving it empty) in the "IP addresses used to identify external addresses" option located in the FPE console > Policy Management > Global Settings > Advanced Options, but it hasn't made a difference.

    Note: I've not restarted any services after making any of these changes and nothing specifies that you need to do that. I see in the Event Viewer that the configuration has been saved / changed when making these changes at each attempt, plus I can't just start randomly restarting the Exchange / FPE services continuously due to the organisation being very dependent on e-mail delivery (I'd have to do it late at night I wager).

    The Antimalware side of things and File Filtering works however, as I have entries for these, but nothing seems to work in getting this antispam feature working.

    This kind of leads me onto question 2....

    2. Do you have to enable or disable anything in Exchange itself in order for the anti spam of FPE to work? How does FPE integrate with Exch in this way?

    To explain a bit more, prior to trying FPE, I did attempt some while ago to set up the built in Anti Spam feature in Exchange but when trying to get it to install (using the script) it failed and I never got around to actually getting this resolved. Wondering whether this would have any bearing on it.

    After setting up FPE, I've noticed that when I use the Exchange Management Console on the HT server, it has Anti Spam tabs (found at Org Configuration > Hub Transport and Server Configuration > Hub Transport), whereas it doesn't show these when using the EMC on any of the other Exchange servers.

    Is this down to FPE being installed? Does FPE actually install and turn on the native Exchange Anti Spam system and integrate into that, as these tabs and options within don't indicate FPE in any way, so I've no idea now whether they are meant to be used or not :(

    3. Backscatter - I've enabled this and generated the key etc, but other than the Statistics in Server Security Views > Spam Details, I can't find any place showing logs of the messages that have been blocked. Is there some reason for this? The count seems quite high considering I only set up FPE last Friday night and while I'm aware the first 24hrs to expect quite a number of them while it trains itself, the number seems to have increased steadily - it tells me 1227 messages have been blocked by the backscatter agent. It was about 400-500ish 24hrs later, but it still seems quite high considering we do have AV / spam / RBL checks in place in the firewall / linux mail server.

    4. A side note but I've noticed a few things that I'd love to see in FPE in the future... does anyone know whether the FPE team welcome feedback (other than the surveys) where I could suggest to them some improvements?

    Any help on the above would be really welcome, as it seems like a really good comprehensive tool, and most of it is easy enough to work out, but seems to be lacking as far as helping you actually integrate it when you are using different scenarios to what is expected.

    Many thanks.
    Nath.
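The header check described in the post above, as an added example that is not part of the original thread: it parses raw message headers and reports which of the quoted stamps (SCL -1, AuthAs Internal, MessageSecurityAntispamBypass) mark a message as having skipped anti-spam scoring. The two sample messages, the function names, and the `Anonymous` / SCL 5 values in the second sample are constructed for illustration.

```python
from email import message_from_string

PREFIX = "x-ms-exchange-organization-"

# Constructed sample messages (not real mail). The first carries the stamps
# quoted in the post; the second is a hypothetical message that was scored.
BYPASSED = """\
Received: from mail.example.org (192.0.2.10) by EXCHHTSERVER.domain
X-MS-Exchange-Organization-AuthSource: EXCHHTSERVER.domain
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 10
X-MS-Exchange-Organization-Antispam-Report:
 MessageSecurityAntispamBypass
X-MS-Exchange-Organization-SCL: -1
Subject: constructed sample 1

body
"""
SCORED = """\
Received: from mail.example.org (192.0.2.10) by EXCHHTSERVER.domain
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 5
Subject: constructed sample 2

body
"""

def antispam_stamps(raw):
    """Return the X-MS-Exchange-Organization-* headers, keyed by short name."""
    stamps = {}
    for name, value in message_from_string(raw).items():
        if name.lower().startswith(PREFIX):
            # Collapse folded (multi-line) header values onto one line.
            stamps[name[len(PREFIX):].lower()] = " ".join(value.split())
    return stamps

def bypass_reasons(raw):
    """List which of the stamps from the post are present on this message."""
    s = antispam_stamps(raw)
    reasons = []
    if s.get("scl") == "-1":
        reasons.append("SCL -1")
    if s.get("authas", "").lower() == "internal":
        reasons.append("AuthAs Internal")
    if "messagesecurityantispambypass" in s.get("antispam-report", "").lower():
        reasons.append("MessageSecurityAntispamBypass")
    return reasons

if __name__ == "__main__":
    for label, raw in (("sample 1", BYPASSED), ("sample 2", SCORED)):
        print(label, bypass_reasons(raw) or "scored normally")
```

Running it over headers saved from mail that arrived through the external relay shows whether every message, or only some, is stamped as a bypass.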


All Replies

  • Thursday, April 07, 2011 8:13 AM
    Moderator
     
     Answered

    Hi,

     

    Thank you for the post.

     

    It seems like an Exchange issue. To narrow down this issue, please run the FSCUtility tool to disconnect Forefront Protection for Exchange from Exchange and see if it helps. When we install FPE on a Hub box, the content filtering agent of Exchange is disabled, as Cloudmark is a premium anti-spam solution. You have to leave it disabled and not change it as this is the expected situation. And we do not need to configure anything related to anti-spam from the EMC. The settings that are configurable from FPE are about SCL ratings and the actions on mails that match the SCL ratings.

     

    Regards,


    Nick Gu - MSFT
  • Friday, May 11, 2012 6:29 PM
     
     

    Did you ever get this working? I have pretty much exactly seen the same result -- (http://social.technet.microsoft.com/Forums/en-US/FSENext/thread/20009371-ac96-43ad-8a53-60a005f50ecc) -- and I'm not getting anywhere with it either. I was starting to think I'm the only one for whom FPE just doesn't freaking work. I even have a postfix gateway just like you; ours routes mail between on-premises Exchange and the student email (cloud hosted). I have FPE installed on the Hub Transport servers since we don't have an Edge Relay (told it wasn't necessary with postfix routing mail between the internet and Exchange), and all of the mail comes in

    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 10
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1

    just like yours.

  • Thursday, February 07, 2013 10:59 AM
     
     

    We had the same issue with everything getting an SCL rating of -1 on the HubTransport servers. 

    We did a workaround by running the below PowerShell for the incoming SMTP connector (we don't have EDGE either); this forces FPE to scan all mails.

    Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

  • Thursday, February 07, 2013 1:54 PM
     

    All I had to do was this, from FOPE Powershell:

    New-FseExtendedOption  -Name CFAllowBlockedSenders -Value true
    


    • Edited by Systemspoet Thursday, February 07, 2013 1:54 PM