Upgrading Forefront Protection 2010 for Exchange Server

Article
07/23/2014

Applies to: Forefront Protection for Exchange

This topic presents information about how to preserve your configuration settings and the location of certain options between two versions of Microsoft Forefront Protection 2010 for Exchange Server. If you have the release candidate (RC) version of Forefront Protection 2010 for Exchange Server (FPE) installed and want to maintain your RC data when you upgrade to the general availability release of FPE, you must run the FPE installation program without uninstalling the RC version of the product. By doing this, the original program files and data directories are preserved during the installation.

If you are not concerned about data retention, we recommend that you uninstall the RC version of the product, delete the old FPE data folder (Default: C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data), and then perform a fresh installation.

Tip

If you have installed and are managing FPE on multiple Exchange servers, in an enterprise, for example, Microsoft recommends that you use the Microsoft Forefront Protection Server Management Console (FPSMC). You can download FPSMC from the Microsoft Download Center at the following location: Microsoft Forefront Protection Server Management Console (FPSMC) 2010. Documentation for FPSMC can be found in the TechNet library at Forefront Protection Server Management Console. Otherwise, you can install and configure FPE on a single Exchange server, and then export and import these configuration settings to additional Exchange servers (keeping in mind that each FPE installation must be performed individually on that server first). For more information, see Exporting and importing configuration settings.

Automatic upgrades from Forefront Security for Exchange Server Version 10 (FSE) to FPE are not supported. This topic provides guidance for migrating your FSE installations to FPE.

Migrating from Forefront Security for Exchange Server Version 10

This topic will help guide you through the process of manually migrating data from Forefront Security for Exchange Server Version 10, as well as mapping configuration settings from the prior version of the product to their current location in the Forefront Protection 2010 for Exchange Server Administrator Console (FPE Administrator Console) user interface. This topic outlines the following items with the goal of making the migration process easier:

Data values that can be preserved and transferred. For more information, see Saving your data files, registry keys, and filter lists.
Data values that you should record before uninstalling Version 10 and then installing FPE. For more information, see Recording important settings.
Mapping configuration settings from the earlier version of the product to their current location in the FPE Administrator Console. For more information, see General Options settings and Monitoring and configuration settings after migration.

Saving your data files, registry keys, and filter lists

Before you upgrade to FPE it is a good idea to save the data files, registry keys, and filter lists from your FSE installation in case you want to roll-back to that version for any reason. Filter lists can also be imported into FPE so that you do not have to re-create them after you install FPE.

The FSE data files include the following:

Incidents.mdb—The incidents database information.
Quarantine.mdb—The quarantine database information.
Domains.dat—The domain information that is used to identify internal addresses.

Note

The FSE incidents and quarantine data files cannot be used in FPE. Therefore the data in these files will not be available through the FPE Administrator Console. The domains.dat file can be used in FPE. You will have to save your FSE domains.dat file into the FPE data folder. For more information about how to use the domains.dat file in FPE, see Identifying external and internal addresses.

To back up the various FSE data files, back up the following folder. Be sure to include all files and subfolders in the folders:

drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data

The FSE registry keys can be found in the following location:

HkeyLocalMachine\Software\Wow6432Node\Microsoft\Forefront Server Security

You should copy all of the keys in this location in case you want to roll back to FSE for any reason.

Preserving filter lists created in FSE

If you created filter lists in FSE, you can export the lists to a text file and then import them into FPE. You cannot export filter sets from FSE because they are contained in an .fdb file that will not work in FPE. If you have filters that are not contained in filter lists, you may want to create lists for the filters so that they can be exported for use in FPE.

Exporting your filter lists

You can export data from a filter list into an external text file. You cannot select individual items to be exported; you must export the filter list in its entirety.

To export items from a filter list

In the Forefront Server Security Administrator console, select Filter Lists in the Filtering section of the menu.
Select the filter list type from which you are exporting data.
Select a list in the List Names area.
Click Edit, and then in the Edit Filter List pane, click Export.
In the file Explorer window, browse the location where you want to export the text file, specify the file name, and then click Save.

The items in the filter list are exported into the file. The items appear on a single line, separated by commas.

Importing items into filter lists

For information about how to import items into FPE filter lists, see Importing items into a filter list.

Recording important settings

Before uninstalling FSE, it is a good idea to record the settings for any configuration that you have changed from the default settings. This enables you to configure those settings in FPE in the same way. There are also some configuration defaults that have changed from FSE to FPE.

