Distributing updates by using UNC updating
Applies to: Forefront Protection for SharePoint
Topic Last Modified: 2010-05-17
Before reading this topic, it is recommended that you first read Maximizing scan engine performance.
The most common method of distributing engine and definition updates in Microsoft Forefront Protection 2010 for SharePoint (FPSP) is UNC updating, in which one server (the redistribution server) downloads updates from the Microsoft HTTP server and then hosts those updates for the rest of the servers in your environment (the receiving servers). After the redistribution server downloads an update, any receiving server whose update path points to the redistribution server can download that update from it.
UNC updating is the only supported method for redistribution.
Before distributing updates, you must configure both the distributing server and receiving servers.
To configure servers to receive and distribute updates
To prepare a server to act as an update redistribution server, you need to establish a Windows share for its Engines folder. For information about the location of the default Engines folder on your operating system, see Default folders.
On the chosen server, enable the redistribution server functionality, and optionally set up UNC authentication user credentials.
In the Global Settings - Engine Options pane, in the Additional Options section, select the Enable as an update redistribution server check box, and then click Save.
This configures FPSP to save the two most recent engine update packages instead of the usual single engine package. FPSP also downloads the full update package rather than performing an incremental update. The multiple engine packages enable the receiving servers to continue pulling updates from the redistribution server while a new update is being downloaded.
Optionally, create UNC authentication user credentials. It is recommended that you use credentials with the minimum privileges. These should not be domain credentials, and the user should only be granted access to the share.
Configure each receiving server to point to the shared folder:
In the Global Settings - Engine Options pane, in the UNC authentication section, to enable UNC updating, select Enable UNC.
Optionally, click Edit UNC Credentials in order to display a dialog box where you can specify your UNC authentication user credentials. After specifying your credentials, click OK and then click Save.
In the Global Settings - Advanced Options pane, in the Intelligent Engine Management section, using the Engine management drop-down list, select Manual.
In the Update scheduling section, select the engines and then click the Edit Selected Engines button.
In the Edit Selected Engines dialog box, in the Primary update path field, enter the redistribution server's UNC path (\\ServerName\ShareName).
Tip: For redundancy, you may want to configure a second redistribution server and enter it in the Secondary update path field. If updating from the first redistribution server fails, the latest updates can still be retrieved from the second redistribution server. You can also enter the Microsoft download location in the Secondary update path field. Then, if updating by means of the redistribution server fails, the latest updates can still be retrieved from Microsoft by using the Secondary update path.
Note:
The use of static IP addresses within the update path is not recommended or supported.
When enabling redistribution, receiving servers cannot download updates from redistribution servers unless all the servers have the same 32-bit or 64-bit configuration. During the deployment, if the receiving servers have their Secondary update path pointing to the Microsoft download location (http://forefrontdl.microsoft.com/server/scanengineupdate), updates will continue to be downloaded even if the receiving and redistribution servers are not in sync.
Click OK to return to the Global Settings - Advanced Options pane, and then click Save.
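One way to script the share side of this procedure with a minimum-privilege local account, as an added example that is not part of the original topic or the product's own tooling. The `$EnginesPath` parameter, the account name `fpsp-unc-read`, and the `Test-UpdatePath` helper are assumptions for illustration; the script assumes an English-language Windows installation, where the local group is named Users.

```powershell
# Added example (not product tooling). Run elevated on the redistribution server.
# Assumptions: English-language Windows; account name and helper are illustrative.
param(
    [Parameter(Mandatory = $true)][string]$EnginesPath,  # Engines folder, see "Default folders"
    [string]$ShareName = 'AdminShare',                   # share name from the page's example
    [string]$Account   = 'fpsp-unc-read'                 # hypothetical local, non-domain account
)

if (-not (Test-Path -LiteralPath $EnginesPath -PathType Container)) {
    throw "Engines folder not found: $EnginesPath"
}

# Local account only. '*' makes net.exe prompt for the password so it never
# appears on the command line.
net user $Account '*' /add /passwordchg:no
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }

# New local accounts join the local Users group. Remove that membership so the
# account holds only the explicit grants made below.
net localgroup Users $Account /delete

# NTFS: read and execute on the Engines tree, inherited by subfolders and files.
icacls $EnginesPath /grant "${Account}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Share: read-only, granted to this one account (no default Everyone entry).
net share "$ShareName=$EnginesPath" "/GRANT:$Account,READ"
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# Print the share definition so the permissions can be reviewed.
net share $ShareName

# Hypothetical helper: accept \\ServerName\ShareName and reject paths whose
# server part is an IP address, which the topic says is not supported.
function Test-UpdatePath {
    param([string]$Path)
    if ($Path -notmatch '^\\\\([^\\]+)\\[^\\]+') { return $false }
    $ip = $null
    return -not ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip))
}

# Check the path that receiving servers will use as their Primary update path.
Test-UpdatePath "\\$env:COMPUTERNAME\$ShareName"
```

The account created here is the one to enter under Edit UNC Credentials on each receiving server.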
Example: Server Ex1 downloads its updates automatically from the Microsoft HTTP server. Ex1 has FPSP installed in the following location:
C:\Program Files\Microsoft Forefront Protection for SharePoint
You have created a share, called AdminShare, which begins at the Engines folder. Another server, Ex2, receives its updates from Ex1 by using the following primary update path: