Evan Dodds - Microsoft Exchange Server Blog

Exchange, Exchange administration stuff, and other assorted ramblings

Blogs

Where to install IMF (and other miscellaneous IMF explanations)...

  • Comments 6
  • Likes

Intelligent Message Filter (IMF) has been a hot topic since it was released to the web last week. I've seen a few questions fly by, and had a few directed at me so let's talk about some of the basics many of you may be wondering.

First, let's talk about how IMF works. There are two aspects to IMF: Gateway action, and Store action.

Gateway actions only happen on the machine where IMF is installed, and it is the process of scanning the message and tagging it with an SCL value. An action is defined, based on the SCL value returned by IMF (delete, reject, archive, or "no action").

If and only if the message makes it past the gateway, it will eventually be delivered (with SCL attached) into the Exchange mailbox store. If this mailbox store is running Exchange 2003 (RTM or SP1), a second determination will take place. Based on the Store threshold set through the IMF GUI, the message will be dropped into either the Inbox or moved to the Junk E-mail folder as a server-side store action. This requires no interaction with Outlook, so it will happen with any version of Outlook or OWA that you are using, as long as the Junk E-mail folder exists in your mailbox. (* - Note: Outlook 2003 safe lists and Junk E-mail settings can override this server-side behavior)

Conversely, if your mailbox server is Exchange 2000 or Exchange 5.5, it won't be able to do the store action, regardless of what version of Outlook you're running and any Junk E-mail action would still have to be performed client-side.

So, what's the principle take-away from this? You only need to install IMF at the Internet gateway. No need to install IMF on each and every Exchange 2003 mailbox store in the organization. If the SCL has been tagged onto the message at the gateway, it'll be handled by the store-side action when it hits the Exchange 2003 mailbox store without any need to have the IMF evaluate it again.

Also, a question came up about clusters -- IMF can't be installed on clustered Exchange servers and some folks wanted to know why. There are conflicts with the way SMTP protocol virtual servers are configured on cluster and the required bindings for IMF. This combination was not tested, as internet bridgehead servers are not generally run as clustered Exchange servers.

Comments
  • Why is the IMF a Global Config only? Is it possible to configure it at the Administrative group level or SMTP VS level?

  • Reddsoda -

    It's possible to configure some items on a per-server basis. You can override the Gateway Threshold and Gateway Action, for instance, by setting the values in the registry. The registry value will override the "global" AD setting.

    At this Key: HKLM\Software\Microsoft\Exchange\ContentFilter

    "GatewayThreshold" - DWORD - SCL value for action if >=

    "GatewayAction" - DWORD - Possible Settings (same as in AD):
    0 = No action
    1 = Delete
    2 = Reject
    5 = Archive (& subsequently delete)

    Evan

  • Is the name of the junk folder configurable? I'd like to use IMF with a third party solution, but am working in a multi-language environment (D/F/E). Therefore junk folder names vary - which makes it hard to have the third party products move their junk into the same folder.

  • Evan,

    One of our clients is a small business. They have a single clustered server that they use to run the business. It has Exchange, SQL, and file shares - sort of like a Small Business Server but cluster-based. They used a cluster for reliability because if the server goes down they are out of business - no sales, no production, no QA.

    They also have a small locked-down server running ISA server that faces the Internet. This is a pretty clean system because the ISA folks recommend that you don't install applications on your firewall. The cluster and the firewall are the only two servers they have.

    It's driving me crazy that you don't allow IMF to install on a cluster. My client shouldn't have to set up a separate Exchange server with the attendent administration and backup overhead just to run IMF! I understand that a larger organization will have front-end servers and multiple mailbox servers but it seems to me that you are forgetting about small businesses - they get spam too!

    It caused us headaches upgrading from Exchange 5.5 because you didn't support the ADC on a cluster either. My client went into clustering because they believed Microsoft's pitch about greater reliability. Now you Exchange folks penalize them at every turn. Somebody running an Exchange cluster has purchased Exchange enterprise (5x the cost of regular Exchange), and 2 copies at that. A customer like that should get *better* support from the Exchange team, not be treated like second-class citizens.

    It seems to me that you Exchange guys think clustering is only used at large enterprises, and not very often even there. Please do what you can to pass on to the Exchange team that there are small businesses for which a clustered Exchange server is their *only* Exchange installation, and you need to support them as well.

    Getting back to the topic, any hope of cluster support in the next update of IMF?

    Thanks,
    Mike G