In an interesting shift, it seems Microsoft is getting out of the on-premises email filtering business. The Exchange Team, in a recent blog post uploaded last month, announced that they do not recommend installing the Exchange Edge Server role on Windows Server 2016. Further, while they will continue to support Edge Transport on earlier versions of Windows Server in accordance with the appropriate support life-cycle, they explicitly recommend that customers “stop relying upon this capability on all supported operating systems.”
So what does this mean? Well, obviously if you are relying upon the Exchange Edge Transport role you probably want to look at doing something else. The primary reason for this change is that there’s a conflict between the filters in Exchange and those in the operating system, and a lot is riding on the strength of the operating system’s protections. SmartScreen is a key component of Windows Server 2016 and Windows 10, but apparently it doesn’t play well with the technology in Exchange Edge Transport. Sure, they probably could just fix it in Exchange, but with Exchange Online Protection and the add-on Advanced Threat Protection as flagship offerings within Office 365, Microsoft would probably prefer that customers move their hygiene to the cloud, rather than running it on-prem. Whether you ever plan on moving to the cloud or not, moving hygiene there is probably a gateway drug in several scenarios, so it would help drive adoption of Office 365.
It’s interesting that the post “Enable antispam functionality on Mailbox servers” still indicates that this is an option and says to run the Install-AntiSpamAgents.ps1 script, but hopefully that will be pulled soon.
Moving hygiene to either a cloud or hosted solution can be seen as a better way to go, since that means all the bandwidth burned by spam and other junk never consumes your Internet pipe, and cloud-based offerings from Microsoft and others are much better able to handle surges. But what if you don’t want to go “to the cloud?”
Hygiene for messaging can be handled by server applications or hardware appliances. GFI Software’s own MailEssentials offers a number of protections including antimalware with up to five different commercial antivirus agents, spam and phishing protection, filtering and content policy enforcement, and a centralized management console to make it easy to set up, run, and monitor. You can even download a free 30-day trial to see how it works in your environment.
You might also look at one of the appliance-based solutions from Cisco IronPort, though as with most Cisco solutions, you’re paying a lot for the name and will probably need professional services to implement.
A lot of admins like the ability to reach out and touch their own stuff, and having hygiene running on some on-prem system (either server or appliance) gives them both the direct interaction and the comfort level they want. GFI MailEssentials is a very strong contender for replacing Microsoft Exchange Edge Transport and, with the free trial, is well worth your time to check out.
But whether you opt for the cloud or on-prem, one thing you want to make sure you do is avoid a crash of your on-prem systems. That would only be a half step from being as bad as running with no hygiene solution at all. So here’s what you want to do.
Find, implement, test, and cut over to your alternative message hygiene solution. You don’t want to let a single email into your environment that hasn’t been scanned, so move smartly on this one!
Run the Uninstall-AntiSpamAgents.ps1 script from the \Scripts folder on any Exchange server where you ran the Install-AntiSpamAgents.ps1 script. This will remove the problem services.
Exchange 2016 only
If your services are already crashing, uninstall KB4013429 from the server, reboot, and then run the Uninstall-AntiSpamAgents.ps1 script.
If you are having problems with this, you can contact Microsoft support for assistance.
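A read-only pre-flight check for the steps above, as an added example that is not from the original post or from Microsoft. It assumes it is run in the Exchange Management Shell on each Exchange server, and that the agent names listed are the ones Install-AntiSpamAgents.ps1 registered; the function name is hypothetical.

```powershell
# Added example: reports whether the antispam agents and KB4013429 are present.
# It changes nothing on the server.
# Assumption: these are the agent names registered by Install-AntiSpamAgents.ps1.
$antiSpamAgents = @(
    'Content Filter Agent',
    'Sender Id Agent',
    'Sender Filter Agent',
    'Recipient Filter Agent',
    'Protocol Analysis Agent'
)

function Get-AntiSpamAgentReport {   # hypothetical helper name
    param([string[]]$AgentNames = $antiSpamAgents)

    # Get-TransportAgent lists every transport agent registered on this server.
    $installed = @(Get-TransportAgent |
        Where-Object { $AgentNames -contains $_.Identity.ToString() })

    # Get-HotFix writes an error when the update is absent, so silence it
    # and treat an empty result as "not installed".
    $kb = Get-HotFix -Id 'KB4013429' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        AgentsInstalled  = $installed.Count
        AgentNames       = ($installed | ForEach-Object { $_.Identity.ToString() }) -join ', '
        KB4013429Present = [bool]$kb
        UninstallScript  = Join-Path $env:ExchangeInstallPath 'Scripts\Uninstall-AntiSpamAgents.ps1'
    }
}

$report = Get-AntiSpamAgentReport
$report | Format-List

if ($report.AgentsInstalled -eq 0) {
    Write-Output 'No antispam agents registered; nothing to uninstall on this server.'
} elseif (-not (Test-Path $report.UninstallScript)) {
    Write-Warning "Agents are registered but the script was not found at $($report.UninstallScript)."
} else {
    # Order matters: the replacement filter must be live before the agents go.
    Write-Output "Agents still registered. Once the replacement filter is live, run: $($report.UninstallScript)"
    if ($report.KB4013429Present) {
        Write-Output 'KB4013429 is installed; if services are already crashing, uninstall it and reboot first.'
    }
}
```

Running it again after the uninstall script should show AgentsInstalled as 0 on every server where the agents had been installed.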