Monitoring Forefront Security for Exchange with OpsMgr 2007 (SCOM 2007)

Introduction

 

Manageability is the key that sometimes can make the difference between a good product and a great product. Fortunately, for the vast majority of Microsoft products, operations and management are a key concern from the very beginning of the development stage.

 

System Center Operations Manager (OpsMgr) 2007 is the heart of Microsoft's management and operations strategy. It enables greater control of the IT environment by means of dedicated Management Packs (MP): collections of rules, tasks, and scripts that work together to maintain the overall health of the systems.

 

In a previous article, Monitoring Exchange 2007 With System Center Operations Manager 2007, I discussed the configuration steps for the Exchange Server 2007 MP. Since Forefront Server Security for Exchange (FSE) is a common antimalware product used in Exchange Organizations, I decided to write this installation and configuration guide.

 

Here is a short list of the ways the Microsoft Forefront Server Security Management Pack (FSSMP) for Operations Manager 2007 helps maintain the health of your Forefront servers:

 

 

  • Monitors the state of Forefront Security and its key components, by deriving data from the Application Event Log, the System Event Log, and the Forefront Security ProgramLog.txt log file.

     

  • Collects statistical data on scanning, detection, and removal of message attachments.

     

  • Contains tasks for:
    – Launching manual scan jobs and background scan jobs.
    – Controlling Forefront Security services and related services with dependencies.
    – Setting the Statistic Threshold Percentage to warn of virus outbreaks.
    – Triggering scan engine updates.
    – Retrieving scan engine update versions.
    – Launching the Administrator Console (FSSA) and the Management Console (FSSMC)

 

The following table provides an overview of the FSSMP monitoring functionality that is enabled through Operations Manager 2007:

 

 

 

| Forefront component | Monitored event |
|---|---|
| Engines | Engine updates enabled; Engine updates successful; Last engine update; Engines selected for the Transport Scan Job have been initialized; Engines selected for the Realtime Scan Job have been initialized |
| Transport and Realtime Scan Jobs | Scan job enabled; Scan process state; Scanning statistics (Transport and Mailbox) |
| Services | Transport connected; Mailbox connected; FSC Monitor running |
| License | License state |

 

Table 1: Exchange 2007 MP monitoring functionalities

 

Solution Topology

 

For the purpose of this article, I installed the following environment on my test lab:

 


Figure 1: Solution Topology

 

All servers are virtualized with Windows Server 2008 Hyper-V.

 

 

 

| Name | Role | Architecture | Software |
|---|---|---|---|
| OPSMGR | Root Management Server | x86 | Windows Server 2003 R2 SP2; System Center Operations Manager 2007 SP1 |
| E2K7-x64 | Domain Controller; Mailbox Server; CAS Server; HUB Transport Server | x64 | Windows Server 2008; Exchange Server 2007 SP1 + UR5; Forefront Server Security for Exchange 10 SP1 |
| E2K7EDGE | Edge Server | x64 | Windows Server 2003 R2 SP2; Exchange Server 2007 SP1 + UR5; Forefront Server Security for Exchange 10 SP1 |

 

Table 2: List of servers

 

FSSMP Prerequisites

 

Before importing the FSSMP for Operations Manager 2007, ensure that you meet all the requirements:

 

 

 

Install the Forefront Security for Exchange Server MP

 

Download the Forefront Security for Exchange Server 10.1 MP for OpsMgr 2007. You can find the latest Management Packs at the System Center Operations Manager 2007 Catalog.

 

Once you download the Forefront Security MP, double click the .msi file in order to install it. The installation is a very simple process that just extracts the required Management Pack files to the folder you choose (Figure 2).

 


Figure 2: Exchange 2007 MP installation

 

If you take a peek at the newly created folder, you will notice 3 files: 1 installation guide, 1 licensing supplemental notice, and the required management pack file:

 

 

  • FSMPack2007_FSE.mp

 

To import the FSSMP, open the OpsMgr 2007 Operations Console. Click the Administration tab, right-click the Management Packs node and then click Import Management Packs. Select the required Management Packs and then click the Import button. After the import process is complete and the dialog box displays an icon next to each Management Pack that indicates success of the importation (Figure 3), click the Close button.

 


Figure 3: Import Management Packs

 

Add the Exchange servers with Forefront as agent managed computers

 

If you are using the Exchange Server 2007 MP, chances are that the servers that run FSE are already configured as agent managed computers. In case they aren’t, follow the procedures described in my previous article, Monitoring Exchange 2007 With System Center Operations Manager 2007, to add them.

 

As soon as the machines are configured as agent managed computers, the OpsMgr auto discovery process will identify them as Forefront servers. Figure 4 depicts the State View of the 2 Exchange Servers that are running FSE.

 


Figure 4: State View

 

Statistics

 

The Performance rules included in this MP retrieve statistics for all scan jobs, in the following categories:

 

 

  • Total number of attachments scanned
  • Total number of attachments cleaned
  • Total number of attachments removed
  • Total number of attachments detected
  • Total number of messages detected
  • Total number of messages purged
  • Total number of messages scanned
  • Total number of messages tagged in the Subject line
  • Rate of scanning (number of attachments scanned per second)

 

All these statistics can be accessed through the OpsMgr Operations Console, under Scan Jobs (Figure 5), which aggregates all the performance data for FSE systems. They are divided into 2 categories, Realtime and Transport jobs, and are all presented as graphed output.

 


Figure 5: Scan Jobs statistics

 

Tasks

 

Tasks provide centralized control over the normal operations process and also provide a means to troubleshoot or correct problems identified through the OpsMgr 2007 Console.

 

These are the key functions included in the FSSMP tasks:

 

 

  • Set the statistic threshold percentage
  • Trigger an immediate manual scan job
  • Trigger an immediate background scan
  • Control services centrally: stop, start, and restart them
  • Run scan engine updates
  • Retrieve scan engine update versions

 

In order to run a task, open the OpsMgr Operations Console, select the Computers node, select one or more computers and all the tasks will appear in the Actions pane. Figure 6 depicts the Forefront related tasks.

 


Figure 6: Available tasks

 

Suppose you want to perform an immediate manual scan on the mailbox server. You just have to click that task in the Operations Console and then click Run in the Run Task window (Figure 7). When the task finishes, a Task Status is displayed with some details of the operation (Figure 8).

Figure 9 illustrates a different task, Microsoft Antimalware Engine Update in this case.

 


Figure 7: Manual Scan

 


Figure 8: Manual Scan Status

 


Figure 9: Microsoft Antimalware Engine Update

 

All tasks execute scripts (VBScript) remotely on the selected agent-managed systems. Every script includes some logging logic, which creates text entries in a log file on each managed server. The log file (Tasks.log) is located in the Operations Manager 2007 Logs subfolder under the Microsoft Forefront Security product installation folder (usually C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\MOMLogs\).

 


Figure 10: Tasks log

 

Set Statistic Threshold Percentage

 

Out of the box, this MP has most of the configuration needed pretty well covered. One thing you could (and should) do is set the statistic threshold percentage, which is the percentage of infected messages received within the last hour that would be considered a virus outbreak. The default is 50%, that is, if more than 50% of the messages received in the last hour were infected, it is considered a virus outbreak.
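The outbreak rule described above, written out as an added Python example (not code from the management pack or from this article). It assumes the counts of scanned and infected messages are sampled every 10 minutes, and the sample figures are constructed; on this traffic the default 50% threshold raises the alert 30 minutes later than a 10% threshold would.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "received within the last hour"


class OutbreakMonitor:
    """Share of infected messages over a sliding one-hour window."""

    def __init__(self, threshold_pct=50.0):
        self.threshold_pct = threshold_pct
        self.samples = deque()  # (timestamp, scanned, detected) per interval
        self.scanned = self.detected = 0

    def add(self, ts, scanned, detected):
        if not 0 <= detected <= scanned:
            raise ValueError("detected must be between 0 and scanned")
        self.samples.append((ts, scanned, detected))
        self.scanned += scanned
        self.detected += detected
        # Drop samples that are an hour old or older.
        while self.samples[0][0] <= ts - WINDOW:
            _, s, d = self.samples.popleft()
            self.scanned -= s
            self.detected -= d
        return self.state()

    def state(self):
        """Return (infected_pct, outbreak); an idle hour is never an outbreak."""
        if self.scanned == 0:
            return 0.0, False
        pct = 100.0 * self.detected / self.scanned
        return pct, pct > self.threshold_pct


# Constructed sample data: (scanned, detected) per 10-minute interval.
T0 = datetime(2009, 1, 1, 9, 0)
SAMPLES = [(T0 + timedelta(minutes=10 * i), s, d) for i, (s, d) in enumerate([
    (200, 1), (180, 0), (220, 2), (210, 60),
    (190, 95), (200, 150), (205, 170), (195, 180)])]


def first_alert(samples, threshold_pct):
    """Timestamp of the first sample at which the rule fires, or None."""
    mon = OutbreakMonitor(threshold_pct)
    for ts, scanned, detected in samples:
        if mon.add(ts, scanned, detected)[1]:
            return ts
    return None


if __name__ == "__main__":
    for pct in (50.0, 10.0):
        print(f"threshold {pct}%: first alert at {first_alert(SAMPLES, pct)}")
```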

 

In order to change the percentage, select the computer(s) where you want to modify the threshold, and run the task Set Statistic Threshold Percentage from the Actions pane.

 

A window pops up (Figure 11), with the previously selected servers marked as targets. Hit Run and you can then modify the Threshold and choose whether you want the operation to be logged (Figure 12). Click Override and, if all goes well, you will be presented with a success status page (Figure 13). Click Close.

 


Figure 11: Set Statistics Threshold

 


Figure 12: Override Task Parameters

 


Figure 13: Task Status

 

Alerts

 

When something goes wrong with Forefront, the FSSMP, like any other MP, will display alerts (Figure 14). For instance, if one of the anti-virus engines is out of date, there will be a corresponding alert (Figure 15), which also includes some Product Knowledge (Figure 16) with more details and suggested actions to resolve the alert.

 


Figure 14: Active Alerts

 


Figure 15: Alert Properties

 


Figure 16: Alert Knowledge

 

Conclusion

 

No messaging infrastructure is complete without a proper anti-malware solution. Forefront Security for Exchange is a fine product and a perfect fit for Microsoft Exchange Server.

 

In order to keep all the pieces of the engine running smoothly, carefully monitoring the different components that build the Exchange Server systems is strongly advised. System Center Operations Manager 2007 with the necessary Management Packs (Exchange Server, Forefront Security, Active Directory, Windows Server, IIS) provides the necessary logic to monitor and proactively execute the necessary procedures that will help you maintain a healthy IT environment.

 
