Microsoft Forefront Security for Exchange Server Cluster Installation Guide

Microsoft Forefront Security for Exchange Server Version 10

Microsoft Corporation

Published: July 2009

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Privacy policy

Review the Microsoft Forefront Server Security Privacy Statement at the Microsoft Forefront Server Security Web site.

Contents

Cluster Install Introduction

Definitions

Local Continuous Replication (LCR)

Cluster Continuous Replication (CCR)

Single Copy Cluster (SCC)

Standby Continuous Replication (SCR)

Failover

Quorum

Supporting third-party vendors

Installing FSE on a cluster

Applying Exchange and FSE service packs and rollups

Cluster system requirements

Minimum server requirements

Minimum workstation requirements

Local Continuous Replication (LCR) installation

Standby Continuous Replication (SCR) installation

SCR system tips

Cluster Continuous Replication (CCR) installation

Replacing a CCR cluster node

CCR cluster tips

Single Copy Cluster (SCC) installation

Ensuring that your SCC cluster drive is available during installation

Installing FSE on an SCC active node

Installing FSE on an SCC passive node

SCC cluster tips

Additional considerations

Upgrading FSE

Uninstalling FSE

Uninstalling FSE from an LCR system

Uninstalling FSE from an SCR system

Uninstalling FSE from a CCR cluster

Additional CCR cluster uninstall notes

Uninstalling FSE from an SCC cluster

Evaluation version

Launching the Administrator

Cluster Install Introduction

In recent years, clustered installations have become more popular. Microsoft® Exchange Server 2007 can be installed on clustered systems, using both Cluster Continuous Replication (CCR) and Single Copy Cluster (SCC) configurations. Microsoft® Forefront Security™ for Exchange Server (FSE) can then be installed on Exchange mailbox servers in clustered systems. FSE supports volume mount points.

Note:

The Forefront Server Security Management Console is not supported in a clustered environment.

For more information about configuring and running FSE, see the Forefront Security for Exchange Server User Guide.

Definitions

These are terms you may encounter when working with clusters.

Local Continuous Replication (LCR)

LCR allows for data replication to an alternate drive attached to the same system. This is not a cluster configuration because it does not provide true high availability in the event of system failure. It is intended to provide protection against local storage failures, but does not protect against the failure of the server itself. LCR is a single-server solution that uses built-in asynchronous log shipping and log replay technology to create and maintain a copy of a storage group on a second set of disks that are connected to the same server as the production storage group. LCR provides a quick manual switch to a secondary copy of your data. The procedure for installing Forefront Security for Exchange Server on an LCR system is the same as that for a normal Standalone installation.

Cluster Continuous Replication (CCR)

This type of clustered mailbox server combines the replication and replay features in Exchange 2007 with failover features in Microsoft Cluster services. CCR is a solution that can be deployed with no single point of failure in a single data center or between two data centers. A node that is currently running a Clustered Mailbox Server (formerly called an Exchange Virtual Server) is an active node; a node in the cluster that is not currently running a Clustered Mailbox Server is a passive node.

CCR uses the database failure recovery functionality in Exchange 2007 to enable the continuous and asynchronous updating of a second copy of a database with the changes that have been made to the active copy of the database. Logs are not copied until they are closed and no longer in use by the Mailbox server. During installation of the passive node in a CCR environment, each storage group and its database is copied from the active node to the passive node. This operation is called “seeding”, and it provides a baseline for replication of the database. After the initial seeding is performed, log copying and replay are performed continuously. CCR uses the passive node to copy and replay the logs. Logs are accessed by the passive node via a secured file share.

In a CCR environment, replication capabilities are integrated with the Cluster service to deliver a high availability solution. In addition to providing data and service availability, CCR also provides for scheduled outages. When updates need to be installed or when maintenance needs to be performed, you can move a Clustered Mailbox Server manually to a passive node. After the move operation is complete, you can perform the needed maintenance.

Single Copy Cluster (SCC)

This type of clustered mailbox server uses shared storage in a failover cluster configuration to permit multiple servers to manage a single copy of the storage groups. In this architecture, although all nodes in the cluster can access shared data, they cannot access it at the same time.

In a Single Copy Cluster, an Exchange 2007 mailbox server uses its own network identity, not the identity of any node in the cluster. This network identity is referred to as a Clustered Mailbox Server. If the node running a Clustered Mailbox Server experiences problems, the Clustered Mailbox Server goes offline for a brief period until another node takes control of it and brings it online (a process known as “failover”). The shared storage is available to each possible host node of the Clustered Mailbox Server. As the failover happens, the storage associated with the clustered mailbox is logically detached from the failed node and placed under the control of the new host node.

Standby Continuous Replication (SCR)

This is a replication technology, not a cluster configuration. Unlike CCR, which requires that both servers belong to a Windows cluster (typically residing in the same data center), SCR can replicate data to a non-clustered server located in a different data center. This configuration creates redundancy for data center storage by permitting an additional copy of the data to exist inside or outside the data center. SCR uses the continuous replication technology to move data from one mailbox server to another. SCR enables a mailbox server to be a continuous replication target for a standalone mailbox server that does not have LCR enabled. A mailbox server can also be a passive node in a failover cluster where the mailbox role is installed, but no clustered mailbox server has been installed in the cluster.

Failover

The process by which a server in the cluster takes over the functions of another server in the cluster in the case of a failure of the first device. The term can also be used for a deliberate transfer of services to another server in the cluster.

Quorum

The storage device that keeps track of which node owns a clustered application. When a failover occurs, this is the device that decides which server then becomes active.

Supporting third-party vendors

Microsoft Customer Support Services (CSS) supports FSE clustering based on the failover clustering features of the Microsoft Cluster Service (MSCS). Several third-party vendors offer clustering services and solutions that do not rely on MSCS for applicable versions of Microsoft Windows operating system software. Microsoft cannot provide information about the actual performance or interaction of third-party clustering services and solutions that are running Exchange.

CSS will attempt to help you troubleshoot Exchange-related issues when Exchange is installed on a third-party clustering solution. CSS will help until it is reasonably believed that the cause of the issue is an incompatibility between the third-party clustering solution and Exchange. CSS may suggest removing the third-party solution to help resolve the issue, although this is not a precondition to receiving CSS support services. CSS may also refer you to the vendor of the third-party clustering solution for additional troubleshooting support. It is your responsibility to engage the third-party vendor's support organization. CSS will try to provide reasonable assistance in working with a third-party vendor's support organization; however, CSS cannot be considered the primary liaison between you and the third-party vendor. It is strongly recommended that you develop support relationships with each vendor whose hardware or software is part of your Exchange solution.

Installing FSE on a cluster

Forefront Security for Exchange Server supports local installations in all types of Exchange Server 2007 cluster and cluster-like configurations:

Local Continuous Replication (LCR)

Standby Continuous Replication (SCR)

Cluster Continuous Replication (CCR)

Single Copy Cluster (SCC)

Note:

If your system is configured to run a Network Load Balancer (NLB), there are no special installation procedures for Forefront Security for Exchange Server. Simply follow the instructions in the "Forefront Security for Exchange Server User Guide" for a non-clustered installation.

Note:

Each node of the cluster is a mailbox-only server. FSE should also be installed on your Edge and Hub servers for more reliable protection and performance.

Forefront Security for Exchange Server recognizes the existence of Microsoft Windows Server 2003 and Microsoft Windows Server 2008 active/passive clusters. To install Forefront Security for Exchange Server in a cluster environment, you must log on to the local computer as a Domain user with an account that has Local administrator rights. Forefront Security for Exchange Server must be installed on each node. All program files must be installed to a local drive.

Features of the installation include:

Configuration data (such as ScanJobs.fdb and Notifications.fdb) is associated with a Clustered Mailbox Server (CMS), not the physical nodes. Because of this, the data needs to be configured only for each CMS, regardless of how many nodes you have.

Similarly, scanner signature files are associated with a CMS, so that both active and passive nodes are up-to-date.

Configuration data kept in the registry is replicated on a CMS basis when the CMS moves from one computer to another during a failover event.

The Forefront Server Security Administrator should be connected to the Virtual Machine when connecting to Forefront Security for Exchange on a cluster server. If you try to connect to the physical server, you will be asked to select the Virtual Machine to which you would like to connect.

Applying Exchange and FSE service packs and rollups

This section describes how to apply Exchange and FSE service packs and rollups.

To install an Exchange service pack or rollup

1. Disable FSE on all nodes using the steps described in The FSC Utility in the “Microsoft Forefront Security for Exchange Server User Guide”.
2. On each node, follow the instructions provided with the specific Exchange service pack or rollup that you are installing.
3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing.
4. Starting with the active node, enable FSE on all nodes using the steps described in The FSC Utility in the “Microsoft Forefront Security for Exchange Server User Guide”.

Warning:

Do not fail over the active node when performing these steps.

Note:

Some Exchange service packs and rollups require you to download and install an FSE update in order to ensure that FSE operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.

To install an FSE service pack or rollup

1. On the passive node, run the installer by double-clicking the service pack or rollup executable file.
2. On the active node, fail over the node to make it passive, and then run the installer by double-clicking the service pack or rollup executable file.
3. After the installation is complete and the Exchange and FSE services have been restarted (this occurs automatically during the installation), verify that FSE is working properly.

Note:

FSE service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.
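
The ordering rules in the two procedures above (FSE disabled on every node before an Exchange update, no failover during it, FSE re-enabled on the active node first, and the FSE installer run only on a passive node) can be checked against a planned change sequence before a maintenance window. The following is an added example, not Microsoft code; the action names, node names, and plan format are assumptions made for illustration.

```python
# Added example: checks a planned patch sequence against the ordering rules above. The action
# names and (action, node) plan format are assumptions, not FSE or Exchange commands.

def check_exchange_update(plan, nodes, active):
    """Exchange service pack or rollup: return a list of rule violations."""
    nodes, errors = set(nodes), []
    disabled, patched, enabled, mail_ok = set(), set(), [], False
    for action, node in plan:
        if action == "failover":
            errors.append("failover performed during the Exchange update")
        elif action == "disable_fse":
            disabled.add(node)
        elif action == "install_exchange_update":
            if disabled != nodes:
                errors.append(f"{node}: updated before FSE was disabled on all nodes")
            patched.add(node)
        elif action == "verify_mail_flow":
            mail_ok = patched == nodes
            if not mail_ok:
                errors.append("mail flow checked before every node was updated")
        elif action == "enable_fse":
            if not mail_ok:
                errors.append(f"{node}: FSE enabled before mail flow was verified")
            if not enabled and node != active:
                errors.append(f"{node}: FSE must be enabled on the active node first")
            enabled.append(node)
    if set(enabled) != nodes:
        errors.append("FSE was not re-enabled on every node")
    return errors

def check_fse_update(plan, nodes, active):
    """FSE service pack or rollup: the installer may only run on a passive node."""
    nodes, errors, patched = set(nodes), [], set()
    for action, node in plan:
        if action == "failover":          # node = the node that becomes active
            active = node
        elif action == "install_fse_update":
            if node == active:
                errors.append(f"{node}: installer run while the node is active")
            patched.add(node)
    if patched != nodes:
        errors.append("FSE update not installed on every node")
    return errors

# Constructed two-node cluster and plans (not taken from a real system).
NODES, ACTIVE = ["NODE-A", "NODE-B"], "NODE-A"
GOOD_FSE = [("install_fse_update", "NODE-B"), ("failover", "NODE-B"),
            ("install_fse_update", "NODE-A")]
BAD_FSE = [("install_fse_update", "NODE-A"), ("install_fse_update", "NODE-B")]
GOOD_EXCHANGE = ([("disable_fse", n) for n in NODES]
                 + [("install_exchange_update", n) for n in NODES]
                 + [("verify_mail_flow", None)]
                 + [("enable_fse", n) for n in NODES])
BAD_EXCHANGE = [("disable_fse", "NODE-A"), ("install_exchange_update", "NODE-A"),
                ("failover", "NODE-B"), ("enable_fse", "NODE-B")]

if __name__ == "__main__":
    print(check_fse_update(BAD_FSE, NODES, ACTIVE))
    print(check_exchange_update(BAD_EXCHANGE, NODES, ACTIVE))
```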

Cluster system requirements

The following are the minimum server and workstation requirements for FSE.

Note:

All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before installing Forefront Security for Exchange Server. Too little available memory or disk space may impact the ability of Forefront to scan large files.

Minimum server requirements

The following are the minimum server requirements.

Note:

If both the Exchange and SharePoint products are installed on the same server, only Forefront for Exchange can be installed, to protect Exchange.

x64 Architecture-based computer with:

Intel Xeon or Intel Pentium Family processor that supports Intel Extended Memory 64 Technology (Intel EM64T), or

AMD Opteron or AMD Athlon 64 processor that supports AMD64 platform.

Server software

Microsoft Windows Server® 2003 with Microsoft Exchange Server 2007

Microsoft Windows Server 2008 with Microsoft Exchange Server 2007

1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended).

Note:

With each additional scan engine used, more memory is needed per scanning process.

2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.

Intel processor, 1 gigahertz (GHz).

Minimum workstation requirements

The following are the minimum workstation requirements:

Windows Server 2003 or Windows® 2000 Professional

6 MB of available memory

10 MB of available disk space

Intel processor, or equivalent

Local Continuous Replication (LCR) installation

To install on an LCR Exchange server, you need to log on to the local computer using an account that has administrator rights. The steps are the same as those for a Standalone FSE installation. Click Next to continue after filling out a screen, unless otherwise directed.

Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSE features to work correctly.

To install Forefront Security for Exchange Server on an LCR Exchange server

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. The initial setup screen is Welcome. Click Next to continue.
3. Read the license at the License Agreement screen and click Yes to accept it.
4. On the Customer Information screen, enter User Name and Company Name, if needed.
5. On the Installation Location screen, select Local Installation.
6. On the Installation Type screen, select Full Installation.
7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.
8. On the Quarantine Security Settings screen, select the desired setting.
Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.
9. On the Engine Updates Required screen, read the warning about engine updates.
10. To use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen will not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
Note:
If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.
11. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.
Default: Program Files\Microsoft Forefront Security\Exchange Server
12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.
Default program folder: Microsoft Forefront Security for Exchange Server
13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
14. After installation is complete, the Restart Exchange Transport Service screen appears. Use it to stop and restart the Exchange services automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time.
15. If you chose to restart the Exchange Transport Service, the Recycling Exchange Transport Service screen appears, indicating that the services are being shut down and restarted. When the status changes to All services started, click Next to continue.
16. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.
17. View the ReadMe file.

Standby Continuous Replication (SCR) installation

How FSE is installed on an SCR Exchange server system depends on the configuration of your source (data center) installation.