Installing Forefront Security for SharePoint

  • Article

 

Applies to: Forefront Security for SharePoint

Forefront Security for SharePoint (FSSP) supports local and remote installations. The setup wizards can be used to install the product to a local SharePoint Portal Server or Windows SharePoint Services site, to a remote SharePoint Portal Server or Windows SharePoint Services site, or as an Administrator-only installation to a local workstation. You can also install FSSP in a Hyper-V virtual environment.

The Virus Scanning Application Programming Interface (VSAPI) hook dynamic-link library (DLL) will be loaded into the W3wp.exe process (World Wide Web Publishing Service) address space and any applications using the SharePoint object model.

Important

All of these processes should be stopped prior to installation or upgrade of Forefront Security for SharePoint.

A remote install will exit if any of the applications are using the Forefront Security for SharePoint VSAPI DLL.

System requirements

The following are the minimum server and workstation requirements for Forefront Security for SharePoint.

Note

Forefront Security for SharePoint does not support Windows clustering but does support network load balancing (NLB). For more information, consult your SharePoint deployment documentation.

Minimum server requirements

The following are the minimum server requirements:

  • Dual-processor computer with 1 gigabyte (GB) of free memory (2 GB is recommended) and a clock speed of 2.5 gigahertz (GHz)
  • Microsoft Windows Server® 2003 (Standard, Enterprise, Datacenter, or Web Edition), with Service Pack 1
  • Microsoft Windows Workflow Foundation Runtime Components
  • Microsoft .NET Framework 2.0
  • Internet Information Services (IIS) in IIS 6.0 worker process isolation mode
  • NTFS file system
  • Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services version 3
  • 550 megabytes (MB) of available disk space
  • Intel processor, or equivalent

Minimum workstation requirements

The following are the minimum workstation requirements:

  • Microsoft Windows Server 2003, Windows XP Professional, or Windows Vista
  • 6 MB of available memory
  • 10 MB of available disk space
  • Intel processor, or equivalent

Installing on a local server

Forefront for SharePoint is always installed on your SharePoint front-end or stand-alone server. To install Forefront Security for SharePoint on a local SharePoint Portal Server computer or on a computer running Windows SharePoint Services (formerly known as SharePoint Team Services), you will need to log on to the local computer using an account that has administrator rights (so that Setup can perform necessary service registrations). FSSP uses Hot Upgrade technology, which allows first-time installs of FSSP on SharePoint or Windows SharePoint Services servers to be performed without stopping and restarting the SharePoint or Windows SharePoint Services services. Click Next to continue after filling out a screen, unless otherwise directed.

To install Forefront Security for SharePoint on a local SharePoint server

  1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

  2. The initial setup screen is Welcome. Click Next to continue.

  3. Read the license at the License Agreement screen and click Yes to accept it..

  4. On the Customer Information screen, enter User Name and Company Name, if needed.

  5. On the Installation Location screen, select Local Installation.

  6. On the Installation Type screen, select Full Installation. Setup verifies that SharePoint Portal Server or Windows SharePoint Services is installed.

  7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

  8. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

    Default - 64-bit architecture:

    C:\Program Files(x86)\Microsoft Forefront Security\SharePoint

    Default - 32-bit architecture:

    C:\Program Files\Microsoft Forefront Security\SharePoint

  9. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

    Default program folder: Forefront Security for SharePoint

  10. Enter the account to be used for remote SharePoint database access. This account must be a member of the local Administrators group on which SharePoint Portal Server is installed (one who is a local administrator on the Web server and who has System Administrator rights on the database server). You cannot use the default "Administrator" account. The user name must be entered in the following format:

    <domain or server name\user name>

  11. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

  12. After installation is complete, Setup can stop and restart the SharePoint services automatically. This must be done for FSSP to become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started or restarted, FSSP cannot scan files.

  13. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you do not have the correct version of the Windows Update Agent, you are presented with an option to be directed to a site to obtain it. Click Finish to complete the installation.

Installing on a remote server

To install Forefront Security for SharePoint on a remote SharePoint Portal Server computer or on a computer that has Windows SharePoint Services, you must log on to your local computer using an account that has administrator rights to the remote computer. This is necessary for Setup to be able to perform service registrations. Click Next to continue after filling out a screen, unless otherwise directed.

Note

Since the SMB protocol is used to copy the service to the remote server, you should ensure that you are working over a secure network.

