Introduction
Manageability is the key that sometimes can make the difference between a good product and a great product. Fortunately, for the vast majority of Microsoft products, operations and management are a key concern from the very beginning of the development stage.
System Center Operations Manager (OpsMgr) 2007 is the heart of Microsoft management & operations strategy, a product that enables greater control of the IT environment, by means of dedicated Management Packs (MP), a collection of rules, tasks, and scripts that work together to maintain the overall health of the systems.
In a previous article, Monitoring Exchange 2007 With System Center Operations Manager 2007, I discussed the configuration steps for the Exchange Server 2007 MP. Since Forefront Server Security for Exchange (FSE) is a common antimalware product used in Exchange Organizations, I decided to write this installation and configuration guide.
Here is a small list that enumerates how the Microsoft Forefront Server Security Management Pack (FSSMP) for Operations Manager 2007 helps maintaining the health of your Forefront servers:
-
Monitors the state of Forefront Security and its key components, by deriving data from the Application Event Log, the System Event Log, and the Forefront Security ProgramLog.txt log file.
-
Collects statistical data on scanning, detection, and removal of message attachments.
- Contains tasks for:
- Launching manual scan jobs and background scan jobs.
- Controlling Forefront Security services and related services with dependencies.
- Setting the Statistic Threshold Percentage to warn of virus outbreaks.
- Triggering scan engine updates.
- Retrieving scan engine update versions.
- Launching the Administrator Console (FSSA) and the Management Console (FSSMC)
The following table provides an overview of the FSSMP monitoring functionality that is enabled through Operations Manager 2007:
|
Forefront component |
Monitored event |
|
Engines |
|
|
Transport and Realtime Scan Jobs |
|
|
Services |
|
|
License |
|
Table 1: Exchange 2007 MP monitoring functionalities
Solution Topology
For the purpose of this article, I installed the following environment on my test lab:
Figure 1: Solution Topology
All servers are virtualized with Windows Server 2008 Hyper-V.
|
Name |
Role |
Architecture |
Software |
|
OPSMGR |
Root Management Server |
x86 |
Windows Server 2003 R2 SP2 System Center Operations Manager 2007 SP1 |
|
E2K7-x64 |
Domain Controller Mailbox Server CAS Server HUB Transport Server |
x64 |
Windows Server 2008 Exchange Server 2007 SP1 + UR5 Forefront Server Security for Exchange 10 SP1 |
|
E2K7EDGE |
Edge Server |
x64 |
Windows Server 2003 R2 SP2 Exchange Server 2007 SP1 + UR5 Forefront Server Security for Exchange 10 SP1 |
Table 2: List of servers
FSSMP Prerequisites
Before importing the FSSMP for Operations Manager 2007, ensure that you meet all the requirements:
-
Install Microsoft Forefront Security for Exchange Server 10 SP1. This article describes FSSMP 10.1, which is intended for the same version of Forefront Server Security.
-
Install the updated Microsoft Operations Manager 2005 Backward Compatibility Management Pack, 6.0.5000.12 (or higher). If you do not install the updated Microsoft Operations Manager 2005 Backward Compatibility Management Pack before you install the FSSMP 10.1, your installation will fail.
Install the Forefront Security for Exchange Server MP
Download the Forefront Security for Exchange Server 10.1 MP for OpsMgr 2007. You can find the latest Management Packs at the System Center Operations Manager 2007 Catalog.
Once you download the Forefront Security MP, double click the .msi file in order to install it. The installation is a very simple process that just extracts the required Management Pack files to the folder you choose (Figure 2).
Figure 2: Exchange 2007 MP installation
If you take a peek at the newly created folder, you will notice 3 files, 1 installation guide, 1 licensing supplemental notice and the required management pack file:
- FSMPack2007_FSE.mp
To import the FSSMP, open the OpsMgr 2007 Operations Console. Click the Administration tab, right-click the Management Packs node and then click Import Management Packs. Select the required Management Packs and then click the Import button. After the import process is complete and the dialog box displays an icon next to each Management Pack that indicates success of the importation (Figure 3), click the Close button.
Figure 3: Import Management Packs
Add the Exchange servers with Forefront as agent managed computers
If you are using the Exchange Server 2007 MP, chances are that the servers that run FSE are already configured as agent managed computers. In case they aren't, follow the procedures described in my previous article, Monitoring Exchange 2007 With System Center Operations Manager 2007, to add them.
