Forefront TMG 2010 EOL Announcement

Today, Microsoft finally announced that it is discontinuing most of its Forefront products, including products used in many Exchange deployments: Forefront Threat Management Gateway (TMG) 2010 and Forefront Protection for Exchange (FPE).

The products to be discontinued are:

  • Forefront Threat Management Gateway (TMG), including Forefront TMG Web Protection Services (TMG WPS);
  • Forefront Protection for Exchange (FPE);
  • Forefront Protection for SharePoint (FPSP);
  • Forefront Security for OCS (FSOCS);
  • Forefront Protection Server Management Console (FPSMC).

This announcement is not a real surprise; rumors that TMG would cease to exist have circulated for months. With this official statement, companies using one of the products mentioned can start adapting their strategies, if they have not already done so. Companies that were planning to use them in the (near) future need to turn to alternative solutions as well, since these Forefront offerings will no longer be available for purchase as of December 1st, 2012!

As it stands, mainstream support for TMG will end on April 14th, 2015; extended support for TMG will end on April 14th, 2020. Forefront Online Protection for Exchange (FOPE) will be rebranded as Exchange Online Protection.

First, the hygiene products. This is clearly a move to shift these layers of protection to “the cloud”, which has clear benefits, like filtering incoming messages before they enter the organization, which is also nice from a bandwidth perspective. However, that’s no solution for the many customers still requiring an on-premises solution which, for example, does store scanning; these customers are forced to turn to 3rd parties, like McAfee or Symantec. Note that Exchange 2013 will contain basic anti-malware functionality, but I doubt this will meet any customer’s demands and it certainly isn’t a very manageable solution.

Next, there’s the firewall, reverse proxy, load balancing and VPN functionality offered by TMG. Currently, many organizations use TMG to publish Exchange and, as many say and know, Exchange and TMG go very well together. For example, TMG can offer pre-authentication or SSL offloading for your Exchange boxes. These customers need to look into VPN-like solutions such as Forefront UAG, which is a totally different concept and less straightforward than implementing a TMG in front of your Exchange boxes, or check for 3rd party solutions, like F5 BIG-IP with the Access Policy Manager add-on. Of course, your revised strategy and eligible solutions depend on your business requirements.

Roadmaps of Forefront Identity Manager (FIM) and Forefront Unified Access Gateway (UAG) remain unchanged, so publishing Exchange using UAG remains a future-proof possibility.

Forefront Protection for Exchange Rollup 4

Microsoft released Hotfix Rollup 4 for Forefront Protection for Exchange Server (KB2619883).

Here’s the list of fixes included in this rollup:

  1. Email is sent to the Forefront Protection for Exchange UNDELIVERABLE folder instead of being delivered
  2. UNC and proxy credentials are stored in clear text in the Forefront Protection for Exchange file system
  3. The Forefront Protection for Exchange FSEMachinePrep.exe fails with a fatal error
  4. The external sender does not receive the expected Forefront Protection for Exchange generated notification
  5. Forefront Protection for Exchange generates a notification with a blank subject line
  6. Forefront Protection for Exchange virus engine updates fail between the passive node and active node in CCR clusters
  7. Forefront Protection for Exchange only accepts 7-digit License Agreement numbers
  8. Forefront Protection for Exchange generates a 2098 event ID every time the MSExchangeTransport service is restarted
  9. Email queues at startup on an Exchange server running Forefront Protection for Exchange

For more details on the fixes consult the knowledge base article. You can request the hotfix rollup directly from the support center here.

Forefront Protection for Exchange Rollup 3

Microsoft released Hotfix Rollup 3 for Forefront Protection for Exchange Server (KB2538719).

Here’s the list of fixes included in this rollup:

  1. Mail queues and sluggish Exchange/Outlook performance
  2. Increased “Available Disk Space” Health Point threshold to 250MB
  3. Error: The DNS Blocklist lookup domain blocklist.messaging.microsoft.com could not be contacted
  4. The Exchange Information store crashes with Forefront Protection for Exchange installed
  5. An attempted upgrade of Forefront Protection for Exchange fails with a “Registration Service Failed” error
  6. You receive Forefront Protection Health Notifications indicating a status of “Green to Green”
  7. Forefront generates a MaxDisabledWait error within 15 minutes after starting
  8. A MaxDisabledWait error occurs and Forefront Protection does not recover
  9. Forefront Protection doesn’t apply keyword filtering within hyperlink strings
  10. Forefront Protection for Exchange crashes while scanning a TAR file
  11. An engine update fails in Forefront Protection for Exchange
  12. Emails that are 90 MB or larger are being sent to the Forefront archive folder
  13. The Microsoft Forefront Server Protection Eventing Service will not start following an upgrade from a beta version of Forefront Protection for Exchange
  14. Forefront Protection for Exchange detects files as “Engine Error” when no engines have been enabled for scanning
  15. Messages quarantined due to engine error can now be delivered as complete email
  16. High CPU conditions in EdgeTransport.exe process result in crash
  17. You receive Forefront generated email notification that the Cloudmark engine or Worm list could not update
  18. Exchange email queues at startup following an abnormal shutdown