To install Forefront Security for SharePoint on a remote SharePoint server

  1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

  2. The initial setup screen is Welcome. Click Next to continue.

  3. Read the license at the License Agreement screen and click Yes to accept it..

  4. On the Customer Information screen, enter User Name and Company Name, if needed.

  5. On the Installation Location screen, select Remote Installation. If FSSP is already installed on the remote SharePoint Portal Server or Windows SharePoint Services computer, the install process can automatically stop the SharePoint services, uninstall FSSP, and restart the SharePoint services prior to beginning the new installation.

  6. On the Remote Server Information screen, enter the following:

    1. Server Name. The name of the computer to which you are installing Forefront Security for SharePoint.
    2. Share Directory. The temporary location for the remote installation to use while setting up Forefront Security for SharePoint. The default is C$.

    At this point, Setup will determine if SharePoint Portal Server or Windows SharePoint Services is installed on the remote computer.

  7. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

    Default - 64-bit architecture:

    C:\Program Files(x86)\Microsoft Forefront Security\SharePoint

    Default - 32-bit architecture:

    C:\Program Files\Microsoft Forefront Security\SharePoint

  8. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

    Default program folder: Forefront Security for SharePoint

  9. Enter the account to be used for remote SharePoint database access. This account must be a member of the local Administrators group on which SharePoint Portal Server is installed (one who is a local administrator on the Web server and who has System Administrator rights on the database server). You cannot use the default "Administrator" account. The user name must be entered in the following format:

    <domain or server name\user name>

  10. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

  11. After installation is complete, Setup can stop and restart the SharePoint services automatically. This must be done for FSSP to become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started or restarted, FSSP cannot scan files.

  12. When you are informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Administrator-only installation

Performing an Administrator-only installation installs the Microsoft Forefront Server Security Administrator onto any workstation or server, which can then be used to centrally manage the FSSP service running on remote SharePoint servers. Administrator-only installation requires approximately 11 MB of disk space.

To install the Administrator only

  1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.

  2. The initial setup screen is Welcome. Click Next to continue.

  3. Read the license at the License Agreement screen and click Yes to accept it..

  4. On the Customer Information screen, enter User Name and Company Name, if needed.

  5. On the Installation Location screen, select Local Installation.

  6. On the Installation Type screen, select Client - Admin console only.

  7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.

  8. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.

    Default - 64-bit architecture:

    C:\Program Files(x86)\Microsoft Forefront Security\SharePoint

    Default - 32-bit architecture:

    C:\Program Files\Microsoft Forefront Security\SharePoint

  9. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.

    Default program folder: Forefront Security for SharePoint

  10. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

  11. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you do not have the correct version of the Windows Update Agent, you are presented with an option to be directed to a site to obtain it. Click Finish to complete the installation.

Guidelines for installing FSSP in a Hyper-V virtual environment

Microsoft Forefront Security for SharePoint (FSSP) supports the Hyper-V platform. Hyper-V is a hypervisor-based server virtualization technology that enables you to consolidate multiple server roles as separate virtual machines running on a single physical machine. For more information about Hyper-V, see the Hyper-V and Virtualization TechCenter.

The deployment, configuration, and operation of FSSP are the same in Hyper-V virtual server environments as on physical servers. This section provides guidelines for installing FSSP in a Hyper-V virtual environment.

Note

FSSP is also approved for any hypervisor-based virtualization technology certified under the Microsoft Server Virtualization Validation Program.

Verifying system requirements for using FSSP in a Hyper-V environment

The minimum server and client requirements for FSSP are essentially the same when installing in a virtual Hyper-V environment as on a physical server. For details about FSSP system requirements, see System Requirements.

However, the application, operating system, and hardware platform versions must be supported by Microsoft Office SharePoint Server on the Hyper-V platform. For details about Office SharePoint Server support recommendations on Hyper-V, see Hardware virtualization support for SharePoint products and technologies. For another resource to see if your virtualization configuration is supported, you can access the Virtualization Support Wizard at the following URL: https://go.microsoft.com/fwlink/?LinkId=157617.

About FSSP virtualization guidelines:

Once the requirements for running SharePoint Server in a Hyper-V environment are met, the following guidelines must be followed for the host computer:

The following are guidelines for the host computer:

  • The host computer must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and the host computer should be deployed with only the virtualization role.
  • Memory and CPU intensive applications should not be run on the same host computer as the guest hypervisor.
  • File-level antivirus scanning should be disabled on directories hosting the guest virtual hard drives (VHD). For more information, see "Third-party file-level antivirus programs" in SharePoint Introduction.

