Installing Forefront Security

Applies to: Forefront Security for Exchange Server

This release of Forefront Security for Exchange Server (FSE) supports local and remote installations on Exchange Server 2007 and local installations on these Exchange cluster configurations:

• Local Continuous Replication (LCR)

• Standby Continuous Replication (SCR)

• Cluster Continuous Replication (CCR)

• Single Copy Cluster (SCC)

The Forefront Security for Exchange Server setup wizards can be used to install the product to a local Exchange server, to a remote Exchange server, or as an Administrator-only installation to a local workstation. You can also install FSE in a Hyper-V virtual environment.

You must have administrative rights to the computer on which you are installing Forefront Security for Exchange Server. To begin the installation procedure, run Setup.exe from the directory containing the installation files.

System requirements

The following are the minimum server and workstation requirements for Forefront Security for Exchange Server.

Minimum server requirements

The following are the minimum server requirements.

• x64 Architecture-based computer with:

  • Intel Xeon or Intel Pentium Family processor that supports Intel Extended Memory 64 Technology (Intel EM64T) or

  • AMD Opteron or AMD Athalon 64 processor that supports AMD64 platform.

• Server software:

  • Microsoft Windows Server® 2003, Windows Small Business Server 2003, or Microsoft Windows Server 2008

  • Microsoft Exchange Server 2007 (Standard or Enterprise)

• 1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended).

  Note

  With each additional licensed scan engine, more memory is needed per scanning process.

• 2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.

• 1 gigahertz (GHz) Intel processor.

Minimum workstation requirements

The following are the minimum workstation requirements:

• Windows Server 2003, Windows® 2000 Professional, Windows XP, or Windows Vista

• 6 MB of available memory

• 10 MB of available disk space

• Intel processor, or equivalent

Installing on a local server

To install on a local Exchange server, you need to log on to the local computer using an account that has administrator rights. Click Next to continue after filling out a screen, unless otherwise directed.

To install Forefront Security for Exchange Server on a local server

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

2. The initial setup screen is Welcome. Click Next to continue.

3. Read the license at the License Agreement screen and click Yes to accept it.

4. On the Customer Information screen, enter User Name and Company Name, if needed.

5. On the Installation Location screen, select Local Installation.

6. On the Installation Type screen, select Full Installation.

7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

8. On the Quarantine Security Settings screen, select the desired setting.

   • Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.

   • Compatibility Mode enables messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.

9. On the Engine Updates Required screen, read the warning about engine updates.

10. If you use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.

    Note

    If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.

11. If the server you are installing to is an edge server you may be asked if you want FSE to enable Anti-Spam Updates. If you’ve never made any change to the Anti-Spam Updates setting on the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have made a change to that setting, you will not see it. If you do not enable Anti-Spam Updates during FSE installation, you can turn them on by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.

    Note

    If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, they will be disabled.

12. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

    Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server

13. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

    Default program folder: Microsoft Forefront Server Security\Exchange Server

14. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

15. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started or restarted, FSE cannot scan mail being sent or received.

16. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started, before clicking Next to continue.

17. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.

18. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started, before clicking Next to continue.

19. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

Installing on a remote server

To remotely install Forefront Security for Exchange Server on an Exchange server, you must log on to your local computer using an account that has administrator rights to the remote computer. Click Next to continue after filling out a screen, unless otherwise directed.

To install Forefront Security for Exchange Server on a remote server

1. The initial setup screen is Welcome. Click Next to continue.

2. Read the license at the License Agreement screen and click Yes to accept it.

3. On the Customer Information screen, enter User Name and Company Name, if needed.

4. On the Installation Location screen, select Remote Installation. If Forefront Security for Exchange Server is already installed on the remote Exchange server, this process can automatically stop the Exchange services, uninstall Forefront Security for Exchange Server, and restart the Exchange services prior to beginning the new installation.

5. On the Remote Server Information screen, enter the following:

   • Server Name. The name of the computer to which you are installing Forefront Security for Exchange Server.

   • Share Directory. The temporary location for the remote installation to use while setting up Forefront Security for Exchange Server. The default is C$.

6. On the Quarantine Security Settings screen, select the desired setting.

   • Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.

   • Compatibility Mode enables messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages delivered from Quarantine.

   For more information about this setting, see Reporting and statistics.

7. On the Engine Updates Required screen, read the warning about engine updates.

8. If you use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.

   Note

   If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.

9. At this point, Setup determines if Exchange is installed and running on the remote computer. If Exchange is not running, Setup gives you the option of starting the Exchange services. The Exchange services must be running for installation to continue.

10. If the server you are installing to is an edge server you may be asked if you want FSE to enable Anti-Spam Updates. If you’ve never made any change to the Anti-Spam Updates setting on the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have made a change to that setting, you will not see it. If you do not enable Anti-Spam Updates during FSE installation, you can turn them on by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.

    Note

    If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, they will be disabled.

11. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

14. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started or restarted, FSE cannot scan mail being sent or received.

15. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started, before clicking Next to continue.

16. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.

17. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started, before clicking Next to continue.

18. When you have been informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Administrator-only installation

Performing an Administrator-only installation installs the Microsoft Forefront Server Security Administrator onto any workstation or server, which can then be used to centrally manage the FSE service running on remote Exchange servers. Administrator-only installation requires approximately 2.5 MB of disk space.

To install the Administrator only

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

2. The initial setup screen is Welcome. Click Next to continue.

3. Read the license at the License Agreement screen and click Yes to accept it.

4. On the Customer Information screen, enter User Name and Company Name, if needed.

5. On the Installation Location screen, select Local Installation.

6. On the Installation Type screen choose Client - Admin Console Only.

7. If Microsoft Update is not enabled, the Use Microsoft Update to help keep your computer secure and up to date screen appears. If you select the option to use Microsoft Update, Setup will check to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, you are directed to get it at the end of the installation and complete the opt-in online.

8. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

   Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server

9. On the Select Program Folder screen, choose a program folder for Forefront.

   Default: Microsoft Forefront Server Security\Exchange Server

10. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

    On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

Guidelines for installing FSE in a Hyper-V virtual environment

FSE supports the Hyper-V platform. Hyper-V is a hypervisor-based server virtualization technology that enables you to consolidate multiple server roles as separate virtual machines running on a single physical machine. For more information about Hyper-V, see the Hyper-V and Virtualization TechCenter.

The deployment, configuration, and operation of FSE are the same in Hyper-V virtual server environments as on physical servers. This section provides guidelines for installing FSE in a Hyper-V virtual environment.

Verifying system requirements for using FSE in a Hyper-V environment

The minimum server and client requirements for FSE are essentially the same when installing in a virtual Hyper-V environment as on a physical server. For information about FSE system requirements, see System Requirements.

However, the application, operating system, and hardware platform versions must be supported by Microsoft Exchange Server on the Hyper-V platform. For details about Exchange Server support recommendations on Hyper-V, see Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments. For another resource to see if your virtualization configuration is supported, you can access the Virtualization Support Wizard at the following URL: https://go.microsoft.com/fwlink/?LinkId=157617

About FSE virtualization guidelines:

Once the requirements for running Exchange Server in a Hyper-V environment are met, the following guidelines must be followed for the host computer:

• The host computer must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and the host computer should be deployed with only the virtualization role.

• Memory and CPU intensive applications should not be run on the same host computer as the guest hypervisor.

• File-level antivirus scanning should be disabled on directories hosting the guest virtual hard drives (VHD). For more information, see "Third-party file-level antivirus programs" in Exchange Introduction.

The following are guidelines for the guest computer on which FSE will be installed:

• The size of the guest .vhd file must be a fixed value. Predefining the size of the .vhd file ensures that the host computer does not run out of hard drive space.

• For performance reasons, it is recommended that you choose Small Computer System Interface (SCSI) or Internet SCSI-based (iSCSI) storage in order to host the FSE database, preferably separately from the guest operating system.

• File-level antivirus scanning should exclude all necessary Exchange and FSE directories. For more information, see "Third-party file-level antivirus programs" in Exchange Introduction.

• Snapshots in guest virtual machines are strongly discouraged and are not supported.

Tuning performance

Adding FSE increases the resources utilized by your Exchange environment. To ensure that your virtual environment can handle the anticipated load from Exchange and FSE, it is recommended that you measure the performance counters before and after installing FSE.

Based on the differences in the performance data from before and after the FSE installation, you may want to adjust your virtual hardware requirements. This can include allocating more memory, CPU affinity, and improved disk I/O. Memory and CPU utilization are usually the most heavily impacted by FSE.

Optimizing guest and host operating system settings

Because guest and host operating system settings such as video, sound cards, floppy disk drives, and virtual hardware require resources, it is recommended that you configure all nonessential items for "best performance." If you are not using it, you may also want to consider disabling or removing any nonessential item. This helps optimize performance in general of both the guest and host computers.

About process counts

Be cautious when adjusting the number of processes you want running per server for the FSE scan jobs (transport or realtime scan jobs only), as this can quickly deplete memory resources in your guest virtual machine. For example, transport scanning is set by default to 4 process counts. If all 4 are in use, then the number of selected scan engines is multiplied by the number of transport processes in use plus the size of the files being scanned. For example, if you are using the default transport process count of 4, the maximum of 5 scan engines for the transport scan job, and each engine is using 100 megabytes (MB) of memory, then you can estimate the overall memory utilization by using the following computation:

4 (transport processes) x 5 (scan engines) x 100 (MB) + file sizes of scanned attachments = memory utilization

Memory is quickly exhausted if you increase the transport or realtime process counts, add more scan engines, and increase the bias. In most cases, the default number of process counts is adequate; however, you should consult Transport Scan Job and Realtime Scan Job for more information on fine tuning these settings. Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.