For more details on the fixes consult the related knowledge base article. You can request the hotfix rollup through the support center here.

Forefront Protection 2010 for Exchange Rollup 2

Microsoft released Hotfix Rollup 2 for Forefront Protection 2010 for Exchange Server (KB2420647).

Here’s the list of fixes included in this rollup:

  1. Out of memory state occurs when running a manual scan in Forefront Protection for Exchange
  2. The link provided by Forefront Protection for Exchange to request removal from the SpamHaus block list is wrong
  3. Forefront Protection for Exchange does not display data in multiple console fields and mail cannot be sent externally
  4. When starting a Windows Server 2008 R2 server running Exchange and Forefront Protection for Exchange, startup times are exceptionally long
  5. Forefront Protection for Exchange falsely detects legitimate attachments as Corrupted Compressed files
  6. File filtering does not occur in Forefront Protection for Exchange
  7. A Forefront Protection for Exchange antivirus engine fails to load and mail is deleted
  8. Forefront Protection for Exchange quarantines a blank message when taking action on a subject line filter
  9. When installing FPE on Data Availability Group cluster (DAG), Domain Administrator privileges are required
  10. Messages cannot be scanned because the FSCController service in Forefront Protection for Exchange is stuck in a continuous loop
  11. “The Expiration Date is not valid” is returned when you try to enter a new expiration date in Forefront Protection for Exchange
  12. The Forefront Protection for Exchange Administrator console hangs for several minutes when you navigate to the Filter Lists section
  13. Cannot uninstall Forefront Protection for Exchange on a non-clustered server
  14. Transport Scan process is not safely aborted after an out-of-memory condition occurs
  15. The FSCTransportScanner.exe process in Forefront Protection for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1211603866
  16. Filter Lists display an incorrect scan action in the Forefront Protection for Exchange Administrator console
  17. FSCController.exe is reloaded many times whenever the Start-SignatureUpdate cmdlet is run on a cluster running Forefront Protection for Exchange
  18. Submission queues in Exchange 2007 or 2010 fill when making a configuration change in the Forefront through the administrator or through PowerShell

For more details on the fixes consult the related knowledge base article (KB2420647). You can download the Forefront Protection 2010 for Exchange Server Hotfix Rollup 2 here.

Forefront Security for Exchange SP2 RU3

The Forefront team released Rollup 3 for Forefront Security for Exchange (FSE) Service Pack 2. This rollup fixes an issue with version 8 of the Kaspersky antivirus engine, introduced with Rollup 2. The related knowledge base article is KB2420644. Unfortunately the Forefront Update page doesn’t mention the new Rollup (yet).

You can request the FSESP2RU3 here.

Forefront Security for Exchange SP2 RU2

For people running Forefront Security for Exchange SP2, Rollup 2 was released.

The related knowledge base article KB2270641 mentions the following additional fixes:

  1. The FSCTransportScanner.exe process in Forefront Server Security for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1211603866
  2. The FSECCRService.exe process in Forefront Server Security for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1076269539
  3. Forefront Server Security for Exchange fails to write a crypto checkpoint in the RSA\Machine Keys folder
  4. The FSCController.exe process in Forefront Server Security for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1229588505
  5. The Forefront Security for Exchange GetEngineFile process crashes and Forefront is unable to perform a scan engine update
  6. Kaspersky scan engine in Forefront Security for Exchange does not update on a CCR cluster
  7. Forefront Security for Exchange does not install on Windows Server 2008 R2
  8. Forefront Security for Exchange now supports the Kaspersky 8 engine

For more details, consult the KB article. You can download FSE SP2 RU2 after submitting a hotfix request here.

Forefront Server Protection Script Kit

Microsoft released version 1.0 of the Forefront Protection Server Script Kit (FPSSK). This kit, consisting of several PowerShell scripts, supports you in managing multiple servers with Forefront Protection 2010 for Exchange Server (or Forefront Protection 2010 for SharePoint).

The script kit enables you to capture the names of all computers running Forefront Protection 2010 in an Active Directory domain, capture Forefront Protection 2010 configuration settings from specified computers, deploy those settings to specified computers, compare captured settings to those on specified running computers, and run basic computer status reports.

Sounds like a good solution for small environments or when budget is tight. It is no replacement for the Forefront Server Security Management Console product.

You can download the kit here.

Microsoft Forefront Protection 2010 for Exchange Rollup 1

Microsoft released Hotfix Rollup 1 for Forefront Protection 2010 for Exchange Server (KB2181692).

Here’s the list of fixes included in this rollup:

  1. There is a handle leak in FSCController when SQM is uploading data in Microsoft Forefront Protection for Exchange
  2. A Forefront Protection for Exchange scan engine update fails and generates Application Log errors
  3. Forefront Protection for Exchange replacing legitimate attachments with text files and quarantining legitimate mail
  4. Proxy credentials and UNC path settings for Forefront Protection for Exchange do not replicate to passive node during cluster failover
  5. Forefront Protection for Exchange is blocking all incoming mail
  6. A system state backup fails while attempting to perform anything other than a full backup on a server running Forefront Protection for Exchange
  7. Forefront Protection for Exchange filters email with attached .MSG files that contain a subject line ending with a file extension
  8. The Forefront Protection for Exchange client crashes when adding an IP address, or range, to either the IP Allow/Block List
  9. Forefront Protection for Exchange sends legitimate email to Exchange’s UNDELIVERABLE folder
  10. Store slows down and RPC request queue length rises when Forefront Protection for Exchange is running on Windows 2003 64-bit server
  11. FSCUtility fails if run on a non clustered server that the cluster service is installed but disabled on
  12. FPE detecting valid .xls or .csv file as Exceedingly nested
  13. Forefront Protection for Exchange does not send External Sender notifications
  14. The FSCManualScanner.exe process in Forefront Protection for Exchange terminates unexpectedly
  15. The FSECCRService.exe process in Forefront Protection for Exchange may stop responding generating a Dr. Watson crash that references Bucket ID 1076269539
  16. Customer experiences OOXML performance issues when scanning
  17. Dr. Watson reports a null reference exception in Microsoft.FSS.AntiSpam.dll (from Forefront Protection for Exchange); Bucket ID [838554094]
  18. Spam Reports may take an excessive amount of time to retrieve in Forefront Protection for Exchange
  19. A scan job in Forefront Protection for Exchange will not restart after hitting the MaxDisabledWait time timeout threshold
  20. Forefront Protection for Exchange allows mail to go through unscanned if the MaxDisabledWait time threshold is exceeded
  21. Forefront Protection for Exchange generates more Realtime Scan Timeout notifications than expected
  22. Sluggish or stopped mail flow resulting from the FSCTransportScanner process, within Forefront Protection for Exchange, crashing while scanning files with embedded object links.
  23. Forefront Protection for Exchange does not have a Skip/Detect action option for the MaxContainerScanTime action menu

For more details on the fixes consult the related knowledge base article (2181692). You can download the Forefront Protection 2010 for Exchange Server Hotfix Rollup 1 here.

Forefront Protection 2010 Capacity Planning Tool

The folks at Microsoft released version 1.0 of the Forefront Protection 2010 for Exchange Server capacity planning tool. This tool is to aid you in planning and sizing your FPE configuration.

The tool starts by asking whether you want to evaluate your current setup or are planning a new environment. After that you need to select the required architecture: Standard for small to medium sized organizations or Enterprise for large organizations (e.g. combined Exchange Server roles). You can define the required level of protection (i.e. number of engines on Edge, Hub Transport and Mailbox Server roles) and see the predicted effect on the hardware requirements. After completing the questionnaire you receive the recommended hardware configuration.

You can also see the predicted performance for different setups, i.e. virtual or non-virtual setup, Windows Server 2003 or Windows Server 2008 R2 as well as Exchange level (2007 or 2010).

You can download the FPE capacity planning tool here.

Forefront Security for Exchange SP2 RU1

With all this “2010” information you could forget that most customers are still running earlier versions. For people running Forefront Security for Exchange SP2, Rollup 1 was released yesterday. Besides a new parameter (called feature) for enabling or disabling FSE on a cluster node, RU1 contains no less than 30 hotfixes. For a list of fixes, consult the related knowledge base article here. You can download FSE SP2 RU1 after submitting a hotfix request here.