You should record the following settings:

Deletion text
Tag text
Notification text (including subject line and message body)
Critical Notification List—Now named Critical error and located on the Configuration - Notifications pane in the Monitoring view of the administrator console.
Transport Process Count—Now named Process count and located on the Antimalware - Hub Transport pane in the Policy Management view of the administrator console. If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.
Realtime Process Count—Now named Process count and located on the Antimalware -Mailbox Realtime pane in the Policy Management view of the administrator console.
Internal Address—Now named Domain names used for identifying internal addresses and located on the Global Settings - Advanced Options pane in the Policy Management view of the administrator console. You can import your domains.dat file from FSE as described previously.
Transport External Hosts—Now named IP addresses used to identify external addresses and located on the Global Settings - Advanced Options pane in the Policy Management view of the administrator console.

The default has changed for the following setting:

Deliver from Quarantine Security—This General Options setting is used to prevent FSE from re-filtering items delivered from quarantine. By default this setting was configured to re-scan messages that were delivered from quarantine for filter matches and viruses. In FPE, the setting is now named Rescan filters on send and can be found in the Configuration - Quarantine Options pane of the administrator console. By default it is off so that items delivered from quarantine are only scanned for malware.

General Options settings

The following sections show the Forefront Security for Exchange Server Version 10 General Options settings and their current location in Forefront Protection 2010 for Exchange Server (FPE).

Diagnostics section

This table lists the settings in the Diagnostics section of General Options and its accompanying setting in FPE.

FSE Setting FPE Setting

FSE Setting	FPE Setting
Additional Transport Additional Manual Additional Realtime	These settings are no longer available in the user interface. Use the `Set-FseTracing -level` Windows PowerShell command from the Forefront Management Shell instead. For information on using PowerShell in FPE, see the topic Using Windows PowerShell.
Archive Transport Mail	Use the Archive transport mail setting in the Logging Options section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Critical Notification List	Use the Critical error event notification on the Configuration – Notifications pane (located under the Monitoring view).

Additional Transport

Additional Manual

Additional Realtime

These settings are no longer available in the user interface. Use the Set-FseTracing -level Windows PowerShell command from the Forefront Management Shell instead. For information on using PowerShell in FPE, see the topic Using Windows PowerShell.

Archive Transport Mail

Use the Archive transport mail setting in the Logging Options section on the Global Settings - Advanced Options pane (located under the Policy Management view).

Critical Notification List

Use the Critical error event notification on the Configuration – Notifications pane (located under the Monitoring view).

Logging section

For the settings in the Logging section of General Options, in FPE you can use the Logging Options settings on the Global Settings - Advanced Options pane (located under the Policy Management view). In FPE, event logging options are more granular than they were in previous product versions. There is also an option to Enable content filtering incident logging. For the Max Program Log Size setting, use the Set-FseTracing -MaxLogSize Windows PowerShell command; this setting is no longer available in the user interface.

Scanner Updates section

This table lists the settings in the Scanner Updates section of General Options and its accompanying setting in FPE. Aside from Send Update Notification, these settings are now available on the Global Settings - Engine Options pane (located under the Policy Management view).

FSE Setting	FPE Setting
Redistribution Server	Use the Enable as an update redistribution server setting.
Perform Updates at Startup	Use the Update engines on server startup setting.
Send Update Notification	Use the Engine updated, Engine update failed, and Engine update not available event notifications on the Configuration – Notifications pane (located under the Monitoring view).
Use Proxy Settings	Use the Enable proxy server setting.
Use UNC Credentials	Use the Enable UNC setting.
Proxy Server Name/IP Address	Use the Proxy server setting.
Proxy Port	Use the Port setting.
Proxy Username	Click the Edit Proxy Server Credentials button and specify the User name in the Edit Proxy Server dialog box.
Proxy Password	Click the Edit Proxy Server Credentials button and specify the Password in the Edit Proxy Server dialog box.
UNC Username	Click the Edit UNC Credentials button and specify the User name in the Edit UNC Credentials dialog box.
UNC Password	Click the Edit UNC Credentials button and specify the Password in the Edit UNC Credentials dialog box.

Scanning section

This table lists the settings in the Scanning section of General Options and its accompanying setting in FPE.

