Microsoft Forefront Security for Exchange Server Cluster Installation Guide

Microsoft Forefront Security for Exchange Server Version 10

Microsoft Corporation

Published: July 2009

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Privacy policy

Review the Microsoft Forefront Server Security Privacy Statement at the Microsoft Forefront Server Security Web site.

Contents

Cluster Install Introduction

Definitions

Local Continuous Replication (LCR)

Cluster Continuous Replication (CCR)

Single Copy Cluster (SCC)

Standby Continuous Replication (SCR)

Failover

Quorum

Supporting third-party vendors

Installing FSE on a cluster

Applying Exchange and FSE service packs and rollups

Cluster system requirements

Minimum server requirements

Minimum workstation requirements

Local Continuous Replication (LCR) installation

Standby Continuous Replication (SCR) installation

SCR system tips

Cluster Continuous Replication (CCR) installation

Replacing a CCR cluster node

CCR cluster tips

Single Copy Cluster (SCC) installation

Ensuring that your SCC cluster drive is available during installation

Installing FSE on an SCC active node

Installing FSE on an SCC passive node

SCC cluster tips

Additional considerations

Upgrading FSE

Uninstalling FSE

Uninstalling FSE from an LCR system

Uninstalling FSE from an SCR system

Uninstalling FSE from a CCR cluster

Additional CCR cluster uninstall notes

Uninstalling FSE from an SCC cluster

Evaluation version

Launching the Administrator

Cluster Install Introduction

In recent years, clustered installations have become more popular. Microsoft® Exchange Server 2007 can be installed on clustered systems, using both Cluster Continuous Replication (CCR) and Single Copy Cluster (SCC) configurations. Microsoft® Forefront Security™ for Exchange Server (FSE) can then be installed on Exchange mailbox servers in clustered systems. FSE supports volume mount points.

Note:

The Forefront Server Security Management Console is not supported in a clustered environment.

For more information about configuring and running FSE, see the Forefront Security for Exchange Server User Guide.

Definitions

These are terms you may encounter when working with clusters.

Local Continuous Replication (LCR)

LCR allows for data replication to an alternate drive attached to the same system. This is not a cluster configuration because it does not provide true high availability in the event of system failure. It is intended to provide protection against local storage failures, but does not protect against the failure of the server itself. LCR is a single-server solution that uses built-in asynchronous log shipping and log replay technology to create and maintain a copy of a storage group on a second set of discs that are connected to the same server as the production storage group. LCR provides a quick manual switch to a secondary copy of your data. The procedure for installing Forefront Security for Exchange Server on an LCR system is the same as that for a normal Standalone installation.

Cluster Continuous Replication (CCR)

This type of clustered mailbox server combines the replication and replay features in Exchange 2007 with failover features in Microsoft Cluster services. CCR is a solution that can be deployed with no single point of failure in a single data center or between two data centers. A node that is currently running a Clustered Mailbox Server (formerly called an Exchange Virtual Server) is an active node; a node in the cluster that is not currently running a Clustered Mailbox Server is a passive node.

CCR uses the database failure recovery functionality in Exchange 2007 to enable the continuous and asynchronous updating of a second copy of a database with the changes that have been made to the active copy of the database. Logs are not copied until they are closed and no longer in use by the Mailbox server. During installation of the passive node in a CCR environment, each storage group and its database is copied from the active node to the passive node. This operation is called “seeding”, and it provides a baseline for replication of the database. After the initial seeding is performed, log copying and replay are performed continuously. CCR uses the passive node to copy and replay the logs. Logs are accessed by the passive node via a secured file share.

In a CCR environment, replication capabilities are integrated with the Cluster service to deliver a high availability solution. In addition to providing data and service availability, CCR also provides for scheduled outages. When updates need to be installed or when maintenance needs to be performed, you can move a Clustered Mailbox Server manually to a passive node. After the move operation is complete, you can perform the needed maintenance.

Single Copy Cluster (SCC)

This type of clustered mailbox server uses shared storage in a failover cluster configuration to permit multiple servers to manage a single copy of the storage groups. In this architecture, although all nodes in the cluster can access shared data, they cannot access it at the same time.

In a Single Copy Cluster, an Exchange 2007 mailbox server uses its own network identity, not the identity of any node in the cluster. This network identity is referred to as a Clustered Mailbox Server. If the node running a Clustered Mailbox Server experiences problems, the Clustered Mailbox Server goes offline for a brief period until another node takes control of it and brings it online (a process known as “failover”). The shared storage is available to each possible host node of the Clustered Mailbox Server. As the failover happens, the storage associated with the clustered mailbox is logically detached from the failed node and placed under the control of the new host node.

Standby Continuous Replication (SCR)

This is a replication technology, not a cluster configuration. Unlike CCR, which requires that both servers belong to a Windows cluster (typically residing in the same data center), SCR can replicate data to a non-clustered server located in a different data center. This configuration creates redundancy for data center storage by permitting an additional copy of the data to exist inside or outside the data center. SCR uses the continuous replication technology to move data from one mailbox server to another. SCR enables a mailbox server to be a continuous replication target for a standalone mailbox server that does not have LCR enabled. A mailbox server can also be a passive node in a failover cluster where the mailbox role is installed, but no clustered mailbox server has been installed in the cluster.

Failover

The process by which a server in the cluster takes over the functions of another server in the cluster in the case of a failure of the first device. The term can also be used for a deliberate transfer of services to another server in the cluster.

Quorum

The storage device that keeps track of which node owns a clustered application. When a failover occurs, this is the device that decides which server then becomes active.

Supporting third-party vendors

Microsoft Customer Support Services (CSS) supports FSE clustering based on the failover clustering features of the Microsoft Cluster Service (MSCS). Several third-party vendors offer clustering services and solutions that do not rely on MSCS for applicable versions of Microsoft Windows operating system software. Microsoft cannot provide information about the actual performance or interaction of third-party clustering services and solutions that are running Exchange.

CSS will attempt to help you troubleshoot Exchange-related issues when Exchange is installed on a third-party clustering solution. CSS will help until it is reasonably believed that the cause of the issue is an incompatibility between the third-party clustering solution and Exchange. CSS may suggest removing the third-party solution to help resolve the issue, although this is not a precondition to receiving CSS support services. CSS may also refer you to the vendor of the third-party clustering solution for additional troubleshooting support. It is your responsibility to engage the third-party vendor's support organization. CSS will try to provide reasonable assistance in working with a third-party vendor's support organization; however CSS cannot be considered the primary liaison between you and the third-party vendor. It is strongly recommended that you develop support relationships with each vendor whose hardware or software is part of your Exchange solution.

Installing FSE on a cluster

Forefront Security for Exchange Server supports local installations in all types of Exchange Server 2007 cluster and cluster-like configurations:

• Local Continuous Replication (LCR)

• Standby Continuous Replication (SCR)

• Cluster Continuous Replication (CCR)

• Single Copy Cluster (SCC)

Note:

If your system is configured to run a Network Load Balancer (NLB), there are no special installation procedures for Forefront Security for Exchange Server. Simply follow the instructions in the "Forefront Security for Exchange Server User Guide" for a non-clustered installation.

Note:

Each node of the cluster is a mailbox-only server. FSE should also be installed on your Edge and Hub servers for more reliable protection and performance.

Forefront Security for Exchange Server recognizes the existence of Microsoft Windows Server 2003 and Microsoft Windows Server 2008 active/passive clusters. To install Forefront Security for Exchange Server in a cluster environment, you must log on to the local computer as a Domain user with an account that has Local administrator rights. Forefront Security for Exchange Server must be installed on each node. All program files must be installed to a local drive.

Features of the installation include:

• Configuration data (such as ScanJobs.fdb and Notifications.fdb) is associated with a Clustered Mailbox Server (CMS), not the physical nodes. Because of this, the data needs to be configured only for each CMS, regardless of how many nodes you have.

• Similarly, scanner signature files are associated with a CMS, so that both active and passive nodes are up-to-date.

• Configuration data kept in the registry is replicated on a CMS basis when the CMS moves from one computer to another during a failover event.

The Forefront Server Security Administrator should be connected to the Virtual Machine when connecting to Forefront Security for Exchange on a cluster server. If you try to connect to the physical server, you will be asked to select the Virtual Machine to which you would like to connect.

Applying Exchange and FSE service packs and rollups

This section describes how to apply Exchange and FSE service packs and rollups.

To install an Exchange service pack or rollup

1. Disable FSE on all nodes using the steps described in The FSC Utility in the “Microsoft Forefront Security for Exchange Server User Guide”.

2. On each node, follow the instructions provided with the specific Exchange service pack or rollup that you are installing.

3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing.

4. Starting with the active node, enable FSE on all nodes using the steps described in The FSC Utility in the “Microsoft Forefront Security for Exchange Server User Guide”.

Warning:

Do not fail over the active node when performing these steps.

Note:

Some Exchange service packs and rollups require you to download and install an FSE update in order to ensure that FSE operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.

To install an FSE service pack or rollup

1. On the passive node, run the installer by double-clicking the service pack or rollup executable file.

2. On the active node, fail over the node to make it passive, and then run the installer by double-clicking the service pack or rollup executable file.

3. After the installation is complete and the Exchange and FSE services have been restarted (this occurs automatically during the installation), verify that FSE is working properly.

Note:

FSE service packs or rollups can also be installed using the FSSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Cluster system requirements

The following are the minimum server and workstation requirements for FSE.

Note:

All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before installing Forefront Security for Exchange Server. Too little available memory or disk space may impact the ability of Forefront to scan large files.

Minimum server requirements

The following are the minimum server requirements.

Note:

If both the Exchange and SharePoint products are installed on the same server, only Forefront for Exchange can be installed, to protect Exchange.

• x64 Architecture-based computer with:

    • Intel Xeon or Intel Pentium Family processor that supports Intel Extended Memory 64 Technology (Intel EM64T), or

    • AMD Opteron or AMD Athlon 64 processor that supports AMD64 platform.

• Server software

    • Microsoft Windows Server® 2003 with Microsoft Exchange Server 2007

    • Microsoft Windows Server 2008 with Microsoft Exchange Server 2007

• 1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended).

Note:

With each additional scan engine used, more memory is needed per scanning process.

• 2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.

• Intel processor (1 gigahertz or GHz).

Minimum workstation requirements

The following are the minimum workstation requirements:

• Windows Server 2003 or Windows® 2000 Professional

• 6 MB of available memory

• 10 MB of available disk space

• Intel processor, or equivalent

Local Continuous Replication (LCR) installation

To install on an LCR Exchange server, you need to log on to the local computer using an account that has administrator rights. The steps are the same as those for a Standalone FSE installation. Click Next to continue after filling out a screen, unless otherwise directed.

Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSE features to work correctly.

To install Forefront Security for Exchange Server on an LCR Exchange server

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

2. The initial setup screen is Welcome. Click Next to continue.

3. Read the license at the License Agreement screen and click Yes to accept it.

4. On the Customer Information screen, enter User Name and Company Name, if needed.

5. On the Installation Location screen, select Local Installation.

6. On the Installation Type screen, select Full Installation.

7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

8. On the Quarantine Security Settings screen, select the desired setting.

    • Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.

    • Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.

9. On the Engine Updates Required screen, read the warning about engine updates.

10. To use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen will not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.

    Note:

    If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.

11. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

    Default: Program Files\Microsoft Forefront Security\Exchange Server

12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

    Default program folder: Microsoft Forefront Security for Exchange Server

13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

14. After installation is complete the Restart Exchange Transport Service screen appears. Use it to stop and restart the Exchange services automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time.

15. If you chose to restart the Exchange Transport Service, the Recycling Exchange Transport Service screen appears, indicating that the services are being shut down and restarted. When the status changes to All services started, click Next to continue.

16. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

17. View the ReadMe file.

Standby Continuous Replication (SCR) installation

How FSE is installed on an SCR Exchange server system depends on the configuration of your source (data center) installation.

• If the source system is configured as a standalone server, follow the instructions at Local Continuous Replication (LCR) installation.

• If the source system is configured as CCR, follow the instructions at Cluster Continuous Replication (CCR) installation.

• If the source system is configured as SCC, follow the instructions at Single Copy Cluster (SCC) installation.

FSE should only be installed on the source system. If the source system fails over to the target system, the original target becomes the new source, which is now online (the original source, which had failed, is now offline). FSE should now be installed on this "new source".

Note:

The FSE settings are not replicated from the source server to the target server. After a failover has occurred, FSE must be installed on the target server and configured with the same settings as on the original source server. However, before installing FSE after a failover, you must run the Exchange Setup command with the RestoreCMS parameter. The syntax is:

Setup /RestoreCMS

SCR system tips

The following are additional guidelines when using FSE on an SCR system:

• Install FSE on the source system, not the target system (since, by their nature, all target nodes are passive). If the source installation fails over to the target installation, the target installation now becomes the new source. Install FSE on the new source system and uninstall it from the failed over system.

After FSE has been uninstalled, run the Exchange Setup command with the RecoverCMS parameter to remove the original source Clustered Mailbox Server. The syntax is:

Setup /recovercms

• Configuration data such as ScanJobs.fdb and Notifications.fdb will be associated with a CMS and not with the physical nodes. Because of this behavior, the data must be configured for each CMS only, regardless of how many nodes you have.

• Scanner signature files are associated with a CMS so that active nodes and passive nodes will be up to date.

• Configuration data that is kept in the registry will be replicated on a CMS basis when the CMS moves from one server to another server during a failover event.

• When you use the Forefront Server Security Administrator console to connect to the Forefront Security for Exchange Server installation on a cluster, you must connect to the CMS. If you try to connect to the physical node, you will be prompted to select the CMS to which you want to connect.

For more information about uninstalling FSE, see "Uninstalling FSE From an SCR System" at Uninstalling FSE.

Cluster Continuous Replication (CCR) installation

Ensure that the user doing the installation is a domain user with administrative privileges on the system on which FSE is being installed.

You must first install FSE on the active node and then on the passive node. Click Next to continue after filling out a screen, unless otherwise directed.

You cannot perform a remote installation of a CCR cluster. Use a terminal server session or the Forefront Server Security Management Console (FSSMC) instead. FSSMC provides support for remote installations.

Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSE features to work correctly.

To install FSE on the active node of a new CCR cluster system

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

2. The initial setup screen is Welcome. Click Next to continue.

3. Read the license at the License Agreement screen and click Yes to accept it.

4. On the Customer Information screen, enter User Name and Company Name, if needed.

5. On the Installation Location screen, select Local Installation.

6. On the Installation Type screen, select Full Installation.

7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

8. On the Quarantine Security Settings screen, select the desired setting.

    • Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.

    • Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.

9. On the Engine Updates Required screen, read the warning about engine updates.

10. To use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.

    Note:

    If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.

11. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one. FSE must be installed in the same corresponding directory on the active and passive nodes.

    Default: Program Files\Microsoft Forefront Security\Exchange Server

12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

    Default program folder: Microsoft Forefront Security for Exchange Server

13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

14. On the Recycle CMS screen, read the notice about the need to recycle the Clustered Mailbox Server, and then click Next to have Setup stop and restart the CMS or Cancel to skip the step for now.

    Note:

    The CMS must be recycled before FSE is used for the first time. FSE will not be functional until you recycle the CMS.

15. On the Clustered Mailbox Servers Offline screen, wait for the clustered servers to be taken offline before clicking Next.

16. On the Bringing Clustered Mailbox Servers Online screen, wait for the clustered servers to be brought back online before clicking Next.

17. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

18. Repeat the same steps to install FSE on the passive node. The CMS should still be running on the active node at this point; do not fail over to the passive node.

    Note:

    When the Proxy Information dialog box appears during passive node installation, you can leave the information blank, even if you filled it in for the active node. The cluster replication process overwrites the settings on the passive node with those of the active node.

Replacing a CCR cluster node

In the event that a CCR cluster node becomes damaged or unusable, it must be replaced.

To replace a CCR cluster node

1. Add the new server to the cluster as the passive node.

2. Install Exchange on the passive node.

3. Install FSE on the passive node.

Note:

Wait until one replication cycle has completed (seeding) before permitting the node to become the active node. When the seeding is complete, the following message is written to the event log: “Successfully updated from the active CCR node (seeding successful).”

CCR cluster tips

Keep these tips in mind when installing FSE on a CCR cluster:

• Never configure FSE by connecting directly to the passive node of a CCR cluster.

• The Quarantine and Incident databases are not replicated. To release an item from quarantine on the passive node, connect directly to the passive node. Do not make any other configuration changes.

• After saving configuration changes on the active node you must allow time for a replication cycle to complete before failing over to the passive node. The default replication cycle is 30 seconds for configuration files and five minutes for engines.

• Do not configure FSE on the passive node separately. Configure it on the active node and the replication cycle will copy all your configuration settings.

• If you need to convert an existing CCR cluster node with FSE to a standalone server, FSE must be uninstalled and reinstalled.

• The FSE replication service creates backup files on startup and whenever a transition from active node to passive node occurs. These files can be used for recovery if current configuration data is accidentally overwritten with older configuration data.

• On a CCR cluster system, the Redistribution Server option is automatically selected in the General Options pane. This option is required for successful engine updates on the cluster. Do not disable this option. If this option is disabled, you can select the Redistribution Server check box again to restore engine updates. Each engine will require a new update before it can be replicated correctly again.
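The two waiting rules in this section (seeding on a replaced node, and one full replication cycle after changes on the active node) can be checked before a planned failover. The following PowerShell is an added example, not part of the Microsoft guide; the Application log name, the node name, and the sample timestamps are assumptions.

```powershell
# Added example, not part of the Microsoft guide: pre-failover checks for a
# CCR node running FSE. Requires Windows PowerShell 2.0 or later, because
# Get-EventLog gained -ComputerName, -After and -Message in that version.

# Message text quoted from the guide's note on replacing a CCR cluster node.
$SeedingMessage = 'Successfully updated from the active CCR node (seeding successful).'

# Default replication cycles stated in the guide's CCR cluster tips.
$ConfigCycle = New-TimeSpan -Seconds 30
$EngineCycle = New-TimeSpan -Minutes 5

function Test-FseSeedingComplete {
    # Returns $true if the seeding message was logged on the node after $Since.
    param(
        [Parameter(Mandatory = $true)][string]$NodeName,
        [Parameter(Mandatory = $true)][datetime]$Since,
        # Assumption: the guide says only "the event log"; adjust if needed.
        [string]$LogName = 'Application'
    )
    # -Message accepts wildcards, so this is a substring match on the text.
    $hits = Get-EventLog -LogName $LogName -ComputerName $NodeName `
        -After $Since -Message ('*' + $SeedingMessage + '*') `
        -ErrorAction SilentlyContinue   # "no matches" is reported as an error
    return ($null -ne $hits)
}

function Get-FseReplicationWait {
    # Returns the time still to wait so that a full default replication cycle
    # has passed since the last configuration save and the last engine update.
    param(
        [Parameter(Mandatory = $true)][datetime]$LastConfigSave,
        [datetime]$LastEngineUpdate = [datetime]::MinValue,
        [datetime]$Now = (Get-Date)
    )
    $configReady = $LastConfigSave + $ConfigCycle
    $engineReady = $LastEngineUpdate + $EngineCycle
    # Failover is safe only after the later of the two deadlines.
    $readyAt = if ($engineReady -gt $configReady) { $engineReady } else { $configReady }
    $wait = $readyAt - $Now
    if ($wait -lt [timespan]::Zero) { $wait = [timespan]::Zero }
    return $wait
}

# Constructed sample values: configuration saved 10 seconds ago, engines
# updated 2 minutes ago. The engine cycle is the limiting one here.
$t = Get-Date
$wait = Get-FseReplicationWait -LastConfigSave ($t.AddSeconds(-10)) `
    -LastEngineUpdate ($t.AddMinutes(-2)) -Now $t
'Wait {0:N0} more seconds before failing over.' -f $wait.TotalSeconds

# On a replaced node (hypothetical name), confirm seeding before the node is
# allowed to become active:
#   Test-FseSeedingComplete -NodeName 'EXCCR-NODE2' -Since (Get-Date).AddHours(-1)
```

The wait calculation uses the default cycle lengths given in the tips above; if the cycles have been changed on your cluster, set `$ConfigCycle` and `$EngineCycle` to match.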

Single Copy Cluster (SCC) installation

The following steps describe how to install Forefront Security for Exchange Server on the active and passive nodes of an SCC cluster. FSE is installed on the active node first, then the passive node.

To install Forefront Security for Exchange Server on the passive node, log on to the computer with an account that has administrator rights. This is necessary for Setup to be able to perform service registration. The CMS should still be running on the active node at this point. You will not need to configure Forefront Security for Exchange Server on the passive nodes separately. All configurations and registry settings will be automatically replicated to the passive nodes.

Ensuring that your SCC cluster drive is available during installation

You must determine before the installation whether your cluster drive has mount volume information. When you install FSE on an active node of an SCC cluster, you are asked to indicate the shared drive from a list. If the drive you want to install FSE on has mount volume information, you can skip to the section Installing FSE On an SCC Active Node. If not, Setup cannot obtain the shared drive information and it will not be included in the list. To preclude having to cancel the installation at that point, begin by invoking Setup.exe with the /c parameter and the shared drive letter. This places that shared drive in the list of available drives.

Using the driveletter switch

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center. Be sure to use the /c parameter and the drive letter.

The syntax for the command line invocation is:

Setup /cdriveletter

There is no space between the /c and the drive letter, which must end in a colon. For example, to use the S: drive for the installation:

Setup /cS:

2. Now that you know the cluster drive will appear in the Disk Resource Name For Shared Drive list on the Forefront Server Security On an Active/Passive Cluster screen, you are ready to begin installation on the active node.

Installing FSE on an SCC active node

These are the steps to install FSE on an SCC active node. Click Next to continue after filling out a screen, unless otherwise directed.

Note:

Like most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you should wait until Forefront Security for Exchange Server has been installed on all computers in the cluster before restarting.

To install Forefront Security for Exchange Server on an SCC active node

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

2. The initial setup screen is Welcome. Click Next to continue.

3. Read the license at the License Agreement screen and click Yes to accept it.

4. On the Customer Information screen, enter User Name and Company Name, if needed.

5. On the Installation Location screen, select Local Installation.

6. On the Installation Type screen, select Full Installation.

7. On the Installing Forefront Server Security On an Active/Passive Cluster screen, enter your cluster drive information. Select the cluster drive from the list in the Shared Cluster Volume field and enter the Cluster Folder.

8. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

9. On the Quarantine Security Settings screen, select the desired setting.

• Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.

• Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.

10. On the Engine Updates Required screen, read the warning about engine updates.

11. To use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Server (optional settings) screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.

Note:

If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.

12. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

Default: Program Files\Microsoft Forefront Security\Exchange Server

13. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

Default program folder: Microsoft Forefront Server Security\Exchange Server

14. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

15. On the Recycle CMS screen, read the notice about the need to recycle the Clustered Mailbox Server. You can skip this step and recycle the CMS later (clicking Cancel completes the installation); however, FSE will not be functional until you recycle the CMS.

16. On the Bringing Clustered Mailbox Servers Online screen, wait until the step has completed, and then click Next.

17. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

18. Click Finish to complete the installation.

19. Verify that the shared folder ForefrontCluster is on the shared drive. The database files (for example, scanjobs.fdb and incidents.fdb) are in this directory.

20. Install FSE on the passive node.

Installing FSE on an SCC passive node

To install Forefront Security for Exchange Server on the passive node, log on to the computer with an account that has administrator rights. This is necessary for Setup to be able to perform service registration. The CMS should still be running on the active node at this point.

Note:

You do not need to configure Forefront Security for Exchange Server on the passive nodes separately.

To install Forefront Security for Exchange Server on an SCC passive node

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

2. The initial setup screen is Welcome. Click Next to continue.

3. Read the license at the License Agreement screen and click Yes to accept it.

4. On the Customer Information screen, enter User Name and Company Name, if needed.

5. On the Installation Location screen, select Local Installation.

6. On the Installation Type screen, select Full Installation.

7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

8. On the Quarantine Security Settings screen, select the desired setting.

• Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.

• Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.

9. On the Engine Updates Required screen, read the warning about engine updates.

10. When the Proxy Information screen appears during passive node installation, you can leave the information blank, even if you filled it in for the active node. The cluster replication process overwrites the settings on the passive node with those of the active node.

11. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

Default: Program Files\Microsoft Forefront Security\Exchange Server

12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

Default program folder: Microsoft Forefront Server Security\Exchange Server

13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

14. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

15. Click Finish to complete the installation.

SCC cluster tips

Installing on clusters can be complicated by the default naming of the disk resources associated with each CMS in the Cluster Administrator. Be aware of changes to the disk resource names within the Cluster Administrator, because the installation process uses the disk resource name to derive the drive letter for the installation. During the installation, you are prompted for both a shared drive and a cluster folder. Based on the assumptions listed next, the results of the various combinations are shown in the tables that follow.

Assume the following configuration in the cluster administrator:

| Disk resource name | Physical path | Type         |
| Disk E:            | E:            | Shared Drive |
| Diskf              | F:            | Shared Drive |
| Disk G:            | G:            | Shared Drive |
| Mtptdr             | F:\mpd        | Mount point  |
| Gmpd               | G:\mpd2       | Mount point  |

For shared drive installs:

| Disk resource name for shared drive | Cluster folder         | Path Forefront uses            |
| E:                                  | Forefront Cluster      | E:\Forefront Cluster           |
| Diskf                               | Forefront Cluster      | F:\Forefront Cluster           |
| E:                                  | Test\Forefront Cluster | E:\test\Forefront Cluster      |
| F:\mtpdr                            | Forefront Cluster      | X – no match in resource names |
| F:\mpd                              | Forefront Cluster      | X – no match in resource names |
| E:\test                             | Forefront Cluster      | X – no match in resource names |
| F:                                  | Forefront Cluster      | X – no match in resource names |

For mount point drive installs:

| Disk resource name for shared drive | Cluster folder         | Path Forefront uses |
| G:                                  | mpd2\Forefront Cluster | gmpd\Forefront Cluster |
| Diskf                               | mpd\Forefront Cluster  | F:\mpd\Forefront Cluster |
| Mpd                                 | Forefront Cluster      | X – no drive associated with mount point resource |
| E:                                  | mpd\Forefront Cluster  | X – Installs, but not to mount point. It is installed to E:\mpd\Forefront Cluster |
| G:                                  | gmpd\Forefront Cluster | X – Installs, but not to mount point. It is installed to g:\gmpd\Forefront Cluster |

Additional considerations

• There must be at least one passive node.

• Forefront supports any number of active nodes and one or more passive nodes.

• Each node can only run one Clustered Mailbox Server (CMS) at a time.

• Failovers must be to the passive node.

• All configuration data is stored on the shared drive, so active and passive nodes have the same settings.

Upgrading FSE

To upgrade FSE in a cluster environment, you must do a “rolling upgrade” with the Setup.exe program.

To do a rolling upgrade

1. Upgrade all passive nodes. If prompted to restart the server, do so.

2. For each active node, fail over the CMS to a passive node that has already been upgraded.

3. Upgrade the new passive node (the one that has just been failed over). If prompted to restart the server, do so.

Note:

When upgrading an SCC cluster from FSE RTM to FSE SP1, after all nodes have been upgraded, run FSCUtility on all active nodes to add the FSEClusRes resource to the CMS and configure it. FSEClusRes is a Forefront cluster resource DLL that is loaded and run inside the Resource Monitor service (a Windows cluster service). Its sole purpose is to prevent more than one Clustered Mailbox Server (CMS) from coming online on one cluster node (either because of manual administrative action or a failover), so as not to corrupt FSE’s replicated registry settings. It is only installed on an SCC cluster. The syntax is:

FSCUtility /enable

Uninstalling FSE

Each of the cluster types requires a different method of uninstalling FSE.

Uninstalling FSE from an LCR system

These are the steps to remove FSE from a Local Continuous Replication system.

To uninstall FSE from an LCR system

1. Ensure that the Forefront Server Security Administrator is not running.

2. Open Services in the Control Panel.

3. Stop the FSCController service. This causes the Microsoft Exchange Transport Service and Microsoft Exchange Information Store to be stopped also.

4. When all these services have stopped, close the Services dialog box.

5. Open Add or Remove Programs in the Control Panel.

6. Remove Microsoft Forefront Security for Exchange Server. Click Yes to confirm the deletion.

7. At the Uninstall Complete screen, click Finish.

8. Any settings that you have made still remain in .fdb files in the Microsoft Forefront Security folder in Program Files (or whatever folder you installed to). Additionally, the incidents and quarantine database files remain, as well as Statistics.xml. If you will be reinstalling FSE and want to retain those settings, do nothing. If you will not be reinstalling FSE or if you want to start with fresh settings, delete that folder.

9. If you are not planning to re-install Forefront Security for Exchange Server, restart the stopped Exchange services.

Uninstalling FSE from an SCR system

How FSE is removed from an SCR Exchange server system depends on the configuration of your source (data center) installation. Additionally, see SCR system tips.

• If the source system is configured as a standalone server, follow the instructions at Uninstalling FSE From an LCR System.

• If the source system is configured as CCR, follow the instructions at Uninstalling FSE From a CCR Cluster.

• If the source system is configured as SCC, follow the instructions at Uninstalling FSE From an SCC Cluster.

Uninstalling FSE from a CCR cluster

These are the steps to remove FSE from a CCR cluster. When uninstalling from clustered servers, the Remove Program tool stops the Internet Information Services (IIS). It also takes the CMS offline on the active node. You do not have to stop services to uninstall from a CCR cluster.

To uninstall FSE from a CCR cluster

1. Begin with the active node.

2. Use Add or Remove Programs in Control Panel to remove Forefront Security for Exchange Server. When uninstalling from clustered servers, the Remove Program tool takes the CMS offline on the active node.

3. After FSE has been removed from the active node, remove it from the passive node.

Important:

Do not restart any computer until Forefront is uninstalled on all nodes, even if the uninstaller prompts you to restart the computer. Otherwise, if an active node is restarted, the CMS running on that node may move to a passive node before the passive node can be uninstalled successfully. Do not manually move any CMS until Forefront has been uninstalled on all nodes.

Additional CCR cluster uninstall notes

FSE configures a checkpoint for the following two registry subkeys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan

When you uninstall Forefront Security SP1 from a cluster, it is important to follow the instructions exactly. If the instructions are not followed correctly, the registry checkpoint settings that were configured by the FSE installation may still be active. In this scenario, you must use the cluster command to remove the checkpoint settings.

To remove the checkpoint settings for the resource names

1. From a command prompt, you can view the list of cluster resources and their corresponding registry checkpoint settings by executing the following command:

cluster RES /CHECK

2. To remove the checkpoints for the resource names, type the following commands:

• cluster res "Exchange Information Store Instance (CLUSTER_MAILBOX_NAME)" /removecheck:"SOFTWARE\Microsoft\Forefront Server Security\Exchange Server"

• cluster res "Exchange Information Store Instance (CLUSTER_MAILBOX_NAME)" /removecheck:"SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan"
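The checkpoint cleanup above as a command-prompt script, added here as an example and not part of the guide: it runs the two /removecheck commands with straight quotation marks (quotation marks pasted from a formatted document are often curly and are not treated as quotes at the command prompt) and then searches the cluster res /check listing for either subkey. The script name, the /remove switch and the exit codes are assumptions of this example.

```batch
@echo off
rem Added example (not from the guide): report, and optionally remove, leftover
rem FSE registry checkpoints using only the cluster commands shown in the guide.
rem Usage: fse-checkpoints.cmd CLUSTER_MAILBOX_NAME [/remove]
rem The script name, the /remove switch and the exit codes are assumptions.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 CLUSTER_MAILBOX_NAME [/remove]
    exit /b 2
)

rem Resource name pattern and subkeys exactly as given in the guide.
set "RES=Exchange Information Store Instance (%~1)"
set "KEY1=SOFTWARE\Microsoft\Forefront Server Security\Exchange Server"
set "KEY2=SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan"

rem Stop if the listing itself fails, so a failed query is not read as "clean".
cluster res /check >nul 2>&1
if errorlevel 1 (
    echo Could not list cluster checkpoints; run this on a cluster node.
    exit /b 3
)

if /i "%~2"=="/remove" call :remove

rem Re-read the listing and flag any line that still names an FSE subkey.
set "LEFT=0"
call :check "%KEY1%"
call :check "%KEY2%"
if "%LEFT%"=="1" (
    echo FSE registry checkpoints are still configured; see the lines above.
    exit /b 1
)
echo No FSE registry checkpoints remain.
exit /b 0

:remove
rem Straight quotes around the resource name and the subkey are required.
cluster res "%RES%" /removecheck:"%KEY1%"
cluster res "%RES%" /removecheck:"%KEY2%"
goto :eof

:check
rem find /i prints matching lines and returns errorlevel 0 when it finds one.
cluster res /check | find /i "%~1"
if not errorlevel 1 set "LEFT=1"
goto :eof
```

Run without /remove, the script only reports. The search covers every resource in the listing, so on a cluster with several CMSs run it once per CLUSTER_MAILBOX_NAME until it exits with 0.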

Uninstalling FSE from an SCC cluster

These are the steps to uninstall FSE from an SCC cluster. When uninstalling from clustered servers, the Remove Program tool stops the Internet Information Services (IIS). It also takes the CMS offline on the active node. You do not have to stop services to uninstall from an SCC cluster.

To uninstall FSE from an SCC cluster

1. Uninstall Forefront on the active nodes first, then on the passive nodes.

2. Use Add or Remove Programs in Control Panel to remove Forefront Security for Exchange Server. When uninstalling from clustered servers, the Remove Program tool takes the CMS offline on the active node.

3. Restart all computers.

Important:

Do not restart any computer until Forefront is uninstalled on all nodes, even if the uninstaller prompts you to restart the computer. Otherwise, if an active node is restarted, the CMS running on that node may move to a passive node before the passive node can be uninstalled successfully. Do not manually move any CMS until Forefront has been uninstalled on all nodes.

Evaluation version

Microsoft provides a fully functional version of Forefront Security for Exchange Server for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version.

After 120 days, the evaluation version of FSE continues to operate and report detected files. It does, however, cease to clean, delete, and purge files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled and scan engines no longer update.

To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Register Forefront Server from the Help menu.

Launching the Administrator

To run the Forefront Server Security Administrator, click Start, expand All Programs, expand the Forefront Security for Exchange Server Program folder, and then click the Forefront Security for Exchange Server icon.

You can also launch the Administrator from a command prompt.

To launch Forefront Server Security Administrator from a command prompt

1. Open a Command Prompt window.

2. Navigate to the Forefront Security for Exchange Server installation directory.

The default is: C:\Program Files\Microsoft Forefront Security\Exchange Server

3. Enter FSSAclient.exe.
