Monitoring Forefront Protection 2010 for Exchange with Operations Manager 2007 R2

Introduction

 

In my previous article, Monitoring Exchange 2010 with OpsMgr 2007 R2, I mentioned a set of recommended additional management packs, in which the Forefront Protection 2010 for Exchange Server Management Pack (FPE 2010 MP) was included. Monitoring Exchange servers is not only about the specific Exchange services, but is also about managing a vast subset of additional services and applications that are critical to a healthy messaging system.

 

One of those services is, of course, anti-malware, so any messaging admin must guarantee the health of the anti-malware ecosystem. If you are using Forefront Protection for Exchange (FPE) with System Center Operations Manager as the monitoring infrastructure, there is a specific management pack that automates and centralizes the management of the systems that have FPE installed.

 

FPE 2010 MP provides support for monitoring the “health” of your systems, informing you when they are running smoothly and when there are problems.

 

The FPE 2010 MP contains rules for:

 

 

  • Monitoring the state of FPE and its key features.
  • Collecting statistical data about file scanning performance for each scan job (realtime and scheduled).

 

The following tables provide an overview of the FPE 2010 MP monitoring functionality that is enabled through Operations Manager 2007:

 

DISCOVERIES

| Discovery | Description | Method |
| FPE Server Discovery | Discovers whether FPE 2010 is installed on the managed server | Checks the registry key path HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID} |
| FPE Services Discovery | Discovers the FPE services | FPE services are discovered only if Exchange is not in CCR passive mode, determined by checking the registry key HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA\ClusterStatus |
| FPE CCR Cluster Discovery | Discovers whether Exchange is in CCR cluster mode | Checks the registry key HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA\ClusterStatus |

CLASSES

| Class | Purpose | Notes |
| FPE Server | Health monitor for the whole FPE server | |
| FPE Licensing | Health monitor for license status | |
| FPE Scan Engines | Health monitor for FPE scan engines | Includes antispam engines and antimalware engines. |
| FPE Antimalware Engines | Health monitor for antimalware engines | |
| FPE Antispam Engines | Health monitor for antispam engines | |
| FPE Services | Health monitor for all FPE services | Includes controller service, monitor service, mail pickup service, eventing service, and Exchange hook. |
| FPE Controller Service | Health monitor for the FSCController service | |
| FPE Monitor Service | Health monitor for the FSCMonitor service | |
| FPE Mail Pickup Service | Health monitor for the FPEMailPickup service | |
| FPE Eventing Service | Health monitor for the FSCEventing service | |
| FPE Workload Integration | Health monitor for integration with Exchange | |
| FPE CCR Cluster | Health monitor for FPE on Exchange CCR | |
| FPE Scan Jobs | Health monitor for FPE scan jobs | Includes realtime scan jobs and scheduled scan jobs. |
| FPE Realtime Scan Jobs | Health monitor for the FPE realtime scan job | |
| FPE Scheduled Scan Jobs | Health monitor for the FPE scheduled scan job | |
| FPE Transport Scan Job | Health monitor for FPE transport scan jobs | |

Table 1: FPE 2010 MP monitoring functionalities

 

Solution Topology

 

For the purpose of writing this article, I installed the following environment on my test lab:

 


Figure 1: Solution topology used in this article

 

All the machines (virtualized on Hyper-V) are 64-bit, since this architecture is fully supported by OpsMgr 2007 R2.

 

| Server Name | Role | Software |
| OPSMGR2K7-R2 | Root Management Server | Windows Server 2008 R2 SP1; SQL Server 2008 SP2; System Center Operations Manager 2007 R2 + CU5* |
| E2K10 | Domain Controller; Mailbox Server; CAS Server; HUB Transport Server; Unified Messaging | Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3**; Forefront Protection for Exchange 2010 + HR3*** |
| E2K10-MBX2 | Mailbox Server | Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3; Forefront Protection for Exchange 2010 + HR3 |
| E2K10-EDGE | Edge Server | Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3; Forefront Protection for Exchange 2010 + HR3 |

*CU5 = Cumulative Update 5
**RU3 = Rollup Update 3
***HR3 = Hotfix Rollup 3

Table 2: List of servers

 

Installation and Configuration Procedures

 

This article covers 5 steps to install and fully configure the FPE 2010 MP for the environment described above:

  1. Ensure that all the necessary requirements are met.
  2. Create a new management pack in which to store overrides and other customizations.
  3. Download, install and import the management pack.
  4. Add the Exchange servers with FPE as agent managed computers.
  5. Override the parameters of the performance rules if you require performance monitoring.

 

1.    FPE 2010 MP Prerequisites

 

Before importing the FPE 2010 MP for Operations Manager 2007, ensure that you meet all the requirements:

 

 

  • Ensure that the managed Exchange 2010 servers with FPE installed have the PowerShell execution policy set to at least “RemoteSigned”. This can easily be checked by running the PowerShell cmdlet Get-ExecutionPolicy, as depicted in Figure 2.

 


Figure 2: Get-ExecutionPolicy

 

 

  • If you have installed a previous version of either the FPSP management pack or the FPE management pack (version 11.1.0269.0 or lower), you need to remove it before installing this management pack.

 

2.    Create a new management pack for customizations

 

The customizations and overrides of sealed management packs, such as the FPE 2010 MP, are usually saved in the default management pack. As a best practice you should create and use a separate management pack for that purpose. Creating a new management pack for storing overrides has the following advantages:

 

 

  • It simplifies the process of exporting customizations that were created in your test and pre-production environments to your production environment.
  • It allows you to delete the original management pack without first needing to delete the default management pack.
  • It is easier to track and update customizations to individual management packs.

 

 

  1. In the Operations Console, click the Administration button. In the Administration pane, right-click Management Packs and then click Create Management Pack. The Create a Management Pack wizard displays.
  2. In the General Properties page (Figure 3), type a name for the management pack in Name, the correct version number in Version, and a short description in Description. Click Next and then Create.

 


Figure 3: Creating a Custom MP for customizations

 

3.    Install the Forefront Protection 2010 for Exchange Server MP

 

Download the Forefront Protection 2010 for Exchange Server Management Pack for System Center Operations Manager 2007 (version 11.1.301.0 was used in this article). You can find the latest Management Packs at the System Center Operations Manager 2007 Catalog.

 

Once you download the Forefront Protection MP, double click the .msi file in order to install it. The installation is a very simple process that just extracts the required Management Pack files to the folder you chose (Figure 4).

 


Figure 4: FPE 2010 MP installation

 

If you peek at the newly created folder, you’ll notice 3 files: a licensing supplemental notice (EULA) and the two required management pack files:

 

 

  • Microsoft.ForefrontProtection.Library.mp (Microsoft Forefront Server Protection 2010 Core Library) – This management pack is the core library for all versions of Forefront Protection Server. It defines all base classes and relationships.
  • Microsoft.ForefrontProtection.FPE.mp (Microsoft Forefront Protection 2010 for Exchange Server Management Pack) – This management pack provides monitoring capabilities for Microsoft Forefront Protection 2010 for Exchange.

 

 

  1. To import the FPE 2010 MP, open the OpsMgr 2007 Operations Console. Click the Administration tab, right-click the Management Packs node and then click Import Management Packs.
  2. Click Add, Add from disk and then click No on the Online Catalog Connection window. Select all the files from the FPE 2010 MP directory, by default C:\Program Files (x86)\System Center Management Packs\FPE 2010 MP for SCOM 2007 (Figure 5), click Open and then click the Install button (Figure 6).
  3. After the import process is complete and the dialog box displays an icon next to each Management Pack that indicates success of the importation, click the Close button.

 


Figure 5: Select Management Packs to import

 


Figure 6: Import Management Packs

 

4.    Add the Exchange servers with Forefront as agent managed computers

 

If you are using the Exchange Server 2010 MP, chances are that the servers that run FPE are already configured as agent managed computers. In case they aren’t, follow the procedures described in my previous article, Monitoring Exchange 2010 with OpsMgr 2007 R2, to add them.

 

As soon as the machines are configured as agent managed computers, the OpsMgr auto discovery process will identify them as Forefront servers. Figure 7 depicts the State View of the 3 Exchange Servers that are running FPE (there are 4 servers listed, because one of them is the Exchange DAG).

 


Figure 7: State View

 

Note:
If no FPE servers are discovered after the management pack import, check the following:

  1. Make sure that:
     a. The SCOM agent has been deployed to the FPE servers.
     b. The FPE version on the managed server is 2010.
     c. The PowerShell execution policy on the managed FPE server is set to at least “RemoteSigned”.
  2. The MP discovers FPE servers every 4 hours. You can override the frequency and set a shorter interval if you need the management pack to respond more quickly to changes on the FPE servers, or configure a longer interval to reduce the performance impact on FPE and Exchange.
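The checks in the note above, as an added PowerShell example that is not part of the original article: it assumes the OpsMgr agent runs as the HealthService service, matches FPE by its DisplayName under the Uninstall keys (the article does not give the product GUID the MP itself checks), and reads ClusterStatus as a value under the APTA key from the discovery table.

```powershell
# Added example (not from the article or the management pack): runs, on the local
# Exchange server, the three checks from the "no FPE servers discovered" note and
# reads the CCR ClusterStatus key that FPE Services Discovery depends on.
# Assumptions: the OpsMgr 2007 agent runs as the "HealthService" service; FPE is
# matched by DisplayName under the Uninstall keys (the product GUID the MP checks
# is not given in the article); ClusterStatus is a value under the APTA key.

function Test-FpeDiscoveryPrerequisite {
    $results = @()

    # 1. SCOM agent deployed and running.
    $agent = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $agentOk = ($agent -ne $null) -and ($agent.Status -eq 'Running')
    if ($agent) { $agentDetail = "HealthService is $($agent.Status)" }
    else        { $agentDetail = 'HealthService not installed' }
    $results += New-Object PSObject -Property @{
        Check = 'SCOM agent deployed'; Passed = $agentOk; Detail = $agentDetail }

    # 2. FPE 2010 installed (DisplayName/DisplayVersion read from the Uninstall keys).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    $fpe = $uninstallKeys | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ } |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like '*Forefront Protection*Exchange*' } |
        Select-Object -First 1
    $fpeOk = ($fpe -ne $null) -and ($fpe.DisplayName -like '*2010*')
    if ($fpe) { $fpeDetail = "$($fpe.DisplayName) $($fpe.DisplayVersion)" }
    else      { $fpeDetail = 'no Forefront Protection for Exchange entry found' }
    $results += New-Object PSObject -Property @{
        Check = 'FPE version is 2010'; Passed = $fpeOk; Detail = $fpeDetail }

    # 3. Execution policy at least RemoteSigned. Ranked from most to least restrictive;
    #    AllSigned is stricter than RemoteSigned and therefore does not satisfy the MP.
    $rank = @{ Undefined = 0; Restricted = 0; AllSigned = 1; RemoteSigned = 2
               Unrestricted = 3; Bypass = 4 }
    $policy = (Get-ExecutionPolicy).ToString()
    $results += New-Object PSObject -Property @{
        Check  = 'Execution policy >= RemoteSigned'
        Passed = ($rank[$policy] -ge $rank['RemoteSigned'])
        Detail = "Get-ExecutionPolicy returned $policy" }

    # 4. CCR state: FPE services are only discovered when the node is not CCR passive.
    $apta = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA'
    $cluster = Get-ItemProperty -Path $apta -Name ClusterStatus -ErrorAction SilentlyContinue
    if ($cluster) { $clusterDetail = "ClusterStatus = $($cluster.ClusterStatus)" }
    else          { $clusterDetail = 'ClusterStatus value not present' }
    $results += New-Object PSObject -Property @{
        Check = 'CCR ClusterStatus (informational)'; Passed = $true; Detail = $clusterDetail }

    return $results
}

Test-FpeDiscoveryPrerequisite | Format-Table Check, Passed, Detail -AutoSize
```

Run it in an elevated PowerShell session on each managed Exchange server; a False in the Passed column points at the prerequisite that blocks discovery.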

 

Figure 8 depicts the folder structure for the common elements of the Forefront Protection Suite products and for Forefront Protection for Exchange Server. Alerts of all monitors in the FPE 2010 MP are located in the Alerts node under Forefront Protection for Exchange Server. Task Status, State information, and Scan Job Performance data are also located under this folder.

 


Figure 8: Folder structure of the FPE 2010 management pack

 

5.    Configure Overrides

 

There is not much to manually configure in the FPE 2010 MP. Nevertheless, the management pack comes with performance rules disabled by default (Figure 9). Before you enable a performance rule, you should baseline the relevant performance counters and then apply the appropriate overrides to define and enable a suitable sampling frequency for your environment.

 

All rules are stored in the Authoring space of the Operations Manager 2007 console, in the Management Packs Objects node.

 


Figure 9: FPE 2010 MP Rules

 

There are three rules in the Forefront Protection 2010 for Exchange Server management pack that collect performance statistics data from managed FPE servers.

 

 

  • Realtime Scan Performance: Reports the number of messages scanned, per second, by the FPE realtime scan.
  • Scheduled Scan Performance: Reports the number of messages scanned, per second, by the FPE scheduled scan.
  • Transport Scan Performance: Reports the number of messages scanned, per second, by the FPE transport scan.

 

To enable the Performance Rules, follow these steps:

 

 

  1. In the Operations Manager Operations Console, click the Authoring tab, expand Management Pack Objects and then select Rules. In the Look For box, enter FPE, and then click Find Now.
  2. Right-click any of the Scan Performance rules, select Overrides | Override the Rule | For all objects of class: FPE Transport Scan Job (Figure 10). If you want to define different override parameters for different servers, you might want to choose For a specific object of class: FPE Transport Scan Job instead.

 


Figure 10: Override the Rule: Transport Scan Performance

 

 

  3. In the Override Properties dialog box (Figure 11), select the Override column for the Enabled parameter name, and then check that the Override Setting is set to True. Select any other overrides you might want to define, such as Frequency. Select a destination management pack and click OK.

 


Figure 11: Override Properties: Exchange 2007 Test UM Connectivity Remote Voice Collection

 

Working with Tasks

 

Tasks provide centralized control over the normal operations process and also provide a means to troubleshoot or correct problems identified through the OpsMgr 2007 Console.

 

These are the key functions included in the FPE 2010 MP tasks:

 

 

  • Get Engine Versions — Retrieves the current engine versions of all scan engines on selected agent-managed systems. All the data for all the engines (not only version information) is returned.
  • Restart FPE Services — Restarts all FPE services on selected agent-managed systems. On some environments, services might not restart with this task. This could happen if the task takes over five minutes to stop and restart all of the services.
  • Update FPE Engines — Updates scan engines immediately on selected agent-managed systems. This task causes the FPE server to start updating engines. The task is considered successful if it triggers the update job. However, if this task is successful, it does not mean that the updates themselves were successful. To find out if the engines have been updated successfully, run the Get Engine Versions task and look at the UpdateStatus field for each engine in the Task Output section of the Task Status dialog box. If you closed the dialog box, the same information is available in the Monitoring space, in the Forefront Protection for Exchange Server / Task Status view. Select the most recent Get Engine Versions task in the Task Status pane and look at the UpdateStatus field for each engine in the Details pane.

 

In order to run a task, open the OpsMgr Operations Console, select the Monitoring space, and select the Forefront Protection for Exchange Server / State view. In the State pane, select the servers on which to run the task and then, in the Actions pane, the available tasks appear in the FPE Server Tasks section. Click a task in order to run it. Figure 12 depicts the Forefront related tasks.

 


Figure 12: Available tasks

 

Suppose you want to perform an immediate manual engine update on the mailbox server. You just have to click that task in the Operations Console and then click Run in the Run Task window (Figure 13). When the task finishes, a Task Status is displayed with some details of the operation (Figure 14). Figure 15 shows the output of the task Get Forefront Protection 2010 for Exchange Server Engines Version.

 


Figure 13: Update engines

 


Figure 14: Task Status

 


Figure 15: Task Status

 

Alerts

 

When something goes wrong with Forefront, the FPE 2010 MP, like any other MP, displays alerts (Figure 16). For instance, if one of the anti-virus engines is out of date, there will be a corresponding alert (Figure 17), which also includes some Product Knowledge (Figure 18) with more details and suggested actions to resolve the alert.

 


Figure 16: Active Alerts

 


Figure 17: Alert Properties

 


Figure 18: Alert Knowledge

 

Figure 16 depicts only a small subset of the various types of problems that the Microsoft Forefront Server Protection Management Pack keeps track of. The following tables contain a full list of all the monitored potential problems.

 

Engines

| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| Antimalware Engines Update Enabled | The engines selected to be used for the scan jobs are those that are enabled for updating. | The engines selected to be used for the scan jobs are not all enabled for updating. | Not applicable. |
| Antimalware Engines Update Success Rate | All engines enabled for updating were successfully updated. | At least half of the engines enabled for updating were successfully updated. | Less than half of the engines enabled for updating were successfully updated. |
| Antimalware engines last update time | All engines enabled for updating were successfully updated within the last five days. | Some of the engines enabled for updating were not updated within the last five days. | None of the engines enabled for updating were updated within the last five days. |
| Last antispam definition update | Content filter definitions have been updated in the last hour. | Content filter definitions were last updated in the past 1-12 hours. | The last content filter definition update was over 12 hours ago. |

Table 3: Monitored Engines problems
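The thresholds in Table 3, carried through as an added PowerShell example that is not part of the original article or the management pack: the engine property names and the sample engine data are assumptions constructed for this example.

```powershell
# Added example (not from the article or the management pack): re-creates the four
# monitors of Table 3 over a constructed engine list, so the green/yellow/red
# thresholds can be compared with what the MP reports. Engine property names and
# the sample values are assumptions constructed for this example.

function Get-FpeEngineHealth {
    param(
        # Each engine: Name, SelectedForScan, UpdateEnabled, LastUpdateSucceeded, LastUpdateTime
        [Parameter(Mandatory = $true)] [object[]] $Engine,
        [Parameter(Mandatory = $true)] [datetime] $ContentFilterLastUpdate,
        [datetime] $Now = (Get-Date)
    )
    $selected  = @($Engine | Where-Object { $_.SelectedForScan })
    $updatable = @($Engine | Where-Object { $_.UpdateEnabled })

    # Antimalware Engines Update Enabled: every engine a scan job uses must also be
    # enabled for updating; otherwise Warning (this monitor has no Error state).
    $notUpdating = @($selected | Where-Object { -not $_.UpdateEnabled }).Count
    if ($notUpdating -eq 0) { $updateEnabled = 'Success' } else { $updateEnabled = 'Warning' }

    # Antimalware Engines Update Success Rate: all / at least half / less than half.
    $succeeded = @($updatable | Where-Object { $_.LastUpdateSucceeded }).Count
    if ($succeeded -eq $updatable.Count)         { $successRate = 'Success' }
    elseif ($succeeded * 2 -ge $updatable.Count) { $successRate = 'Warning' }
    else                                         { $successRate = 'Error' }

    # Antimalware engines last update time: a successful update within the last five days.
    $fresh = @($updatable | Where-Object {
        $_.LastUpdateSucceeded -and $_.LastUpdateTime -ne $null -and
        ($Now - $_.LastUpdateTime).TotalDays -le 5 }).Count
    if ($fresh -eq $updatable.Count) { $lastUpdate = 'Success' }
    elseif ($fresh -gt 0)            { $lastUpdate = 'Warning' }
    else                             { $lastUpdate = 'Error' }

    # Last antispam definition update: within 1 hour / 1-12 hours / over 12 hours ago.
    $ageHours = ($Now - $ContentFilterLastUpdate).TotalHours
    if ($ageHours -le 1)      { $antispam = 'Success' }
    elseif ($ageHours -le 12) { $antispam = 'Warning' }
    else                      { $antispam = 'Error' }

    New-Object PSObject -Property @{
        'Antimalware Engines Update Enabled'      = $updateEnabled
        'Antimalware Engines Update Success Rate' = $successRate
        'Antimalware engines last update time'    = $lastUpdate
        'Last antispam definition update'         = $antispam
    }
}

# Constructed sample: four engines on one FPE server, evaluated at a fixed point in time.
$now = [datetime]'2011-06-01 12:00'
function New-SampleEngine($Name, $Selected, $Enabled, $Succeeded, $LastUpdate) {
    New-Object PSObject -Property @{ Name = $Name; SelectedForScan = $Selected
        UpdateEnabled = $Enabled; LastUpdateSucceeded = $Succeeded; LastUpdateTime = $LastUpdate }
}
$engines = @(
    (New-SampleEngine 'EngineA' $true  $true  $true  $now.AddDays(-1)),
    (New-SampleEngine 'EngineB' $true  $true  $true  $now.AddDays(-2)),
    (New-SampleEngine 'EngineC' $true  $true  $false $now.AddDays(-8)),   # last update failed
    (New-SampleEngine 'EngineD' $false $false $false $null)               # not used, not updated
)
Get-FpeEngineHealth -Engine $engines -ContentFilterLastUpdate $now.AddHours(-5) -Now $now
```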

 

Workload Integration

| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| Exchange Transport Hook State | The Microsoft Exchange Transport service is running and the Forefront agent is registered. | Not applicable. | The agent failed to register or is not enabled. This prevents the Microsoft Exchange Transport service from starting. |
| Forefront Agent State | The Microsoft Exchange Transport service is running and the Forefront agent is registered. | Not applicable. | The Microsoft Exchange Transport service is running, but the Forefront agent is not registered. |
| VSAPI registration | The Microsoft Exchange Information Store is running and the Forefront VSAPI library is registered. | Not applicable. | The Microsoft Exchange Information Store is running, but the Forefront VSAPI library is not registered. |

Table 4: Monitored Workload Integration problems

 

Scan jobs

| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| Scan job enabled (for transport and realtime scans) | The scan job is enabled properly. | The scan job was disabled or bypassed. | |
| Scan engines have been initialized (for transport, realtime, and scheduled scans) | The engines selected for the scan job have been initialized. | Not applicable. | The selected scanning engines were not initialized with the scan job. |
| Scan filter engine loaded (for transport, realtime, and scheduled scans) | The engine that handles filtering loaded correctly. | Not applicable. | The engine that handles filtering did not load correctly. |
| Scan process state (for transport and realtime scans) | The scanning processes are running. | Some processes did not restart after a timeout or exception. | No scanning processes restarted after a timeout or exception. |
| Scheduled scan termination | The scheduled scan executed within the allowed time. | Not applicable. | The scheduled scan exceeded the allowed time limit. |
| Transport Scanning Deliverable State | All messages have been scanned and delivered. | Not applicable. | A message scan could not be completed. The message was placed in the Undeliverable Archive folder for further review. |

Table 5: Monitored Scan Jobs problems

 

Services

| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| FSCController service | The FSCController service is running. | Not applicable. | The FSCController service has stopped. |
| Eventing service | The Eventing service is running. | Not applicable. | The Eventing service has stopped. |
| FSEMailPickup service | The FSEMailPickup service is running. | Not applicable. | The FSEMailPickup service has stopped. |
| FSCMonitor service | The FSCMonitor service is running. | Not applicable. | The FSCMonitor service is inactive. |

Table 6: Monitored Services problems

 

Cluster servers

| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| CCR cluster engine replication | Engine replication across the CCR cluster succeeded. | Not applicable. | Engine replication across the CCR cluster failed. |
| CCR cluster file synchronization | File synchronization succeeded. | Not applicable. | File synchronization failed. |
| Active node lookup | FPE successfully found the active node. | Not applicable. | FPE could not find the active node. |
| Passive node transition | The transition to the passive state succeeded. | Not applicable. | An error occurred while transitioning to the passive state. |
| CCR cluster change notifications | The CCR replication service cluster state monitoring is able to receive cluster change notifications. | Cluster change notifications cannot be received. | Not applicable. |

Table 7: Monitored Cluster problems

 

License

| Monitored Event | Success (green) | Warning (yellow) | Error (red) |
| License state | The Forefront Protection 2010 for Exchange Server is licensed. | The Forefront Protection 2010 for Exchange Server license will expire soon. | The Forefront Protection 2010 for Exchange Server license has expired. |

Table 8: Monitored License problems

 

Conclusion

 

If you want to know first-hand whether any of your Exchange servers is not updating its anti-malware engines correctly, or whether e-mail messages are not being scanned, the Forefront Server Protection for Exchange Management Pack for SCOM is a powerful tool for tracking an entire deployment of FPE.

 