FSE Setting	FPE Setting
Body Scanning – Manual	Use the Scan message body setting in the Additional Options section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view).
Body Scanning – Realtime	Use the Scan message body setting in the Additional Options section on the Antimalware - Mailbox Realtime pane (located under the Policy Management view).
Delete Corrupted Compressed Files	Use the Delete corrupted compressed files setting in the Deletion Criteria section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Delete Corrupted Uuencode Files	Use the Delete corrupted UUEncoded files setting in the Deletion Criteria section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Delete Encrypted Compressed Files	Use the Delete encrypted compressed files setting in the Deletion Criteria section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Treat ZIP archives containing highly-compressed Files as corrupted compressed	Use the Treat high compression .zip file as a corrupted compressed file setting in the Specialty File Type Settings section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Treat multipart RAR archives as corrupted compressed	Use the Treat multi-part .rar archive as a corrupted compressed file setting in the Specialty File Type Settings section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Treat concatenated gzips as corrupted compressed	This setting is no longer applicable.
Scan Doc Files As Containers - Manual	Use the Scan doc files as containers setting in the Additional Options section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view).
Scan Doc Files As Containers - Transport	Use the Scan doc files as containers setting in the Additional Options section on the Antimalware – Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Scan Doc Files As Containers - Realtime	Use the Scan doc files as containers setting in the Additional Options section on the Antimalware - Mailbox Realtime pane (located under the Policy Management view).
Case Sensitive Keyword Filtering	Use the Enable case-sensitive keyword filtering setting in the Transport Filtering Options section on the Filters – Filter Options pane (located under the Policy Management view).
Fix Bare CR or LF in Mime Headers	This setting is no longer applicable.
Optimize for Performance by Not Scanning Messages That Were Already Virus Scanned - Transport	Use the Optimize for performance by not rescanning messages already virus scanned setting in the Additional Options section on the Antimalware - Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Scan on Scanner Update	Use the Scan after engine update setting in the Additional Options section on the Antimalware - Mailbox Realtime pane (located under the Policy Management view).
Perform Reverse DNS Lookups	Use the Use reverse DNS lookup when determining whether a message is inbound setting in the Scans section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Purge Message if Message Body Deleted – Transport	Use the Purge if message body is deleted setting in the Additional Options section on the Antimalware – Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Enable Forefront Security for Exchange Scan	Depending on which scan you want to enable, use the Enable transport antivirus scan, Enable realtime antivirus scan, Enable scheduled antivirus scan, and Mailbox On-Demand settings. (There are similar settings for enabling antispyware scanning except for the on-demand scan which does not support spyware scanning.)
Transport Process Count	Use the Process count setting in the Additional Options section on the Antimalware - Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Realtime Process Count	Use the Process count setting in the Additional Options section on the Antimalware - Mailbox Realtime pane (located under the Policy Management view).
Forefront Manual Priority	Use the Set Priority setting in the Scheduled Scan Settings section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view). Note To set the priority for the on-demand scan, use the `Set-FseOnDemandScan -Priority` Windows PowerShell command.
Engine Error Action	Use the Engine error action setting in the Scans section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Illegal MIME Header Action	Use the Illegal MIME header action setting in the Additional Options section on the Antimalware - Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Transport Scan Timeout Action	Use the Scan timeout action setting in the Additional Options section on the Antimalware - Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Realtime Scan Timeout Action	Use the Scan timeout action setting in the Additional Options section on the Antimalware - Mailbox Realtime pane (located under the Policy Management view).
Quarantine Messages	This setting is no longer applicable.
Deliver From Quarantine Security	Use the Rescan filters on send setting Configuration – Quarantine Options pane (located under the Monitoring view). Also note that the default for this setting has changed so that filters are not rescanned upon delivery.
Transport Sender Information	Use the Transport sender information setting in the Additional Options section on the Antimalware - Hub Transport pane (located under the Policy Management view). (If you are using an Edge Transport server, Edge Transport appears instead of Hub Transport.)
Max Container File Infections	Use the Maximum container file infections setting in the Threshold Levels section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Max Container File Size	Use the Maximum container file size (megabytes) setting in the Threshold Levels section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Max Nested Attachments	Use the Maximum nested attachments setting in the Threshold Levels section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Max Nested Compressed Files	Use the Maximum nested depth compressed files setting in the Threshold Levels section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Max Container Scan Time (msec) - Realtime/Transport	Depending on which scan you want to configure, in the Antimalware - Mailbox Realtime or Antimalware - Hub Transport pane (both (located under the Policy Management view), use the Maximum container scan time (seconds) setting.
Max Container Scan Time (msec) - Manual	Use the Maximum container scan time (seconds) setting in the Additional Options section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view). Note To set the maximum container scan time (in seconds) for the on-demand scan, use the `Set-FseOnDemandScan -MaxContainerScanTime` Windows PowerShell command.
Internal Address	Use the Domains names used for indentifying internal addresses setting in the Scans section on the Global Settings - Advanced Options pane (located under the Policy Management view).
Transport External Hosts	Use the IP Addresses used to identify external addresses setting in the Scans section on the Global Settings - Advanced Options pane (located under the Policy Management view).

Background Scanning section

This table lists the settings in the Background Scanning section of General Options and its accompanying setting in FPE.

FSE Setting	FPE Setting
Enable Background Scan if 'Scan On Scanner Update' Enabled	This setting is no longer applicable.
Scan Only Messages With Attachments	Use the Scan only messages with attachments setting in the Scheduled Scan Settings section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view).
Scan Only Unscanned Messages	Use the Scan only unscanned messages setting in the Scheduled Scan Settings section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view).
Scan Messages Received Within The Last <x> Days	Use the Scan only messages received in the last setting in the Scheduled Scan Settings section on the Antimalware - Mailbox Scheduled pane (located under the Policy Management view).

