SharePoint Templates

  • Article

 

Applies to: Forefront Security for SharePoint

When Forefront Security for SharePoint is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and keyword filter settings and additional scan job templates as needed. (These are called "named templates".) Templates are useful for controlling the configuration of Forefront Security for SharePoint on multiple servers from a central location and the configuration of scan jobs and other functions at installation.

Templates are stored in the Template.fdb file, which contains the following default templates:

  • Scan job templates: a Realtime Scan Job template and a Manual Scan Job template.
  • Notification templates for each of the default notifications.
  • Scanner update templates for each scan engine that is installed on the current system.

To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates.

To view templates in the Forefront Server Security Administrator, click File, click Templates, and then click View Templates. This causes the default and named templates to be displayed in the various work panes.

Note

The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSCController starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If they both do not exist, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.

New templates can be deployed locally using the FSCStarter (for more information, see Deploying named templates) or deployed to remote servers using the Microsoft Forefront Server Security Management Console. For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".

Template uses

Templates are used for the following purposes:

  • Controlling configuration settings of all FSSP servers from a single location.
    After a Template.fdb file is created, Microsoft Forefront Server Security Management Console (FSSMC) can be used to copy and activate the template settings on multiple FSSP servers throughout your organization. Templates can be deployed simultaneously to multiple FSSP servers, and their settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using FSSMC to deploy templates, see the "Microsoft Forefront Server Security Management Console User Guide".)
  • Controlling the configuration of scan jobs during remote installations.
    By including templates in your install images, you can configure your remote servers at the time of installation.

Creating a named template

To use named templates, you must create them and associate them with scan jobs.

To create a named template

  1. Click File, click Templates, and then click New. The New Template dialog box appears.

  2. Select the Type of template you would like to create (Realtime, Manual, or Filter Set). For more information about filter set templates, see "Filter sets for file filters" in SharePoint file filtering. For more information about the different types, see Using named templates.

  3. Give the template a Name, and then click OK. The new template is created and becomes a choice in the list in the top pane and in the Template list in the bottom pane of the Template Settings work pane.

  4. In the list in the top pane, select your new template. If the templates are not visible, you can display them by clicking File, selecting Templates, and then clicking View Templates.

    Note

    If you have many templates, you may want to normally hide them to simplify the display.

  5. Click the appropriate work pane to configure the template. For example, if you have created a Realtime template, select Antivirus Job in the SETTINGS section of the Shuttle Navigator and configure the template as you would a Realtime Scan Job. Click Save when you are done.

  6. For a scan job to use a template, the template must be associated with that scan job.

    1. In the SETTINGS section of the Shuttle Navigator, select Templates.
    2. In the list in the top pane, select the scan job to associate with the template you have just created. For example, select the Realtime Scan Job.
    3. In the lower work pane, select the desired template from the Template list.
    4. Click Load From Template.
    5. Click Save. The select scan job’s settings are reconfigured to those in the selected template.

Note

The new template can be distributed to remote servers using the Forefront Server Security Management Console (FSSMC). For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".

Renaming or deleting a named template

You can rename or delete any of your named templates. You cannot delete or rename a default template.

To rename or delete a named template

  1. Open the Forefront Server Security Administrator.

  2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.

  3. In the Job List, select the template.

  4. Click File.

  5. Select Templates.

  6. Select Rename or Delete. If you choose Delete, you will be asked to confirm your choice.

Modifying templates

There are times when you might want to make changes to a default or a named template.

To modify a template

  1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.

  2. Select a work pane with the template to be modified (for example, Scan Job in the SETTINGS section of the Shuttle Navigator).

  3. In the Job List, select the template to be modified.

  4. Configure the template as desired, using the various work panes and clicking Save on each.

Note

If you make changes directly to a specific scan job (for example, the. Realtime Scan Job), the templates associated with that scan job are not changed. It is important to remember that any custom filter updates must be made to the template to keep your settings in a consistent location. This is necessary in case you need to deploy the same template settings to another server. To change the settings in a default template, you must follow the steps in Modifying default file scanner update templates.

Modifying default file scanner update templates

You may change the primary and secondary update path, change the updating schedule, and enable or disable automatic updates by using the scanner update templates.

To configure default file scanner update templates

  1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.

  2. From the SETTINGS section of the Shuttle Navigator, select Scanner Updates. The Scanner Update Settings work pane appears.

  3. From the Job List, select the file scanner template that you want to update (for example, Template for Microsoft Antimalware Engine). There should be one template for every installed engine.

  4. Change the primary or secondary Network Update Path, as desired.

  5. Change the date, time, frequency, and repeat interval, if desired. Enable or Disable updating as needed.

  6. Click Save.

Note

If you are using FSSMC to update Forefront Security for SharePoint scan engines, you should disable scheduled updates in Forefront Security for SharePoint.

Modifying notification templates

Default notification templates can be used to deploy notification settings to remote servers.

To configure notification templates

  1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.

  2. In the REPORT section of the Shuttle Navigator, select Notification.

  3. From the Job List, select the notification template you would like to modify (for example, Template for Virus Administrators).

