Templates

 

Applies to: Forefront Security for Exchange Server

When Forefront Security for Exchange Server is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and content filter settings and additional scan job templates as needed. (These are called "named templates".) Templates are useful for controlling the configuration of Forefront Security for Exchange Server on multiple servers from a central location, controlling the configuration of scan jobs and other functions at installation, and defining configuration settings for newly mounted storage groups.

The Template.fdb file contains the following default templates:

  • Scan job templates: a Transport Scan Job template, a Realtime Scan Job template, and a Manual Scan Job template.

  • Notification templates for each of the default notifications.

  • Scanner update templates for each scan engine that is installed on the current system.

To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates.

To view templates in the Forefront Server Security Administrator, click File, click Templates, and then click View Templates. This causes the default and named templates to be displayed in the various work panes.

Note

The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSCController starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If neither file exists, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.

Template uses

Templates are used for the following purposes:

  • Controlling configuration settings of all FSE servers from a single location.

    After a Template.fdb file is created, Microsoft Forefront Server Security Management Console (FSSMC) can be used to copy and activate the template settings on multiple FSE servers throughout an organization. Templates can be deployed simultaneously to multiple FSE servers, and the settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using FSSMC to deploy templates, see the "Microsoft Forefront Server Security Management Console User Guide".)

  • Controlling the configuration of scan jobs during remote installations.

    Use templates to configure your remote servers at the time FSE is installed.

  • Defining scan job settings for newly-mounted storage groups.

    In Exchange, storage groups can be added to the system dynamically while both Exchange and Forefront Security for Exchange Server are running. Forefront Security for Exchange Server detects when a new or previously used storage group is mounted. If the storage group is new, Forefront Security for Exchange Server needs to create a Realtime Scan Job and Manual Scan Job to protect that storage group. The settings that are used for each of these scan jobs are read from their associated templates found in Template.fdb.

    This feature enables an administrator to create default rules that protect new storage groups as they are added to the system.

Creating a named template

To use named templates, you must create them and associate them with scan jobs.

To create a named template

  1. Click File, click Templates, and then click New. The New Template dialog box appears.

  2. Select the Type of template you would like to create (Transport, Realtime, Manual, or Filter Set). For more information about filter set templates, see "Filter set templates" in Content filtering. For more information about the different types, see Using named templates.

  3. Give the template a Name, and then click OK. The new template is created and becomes a choice in the list in the top pane and in the Template list in the bottom pane of the Template Settings work pane.

  4. From the list in the top pane, select your new template. If the templates are not visible, you can display them by clicking File, selecting Templates, and then clicking View Templates.

    Note

    If you have many templates, you may want to keep them hidden most of the time to simplify the display.

  5. Click the appropriate work pane to configure the template. For example, if you have created a Transport template, select Antivirus Job in the SETTINGS section of the Shuttle Navigator and configure the template as you would a Transport Scan Job. Click Save when you are done.

  6. For a scan job to use a template, the template must be associated with that scan job.

    1. Open the Forefront Server Security Administrator.

    2. In the SETTINGS section of the Shuttle Navigator, select Templates.

    3. In the list in the top pane, select the scan job to associate with the template you have just created. For example, select the Realtime Scan Job.

    4. In the lower work pane, select the desired template from the Template list.

    5. Click Load From Template.

    6. Click Save. The scan job’s settings are reconfigured to those in the selected template.

Note

The new template can be distributed to remote servers using the Forefront Server Security Management Console (FSSMC). For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".

Renaming or deleting a named template

You can rename or delete any of your named templates. You cannot delete or rename a default template.

To rename or delete a named template

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.

  3. In the job list, select the template.

  4. Click File.

  5. Select Templates.

  6. Select Rename or Delete. If you choose Delete, you will be asked to confirm your choice.

Modifying templates

There are times when you might want to make changes to a default or a named template.

To modify a template

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.

  3. Select a work pane with the template to be modified (for example Scan Job, in the SETTINGS section of the Shuttle Navigator).

  4. In the job list, select the template to be modified.

  5. Configure the template as desired, using the various work panes, clicking Save on each.

Note

If you make changes directly to a specific scan job (for example, the Transport Scan Job), the templates associated with that scan job are not changed. It is important to remember that any custom filter updates must be made to the template to keep your settings in a consistent location. This is necessary in case you need to deploy the same template settings to another server.

Modifying default file scanner update templates

You may change the primary and secondary update path, change the updating schedule, and enable or disable automatic updates by using the scanner update templates.

To configure default file scanner update templates

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.

  3. From the SETTINGS section of the Shuttle Navigator, select Scanner Updates. The Scanner Update Settings work pane appears.

  4. From the job list, select the file scanner template that you want to update (for example, Template for Microsoft Antimalware Engine). There should be one template for every installed engine.

  5. Change the primary and secondary Network Update Path, as desired.

  6. Change the date, time, frequency, and repeat interval, if desired. Enable or Disable updating as needed.

  7. Click Save.

New templates can be deployed locally using FSCStarter (for more information, see Deploying named templates) or deployed to remote servers using the Microsoft Forefront Server Security Management Console. For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".

Note

If you are using FSSMC to update Forefront Security for Exchange Server scan engines, you should disable scheduled updates in Forefront Security for Exchange Server.

Modifying notification templates

Default notification templates can be used to deploy notification settings to remote servers.

To modify notification templates

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.

  3. In the REPORT section of the Shuttle Navigator, select Notification.

  4. From the job list, select the notification template you would like to modify (for example, Template for Virus Administrators).

  5. Edit the template in the lower work pane or use the Enable and Disable buttons to change the state of the template.

  6. Click Save.

Note

You cannot create new notification templates. You must modify the default notification template to update notification settings.

Using named templates

Named templates can be used to create and manage multiple configurations in an Exchange environment. If you run different configurations on the servers in your environment, it is recommended that you configure each server to use a named template as the default for its configuration settings.

For example, if you have twenty servers divided into four groups of five, you can create named templates for each server group. These templates will contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. Each template has the name of the group:

TransportTemplate1

TransportTemplate2

TransportTemplate3

TransportTemplate4

These names are similar for each scan job and filter set template.

Named templates that you create are associated with scan jobs. (For more information, see Creating a named template.) These templates are then distributed to the various servers during the install or upgrade process. (For more information, see Deploying named templates.) The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise the default template is used. You can use the Forefront Server Security Administrator to connect to the server and make the association. (For more information, see "Connecting to a remote server" in Forefront Server Security Administrator.)

After you have done this, the scan jobs, filter sets, and notifications always load from the named templates during configuration changes or when you need to deploy global filter settings during a virus outbreak.

Deploying templates during a remote installation

New templates can be deployed to multiple remote servers using the Microsoft Forefront Server Security Management Console (FSSMC). After FSSMC has distributed the template files to the target server, it launches FSCStarter to install the templates on that server.

Before you deploy templates to a server (local or remote), you must ensure that the Forefront Security for Exchange Server scan jobs on that server are configured to run from templates. To do so, select Templates on the SETTINGS shuttle. The Template Settings work pane appears. The Template field associated with each scan job should be set to either Default (the default value) or to a named template. (Templates will not be used if the value is None.)

All the templates are stored in the Template.fdb file, so all will be deployed when you use the FSSMC. This is not a problem if all of your servers are configured identically, but if you have multiple configurations in your environment, be sure to distribute the template files that match the configuration of the targeted servers. If you have multiple configurations, it is helpful to configure your servers to use named templates for their settings. This will allow you to easily distribute template files to all your servers without worrying about corrupting configuration settings.

To have the template.fdb file distributed to all servers during a remote installation or upgrade, you must use the extract form of setup.exe. This is the syntax:

Setup.exe /x:<path>

This extracts all required files to the directory you specify in <path>, including another copy of setup.exe. Copy the template.fdb file to that same directory. Finally, execute the setup.exe file that was extracted to that directory. (For more information about remote installations, see "Manage Jobs" in the "Microsoft Forefront Server Security Management Console User Guide". When you enter the location of the setup.exe file for the deployment job in the Management Console, use the extracted one found in <path>.)

The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Forefront Server Security Administrator to connect to the computer and make the association. (For more information, see Connecting to a Remote Server in Forefront Server Security Administrator.)

After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template.

After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to re-associate the scan job unless you want to switch the template being used.

Deploying named templates

New templates can be deployed locally using FSCStarter or deployed to remote servers using FSSMC.

Individual templates can be associated with current scan jobs in the Forefront Server Security Administrator using the Load From Template button. An exception is filter list templates, which must be associated with a scan job using FSCStarter. FSCStarter.exe can activate any or all templates from a command prompt directly on the server; its t parameter is what activates template settings.

The syntax of FSCStarter is:

FSCStarter t[c][f][l][n][p][s] [filename] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. You must insert a space between FSCStarter and the t parameter. However, there is no space between the t parameter and the options. Multiple switches are listed without punctuation or spacing.

If the optional filename parameter is specified, the file you indicate (by entering its full path) will overlay the current Template.fdb file before any settings are updated.

If the optional \servername parameter is specified, the templates will be activated on the named remote server.

The t parameter's options enable subsets of the template settings file (Template.fdb) to be applied. Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.

c   Update the content filter settings for each scan job.

f   Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all Realtime Scan Jobs are updated with the file filter settings found in the Realtime Scan Job template.

l   Update the filter lists for each scan job.

n   Update the notification settings with the data in the associated templates.

p   Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner is updated from the file scanner template that matches the vendor of the file scanner.

s   Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all Realtime Scan Jobs are updated with the settings found in the Realtime Scan Job template. This includes all filters.

For example, to update the content filter settings, the file filter settings, and the notification settings, you would enter:

FSCStarter tcfn
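
As an added example (not part of the Microsoft documentation or the product), the PowerShell wrapper below validates the option letters described above, checks and backs up template files before an overlay, and then calls FSCStarter. The function name, its parameters, the backup file naming, and the use of PowerShell 4.0 or later (for Get-FileHash) are assumptions of this example; the page does not state where Template.fdb is installed, so the caller supplies that path.

```powershell
# Added example, not Microsoft's code; names and paths below are assumptions.
function Invoke-FseTemplateActivation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Letters that follow "t": any combination of c f l n p s; empty means all settings.
        [string]$Options = '',
        # Optional replacement Template.fdb (full path); FSCStarter overlays the current file with it.
        [string]$TemplateFile,
        # SHA-256 recorded when the template was approved (hypothetical change-control value).
        [string]$ExpectedSha256,
        # Current Template.fdb on this server, supplied by the caller so it can be backed up.
        [string]$CurrentTemplate,
        # Remote server argument, written exactly as the FSCStarter syntax line shows it.
        [string]$Server,
        # Location of FSCStarter.exe (assumed to be on PATH when not given).
        [string]$StarterPath = 'FSCStarter.exe'
    )

    # Accept only the six documented letters, lowercase as on the page, no spaces or punctuation.
    if ($Options -cnotmatch '^[cflnps]*$') {
        throw "Invalid options '$Options': use only c, f, l, n, p, s with no spaces."
    }
    # Collapse repeated letters (this example's choice; the page does not discuss repeats).
    $letters = ($Options.ToCharArray() | Select-Object -Unique) -join ''
    $argList = @("t$letters")

    if ($TemplateFile) {
        $full = (Resolve-Path -LiteralPath $TemplateFile -ErrorAction Stop).Path
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
            throw "Hash mismatch for $full ($hash); refusing to overlay Template.fdb."
        }
        # The overlay replaces the live Template.fdb, so keep a timestamped copy first.
        if ($CurrentTemplate -and (Test-Path -LiteralPath $CurrentTemplate)) {
            $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $CurrentTemplate, (Get-Date)
            if ($PSCmdlet.ShouldProcess($CurrentTemplate, "Back up to $backup")) {
                Copy-Item -LiteralPath $CurrentTemplate -Destination $backup
            }
        }
        $argList += $full
    }
    if ($Server) { $argList += $Server }

    if ($PSCmdlet.ShouldProcess("$StarterPath $($argList -join ' ')", 'Run FSCStarter')) {
        & $StarterPath @argList
    }
    $argList -join ' '   # argument string, returned for the change record
}

# Preview the page's own example without running anything:
Invoke-FseTemplateActivation -Options 'cfn' -WhatIf
```

Run with -WhatIf first to see the exact FSCStarter arguments and the planned backup before anything is changed on the server.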

Deploying schedule job templates

When deploying the default schedule job template, the Background Scan Job and all Manual Scan Jobs that are set to use the default template are updated. This causes all Manual Scan Jobs and the background scan to begin at the same time and could degrade server performance. To avoid this problem, use named templates for each Manual Scan Job so that you can schedule each one independently of the background scan.

Template planning tips

Here are some tips to help you use your templates more efficiently.

  • In environments where you have both front-end and back-end servers, it is best to have two different sets of templates for each group.

  • Use one server as your "master", and use FSCStarter or FSSMC to deploy configuration changes to the other servers.

    • If you have more than one group, choose a "master" for each group.

    • Only make changes directly to the "master" server.

  • When using FSSMC to deploy templates, it is useful to name your packages so they are easily recognized for distribution. For example, you could use “FE Template 070607” to mean “Front End Template created on July 6, 2007”.