Monitoring Forefront Security for Exchange with OpsMgr 2007 (SCOM 2007)



Manageability is the key that sometimes can make the difference between a good product and a great product. Fortunately, for the vast majority of Microsoft products, operations and management are a key concern from the very beginning of the development stage.


System Center Operations Manager (OpsMgr) 2007 is the heart of Microsoft's management and operations strategy, a product that enables greater control of the IT environment by means of dedicated Management Packs (MPs): collections of rules, tasks, and scripts that work together to maintain the overall health of the systems.


In a previous article, Monitoring Exchange 2007 With System Center Operations Manager 2007, I discussed the configuration steps for the Exchange Server 2007 MP. Since Forefront Server Security for Exchange (FSE) is a common antimalware product used in Exchange Organizations, I decided to write this installation and configuration guide.


Here is a short list of the ways the Microsoft Forefront Server Security Management Pack (FSSMP) for Operations Manager 2007 helps maintain the health of your Forefront servers:



  • Monitors the state of Forefront Security and its key components, by deriving data from the Application Event Log, the System Event Log, and the Forefront Security ProgramLog.txt log file.


  • Collects statistical data on scanning, detection, and removal of message attachments.


  • Contains tasks for:
    – Launching manual scan jobs and background scan jobs.
    – Controlling Forefront Security services and related services with dependencies.
    – Setting the Statistic Threshold Percentage to warn of virus outbreaks.
    – Triggering scan engine updates.
    – Retrieving scan engine update versions.
    – Launching the Administrator Console (FSSA) and the Management Console (FSSMC).


The following table provides an overview of the FSSMP monitoring functionality that is enabled through Operations Manager 2007:




Forefront component


Monitored event




  • Engine updates enabled


  • Engine updates successful


  • Last engine update


  • Last engine update


  • Engines selected for the Transport Scan Job have been initialized


  • Engines selected for the Realtime Scan Job have been initialized

Transport and Realtime Scan Jobs


  • Scan job enabled


  • Scan process state


  • Scanning statistics (Transport and Mailbox)



  • Transport connected


  • Mailbox connected


  • FSC Monitor running



  • License state


Table 1: Exchange 2007 MP monitoring functionalities


Solution Topology


For the purpose of this article, I installed the following environment on my test lab:


Figure 1: Solution Topology


All servers are virtualized with Windows Server 2008 Hyper-V.














  • Root Management Server: Windows Server 2003 R2 SP2, System Center Operations Manager 2007 SP1

  • Domain Controller, Mailbox Server, CAS Server, HUB Transport Server: Windows Server 2008, Exchange Server 2007 SP1 + UR5, Forefront Server Security for Exchange 10 SP1

  • Edge Server: Windows Server 2003 R2 SP2, Exchange Server 2007 SP1 + UR5, Forefront Server Security for Exchange 10 SP1


Table 2: List of servers


FSSMP Prerequisites


Before importing the FSSMP for Operations Manager 2007, ensure that you meet all the requirements:




Install the Forefront Security for Exchange Server MP


Download the Forefront Security for Exchange Server 10.1 MP for OpsMgr 2007. You can find the latest Management Packs at the System Center Operations Manager 2007 Catalog.


Once you download the Forefront Security MP, double click the .msi file in order to install it. The installation is a very simple process that just extracts the required Management Pack files to the folder you choose (Figure 2).


Figure 2: Exchange 2007 MP installation


If you take a peek at the newly created folder, you will notice 3 files: 1 installation guide, 1 licensing supplemental notice and the required management pack file:





To import the FSSMP, open the OpsMgr 2007 Operations Console. Click the Administration tab, right-click the Management Packs node and then click Import Management Packs. Select the required Management Packs and then click the Import button. After the import process is complete and the dialog box displays an icon next to each Management Pack that indicates success of the importation (Figure 3), click the Close button.


Figure 3: Import Management Packs


Add the Exchange servers with Forefront as agent managed computers


If you are using the Exchange Server 2007 MP, chances are that the servers that run FSE are already configured as agent managed computers. In case they aren’t, follow the procedures described in my previous article, Monitoring Exchange 2007 With System Center Operations Manager 2007, to add them.


As soon as the machines are configured as agent managed computers, the OpsMgr auto discovery process will identify them as Forefront servers. Figure 4 depicts the State View of the 2 Exchange Servers that are running FSE.


Figure 4: State View




The Performance rules included in this MP retrieve statistics for all scan jobs, in the following categories:



  • Total number of attachments scanned
  • Total number of attachments cleaned
  • Total number of attachments removed
  • Total number of attachments detected
  • Total number of messages detected
  • Total number of messages purged
  • Total number of messages scanned
  • Total number of messages tagged in the Subject line
  • Rate of scanning (number of attachments scanned per second)


All these statistics can be accessed through the OpsMgr Operations Console, under Scan Jobs (Figure 5), which aggregates all the performance data for FSE systems. They are divided into 2 categories: Realtime and Transport jobs. These are all presented as graphed output.


Figure 5: Scan Jobs statistics




Tasks provide centralized control over the normal operations process and also provide a means to troubleshoot or correct problems identified through the OpsMgr 2007 Console.


These are the key functions included in the FSSMP tasks:



  • Set the statistic threshold percentage
  • Trigger an immediate manual scan job
  • Trigger an immediate background scan
  • Control services centrally: stop, start, and restart them
  • Run scan engine updates
  • Retrieve scan engine update versions


In order to run a task, open the OpsMgr Operations Console, select the Computers node, select one or more computers and all the tasks will appear in the Actions pane. Figure 6 depicts the Forefront related tasks.


Figure 6: Available tasks


Suppose you want to perform an immediate manual scan on the mailbox server. You just have to click that task in the Operations Console and then click Run in the Run Task window (Figure 7). When the task finishes, a Task Status is displayed with some details from the operation (Figure 8).


Figure 9 illustrates a different task, Microsoft Antimalware Engine Update in this case.


Figure 7: Manual Scan


Figure 8: Manual Scan Status


Figure 9: Microsoft Antimalware Engine Update


All tasks execute scripts (VBScript) remotely on the selected agent-managed systems. Every script includes some logging logic, which creates text entries in a log file on each managed server. The log file (Tasks.log) is located in the Operations Manager 2007 Logs subfolder under the Microsoft Forefront Security product installation folder (usually C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\MOMLogs\).


Figure 10: Tasks log


Set Statistic Threshold Percentage


Out of the box, this MP has most of the configuration needed pretty well covered. One thing you could (and should) do is to set the statistic threshold percentage, which allows you to set the percentage of infected messages received within the last hour that would be considered a virus outbreak. The default is 50%, that is, if more than 50% of the messages received in the last hour were infected, it is considered a virus outbreak.


In order to change the percentage, select the computer(s) where you want to modify the threshold, and run the task Set Statistic Threshold Percentage from the Actions pane.


A window pops up (Figure 11), with the previously selected servers marked as targets. Hit Run and you can then modify the Threshold and choose whether you want the operation to be logged or not (Figure 12). Click Override and, if all goes well, you will be presented with a success status page (Figure 13). Click Close.


Figure 11: Set Statistics Threshold


Figure 12: Override Task Parameters


Figure 13: Task Status
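
The outbreak rule described in this section can be modelled to see how a chosen percentage behaves at different mail volumes. The Python sketch below is an added example, not code from the management pack or from Forefront; it assumes a trailing one-hour window re-evaluated on each message (the article does not say how Forefront schedules the calculation) and uses constructed sample traffic in which a busy hour with 10% infected mail stays under the default while two infected messages out of three in a quiet hour exceed it.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # the article's "within the last hour"


def outbreak_times(records, threshold_pct=50):
    """Return the timestamps at which the infected share of the messages
    received in the trailing hour is MORE than threshold_pct.

    records: iterable of (timestamp, infected) pairs, sorted by timestamp.
    Assumption: the share is recomputed on every message received.
    """
    window = deque()          # messages currently inside the trailing hour
    infected_in_window = 0
    hits = []
    for ts, infected in records:
        window.append((ts, infected))
        infected_in_window += infected
        # Expire messages that are an hour old or older. The message just
        # appended is never expired, so the window is never empty here.
        while window[0][0] <= ts - WINDOW:
            _, old_infected = window.popleft()
            infected_in_window -= old_infected
        # Integer comparison of infected/total > threshold/100; an exact
        # match (for example 50% at a threshold of 50) does not trip.
        if infected_in_window * 100 > threshold_pct * len(window):
            hits.append(ts)
    return hits


def sample_records():
    """Constructed sample data, not taken from a real server."""
    day = datetime(2009, 1, 12, 14, 0)
    # Busy period: 100 messages in 50 minutes, every tenth one infected.
    busy = [(day + timedelta(seconds=30 * i), i % 10 == 9) for i in range(100)]
    # Quiet overnight period: 3 messages, 2 of them infected.
    night = datetime(2009, 1, 13, 3, 0)
    quiet = [(night, False),
             (night + timedelta(minutes=5), True),
             (night + timedelta(minutes=9), True)]
    return busy + quiet


if __name__ == "__main__":
    for pct in (50, 10, 5):
        hits = outbreak_times(sample_records(), pct)
        print(f"threshold {pct}%: {len(hits)} evaluations over the threshold")
```
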




When something goes wrong with Forefront, the FSSMP, like any other MP, will display alerts (Figure 14). For instance, if one of the anti-virus engines is out of date, there will be a corresponding alert (Figure 15), which also includes some Product Knowledge (Figure 16) with more details and suggested actions to resolve the alert.


Figure 14: Active Alerts


Figure 15: Alert Properties


Figure 16: Alert Knowledge




No messaging infrastructure is complete without a proper anti-malware solution. Forefront Security for Exchange is a fine product and a perfect fit for Microsoft Exchange Server.


In order to keep all the pieces of the engine running smoothly, carefully monitoring the different components that build the Exchange Server systems is strongly advised. System Center Operations Manager 2007 with the necessary Management Packs (Exchange Server, Forefront Security, Active Directory, Windows Server, IIS) provides the necessary logic to monitor and proactively execute the necessary procedures that will help you maintain a healthy IT environment.

