Getting Started

 

Applies to: Forefront Server Security Management Console

After installing the Forefront Server Security Management Console, you should configure the following settings, in the order listed:

  1. Global configuration settings
  2. User accounts
  3. Managed servers
  4. Manage Jobs

In addition, if you have created one or more backup servers, you must configure replication. For more information about replication configuration, see Redundancy.

After these settings have been configured, the FSSMC is ready to perform other configuration and management tasks.

Configuring Global Configuration Settings

The FSSMC Global Configuration settings include SMTP server settings that are used for administrator notifications and the Statistics Polling settings that determine how often reporting data is collected from the managed servers.

SMTP Server Settings

The FSSMC uses SMTP server settings to send notifications about events and alerts.

To configure the SMTP server settings

  1. Click Global Configuration in the Administration section of the Navigation Area. The Manage Global Configuration work pane appears.

  2. Enter the name of the SMTP server to use in the SMTP Server field. You can enter either the computer name (in the format computername.domain.com) or the IP address.

  3. Enter a valid e-mail address in the From Address field. It will be used in the From field for notifications and alerts.

  4. To use authentication for sending e-mail reports from FSSMC if there are no anonymous SMTP servers in the domain, select Require SMTP Authentication to reveal the User Name and Password fields. Click Test E-mail to verify the credentials you just entered.

  5. Set the polling interval, in minutes (the default is 240 minutes), for the FSSMC to use when gathering information from the managed servers for reporting purposes in the Polling Interval field. The Poll Now button is used to instantly gather the information when running reports manually.

  6. Enter the Download Configuration information. This is the site from which the Forefront Server Security Management Console will download signatures. The Microsoft HTTP site is entered by default. You may change this to another HTTP site, if desired. If you are using a proxy server, enter information about it in this section, including the name of the server and its port. If necessary, specify a proxy user name and password.

  7. Click Save to retain your settings. If you selected Require SMTP Authentication, FSSMC now tries to log on to that SMTP server with the specified username and password. If the logon fails, you will receive an error message prompting you to verify the credentials and try again.

Configuring User Accounts

The user account utilized to install the FSSMC (called the Installation Administrator) is automatically granted access to the FSSMC. Other users who need to use the FSSMC to perform management tasks must have access granted to their Microsoft Windows Server 2003, Windows® 2000 Server, or Windows NT® Server 4.0 user accounts.

To add user accounts

  1. Click Users in the Administration section of the Navigation Area. The Manage Users work pane appears.

  2. Click Add Users. The Add Users work pane appears.

  3. Add local user accounts or domain accounts manually, or use Browse. For domain accounts, use the format domain\username. For local user accounts, enter the user name. Multiple user names are separated by semicolons (;).

    When you click Browse, choose a Domain from the list, and then click Refresh to have all the user names in that domain placed in the Users column. Select the users to be given access, and then click >>, to move their names to the Selected Users column. When you have finished, click Add. You will be returned to the Add Users work pane and all the users you have selected will appear in the Choose Users field.

    Note

    When managing users on servers that are not in the same domain or forest, you must enter users as fully qualified domain names (FQDN) in order for them to be resolved as user objects. For example, if you want to add a user from the mydomain.production.local domain, you would enter mydomain.production.local<EM>UserName in the Users field. You cannot use the Browse button to locate users on servers that are not in the same domain or forest.

    Use the Verify button to validate the existence of domain accounts, so that you can grant FSSMC access to other trusted domains.

  4. Click Add Users to add all the new users. They will then appear in the Manage Users work pane.

Deleting Users

Delete users by selecting the check boxes next to their names on the Manage Users work pane and clicking Delete Users. You will be asked to confirm the deletion.

Configuring Managed Servers

Each server to be managed must be added and configured using the Forefront Server Security Management Console.

Note

FSSMC does not support Unicode server names. All server names must be in English.

To add a server

  1. Click Servers in the Administration section of the Navigation Area. The Manage Servers work pane appears.

  2. Click Add Servers. The Add Servers work pane appears.

  3. Enter the servers to add to the FSSMC database in the Server Names field (or click Browse to find them). If you click Browse, the Browse Server dialog box appears, allowing you to limit the types of servers displayed.

