Installing FSOCS

 

Applies to: Forefront Security for Office Communications Server

This release of Forefront Security for Office Communications Server (FSOCS) supports the Standard Edition server role as well as the Enterprise Edition Front End, Access Edge, and Director server roles. These server roles are supported on both OCS 2007 and OCS 2007 R2.

The FSOCS setup wizard is used to install FSOCS on any of the supported server roles. The same MSI-based installer installs FSOCS on either OCS 2007 or OCS 2007 R2.

You must have administrative rights to the computer on which you are installing FSOCS.

Note

You cannot install FSOCS on a server that contains any other Forefront Server Security product.

System requirements

The following are the minimum server and workstation requirements for FSOCS.

Note

All minimum system memory and disk space requirements for OCS 2007 or OCS 2007 R2 should be met before installing FSOCS. Too little available memory or disk space may impact the ability of FSOCS to scan large files.

Minimum server requirements

The following are the minimum server requirements:

  • Server software:
    • Microsoft Windows Server® 2003. For OCS 2007 R2 the following Operating Systems are supported (64-bit hardware only): Microsoft Windows Server 2008, Microsoft Windows Server 2003, Microsoft Windows Server 2003 R2.
    • Microsoft Office Communications Server Standard Edition, or Enterprise Edition with one of the following server roles configured: Front End, Access Edge, Director.
  • 1 gigabyte (GB) of free memory, in addition to that required to run OCS (2 GB recommended).

Note

With each additional licensed scan engine, more memory is needed per scanning process.

  • 2 GB of available disk space. This is in addition to the disk space required for Microsoft OCS.
  • 1 gigahertz (GHz) Intel processor.

Minimum workstation requirements

The following are the minimum workstation requirements:

  • Windows Server 2003, Windows® 2000 Professional, Windows XP, or Windows Vista®.
  • .NET 2.0, for an Administrator-only installation.
  • 6 MB of available memory.
  • 10 MB of available disk space.
  • Intel processor, or equivalent.

Requirements for a service account

During the installation, you are asked for a domain account (on the Service Account Requirements page). The requirements for this account depend on whether the installation is for an access edge role or for another type of role.

Access edge role requirements

  • The account must have the "Logon As Service" privilege. This privilege is automatically granted by setup if not already enabled on the account.
  • The account must be a member of the "RTC Server Applications" local security group. The account is automatically added to this group by setup if necessary.
  • The account must be a member of the "RTC Server Local Group" local security group. The account will automatically be added to this group by setup if necessary.
  • The account must be a member of the "Performance Monitor Users" local security group. The account will automatically be added to this group by setup if necessary.

Standard Edition, front end, or director role requirements

  • The account must have the "Logon As Service" privilege. This privilege is automatically granted by setup if not already enabled on the account.
  • The account must be a member of the "RTC Server Applications" local group. The account will automatically be added to this group by setup if necessary.
  • The account must be a member of the "RTCUniversalServerAdmins" and "RTCProxyUniversalServices" domain groups.

Failure to meet these requirements results in the installation ending prematurely and the Office Communications Server front-end service being unable to start.
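A pre-installation check of the group memberships listed above, added here as an example and not part of the original documentation or of FSOCS. The account name CONTOSO\svc-fsocs and the role switch values are placeholders, and the "Logon As Service" privilege is not checked.

```powershell
# Added example: pre-flight check of the service account's group memberships.
# The account name is a placeholder; run on the server that will host FSOCS.
param(
    [string]$Account = 'CONTOSO\svc-fsocs',
    [ValidateSet('AccessEdge', 'Other')]
    [string]$Role = 'Other'
)

$scope, $user = $Account -split '\\', 2
$memberPath   = "WinNT://$scope/$user"
$local        = $env:COMPUTERNAME

# Groups as listed on this page. SetupAdds = the page says setup adds the
# account itself; it does not say so for the two domain groups.
if ($Role -eq 'AccessEdge') {
    $required = @(
        @{ Scope = $local; Name = 'RTC Server Applications';   SetupAdds = $true },
        @{ Scope = $local; Name = 'RTC Server Local Group';    SetupAdds = $true },
        @{ Scope = $local; Name = 'Performance Monitor Users'; SetupAdds = $true }
    )
} else {
    $required = @(
        @{ Scope = $local; Name = 'RTC Server Applications';   SetupAdds = $true },
        @{ Scope = $scope; Name = 'RTCUniversalServerAdmins';  SetupAdds = $false },
        @{ Scope = $scope; Name = 'RTCProxyUniversalServices'; SetupAdds = $false }
    )
}

foreach ($g in $required) {
    $status = 'Missing'
    try {
        $group = [ADSI]"WinNT://$($g.Scope)/$($g.Name),group"
        # IsMember reports direct membership only, not nested groups.
        if ($group.psbase.Invoke('IsMember', $memberPath)) { $status = 'OK' }
    } catch {
        $status = 'Group not found or not readable'
    }
    if ($status -eq 'Missing' -and $g.SetupAdds) { $status = 'Missing (setup adds it)' }
    New-Object PSObject -Property @{
        Group  = "$($g.Scope)\$($g.Name)"
        Status = $status
    }
}
```

A plain "Missing" status on either domain group is the case to resolve before running setup.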

Installing on a local server

To install on a local OCS 2007 or OCS 2007 R2 server, you need to log on to the local computer by using an account that has administrative rights.

Note

As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSOCS features to work correctly.

To install FSOCS on a local server

  1. From your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center, run the Setup.exe file.

  2. Read the license on the End-User License Agreement page. To accept its terms and continue with the installation, select the I accept the terms in the License Agreement check box.

  3. On the Choose Setup Type page, select Full Installation.

  4. Read the requirements for the service account on the Service Account Requirements page, and then click Next. There are different requirements for this account, depending on whether the installation is for an access edge role or for another type of role. For more information about these requirements, see "Requirements for a service account."

  5. On the Service Account Setup page, enter the following information about a user account to be used for running the ForefrontRTCProxy service. If you intend to use the same user account for both the Service account and the Notification account, then this user must be enabled for Communications Server.

    1. User name—The name of the user, in the form domain\username (for Standard Edition, front end and director roles) or machinename\username (for an access edge server role).
    2. Password—The password for the user account.
    3. Verify Password—Confirmation of the password.
  6. On the Notification Account Setup page, enter information about a user account to be used for running the ForefrontNotificationAgent. Depending on what role the installation is for, you can select to use the same account as the ForefrontRTCProxy service account or to use different credentials for the Notification account.

    For Standard Edition, front end, and director roles, the default is to use the same account as the ForefrontRTCProxy service account. You can choose to use different credentials for the Notification account by entering them explicitly. If you choose to use different credentials for the Notification account, they must belong to an account that is enabled for Communications Server.

    For the access edge server role, you must enter the credentials explicitly.

    These are the credentials that must be explicitly entered:

    • User name—The name of the user, in the form domain\username
    • Password—The password for the user account
    • Verify Password—Confirmation of the password
  7. On the next page (also called Notification Account Setup), enter information about transport, SIP URI, and home or pool server.

    • Transport—Select the transport method from the following choices:
      TLS (Transport Layer Security)—Messages sent using TLS are encrypted. This is the default.
      TCP—Messages sent using TCP are not encrypted.
    • SIP URI—Enter the Session Initiation Protocol (SIP) identifier in the form sip:username@domain.com.
    • Home or Pool Server—Enter the home server or the pool server in the form machinename.domain.com or poolname.domain.com.

    On Standard Edition, front end and director roles, the SIP URI and pool server fields are pre-populated (you can edit them, if required). For an access edge server role, these fields are not pre-populated; you must enter the data.

  8. On the Director Role Configuration page, if you want to configure the director role, check Configure Forefront for the Director role on this server. This page does not appear for an access edge server role.

  9. If you use a proxy server for scanner updates, select Use Proxy Settings, and then on the Proxy Information page, enter the proxy server name or IP address and its port. This ensures that your proxy server is correctly configured from the start. If you are doing a new installation, you must enter the proxy information for your site. If this is an upgrade, this page is pre-populated with the existing proxy information.

  10. On the Engines page, approve or change the antivirus engine selection. The Microsoft Antimalware Engine and four other randomly selected engines are chosen. You can modify the engine selection, choosing a maximum of five engines, including the Microsoft Antimalware Engine.

  11. On the Scan Engine Update Notice page, read the warning about engine updates.

  12. On the Change destination folder page, either accept the default destination folder for FSOCS or select a different one. The following is the default location:

    C:\Program Files\Microsoft Forefront Security\Office Communications Server

    Also, accept the default data folder path or select a different one on the same page. The following is the default location:

    C:\Program Files\Microsoft Forefront Security\Office Communications Server\data

  13. Setup checks to see if you have the correct version of the Windows Update Agent. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update for updates dialog box appears, permitting you to enable it.

  14. On the Ready to Install page, review the choices that you have made.
    If you want to make any changes, use the Back button in order to navigate to the page to be changed.
    If you do not need to make changes or have finished making changes, click Install to begin the installation. A progress bar indicates that the files are being copied.

  15. On the Install Complete page, it is recommended that you view the Readme file. Click Finish to complete the installation.

Administrator-only installation

Performing an Administrator-only installation installs the Microsoft Forefront Server Security Administrator console onto any workstation or server, which can then be used to centrally manage FSOCS services running on remote OCS 2007 and OCS 2007 R2 servers. Administrator-only installation requires approximately 2.5 MB of disk space.

Note

.NET 2.0 is required for an Administrator-only installation.

To install only the Microsoft Forefront Server Security Administrator console

  1. From your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center, run the Setup.exe file.

  2. Read the license on the End-User License Agreement page. To accept its terms and continue with the installation, select the I accept the terms in the License Agreement check box.

  3. On the Choose Setup Type page, select Administration console.

  4. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation, you are directed to the Microsoft Update Web site in order to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update for updates dialog box appears, permitting you to enable it.

  5. On the Change destination folder page, either accept the default destination folder for FSOCS or select a different one. The following is the default location:

    C:\Program Files\Microsoft Forefront Security\Office Communications Server

  6. On the Ready to Install page, review the choices that you have made.
    If you want to make any changes, use the Back button in order to navigate to the page to be changed.
    If you do not need to make changes or have finished making changes, click Install to begin the installation. A progress bar indicates that the files are being copied.

  7. On the Install Complete page, it is recommended that you view the Readme file. Click Finish to complete the installation.

Post-installation security consideration

When you install FSOCS, it is configured to permit everyone access to FSCController. To restrict access to FSCController, use DCOMCNFG in order to modify the security settings. For more information about securing access to FSCController, see FSOCS services.
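To confirm whether the default described above is still in place before or after changing it in DCOMCNFG, the following added example (not part of the original documentation or of FSOCS) reads the DCOM permissions from the registry and reports any grant to Everyone. It assumes the DCOM application is registered under AppID with a LocalService value naming the FSCController service.

```powershell
# Added example: report whether the DCOM application behind the FSCController
# service grants access or launch rights to Everyone (S-1-1-0).
# Assumption: its AppID key carries LocalService = FSCController.
$serviceName = 'FSCController'
$everyone    = 'S-1-1-0'

Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath $_.PSPath
    if ($props.LocalService -ne $serviceName) { return }   # not our AppID

    foreach ($valueName in 'AccessPermission', 'LaunchPermission') {
        $bytes  = $props.$valueName
        $result = 'Restricted (no allow ACE for Everyone)'

        if (-not $bytes) {
            # No per-application ACL stored: the machine-wide DCOM defaults apply.
            $result = 'Not set (machine defaults apply)'
        } else {
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
                      -ArgumentList ([byte[]]$bytes), 0
            if ($null -eq $sd.DiscretionaryAcl) {
                # A null DACL places no restriction on any caller.
                $result = 'UNRESTRICTED (null DACL)'
            } else {
                $hits = @($sd.DiscretionaryAcl | Where-Object {
                    $_.AceType -eq 'AccessAllowed' -and
                    $_.SecurityIdentifier.Value -eq $everyone
                })
                if ($hits.Count -gt 0) { $result = 'EVERYONE ALLOWED' }
            }
        }

        New-Object PSObject -Property @{
            AppId      = $_.PSChildName
            Permission = $valueName
            Result     = $result
        }
    }
}
```

If the script returns nothing, no AppID entry matched the assumed LocalService value and the permissions should be inspected in DCOMCNFG directly.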

Command line parameters for Setup.exe

While Setup.exe is designed to work by double-clicking it, there are parameters that can be used to launch it from a command prompt.

The installation Setup.exe

You can double-click Setup.exe, or run it from a command prompt with these optional parameters:

Setup /k:<license_key> - Indicate a license key for use during setup.

For example: Setup /k:00000-00000-00000-00000-00000

Setup /a - Start an administrative network installation.

Setup /u - Uninstall the product.

Uninstalling

To uninstall FSOCS, follow these steps.

To uninstall FSOCS

  1. Log on to the computer on which FSOCS is installed.

  2. Ensure that the Forefront Server Security Administrator is not running.

  3. In Control Panel, click on Services.

  4. Stop the FSCController service. When the service has stopped, close the Services dialog box.

  5. In Control Panel, click on Add or Remove Programs.

  6. Remove Microsoft Forefront Security for Office Communications Server. Click Yes to confirm the deletion.

  7. At the Uninstall Complete page, click Finish.

Any settings that you have made will remain in .fdb files in the Microsoft Forefront Security folder in Program Files (or whatever folder you installed to). Additionally, the incidents and quarantine database files remain, as well as Statistics.xml. If you will be reinstalling FSOCS and want to retain those settings, do nothing. If you will not be reinstalling FSOCS, or if you want to start with new settings, delete that folder.

If you are not planning to reinstall FSOCS, restart the stopped OCS services.

Relocating FSOCS data files

FSOCS stores program settings as well as scanning activity information including the Quarantine Area on the file system. If you want, you can relocate these files at any time after installation. For complete instructions, see the "Moving the databases" section of FSOCS reporting and statistics.

Evaluation version

Microsoft provides a fully functional version of FSOCS for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version.

After 120 days, the evaluation version of FSOCS continues to operate and report detected files. It does, however, cease to clean, delete, and purge files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the allowed sender lists are disabled, and scan engines no longer update.

To subsequently convert an evaluation version to a subscription version, enter a product key by using the Forefront Server Security Administrator. To do this, on the Help menu, select Register Forefront Server.

Product licensing information

After you have activated your product, you can enter licensing information (which can be obtained from Microsoft Sales).

These are the reasons to license your product:

  • You can align when your product expires with your license agreement (otherwise, the expiration is three years from the installation date).
  • You can easily renew your license by entering a new expiration date.

To license FSOCS, on the Help menu, select Register Forefront Server. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product Licensing Agreement and Expiration dialog box appears. If you have activated FSOCS, only the Product License Agreement and Expiration dialog box appears.

Enter your 7-digit License Agreement Number and then an expiration date. You should enter a date that corresponds to the expiration of your license agreement, to coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.