Using Forefront Server Protection Management Console 2010 (Part 2)

If you would like to read the other parts in this article series please go to:

Using Forefront Server Protection Management Console 2010 (Part 1)

  • Managing New Servers…

    FPSMC 2010 has an Autodiscover feature that by default runs once a day at 1 AM to find new servers running Forefront for SharePoint or Exchange. We can configure the auto discovery process in Registry Editor under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Server Management\Services (Figure 01), where several options are available, such as:

    • We can enable auto discover for SharePoint or Exchange by just setting the ExchAutoDiscoveryEnable and SPAutoDiscoveryEnable to 0 (the default value is 1)
    • We can define what time the auto discovery process starts by changing the value of AutoDiscoveryTime

    Figure 01
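
    A read-only check of the registry values listed above, added here as an example and not part of the original article; the function name is hypothetical, and the script is meant to be run in PowerShell on the FPSMC server. It compares the two enable values with the default of 1 given above and only reports AutoDiscoveryTime, because the article does not state how that value is stored.

    ```powershell
    # Added example, not from the article: report the FPSMC auto discovery
    # registry values so a change from the stated defaults is easy to spot.
    $FpsmcKey = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Server Management\Services'

    # Defaults as stated in the article. It gives the schedule (1 AM) but not the
    # raw data stored in AutoDiscoveryTime, so that value is only reported.
    $StatedDefaults = @{
        ExchAutoDiscoveryEnable = 1
        SPAutoDiscoveryEnable   = 1
        AutoDiscoveryTime       = $null
    }

    function Get-FpsmcAutoDiscovery {    # hypothetical helper name
        param([string]$Path = $FpsmcKey)

        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Warning "Key not found: $Path (run this on the FPSMC server)"
            return
        }
        # Returns nothing when the key exists but holds no values.
        $props = Get-ItemProperty -LiteralPath $Path

        foreach ($name in ($StatedDefaults.Keys | Sort-Object)) {
            $prop = if ($props) { $props.PSObject.Properties[$name] } else { $null }
            if (-not $prop) {
                $value = $null; $state = 'not set'
            } elseif ($null -eq $StatedDefaults[$name]) {
                $value = $prop.Value; $state = 'no default stated, review'
            } elseif ($prop.Value -eq $StatedDefaults[$name]) {
                $value = $prop.Value; $state = 'default'
            } else {
                $value = $prop.Value; $state = 'changed from default'
            }
            New-Object PSObject -Property @{ Name = $name; Value = $value; State = $state }
        }
    }

    Get-FpsmcAutoDiscovery | Format-Table Name, Value, State -AutoSize
    ```

    Because auto discovery decides which servers appear in the console without an administrator adding them, keeping the output of this check with the change records for the FPSMC server makes later edits to these values visible.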

    General Administration of the FPSMC 2010…

    The first administrative task is to define which users have access to the console. We can manage them by clicking the User Management item on the left menu, as shown in Figure 02. By default only the user that installed the tool is listed; we can add more users by clicking Add Users on the right-hand side and typing in the users or searching the domain for them.

    Figure 02

    Another important task is to define our SMTP, Quarantine and statistics settings. We can do that by clicking the Global Configuration item, where we can define the SMTP server. If you are using any sort of load balancing, use that information in the SMTP Server field, where we can also use authentication if required. We can use the same page to configure the quarantine and statistics for our console (Figure 03), and also to define the download configuration for the engine and definition updates.

    If you are planning to send messages just to your internal domain, then authentication is not required if you are using the same IP address that your Receive Connector is listening on to receive e-mail from the Internet.

    Figure 03

    Other than that, we can configure server groups using Server Group Management. For example, we can create one group for all Hub Transport servers and a different group for Mailbox servers, so that we can apply different settings based on groups.

    One of the requirements for managing a remote server is to install the FPSMC agent on it. The agent is responsible for establishing the communication between FPSMC and Forefront Protection on the clients.

    The Server Management item is the place where we can add servers that have either Forefront Protection for Exchange or SharePoint installed to the FPSMC 2010. There are two ways to accomplish this: wait for the autodiscover process to add the servers, or add the servers manually.

    We are not willing to wait for the next cycle to start using FPSMC, and for that reason let’s use the manual approach. Let’s click on Server Management, then click on Add Servers (on the right hand side you have several options to manage servers, such as: Add, delete, deploy agent and deployment status).

    On the new page, we can specify a server by its FQDN or we can click on Find Now (Figure 04) to locate our servers. This query is done against Active Directory (basically any server with Forefront installed adds a new configuration underneath the machine object called ForefrontProtection). Let’s select the servers that are available and click on the -> button; then we can define which group each server will belong to. After that, just click on Save.

    Figure 04

    Now that we have the server listed on the Server Management page, we can select the server and click on Deploy Agent (Figure 05). The following page will ask for credentials to install the agent on the server, please provide the required credentials and click OK. If you are going to deploy the agent on several servers, you can use a single credential to deploy agents instead of typing the credentials server by server.

    Figure 05

    In order to see what is going on, we can check the server and then click on Deployment Status and the page will be redirected to the Notification Logs area. Here, we can define a query to do a search, in our case Agent Deployment is fine, just click on Apply (Figure 06) and we will be able to see the results of the process that we have just started.

    Figure 06

    If you want to see the actual deployment on the server, you can go to the target server and open Task Manager, where we should be able to see the Microsoft.FFSMC.DeploymentAgentHost.exe process running.

    Now we can go back to the same Server Management page, and the agent will show as installed, with the version installed on the server (Figure 07). If you click on Deployment Status you will be redirected to the Notification Logs area; we will be covering further details of this section in our next article.

    Figure 07

    Creating a template configuration

    We have already installed FPSMC and have just deployed the agents, so now it is time to manage several servers from a centralized location. The best way to do that is to use the Packages and Jobs available on the console. Unlike previous versions, we won’t be able to deploy Forefront Protection for Exchange or SharePoint from the console; however, we can manage the distribution of engines, definitions and configurations.

    The best way to start is to configure a server with Forefront Protection 2010 for Exchange installed with all the settings that we need to be standard across the organization. That server will be used as our template, and we should make sure to include and test all settings that we want to be standard before creating the package.

    Creating a new Package

    After configuring the settings on your model server, let’s open Forefront Management Shell and run Export-FSESettings -Path C:\temp\FSE-Template.xml (in my example C:\Temp already exists), and then we can copy FSE-Template.xml to the FPSMC server.

    Let’s open FPSMC, click on Packages, and then on the new page click on Create Package. On the next page, we can define a name (you may find it useful to version these packages); in our case we will be using the format Exchange <OrganizationName> – Version <Incremental-Number>. Then click on Browse and select the file that we have just exported from our server in the previous step (Figure 08).

    Since FPSMC is a web console, we can access it from the Exchange Server and we don’t have to log on to the actual server to create a package.

    Figure 08

    On the Policy Specification page (Figure 09), we can define which sections will be imported on the agents where this package will be deployed, and also the credentials to access engine updates and FOPE. In the Policy Sections area we can define which portion of the configuration we want in this new package, which lets us create several layers for deploying changes in our organization. For example, we can have Global settings configured the same for all servers in the organization and Quarantine for just the Hub Transport servers. Let’s click on OK.

    Figure 09

    The results of this new package wizard will be listed on the main page of Packages, as shown in Figure 10.

    Figure 10

    The packages by themselves do nothing and they must be associated to a job to actually be deployed on the Agents.


    In this second article of our series we covered how to manage new servers by installing agents and configuring autodiscover settings, how to set the global configuration, and how to export and create a new package that will be used by Job deployment in our next article.
