FSOCS templates

 

Applies to: Forefront Security for Office Communications Server

When Microsoft Forefront Security for Office Communications Server (FSOCS) is installed, it creates default templates for the IM Scan Job, scan engines, and notifications. The IM Scan Job is configured to use the values in the default templates. Administrators can also create templates for file-filter settings, content-filter settings, and additional scan-job templates, as needed. (These are called named templates.) Templates are useful for the following:

  • Controlling the configuration of FSOCS on multiple servers from a central location.
  • Controlling the configuration of scan jobs and other functions at installation.
  • Defining configuration settings for newly mounted storage groups.

The Template.fdb file contains the following default templates:

  • An IM Scan Job template.
  • Notification templates for each of the default notifications.
  • Scanner update templates for each scan engine that is installed on the current system.

To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates.

To view templates in the Forefront Server Security Administrator

  • Click File, click Templates, and then click View Templates. This causes the default and named templates to be displayed in the various panes.

Note

The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSCController starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If they both do not exist, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.

Template uses

Templates are used to control configuration settings of all FSOCS servers.

After a Template.fdb file is created on one server, that file can be copied to other servers and used to configure those servers. This can be done via the FSCStarter command. For more information about FSCStarter, see Deploying named templates.

Creating a named template

To use named templates, you must create them and associate them with scan jobs.

To create a named template and associate it with a scan job

  1. Click File, click Templates, and then click New.

  2. In the New Template dialog box, select the type of template you would like to create, IM or Filter Set. For more information about filter set templates, see "Filter set templates" in FSOCS content filtering. For more information about the different types of templates, see Using named templates.

  3. In the Name box, enter a name for the template, and then click OK. The new template is created and becomes a choice in both of the following locations:

    • In the list at the top of the pane
    • In the Template Settings pane, at the bottom, in the Template list
  4. In the list in the top of the pane, click your new template. If the templates are not visible, you can display them by clicking File, clicking Templates, and then clicking View Templates.

    Note

    If you have many templates, you may want to hide them to simplify the display.

  5. Navigate to the appropriate location in order to configure the template. For example, if you have created an IM template, in the Shuttle Navigator, in the SETTINGS section, select Antivirus Job, and then configure the template as you would an IM Scan Job. Click Save when you are done.

  6. For a scan job to use a template, the template must be associated with that scan job. To associate it, follow these steps:

    1. Open the Forefront Server Security Administrator.
    2. In the Shuttle Navigator, in the SETTINGS section, select Templates.
    3. In the top of the pane, in the list, click the IM Scan Job.
    4. In the bottom of the pane, in the Template list, select the desired template, click Load From Template, and then click Save.
    5. The scan job’s settings are reconfigured to those in the selected template.
  7. To distribute new template to remote servers, use the FSCStarter command. For more information about FSCStarter, see Deploying named templates.

Renaming or deleting a named template

You can rename or delete any of your named templates. You cannot delete or rename a default template.

To rename or delete a named template

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, click File, click Templates, and then click View Templates.

  3. In the job list, click the template to be renamed or deleted.

  4. Click File, click Templates, and then click Rename or Delete. If you select Delete, you are asked to confirm your choice.

Modifying templates

There are times when you might want to make changes to a default or a named template.

To modify a template

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, click File, click Templates, and then click View Templates.

  3. Select a pane with the template to be modified (for example Scan Job, in the Shuttle Navigator, in the SETTINGS section).

  4. In the job list, select the template to be modified, and then click Templates.

  5. Configure the template as desired by using the various panes, clicking Save on each.

Note

After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to reassociate the scan job unless you want to switch the template being used. However, if you make changes directly to a specific scan job (for example, the IM Scan Job), the templates associated with that scan job are not changed. It is important to remember that any custom filter updates must be made to the template in order to keep your settings in a consistent location. This is necessary in case you need to deploy the same template settings to another server.

Modifying default file scanner update templates

By using the scanner update templates, you may do the following:

  • Change the primary and secondary update path
  • Change the updating schedule
  • Enable or disable automatic updates

To configure default file scanner update templates

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, click File, click Templates, and then click View Templates.

  3. In the Shuttle Navigator, in the SETTINGS section, click Scanner Updates.

  4. In the Scanner Update Settings pane, in the job list, click the file-scanner template that you want to update (for example, Template for Microsoft Antimalware Engine). There should be one template for every installed engine.

  5. If desired, change the primary and secondary Network Update Path, date, time, frequency, and repeat interval.

  6. Enable or disable updating as needed, and then click Save.

Modifying notification templates

Default notification templates can be used to deploy notification settings to remote servers.

To modify notification templates

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, click File, click Templates, and then click View Templates.

