November 2008 - posts - Forefront Nederland

November 2008 - posts

Forefront in Windows Essential Server

Wat meer info rond Forefront in Windows Essential Server:


You may have heard about last week's launch of Windows Essential Business Server 2008 and Small Business Server 2008SBS and EBS are integrated IT solutions that are priced and designed specifically for the needs of small and midsized companies. In sum, they help smaller firms take advantage of enterprise-class IT. 

In addition to Windows Server 2008, Exchange Server 2007 and other products, both SBS and EBS include Forefront Security for Exchange Server for layered protection against the latest e-mail based threats, including viruses, worms, and spam.

EBS also includes Forefront Threat Management Gateway Medium Business Edition.  Designed specifically as an integrated component of Essential Business Server, TMG MBE helps provide comprehensive threat management, secure Internet access, and remote access for small to medium size organizations (up to 300 users.) TMG MBE includes a fully featured corporate firewall capability, and adds a Unified Threat Management (UTM) capability to the EBS console. It allows customers to securely publish Microsoft Exchange Server (Outlook Web Access) and Microsoft Office SharePoint Server for remote access.

In contrast, Forefront TMG (not the Medium Business Edition in EBS) is the next version of the ISA Server, and builds on top of existing ISA Server functionality to deliver new protection capabilities, including Web antimalware, as well as enhancements to the UI, management, and reporting. It will support organizations from small to large.  TMG beta 1 is currently available for download and evaluation as part of the Forefront codename “Stirling” beta 1.

Support Calls - Forefront / Antigen

Een goed verhaal van Joe Anderson over wat je kunt als je problemen hebt met Antigen of Forefront. Zijn verhaal:


Hello. My name is Joe Anderson, and I work with the CSS Security Support Team.

Having firsthand experience with customers, I wanted to give some insight into things that we request when troubleshooting a particular issue. Below, I describe several of the common support scenarios and provide information about the type of diagnostics you will want to have on hand or be prepared to get before contacting support. I’ve also included some information about tools and utilities that are helpful in diagnosing problems.

Scenario 1.

What do I do if a virus gets past Antigen or Forefront?

While it doesn’t happen often, there’s always the chance that a virus outbreak will occur and the latest AV definitions are not able to detect a particular viral variant.

If this happens to you, you will want to lock down your messaging environment. Once you have your environment secure, you can follow knowledge base article KB952163 for the appropriate procedure to notify us about the undetected virus.

Scenario 2.

I have Antigen antispam protection, but too much spam is getting past the filters to the users’ inboxes. What do I do?

Spam can sometimes come in substantial waves. If you notice a big increase in the amount of spam that is hitting your environment or getting through to mailboxes, there are several troubleshooting steps you can take.

The first thing you should do is check to see that the antispam engine is being updated properly in the Antigen Administrator. If it is, then the likely problem is that the definitions have not yet been released for the spam variant hitting your environment.

In order to determine if the definitions are up to date, we usually request that you check the “update version” under “scanner updates” in the Forefront/Antigen administrator or run the “AntigenDiag” (see later in this article for details of what this contains) as this will tell us if updates are working or failing.

Other possible solutions and relief can be found in the following knowledge base article: KB920863

Scenario 3.

I have concerns about the functionality of Antigen/Forefront.

Depending on the issue, the bulk of our troubleshooting is done by reviewing the logs.

To help expedite the process, we usually ask customers to turn on additional diagnostics (These include: Additional Internet, Additional Realtime, Additional Manual) as well as set the “Max Programlog Size” setting to no more than 100000KB. All of the settings can be found in the General Options work pane in the Forefront/Antigen administrator.

While 100MB is a large size, it is important because the program log fills up quickly when additional diagnostics are turned on. The additional information provided when these settings are enabled is needed for extensive troubleshooting. If the program log size setting is left at a lower number, we run the risk of cutting off a part of the log that may be needed.

If you are opening up a ticket with support via a Web Incident, then a detailed summary of the problem and what steps you have already taken to try to resolve the issue will go a long way to helping the support engineer resolve your issue.

Helpful tools and utilities

Antigendiag.exe and FSCDiag.exe utility

The primary source for troubleshooting analysis is the

Antigendiag.exe / FSCDiag.exe. This utility gathers the following files:

  • ADB / FDB files (contains the settings that allow us to reproduce the Antigen/Forefront environment as closely as possible).
  • Event logs
  • Programlog.txt and HRlog.txt (details the activity of the product including updates, detections and errors).
  • Antigen/Forefront registry keys that tell us what’s turned on or not.
  • Version information
  • Dr. Watson logs and User Dumps (in case a dump is requested in performance related areas).

