Home > Exchange Server, ForeFront Family > Fine tuning Microsoft ForeFront Server Security for Exchange

Fine tuning Microsoft ForeFront Server Security for Exchange

November 14, 2010 Leave a comment Go to comments

ForeFront is Microsoft s security solution for MicrosoftExchange 2007. Installing ForeFront is less than half the battle however. Afteryou get Forefront installed, you ve got to fine tune its settings for MicrosoftExchange 2007. Brien Posey shows how to fine tune ForeFront Server Sercurityfor Exchange.

After the install

After that you have installed ForeFront, it’s time tofinish configuring and fine tuning it. You can access the administrativeconsole by selecting the ForeFront Server Security Administrator command fromthe Start | All Programs | Microsoft ForeFront Server Security | ExchangeServer menu. Upon doing so, you will see a prompt asking you which server youwant to connect to. The current server is selected by default, so just clickOK.

Click OK to skip the message regarding ForeFront’sevaluation period, and you be taken into the administrative console, shown in FigureA.


Figure A

This is the default view of the ForeFront Server Security Administratorconsole.

Configuring Scanning Engine Bias

Lesson number one when it comes to configuring ForeFrontis that having multiple scanning engines at your disposal isn’t always what itseems. When I walked you through the initial setup, I showed you how you couldconfigure ForeFront to use up to five different scanning engines. In a way thisis deceptive though, because depending on how ForeFront’s Bias settings areconfigured, ForeFront may not use all of those scanning engines simultaneously,which kind of defeats the whole purpose of using ForeFront.

To configure the Bias settings, click the Settings buttonin the column on the left, and then click the Antivirus button, found withinthe Settings section. When you do, you will see the screen shown in Figure B.


Figure B

The Antivirus screen allows you to configure ForeFront’s Bias settings.

If you look at the bottom of this screen, the first thingthat you will probably notice is the File Scanners section. As you can see inthe figure, the File Scanners section lists the various scanning engines thatare available. The scanning engines that you chose during the initial setupprocess are selected by default, but if you want to switch scanning engines forsome reason, you can do that by deselecting the scanning engine that you wantto remove, and selecting a new scanning engine.

Now, take a look at the Bias drop down list. You willnotice that the Bias setting is configured to favor certainty. This means thatby default, ForeFront will use its various scanning engines in a way that willbe likely to catch most, if not all of the viruses that come into your ExchangeServer.

Although this probably sounds as though ForeFront isconfigured to use all of the scanning engines to catch viruses, that’s notwhat’s actually happening. Microsoft’s documentation for ForeFront indicatesthat the Favor Certainty Bias setting causes ForeFront to fluctuate betweenusing half of the scanning engines and using all of them.

Before I move on, I want to quickly address the notion ofusing half of the scanning engines. When I talk about the other available Biassettings, you will find that several of them use half of the scanning engines.By default though, ForeFront is designed to use five different scanningengines. Since ForeFront can’t use two and a half scanning engines, itconsiders half of the scanning engines to be three. Of course that assumes thatyou have configured ForeFront to use all five available scanning engines. Ifyou have chosen less than five scanning engines, then half of them will be lessthan three. The table below lists what ForeFront considers to be half of thescanning engines in various situations:

Number of Scanning Engines Half of the Scanning Engines
5 3
4 2
3 2
2 1
1 1

Now that you know what ForeFront means by ‘half of thescanning engines’, here are the various Bias settings that you can choose from,and what those settings mean:

Bias Setting Meaning
Maximum Performance ForeFront will only use one scanning engine at a time.
Favor Performance ForeFront will fluctuate between using one scanning engine, and half of your scanning engines.
Neutral ForeFront will scan each message with half of the scanning engines.
Favor Certainty ForeFront will fluctuate between using half of the scanning engines and all of them.
Maximum Certainty ForeFront will scan all messages using all of the scanning engines.

As you can see, there is a tradeoff between certainty andperformance. Each scanning engine has some impact on system performance. Themore scanning engines you use at a time, the bigger that impact. ForeFront isdesigned to use its scanning engines as efficiently as possible. Items arestamped once they have been scanned. This helps to improve performance byeliminating redundant scanning. Even so, you may want to experiment withdifferent bias settings in order to find the best balance between performanceand accuracy.

One last thing that I want to show you before I move onis the Action section at the bottom of the screen. You can use the settingsfound in this section to control what happens when an infected message isdetected. By default, the message is cleaned and quarantined, but you have theoption of changing this behavior. As you can see in the figure, you have theoption of enabling or disabling quarantines and notifications by selecting ordeselecting the appropriate check boxes. The Actions drop down list gives youthe option of skipping the infection (detecting it only), cleaning andrepairing the infected file, or deleting the infected attachment. The choice isyours.

Controlling What Gets Scanned

The next thing that I want to show you is how you cancontrol exactly what it is that ForeFront scans. To do so, click on theSettings button on the right, and then click on the Scan Job button. When youdo, you will see the screen that is shown in Figure C.


Figure C

The Scan Job section allows you to control what is scanned for viruses.

