Installation Steps - Forefront Security for Exchange on the Exchange 2007 Mailbox Server Role

Now that we have a fully functional, multi-server Exchange 2007 Environment it is critical we include Anti-Virus capabilities.  You receive much more than simple 'Store-based Anti-Virus' when you consider Microsoft Forefront Security for Exchange (formerly Sybari Antigen for Exchange).  You can find prior Installation, Setup and Configuration of the existing Exchange 2007 Environment in the following Blog entries:

       Installation Steps - Installing the first Exchange 2007 Server into an Existing Exchange 2003 Organization

       Installation Steps - Installing the Edge Transport Server Role on a Server with 2 Network Interface Cards

       Configuration Steps - Creating an Edge Subscription between an Edge Transport Server Role and a Hub Transport Server Role in Exchange 2007

In this Scenario we are targeting placement of Forefront on the Mailbox Server Role.  Forefront Security for Exchange includes both Realtime and Transport Layer Scanning Capabilities along with a Manual Scan capability.  There is also a rich, highly customizable Content Scanning capability: filtering of Files by File Extension (Example: Quarantine all files with a .scr File Extension) and by File Name (Example: Quarantine all files named zippo_virus.txt), restrictions by Allowed Sender, Filtering by Key Word (Example: Delete all files with the word 'tucan' in the Subject or Message Body), and a Manual Scan capability that provides for Business specific combinations of the many variations available above.  We will explore the initial installation and then, in separate Blog entries, provide examples of using Filtering by 1) Content, 2) Keyword, 3) File, 4) Allowed Sender or 5) Filter Lists.

Finally, it is always worth mentioning that one of the primary reasons Businesses are selecting Forefront Security for Exchange is that it is a Product designed from the ground up to scan through multiple Anti-Virus Engines, with a maximum of 5 Engines (of 10 available) selected for any one Scan Type.  The current Anti-Virus Vendors included in Forefront Security for Exchange are:

  • Norman Virus Control
  • Microsoft Antimalware Engine
  • Sophos Virus Detection Engine
  • CA Inoculate IT
  • CA Vet
  • Authentium Command Antivirus Engine
  • AhnLab Antivirus Scan Engine
  • Worm List
  • VirusBuster Antivirus Scan Technology
  • Kaspersky Antivirus Technology

Let's get this Product installed then explore its capabilities further!


I begin by logging onto the Exchange 2007 Mailbox Server Role and identifying the Forefront Security for Exchange Setup File.

I initiate the Setup process using the Wizard Based dialogue windows.

The complexity of the Setup configuration is low.  In this example I am completing a 'Local Installation'.

Forefront Security for Exchange provides the ability to complete a 'Full Installation' or a separate 'Console Only Installation'.

Once messages are in 'Quarantine' there are several approaches to consider when 'handling' these Quarantined Messages.  'Secure Mode' is recommended, as rescanning Messages when they are viewed or released is a better idea (in my opinion) than skipping the unique Content and File Filtering capabilities the second time around.

I select default, randomly chosen Anti-Virus Engines (5 of a possible 10 Engines) understanding that once Forefront Security for Exchange is in place we receive Anti-Virus Engine and Virus Definition Files from all 10 Vendors.  Additionally, we can then 'selectively choose 5 Vendors' on a Per Server (and even Per Scan Type) basis.

Here is a clear statement that all 10 Anti-Virus Engines and Anti-Virus Definition Files require downloadable updates upon completion of the installation process.  Typically this 'Engine' and 'AV Definition' update process takes under 30 Minutes total.

Final confirmation of the installation steps the Microsoft Installer for Forefront Security for Exchange will execute.

Since Forefront Security for Exchange incorporates 'Transport Level Anti-Virus Scanning' the Exchange 2007 Transport Service must be Stopped, Forefront Security for Exchange installed, then the Exchange 2007 Transport Service Started again.

Confirmation that the Exchange 2007 Transport Service restarted successfully.

Success!  A quick scan of the 'Readme' File and we are ready to roll.  Note: the 'Readme' file includes detail on how to generate a Test Virus File as prescribed by EICAR.  It is not really a Virus, just a file with Content that all Anti-Virus Vendors understand are 'test values'.  http://www.eicar.org
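As an added example (not from the original post or the Forefront product), this Windows PowerShell function writes the EICAR test file exactly as eicar.org specifies and verifies the bytes on disk before the file is mailed; the Desktop path and the 'eicar.pow' copy name are assumptions taken from the test steps later in this post.

```powershell
# Added example, not from the original post or the Forefront product: build and
# verify the EICAR test file that the 'Readme' and eicar.org describe.
# Assumption: run in Windows PowerShell on the test workstation; the output path
# is our own choice.
function New-EicarTestFile {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Desktop\eicar.com')
    )
    # The 68-character EICAR standard string published by eicar.org. It is not
    # malicious; AV engines treat it purely as a test signature.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    # Write exactly these bytes: ASCII, no BOM, no trailing newline. Engines only
    # recognise the string when it sits at the very start of the file.
    [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)

    # Caveat: if a desktop AV product is active it may quarantine the file the
    # moment it is written, and Get-Item will fail here. That is a useful signal
    # in itself, but it means the mail test never reaches Forefront.
    $item   = Get-Item $Path
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $sizeOk = ($item.Length -eq 68)
    $textOk = ([System.Text.Encoding]::ASCII.GetString($bytes) -eq $eicar)
    if (-not ($sizeOk -and $textOk)) {
        throw "File at $Path does not match the EICAR standard (size $($item.Length))"
    }
    Write-Host "EICAR test file written to $Path ($($item.Length) bytes)"
    return $item
}

# As in the post, make a renamed copy before attaching it. The rename changes
# only the extension; the content, and therefore the detection, is unchanged.
$test = New-EicarTestFile
Copy-Item $test.FullName (Join-Path $test.DirectoryName 'eicar.pow')
```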

The Forefront Security for Exchange Administrator icon and Application are now in place and functional.

I have found the most logical 'first step' in configuring Forefront Security for Exchange is validating the 'Proxy Server' settings are correct.  This allows the Application to go to the defined Microsoft Internet URL and download both Anti-Virus Engine Updates and Anti-Virus Definitions.

Anti-Virus Engine and Anti-Virus Definition Updates begin downloading right away.  The Download Schedule is completely customizable.

Now I move to a Windows XP SP2 Workstation with Outlook 2007 installed.  The intent of this Login is to use the 'Test EICAR Virus File', send it in an e-mail to fellow employees and determine if Forefront Security for Exchange 'catches' the Virus.

I login as Ralph McGee - one of my fictitious e-mail users on Exchange 2007.

I have placed the 'EICAR Virus Test File' on the Desktop of 'All Users' on this Workstation.  I briefly rename this file from 'eicar.com' to 'eicar.pow' and send it to other Mailbox holders.  Go Virus Test File Go!

Right away Forefront Security for Exchange picks up the 'EICAR Virus Test File' as witnessed in the Quarantine Object in the Forefront Security for Exchange Application.  We can see who sent the Virus, the Virus Type, the Recipients, anyone marked as a Carbon Copy (CC) and the action taken by Forefront Security for Exchange.  Most of these parameters are configurable based on the requirements of your Business.

Another valuable capability of Forefront Security for Exchange is that when an 'Event' occurs the Application Log on the Local Server includes an Event by Event ID.  There is complete integration with Microsoft Operations Manager 2005 and System Center Operations Manager 2007 for compiling Performance Metrics along with detailed Alerting.
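As an added example, not part of the original post or the Forefront product, this Windows PowerShell snippet pulls recent Forefront-related entries from the local Application log and groups them by Event ID, the same fields an Operations Manager rule or alert keys on. The source-name pattern 'FSC*' and the 'EICAR' message text are assumptions; check one real Forefront event in Event Viewer and adjust them.

```powershell
# Added example, not from the original post or the Forefront product: pull recent
# Forefront-related entries from the local Application log and group them by
# Event ID, the same fields an Operations Manager rule or alert keys on.
# Assumptions: the source-name pattern 'FSC*' is a placeholder (check one real
# Forefront event in Event Viewer and adjust), and the detection message is
# expected to contain 'EICAR' for the mail test described in this post.
function Get-ForefrontEvents {
    param(
        [string]$SourcePattern  = 'FSC*',    # placeholder, see assumptions above
        [string]$MessagePattern = 'EICAR',   # text expected in the detection entry
        [int]$Newest = 500                   # how far back in the log to look
    )
    # Get-EventLog reads the classic Application log; filter on source or message
    # so either naming convention still surfaces the detection.
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { ($_.Source -like $SourcePattern) -or ($_.Message -match $MessagePattern) }
}

$pattern = 'EICAR'
$hits = Get-ForefrontEvents -MessagePattern $pattern

# Summary by Event ID: a stable ID, not the message text, is what to alert on.
$hits | Group-Object EventID | Sort-Object Count -Descending |
    Format-Table Count, Name, @{Name='Source'; Expression={$_.Group[0].Source}} -AutoSize

# The detection entries themselves, newest first, for the incident record.
$hits | Where-Object { $_.Message -match $pattern } |
    Sort-Object TimeGenerated -Descending |
    Format-List TimeGenerated, EventID, EntryType, Source, Message
```

Run it on the Mailbox Server after the test mail has been sent; if nothing is returned, raise the `-Newest` value or correct the source pattern before assuming the detection did not fire.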

I now move back to the Mailbox of Ralph McGee.  Forefront Security for Exchange has sent the e-mail and replaced the Virus Payload with a Text File named 'eicar.txt'.

We can customize the 'Notification Message', as I have done in this example with the line starting with '....If you have questions about this File Deletion....'.  I could have incorporated Help Desk Intranet Links or a Help Desk Phone Number.

In subsequent Blog entries on Forefront Security for Exchange I will include configuration parameters for File Filtering, Content Filtering and many of the other capabilities of Forefront Security for Exchange.  For now - Enjoy!

Lynn Lunik
Independent Security Consultant
Windows(R) Platform
IT Pro Secure Corporation
and
exchangesummit.net
http://itprosecure.com and http://www.exchangesummit.net
blog <at> itprosecure.com

Posted Sep 06 2007, 12:34 PM by lynn lunik