  4. Edit the template in the lower work pane or use the Enable and Disable buttons to change the state of the template.

  5. Click Save.

Note

You cannot create new notification templates. You must modify the default notification template to update notification settings.

Using named templates

Named templates can be used to create and manage multiple configurations in your SharePoint environment. If you run different configurations on the servers in your environment, it is recommended that you configure each server to use a named template as the default for its configuration settings.

For example, if you have twenty servers divided into four groups of five, you can create named templates for each server group. These templates contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. Each template has the name of the group:

ServerGroupTemplate1

ServerGroupTemplate2

ServerGroupTemplate3

ServerGroupTemplate4

Named templates that you create are associated with scan jobs. (For more information, see Creating a named template and Deploying templates during a remote installation) These templates are then distributed to the various servers during the install or upgrade process. (For more information, see Deploying named templates.) The first time a named template is deployed to a server, it must be associated with a scan job on that server, otherwise the default template is used. You can use the Forefront Server Security Administrator to connect to the server and make the association.

After you have done this, the scan jobs, filter sets, and notifications always load from the named templates during configuration changes or when you need to deploy global filter settings during a virus outbreak.

Deploying templates during a remote installation

New templates can be deployed to multiple remote servers using the Microsoft Forefront Server Security Management Console (FSSMC). After the FSSMC has distributed the template files to the target server, it launches FSCStarter to install the templates on that server.

Before you deploy templates to a server (local or remote), you must ensure that the Forefront Security for SharePoint scan jobs on that server are configured to run from templates. To do so, select Templates on the SETTINGS shuttle. The Template Settings work pane appears. The Template field associated with each scan job should be set to either Default (the default value) or to a named template. (Templates will not be used if the value is None.)

All the templates are stored in the Template.fdb file, so all will be deployed when you use the FSSMC. This is not a problem if all of your servers are configured identically, but if you have multiple configurations in your environment, be sure to distribute the template files that match the configuration of the targeted servers. If you have multiple configurations, it is helpful to configure your servers to use named templates for their settings. This will allow you to easily distribute template files to all your servers without worrying about corrupting configuration settings.

To have the template.fdb file distributed to all servers during a remote installation or upgrade, you must use the extract form of setup.exe. This is the syntax:

Setup.exe /x:path

This extracts all required files to the directory you specify in path, including another copy of setup.exe. Copy the template.fdb file to that same directory. Finally, execute the setup.exe file that was extracted to that directory. (For more information about remote installations, see “Manage Jobs” in the “Microsoft Forefront Server Security Management Console User Guide”. When you enter the location of the setup.exe file for the deployment job in the Management Console, it is the extracted one found in path.)

The first time a named template is deployed to a server, it must be associated with a scan job on that server, otherwise, the default template is used. You can use the Forefront Server Security Administrator to connect to the computer and make the association. (For more information, see "Connecting To a Remote Server" in SharePoint Forefront Server Security Administrator.

After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template.

After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to re-associate the scan job unless you want to switch the template being used.

Deploying named templates

New templates can be deployed locally using FSCStarter or deployed to remote servers using FSSMC.

Individual templates can be associated with current scan jobs in the Forefront Server Security Administrator using the Load From Template button. Or, FSCStarter can be used to activate any or all templates from a command prompt directly on the server. The FSCStarter.exe file has the ability to activate template settings on the current server. The t parameter facilitates activating template settings.

The syntax of FSCStarter is:

FSCStarter t[c][f][l][n][p][s] [filename] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. You must insert a space between FSCStarter and the t parameter. However, there is no space between the t parameter and the options. Multiple switches are listed without punctuation or spacing.

If the optional filename parameter is specified, the file you indicate (by entering its full path) will overlay the current Template.fdb file before any settings are updated.

If the optional \servername parameter is specified, the templates will be activated on the named remote server.

The t parameter’s options enable subsets of the template settings file (Template.fdb) to be applied. Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.

c   Update the content filter settings for each scan job.

f    Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all Realtime Scan Jobs are updated with the file filter settings found in the Realtime Scan Job template.

l    Update the filter lists for each scan job.

n   Update the notification settings with the data in the associated templates.

p   Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner settings is updated from the file scanner template that matches the vendor of the file scanner.

s   Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all Realtime Scan Jobs are updated with the settings found in the Realtime Scan Job template. This includes all filters.

For example, to update the content filter settings, the file filter settings, and the notification settings, you would enter:

fscstarter tcfn

Template planning tips

Here are some tips to help you use your templates more efficiently.

  • In environments where you have both front-end and back-end servers, it is best to have two different sets of templates for each group.
  • Use one server as your "master", and use FSCStarter or FSSMC to deploy configuration changes to the other servers.
    • If you have more than one group, choose a "master" for each group.
    • Only make changes directly to the "master" server.
  • When using FSSMC to deploy templates, it is useful to name your packages so they are easily recognized for distribution. For example, you could use "FE Template 070607" to mean "Front End Template created on July 6, 2007".