As soon as the machines are configured as agent managed computers, the OpsMgr auto discovery process will identify them as Forefront servers. Figure 4 depicts the State View of the 2 Exchange Servers that are running FSE.
Figure 4: State View
Statistics
The Performance rules included in this MP retrieve statistics for all scan jobs, in the following categories:
- Total number of attachments scanned
- Total number of attachments cleaned
- Total number of attachments removed
- Total number of attachments detected
- Total number of messages detected
- Total number of messages purged
- Total number of messages scanned
- Total number of messages tagged in the Subject line
- Rate of scanning (number of attachments scanned per second)
All these statistics can be accessed through OpsMgr Operations Console, under Scan Jobs (Figure 5), which aggregates all the performance data for FSE systems. They are divided in 2 categories: Realtime and Transport jobs. These are all presented as graphed output.
Figure 5: Scan Jobs statistics
Tasks
Tasks provide centralized control over the normal operations process and also provide a means to troubleshoot or correct problems identified through the OpsMgr 2007 Console.
These are the key functions included in the FSSMP tasks:
- Set the statistic threshold percentage
- Trigger an immediate manual scan job
- Trigger an immediate background scan
- Control services centrally: stop, start, and restart them
- Run scan engine updates
- Retrieve scan engine update versions
In order to run a task, open the OpsMgr Operations Console, select the Computers node, select one or more computers and all the tasks will appear in the Actions pane. Figure 6 depicts the Forefront related tasks.
Figure 6: Available tasks
Suppose you want to perform an immediate manual scan on the mailbox server. You just have to click that task from the Operatios Console and then click Run on the Run Task window (Figure 7). When the task finishes, a Task Status is displayed with some details from the operation (Figure 8).
Figure 9 illustrates another different task, Microsoft Antimalware Engine Update in this case.
Figure 7: Manual Scan
Figure 8: Manual Scan Status
Figure 9: Microsoft Antimalware Engine Update
All tasks execute scripts (VBScript) remotely on the selected agent-managed systems. Included in every script is some logging logic, which creates text entries in a log file on each managed server. The log file (Tasks.log) is located in the Operations Manager 2007 Logs subfolder under the Microsoft Forefront Security product installation folder (usually C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\MOMLogs\)
Figure 10: Tasks log
Set Statistic Threshold Percentage
Out of the box, this MP has most of the configuration needed pretty well covered. One thing you could (and should) do is to set the statistic threshold percentage, which allows you to set the percentage of infected messages received within the last hour that would be considered a virus outbreak. The default is 50%, that is, if more than 50% of the messages received in the last hour were infected, it is considered a virus outbreak.
In order to change the percentage, select the computer(s) where you want to modify the threshold, and run the task Set Statistic Threshold Percentage from the Actions pane.
A window pops up (Figure 11), with the previous selected servers marked as targets. Hit Run and you can then modify the Threshold and whether you want the operation to be logged or not (Figure 12). Click Override and if all goes well, you will be presented a success status page (Figure 13). Click Close.
Figure 11: Set Statistics Threshold
Figure 12: Override Task Parameters
Figure 13: Task Status
Alerts
When something goes wrong with Forefront, like any other MP, the FSSMP will display alerts (Figure 14). For instance, if one of the anti-virus engines is out of the date, there will be the corresponding alert (Figure 15), which also includes some Product Knowledge (Figure 16) with more details and suggested actions to resolve the alert.
Figure 14: Active Alerts
Figure 15: Alert Properties
Figure 16: Alert Knowledge
Conclusion
No messaging infrastructure is complete without a proper anti-malware solution. Forefront Security for Exchange is a fine product and a perfect fit for Microsoft Exchange Server.
In order to keep all the pieces of the engine running smoothly, carefully monitoring the different components that build the Exchange Server systems is strongly advised. System Center Operations Manager 2007 with the necessary Management Packs (Exchange Server, Forefront Security, Active Directory, Windows Server, IIS) provides the necessary logic to monitor and proactively execute the necessary procedures that will help you maintain a healthy IT environment.
Related Links
- Forefront Security for Exchange Server 10.1 MP for OpsMgr 2007
- Forefront Server Security Management Pack for Microsoft System Center Operations Manager 2007 User Guide
- Operations Management and Monitoring of an Exchange Server 2007 Organization
- System Center Operations Manager 2007 Product Documentation
Management Pack Catalog
