Wednesday, October 21, 2015

Two Necessary Steps to Make Your Anti-Malware Updates Working Behind Proxy

Hi folks,

As you all well aware Microsoft replaced Forefront Protection for Exchange (FPE) on Exchange 2013 with the integrated anti-malware. On the first glance it appears as FPE integrated into Exchange. As long as its configuration is concerned anti-malware is almost like an appliance since there's not much to configure.

I found this article extremely helpful in configuring and troubleshooting proxy settings for Exchange 2013 anti-malware updates.

There are 2 areas of configuration to ensure that updates are successfully happening: file system and proxy settings.

First we will attend file system. Browse with File Explorer the folder where Exchange is installed (for example C:\Program Files\Microsoft\Exchange\V15\FIP-FS\Data\Engines\amd64\Microsoft\bin). When accessing FIP-FS directory (and some other subdirectories) File Explorer displays a dialog box that prompts you with the following: "You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder". After clicking Continue you are able to browse directory contents. Check NTFS security permissions for this directory and ensure that NETWORK SERVICE has  "Full Control" permissions.

Secondly, if you are running behind proxy you will need to configure proxy settings on your Exchange server. First you need to make sure that your Exchange servers can connect to http://forefrontdl.microsoft.com/server/scanengineupdate via proxy server without authentication. After this is configured we need to configure it on the Exchange server level. Please note that anti-malware totally ignores proxy settings configured via Internet Explorer properties or unauthenticated proxy configured by using netsh command (yet the latest will still be needed to check CAS certificates URLs).

You will need to configure proxy settings for your anti-malware by executing the following commands:

Add-PsSnapin Microsoft.Forefront.Filtering.Management.Powershell

Set-ProxySettings -Enabled $true -Server 192.168.0.1 -Port 80

(of course you will need to replace the values with yours)

After this you will need to execute the following command to manually kick downloads:

cd $exscripts
.\Update-MalwareFilteringServer.ps1 -Identity SERVER1.CONTOSO.COM

Make sure that you type server FQDN rather than the hostname after the Identity parameter.

If download is successful you will get event 6033 as follows.



You can also browse to C:\Program Files\Microsoft\Exchange\V15\FIP-FS\Data\Engines\amd64\Microsoft\bin (or whatever is your Exchange installation folder) and ensure that new update files are there.

I hope you will find it helpful for your endeavors.

Enjoy.