The first Forefront for Exchange release focused on anti-virus and anti-malware email hygiene. Targeting MS Exchange 2007, spam filtering was handled by the various transport agents included out of the box. Whether or not you ran Forefront, spam filtering was the job for the Content Filter Agent, Connection Filtering Agent, Sender Filter Agent, etc.
With Exchange 2010 we got the second wave of Forefront releases including Microsoft Forefront Protection 2010 for Exchange (FPE). Amongst other additions this release introduced a new anti-spam solution that is less reliant on the native Exchange 2007/2010 agents.
When saying less reliant, I am choosing my words carefully. Both Exchange 2007 and 2010 ship a set of anti-spam agents that do not require Forefront. FPE 2010 does not replace all the native agents either. It still relies on some of the native agents (such as for Sender Filtering) but introduces other agents that inject Forefront specific functionality.
Some of the Forefront anti-spam settings exposed at the Management Console are a wrapper to the configuration of the native anti-spam agents. Of course this is not the case when dealing with functionality unique to Forefront.
Disablement of the Native Content Filter Agent
One of the most significant changes introduced in FPE 2010 (on the anti-spam side) was the introduction of a new content filter agent. This replaces the native content filter agent shipped with Exchange 2007/2010. The new agent is registered with the Exchange transport on enabling the Forefront anti-spam. You can see this from the Exchange Management Shell by running:
Get-TransportAgent
The following screenshot shows the Exchange 2010 agent list after installing Forefront with anti-spam disabled:
Next is the agent list after enabling Forefront anti-spam:
Here we have a couple of interesting points to highlight:
The native content filter is actually disabled in two places:
We already saw the first switch above. This is a property common to all transport agents configurable using Enable-TransportAgent/Disable-TransportAgent
.
The second switch is a content filter property configurable using Set-ContentFilterConfig
or the management console:
There are some obvious reasons why Forefront disables the native content filter agent. To begin with there is little point to have two content filters connected back-to-back. Secondly the two filters use the same SCL rating system. If the Forefront agent finds that an email is already stamped with an SCL it won't process it.
Re-Enabling the Native Content Filter
Now that we better understand how and why the native content filter is disabled, we proceed to re-enable it! You might have installed Forefront for evaluation and decided not to go ahead with it. Uninstalling Forefront 2010 does not re-enable the native content filter leaving Exchange exposed to spam.
To re-enable it, at the Exchange Management Shell, we just run the following cmdlets:
Enable-TransportAgent "Content Filter Agent"
Set-ContentFilterConfig -Enabled $true
At the end we just restart the Microsoft Exchange Transport service and the native content filter is back online.
Forefront Installation and Configuration
For completeness let's take a look at the Forefront installation and the configuration console. FPE 2010 does not enable anti-spam filtering by default. At installation time we get the following selection:
The default here is that to keep anti-spam disabled. So unless this is changed, FPE completes the installation without touching the native content filter enablement status. The install wouldn't even create the Forefront content filter agent.
Moving to the Forefront administrative console, we can enable anti-spam from:
Policy Management | Antispam | Configure | Enable Antispam Filtering
Clicking the 'Enable Antispam Filtering' button changes the system to replace the content filter as described earlier. Once the native content filter is disabled, the only way to get it back is to do it manually. Of course doing this only makes sense if you plan to stop using Forefront anti-spam.