    Note

    When managing servers that are not in the same domain or forest, you must enter the servers as fully qualified domain names (FQDN) in order for them to be resolved as computer objects. For example, if you want to add a server from the example.domain1.com domain, you would enter MyComputerName.example.domain1.com in the Server Names field. You cannot use the Browse button to locate servers that are not in the same domain or forest.

    1. Select a domain from the list of known Domains.
    2. You can limit the types of servers returned with the Server Types field. The default is Any, but you can choose to see only Exchange servers or only SharePoint servers.
    3. You can further limit the selection with the optional Name field. Enter a portion of a name, with the asterisk (*) wildcard, and only server names containing that string will be returned. For example, if you enter *ABCD*, then all servers (in the selected domain and type) whose names contain the string “ABCD” will be returned.
    4. Click Find Now to search for all the servers matching your choices. The results will be placed in the Servers column.
    5. Select the servers to be managed and use the >> button to move them to the Selected Servers column.
    6. When all desired servers have been selected, click Add.
  4. After each server has been added, click Verify to ensure that the server path was entered correctly.

  5. Assign the selected servers to one or more server groups, if desired, with the Apply Groups option. This allows you to manage similar computers as a single unit. Unless you change the assignment here, all new servers will be added to the Default group (although they can be reassigned later). For more information about server groups, see Configuring Server Groups.

  6. When you have selected all of the servers to be added, click Add Servers. They will now appear in the Manage Servers work pane.

  7. Install agents on all the managed servers you just set up. For instructions on how to deploy agents, see Deploying Agents. Once you deploy an agent to it, each server will indicate, on the Manage Servers work pane, what version of Antigen 9.0 or Forefront 10.0 is installed.

Server Auto Discovery

Once your system is up and running FSSMC will automatically find new servers that were added to the network, on a nightly basis. Once an e-mail report has been scheduled (see in "Configuring and Running the New Servers Report" and "Scheduling E-Mail Reports", both in Reports), the administrator receives an e-mail that one or more new servers were added. When the FSSMC Console is opened the next day, there will be a message on the At a Glance pane indicating that a certain number of new servers were found and have not yet been added into the Management Console.

Note

Auto discovery jobs only search the installed domain for new computers that are running Microsoft Exchange server.

To add a new server from the New Servers pane

  1. Click on New Servers, just below At a Glance in the Navigation Area. The New Servers pane appears.

  2. All the new servers are listed, each with its own checkbox. By default, they are all selected. If there is a server that you do not want to manage, clear its checkbox.

  3. Select a Server Group for each new server in the Add to Group column. For more information about server groups, see Configuring Server Groups.

  4. Click Add Servers to add each server to its selected server group.

  5. Install agents on all the managed servers you just set up. For instructions on how to deploy agents, see Deploying Agents.

Registry Keys

There are several registry keys that control Server Auto Discovery:

AutoDiscoveryRetry

The number of retries to connect to the Active Directory if the initial attempt fails. The default is 3.

AutoDiscoveryRetryInterval

The time interval, in seconds, between retry attempts. The default is 180 seconds.

AutoDiscoveryTime

The time to start the Auto Discovery job, in 12-hour format. The default is 01:00:00 AM.

AutoDiscoveryTimeOut

The Auto Discovery timeout threshold value, in minutes. The default is 30 minutes.

ExchAutoDiscoveryEnable

Enables Auto Discovery for Exchange Servers. A value of 1 (the default) enables it; a value of 0 disables it.

Deploying Agents

After a server has been added to the Forefront Server Security Management Console database, you must install an agent on it. The agent serves as the interface between the FSSMC and the managed server.

To deploy an agent

  1. Select one or more servers without agents. Servers without agents display "Unknown" in the Status column of the Manage Servers work pane.

  2. Click Deploy Agent. The Deploy Agent work pane appears.

  3. Enter a user name (in the format domain\username or server\username) and a password to access the selected servers. The user name and password you provide must have administrative rights either as a local administrator to the server or a domain administrator. You can enter one set of credentials for all the servers (by selecting Use these credentials for all) or enter credentials separately for each server.

