Forefront Server Security TechCenter >
Forefront Server Security Forums
>
Forefront Security for Exchange Server
>
On which roles of Exchange 2010 do I need to install Forefront Security 2010 for Exchange
On which roles of Exchange 2010 do I need to install Forefront Security 2010 for Exchange
- Hi everyone, I have two Edge servers, two hub/client servers (cas-array with NLB) and two mailbox servers.
Do I have to install Forefront on the six servers?
Thanks a lot,
Ivan
Answers
- Hi Ivan,
it depends on how much security you want :-)
You can install FSE on every server that has the roles Edge, Hub transport or mailbox. If you want a high security design you can scan the emails on the edge server with 4 scan engines and on hub transport with 4 different.
You should always install FSE on the mailbox servers due to mobile access, eg OWA, Outlook Anywhere, whicht doesn't go over SMTP and so no edge or hub transport can detect the virus.
Greetings
Christian
Christian Groebner MVP Forefront- Marked As Answer byivan mckenzie Tuesday, October 13, 2009 7:21 PM
All Replies
- Hi Ivan,
it depends on how much security you want :-)
You can install FSE on every server that has the roles Edge, Hub transport or mailbox. If you want a high security design you can scan the emails on the edge server with 4 scan engines and on hub transport with 4 different.
You should always install FSE on the mailbox servers due to mobile access, eg OWA, Outlook Anywhere, whicht doesn't go over SMTP and so no edge or hub transport can detect the virus.
Greetings
Christian
Christian Groebner MVP Forefront- Marked As Answer byivan mckenzie Tuesday, October 13, 2009 7:21 PM
- Thanks for your quick replay.
Ivan - Great advice from Christian.
In addition, bear in mind that FSE is designed to do the majority of internal and outbound mail scanning at the Hub level. If you only install FSE on mailbox servers, you will be putting a high load on those servers, as regards scanning.
Where FSE is installed on Hub and Mailbox servers, load is taken off the mailbox servers, as most scanning will be done at the Hub level (even for local deliveries). This is therefore my own bare-minimum recommendation. Then add FSE on the Edge servers too, if you have them...but this is the optional part, IMHO.
Kind Regards, Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security) - Best practice would be to install Forefront on all your Edge, Hub, and MB servers. When installed on the Hub and Edge, most scanning will be done at the transport, keeping the load on your MB server low. But if you want to run On-Demand or Scheduled background scans, you will need Forefront installed on your MB servers as well.
