In Part 1, we installed the Forefront Protection Management Console on a Windows 2008 R2 Server, using databases on a remote SQL 2008 instance, as a primary. Typically the next step would be to install a secondary or backup server, but for the moment we’ll skip that step and go straight to configuring FPE (Forefront Protection for Exchange.). The full operations guide is at http://technet.microsoft.com/en-us/library/gg507746.aspx.
The first thing I’m going to do is secure the site with SSL – see http://technet.microsoft.com/en-us/library/gg507696.aspx for details.
Once that is done, open up FPSMC in a browser (probably easier from a workstation than the server due to the browser being locked down) by browsing to https://servername/fpsmconsole.
If you used the previous version of this console it will look familiar… let’s hope this is better than that version though, eh? Let’s have a look through.
Users who are allowed to administer the console are listed under user management. The account used to install FPSMC already has rights, but is not listed here. You may find old documentation saying some different things about permissions, groups that need to be created and needing local administrators permissions – these are most likely from beta documentation – this install is the RTM version (11.1.1614.0). I’ve added a couple of accounts so I can still get in when I try revoking some of my SQL permissions later.
In order to manage like servers (e.g. Mailbox Servers) it is advisable to create groups (a.k.a. product deployment groups) – these are not AD groups, just simple collections of servers for the purposes of management through FPSMC. To do this look at Administration -> Server Group Management -> Add Server Group.
Once the group is created, when you add servers (Server Management -> Add Servers) you can specify the server as a member of this group.
In the Add servers page you can search your domain for Exchange and Sharepoint servers with Forefront installed, or add individual servers by FQDN (for example Edge servers that are in a workgroup or untrusted forest).
Note: Microsoft publish the following ports used by FPSMC – you will need to allow these in/out of your firewall in order to deploy the agent to the server and for the agent to communicate with the FPSMC console.
| Port | Purpose and direction |
| 80/443 | HTTP/S ports. Web browser -> FPSMC, FPSMC -> internet. |
| 445 | FPSMC agent deployment (FPSMC server -> managed computer) |
| 8815 | Agent listens on this port to receive commands from the FPSMC (FPSMC server -> managed computer) |
| 8816 | The push installer listens on this port on managed servers (FPSMC server -> managed computer) |
| 8817 | The NotificationService on the FPSMC server listens on this port to receive data (such as quarantine and stats) from the managed servers (managed computer -> FPSMC) |
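As an added example (not from the original post, and not a Microsoft tool), the following PowerShell script tests TCP reachability for the ports in the table above, in the direction each one is used. Run it with -Role Console on the FPSMC server and with -Role Managed on a managed computer. The server names are placeholders, and the Test-TcpPort helper uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also works under PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added example, not part of the original post: pre-flight check that the FPSMC ports
# are reachable in the direction each is used, before deploying agents.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Console', 'Managed')]
    [string]$Role
)

# Placeholder names - substitute your own FPSMC server and managed computers.
$fpsmcServer    = 'fpsmc01.corp.example'
$managedServers = @('mbx01.corp.example', 'hub01.corp.example', 'edge01.corp.example')

# Port list as published for FPSMC. 'ToManaged' = FPSMC server -> managed computer,
# 'ToFpsmc' = managed computer (or browser) -> FPSMC server.
$portMap = @(
    @{ Port = 443;  Direction = 'ToFpsmc';   Purpose = 'Console HTTPS (browser -> FPSMC)' },
    @{ Port = 445;  Direction = 'ToManaged'; Purpose = 'Agent deployment (SMB)' },
    @{ Port = 8815; Direction = 'ToManaged'; Purpose = 'Agent command listener' },
    @{ Port = 8816; Direction = 'ToManaged'; Purpose = 'Push installer listener' },
    @{ Port = 8817; Direction = 'ToFpsmc';   Purpose = 'NotificationService (quarantine/stats)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient with an asynchronous connect and a timeout; works on PowerShell 2.0,
    # where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-FpsmcPortCheck {
    param([string]$Role)
    $results = @()
    $source  = [System.Net.Dns]::GetHostName()
    foreach ($entry in $portMap) {
        # The console only needs to reach the managed computers; a managed computer
        # only needs to reach the console.
        $targets = @()
        if ($Role -eq 'Console' -and $entry.Direction -eq 'ToManaged') { $targets = $managedServers }
        if ($Role -eq 'Managed' -and $entry.Direction -eq 'ToFpsmc')   { $targets = @($fpsmcServer) }
        foreach ($target in $targets) {
            $results += New-Object PSObject -Property @{
                Source  = $source
                Target  = $target
                Port    = $entry.Port
                Purpose = $entry.Purpose
                Open    = (Test-TcpPort -ComputerName $target -Port $entry.Port)
            }
        }
    }
    $results | Sort-Object Target, Port |
        Format-Table Source, Target, Port, Open, Purpose -AutoSize | Out-Host
    # Return only the failures so the caller can act on them
    return @($results | Where-Object { -not $_.Open })
}

$blocked = Invoke-FpsmcPortCheck -Role $Role
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) port check(s) failed - review firewall rules before deploying agents"
    exit 1
}
```

A closed result on 8815 or 8816 before the agent has been deployed may simply mean nothing is listening on the managed computer yet, so repeat the check after deployment to tell a missing listener from a firewall block; 445 (and 443/8817 towards the console) can be verified beforehand.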
In order for FPSMC to manage these servers, you must deploy an agent. To do this, under Server Management, select the servers required and click Deploy Agent. Enter credentials, then click OK, and the Agent Deployment will commence immediately.
Click the Notification Logs or Deployment Status links to view the status.
Clicking back to Server Management will also show the status. In this example one server was unavailable, so the FPSMC reports an error for it.
So that’s the servers to manage – but we haven’t configured anything here really yet. Before we do, we can just configure the Global Configuration – an SMTP server for notifications to be sent (specify a valid SMTP address), Quarantine settings (default = poll servers every 15 minutes and purge data after 5 days). Also you can specify a download location for engine and definition updates – FPSMC can act as a redistribution server.
Also, we can now already view the status of engines already deployed on the managed servers by clicking Reports -> Engine and Definition Versions.
Configuring Packages and Jobs
As with the previous version, FPSMC doesn’t have a UI for configuring Forefront. Instead it works by redistributing settings already configured on one of your servers. So you need to configure at least one server first, export the settings, then import to FPSMC as a package. This package can then be redistributed to other servers, which configures every server the package is sent to with the same settings, so the best approach is to create server groups of similar servers – for example group together:
– Edge servers configured as a redistribution server (i.e. other servers get updates from these servers – although you could (and probably should) now use the FPSMC as your redistribution server instead)
– Edge servers not configured as redistribution servers
– Hub transport servers configured as redistribution servers
– Hub transport servers not configured as redistribution servers
– Mailbox servers
FPE settings are not going to be covered here – have a look at http://technet.microsoft.com/en-us/library/bestpracticesforconfiguringforefrontprotectionforexchange.aspx for information on that.
Looks like there are some oddities about where or how sections are managed – from Microsoft’s website at time of publishing I see the following:
“Not all Forefront Protection settings directly correspond to the policy sections on this page. For example, some settings found on the Global Settings – Scan Options dialog box in Forefront Protection for Exchange, such as Inbound Target Types, are represented by the Antimalware Settings policy section in the console.”
To export settings from an already configured Exchange server, open Forefront Management Shell on that computer and export the settings using the following cmdlet:
– Export-FseSettings -path export.xml
This will then create an export.xml file wherever you specified (by default in ‘C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server’ on the Exchange server). You can then create a package from the FPSMC UI by choosing Job Management -> Packages -> Create Package and importing the XML file.
Select the policy options which will be included in the package. Typically this will be all settings – click the top box to select all.
If this is not a redistribution server, or it is but you need to enter proxy credentials, do that here. If the FOPE gateway is deployed to your Exchange servers, you can enter credentials here. (You can still connect to FOPE from within the FPSMC console without setting this here.) Click OK to create the package.
Now the package has been created this can be deployed to all servers. To do this, create a job under Job Management -> Jobs -> Deployment Jobs.
Click Run Now.
Click Notification Logs to view the status – click Apply to refresh.
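Since the package is just a redistributed Export-FseSettings file, the export cmdlet described above also gives you a way to confirm that a deployment job actually took. The following PowerShell script is an added example (not from the original post or from Microsoft): it flattens two Export-FseSettings XML files, the one the package was built from and one taken on a target server after the job, into path=value lines and compares them. The file paths are placeholders, the XML schema of the export is not assumed (the tree is walked generically), and the element names in the ignore pattern are an assumption to adjust to the real export.

```powershell
# Added example, not part of the original post: check that a server which received a
# deployment job now carries the same settings as the export the package was built from.
# The XML schema of Export-FseSettings output is not assumed; the tree is flattened
# generically into path=value lines and the two files are compared.
#
# On each server, in the Forefront Management Shell (the cmdlet from the post):
#   Export-FseSettings -Path C:\FpsmcPackages\export.xml
param(
    [string]$ReferenceXml  = 'C:\FpsmcPackages\export.xml',      # placeholder: package source export
    [string]$TargetXml     = 'C:\FpsmcPackages\mbx02-after.xml', # placeholder: export from a target after the job
    # Placeholder pattern for lines expected to differ per server (e.g. proxy or FOPE credentials
    # entered in the package); the element names here are assumed, adjust to the real export.
    [string]$IgnorePattern = 'Password|Credential'
)

function ConvertTo-SettingLines {
    param([System.Xml.XmlNode]$Node, [string]$Path)
    $lines = @()
    foreach ($attr in @($Node.Attributes)) {
        if ($attr) { $lines += "$Path@$($attr.Name)=$($attr.Value)" }
    }
    $children = @($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    if ($children.Count -eq 0) {
        # Leaf element: record its text value
        $lines += "$Path=$($Node.InnerText.Trim())"
        return $lines
    }
    $seen = @{}
    foreach ($child in $children) {
        $name = $child.LocalName
        $seen[$name] = [int]$seen[$name] + 1
        $childPath = "$Path/$name"
        # Repeated siblings (lists of filters, rules and so on) get an index so they do not collide
        if (@($children | Where-Object { $_.LocalName -eq $name }).Count -gt 1) {
            $childPath += "[$($seen[$name])]"
        }
        $lines += ConvertTo-SettingLines -Node $child -Path $childPath
    }
    return $lines
}

function Compare-FseSettings {
    param([string]$ReferencePath, [string]$TargetPath, [string]$Ignore)
    $ref = New-Object System.Xml.XmlDocument; $ref.Load($ReferencePath)
    $tgt = New-Object System.Xml.XmlDocument; $tgt.Load($TargetPath)
    $refLines = ConvertTo-SettingLines -Node $ref.DocumentElement -Path $ref.DocumentElement.LocalName
    $tgtLines = ConvertTo-SettingLines -Node $tgt.DocumentElement -Path $tgt.DocumentElement.LocalName
    if ($Ignore) {
        $refLines = @($refLines | Where-Object { $_ -notmatch $Ignore })
        $tgtLines = @($tgtLines | Where-Object { $_ -notmatch $Ignore })
    }
    # SideIndicator '<=' = present only in the reference package, '=>' = present only on the target
    return @(Compare-Object -ReferenceObject $refLines -DifferenceObject $tgtLines)
}

$drift = Compare-FseSettings -ReferencePath $ReferenceXml -TargetPath $TargetXml -Ignore $IgnorePattern
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting line(s) differ: the job did not apply fully, or the server was changed locally since"
    $drift | Sort-Object InputObject | Format-Table SideIndicator, InputObject -AutoSize | Out-Host
    exit 1
}
Write-Host "Target matches the reference package"
```

Run the same comparison periodically against each server group and the package it was built from, and a non-empty difference list flags a server whose settings have drifted from the package, whether because a job failed part way or because someone changed the server directly.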
That’s pretty much it for the moment. I will update with findings once I’ve had a play, deployed to edge servers, redistributed packages, looked at FOPE options etc. A whistle-stop tour, but hopefully it’ll be useful to somebody, somewhere.
Tim Coveney | LlamaIT | w: llama.it
This posting is provided in good faith, “as is” with no warranties and confers no rights.