FSOCS Forefront Server Security Administrator


Applies to: Forefront Security for Office Communications Server

The Forefront Server Security Administrator is used to configure and run Microsoft Forefront Security for Office Communications Server (FSOCS) locally or remotely. For the Forefront Server Security Administrator to launch successfully, the FSCController and Office Communications Server Front-End (RtcSrv) services must be running on the computer to which the Forefront Server Security Administrator is connected. If you launch the Administrator and these services are not running, you will receive an error message.

Because the Forefront Server Security Administrator is the front end of the FSOCS software, it can be launched and closed without affecting the back-end processes being performed by the FSOCS services. The Forefront Server Security Administrator may also be run in a read-only mode in order to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface.

Note

The Forefront Server Security Administrator should not be used to connect to previous versions of the product (Sybari Antigen for IM).

Enabling Forefront Server Security Administrator

Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use Forefront Server Security Administrator on those operating systems, you must first enable the Administrator.

To enable the Forefront Server Security Administrator to run on Windows XP SP2

  1. Click Start, click Run, and then enter dcomcnfg.

  2. On the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and then click Properties.

  3. On the COM Security tab, under Access Permissions, click Edit Limits, and then for the Anonymous Logon user, for Remote Access, select the Allow check box.

  4. Add the Forefront Server Security Administrator application to the Windows Firewall Exceptions list, as follows:

    1. Open Control Panel, and then double-click Security Center.
    2. Click Firewall Administrator.
    3. On the Windows Firewall dialog box, on the Exceptions tab, click Add Program, in the list, click FSSAClient, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
    4. In the Programs and Services list, click the FSSAClient.
    5. Click Add Port, enter a name for the port, enter 135 as the port number, and then select TCP as the protocol.
    6. Click OK.

Note

If you are concerned about opening port 135 to all computers, it can be opened only for the servers running FSOCS. When you add port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be permitted access through port 135.

To enable the Forefront Server Security Administrator to run on Windows Server 2003 SP2

  1. Click Start, click Run, and then enter dcomcnfg.

  2. On the Component Services dialog box, in the Console Root, expand Component Services, expand Computers, right-click My Computer, and then click Properties.

  3. On the Properties dialog box, on the COM Security tab, under Access Permissions, click Edit Limits, and then add the Anonymous Logon account.

  4. For the Anonymous Logon user, for Remote Access, select the Allow check box.

Launching the Forefront Server Security Administrator

You can launch Forefront Server Security Administrator from either the Start menu or from a command prompt.

To launch Forefront Server Security Administrator from the Start menu

  • Click Start, point to All Programs, point to the Microsoft Forefront Server Security folder, point to the Office Communications Server folder, and then click Forefront Server Security Administrator.

To launch Forefront Server Security Administrator from a command prompt

  1. Open a command prompt.

  2. Navigate to the FSOCS installation directory. The default location is the following:

    C:\Program Files\Microsoft Forefront Security\Office Communications Server

  3. Enter FSSAclient.exe, and then press ENTER.

Connecting to a local server

The first time the Forefront Server Security Administrator is launched, it prompts you to connect to the OCS 2007 or OCS 2007 R2 server running on the local computer. You can use the server name or local alias in order to connect to the local server.

Connecting to a remote server

The Forefront Server Security Administrator can be connected to a remote OCS 2007 or OCS 2007 R2 server running FSOCS. This enables an administrator to use one installation of the Forefront Server Security Administrator in order to configure and control FSOCS throughout the network.

To connect to a remote server, when the Server dialog box opens, click the Browse button or enter the server name, IP address, or Domain Name System (DNS) name of the remote server.

Note

Due to enhanced security settings in Windows Server 2003 Service Pack 1 (SP1), DCOM settings may need to be updated when FSOCS is installed on a server running Windows Server 2003 SP1 in order to permit remote access. Remote administrators need to have privileges enabled for both remote launch and remote activation.
Because FSOCS installs access control lists (ACLs) in the installation folder for both Administrator-only installations and the full product installation, a remote administrator must have access to the local installation folder and registry key, as well as access to the server to which it is connecting.
If you are having problems connecting the Forefront Server Security Administrator to the OCS server, try using the PING command in order to test for server availability. If the server is available, be sure that no other Forefront Server Security Administrator instances are currently connected to it.

Connecting to a different server

You can connect to a different server from the Forefront Server Security Administrator.

To connect to a different server

  1. In the Forefront Server Security Administrator, in the File menu, click the Open command.

  2. On the Connect to Server dialog box, do one of the following:

    • Enter the name of another server running FSOCS
    • Select one that you have connected to before from the drop-down list
    • Click Browse to attach to a server to which you have never before connected

Note

You can also use the Server list at the top of the Forefront Server Security Administrator dialog box in order to quickly reconnect to a server.

Running in read-only mode

The Forefront Server Security Administrator may be run in a read-only mode. To do so, the administrator needs to modify the NTFS file system permissions on the FSOCS database directory in order to enable modify access only to those users with permission to change FSOCS settings. By default, the database directory is in the following location:

C:\Program Files\Microsoft Forefront Security\Office Communications Server\Data

To configure read-only access

  1. In Windows Explorer, navigate to the following location:
    C:\Program Files\Microsoft Forefront Security\Office Communications Server\

  2. Right-click the folder, and then click Properties.

  3. On the Properties page, on the Security tab, add a user or group that you want to have read-only access.

  4. Under Allow, clear all the check boxes except Read & Execute, click Save, and then close the Properties page.

  5. Open the registry, and then navigate to the Forefront Server Security registry key in the following location:

    HKLM\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server

  6. Right-click the key, and then click Permissions.

  7. Add the user or group that you want to have read-only access.

  8. Under Allow, clear all the check boxes except Read (you may also leave Special Permissions selected as well).

  9. Navigate to the Administrator registry key in the same HKLM location.

  10. Right-click the Administrator registry key, and then click Permissions.

  11. Add the user or group that you want to have read-only access.

  12. Select the Full control check box, and then close the registry editor.

  13. Click Start, click Run, and then type dcomcnfg.

  14. On the Component Services dialog box, in the Console Root section, expand Component Services, expand Computers, expand My Computer, and then expand DCOM Config.

  15. Right-click DCOM Config, and then click Properties.

  16. On the Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, click the Edit button.

  17. Add the user or group that you want to have read-only access, select all the Allow check boxes, and then click OK.

  18. In the Access Permissions section, click the Edit button.

  19. Add the user or group that you want to have read-only access, select all the Allow check boxes, and then click OK.

  20. Click Save, and then close the Properties dialog box.

When a user without modify permissions opens the Administrator, the Administrator does not permit any configuration changes.

Note

  • The system account and the RTCProxy Service user account (specified during installation) must have full control of the Forefront Security for Office Communications Server folder in order for the product to run properly.
  • In Windows Server 2003 SP1, if you create a user that is part of the Administrators group with read-only access rights to FSOCS, when that user logs on and tries to open the Forefront Server Security Administrator, the message "ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx.Error: Access is denied" appears.
    A security enhancement in Windows Server 2003 SP1 causes this error. To work around this problem, follow these steps.

To work around the security enhancement in Windows Server 2003 SP1

  1. Click Start, click Run, and then type DCOMCNFG.

  2. On the Component Services dialog box, expand Component Services, expand Computers, expand My Computer, and then expand DCOM Config.

  3. Right-click FSCController, and then click Properties.

  4. On the FSCController Properties dialog box, on the Security tab, in the Launch and Activation Permissions section, click Edit.

  5. Add domain users, and then select Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

  6. In both open dialog boxes, click OK.

Forefront Server Security Administrator user interface

The user interface for the Forefront Server Security Administrator contains the Shuttle Navigator on the left and the panes on the right.

The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access the following panes:

  • SETTINGS—Enables you to configure scan jobs, antivirus settings, scanner updates, templates, and General Options.
  • FILTERING—Enables you to configure content filtering, keyword filtering, file filtering, allowed senders-recipients lists, and filter lists.
  • OPERATE—Enables you to control virus scanning and filter options.
  • REPORT—Enables you to configure notifications, view and manage incidents, and view and manage quarantined files.

General Options

The General Options pane, accessed from the SETTINGS section of the Shuttle Navigator, provides access to a variety of system-level settings for FSOCS. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings.

Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time.

To access the General Options: in the Shuttle Navigator, in the SETTINGS section, click General Options. The General Options pane opens.

The General Options pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, Transport Notification Server, and IM Notification Agent.

Diagnostics section

The following table lists and describes the settings in the Diagnostics section of the General Options pane.

Setting Description

Additional IM

Additional diagnostic messages are added to programlog.txt for IM. Disabled by default. Works in conjunction with Enable Forefront Program Log, which is a General Option in the Logging section. For more information about this setting, see Data captured in the program log.

Notify on Startup

Indicates that FSOCS should send a notification to all the email addresses listed in the Virus Administrators list whenever the scanner starts. Disabled by default.

Logging section

The following table lists and describes the settings in the Logging section of the General Options pane.

Setting Description

Enable Event Log

Enables logging of FSOCS events to the event log. Enabled by default.

Enable Performance Monitor and Statistics

Enables the logging of FSOCS performance statistics in the Performance snap-in. Enabled by default.

Enable Forefront Program Log

Enables the Forefront program log (ProgramLog.txt). Enabled by default. Works in conjunction with Additional IM, which is a General Option in the Diagnostics section. For more information about this setting, see Data captured in the program log.

Enable Forefront Virus Log

Enables the Forefront virus log (VirusLog.txt). Disabled by default.

Enable Incidents Logging

Enables incident logging for the IM Scan Job. Enabled by default. Disabling this setting prevents entries from being written to the Run Job pane of the OPERATE shuttle or to the Incidents pane of the REPORT shuttle.

Max Program Log Size

Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. A value of 0 (the default) indicates that there is no limit to the maximum size. The default is 25600 KB.

For more information about the log files and the Performance snap-in, see FSOCS reporting and statistics.

Scanner Updates section

The following table lists and describes the settings in the Scanner Updates section of the General Options pane.

Setting Description

Redistribution Server

Indicates that this server is acting as the central hub in order to distribute scanner updates to other servers. Disabled by default. (For more information, see FSOCS file scanner updating.)

Perform Updates at Startup

Indicates that engines should be automatically updated every time FSOCS is started. Disabled by default.

Send Update Notification

Indicates that a notification should be sent to the Virus Administrator each time a scan engine is updated. Disabled by default. (For more information about setting up notifications to administrators, see FSOCS event notifications.)

Use Proxy Settings

Indicates that proxy settings are to be used when retrieving antivirus scanner updates. Disabled by default, unless you indicated during installation that proxy settings were to be used. (For more information, see "Updating the file scanner through a proxy" in FSOCS file scanner updating.)

Use UNC Credentials

Indicates that Universal Naming Convention (UNC) credentials are needed when retrieving antivirus scanner updates. Disabled by default. (For more information, see FSOCS file scanner updating.)

Proxy Server Name/IP Address

The name or IP address of the proxy server. Required if using proxy settings when retrieving antivirus-scanner updates. If you indicated during installation that proxy settings were to be used, the value you entered then is used to populate this field.

Proxy Port

Indicates the port number of the proxy server. Required if using proxy settings when retrieving antivirus scanner updates. The default is port 80. If you indicated during installation that proxy settings were to be used, the value you entered then is used to populate this field.

Proxy Username

The name of a user with access rights to the proxy server, if necessary. Optional field.

Proxy Password

The appropriate password for the proxy user name, if necessary. Optional field.

UNC Username

The name of a user with access rights to the UNC path, if necessary. Optional field.

UNC Password

The appropriate password for the UNC user name, if necessary. Optional field.

For more information about updating the scan engines, see FSOCS file scanner updating.

Scanning section

The following table lists and describes the settings in the Scanning section of the General Options pane.

Setting Description

Delete Corrupted Compressed Files

Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or the file exceeds the size limit configured for FSOCS.

When a corrupted compressed file is detected, FSOCS reports it as a CorruptedCompressedFile virus. This option is enabled by default.

Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles in order to override quarantining for these file types. The DWORD setting must be created, and its value must be set to 0.

Note

In addition to CorruptedCompressedFile viruses, this setting also handles the following file types:

  • UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted) or correctly inserted back into the archive by the scanners, due to the corrupt nature of the file.
  • UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive, due to the corrupt nature of the archive.

Delete Corrupted UUEncode Files

Specifies whether corrupted UUEncode files are deleted. Typically, a UUEncoded file that FSOCS is unable to parse is considered corrupted. FSOCS reports those as a CorruptedCompressedUuencodeFile virus. Enabled by default.

Delete Encrypted Compressed Files

Specifies whether an encrypted compressed file with at least one encrypted item within its contents is deleted (encrypted files cannot be scanned by antivirus scan engines). Disabled by default. FSOCS reports those as an EncryptedCompressedFile virus.

Treat ZIP archives containing highly compressed files as corrupted compressed

Specifies whether ZIP archives containing highly compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the Delete corrupted compressed files check box is enabled, the archive is deleted. If the Delete corrupted compressed files check box is disabled, the files in the ZIP archive are passed to the antivirus scan engines in order to be scanned in their compressed form. The ZIP archive itself is also passed to the antivirus scan engines. If scanned and no threat is found, the message is delivered. If a threat can be cleaned, the message is delivered. If a threat cannot be cleaned, the message is deleted. If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly compressed files are treated as corrupted compressed).

Treat multipart RAR archives as corrupted compressed

A file within a RAR archive can be compressed across multiple files or parts (hence “multipart”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed.

Disabling this option enables you to receive such files. However, in this case, a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

If the archive is reported as corrupted compressed, and if the Delete corrupted compressed files check box is enabled, the archive is deleted. If the Delete corrupted compressed files check box is disabled, only the RAR archive as a whole is passed to the antivirus scan engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted. Enabled by default.

Note

If you are using multipart RAR in order to compress files that exceed 100 MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see FSOCS registry keys.

Treat concatenated gzips as corrupted compressed

Multiple GNU zip (gzip) files can be concatenated into a single file. Although FSOCS recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, FSOCS treats concatenated gzips as corrupted compressed, by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections.

Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case, a virus may escape detection.

Scan Doc Files As Containers - IM

Specifies that the IM Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. Disabled by default.

Case Sensitive Keyword Filtering

Specifies that keyword filtering should be case-sensitive. Disabled by default (that is, filtering is not case-sensitive).

Enable Forefront

Permits administrators to enable or disable the FSOCS job. The options are Disable and Enable (the default). After changing this setting, the FSOCS services must be recycled. (For more information about recycling the services, see "Recycling the FSOCS services" in FSOCS services.)

IM Process Count

Used to change the number of scanning processes that are used by FSOCS. The default value is 4. You may create up to 10 IM processes by using the Forefront Server Security Administrator. If you need more processes (a maximum of 25), you can specify the number by changing the value of the IMProcessCount registry key, which is in the following location:

HKLM\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server

If you change the number of processes, the FSOCS services must be recycled. (For more information about this setting, see IM Scan Job.)

Engine Error Action

Enables administrators to set the action that FSOCS should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are the following:

  • Ignore—Logs the error to the program log.
  • Skip: detect only—Logs the error to the program log and displays an EngineError entry with the state Detected in the UI.
  • Delete—Logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI.

The file that caused the engine error is always quarantined. The default value is Delete.

IM Scan Timeout Action

Indicates what to do in the event that the IM Scan Job times out while scanning a file. The options are the following:

  • Ignore—Lets the file pass without being scanned.
  • Skip—Reports in the incidents log and the program log that the file exceeded the scan time and lets it pass without being scanned.
  • Delete—Reports the event and replaces the contents of the file with the deletion text.

A copy of the file will be stored in the Quarantine database if quarantining is enabled and the IM Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

Max Container File Infections

Specifies the maximum number of infections permitted in a compressed file. If this is exceeded, the entire file is deleted, and an incident is logged, stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection causes the entire container to be deleted. In this case, the logged incident has "Container Removed" appended. The default value is 5.

Max Container File Size

Specifies the maximum container file size (in bytes) that FSOCS attempts to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules, provided that the IM Scan Job action has been set to Delete or Clean. FSOCS reports these deleted files as a LargeInfectedContainerFile virus.

Max Nested Attachments

Specifies the limit for the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUEncode documents. The limit includes the sum of the nestings of all of these types. If the maximum number is exceeded, FSOCS will block or delete the document and report that an ExceedinglyInfected virus was found. The default value is 30.

Max Nested Compressed Files

Specifies the maximum nested depth for a compressed file. If this is exceeded, the entire file is deleted, and FSOCS sends a notification stating that an ExceedinglyNested virus was found. A value of zero represents that an infinite amount of nestings is permitted. The default value is 5.

Max Container Scan Time (msec) - IM

Specifies the number of milliseconds that the Realtime Scan Job or the IM Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. Intended to prevent denial-of-service risk from zip-of-death attacks. The default value is 120,000 milliseconds (two minutes).
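The container settings described above (Delete Corrupted Compressed Files, Delete Encrypted Compressed Files, Max Container File Infections, Max Nested Compressed Files, and Max Container Scan Time) all express one idea: a recursive walk of an archive that stops with a container-level verdict as soon as a bound is crossed. The following Python is an added example, not code from FSOCS or its documentation, that implements such a bounded walk over in-memory ZIP files and reports verdicts using the pseudo-virus names the page lists. Everything beyond the setting names and defaults taken from the page is an assumption for illustration: the TEST_MARKER byte string standing in for a real engine signature, the rule that the outer archive counts as depth 1, the helper names, and the patched "encrypted" flag used to build a sample that Python's zipfile module cannot otherwise produce. The per-file clean or delete action of the scan job is not modelled.

```python
"""Added example (not FSOCS code): bounded recursive ZIP scan with the
container limits from the General Options Scanning section."""
import io
import struct
import time
import zipfile
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for a real scan-engine signature (assumption): any
# non-archive member whose bytes contain it counts as one infection.
TEST_MARKER = b"CONSTRUCTED-TEST-INFECTION-MARKER"


@dataclass
class ScanLimits:
    """Subset of the Scanning settings, with the defaults the page gives."""
    max_container_infections: int = 5   # 0 = a single infection removes the container
    max_nested_compressed: int = 5      # 0 = unlimited nesting depth
    max_container_scan_ms: int = 120_000
    delete_encrypted_compressed: bool = False


@dataclass
class Verdict:
    result: str                 # "Clean", "Infected" or an FSOCS-style pseudo-virus name
    infections: int = 0
    max_depth: int = 0
    skipped_encrypted: int = 0  # entries no engine could scan


class _Stop(Exception):
    """Raised to abandon the walk with a container-level verdict."""


def scan_container(data: bytes, limits: Optional[ScanLimits] = None,
                   clock: Callable[[], float] = time.monotonic) -> Verdict:
    """Walk a ZIP container recursively, enforcing the limits.
    Depth counting is an assumption: the outer archive is depth 1."""
    limits = limits or ScanLimits()
    started = clock()
    verdict = Verdict("Clean")
    try:
        _walk(data, 1, limits, verdict, clock, started)
    except _Stop as stop:
        verdict.result = str(stop)
        return verdict
    if verdict.infections:
        verdict.result = "Infected"
    return verdict


def _walk(data, depth, limits, verdict, clock, started):
    if (clock() - started) * 1000 > limits.max_container_scan_ms:
        raise _Stop("ScanTimeExceeded")            # zip-of-death protection
    if limits.max_nested_compressed and depth > limits.max_nested_compressed:
        raise _Stop("ExceedinglyNested")
    verdict.max_depth = max(verdict.max_depth, depth)
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
        members = archive.infolist()
    except zipfile.BadZipFile:
        raise _Stop("CorruptedCompressedFile")     # does not conform to the format
    for info in members:
        if info.flag_bits & 0x0001:                # general-purpose bit 0 = encrypted
            if limits.delete_encrypted_compressed:
                raise _Stop("EncryptedCompressedFile")
            verdict.skipped_encrypted += 1         # cannot be scanned; passes through
            continue
        member = archive.read(info)
        if zipfile.is_zipfile(io.BytesIO(member)):
            _walk(member, depth + 1, limits, verdict, clock, started)
        elif TEST_MARKER in member:
            verdict.infections += 1
            if verdict.infections > limits.max_container_infections:
                raise _Stop("ExceedinglyInfected")


def make_zip(entries: dict) -> bytes:
    """Construct a stored ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_nested(depth: int, innermost: bytes = b"hello") -> bytes:
    """Wrap innermost in `depth` archives (depth 1 = a single archive)."""
    data = make_zip({"payload.txt": innermost})
    for level in range(2, depth + 1):
        data = make_zip({f"level{level}.zip": data})
    return data


def mark_first_entry_encrypted(zip_bytes: bytes) -> bytes:
    """Set flag bit 0 ('encrypted') on the first entry in both the local header
    (flags at +6) and the central directory (flags at +8). The data is only
    flagged, not encrypted: zipfile cannot write encrypted entries."""
    buf = bytearray(zip_bytes)
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature) + offset
        struct.pack_into("<H", buf, pos, struct.unpack_from("<H", buf, pos)[0] | 1)
    return bytes(buf)


if __name__ == "__main__":
    print(scan_container(make_zip({f"f{i}.txt": TEST_MARKER for i in range(6)})))
    print(scan_container(make_nested(7)))
    print(scan_container(mark_first_entry_encrypted(make_zip({"s.txt": b"x"}))))
```

Two points the walk makes visible: with Max Nested Compressed Files set to 0 the scanner descends without bound, which is why the time budget exists as a second line of defence, and an encrypted member is counted but never opened, so with Delete Encrypted Compressed Files disabled its contents reach the recipient unscanned.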

Internal Address

FSOCS can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address box in order to show who should be sent internal notifications. Domains should be entered as a semicolon-delimited list with no spaces (for example: contoso.com;fabrikam.com;fineartschool.net). Any change to this value is immediately reflected in virus notifications.

When entering a domain name in the Internal Address box, be aware that its subdomains are covered by the entry.

For example: domain.com includes subdomain.domain.com and subdomain2.domain.com.

Alternate domains, such as domain.net or domain.org, must be entered individually.

Values entered in the Internal Address box are used as a substring match of the end of an e-mail address. For example, the entry mple.com would consider someone@example.com and someone@abcdef123example.com to be internal addresses.

If you have a large number of domains to be used as internal addresses, enter them in an external file called Domains.dat, and leave the Internal Address field blank. Domains.dat was created as an empty file in the DatabasePath directory during installation. It is a text file into which you enter all your internal domains, each on a separate line. Unlike the Internal Address field, all subdomains must be entered individually.

In order to use the external Domains.dat file, you must change the value of the UseDomainsDat registry key to 1 (its default value is 0). For more about this key, see FSOCS registry keys.

Note

The Domains.dat file is reloaded at 02:00 (2:00 in the morning) each day. This is when any changes you make to the file take effect.

(For more information about internal addresses and notifications, see FSOCS event notifications.)
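As an added illustration (not code from the FSOCS product or its documentation), the following Python models the two matching rules described above: the end-of-address substring match used for the Internal Address box, and the per-line entries of Domains.dat selected by UseDomainsDat. The function names, the sample domains and addresses, and the reading of Domains.dat as an exact match of the domain part after the @ sign are assumptions for this example; the page states only that subdomains must be listed individually there.

```python
"""Added example (not FSOCS code): how an e-mail address is classified as
internal for notification purposes under the two configuration methods."""
from typing import Iterable, List, Set


def parse_internal_address(value: str) -> List[str]:
    """Split the Internal Address value on ';'. The page requires no spaces, so
    surrounding whitespace is stripped defensively; empty entries are dropped."""
    return [entry.strip().lower() for entry in value.split(";") if entry.strip()]


def parse_domains_dat(text: str) -> Set[str]:
    """One domain per line, blank lines ignored (constructed file contents)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def matches_internal_address(address: str, entries: Iterable[str]) -> bool:
    """Substring match on the END of the address, as the page describes: the
    entry 'domain.com' covers every subdomain, and 'mple.com' covers example.com."""
    address = address.strip().lower()
    return any(address.endswith(entry) for entry in entries)


def matches_domains_dat(address: str, domains: Set[str]) -> bool:
    """Exact match of the domain part (assumption about Domains.dat semantics)."""
    address = address.strip().lower()
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[1] in domains


def classify(address: str, internal_address: str = "", domains_dat: str = "",
             use_domains_dat: int = 0) -> str:
    """Return 'internal' or 'external' for one sender or recipient address.
    use_domains_dat mirrors the UseDomainsDat registry value (0 = box, 1 = file)."""
    if use_domains_dat == 1:
        internal = matches_domains_dat(address, parse_domains_dat(domains_dat))
    else:
        internal = matches_internal_address(address,
                                            parse_internal_address(internal_address))
    return "internal" if internal else "external"


# Constructed sample configuration and addresses.
INTERNAL_ADDRESS = "contoso.com;fabrikam.com"
DOMAINS_DAT = "contoso.com\nfabrikam.com\n"   # no sales.contoso.com line on purpose
SAMPLE_ADDRESSES = [
    "alice@contoso.com",
    "bob@sales.contoso.com",     # subdomain: covered by the box, not by the file
    "carol@notcontoso.com",      # merely ends with contoso.com: the box calls it internal
    "dave@fabrikam.net",         # alternate domain: must be listed explicitly
]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        by_box = classify(addr, internal_address=INTERNAL_ADDRESS)
        by_file = classify(addr, domains_dat=DOMAINS_DAT, use_domains_dat=1)
        print(f"{addr:26} box={by_box:9} domains.dat={by_file}")
```

The third sample address shows the consequence of the end-of-address rule: any domain that merely ends in contoso.com is classed as internal and would receive the internal notification text. When that distinction matters, Domains.dat, with its per-line entries, is the stricter of the two methods.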

Transport Notification Server section

The following table lists and describes the settings in the Transport Notification Server section of the General Options pane.

Setting Description

Transport Server

Specifies the Transport server to be used for Administrator email notifications and for delivering quarantined messages.

Username

Specifies a user with access rights to the designated Transport server. This optional name is displayed in the FROM field of the notification. If all the fields in this section (other than Transport Server) are blank, the following appears in the FROM field:

ForefrontServerSecurity@<computerName>.com

where <computerName> is the name of the server where Forefront is running.

Password

Specifies the password for the designated user. If this optional field is blank, there is no authentication for the specified user name.

IM Notification Agent

The following table lists and describes the settings in the IM Notification Agent section of the General Options pane.

Setting Description

Use ForefrontRTCProxy Service Credentials

Specifies whether the IM Notification Agent uses the ForefrontRTCProxy service account credentials instead of the custom credentials specified below. If this setting is enabled, the IM Notification Agent logs on to OCS with the same credentials as the ForefrontRTCProxy service account. It is enabled by default on non-Edge roles.

Transport

Select "TLS" or "TCP". It is recommended that you use TLS, a secure certificate-based connection channel. TCP is a non-secure connection channel.

Username

Specifies a user who is enabled for IM communications and who is therefore used to send IM notifications. Enter the username in the format domain\username.

Password

Specifies the password for the designated user. If this optional field is blank, there is no authentication for the specified user name. The password should match the password of the specified user to allow authentication into the organization’s Active Directory.

SIP URI

Specifies the SIP URI of the notification agent, as configured in the Active Directory.

Home or Pool Server

Specifies the server to which the user should connect in order to send instant messages. On Director and Front-end servers, this is the name of the pool where the user resides on the Standard Edition server. On the Edge, this is the hostname of the Director.

Data captured in the program log

The following types of information are available for logging:

  • Error—Generated when an error is detected.
  • Exception—Generated when an exception is caught.
  • Warning—Generated when a recoverable error is detected or when a monitored threshold is reached.
  • Informational—Generated when entering or exiting a significant process stage. It is also generated to indicate progress through a stage.
  • Diagnostic—Generated when additional detail needs to be recorded in the log.

General Options settings determine which of these types are logged. The log system supports three logging levels:

  • Diagnostic—All messages are written to the program log when the Enable Forefront Program Log and Additional IM General Options are both enabled.
  • Normal—All messages other than diagnostic are written to the program log when Enable Forefront Program Log is enabled, but Additional IM is not.
  • None—Logging is turned off when Enable Forefront Program Log is disabled.