Introduction
In my previous article, Monitoring Exchange 2010 with OpsMgr 2007 R2, I mentioned a set of recommended additional management packs, in which the Forefront Protection 2010 for Exchange Server Management Pack (FPE 2010 MP) was included. Monitoring Exchange servers is not only about the specific Exchange services, but is also about managing a vast subset of additional services and applications that are critical to a healthy messaging system.
One of those services is, of course, anti-malware, so any Messaging Admin must guarantee the health of the anti-malware ecosystem. In case one is using Forefront Protection for Exchange (FPE) and System Center Operations Manager as the monitoring infrastructure, there is a specific management pack that greatly automates and helps the centralized management of systems with FPE installed.
FPE 2010 MP provides support for monitoring the “health” of your systems, informing you when they are running smoothly and when there are problems.
The FPE 2010 MP contains rules for:
- Monitoring the state of FPE and its key features.
- Collecting statistical data about file scanning performance for each scan job (realtime and scheduled).
The following tables provide an overview of the FPE 2010 MP monitoring functionality that is enabled through Operations Manager 2007:
| DISCOVERIES | Description | Method |
| --- | --- | --- |
| FPE Server Discovery | Discovers if there is FPE 2010 installed on the managed server | Check registry key path HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID} |
| FPE Services Discovery | Discovers FPE services | FPE Services will be discovered if Exchange is not in CCR passive mode, by checking registry key HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA\ClusterStatus |
| FPE CCR Cluster Discovery | Discovers if Exchange is in CCR cluster mode | Check registry key HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA\ClusterStatus |
| CLASSES | Purpose | Notes |
| --- | --- | --- |
| FPE Server | Health monitor for whole FPE server | |
| FPE Licensing | Health monitor for license status | |
| FPE Scan Engines | Health Monitor for FPE Scan Engines | Includes antispam engines and antimalware engines. |
| FPE Antimalware Engines | Health monitor for antimalware engines | |
| FPE Antispam Engines | Health monitor for antispam engines | |
| FPE Services | Health monitor for all FPE services | Includes controller service, monitor service, mail pickup service, eventing service, and exchange hook. |
| FPE Controller Service | Health monitor for FSCController service | |
| FPE Monitor Service | Health Monitor for FSCMonitor Service | |
| FPE Mail Pickup Service | Health monitor for FPEMailPickup service | |
| FPE Eventing Service | Health monitor for FSCEventing service | |
| FPE Workload Integration | Health monitor for integration with Exchange | |
| FPE CCR Cluster | Health monitor for FPE on Exchange CCR | |
| FPE Scan Jobs | Health monitor for FPE scan jobs | Includes realtime scan jobs and scheduled scan jobs. |
| FPE Realtime Scan Jobs | Health monitor for FPE realtime scan job | |
| FPE Scheduled Scan Jobs | Health monitor for FPE scheduled scan job | |
| FPE Transport Scan Job | Health monitor for FPE Transport scan jobs | |
Table 1: FPE 2010 MP monitoring functionalities
Solution Topology
For the purpose of writing this article, I installed the following environment on my test lab:
Figure 1: Solution topology used in this article
All the machines (virtualized on Hyper-V) are 64-bit, since this architecture is fully supported by OpsMgr 2007 R2.
| Server Name | Role | Software |
| --- | --- | --- |
| OPSMGR2K7-R2 | Root Management Server | Windows Server 2008 R2 SP1; SQL Server 2008 SP2; System Center Operations Manager 2007 R2 + CU5* |
| E2K10 | Domain Controller; Mailbox Server; CAS Server; HUB Transport Server; Unified Messaging | Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3**; Forefront Protection for Exchange 2010 + HR3*** |
| E2K10-MBX2 | Mailbox Server | Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3; Forefront Protection for Exchange 2010 + HR3 |
| E2K10-EDGE | Edge Server | Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3; Forefront Protection for Exchange 2010 + HR3 |
*CU5 = Cumulative Update 5
**RU3 = Rollup Update 3
***HR3 = Hotfix Rollup 3
Table 2: List of servers
Installation and Configuration Procedures
There will be 5 steps covered in this article in order to install and fully configure the FPE 2010 MP for the environment previously described:
- Ensure that all the necessary requirements are met.
- Create a new management pack in which you store overrides and other customizations.
- Download, install and import the management pack.
- Add the Exchange servers with FPE as agent managed computers.
- Override the parameters of the performance rules if you require performance monitoring.
1. FPE 2010 MP Prerequisites
Before importing the FPE 2010 MP for Operations Manager 2007, ensure that you meet all the requirements:
- Ensure the managed Exchange 2010 servers with FPE installed have the PowerShell execution policy at least set to “RemoteSigned”. This can easily be checked by running the PowerShell cmdlet Get-ExecutionPolicy, as depicted in Figure 2.
Figure 2: Get-ExecutionPolicy
- If you have installed a previous version of either the FPSP management pack or the FPE management pack (version 11.1.0269.0 or lower), you need to remove it before installing this management pack.
2. Create a new management pack for customizations
The customizations and overrides of sealed management packs, such as the FPE 2010 MP, are usually saved in the default management pack. As a best practice you should create and use a separate management pack for that purpose. Creating a new management pack for storing overrides has the following advantages:
- It simplifies the process of exporting customizations that were created in your test and pre-production environments to your production environment.
- It allows you to delete the original management pack without first needing to delete the default management pack.
- It is easier to track and update customizations to individual management packs.
To create the new management pack, follow these steps:
- In the Operations Console, click the Administration button. In the Administration pane, right-click Management Packs and then click Create Management Pack. The Create a Management Pack wizard displays.
- In the General Properties page (Figure 3), type a name for the management pack in Name, the correct version number in Version, and a short description in Description. Click Next and then Create.
Figure 3: Creating a Custom MP for customizations
3. Install the Forefront Protection 2010 for Exchange Server MP
Download the Forefront Protection 2010 for Exchange Server Management Pack for System Center Operations Manager 2007 (version 11.1.301.0 was used in this article). You can find the latest Management Packs at the System Center Operations Manager 2007 Catalog.
Once you download the Forefront Protection MP, double click the .msi file in order to install it. The installation is a very simple process that just extracts the required Management Pack files to the folder you chose (Figure 4).
Figure 4: FPE 2010 MP installation
If you peek at the newly created folder, you’ll notice 3 files, namely 1 supplemental licensing notice (EULA) and the required management pack files:
- Microsoft.ForefrontProtection.Library.mp (Microsoft Forefront Server Protection 2010 Core Library) – This management pack is the core library for all versions of Forefront Protection Server. It defines all base classes and relationships.
- Microsoft.ForefrontProtection.FPE.mp (Microsoft Forefront Protection 2010 for Exchange Server Management Pack) – This management pack provides monitoring capabilities for Microsoft Forefront Protection 2010 for Exchange.
- To import the FPE 2010 MP, open the OpsMgr 2007 Operations Console. Click the Administration tab, right-click the Management Packs node and then click Import Management Packs.
- Click Add, Add from disk and then click No on the Online Catalog Connection window. Select all the files from the FPE 2010 MP directory, by default C:\Program Files (x86)\System Center Management Packs\FPE 2010 MP for SCOM 2007 (Figure 5), click Open and then click the Install button (Figure 6).
- After the import process is complete and the dialog box displays an icon next to each Management Pack that indicates success of the importation, click the Close button.
Figure 5: Select Management Packs to import
Figure 6: Import Management Packs
4. Add the Exchange servers with Forefront as agent managed computers
If you are using the Exchange Server 2010 MP, chances are that the servers that run FPE are already configured as agent managed computers. In case they aren’t, follow the procedures described in my previous article, Monitoring Exchange 2010 with OpsMgr 2007 R2, to add them.
As soon as the machines are configured as agent managed computers, the OpsMgr auto discovery process will identify them as Forefront servers. Figure 7 depicts the State View of the 3 Exchange Servers that are running FPE (there are 4 servers listed, because one of them is the Exchange DAG).
Figure 7: State View
Note:
If no FPE servers are discovered after the management pack importation, follow these steps:
- Please make sure:
a. The SCOM agent has been deployed to FPE servers.
b. The FPE version on the managed server is 2010.
c. The PowerShell execution policy on the managed FPE server is set at least to “RemoteSigned”.
- The MP will discover FPE servers every 4 hours. You can override the frequency and set a shorter interval if you need the management pack to respond more quickly to changes of FPE servers, or you can configure a longer interval to decrease the performance impact on FPE and Exchange.
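The checklist in the note above, as a read-only pre-flight script to run on the managed server (an added example, not part of the management pack or the original article). The HealthService agent service name, the DisplayName pattern used in place of the unspecified {GUID}, and the handling of ClusterStatus as either a key or a value are assumptions.

```powershell
# Added example: read-only pre-flight checks for FPE 2010 MP discovery.
# Run locally on the managed Exchange/FPE server in an elevated PowerShell session.

function New-Check($Name, $Status, $Detail) {
    # PowerShell 2.0-compatible (no [pscustomobject]); Select-Object fixes column order.
    New-Object PSObject -Property @{ Check = $Name; Status = $Status; Detail = $Detail } |
        Select-Object Check, Status, Detail
}

function Test-FpeMpPrerequisite {
    # (a) SCOM agent deployed. 'HealthService' is the OpsMgr agent's service name;
    #     the article does not name it.
    $agent = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue
    if ($agent -and $agent.Status -eq 'Running') { New-Check 'SCOM agent' 'OK' 'HealthService is running' }
    else { New-Check 'SCOM agent' 'FAIL' 'HealthService not found or not running' }

    # (b) FPE 2010 installed. Discovery reads Uninstall\{GUID}; the GUID is not given in
    #     the article, so match on DisplayName instead (the pattern is an assumption).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $fpe = Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Forefront Protection*Exchange*' } |
        Select-Object -First 1
    if ($fpe) { New-Check 'FPE installed' 'OK' ('{0} {1}' -f $fpe.DisplayName, $fpe.DisplayVersion) }
    else { New-Check 'FPE installed' 'FAIL' 'No matching entry under Uninstall' }

    # (c) Execution policy. RemoteSigned satisfies the MP; looser settings also let
    #     unsigned downloaded scripts run, so they are flagged rather than passed.
    $policy = [string](Get-ExecutionPolicy)
    if ($policy -eq 'RemoteSigned') { New-Check 'Execution policy' 'OK' $policy }
    elseif ('Unrestricted', 'Bypass' -contains $policy) {
        New-Check 'Execution policy' 'WARN' "$policy is looser than the MP needs; RemoteSigned is enough"
    }
    else { New-Check 'Execution policy' 'FAIL' "$policy is more restrictive than RemoteSigned" }

    # ClusterStatus drives the services and CCR discoveries. The article does not say
    # whether it is a key or a value under APTA, so look for both.
    $apta = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA'
    $asValue = Get-ItemProperty -Path $apta -Name 'ClusterStatus' -ErrorAction SilentlyContinue
    if ($asValue) { New-Check 'ClusterStatus' 'INFO' "Value = $($asValue.ClusterStatus)" }
    elseif (Test-Path -Path "$apta\ClusterStatus") { New-Check 'ClusterStatus' 'INFO' 'Present as a key' }
    else { New-Check 'ClusterStatus' 'INFO' 'Not present' }

    # FPE services from the article's tables; it spells the mail pickup service two ways.
    $services = @{
        'Controller'  = @('FSCController')
        'Monitor'     = @('FSCMonitor')
        'Eventing'    = @('FSCEventing')
        'Mail pickup' = @('FSEMailPickup', 'FPEMailPickup')
    }
    foreach ($label in $services.Keys) {
        $svc = Get-Service -Name $services[$label] -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $svc) { New-Check "Service: $label" 'WARN' 'Not found on this server' }
        elseif ($svc.Status -ne 'Running') { New-Check "Service: $label" 'FAIL' "$($svc.Name) is $($svc.Status)" }
        else { New-Check "Service: $label" 'OK' "$($svc.Name) is running" }
    }
}

Test-FpeMpPrerequisite | Format-Table -AutoSize -Wrap
```

Get-ExecutionPolicy reports the effective policy of the session it runs in, so run the script in a context comparable to the one the agent uses on that server.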
Figure 8 depicts the folder structure for the common elements of the Forefront Protection Suite products and for Forefront Protection for Exchange Server. Alerts of all monitors in the FPE 2010 MP are located in the Alerts node under Forefront Protection for Exchange Server. Task Status, State information, and Scan Job Performance data are also located under this folder.
Figure 8: Folder structure of the FPE 2010 management pack
5. Configure Overrides
There is not much to manually configure in the FPE 2010 MP. Nevertheless, the management pack comes with performance rules disabled by default (Figure 9). Before you enable a performance rule, you should baseline the relevant performance counters and then apply the appropriate overrides to define and enable a suitable sampling frequency for your environment.
All rules are stored in the Authoring space of the Operations Manager 2007 console, in the Management Packs Objects node.
Figure 9: FPE 2010 MP Rules
There are three rules in the Forefront Protection 2010 for Exchange Server management pack that collect performance statistics data from managed FPE servers.
- Realtime Scan Performance: Reports the number of messages scanned, per second, by the FPE realtime scan.
- Scheduled Scan Performance: Reports the number of messages scanned, per second, by the FPE scheduled scan.
- Transport Scan Performance: Reports the number of messages scanned, per second, by the FPE transport scan.
To enable the Performance Rules, follow these steps:
- In the Operations Manager Operations Console, click the Authoring tab, expand Management Pack Objects and then select Rules. In the Look For box, enter FPE, and then click Find Now.
- Right-click any of the Scan Performance rules, select Overrides | Override the Rule | For all objects of class: FPE Transport Scan Job (Figure 10). If you want to define different override parameters for different servers, you might want to choose For a specific object of class: FPE Transport Scan Job.
Figure 10: Override the Rule: Transport Scan Performance
- In the Override Properties dialog box (Figure 11), select the Override column for the Enabled Parameter name, and then check that the Override Setting is set to True. Select any other overrides you might want to define, such as Frequency. Select a destination management pack and click OK.
Figure 11: Override Properties: Exchange 2007 Test UM Connectivity Remote Voice Collection
Working with Tasks
Tasks provide centralized control over the normal operations process and also provide a means to troubleshoot or correct problems identified through the OpsMgr 2007 Console.
These are the key functions included in the FPE 2010 MP tasks:
- Get Engine Versions — Retrieves the current engine versions of all scan engines on selected agent-managed systems. All the data for all the engines (not only version information) is returned.
- Restart FPE Services — Restarts all FPE services on selected agent-managed systems. In some environments, services might not restart with this task. This could happen if the task takes over five minutes to stop and restart all of the services.
- Update FPE Engines — Updates scan engines immediately on selected agent-managed systems. This task causes the FPE server to start updating engines. The task is considered successful if it triggers the update job. However, if this task is successful, it does not mean that the updates themselves were successful. To find out if the engines have been updated successfully, run the Get Engine Versions task and look at the UpdateStatus field for each engine in the Task Output section of the Task Status dialog box. If you closed the dialog box, the same information is available in the Monitoring space, in the Forefront Protection for Exchange Server / Task Status view. Select the most recent Get Engine Versions task in the Task Status pane and look at the UpdateStatus field for each engine in the Details pane.
In order to run a task, open the OpsMgr Operations Console, select the Monitoring space, and select the Forefront Protection for Exchange Server / State view. In the State pane, select the servers on which to run the task and then, in the Actions pane, the available tasks appear in the FPE Server Tasks section. Click a task in order to run it. Figure 12 depicts the Forefront related tasks.
Figure 12: Available tasks
Suppose you want to perform an immediate manual engine update on the mailbox server. You just have to click that task from the Operations Console and then click Run on the Run Task window (Figure 13). When the task finishes, a Task Status is displayed with some details from the operation (Figure 14). Figure 15 shows the output of the task Get Forefront Protection 2010 for Exchange Server Engines Version.
Figure 13: Update engines
Figure 14: Task Status
Figure 15: Task Status
Alerts
When something goes wrong with Forefront, like any other MP, the FPE 2010 MP will display alerts (Figure 16). For instance, if one of the anti-virus engines is out of date, there will be a corresponding alert (Figure 17), which also includes some Product Knowledge (Figure 18) with more details and suggested actions to resolve the alert.
Figure 16: Active Alerts
Figure 17: Alert Properties
Figure 18: Alert Knowledge
Figure 16 depicts only a small subset of the various types of problems that the Microsoft Forefront Server Protection Management Pack keeps track of. The following tables contain a full list of all the monitored potential problems.
Engines
| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| --- | --- | --- | --- |
| Antimalware Engines Update Enabled | The engines selected to be used for the scan jobs are those that are enabled for updating. | The engines selected to be used for the scan jobs are not all enabled for updating. | Not applicable. |
| Antimalware Engines Update Success Rate | All engines enabled for updating were successfully updated. | At least half of the engines enabled for updating were successfully updated. | Less than half of the engines enabled for updating were successfully updated. |
| Antimalware engines last update time | All engines enabled for updating were successfully updated within the last five days. | Some of the engines enabled for updating were not updated within the last five days. | None of the engines enabled for updating were updated within the last five days. |
| Last antispam definition update | Content filter definitions have been updated in the last hour. | Content filter definitions were last updated in the past 1-12 hours. | The last content filter definition update was over 12 hours ago. |
Table 3: Monitored Engines problems
Workload Integration
| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| --- | --- | --- | --- |
| Exchange Transport Hook State | The Microsoft Exchange Transport service is running and the Forefront agent is registered. | Not applicable. | The agent failed to register or is not enabled. This prevents the Microsoft Exchange Transport service from starting. |
| Forefront Agent State | The Microsoft Exchange Transport service is running and the Forefront agent is registered. | Not applicable. | The Microsoft Exchange Transport service is running, but the Forefront Agent is not registered. |
| VSAPI registration | The Microsoft Exchange Information Store is running and the Forefront VSAPI library is registered. | Not applicable. | The Microsoft Exchange Information Store is running, but the Forefront VSAPI library is not registered. |
Table 4: Monitored Workload Integration problems
Scan jobs
| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| --- | --- | --- | --- |
| Scan job enabled (for transport and realtime scans) | The scan job is enabled properly. | The scan job was disabled or bypassed. | |
| Scan engines have been initialized (for transport, realtime, and scheduled scans) | The engines selected for the scan job have been initialized. | Not applicable. | The selected scanning engines were not initialized with the scan job. |
| Scan filter engine loaded (for transport, realtime, and scheduled scans) | The engine that handles filtering loaded correctly. | Not applicable. | The engine that handles filtering did not load correctly. |
| Scan process state (for transport and realtime scans) | The scanning processes are running. | Some processes did not restart after a timeout or exception. | No scanning processes restarted after a timeout or exception. |
| Scheduled scan termination | The scheduled scan executed within the allowed time. | Not applicable. | The scheduled scan exceeded the allowed time limit. |
| Transport Scanning Deliverable State | All messages have been scanned and delivered. | Not applicable. | A message scan could not be completed. The message was placed in the Undeliverable Archive folder for further review. |
Table 5: Monitored Scan Jobs problems
Services
| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| --- | --- | --- | --- |
| FSCController service | The FSCController service is running. | Not applicable. | The FSCController service has stopped. |
| Eventing service | The Eventing service is running. | Not applicable. | The Eventing service has stopped. |
| FSEMailPickup service | The FSEMailPickup service is running. | Not applicable. | The FSEMailPickup service has stopped. |
| FSCMonitor service | The FSCMonitor service is running. | Not applicable. | The FSCMonitor service is inactive. |
Table 6: Monitored Services problems
Cluster servers
| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| --- | --- | --- | --- |
| CCR cluster engine replication | Engine replication across the CCR cluster succeeded. | Not applicable. | Engine replication across the CCR cluster failed. |
| CCR cluster file synchronization | File synchronization succeeded. | Not applicable. | File synchronization failed. |
| Active node lookup | FPE successfully found the active node. | Not applicable. | FPE could not find the active node. |
| Passive node transition | The transition to the passive state succeeded. | Not applicable. | An error occurred while transitioning to the passive state. |
| CCR cluster change notifications | The CCR replication service cluster state monitoring is able to receive cluster change notifications. | Cluster change notifications cannot be received. | Not applicable. |
Table 7: Monitored Cluster problems
License
| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| --- | --- | --- | --- |
| License state | The Forefront Protection 2010 for Exchange Server is licensed. | The Forefront Protection 2010 for Exchange Server license will expire soon. | The Forefront Protection 2010 for Exchange Server license has expired. |
Table 8: Monitored License problems
Conclusion
If you want to know first-hand whether any of your Exchange servers is failing to update its anti-malware engines, or whether e-mail messages are not being scanned, the Forefront Server Protection for Exchange Management Pack for SCOM is a powerful tool for tracking an entire deployment of FPE.
Related Links
- Forefront Protection 2010 for Exchange Server Management Pack for System Center Operations Manager 2007
- Forefront Protection 2010 for Exchange Server Management pack for Microsoft System Center Operations Manager 2007 – Technical Library
- System Center Operations Manager 2007 R2 – Technical Library
- Exchange Server 2010 Monitoring Management Pack
- System Center Operations Manager Management Pack Catalog