Monitoring and configuration settings after migration

Because there is no direct upgrade path from FSE to FPE, some data will be lost and many settings will have to be manually configured after the FPE installation is complete. This section provides information about the main monitoring and configuration areas in the FPE Administrator Console to help you understand and complete your migration as quickly and easily as possible.

Incidents and quarantine—All incident and quarantine data and all statistical data will be lost when you upgrade, because FPE uses a new storage method for this information. For more information about incidents and quarantine in FPE, see Viewing and managing incidents and Viewing and managing quarantine.
Notifications—There is no way to preserve your notification settings, so notifications will have to be configured after the FPE installation is complete. You should, however, record any custom notification text you had configured in FSE for use in FPE. Manually saving the text to a Word or text file before migration will be helpful. For more information about notifications in FPE, see Configuring e-mail notifications.
Antimalware settings:
- Realtime Scan Job
  
  This scan job is now called the Antimalware - Mailbox Realtime scan.
  
  Antispyware is enabled by default and the action is set to Delete.
  
  The engine bias setting has the same default as FSE, but the names for the various settings have changed. These settings are now located in the Engines and Performance section of the FPE Administrator Console.
  
  Deletion text is now named Malware Deletion Text. It includes spyware deletion text.
- Transport Scan Job
  
  This scan job is now called the Antimalware - Hub Transport or Antimalware - Edge Transport scan.
  
  Antispyware is enabled by default and the action is set to Delete.
  
  The engine bias setting has the same default as FSE, but the names for the various settings have changed. These settings are now located in the Engines and Performance section of the FPE Administrator Console.
  
  Deletion text is now named Malware Deletion Text. It includes spyware deletion text.
- Background Scan Job
  
  This scan job is now called the Antimalware - Mailbox Scheduled scan.
  
  FPE has this as a separate scan job with its own configuration settings.
  
  It has the same defaults as the background scan in FSE.
  
  There is a new option named Enable maximum scan time that controls how long the scan should run. You can configure the number of hours and minutes for the scan to run.
- Manual Scan and Quick Scan Job
  
  These scan jobs were combined and are now called the Mailbox - On-Demand scan.
  
  The on-demand scan is configured through the Task Library pane in the administrator console. This scan enables you to immediately scan specific mailboxes as you could do with the Manual Scan Job.
Note

By default, all 5 engines are chosen for each scan job. We recommend that you leave the default settings in place. For more information about antimalware scanning in FPE, see Configuring antimalware scanning.
Antispam settings—Antispam scanning is new in FPE. These settings are located in the Antispam area of the FPE Administrator Console. For more information about antimalware scanning in FPE, see Using antispam filtering.
Individual filter entries—There are no individual filter entries in FPE. All filters are created as entries in filter lists. Filter lists can be exported from FSE and imported into FPE. For details, see Preserving filter lists created in FSE. The filter lists must be configured for each scan job manually. For more information about creating and managing filter lists in FPE, see Configuring filtering.
File filter lists—FPE has a wizard for creating file filter lists that provides three options for name and/or type selection. The Filter files of specific types by inspecting the file header option is the equivalent of a * file filter, with types selected. For more information about creating file filter lists in FPE, see Creating a file filter list.
Filter Options—File filter deletion text is now located in the Filter Options section of the FPE Administrator Console.
Online Protection—Forefront Online Protection for Exchange (FOPE) is new. These settings are located in the Online Protection area of the FPE Administrator Console. For more information about FOPE, see Integrating Forefront Online Protection for Exchange with FPE to create an extra layer of protection.
Global Settings—Many settings that were configured in the General Options section of the administrator console in FSE are configured in the Global Settings section of the FPE Administrator Console. A mapping of most settings in FSE to their counterparts (where relevant) in FPE is provided in General Options settings.
Engine options—By default, the Intelligent Engine Management in FPE is set to Automatic. The default engine update schedule is same as in FSE, which is once per hour. This is true for both the antimalware scan engines and the new Cloudmark antispam engine.

In order to change the schedules, FPE requires the user to change the Intelligent Engine Management selection to Manual. This setting is configured in the Advanced Options pane of the Global Settings area of the administrator console. Once you are in Manual mode, you can configure the various engine options, including selecting the engines for specific scan jobs and changing the default settings for engine and definition updates.

UNC authentication and proxy server settings are configured in the Global Settings - Engine Options section of the administrator console. These settings apply to all scan engines.

For more information about configuring engine update options in FPE, see Configuring engine and definition updates.