What server roles should have Symantec Mail Security for Microsoft Exchange installed in an Exchange 2007 / 2010 environment?

Article:TECH167370  |  Created: 2011-08-17  |  Updated: 2014-06-06  |  Article URL http://www.symantec.com/docs/TECH167370
Article Type
Technical Solution


Issue



 When installing Symantec Mail Security for Microsoft Exchange (SMSMSE) in an Exchange 2007 / 2010 environment with several server roles, which servers should have SMSMSE installed on them? 


Solution



If you are installing SMSMSE on an Exchange 2007 server or an Exchange 2010 server, install the product on all of the following server roles in your organization: 

  • Edge Transport servers, if available
  • Hub Transport servers
  • Mailbox servers

SMSMSE uses technology to ensure email is scanned only once.  If an email is scanned at an Edge server coming into the organization, it will not be scanned again at the Mailbox server.  

It may seem redundant to install SMSMSE on a Mailbox server if the Edge and Hub servers have SMSMSE installed and virus detection is installed on all servers and desktop computers. However, it is always recommended to have layered, redundant technologies to scan for threats. Here are several examples where having SMSMSE installed on a Mailbox server may be helpful:

  • An Exchange server had about 80,000 copies of the same virus in one of its public folders. Every time replication kicked off from the public folder server, all 80,000 copies of the virus passed through the Hub server on the way to the other public folder servers, and SMSMSE saw 80,000 detections. Users could access those files directly within that public folder store, and all it takes is a single unprotected client accessing those files to potentially start a very bad chain reaction. If SMSMSE had been installed on that Mailbox server, cleanup would have been easy.
  • Another Exchange server was under a polymorphic mass-mailer attack. Polymorphic viruses change constantly to avoid signature-based detection. Even while running rapid release definition updates as often as possible, some of the variants were slipping through the Hub server because they were too new for SMSMSE to have a definition. Once a variant has slipped past the Hub server, if SMSMSE is not installed on the Mailbox server, there is no option to remove the file from the information store except to manually identify and delete the viral messages. In this case, SMSMSE was installed on the Mailbox servers and a constant background scan was run with rapid release definitions until the attack ceased.
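
To check an existing organization against the role list above, the following PowerShell sketch inventories Exchange servers by role and reports whether an SMSMSE service is present on each. It is an added example, not Symantec's own tooling. It assumes it is run in the Exchange Management Shell and that the SMSMSE service's display name begins with the product name; the variable `$ServiceDisplayPattern` is a hypothetical setting to adjust after confirming the real service name on a protected server.

```powershell
# Added example: audit SMSMSE coverage on the roles the article lists
# (Edge Transport, Hub Transport, Mailbox). Run in the Exchange Management Shell.
# ASSUMPTION: the service display name starts with the product name; verify it
# on a server where SMSMSE is known to be installed and adjust the pattern.
$ServiceDisplayPattern = 'Symantec Mail Security*'

$results = foreach ($server in Get-ExchangeServer) {
    # Collect only the roles that should carry SMSMSE.
    $roles = @()
    if ($server.IsEdgeServer)         { $roles += 'Edge' }
    if ($server.IsHubTransportServer) { $roles += 'Hub' }
    if ($server.IsMailboxServer)      { $roles += 'Mailbox' }
    if ($roles.Count -eq 0) { continue }   # e.g. Client Access only

    $status = 'NotInstalled'
    try {
        # A wildcard that matches nothing returns no object and no error;
        # an unreachable host raises an error and lands in the catch block.
        $svc = Get-Service -ComputerName $server.Name `
                           -DisplayName $ServiceDisplayPattern -ErrorAction Stop
        if ($svc) { $status = ($svc | Select-Object -First 1).Status.ToString() }
    } catch {
        # Servers that cannot be queried remotely need a local check.
        $status = 'QueryFailed'
    }

    New-Object PSObject -Property @{
        Server = $server.Name
        Roles  = ($roles -join ',')
        SMSMSE = $status
    }
}

# Anything other than 'Running' is a gap in the layered coverage described above.
$results | Sort-Object Server | Format-Table Server, Roles, SMSMSE -AutoSize
```

A Mailbox server reported as `NotInstalled` is the situation both examples above describe: threats already in the information store on that server have no scanner positioned to remove them.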