  4. Click Continue. The FSSMC will install an agent on each selected server.

The FSSMC will provide a status update, in a pop-up window, to report if the installation of the agent was completed successfully. (To see this window, pop-up blocking software must be disabled.) If you are deploying agents to several hundred servers, you can close the Console and check the deployment status after the jobs have finished, by inspecting the Manage Servers work pane. After that screen is refreshed, the Status column will show, for each server, Installed (indicating success), Error (indicating a problem), or Unknown (indicating that no attempt was made to install an agent).

After you have deployed agents to new servers, you may want to assign them to server groups. For more information about assigning servers, see Assigning Servers to a Group.

Removing Servers

The Manage Servers work pane may be used to remove servers. When a server is removed, it is no longer managed by the FSSMC.

To remove servers

  1. Select a server to be deleted on the Manage Servers work pane.

  2. Click Delete Server. You will be asked to confirm the deletion.

Configuring Server Groups

Server groups provide a way for administrators to group servers for the purpose of deployment, engine updates, or configuration through deploying templates. Unless the administrator specifies otherwise, all servers added to the FSSMC will be placed in the Default server group.

To manage server groups, click Server Groups in the Administration section of the Navigation Area. The Manage Server Groups work pane appears. All server groups are shown in a hierarchy, with Root Group at the top. There is a single subgroup set up for you: Default. Unless you set up your own groups under Root Group, all servers will be assigned to the Default group.

The work pane provides a way for administrators to add, rename, delete, or move groups and assign or remove servers from groups. The various processes are described in the following sections.

Adding Server Groups

Perform the following procedure to add a server group.

To add a new server group

  1. Click Server Groups in the Administration section of the Navigation Area. The Manage Server Groups work pane appears, displaying the existing server groups in a tree structure.

  2. Select an existing group under which you want to add the new group (server groups can be nested), and then click Add Group. The Add Group work pane appears.

  3. Enter a name for the new group, and then click Add. The new group will be added below the selected group.

After a new server group has been added, existing servers may be moved into the group using the Assign Server work pane. New servers may be assigned to the group at the same time they are added to the FSSMC, by selecting a server group from the Apply Groups list on the Add Servers work pane. For more information about assigning servers, see Assigning Servers To a Group.

Renaming Server Groups

Once they have been created, server groups can be renamed.

To rename a server group

  1. Select the server group to be renamed in the Manage Server Groups work pane.

  2. Click Rename Group. The Rename Group work pane appears.

  3. Enter the new name.

  4. Click Rename to save the new name.

Deleting Server Groups

To delete a server group, select its name in the Manage Server Groups work pane, and then click Delete Group. You will be asked to confirm your request.

Note

When a server group is deleted, its servers are not deleted from the FSSMC. Any servers which only belonged to the deleted group are automatically transferred to the Default group.

Moving Server Groups

You can reorganize your groups to create a hierarchical structure with top-level groups and sub-groups. The Move Group function allows you to move groups into or out of sub-groups or move groups that may not have been categorized correctly when created.

To move a server group

  1. Select the group to be moved in the Manage Server Groups work pane.

  2. Click Move Group. The Move Group work pane appears.

  3. Select the target folder under which you would like the group moved.

  4. Click Move. The group is moved.

Assigning Servers To a Group

Once you have added servers and deployed agents to them, you can assign the servers to a server group.

To assign a server to a group

  1. Select the target group on the Manage Server Groups work pane.

  2. Click Assign Servers. The Assign Server work pane appears. All the managed servers and server groups are listed on it, in a hierarchical tree. There is a check box next to the name of each server within the group. To help you determine where to assign servers, each one indicates what version of Antigen 9.0 or Forefront 10.0 is installed on it.

  3. Select the servers to be assigned to the target group.

  4. Click Assign.

Note

A server can be assigned to multiple groups. When you assign a server, it is not moved from one group to another. The server becomes a member of both groups.

To remove a server from a group, see Removing Servers from a Group.

Removing Servers from a Group

To remove a server from a group, select its name in the group on the Manage Server Groups work pane, and then click Delete Servers. You will be asked to confirm your request.

Note

When a server is removed from a group, it is not deleted from the FSSMC or from any other group it is a member of. Therefore, it continues to be managed by FSSMC.