How to Configure Anti-Spam Automatic Updates
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-01-20
For computers that are running Microsoft Exchange Server 2007, anti-spam Automatic Updates functionality relies on the Microsoft Update service framework. The Automatic Updates application is the Microsoft Windows client for the Microsoft Update service and is hosted on the computer that is running Microsoft Exchange. The Automatic Updates application manages connectivity and communication with Microsoft Update. Typically, the Automatic Updates client makes periodic requests to Microsoft Update for updates that apply to all applications on the host computer.
Because the data that spam signatures provide is especially time-sensitive, multiple requests per hour are required to maintain a high level of protection against spam. Therefore, the Microsoft Forefront Security for Exchange Server Anti-spam Update service uses the Automatic Updates client as a proxy for making requests to Microsoft Update. Forefront Anti-spam Automatic Updates is optimized for frequent checks and only requests updates of spam signature data and Microsoft IP Reputation Service data.
Forefront Anti-spam Automatic Updates requires a one-time opt-in process. Before you use Forefront Anti-spam Automatic Updates, you must opt in to Microsoft Update on each computer where you run the Forefront Anti-spam Automatic Updates. You can opt in to Microsoft Update by following one of these steps:
Visit Microsoft Update.
Note: If you have not yet opted in to Microsoft Update, the Microsoft Update link will take you to the Windows Update Web site. Windows Update only updates binaries and data for the Windows operating system. To keep Microsoft Exchange and the content filter data up-to-date, you must opt in to Microsoft Update. If you haven't visited Windows Update before, you may have to install a Microsoft ActiveX control.
If you opt in to Microsoft Update by using the Microsoft Update Web site, you still must enable anti-spam updates on the Exchange server by using one of the procedures in this topic.
Run the Enable Anti-spam Updates wizard as described later in this topic.
Run the Enable-AntispamUpdates cmdlet as described later in this topic.
To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
Forefront Anti-spam Automatic Updates functionality is a premium feature that requires either an Exchange Enterprise Client Access License (CAL) for each user mailbox or a Microsoft Forefront Security for Exchange Server license.
Before you perform these procedures, you should understand the following Automatic Updates concepts:
Automatic Updates client As briefly discussed earlier, the Automatic Updates client is the application for the Windows operating system that communicates with the Windows Update and Microsoft Update Web sites. Automatic Updates polls the Windows Update or Microsoft Update Web sites for new updates that are applicable for any of the Microsoft software that is running on the host computer.
You can enable and configure the Automatic Updates client if you visit either the Windows Update or Microsoft Update Web sites. You can configure the Automatic Updates client to download updates automatically, to download and install the updates, or not to download updates. If you configure the Automatic Updates client so that it doesn't download updates, all updates must be performed manually by the end-user of the computer.
Forefront Anti-spam Automatic Updates Forefront Anti-spam Automatic Updates use the Automatic Updates client as a proxy to request and download updates from the Microsoft Update Web site. Forefront Anti-spam Automatic Updates only requests updates for content filtering, the Microsoft IP Reputation Service, and spam signature data.
Proxy configuration Forefront Anti-spam Automatic Updates use HTTP to access the Microsoft Update Web site. Exchange 2007 transport servers rely on the underlying Windows HTTP Services (WinHTTP) to manage all HTTP and HTTPS traffic. Both Hub Transport servers and Edge Transport servers may use HTTP to access updates for Microsoft Exchange 2007 Standard Anti-spam Filter Updates and Forefront Anti-spam Automatic Updates. Make sure WinHTTP is configured to allow HTTP traffic on the computers where updates will be downloaded. For more information, see How to Configure Proxy Settings for WinHTTP.
The schedule that you set for the Automatic Updates client that is used by the Windows operating system, does not define the frequency of Forefront Anti-spam Automatic Updates. By using the Exchange Management Console or the Exchange Management Shell, you can set Forefront Anti-spam Automatic Updates to download and install automatically. If you set Forefront Anti-spam Automatic Updates to download and install automatically, it will update much more frequently than the Windows Automatic Updates client allows.
Forefront Anti-spam Automatic Updates contain data only. They do not contain updated binaries or libraries. Anti-spam updates do not require mail flow interruption or service restarts.
It is a best practice to configure the anti-spam Automatic Updates to download spam signature data and the IP Block list service that is provided by the Microsoft IP Reputation Service. For more information about how to add block list providers, see How to Configure IP Allow List and IP Block List Providers.
In the Exchange Management Console, click Edge Transport.
Select the server on which the Exchange Anti-spam Update service is to be configured.
In the Action pane, click Enable Anti-spam Updates.
To enable anti-spam Automatic Updates if the destination computer is already opted in to Microsoft Update, run the following command:
Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
In this case,
SERVER01is the server on which you want to enable anti-spam updates.
To enable anti-spam Automatic Updates and opt in to Microsoft Update, run the following command:
Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -MicrosoftUpdate RequestNotifyDownload -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
In this case,
SERVER01is the server on which you want to enable anti-spam Automatic Updates. In this example, the MicrosoftUpdate parameter is set to
RequestNotifyDownload. This configuration sets the status of the computer as "opted-in" to Microsoft Update. The
RequestNotifyDownloadconfiguration also sets the Automatic Updates client to download binaries and other non-anti-spam data and then notify you when the updates are ready to install.
Important: The setting of the MicrosoftUpdate parameter does not affect the frequency of anti-spam updates. Anti-spam Automatic Updates are configured only by the UpdateMode parameter. Important: If you have already configured the Windows Automatic Updates client, you must set the Windows Automatic Updates schedule by using the Automatic Updates client. When you set the MicrosoftUpdate parameter, you do not configure the Automatic Updates client schedule if you have already configured the Windows Automatic Updates schedule.
For detailed syntax and parameter information, see Enable-AntispamUpdates.
For more information about anti-spam update functionality for Exchange 2007, see Anti-Spam Updates.
For more information about update services for IT professionals, see Windows Update, Microsoft Update, and Automatic Updates for IT Professionals.