Monitoring Forefront Protection 2010 for Exchange with Operations Manager 2007 R2

Introduction

In my previous article, Monitoring Exchange 2010 with OpsMgr 2007 R2, I mentioned a set of recommended additional management packs, in which the Forefront Protection 2010 for Exchange Server Management Pack (FPE 2010 MP) was included. Monitoring Exchange servers is not only about the specific Exchange services, but is also about managing a vast subset of additional services and applications that are critical to a healthy messaging system.

One of those services is, of course, anti-malware, so any Messaging Admin must guarantee the health of the anti-malware ecosystem. In case one is using Forefront Protection for Exchange (FPE) and System Center Operations Manager as the monitoring infrastructure, there is a specific management pack that greatly automates and helps the centralized management of systems with FPE installed.

FPE 2010 MP provides support for monitoring the "health" of your systems, informing you when they are running smoothly and when there are problems.

The FPE 2010 MP contains rules for:

  • Monitoring the state of FPE and its key features.
  • Collecting statistical data about file scanning performance for each scan job (realtime and scheduled).

The following tables provide an overview of the FPE 2010 MP monitoring functionality that is enabled through Operations Manager 2007:

DISCOVERIES

  FPE Server Discovery
    Description: Discovers whether FPE 2010 is installed on the managed server.
    Method: Checks the registry key path HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}.

  FPE Services Discovery
    Description: Discovers the FPE services.
    Method: FPE services are discovered only if Exchange is not in CCR passive mode, which is determined by checking the registry key HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA\ClusterStatus.

  FPE CCR Cluster Discovery
    Description: Discovers whether Exchange is in CCR cluster mode.
    Method: Checks the registry key HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA\ClusterStatus.

CLASSES

  FPE Server
    Purpose: Health monitor for the whole FPE server.

  FPE Licensing
    Purpose: Health monitor for license status.

  FPE Scan Engines
    Purpose: Health monitor for FPE scan engines.
    Notes: Includes antispam engines and antimalware engines.

  FPE Antimalware Engines
    Purpose: Health monitor for antimalware engines.

  FPE Antispam Engines
    Purpose: Health monitor for antispam engines.

  FPE Services
    Purpose: Health monitor for all FPE services.
    Notes: Includes controller service, monitor service, mail pickup service, eventing service, and Exchange hook.

  FPE Controller Service
    Purpose: Health monitor for the FSCController service.

  FPE Monitor Service
    Purpose: Health monitor for the FSCMonitor service.

  FPE Mail Pickup Service
    Purpose: Health monitor for the FPEMailPickup service.

  FPE Eventing Service
    Purpose: Health monitor for the FSCEventing service.

  FPE Workload Integration
    Purpose: Health monitor for integration with Exchange.

  FPE CCR Cluster
    Purpose: Health monitor for FPE on Exchange CCR.

  FPE Scan Jobs
    Purpose: Health monitor for FPE scan jobs.
    Notes: Includes realtime scan jobs and scheduled scan jobs.

  FPE Realtime Scan Jobs
    Purpose: Health monitor for the FPE realtime scan job.

  FPE Scheduled Scan Jobs
    Purpose: Health monitor for the FPE scheduled scan job.

  FPE Transport Scan Job
    Purpose: Health monitor for FPE transport scan jobs.

Table 1: FPE 2010 MP monitoring functionalities

Solution Topology

For the purpose of writing this article, I installed the following environment on my test lab:


Figure 1: Solution topology used in this article

All the machines (virtualized on Hyper-V) are 64-bit, since this architecture is fully supported by OpsMgr 2007 R2.

  OPSMGR2K7-R2
    Role: Root Management Server
    Software: Windows Server 2008 R2 SP1; SQL Server 2008 SP2; System Center Operations Manager 2007 R2 + CU5*

  E2K10
    Role: Domain Controller; Mailbox Server; CAS Server; HUB Transport Server; Unified Messaging
    Software: Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3**; Forefront Protection for Exchange 2010 + HR3***

  E2K10-MBX2
    Role: Mailbox Server
    Software: Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3; Forefront Protection for Exchange 2010 + HR3

  E2K10-EDGE
    Role: Edge Server
    Software: Windows Server 2008 R2 SP1; Exchange Server 2010 SP1 + RU3; Forefront Protection for Exchange 2010 + HR3

*CU5 = Cumulative Update 5

**RU3 = Rollup Update 3

***HR3 = Hotfix Rollup 3

Table 2: List of servers

Installation and Configuration Procedures

This article covers 5 steps to install and fully configure the FPE 2010 MP for the environment described above:

  1. Ensure that all the necessary requirements are met.

  2. Create a new management pack in which you store overrides and other customizations.

  3. Download, install and import the management pack.

  4. Add the Exchange servers with FPE as agent managed computers.

  5. Override the parameters of the performance rules if you require performance monitoring.

1.    FPE 2010 MP Prerequisites

Before importing the FPE 2010 MP for Operations Manager 2007, ensure that you meet all the requirements:

  • Ensure the managed Exchange 2010 servers with FPE installed have the PowerShell execution policy set to at least "RemoteSigned". This can easily be checked by running the PowerShell cmdlet Get-ExecutionPolicy, as depicted in Figure 2.


Figure 2: Get-ExecutionPolicy

  • If you have installed a previous version of either the FPSP management pack or the FPE management pack (version 11.1.0269.0 or lower), you need to remove it before installing this management pack.

2.    Create a new management pack for customizations

The customizations and overrides of sealed management packs, such as the FPE 2010 MP, are usually saved in the default management pack. As a best practice you should create and use a separate management pack for that purpose. Creating a new management pack for storing overrides has the following advantages:

  • It simplifies the process of exporting customizations that were created in your test and pre-production environments to your production environment.
  • It allows you to delete the original management pack without first needing to delete the default management pack.
  • It is easier to track and update customizations to individual management packs.

  1. In the Operations Console, click the Administration button. In the Administration pane, right-click Management Packs and then click Create Management Pack. The Create a Management Pack wizard displays.
  2. In the General Properties page (Figure 3), type a name for the management pack in Name, the correct version number in Version, and a short description in Description. Click Next and then Create.


Figure 3: Creating a Custom MP for customizations

3.    Install the Forefront Protection 2010 for Exchange Server MP

Download the Forefront Protection 2010 for Exchange Server Management Pack for System Center Operations Manager 2007 (version 11.1.301.0 was used in this article). You can find the latest Management Packs at the System Center Operations Manager 2007 Catalog.

Once you download the Forefront Protection MP, double click the .msi file in order to install it. The installation is a very simple process that just extracts the required Management Pack files to the folder you chose (Figure 4).


Figure 4: FPE 2010 MP installation

If you peek at the newly created folder, you’ll notice 3 files: 1 licensing supplemental notice (EULA) and the 2 required management pack files:

  • Microsoft.ForefrontProtection.Library.mp (Microsoft Forefront Server Protection 2010 Core Library) - This management pack is the core library for all versions of Forefront Protection Server. It defines all base classes and relationships.
  • Microsoft.ForefrontProtection.FPE.mp (Microsoft Forefront Protection 2010 for Exchange Server Management Pack) - This management pack provides monitoring capabilities for Microsoft Forefront Protection 2010 for Exchange.

  1. To import the FPE 2010 MP, open the OpsMgr 2007 Operations Console. Click the Administration tab, right-click the Management Packs node and then click Import Management Packs.
  2. Click Add, Add from disk and then click No on the Online Catalog Connection window. Select all the files from the FPE 2010 MP directory, by default C:\Program Files (x86)\System Center Management Packs\FPE 2010 MP for SCOM 2007 (Figure 5), click Open and then click the Install button (Figure 6).
  3. After the import process is complete and the dialog box displays an icon next to each Management Pack that indicates success of the importation, click the Close button.


Figure 5: Select Management Packs to import


Figure 6: Import Management Packs

4.    Add the Exchange servers with Forefront as agent managed computers

If you are using the Exchange Server 2010 MP, chances are that the servers that run FPE are already configured as agent managed computers. In case they aren’t, follow the procedures described in my previous article, Monitoring Exchange 2010 with OpsMgr 2007 R2, to add them.

As soon as the machines are configured as agent managed computers, the OpsMgr auto discovery process will identify them as Forefront servers. Figure 7 depicts the State View of the 3 Exchange Servers that are running FPE (there are 4 servers listed, because one of them is the Exchange DAG).


Figure 7: State View

Note:
If no FPE servers are discovered after the management pack importation, follow these steps:

  1. Please make sure:
    a.     The SCOM agent has been deployed to FPE servers.
    b.     The FPE version on managed server is 2010.
    c.     The PowerShell Execution Policy level on the managed FPE server is set at least to “RemoteSigned”.
  2. The MP will discover FPE servers every 4 hours. You can choose to override the frequency and set a shorter time interval if you need the management pack to have a quicker response to changes of FPE servers or you can configure a longer frequency to decrease the performance impact to FPE and Exchange.
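The prerequisites and the discovery methods listed in Table 1 can be verified locally on a server that fails to appear in the State view. The following script is an added example, not the management pack's own code; it assumes the Uninstall entry can be matched on DisplayName (the article does not give the product GUID) and uses the service names as they appear in the article's tables.

```powershell
# Added example, not the management pack's own code: reproduces on one FPE
# server the conditions the FPE 2010 MP discovery depends on (execution
# policy, Uninstall entry, APTA\ClusterStatus, FPE services), so a server
# missing from the State view can be checked locally. Assumptions: the
# Uninstall entry is matched on DisplayName because the article does not
# give the product GUID; service names are those used in the article.
function Test-FpeDiscoveryPrerequisites {
    $results = @()

    # 1. Effective execution policy must be RemoteSigned or less restrictive.
    $policy = Get-ExecutionPolicy
    $results += New-Object PSObject -Property @{
        Check  = 'Execution policy at least RemoteSigned'
        Passed = (@('RemoteSigned', 'Unrestricted', 'Bypass') -contains "$policy")
        Detail = "Effective policy: $policy"
    }

    # 2. FPE Server Discovery reads ...\Uninstall\{GUID}; without the GUID we
    #    scan both the 64-bit and the Wow6432Node Uninstall keys for the product name.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    $fpe = $roots | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ | ForEach-Object { Get-ItemProperty $_.PSPath } } |
        Where-Object { $_.DisplayName -like '*Forefront Protection 2010 for Exchange*' } |
        Select-Object -First 1
    $detail = 'No matching Uninstall entry'
    if ($fpe) { $detail = "$($fpe.DisplayName) $($fpe.DisplayVersion)" }
    $results += New-Object PSObject -Property @{
        Check  = 'FPE 2010 installed (Uninstall entry)'
        Passed = ($fpe -ne $null)
        Detail = $detail
    }

    # 3. FPE CCR Cluster Discovery and FPE Services Discovery both read the
    #    ClusterStatus value; services are not discovered on a CCR passive node.
    $apta = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\APTA'
    $status = $null
    if (Test-Path $apta) { $status = (Get-ItemProperty -Path $apta).ClusterStatus }
    $results += New-Object PSObject -Property @{
        Check  = 'APTA\ClusterStatus value present'
        Passed = ($status -ne $null)
        Detail = "ClusterStatus = $status"
    }

    # 4. Services the MP monitors (names from the article's class list and Table 6);
    #    a missing service means the name differs on this build or FPE is not installed.
    foreach ($name in @('FSCController', 'FSCMonitor', 'FSEMailPickup', 'FSCEventing')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $detail = 'service not found'
        if ($svc) { $detail = "Status: $($svc.Status)" }
        $results += New-Object PSObject -Property @{
            Check  = "Service $name running"
            Passed = ($svc -ne $null -and $svc.Status -eq 'Running')
            Detail = $detail
        }
    }
    return $results
}

Test-FpeDiscoveryPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```

Run it in an elevated PowerShell session on the FPE server itself; a failed row points at the prerequisite or discovery condition that keeps the server out of the State view.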

Figure 8 depicts the folder structure for the common elements of the Forefront Protection Suite products and for Forefront Protection for Exchange Server. Alerts of all monitors in the FPE 2010 MP are located in the Alerts node under Forefront Protection for Exchange Server. Task Status, State information, and Scan Job Performance data are also located under this folder.


Figure 8: Folder structure of the FPE 2010 management pack

5.    Configure Overrides

There is not much to manually configure in the FPE 2010 MP. Nevertheless, the management pack comes with performance rules disabled by default (Figure 9). Before you enable a performance rule, you should baseline the relevant performance counters and then apply the appropriate overrides to define and enable a suitable sampling frequency for your environment.

All rules are stored in the Authoring space of the Operations Manager 2007 console, in the Management Packs Objects node.


Figure 9: FPE 2010 MP Rules

There are three rules in the Forefront Protection 2010 for Exchange Server management pack that collect performance statistics data from managed FPE servers.

  • Realtime Scan Performance: Reports the number of messages scanned, per second, by the FPE realtime scan.
  • Scheduled Scan Performance: Reports the number of messages scanned, per second, by the FPE scheduled scan.
  • Transport Scan Performance: Reports the number of messages scanned, per second, by the FPE transport scan.

To enable the Performance Rules, follow these steps:

  1. In the Operations Manager Operations Console, click the Authoring tab, expand Management Pack Objects and then select Rules. In the Look For box, enter FPE, and then click Find Now.
  2. Right-click any of the Scan Performance rules, select Overrides | Override the Rule | For all objects of class: FPE Transport Scan Job (Figure 10). If you want to define different overrides parameters for different servers, you might want to choose For a specific object of class: FPE Transport Scan Job.


Figure 10: Override the Rule: Transport Scan Performance

  3. In the Override Properties dialog box (Figure 11), select the Override column for the Enabled Parameter name, and then check that the Override Setting is set to True. Select any other overrides you might want to define, such as Frequency. Select a destination management pack and click OK.


Figure 11: Override Properties: Exchange 2007 Test UM Connectivity Remote Voice Collection

Working with Tasks

Tasks provide centralized control over the normal operations process and also provide a means to troubleshoot or correct problems identified through the OpsMgr 2007 Console.

These are the key functions included in the FPE 2010 MP tasks:

  • Get Engine Versions — Retrieves the current engine versions of all scan engines on selected agent-managed systems. All the data for all the engines (not only version information) is returned.
  • Restart FPE Services — Restarts all FPE services on selected agent-managed systems. On some environments, services might not restart with this task. This could happen if the task takes over five minutes to stop and restart all of the services.
  • Update FPE Engines — Updates scan engines immediately on selected agent-managed systems. This task causes the FPE server to start updating engines. The task is considered successful if it triggers the update job. However, if this task is successful, it does not mean that the updates themselves were successful. To find out if the engines have been updated successfully, run the Get Engine Versions task and look at the UpdateStatus field for each engine in the Task Output section of the Task Status dialog box. If you closed the dialog box, the same information is available in the Monitoring space, in the Forefront Protection for Exchange Server / Task Status view. Select the most recent Get Engine Versions task in the Task Status pane and look at the UpdateStatus field for each engine in the Details pane.

In order to run a task, open the OpsMgr Operations Console, select the Monitoring space, and select the Forefront Protection for Exchange Server / State view. In the State pane, select the servers on which to run the task and then, in the Actions pane, the available tasks appear in the FPE Server Tasks section. Click a task in order to run it. Figure 12 depicts the Forefront related tasks.


Figure 12: Available tasks

Suppose you want to perform an immediate manual engine update on the mailbox server. You just have to click that task from the Operations Console and then click Run on the Run Task window (Figure 13). When the task finishes, a Task Status is displayed with some details from the operation (Figure 14). Figure 15 shows the output of the task Get Forefront Protection 2010 for Exchange Server Engines Version.


Figure 13: Update engines


Figure 14: Task Status


Figure 15: Task Status

Alerts

When something goes wrong with Forefront, the FPE 2010 MP, like any other MP, will display alerts (Figure 16). For instance, if one of the anti-virus engines is out of date, there will be a corresponding alert (Figure 17), which also includes some Product Knowledge (Figure 18) with more details and suggested actions to resolve the alert.


Figure 16: Active Alerts


Figure 17: Alert Properties


Figure 18: Alert Knowledge

Figure 16 depicts only a small subset of the various types of problems that the Microsoft Forefront Server Protection Management Pack keeps track of. The following tables contain a full list of all the monitored potential problems.

Engines

  Antimalware Engines Update Enabled
    Success (green): The engines selected to be used for the scan jobs are those that are enabled for updating.
    Warning (yellow): The engines selected to be used for the scan jobs are not all enabled for updating.
    Error (red): Not applicable.

  Antimalware Engines Update Success Rate
    Success (green): All engines enabled for updating were successfully updated.
    Warning (yellow): At least half of the engines enabled for updating were successfully updated.
    Error (red): Less than half of the engines enabled for updating were successfully updated.

  Antimalware engines last update time
    Success (green): All engines enabled for updating were successfully updated within the last five days.
    Warning (yellow): Some of the engines enabled for updating were not updated within the last five days.
    Error (red): None of the engines enabled for updating were updated within the last five days.

  Last antispam definition update
    Success (green): Content filter definitions have been updated in the last hour.
    Warning (yellow): Content filter definitions were last updated in the past 1-12 hours.
    Error (red): The last content filter definition update was over 12 hours ago.

Table 3: Monitored Engines problems
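The thresholds in Table 3 are easy to misread (note that the success-rate and last-update monitors only count engines that are enabled for updating). The script below is an added example, not the management pack's logic; it applies those thresholds to constructed engine records whose field names (SelectedForScanning, UpdateEnabled, LastUpdateSucceeded, LastUpdateTime) are assumptions, not FPE's own.

```powershell
# Added example, not the management pack's own logic: applies the Table 3
# thresholds to engine status records so the path from raw engine data to
# Success / Warning / Error is visible. The records below are constructed
# sample input; on a real server they would be filled from the Get Engine
# Versions task output (field names here are assumptions, not FPE's).
function Get-FpeEngineHealth {
    param(
        [object[]] $Engines,
        [datetime] $AntispamDefinitionUpdated,
        [datetime] $Now = (Get-Date)
    )
    $selected  = @($Engines | Where-Object { $_.SelectedForScanning })
    $updating  = @($Engines | Where-Object { $_.UpdateEnabled })
    $succeeded = @($updating | Where-Object { $_.LastUpdateSucceeded })
    $fresh     = @($updating | Where-Object { ($Now - $_.LastUpdateTime).TotalDays -le 5 })

    # Antimalware Engines Update Enabled: green only when every engine selected
    # for scan jobs is also enabled for updating; this monitor has no red state.
    $enabledState = 'Success'
    if (@($selected | Where-Object { -not $_.UpdateEnabled }).Count -gt 0) { $enabledState = 'Warning' }

    # Antimalware Engines Update Success Rate: all / at least half / less than half.
    $rateState = 'Error'
    if ($updating.Count -gt 0 -and $succeeded.Count -eq $updating.Count) { $rateState = 'Success' }
    elseif ($updating.Count -gt 0 -and $succeeded.Count * 2 -ge $updating.Count) { $rateState = 'Warning' }

    # Antimalware engines last update time: all / some / none within five days.
    $ageState = 'Error'
    if ($updating.Count -gt 0 -and $fresh.Count -eq $updating.Count) { $ageState = 'Success' }
    elseif ($fresh.Count -gt 0) { $ageState = 'Warning' }

    # Last antispam definition update: within 1 hour / 1 to 12 hours / over 12 hours.
    $hours = ($Now - $AntispamDefinitionUpdated).TotalHours
    $defState = 'Error'
    if ($hours -le 1) { $defState = 'Success' } elseif ($hours -le 12) { $defState = 'Warning' }

    New-Object PSObject -Property @{
        UpdateEnabled       = $enabledState
        UpdateSuccessRate   = $rateState
        LastUpdateTime      = $ageState
        AntispamDefinitions = $defState
    }
}

# Helper for the constructed sample records (field names are assumptions).
function New-EngineRecord($Name, $Selected, $Updates, $Succeeded, $LastUpdate) {
    New-Object PSObject -Property @{
        Name = $Name; SelectedForScanning = $Selected; UpdateEnabled = $Updates
        LastUpdateSucceeded = $Succeeded; LastUpdateTime = $LastUpdate
    }
}

# Constructed sample: engine C failed its update and is a week stale, engine D is
# used for scanning but excluded from updating, definitions refreshed 30 minutes ago.
$now = Get-Date
$engines = @(
    (New-EngineRecord 'Engine A' $true $true  $true  $now.AddHours(-3)),
    (New-EngineRecord 'Engine B' $true $true  $true  $now.AddHours(-6)),
    (New-EngineRecord 'Engine C' $true $true  $false $now.AddDays(-7)),
    (New-EngineRecord 'Engine D' $true $false $false $now.AddDays(-30))
)
Get-FpeEngineHealth -Engines $engines -AntispamDefinitionUpdated $now.AddMinutes(-30) -Now $now |
    Format-List UpdateEnabled, UpdateSuccessRate, LastUpdateTime, AntispamDefinitions
```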

Workload Integration

  Exchange Transport Hook State
    Success (green): The Microsoft Exchange Transport service is running and the Forefront agent is registered.
    Warning (yellow): Not applicable.
    Error (red): The agent failed to register or is not enabled. This prevents the Microsoft Exchange Transport service from starting.

  Forefront Agent State
    Success (green): The Microsoft Exchange Transport service is running and the Forefront agent is registered.
    Warning (yellow): Not applicable.
    Error (red): The Microsoft Exchange Transport service is running, but the Forefront Agent is not registered.

  VSAPI registration
    Success (green): The Microsoft Exchange Information Store is running and the Forefront VSAPI library is registered.
    Warning (yellow): Not applicable.
    Error (red): The Microsoft Exchange Information Store is running, but the Forefront VSAPI library is not registered.

Table 4: Monitored Workload Integration problems

Scan jobs

  Scan job enabled (for transport and realtime scans)
    Success (green): The scan job is enabled properly.
    Warning or Error (not distinguished in the source table): The scan job was disabled or bypassed.

  Scan engines have been initialized (for transport, realtime, and scheduled scans)
    Success (green): The engines selected for the scan job have been initialized.
    Warning (yellow): Not applicable.
    Error (red): The selected scanning engines were not initialized with the scan job.

  Scan filter engine loaded (for transport, realtime, and scheduled scans)
    Success (green): The engine that handles filtering loaded correctly.
    Warning (yellow): Not applicable.
    Error (red): The engine that handles filtering did not load correctly.

  Scan process state (for transport and realtime scans)
    Success (green): The scanning processes are running.
    Warning (yellow): Some processes did not restart after a timeout or exception.
    Error (red): No scanning processes restarted after a timeout or exception.

  Scheduled scan termination
    Success (green): The scheduled scan executed within the allowed time.
    Warning (yellow): Not applicable.
    Error (red): The scheduled scan exceeded the allowed time limit.

  Transport Scanning Deliverable State
    Success (green): All messages have been scanned and delivered.
    Warning (yellow): Not applicable.
    Error (red): A message scan could not be completed. The message was placed in the Undeliverable Archive folder for further review.

Table 5: Monitored Scan Jobs problems

Services

  FSCController service
    Success (green): The FSCController service is running.
    Warning (yellow): Not applicable.
    Error (red): The FSCController service has stopped.

  Eventing service
    Success (green): The Eventing service is running.
    Warning (yellow): Not applicable.
    Error (red): The Eventing service has stopped.

  FSEMailPickup service
    Success (green): The FSEMailPickup service is running.
    Warning (yellow): Not applicable.
    Error (red): The FSEMailPickup service has stopped.

  FSCMonitor service
    Success (green): The FSCMonitor service is running.
    Warning (yellow): Not applicable.
    Error (red): The FSCMonitor service is inactive.

Table 6: Monitored Services problems

Cluster servers

  CCR cluster engine replication
    Success (green): Engine replication across the CCR cluster succeeded.
    Warning (yellow): Not applicable.
    Error (red): Engine replication across the CCR cluster failed.

  CCR cluster file synchronization
    Success (green): File synchronization succeeded.
    Warning (yellow): Not applicable.
    Error (red): File synchronization failed.

  Active node lookup
    Success (green): FPE successfully found the active node.
    Warning (yellow): Not applicable.
    Error (red): FPE could not find the active node.

  Passive node transition
    Success (green): The transition to the passive state succeeded.
    Warning (yellow): Not applicable.
    Error (red): An error occurred while transitioning to the passive state.

  CCR cluster change notifications
    Success (green): The CCR replication service cluster state monitoring is able to receive cluster change notifications.
    Warning (yellow): Cluster change notifications cannot be received.
    Error (red): Not applicable.

Table 7: Monitored Cluster problems

License

  License state
    Success (green): The Forefront Protection 2010 for Exchange Server is licensed.
    Warning (yellow): The Forefront Protection 2010 for Exchange Server license will expire soon.
    Error (red): The Forefront Protection 2010 for Exchange Server license has expired.

Table 8: Monitored License problems

Conclusion

If you want to know first-hand whether any of your Exchange servers is failing to update its anti-malware engines, or whether e-mail messages are not being scanned, the Forefront Server Protection for Exchange Management Pack for SCOM is a powerful tool for tracking an entire deployment of FPE.

Published by Rui Silva