Installing to multiple servers

The Microsoft Forefront Server Security Management Console (FSSMC) should be used to install Forefront Security for Exchange Server to multiple Exchange servers. For complete installation instructions, see the Microsoft Forefront Server Security Management Console User Guide.

Initial scanning

When FSE is first installed, all mail up to one day old is scanned. (A registry key called OnAccessCutoff has an initial value of 24 hours). Each day, FSE adds 24 hours to the OnAccessCutoff value, so that progressively older and older mail is scanned. Mail that is older than the current value of OnAccessCutoff is not scanned, even if accessed. This keeps your system from being overwhelmed by the initial scan when FSE is installed.

Post-installation security consideration

When you install Forefront Security for Exchange Server, it is configured to permit everyone access to FSCController. To restrict access to FSCController, use DCOMCNFG to modify the security settings. For more information about securing access to FSCController, see "Securing the service from unauthorized use" in Forefront Security for Exchange Server Services.

Upgrading

You can upgrade prior versions of Forefront Security for Exchange Server 10.0 to SP1 without uninstalling the older version. (You must uninstall versions older than 10.0 in order to upgrade to SP1.)

If Exchange Server 2007 has already been upgraded, you do not need to uninstall a 10.0 version of FSE. If you are upgrading both FSE and Exchange Server, upgrade FSE first. It is not necessary to upgrade Exchange Server in order to upgrade FSE. If, however, you are upgrading Exchange 2007 to Exchange 2007 SP1, FSE must also be upgraded to SP1, and then disabled during the Exchange upgrade, or it will no longer function correctly. Your configuration settings remain intact.

When you start the upgrade installation, Setup detects the old version and asks you to confirm the upgrade. You are asked if you want to stop the Exchange Information Store, the Exchange Transport Service, the Microsoft Operations Manager (MOM), and the Performance Logs and Alerts Service. All these services will be stopped, updated, and started again, without the need for restarting the server.

During an upgrade, the only setting that can be changed is the Installation Mode (Secure Mode or Compatibility Mode).

Uninstalling

To uninstall Forefront Security for Exchange Server, log on to the computer on which it is installed.

To uninstall Forefront Security for Exchange Server

1. Ensure that the Forefront Server Security Administrator is not running.

2. Open Services in the Control Panel.

3. Stop the FSCController service. This causes the Microsoft Exchange Transport Service and Microsoft Exchange Information Store to be stopped also.

4. When all these services have stopped, close the Services dialog box.

5. Open Add or Remove Programs in the Control Panel.

6. Remove Microsoft Forefront Security for Exchange Server. Click Yes to confirm the deletion.

7. At the Uninstall Complete screen, click Finish.

8. Any settings that you have made still remain in .fdb files in the Microsoft Forefront Security folder in Program Files(x86) (or whatever folder you installed to). Additionally, the incidents and quarantine database files remain, as well as Statistics.xml. If you will be reinstalling FSE and want to retain those settings, do nothing. If you will not be reinstalling FSE or if you want to start with fresh settings, delete that folder.

9. If you are not planning to re-install Forefront Security for Exchange Server, restart the stopped Exchange services.

Applying Exchange and FSE service packs and rollups

This section describes how to apply Exchange and FSE service packs and rollups. For cluster installations, follow the instructions in Installing FSE on a cluster in the “Microsoft Forefront Security for Exchange Server Cluster Installation Guide”.

To install an Exchange service pack or rollup

1. Disable FSE using the steps described in The FSC utility.

2. Follow the instructions provided with the specific service pack or rollup that you are installing.

3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing.

4. Enable FSE using the steps described in The FSC utility.

To install an FSE service pack or rollup

1. Run the installer by double-clicking the service pack or rollup executable file.

   Note

   While the installer is running, the Exchange and FSE services are stopped, and your mail flow is temporarily halted.

2. After the installation is complete and the Exchange and FSE services have been restarted (this occurs automatically during the installation), verify that FSE is working properly.

   Note

   FSE service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Product licensing information

After you have activated your product, you can enter licensing information (which can be obtained from Microsoft Sales).

These are the reasons to license your product:

• You can align when your product expires with your license agreement (otherwise, the expiration is three years from the installation date).

• You can easily renew your license by entering a new expiration date.

To license FSE, select Register Forefront Server from the Help menu. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product License Agreement and Expiration dialog box appears. If you have activated FSE, only the Product Licensing Agreement and Expiration dialog box appears.

Enter your 7-digit License Agreement Number and then an expiration date. You should enter a date that corresponds to the expiration of your license agreement, to coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.

Evaluation version

Microsoft provides a fully functional version of Forefront Security for Exchange Server for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version.

After 120 days, the evaluation version of FSE continues to operate and report detected files. It does, however, cease to clean, delete, and purge files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled and scan engines no longer update.

To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Register Forefront Server from the Help menu.