Managing Forefront Endpoint Protection (FEP) with Microsoft Group Policy (GPO)

KB ID 0000604

Problem

FEP is Microsoft's corporate antivirus offering; think of it as the enterprise version of Security Essentials. Just about everything on the net about managing it assumes you are managing it with SCCM, which is fine if you have SCCM, but what if you don't? Thankfully you can manage it with Group Policy, even if information on how to do so is rarer than hen's teeth!

With a Microsoft Core CAL you are licensed to use the FEP client, so if you already have Core CALs it is a solution that can save you some cash on your corporate AV strategy.

Solution

Installing Forefront Endpoint Protection

The client software comes in x64 and x86 flavours and is installed from a single executable (FEPInstall.exe). There is no MSI installer (yeah, thanks Microsoft!), so if you want to roll it out en masse you need to either install it with a startup script, include it in your 'master/golden image' and re-image your machines, or tear your hair out trying to work out SCCM.
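The startup-script route, as an added example (this is not code from the original article or from Microsoft). It assumes a share \\fileserver\fep$ holding an x64 and an x86 folder each containing FEPInstall.exe, that FEPInstall.exe accepts /s and /q as its silent switches (check FEPInstall.exe /? before relying on that), and that the installed client registers the Windows service MsMpSvc. Assign it as a Computer Configuration startup script so it runs as SYSTEM before anyone logs on.

```powershell
# Added example: Group Policy computer startup script that installs the FEP 2010
# client if it is not already present. Every path, switch and service name
# below is an assumption; verify them in your own environment.
$Share   = '\\fileserver\fep$'                             # assumed share with x64\ and x86\ builds
$LogFile = Join-Path $env:SystemRoot 'Temp\FEPInstall.log'
$Service = 'MsMpSvc'                                       # assumed service name of the FEP client

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

function Test-FepInstalled {
    # Presence of the antimalware service is the cheapest "already done" check,
    # so the script is safe to run at every boot.
    return [bool](Get-Service -Name $Service -ErrorAction SilentlyContinue)
}

function Get-FepInstallerPath {
    # PROCESSOR_ARCHITEW6432 is set when a 32-bit process runs on a 64-bit OS,
    # so this picks the right build even under WOW64 and on Windows XP.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    $arch = if ($is64) { 'x64' } else { 'x86' }
    return Join-Path $Share "$arch\FEPInstall.exe"
}

function Install-FepClient {
    if (Test-FepInstalled) {
        Write-Log 'FEP client already installed; nothing to do.'
        return 0
    }
    $installer = Get-FepInstallerPath
    if (-not (Test-Path $installer)) {
        Write-Log "Installer not found at $installer"
        return 2
    }
    Write-Log "Running $installer"
    # /s and /q are the assumed silent switches. No /policy file is passed:
    # the GPO described in this article delivers the settings after install.
    $p = Start-Process -FilePath $installer -ArgumentList '/s', '/q' -Wait -PassThru
    Write-Log "FEPInstall.exe exited with code $($p.ExitCode)"
    return $p.ExitCode
}

exit (Install-FepClient)
```

Because the share is read as SYSTEM, grant the Domain Computers group read access to it (and to the NTFS folder), not just your admin account; that is the usual reason a startup-script install silently does nothing.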

Managing Forefront Endpoint Protection with Group Policy

1. First you need to download the FEP policy definitions (the FEP2010.admx and FEP2010.adml files), then copy the FEP2010.admx file to %Systemroot%\PolicyDefinitions.

2. Then copy the FEP2010.adml file to %Systemroot%\PolicyDefinitions\en-US

Creating a Group Policy Central Store

3. If you keep all your ADMX policy definitions in a central location, every administrator editing Group Policy picks them up from there rather than from the local %Systemroot%\PolicyDefinitions of whichever machine they happen to be sitting at. The correct place is a PolicyDefinitions folder under Policies in SYSVOL (the same folder your clients read their Group Policy settings from); the Group Policy Management Console looks for this central store and, if it exists, uses it instead of the local templates. To create the directory, issue the following command;

[box]MD "%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions"[/box]

4. Now copy all your policy files into it (from the local folder we used earlier, including the language sub-folders) with the following command;

[box]xcopy %systemroot%\policydefinitions\*.* "%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions" /S /Y[/box]
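The same central-store build, as an added example written in PowerShell (not code from the original article). It uses the domain DFS path \\domain\SYSVOL\domain\Policies rather than %logonserver%, and adds the check that catches the most common central-store mistake: an ADMX file copied without its matching ADML, which makes the Group Policy editor throw resource errors for every template in the store. The only assumption is that the FEP templates are already in the local %SystemRoot%\PolicyDefinitions, as in steps 1 and 2.

```powershell
# Added example: create the Group Policy central store, copy the local ADMX/ADML
# files (including FEP2010.admx/adml) into it, and verify ADML coverage.
# Run from a domain-joined machine as a user who can write to SYSVOL.
$Domain   = $env:USERDNSDOMAIN
$Local    = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Central  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Language = 'en-US'

function New-CentralStore {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -ItemType Directory | Out-Null
    }
    return (Test-Path $Path)
}

function Copy-PolicyDefinitions {
    # -Recurse brings the language folders (en-US etc.) across with the ADMX files;
    # -Force overwrites older copies so re-running after an update is safe.
    param([string]$Source, [string]$Destination)
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Get-AdmxWithoutAdml {
    # Returns the names of any ADMX files in the store that have no ADML in the
    # chosen language folder. A single missing ADML breaks the whole store in GPMC.
    param([string]$Store, [string]$Lang)
    $langDir = Join-Path $Store $Lang
    Get-ChildItem -Path $Store -Filter '*.admx' | Where-Object {
        $adml = Join-Path $langDir ($_.BaseName + '.adml')
        -not (Test-Path $adml)
    } | ForEach-Object { $_.Name }
}

if (-not (New-CentralStore -Path $Central)) {
    throw "Could not create central store at $Central"
}
Copy-PolicyDefinitions -Source $Local -Destination $Central

$missing = @(Get-AdmxWithoutAdml -Store $Central -Lang $Language)
if ($missing.Count -gt 0) {
    Write-Warning ("ADMX files without a $Language ADML: " + ($missing -join ', '))
} else {
    Write-Host "Central store at $Central is complete for $Language."
}

# The two files this article is about should now be in place:
Test-Path (Join-Path $Central 'FEP2010.admx')
Test-Path (Join-Path $Central "$Language\FEP2010.adml")
```

SYSVOL is replicated, so allow a replication cycle before expecting the Forefront node to appear in the Group Policy editor on other domain controllers.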

5. Then either create a new policy, or edit an existing one, linked to an OU that contains the COMPUTER objects you want to manage (these are computer settings, so a GPO linked only to user OUs will do nothing).

6. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Forefront Endpoint Protection 2010[/box]

Here you will find the policy settings you require.

7. When you are controlling settings via GPO this is what you will see on the client machines.
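A client-side check to go with that screenshot, as an added example (not from the original article): it lists the FEP settings that Group Policy has actually delivered to a machine so you can compare them with what you set in the GPO. It assumes the FEP2010.admx templates write their values under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware (confirm this on a test client by changing one setting and watching the key) and that the FEP client service is called MsMpSvc.

```powershell
# Added example: enumerate the FEP policy values a client has received and
# confirm the client service is running. Registry path and service name are
# assumptions; verify them on a test client first.
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$ServiceName = 'MsMpSvc'

function Get-FepPolicySettings {
    # Walk the policy key and its sub-keys, returning one record per value.
    # The output pipes cleanly into Export-Csv, so two clients can be diffed.
    if (-not (Test-Path $PolicyRoot)) { return @() }
    $keys = @(Get-Item $PolicyRoot) + @(Get-ChildItem $PolicyRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = ($key.PSPath -replace '^.*::', '')   # strip the provider prefix
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

function Test-FepManaged {
    # True only when policy values exist AND the client service is running;
    # either one missing means the settings in the GPO are not being enforced.
    $svc      = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $settings = @(Get-FepPolicySettings)
    return ($settings.Count -gt 0) -and ($svc -ne $null) -and ($svc.Status -eq 'Running')
}

Get-FepPolicySettings | Sort-Object Key, Name | Format-Table Key, Name, Value -AutoSize

if (-not (Test-FepManaged)) {
    Write-Warning "No FEP policy values found or $ServiceName not running; run gpupdate /force and check gpresult /r to see whether the GPO applied to this computer."
}
```

If the key is empty but gpresult /r lists the GPO as applied, the usual cause is that the GPO was edited on a machine without the FEP templates, so the settings were never written into it.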

Importing and Exporting Forefront Policy Settings

8. From the files you extracted earlier, locate and run FEP2010GPTool.exe. From here you can import and export all the FEP policy settings of a particular GPO. Microsoft has published a set of policy setting files for various server roles which you can download and import the same way.

Note: By default each policy you import merges with the existing settings in the GPO, unless you tick the "Clear the existing Forefront Endpoint Protection settings before import" option.

Updates for Forefront Endpoint Protection

9. FEP uses the existing Windows Update path for its definition and engine updates. If you have a WSUS server you need to enable Forefront Endpoint Protection 2010 under Products and the Definition Updates classification in the 'Products and Classifications' section, and then approve those updates (an automatic approval rule for that classification saves approving definitions by hand several times a day).

10. If you DON'T have WSUS but you are behind a proxy, you can manage the FEP proxy settings from the following policy.

Related Articles, References, Credits, or External Links

NA

Exchange – Unable to Mount Stores (log file missing)

KB ID 0000348

Problem

Exchange fails to mount a database, and complains with an error like the one below when you try to mount it manually.

Error:
Failed to mount database 'database name'
Error:
Exchange is unable to mount the database that you specified. Specified
database: {your server name}\{path to database}\{database name}; Error code:
MapiExceptionCallFailed: Unable to mount database. (hr=0x80004005,
ec=1032)

You may also see the following errors in the event log,

Event ID 9518

Log Name: Application
Source: MSExchangeIS
Date: 04/11/2010 13:51:09
Event ID: 9518
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: servername.domainname
Description:
Error 0xfffffbf8 starting Storage Group /DC=local/DC=hc/CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=First Organization/CN=Administrative Groups/CN=Exchange Administrative Group (FYDIBOHF23SPDLT)/CN=Servers/CN=SERVERNAME/CN=InformationStore/CN=First Storage Group on the Microsoft Exchange Information Store.
Storage Group – Initialization of Jet failed.

Event ID 489

Log Name: Application
Source: ESE
Date: 04/11/2010 13:51:09
Event ID: 489
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: servername.domainname
Description:
MSExchangeIS (2476) First Storage Group: An attempt to open the file "C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Additionally, if you have McAfee (and it caused the problem) you may also see,

Event ID 259

Log Name: Application
Source: McLogEvent
Date: 04/11/2010 13:45:33
Event ID: 259
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: servername.domainname
Description:
The file C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\E00.log�00074b5.js contains the JS/Redirector Trojan. Undetermined clean error, deleted successfully. Detected using Scan engine version 5400.1158 DAT version 6156.0000.

Solution

Essentially a transaction log file is missing and the database is not happy; in my case the AV software had quarantined the file, and even restoring it didn't fix the problem.

1. Before you proceed, make sure that the folders holding the Exchange log files and databases are excluded from your AV's on-access scanning in future, so this cannot happen again. (Microsoft's guidance for file-level antivirus on an Exchange server is to exclude the database, transaction log and transport queue directories.)

2. We need to get the database back into a mountable state: click Start > Run > cmd {enter}.

3. At the command line, change directory to the Exchange "bin" directory with the following command,

[box]
cd "C:\Program Files\Microsoft\Exchange Server\Bin"
[/box]

Note: Your "bin" directory may be elsewhere; check the path.

4. MAKE SURE the drive has plenty of spare room: eseutil needs free space equal to about 110% of the size of the database for this process to work. If that's a problem, either copy the database to a larger drive for this procedure or use the /t switch to put eseutil's temporary database on another drive.

Note: You can carry out the procedure on another drive or server; to run eseutil you need the following three files (eseutil.exe, ese.dll and exchmem.dll).

5. Take a copy of the broken database (and its log files) and put it somewhere safe.

6. Execute the following command. Note: an offline defrag (eseutil /d) only works on a database that is in a Clean Shutdown state; if eseutil /mh reports Dirty Shutdown, replay the remaining logs with eseutil /r first, or as a last resort (it can discard data) repair with eseutil /p before running the defrag.

[box]
eseutil /d "C:\{path to the database}\{database name}"
[/box]

7. Depending on the size of the database this can take a little time. When complete it will say DONE.

8. Now locate the directory that holds the log files (it is shown on the properties of the storage group; in this example you can scroll left and right to see the full path).

9. Move all the log files out of that directory into the same safe place you copied the database to earlier (in this case they all start E00). After an offline defrag the old logs no longer match the database and cannot be replayed into it, which is why they must not be left in the log directory; the Information Store starts a fresh log sequence when the database mounts. Take a full backup as soon as it is mounted, since nothing before this point can be used for recovery.

10. Remount the affected database.
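The whole procedure above wrapped in the checks I would want before touching a production database, as an added example (not from the original article): it copies the database and logs aside, reads the header state with eseutil /mh, refuses to defrag a Dirty Shutdown database, checks the 110% free-space rule on the drive that will hold the temporary file, runs eseutil /d with /t, and only then moves the old logs out of the way. Paths are assumptions for a default Exchange 2007 install with a First Storage Group; D:\ExchangeRepair is an assumed scratch location with enough space.

```powershell
# Added example: pre-flight checks plus offline defrag for a dismounted Exchange
# database. All paths are assumptions; adjust them before running. Run in an
# elevated PowerShell on the Exchange server with the database dismounted.
$Bin     = 'C:\Program Files\Microsoft\Exchange Server\Bin'
$Db      = 'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb'
$LogDir  = 'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group'
$Backup  = 'D:\ExchangeRepair'          # assumed scratch/backup location
$Eseutil = Join-Path $Bin 'eseutil.exe'

function Get-DatabaseState {
    # Reads the "State:" line from the database header (eseutil /mh).
    # Returns 'Clean Shutdown', 'Dirty Shutdown' or 'Unknown'.
    param([string]$DatabasePath)
    $out  = & $Eseutil /mh "$DatabasePath" 2>&1
    $line = $out | Where-Object { $_ -match '^\s*State:' } | Select-Object -First 1
    if ($line -and ($line -match '^\s*State:\s*(.+)$')) { return $Matches[1].Trim() }
    return 'Unknown'
}

function Test-FreeSpace {
    # eseutil /d needs roughly 110% of the database size free on the drive
    # that receives the temporary database (the /t path).
    param([string]$DatabasePath, [string]$TempDrive)
    $dbSize = (Get-Item $DatabasePath).Length
    $drive  = New-Object System.IO.DriveInfo($TempDrive)
    return $drive.AvailableFreeSpace -ge ($dbSize * 1.1)
}

function Backup-DatabaseAndLogs {
    # Step 5 of the article: a copy of everything, taken before any change.
    param([string]$DatabasePath, [string]$LogDirectory, [string]$Destination)
    if (-not (Test-Path $Destination)) { New-Item $Destination -ItemType Directory | Out-Null }
    Copy-Item -Path $DatabasePath -Destination $Destination -Force
    Copy-Item -Path (Join-Path $LogDirectory 'E00*') -Destination $Destination -Force
}

function Invoke-OfflineDefrag {
    param([string]$DatabasePath, [string]$TempPath)
    $state = Get-DatabaseState -DatabasePath $DatabasePath
    if ($state -ne 'Clean Shutdown') {
        throw "Database state is '$state'. Replay logs (eseutil /r) or repair (eseutil /p) before defragmenting."
    }
    $tempDrive = [System.IO.Path]::GetPathRoot($TempPath)
    if (-not (Test-FreeSpace -DatabasePath $DatabasePath -TempDrive $tempDrive)) {
        throw "Not enough free space on $tempDrive for the temporary database."
    }
    & $Eseutil /d "$DatabasePath" /t "$TempPath"
    if ($LASTEXITCODE -ne 0) { throw "eseutil /d failed with exit code $LASTEXITCODE" }
}

Backup-DatabaseAndLogs -DatabasePath $Db -LogDirectory $LogDir -Destination $Backup
Invoke-OfflineDefrag -DatabasePath $Db -TempPath (Join-Path $Backup 'Tempdfrg.edb')

# Steps 8 and 9: the old E00 logs and checkpoint no longer match the defragmented
# database, so move them out of the log directory (copies already sit in $Backup).
Get-ChildItem -Path $LogDir -Filter 'E00*' | Move-Item -Destination $Backup -Force
Write-Host 'Defrag complete and old logs moved; remount the database and take a full backup.'
```

The state check is the important addition: eseutil /d on a Dirty Shutdown database stops with error -550 rather than defragmenting, and running /p blindly to get past that throws away whatever the missing log contained.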


Related Articles, References, Credits, or External Links

NA

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module

KB ID 0000642 

Problem

I upgraded a client's firewall and CSC software a couple of weeks ago, and ever since, "some" users saw the following errors,

Error 0x800CCC0F

Task '{email address} - Sending' reported error (0x800CCC0F): 'The connection to the server was interrupted. If the problem continues, contact your server administrator or Internet service provider (ISP).'

Eventually it would time out altogether with the following error,

Error 0x800CCC0B

Task ‘{email address} – Sending’ reported error (0x800CCC0B): ‘Unknown Error 0x800CCC0B’

Solution

All I could discern from Googling the error was that the AV (in this case the Trend Micro InterScan for Cisco CSC SSM, running in the Cisco CSC module) was probably the culprit.

I tried stopping the POP3 service on the CSC; that did NOT fix the error.

I confirmed that the CSC module was the root cause of the problem by disabling the entire module with the following command on the Cisco ASA firewall;

[box]hw-module module 1 shutdown[/box]

Warning: If you do this, your CSC settings must be set to "csc fail-open" or web and email traffic will stop! Once you have confirmed this IS the problem, re-enable the module with the following command.

[box]hw-module module 1 reset[/box]

I tried from my office and it worked fine; I could not replicate the error. I tried from various servers and Citrix boxes at other clients who kindly let me test from their networks. Still I could not replicate the error! I went home, and that was the first time I could see the same error their users were seeing. Sadly this led me on a wild goose chase (I use Outlook 2007 at home and Outlook 2010 everywhere else, so I (wrongly) assumed that was the problem).

Breakthrough!

As I could now replicate the error, I could at least do some testing: I attempted a send/receive and watched the CSC logging.

Note: To view CSC Logging, connect to the ASDM > Monitoring > Logging > Trend Micro Content Security > Continue > Enter the password > OK > View.

Every time it failed, I saw my public IP being logged with RejectWithErrorCode-550 and RBL-Fail,QIL-NA. At last, something I could work with.

This indicates the SMTP connection was rejected by the Email Reputation system (the CSC checks the connecting client's IP against Trend's reputation block list before it accepts the session). I logged into the CSC web management console and located this.

Then I disabled 'SMTP Anti-spam (Email Reputation)', and everything started to work.

Conclusion

I understand the need for this system, but the nature of POP3 email clients dictates that they can connect in from anywhere, usually from a home ISP account on a DHCP address. I know from experience that major ISPs' dynamic IP ranges end up in RBL block lists (I checked by looking up my own IP, and sure enough it was listed).

If you are going to use POP3 (with those clients sending through the SMTP the CSC scans) then you need to leave this system disabled, and bear in mind that the setting is global, so you lose reputation filtering on inbound Internet mail as well. To be honest, if you have Exchange, simply swap over to Outlook Anywhere and stop using POP3.

Related Articles, References, Credits, or External Links

Special thanks to Jenny Ames for her patience while I fought with this over a number of days.