Category Archives: Forefront

The Forefront family includes TMG (ISA), UAG, FIM, etc.

UAG-published OWA should use the basic authentication method.

It is a good idea that UAG hardcodes the basic authentication method for UAG-published OWA.


Do not install KB971737 for ISA 200x on Windows 2003 x86

This KB is an optional Windows 2003 hotfix. Please do not install it on your ISA 200x on Windows 2003 x86. If you have installed it, just uninstall it.

How to check whether KB 971737 is installed:

  1. From the QFE list: from WMI using wmic, PowerShell or something else.
  2. From System Information -> Loaded Modules, verify whether the Winhttp version is 5.2.3790.4584.
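
The two checks above, scripted so they can be run against several servers at once (an added example, not from the original post). It assumes Windows PowerShell with Get-WmiObject and WMI access to the servers; the function name Test-KB971737 is hypothetical, and inspecting the winhttp.dll in the system directory is an assumption about which copy matters.

```powershell
# Added example. Test-KB971737 is a hypothetical helper name.
function Test-KB971737 {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $kbId      = 'KB971737'
    $kbVersion = '5.2.3790.4584'   # Winhttp version named in the post

    foreach ($computer in $ComputerName) {
        try {
            # Check 1: QFE list via WMI (the class behind "wmic qfe")
            $qfe = @(Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop |
                     Where-Object { $_.HotFixID -eq $kbId })

            # Check 2: file version of winhttp.dll.
            # Assumption: the copy in the system directory is the one to inspect.
            $os     = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $path   = Join-Path $os.SystemDirectory 'winhttp.dll'
            $filter = "Name='{0}'" -f $path.Replace('\', '\\')   # WQL needs escaped backslashes
            $dll    = Get-WmiObject -Class CIM_DataFile -Filter $filter -ComputerName $computer -ErrorAction Stop

            [pscustomobject]@{
                Computer       = $computer
                ListedInQfe    = ($qfe.Count -gt 0)
                WinHttpVersion = $dll.Version
                VersionMatches = ($dll.Version -eq $kbVersion)
                Error          = $null
            }
        }
        catch {
            # Unreachable host or access denied: report it instead of silently skipping
            [pscustomobject]@{
                Computer       = $computer
                ListedInQfe    = $null
                WinHttpVersion = $null
                VersionMatches = $null
                Error          = $_.Exception.Message
            }
        }
    }
}

# Local machine by default; pass -ComputerName with your ISA server names to check them remotely
Test-KB971737 | Format-Table -AutoSize
```

A server where either ListedInQfe or VersionMatches is true is a candidate for uninstalling the hotfix; the Loaded Modules view in System Information still shows what a running process actually loaded.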

Posted on February 17, 2011 in Forefront


Forefront Protection Server Management Console 2010 Update

As you know, FPSMC was scheduled to be updated in Q4 2010. Now the team has written a new blog post about this.

a little bit about the soon-to-be released Forefront Protection Server Management Console 2010 (FPSMC). FPSMC provides centralized management for the Forefront Protection 2010 for Exchange (FPE) and Forefront Protection 2010 for SharePoint (FPSP) servers in your environment. FPSMC is expected to be available as a free download in Q4 2010.

FPSMC provides multi-server management through a browser-based interface, and supports the following features:

Signature redistribution

The signature redistribution job is used to deploy antivirus signature updates to the FPE/FPSP servers in an environment. The most efficient way to update engine signatures on all your servers is to create a redistribution job to download them to the FPSMC server. The FPSMC server is then used as the retrieval point for all the other servers in the environment.

Policy (configuration) deployment

FPSMC supports deploying a centralized set of configuration settings to one or more FPE or FPSP servers in your environment. This is accomplished by configuring one of your FPE/FPSP servers to the desired configuration and then exporting these settings in xml format.  The xml file is then imported into FPSMC, which can deploy these same settings to your other FPE/FPSP servers.

Patch deployment

FPSMC supports deploying FPE and FPSP roll ups and service packs. Patch packages can either be .MSP or .EXE file types.

Centralized incident reporting

The Incident Detection report presents data about the number of malware incidents and filter matches over a period of time on one or more managed servers. This includes the five most common malware types detected in your organization and the most recent detection date and time.

Centralized spam reporting

The Spam Detection report presents data about the number of spam messages blocked by FPE. This includes a pie-chart breakdown by filter type and a line graph showing the number of spam messages detected over time.

Centralized engine versions reporting

The Engine and Definition Versions report presents data about the antivirus engine versions and definitions on selected servers running FPE and FPSP. This report compares the current engine versions of the managed servers to determine which, if any, of your signatures are out of date.

Quarantine management

FPSMC supports retrieving quarantine data from managed Forefront Protection servers for local analysis and management, including delivering Exchange quarantine and restoring SharePoint quarantine.

Integration with Forefront Online Protection for Exchange (FOPE).

If you are using FOPE in your organization, you can use FPSMC to access the FOPE Administration Center to monitor your email flow. FPSMC provides access to the FOPE home page, quarantine, reports, and mail tracing facilities.

Auto discovery of servers

On a nightly basis, FPSMC will automatically detect new FPE and FPSP servers that have been added to your network.

Exchange Clusters — CCR, SCC, and DAG

FPSMC supports clustered Exchange servers, including E14 Database Availability Groups.

FPSMC will initially be available in English. Localized versions in all 11 languages (Chinese-Simplified, Chinese-Traditional, English, French, German, Italian, Japanese, Korean, Portuguese-Brazil, Russian, and Spanish) will be released at a later date (to be announced).

Posted on October 27, 2010 in Forefront



Exchange Server cannot send mail or receive mail after moving.

【Previously, this article described many errors. I updated it on 20100815.】

Recently, I have been working for a customer on upgrading Exchange Server 2003 to Exchange 2010. Before that, the customer plans to move all servers to a new datacenter. So first they did some tests, such as the IP change process.

Let me demonstrate:

Before moving:

ISA  internal IP GW, External IP 202.106.x.x

Exchange IP GW

IP change process:

ISA internal IP GW, external IP 202.106.x.x

Exchange IP GW

After moving:

ISA internal IP GW, external IP NAT 202.106.x.x

Exchange IP GW

Now Exchange is not working.


1-DNS query

nslookup failed. Even on the DC, the DNS query timed out.

This is because there is no DNS server in the DMZ and the DC cannot forward DNS queries to external. So I asked the network team to release the DC's DNS queries (port 53) to external. All messages in the queue were sent out.

2-Messages are sent out to external, but messages cannot be received.

From external, telnet 202.106.x.x port 25: no response.

From internal, telnet port 25: response.

From ISA, telnet: no response.

Now I was a little confused about why ISA did not respond. The only difference is the external IP. I got a response from the network team that all traffic from 202.106.x.x will forward to And all traffic from will forward to 202.106.x.x

After some investigation, I thought of the internal IP set settings on ISA. Because the internal IP and external IP are almost in one big subnet, I thought the ISA admin may have missed the change process. So I checked it, bingo!

I removed the external IP, then tested again; it still failed. I am crazy! The best and most basic sense is to reboot the ISA server. OK, it works. Hooray!…..

But wait! I do not see the banner. It is not right. But it shows there is still a configuration error on ISA.

The reason is that I had created a client usage rule for SMTP, not the SMTP server publishing rule. After changing back to the old rule, everything works.

Total working time: 4 Hours. From 8:30 to 12:30.
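
The telnet checks from step 2, as a repeatable probe that separates "port answers" from "SMTP banner received", the distinction that exposed the wrong rule type (an added example, not from the original post). Test-SmtpBanner is a hypothetical helper name and the host in the usage line is a placeholder.

```powershell
# Added example. Run it from each vantage point (external, internal, the ISA server)
# against the address that vantage point uses to reach the mail server.
function Test-SmtpBanner {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )

    $state  = 'NoResponse'      # nothing answered on the port
    $banner = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($pending)
            $state  = 'ConnectedNoBanner'   # TCP works, but no SMTP greeting yet
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
            $banner = $reader.ReadLine()    # throws if no line arrives before the timeout
            if ($banner -match '^220[ -]') { $state = 'BannerOk' }
        }
    }
    catch {
        # Refused connection or read timeout: keep the state reached so far
    }
    finally {
        $client.Close()
    }

    [pscustomobject]@{ Server = $Server; Port = $Port; State = $state; Banner = $banner }
}

# Placeholder target; replace with the published address being tested
Test-SmtpBanner -Server 'localhost'
```

NoResponse from outside with BannerOk from inside points at the firewall or NAT path; ConnectedNoBanner means the port is open but no SMTP server is greeting on it, which is the symptom described at the end of the post.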

Posted on August 1, 2010 in Forefront


Manually download Microsoft Forefront Protection for Exchange Server engine definitions


1- Download Update-Engines.ps1 from

2- Download the engine definitions


Update-Engines.ps1 -EngineDirPath C:\ScanEngineUpdates\

Update-Engines.ps1 -EngineDirPath C:\ScanEngineUpdates\ -UpdatePathUrl -Engines Microsoft -Platforms amd64, x86

3- Configure Forefront servers to download updates from the directory created in step 2 by using a UNC path of a share name, such as \\server_name\share_name

Posted on July 31, 2010 in Forefront


FPE 2010 rollup 1 released.

FPE 2010 was released in 2009/11. Now a rollup was released on June 30, 2010, but customers need to request the download themselves from the MS Download Center.

Its size is bigger than 200MB.

Posted on July 22, 2010 in Forefront


FPE 2010 cannot be controlled by FSSMC for now.

[Update 20100722]

Forefront Protection Server Management Console (FPSMC) 2010, which provides multi-node management for Forefront Protection 2010 for Exchange Server (FPE) and Forefront Protection 2010 for SharePoint (FPSP), is going to be available as a free download in Q4 2010.

Forefront Protection Server Script Kit (FPSSK) will be available as a free download on July 30th.



Forefront Server Security Management Console (FSSMC) can only control FPE 2007 for now. The project group said that “As part of this strategy, we’ll be releasing a service pack update to Forefront Server Security Management Console (FSSMC) in second half of 2010 to provide centralized management for FPE and FPSP customers at no additional cost. New features in this release will include: » Improved user interface » Support for Exchange 2010 and Database Availability Group (DAG) Clusters » Improved user experience for managing servers deployed outside of firewall. Also delivering a Forefront Server Script Kit for administrators who want to use Remote PowerShell to configure & report on multiple deployments of FPE and FPSP. This’ll allow customers to create server discovery, policy distribution, data collection, and centralized reporting scripts for use with their existing management infrastructures. The kit will be posted for free download on Solution Accelerators site when it becomes available. In the meantime, if you’re interested in getting an early look at FSSMC Service Pack, you can request to be part of Customer Advisory Group”.

So what you have to do is wait.

Posted on July 21, 2010 in Forefront