The following are guidelines for the guest computer on which FSSP will be installed:

  • The size of the guest .vhd file must be a fixed value. Predefining the size of the .vhd file ensures that the host computer does not run out of hard drive space.
  • For performance reasons, it is recommended that you choose Small Computer System Interface (SCSI) or Internet SCSI-based (iSCSI) storage in order to host the FSSP database, preferably separately from the guest operating system.
  • File-level antivirus scanning should exclude all necessary SharePoint and FSSP directories. For more information, see "Third-party file-level antivirus programs" in SharePoint Introduction.
  • Snapshots in guest virtual machines are strongly discouraged and are not supported.

Note

You may encounter network bottlenecks if you are running more than one guest computer and the host computer only has a single network card. You should add a second network card and create an additional Virtual Network adapter. Network bottlenecks may also occur if you are running more than one guest computer and the host computer only has a single hard drive. Ideally, each VHD should be on its own hard drive to prevent slowdowns due to multiple computers accessing the same physical hard drive.

Tuning performance

Adding FSSP increases the resources utilized by your SharePoint environment. To ensure that your virtual environment can handle the anticipated load from SharePoint and FSSP, it is recommended that you measure the performance counters before and after installing FSSP.

Based on the differences in the performance data from before and after the FSSP installation, you may want to adjust your virtual hardware requirements. This can include allocating more memory, CPU affinity, and improved disk I/O. Memory and CPU utilization are usually the most heavily impacted by FSSP.

Note

For more information on using performance counters, see Performance and Reliability Monitoring Step-by-Step Guide for Windows Server 2008 or Windows Server 2003 Performance Counters Reference.

Optimizing guest and host operating system settings

Because guest and host operating system settings such as video, sound cards, floppy disk drives, and virtual hardware require resources, it is recommended that you configure all nonessential items for "best performance." If you are not using it, you may also want to consider disabling or removing any nonessential item. This helps optimize performance in general of both the guest and host computers.

About process counts

Be cautious when adjusting process counts (realtime scan jobs only), as this can quickly deplete memory resources in your guest virtual machine. For example, realtime scanning is set by default to 3 process counts. If all 3 are in use, then the number of selected scan engines is multiplied by the number of realtime processes in use plus the size of the files being scanned. For example, if you are using the default realtime process count of 3, the maximum of 5 scan engines for the realtime scan job, and each engine is using 100 megabytes (MB) of memory, then you can estimate the overall memory utilization by using the following computation:

3 (realtime processes) x 5 (scan engines) x 100 (MB)+ file sizes of scanned attachments = Memory utilization

Note

This is an example only and real world results may vary.

If you increase the realtime process counts, add more scan engines, and increase the bias, memory is quickly exhausted. In most cases, the default number of process counts is adequate; however, you should consult SharePoint Realtime Scan Job for more information on fine tuning these settings. Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.

Post-installation security consideration

When you install Forefront Security for SharePoint, it is configured to permit everyone access to FSCController. To change the security settings to restrict access to FSCController, use DCOMCNFG to modify the security settings. For more information about securing access to FSCController, see Forefront Security for SharePoint services.

Installing to multiple servers

The Microsoft Forefront Server Security Management Console (FSSMC) should be used to install Forefront Security for SharePoint to multiple SharePoint servers. For complete installation instructions, see the "Microsoft Forefront Server Security Management Console User Guide".

Command line parameters for Setup.exe

While Setup.exe is designed to work by just double-clicking it, there are parameters that can be used to launch it from a command prompt.

The self-extracting Setup.exe

The initial Setup.exe is a self-extracting file that places all the files needed for installation in a default folder. If you want to change that folder, you can invoke Setup.exe as follows:

Setup /xPrompt for the target path

Setup /x:pathUse the given target path.

Note

If the given target path has spaces, you must use quotes around it. For example:
Setup /x:"c:\Program Files(x86)\Microsoft Forefront"

Important

The target path cannot be the same folder where setup.exe resides.

The installation Setup.exe

Once all the installation files have been extracted, you can double-click the extracted setup.exe, or enter it at a command prompt with the optional k (license key) parameter:

Setup /klicense_keyIndicate the license key.

For example: Setup /k00000-00000-00000-00000-00000

Upgrading

You can upgrade prior versions of Forefront Security for SharePoint 10.0 to SP2 without uninstalling the older version. (You must uninstall versions older than 10.0 in order to upgrade to SP2.)

