A Forefront Security for Exchange Server (FSE) user asked us a question recently about using the Forefront Server Security Management Console (FSSMC) to manage clustered Exchange servers. He was confused by our guidance that says the FSSMC can be used to manage clustered servers, but it cannot be installed on a clustered server.
So, I wanted to provide some clarification about using the FSSMC with clustered Exchange servers. Here are the important points:
1. FSSMC can be used to manage clustered servers.
2. The FSSMC deployment agent should be installed on all physical nodes of the cluster so that on failover it will be there to service FSSMC requests. FSSMC is aware of which nodes are active and which are passive and only the active node(s) will service requests (i.e. signature updates, configuration updates, etc.), but all nodes have jobs configured for them. If the node is passive, the configured job does not run.
3. The FSSMC manages the physical nodes of a cluster and not the virtual nodes.
4. The FSSMC cannot be INSTALLED on a clustered server. In other words, the management console cannot be installed on and run from a clustered server. Administrators need to install the FSSMC on a computer in their network that is not part of a cluster.
For example, in a Single Copy Cluster (SCC), only the active node is updated by the FSSMC because it is the only one that has the shared drive with the engine signatures and config/fdb files. For more information on using Forefront Security for Exchange Server in clustered Exchange environments, please refer to the Cluster Install Guide (http://technet.microsoft.com/en-us/library/bb892168.aspx) in the TechNet library.
For more information about using the FSSMC, please refer to the FSSMC documentation on TechNet at: http://technet.microsoft.com/en-us/library/bb974251.aspx