If you look at the top portion of this screen, you willsee a listing for Transport Scan Job. This scan job is created by default, andis responsible for scanning messages as they move through the transportpipeline. Keep in mind that in my lab I have installed ForeFront onto an edgetransport server. According to my research though, ForeFront creates the samejob on hub transport servers.

In pretty much every Microsoft management utility that Ican think of, you are able to right click on the items listed within theconsole, choose the Properties command from the resulting shortcut menu, andthen edit the listing’s properties on the resulting properties sheet. TheForeFront Server Security Administrator is different though. The job or jobsthat are listed are not clickable. If you want to control what is beingscanned, then you must simply select the job and then select the appropriatecheck boxes within the Transport Messages section below.

As the names of the check boxes imply, selecting theInbound check box causes SMTP messages from the Internet to be scanned as theyenter your Exchange Server organization. Inbound messages are by far the mostimportant messages to scan.

Outbound messages are messages that your users send torecipients outside of your Exchange Server organization. It is usually a goodidea to scan outbound messages. You never know when a user in your organizationmight contract an e-mail virus, and you would not want that user to be able tospread that virus to your customers or suppliers.

The third scanning option is Internal. If you select thisoption, then messages sent between users within your Exchange Serverorganization will be automatically scanned for viruses. I have read casestudies in which some companies disable internal scanning for performancereasons. The logic is that if inbound and outbound messages are being scanned,then there is no reason why any of the internal messages should ever beinfected. Furthermore, workstation level antivirus software that’s integrated intoOutlook should be able to stop any infections from being spread internally.

In a way, I can see the logic in this point of view, andI do not disagree with the idea that disabling internal scanning can help toimprove the server’s performance. Personally though, I think that if ForeFrontoffers you the chance to scan messages flowing across the internal transportpipeline, then you should take advantage of that capability. Sure, you can relyon client level antivirus software to detect viruses as they are accessedthrough Outlook, but taking this approach does not allow you to use multiplescanning engines to scan internal messages.

Another reason why I think that you should enableinternal scanning is that if you disable internal scanning, then there is thepotential for infected messages to make it into user’s inboxes. Yes, clientlevel antivirus software can disinfect the messages as users open them throughOutlook, but do you really want to have viruses present within your informationstore database? Besides, what happens if a user uses OWA to open an infectedattachment instead of using Outlook?

The good news is that Inbound, Outbound, and Internalmessage scanning is enabled by default. If you do decide to make a changethough, keep in mind that the change will not take effect until you click theSave button located in the lower, right hand corner of the console screen.

One last thing that is worth pointing out on this screenis the Deletion Text and Tag Text buttons. The Deletion Text button allows youto control the contents of the notification that a user receives ifnotifications are enabled and an infected attachment is deleted. By default,the user receives a short message containing the name of the infected file andthe name of the virus that was detected.

The Tag Text button allows you to add a tag line to amessage’s subject line if ForeFront suspects that the message might be spam. Idon’t really want to get into ForeFront’s spam filtering capabilities sincethey initially mirror those that are built into Exchange 2007. If you want touse ForeFront to filter spam though, you can access those capabilities byclicking the Filtering button, as shown in Figure D.


Figure D

You can use ForeFront to control spam filtering.

Performing Exchange Server Maintenance

One last issue that I want to discuss is that ofperforming Exchange Server maintenance. Periodically, you will probably want toinstall service packs or hot fixes for Exchange. If you are using an automaticupdate mechanism, such as Windows Server Update Service (WSUS), then you won’tusually have to worry about what I am about to show you. If you typicallyperform manual updates though, then this is important.

To install an update for Exchange Server once ForeFronthas been installed, you must begin by stopping all of the Exchange Serverrelated services. After doing so, you must temporarily disable ForeFront. Theeasiest way of accomplishing this is to open a Command Prompt window, andnavigating to the folder in which ForeFront is installed. You must then use theFSCUtility command with the /disable switch to disable ForeFront. Assuming thatForeFront is installed in the default location, the actual commands that youwould use are:


CD\Program Files (x86)\Microsoft ForeFrontSecurity\Exchange Serer

FSCUtility /disable

Once you have executed these commands, you can apply yourExchange Server update. When the update process is complete, you can re-enableForeFront by entering the following commands:

FSCUtility /enable


Keep in mind that you may still have to restart thevarious Exchange Server services.

One thing that you might have noticed about the first setof commands that I showed you is that the default installation path forForeFront is \Program Files (x86)\Microsoft ForeFront Security\Exchange Server.This installation path indicated that the server is running a 64-bit version ofWindows, but a 32-bit version of ForeFront. The reason for this is that Iinstalled ForeFront onto my lab server directly from the Exchange 2007installation DVD. Microsoft does offer a 64-bit version of ForeFront, which youshould be using for real world deployments.

  1. May 3, 2013 at 2:27 am

    I like what you guys are usually up too. This type of clever work and exposure!
    Keep up the amazing works guys I’ve incorporated you guys to my blogroll.

  2. July 23, 2014 at 8:33 pm

    I like the valuable info you provide in your articles.

    I’ll bookmark your weblog and check again here frequently.
    I am quite certain I will learn a lot of new stuff right here!
    Best of luck for the next!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: