Distributing updates by using UNC updating
Applies to: Forefront Protection for Exchange
Tip
Before reading this topic, it is recommended that you first read Maximizing scan engine performance.
The most common method of distributing engine and definition updates is UNC updating, in which one Exchange server (the redistribution server) downloads updates from the Microsoft HTTP server and then hosts those updates for the rest of the Exchange servers in your environment (the receiving servers). After the redistribution server downloads an update, any receiving server whose update path points to the redistribution server can download that update from it.
Note
UNC updating is the only supported method for redistribution. Also, antispam updates can only be downloaded from the Exchange Edge and Hub roles.
Configuring servers to receive and distribute updates
Before distributing updates, you must configure both the distributing server and receiving servers.
To configure servers to receive and distribute updates
To prepare a server to act as an update redistribution server, you need to establish a Windows share for its Engines folder. For information about the location of the default Engines folder on your operating system, see Default folders.
Warning
After establishing the share on Windows Server 2008 R2, the default permissions may be changed. The Include inheritable permissions from this object's parent check box may no longer be checked, causing engine updates to fail. To correct the situation, perform the following steps:
- In the Engines folder properties, click the Security tab.
- Click the Advanced button.
- Edit the Network Service permissions, and ensure that the Include inheritable permissions from this object's parent check box is selected.
- Click OK until you have exited all dialog boxes.
On the chosen server, enable the redistribution server functionality, and optionally set up UNC authentication user credentials:
In the Global Settings - Engine Options pane, in the Additional Options section, select the Enable as an update redistribution server check box, and then click Save.
This configures FPE to save the two most recent engine update packages instead of the usual single engine package. FPE also downloads the full update package rather than performing an incremental update. The multiple engine packages enable the receiving servers to continue pulling updates from the redistribution server while a new update is being downloaded.
Optionally, create UNC authentication user credentials. It is recommended that you use credentials with the minimum privileges. These should not be domain credentials, and the user should only be granted access to the share.
Configure each receiving server to point to the shared folder:
In the Global Settings - Engine Options pane, in the UNC Authentication section, to enable UNC authentication, select Enable UNC.
Optionally, click Edit UNC Credentials in order to display a dialog box where you can specify your UNC authentication user credentials. After specifying your credentials, click OK and then click Save.
In the Global Settings - Advanced Options pane, in the Intelligent Engine Management section, using the Engine management drop-down list, select Manual.
In the Update scheduling section, select the engines and then click the Edit Selected Engines button.
In the Edit Selected Engines dialog box, in the Primary update path field, enter the redistribution server's UNC path (\\ServerName\ShareName).
Note
- The use of static IP addresses within the update path is not recommended or supported. Also, the update path cannot end with a backslash (\).
- For redundancy, you may want to configure a second redistribution server. Then you can enter this redistribution server in the Secondary update path field. If updating from the first redistribution server fails, the latest updates can still be retrieved from the second redistribution server. You can also enter the Microsoft download location in the Secondary update path field. Then, if updating by means of the redistribution server fails, the latest updates can still be retrieved from Microsoft by using the Secondary update path.
- If antispam updating is enabled for the receiving server, you must also enter proxy server information. For more information about how to do this, see Configuring and scheduling updates.
Click Apply and Close to return to the Global Settings - Advanced Options pane, and then click Save.
Example: Server Ex1 downloads its updates automatically from the Microsoft HTTP server. Ex1 has FPE installed in the following location:
C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server
You have created a share, called AdminShare, which begins at the Engines folder. Another server, Ex2, receives its updates from Ex1 by using the following primary update path:
\\Ex1\AdminShare
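The Warning in the share-creation step describes inheritance being cleared on the Engines folder after the share is established. The following PowerShell script is an added example, not part of the Microsoft documentation: it checks for that condition on the redistribution server, optionally re-enables inheritance, lists the rules that name Network Service, and confirms that the share begins at the Engines folder. The `$EnginesPath` parameter and the `-Repair` switch are assumptions of this example; `AdminShare` is the share name from the example above.

```powershell
# Added example, not from the FPE documentation. Run elevated on the redistribution server.
param(
    [Parameter(Mandatory = $true)]
    [string]$EnginesPath,                # placeholder: see "Default folders" for the real location
    [string]$ShareName = 'AdminShare',   # share name used in the page's example
    [switch]$Repair                      # hypothetical switch: re-enable inheritance if it is off
)

# Resolve Network Service from its well-known SID (S-1-5-20) so the name
# comparison also works on localized Windows installations.
$sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-20'
$networkService = $sid.Translate([System.Security.Principal.NTAccount]).Value

$acl = Get-Acl -Path $EnginesPath

# AreAccessRulesProtected is $true when "Include inheritable permissions
# from this object's parent" is cleared on the folder.
if ($acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is disabled on '$EnginesPath'; engine updates may fail."
    if ($Repair) {
        # First argument $false turns inheritance back on; the second is ignored in that case.
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $EnginesPath -AclObject $acl
        $acl = Get-Acl -Path $EnginesPath
        Write-Output "Inheritance re-enabled on '$EnginesPath'."
    }
} else {
    Write-Output "Inheritance is enabled on '$EnginesPath'."
}

# List the rules that name Network Service and whether each one is inherited.
$rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $networkService })
if ($rules.Count -eq 0) {
    Write-Output "No rule names $networkService directly; any access it has comes through a group."
} else {
    $rules | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize | Out-String
}

# Confirm the share exists and begins at the Engines folder.
$share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
$resolved = (Resolve-Path -Path $EnginesPath).ProviderPath.TrimEnd('\')
if (-not $share) {
    Write-Warning "Share '$ShareName' was not found on this server."
} elseif ($share.Path.TrimEnd('\') -ne $resolved) {
    Write-Warning "Share '$ShareName' points to '$($share.Path)', not '$resolved'."
} else {
    Write-Output "Share '$ShareName' begins at '$($share.Path)'."
}
```

Run it first without `-Repair` to see the current state; the script only changes the folder ACL when that switch is supplied.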