If the SharePoint server is upgraded, you do not have to uninstall a 10.0 version of FSSP. If you are upgrading both FSSP and SharePoint server, upgrade FSSP first. It is not necessary to upgrade SharePoint server in order to upgrade FSSP.

Note

When upgrading Forefront Security for SharePoint, all scan jobs have their template settings configured to none, to prevent users from inadvertently overwriting existing settings. To deploy templates, you need to change this setting on each server to default or a named template. For more information about configuring scan job template settings, see SharePoint Templates.

Upgrading an installation only requires that you provide the password for the user account that the FSSP services run under. (For security reasons, FSSP does not store this.) When you upgrade, FSSP retains all of your previous settings, and additional features may be added, based on your environment.

When you start the upgrade installation, Setup detects the old version and asks you to confirm the upgrade. You are asked if you want to stop the Microsoft Operations Manager (MOM) and the Performance Logs and Alerts Service. All these services will be stopped, disabled, enabled, and started again, without the need for restarting the server.

Hot Upgrade

The Microsoft Hot Upgrade technology allows you to apply most upgrades to FSSP without the need to stop or recycle the SharePoint services.

However, if critical files need to be upgraded, the services must be recycled after the upgrade. In that case, you are given the opportunity to recycle the services after the upgrade or stop the upgrade if you do not want the services to be recycled at that time.

Applying SharePoint and FSSP service packs and rollups

This section describes how to apply SharePoint and FSSP service packs and rollups.

To install a SharePoint service pack or rollup

Follow the instructions provided with the specific service pack or rollup that you are installing.

Note

Some SharePoint service packs and hotfixes require you to download and install an FSSP update in order to ensure that FSSP operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.

To install an FSSP service pack or rollup

  1. Run the installer by double-clicking the service pack or rollup executable file.

    Note

    While the installer is running, the SharePoint and FSSP services are stopped, and documents will not be uploaded.

  2. After the installation is complete and the SharePoint and FSSP services have been restarted (this occurs automatically during the installation), verify that FSSP is working properly.

Note

FSSP service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Relocating Forefront Security for SharePoint data files

Forefront Security for SharePoint stores program settings as well as scanning activity information (including the Quarantine Area) on the file system. If you want, you can relocate these files at any time after installation. For complete instructions, see the Moving the Databases section of SharePoint reporting and statistics.

Uninstalling Forefront Security for SharePoint

To uninstall Forefront Security for SharePoint, log on to the computer on which it is installed.

To uninstall Forefront Security for SharePoint

  1. Ensure that the Forefront Server Security Administrator is not running.

  2. Open Services in the Control Panel.

  3. Stop the FSCController service. This causes the SharePoint services to be stopped also.

  4. When all these services have stopped, close the Services dialog box.

  5. Open Add or Remove Programs in the Control Panel.

  6. Remove Microsoft Forefront Security for SharePoint. Click Yes to confirm the deletion.

  7. At the Uninstall Complete screen, click Finish.

  8. Any settings that you have made still remain in .fdb files in the Microsoft Forefront Security folder in Program Files(x86) (for 64-bit installations), Program Files (for 32-bit installations), or whatever folder you installed the product to. Additionally, the incidents and quarantine database files remain, as well as Statistics.xml. If you will be reinstalling FSSP and want to retain those settings, do nothing. If you will not be reinstalling FSSP or if you want to start with fresh settings, delete that folder.

  9. If you are not planning to re-install Forefront Security for SharePoint, restart the stopped SharePoint services.

Evaluation version

Microsoft provides a fully functional version of Forefront Security for SharePoint for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version.

After 120 days, the evaluation version of FSSP continues to operate and report detected files. It does, however, cease to clean and delete files (that is, the action for all virus detection is reset to Skip: detect only. All file and keyword filters also have their actions set to Skip: detect only.

To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Register Forefront Server from the Help menu.

Product licensing information

After you have activated your product, you can enter licensing information (which can be obtained from Microsoft Sales).

These are the reasons to license your product:

  • You can align when your product expires with your license agreement (otherwise, the expiration is three years from the installation date).
  • You can easily renew your license by entering a new expiration date.

To license FSSP, select Register Forefront Server from the Help menu. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product Licensing Agreement and Expiration dialog box appears. If you have activated FSSP, only the Product License Agreement and Expiration dialog box appears.

Enter your 7-digit License Agreement Number and then an expiration date. You should enter a date that corresponds to the expiration of your license agreement, to coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.