To Generate an Antigen/FSS Diagnostic

  • Locate the install folder for Antigen or Forefront
  • Double click on the AntigenDiag.exe (or the FSCDiag.exe if running Forefront)
  • A command prompt will open
  • Say YES to each question asked at the command prompt (not necessary in FSS)
  • The subsequent diagnostic will be a zip file found in the following directories:

Antigen - C:\Program Files\Microsoft Antigen for Exchange\log\Diagnostics

Forefront – C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\log\Diagnostics

OneClick, Process Monitor and Performance Monitor

Antigen and Forefront install with a comprehensive set of proprietary diagnostic tools. It is often helpful, however, to employ the following auxiliary tools that will generate additional intelligence that can help shorten the troubleshooting path and lead to a faster resolution of the problem.


In order to generate network traces, we can leverage OneClick. This tool will allow a user to more closely examine Antigen and FSS specific network activity and communications.

Among the functionality that can be examined with OneClick are virus engine updates, database queries, template distribution, notification activity, as well as a host of Exchange specific network activity.


Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon.

Troubleshooting for both Antigen and Forefront can require an administrator to more closely examine the properties and permissions of files and registry components as well as the status of process requests.


Performance Monitor

Performance Monitor is used to get statistical information about the hardware and software components of a server.

We can use this built-in tool to gather and analyze Antigen/FSS specific data. By adding Antigen/FSS counter objects and simultaneously introducing system counters, such as processor and memory usage, we can cross reference these values and determine Antigen/FSS’s tax on the server(s)

Download: Built in Windows tool; start->run->perfmon


As you can see, gathering the data and diagnostics described in this article allows us to find the quickest and most accurate path to finding a solution.

Joe Anderson

Antigen Support Group

PSS Microsoft Security

Tip: Implementatie van Forefront Client Security

Wil je weten wat er bij komt kijken om FCS te implementeren in jouw organisatie?  We bieden een handige korte internet clinic aan voor FCS deployment (kosteloos).  Verschillende scenarios, overwegingen en het zetten van FCS policies.


Forefront Client Security/NAP Readiness Assessent in New MAP Toolkit

Earlier this week Microsoft introduced the new Microsoft Assessment and Planning Toolkit 3.2. MAP is a scalable and agent-less assessment platform designed to make it easier to determine which Microsoft technologies are right for your infrastructure, and how to best implement them. In this version, MAP assessment capabilities have expanded to a range of Microsoft products, including Forefront Client Security and Network Access Protection.

The Security Assessment provides help to identify physical and virtual machines that may represent security risks in your environment, including:

  • Discovery and inventory of client machines.
  • Identification of machines where Windows Security Center is not running.
  • Identification of machines where firewall, antispyware or antivirus products are not found, are not running or are not up to date as reported by Windows Security Center.

Download MAP 3.2 here.

Intelligent Application Gateway SP2

This week we will announce the upcoming release of Intelligent Application Gateway Service Pack 2!  This news is one of the announcements being made in Barcelona this week at the Microsoft TechEd:  IT Pro conference.

As you may know, IAG is a remote access gateway that boosts productivity by giving mobile and remote workers, partners and customers easy, flexible and secure access to virtually any application from a broad range of devices and locations. IAG includes a variety of features, pre-configured policies and tunnels that allow access to virtually any application from any location – securely!  It is a good example of our ongoing focus on integrated identity and security solutions that help customers protect their assets and manage costs.

Service Pack 2 extends our key investments in application intelligence, end point security and interoperability as well overall performance, stability and ease of use. In the next few weeks, existing IAG customers will be able to obtain SP2 through our OEM hardware partners or on the Microsoft download center.

So let’s take a quick walk through some of the changes in SP2:

  • Ability to run as a virtual machine on Hyper-V: Using Hyper-V Server 2008 or Windows Server 2008 with Hyper-V you can now run IAG virtually! This can help lower costs and basically increases flexibility. Furthermore, customers can chose to virtualize their disaster recovery systems for easier roll-out.
  • Enhanced interoperability with non-Windows environments (such as Firefox, Linux and Mac): We’ve added end-point detection and Attachment Wiper capabilities for users coming from non Windows+IE environments, increasing the security and productivity from these platforms.
  • New application optimizers for Microsoft Dynamics CRM and OCS Web client: You could always publish these applications generically, but you now have the wizards and configurations in place.
  • New Getting Started Wizard: To help walk you through the first steps of setting up your IAG environment

Also on the list:

  • Improved Kerberos Constrained Delegation (KCD) administrative experience.
  • Improved stability and performance
  • Incorporates all current updates such as:
    • SharePoint Fix
    • WMI-based detection leveraging the Detection Center
    • IP based logging of Network Connector

I’d like to invite you all to learn more about IAG at\iag and register and be first to download the new, virtual trial of IAG.