FSOCS event notifications

 

Applies to: Forefront Security for Office Communications Server

Event notifications keep users informed about changes made to their messages and attachments by virus cleaning and file filtering, and about infections that remain when a virus is detected but not cleaned. Event notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

In OCS 2007 and OCS 2007 R2 Enterprise Edition deployment topologies where support for external users is configured, the administrator can specify whether external users receive notifications of various detected events by enabling the notifications for those roles. Users are identified as external if the SIP domain associated with their SIP URI does not match the SIP domain where FSOCS is installed.

Note

The notification account should not be used to log in via Communicator. This account should be treated as an administrative service account only. Messages that are sent to and from this account bypass the FSOCS scan engines and are not scanned.

How notifications are sent

Microsoft Forefront Security for Office Communications Server (FSOCS) utilizes both IM and Simple Mail Transfer Protocol (SMTP) messaging for notification purposes. SMTP (e-mail) notifications are for IM Administrators only. All other users receive instant messages.

The settings for SMTP messaging are configured in the Forefront Server Security Administrator (in the Transport Notification Server section of General Options).

FSOCS uses the ForefrontNotificationAgent to send IM notifications. The ForefrontNotificationAgent is configured during the installation procedure, when the administrator specifies the Session Initiation Protocol (SIP) Uniform Resource Identifier (URI), SIP server/pool, and transport type. These three settings can be modified, if necessary, by editing the following three registry keys:

  • NotificationAgentSIPUri (for SIP URI)
  • NotificationAgentSIPServer (for SIP server/pool)
  • NotificationAgentSIPServerTransportType (for Transport type)

The NotificationAgentSIPUri should correspond to the URI of the user whose account is being used to run the ForefrontRTCProxy service.

Configuring notifications

There are various types of notification messages, and each can be individually configured.

To configure notifications

  1. In the Shuttle Navigator, in the REPORT area, select Notification. The Notification Setup pane appears.

    The top pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. For more information about each of the roles, see Notification roles.

  2. In the Notification Setup pane, enable those notifications that are to be in effect. (For more information, see Enabling and disabling a notification.)

    Note

    Scan job configurations control whether a scan job sends any enabled notifications.

  3. Make the desired changes to the notifications that are to be enabled, and then click Save. For more information, see Editing a notification.

Notification roles

The following list describes the various notification roles. Typically, each notification is used for reporting the who, what, where, and when details of the infection or the filtering performed, including the disposition of the virus or the attachment.

  • IM Administrators—Alerts administrators of all viruses and filter matches detected on a server being protected by FSOCS. These notifications are sent via e-mail.
  • IM Sender (internal)—Alerts the sender of the infection or filter match if the sender is an IM user in your organization. The typical message includes the following:
    • Help in determining the extent of infection on the user's own computer
    • Who to call
    • How to proceed
      These notifications are sent via an IM message.
  • IM Sender (external)—Alerts the sender of the infection or filter match, if the sender is not an IM user in your organization. These notifications are sent via an IM message.
  • IM Recipients (internal)—Alerts the recipient of the infection or filter match, if the recipient is an IM user in your organization. The typical message includes the following:
    • Help in determining the extent of infection on the user's own computer
    • Who to call
    • How to proceed
      These notifications are sent via an IM message.
  • IM Recipients (external)—Alerts the recipient of the infection or filter match, if the recipient is not an IM user in your organization. These notifications are sent via an IM message.
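
The role selection described above, as an added example that is not part of the original documentation and is not FSOCS code: it applies the external-user rule (SIP domain mismatch) and the channel rule (SMTP for IM Administrators, IM for everyone else) to one detection event. The function names, the exact-match domain comparison, and the sample domains are assumptions made for illustration.

```python
# Added illustration of the documented rules; this is not FSOCS code.
ADMIN_ROLE = "IM Administrators"

def sip_domain(uri):
    """Return the lower-cased SIP domain of a sip:/sips: URI."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    user, at, host = rest.partition("@")
    for delim in (";", "?", ":"):  # drop URI parameters, headers, port
        host = host.split(delim, 1)[0]
    if not user or not at or not host:
        raise ValueError(f"SIP URI lacks user@domain: {uri!r}")
    return host.lower().rstrip(".")

def is_external(uri, internal_domains):
    """External = SIP domain does not match an internal domain.
    Assumption: exact, case-insensitive match; subdomains do not count."""
    return sip_domain(uri) not in {d.lower() for d in internal_domains}

def notifications_for(sender, recipients, internal_domains, enabled_roles):
    """List (role, channel, target) for one virus or filter detection."""
    out = []
    if ADMIN_ROLE in enabled_roles:
        out.append((ADMIN_ROLE, "SMTP", None))  # administrators get e-mail only
    for kind, uris in (("IM Sender", [sender]), ("IM Recipients", recipients)):
        for uri in uris:
            scope = "external" if is_external(uri, internal_domains) else "internal"
            role = f"{kind} ({scope})"
            if role in enabled_roles:  # disabled roles produce nothing
                out.append((role, "IM", uri))
    return out

# Constructed sample: external sender, one internal and one external recipient.
INTERNAL = {"contoso.example"}
ENABLED = {ADMIN_ROLE, "IM Sender (internal)", "IM Recipients (internal)",
           "IM Recipients (external)"}  # "IM Sender (external)" left disabled
SAMPLE = notifications_for(
    "sip:eve@partner.example;transport=tls",
    ["SIP:Bob@Contoso.Example", "sips:carol@partner.example:5061"],
    INTERNAL, ENABLED)

if __name__ == "__main__":
    for row in SAMPLE:
        print(row)
```

Because the external sender role is disabled in the sample, the sender receives nothing, while the administrator and both recipients are notified.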

Configuring internal addresses

Internal addresses must be identified in FSOCS so that the proper notifications can be sent to senders and recipients. Internal addresses are configured with the Internal Address option in the General Options pane or by use of the Domains.dat file. For information about configuring internal addresses, see the "General Options" section in FSOCS Forefront Server Security Administrator.

Enabling and disabling a notification

The Enable and Disable buttons in the Notification Setup pane permit you to enable or disable any selected notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save.

Note

The IM Scan Job configuration controls how enabled notifications are sent.

Editing a notification

The changes that are made to the lower portion of the Notification Setup pane apply to the notification role currently selected in the notification list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a notification and try moving to another notification role or shuttle icon without saving the changes, you are prompted to save or discard your changes. All changes take effect immediately when saved.

All fields can use keyword substitution macros. For more information, see FSOCS keyword substitution macros.

The following are the fields that can be edited:

Field | Description
To | A semicolon-separated list of people and groups who will receive the notification. This list can include names, aliases, groups, and keyword substitution macros.
Cc | A semicolon-separated list of people and groups who will receive cc copies of the notification. This list can include names, aliases, groups, and keyword substitution macros.
Bcc | A semicolon-separated list of people and groups who will receive bcc copies of the notification. This list can include names, aliases, groups, and keyword substitution macros.
Subject | The message that will be sent on the subject line of the notification. This field can include keyword substitution macros.
Body | The message that will be sent as the body of the notification. This field can include keyword substitution macros. (Administrators may also include the MIME headers in this field by inserting the %MIME% macro.)