Forefront Security for Exchange Server: How to Install in Hyper-V 2008 R2 Virtual Environment
Forefront Security for Exchange Server (FSE) supports the Hyper-V platform. FSE is approved for any hypervisor-based virtualization technology certified under the Microsoft Server Virtualization program.
Verifying system requirements for using FSE in a Hyper-V environment
Before you install FSE, check that your system exceeds the minimum system memory and disk space requirements for Microsoft Exchange Server 2007. You need more than the minimum amount of memory and disk space for Exchange because too little available memory or disk space may impact the ability of Forefront to scan large files.
If both the Exchange and SharePoint products are installed on the same server, only Forefront Security for Exchange can be installed to protect Exchange. You can't install Forefront Security for SharePoint on that same server to protect SharePoint.
Minimum requirements for FSE:
- x64 architecture-based computer with:
  - Intel Xeon or Intel Pentium Family processor that supports Intel Extended Memory 64 Technology (Intel EM64T), or
  - AMD Opteron or AMD Athlon 64 processor that supports the AMD64 platform.
- Server software:
  - Microsoft Windows Server® 2003, Windows Small Business Server 2003, or Microsoft Windows Server 2008
  - Microsoft Exchange Server 2007 (Standard or Enterprise)
- 1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended). With each additional licensed scan engine, more memory is needed per scanning process.
- 2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.
- 1 gigahertz (GHz) Intel processor.
Minimum workstation requirements
- Windows Server 2003, Windows® 2000 Professional, Windows XP, or Windows Vista
- 6 MB of available memory
- 10 MB of available disk space
- Intel processor, or equivalent
About FSE virtualization guidelines
After you have verified that your computer meets the requirements for running Exchange Server in a Hyper-V environment, check that your host computer meets the following guidelines:
- The host computer must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and the host computer should be deployed with only the virtualization role.
- Memory and CPU intensive applications should not be run on the same host computer as the virtual machine.
- File-level antivirus scanning should be disabled on directories hosting the guest virtual hard drives (VHD). If you use a third-party file-level antivirus program on a server containing Forefront Security for Exchange Server, you must ensure that the following program folders are not scanned in order to prevent corruption of FSE:
<Drive:>\Program Files (x86)\Microsoft Forefront Security
(or whatever folder in which you installed FSE)
<Drive:>\Program Files\Microsoft\Exchange Server
The file-level antivirus scan can also cause a conflict when FSE tries to scan e-mail messages.
The following are guidelines for the virtual machine on which FSE will be installed:
- The size of the guest .vhd file must be a fixed value. Predefining the size of the .vhd file ensures that the host computer does not run out of hard drive space.
- For performance reasons, it is recommended that you choose Small Computer System Interface (SCSI) or Internet SCSI-based (iSCSI) storage in order to host the FSE database, preferably separately from the guest operating system.
- File-level antivirus scanning should exclude all necessary Exchange and FSE directories. See the steps above for disabling the file-level antivirus scanning.
- Snapshots in guest virtual machines are strongly discouraged and are not supported.
You may encounter network bottlenecks if you are running more than one virtual machine and the host computer only has a single network card. You should add a second network card and create an additional Virtual Network adapter. Network bottlenecks may also occur if you are running more than one virtual machine and the host computer only has a single hard drive. Ideally, each VHD should be on its own hard drive to prevent slowdowns due to multiple VMs accessing the same physical hard drive.
Tuning performance
Adding FSE increases the resources utilized by your Exchange environment. To ensure that your virtual environment can handle the anticipated load from Exchange and FSE, it is recommended that you measure the performance counters before and after installing FSE.
Based on the differences in the performance data from before and after the FSE installation, you may want to adjust your virtual hardware requirements. This can include allocating more memory, CPU affinity, and improved disk I/O. Memory and CPU utilization are usually the most heavily impacted by FSE.
Optimizing guest and host operating system settings
Because guest and host operating system settings such as video, sound cards, floppy disk drives, and virtual hardware require resources, it is recommended that you configure all nonessential items for "best performance." You may also want to consider disabling or removing any nonessential item that you are not using. This helps optimize the general performance of both the guest and host computers.
About process counts
Be cautious when adjusting the number of processes that run per server for the FSE scan jobs (transport or real-time scan jobs only), as this can quickly deplete memory resources in your virtual machine. For example, the transport process count is set to 4 by default. If all 4 processes are in use, memory utilization is the number of selected scan engines multiplied by the number of transport processes in use, plus the size of the files being scanned. The utilization of the process counts might multiply if Hyper-V is not configured properly.
For example, if you are using the default transport process count of 4, the maximum of 5 scan engines for the transport scan job, and each engine is using 100 megabytes (MB) of memory, then you can estimate the overall memory utilization by using the following computation:
4 (transport processes) x 5 (scan engines) x 100 (MB) + file sizes of scanned attachments = memory utilization
Memory is quickly exhausted if you increase the transport or real-time process counts, add more scan engines, and increase the bias. In most cases, the default number of process counts is adequate; however, you should consult Transport Scan Job and Realtime Scan Job for more information on fine-tuning these settings. Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.
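The following PowerShell sketch is an added example, not part of the original article or of FSE. It ties the "Tuning performance" baseline to the process-count computation above by sampling free memory in the guest and comparing it with the estimate for several process counts. The function names, the candidate process counts, and the 50 MB attachment figure are assumptions made for illustration; the 100 MB per-engine value is the article's example figure, and the counter path assumes an English-language Windows installation.

```powershell
# Added example: estimate FSE transport scan memory and compare it with measured free memory.
function Get-FseTransportMemoryEstimateMB {
    param(
        [int]$ProcessCount = 4,       # article's default transport process count
        [int]$ScanEngines = 5,        # article's maximum engines for the transport scan job
        [double]$EngineMB = 100,      # article's example per-engine memory use
        [double]$AttachmentMB = 0     # combined size of attachments being scanned (assumption)
    )
    # processes x engines x MB per engine + file sizes of scanned attachments
    ($ProcessCount * $ScanEngines * $EngineMB) + $AttachmentMB
}

function Get-AvailableMemoryMB {
    param([int]$Samples = 12, [int]$IntervalSeconds = 5)
    # Take the lowest free-memory reading over the sampling window (worst case).
    Get-Counter -Counter '\Memory\Available MBytes' -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples } |
        Measure-Object -Property CookedValue -Minimum |
        Select-Object -ExpandProperty Minimum
}

function Test-FseProcessCountFit {
    param(
        [double]$AvailableMB,
        [int[]]$ProcessCounts = @(2, 4, 6, 8),  # constructed candidates, not FSE limits
        [int]$ScanEngines = 5,
        [double]$EngineMB = 100,
        [double]$AttachmentMB = 0
    )
    foreach ($count in $ProcessCounts) {
        $needed = Get-FseTransportMemoryEstimateMB -ProcessCount $count `
            -ScanEngines $ScanEngines -EngineMB $EngineMB -AttachmentMB $AttachmentMB
        New-Object PSObject -Property @{
            ProcessCount = $count
            EstimatedMB  = $needed
            HeadroomMB   = $AvailableMB - $needed
            Fits         = ($needed -le $AvailableMB)
        }
    }
}

# Run inside the guest during normal Exchange load, before installing FSE.
$available = Get-AvailableMemoryMB
Test-FseProcessCountFit -AvailableMB $available -AttachmentMB 50 |
    Select-Object ProcessCount, EstimatedMB, HeadroomMB, Fits |
    Format-Table -AutoSize
```

A negative HeadroomMB at the default process count of 4 indicates that the virtual machine needs more memory, fewer scan engines, or a lower process count before FSE is installed.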