  3. In the Shuttle Navigator, in the REPORT section, click Notification.

  4. In the job list, click the notification template you would like to modify (for example, Template for Virus Administrators).

  5. If you want to make changes to the template, in the lower pane, edit the template.
    If you want to change the state of the template, use the Enable and Disable buttons.

  6. Click Save.

Note

You cannot create new notification templates. You must modify the default notification template in order to update notification settings.

Using named templates

Named templates can be used to create and manage multiple configurations in an OCS environment. If you run different configurations on the servers in your environment, it is recommended that you configure each server to use a named template as the default for its configuration settings.

For example, if you have 20 servers divided into four groups of five, you can create named templates for each server group. These templates contain all of the configuration information for scan jobs, filtering, notifications, and scanner-update paths. Each template has the name of the group:

IMTemplate1

IMTemplate2

IMTemplate3

IMTemplate4

These names are similar for each scan-job template and filter-set template.

Named templates that you create are associated with scan jobs. (For more information, see Creating a named template.) These templates are then distributed to the various servers during the install or upgrade process. (For more information, see Deploying named templates.) The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Forefront Server Security Administrator in order to connect to the server and make the association. (For more information, see "Connecting to a remote server" in FSOCS Forefront Server Security Administrator.)

After you have done this, the scan jobs, filter sets, and notifications always load from the named templates during configuration changes or when you need to deploy global filter settings during a virus outbreak.

Deploying templates

New templates can be copied to remote servers by using the FSCStarter command. For more information about FSCStarter, see Deploying named templates.

Before you deploy templates to a server (local or remote), you must ensure that the FSOCS scan jobs on that server are configured to run from templates.

To configure scan jobs to run from templates

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, click File, click Templates, and then click View Templates.

  3. In the SETTINGS shuttle, click Templates.

  4. In the Template Settings pane, set the Template field associated with each scan job to either Default (the default value) or to a named template, and then click Save. (Templates are not used if the value is None.)

All the templates are stored in the Template.fdb file, so all are deployed when you use the FSCStarter command. This is not a problem if all of your servers are configured identically, but if you have multiple configurations in your environment, be sure to distribute the template files that match the configuration of the targeted servers. If you have multiple configurations, it is helpful to configure your servers to use named templates for their settings. This allows you to easily distribute template files to all your servers without worrying about corrupting configuration settings.

The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Forefront Server Security Administrator in order to connect to the computer and make the association. (For more information, see "Connecting to a Remote Server" in FSOCS Forefront Server Security Administrator.)

After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template.

After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to reassociate the scan job unless you want to switch the template being used.

Deploying named templates

New templates can be deployed by using the FSCStarter command.

Individual templates can be associated with current scan jobs in the Forefront Server Security Administrator by using the Load From Template button. Or, the FSCStarter command can be used to activate any or all templates from a command prompt directly on the server. The FSCStarter.exe file has the ability to activate template settings on the current server. The t parameter facilitates activating template settings.

The following is the syntax of FSCStarter:

FSCStarter t[c][f][l][n][p][s] [filename] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All filter settings, notification settings, and scanner-update paths can be updated. You must insert a space between FSCStarter and the t parameter. However, there is no space between the t parameter and the options. Multiple switches are listed without punctuation or spaces.

If the optional filename parameter is specified, the file you indicate (by entering its full path) overlays the current Template.fdb file before any settings are updated.

If the optional \servername parameter is specified, the templates are activated on the named remote server.

The t parameter’s options enable subsets of the template-settings file (Template.fdb) to be applied. Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.

The following are the t parameter options.

Option Description

c

Update the content-filter settings for each scan job.

f

Update the file-filter settings for each scan job. The file-filter settings of each scan job on the server are updated with the file-filter settings found in the associated template type. For example, the file-filter settings for all Realtime Scan Jobs are updated with the file-filter settings found in the Realtime Scan Job template.

l

Update the filter lists for each scan job.

n

Update the notification settings with the data in the associated templates.

p

Update the file-scanner update path, proxy-server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file-scanner setting is updated from the file-scanner template that matches the vendor of the file scanner.

s

Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all Realtime Scan Jobs are updated with the settings found in the Realtime Scan Job template. This includes all filters.

For example, to update the content-filter settings, the file-filter settings, and the notification settings, you would enter:

   FSCStarter tcfn

Template planning tips

Here are some tips to help you use your templates more efficiently.

  • In OCS Enterprise Edition environments, it is recommended that you have different sets of templates for each server role.
  • Use one server as your master server, and use FSCStarter in order to deploy configuration changes to the other servers.
    • If you have more than one group, select a master server for each group.
    • Only make changes directly to the master server.