When attempting to run Rapid Release updates for virus definitions in Symantec Mail Security for Microsoft Exchange (SMSMSE), you notice that the status never changes from "Running" in the SMSMSE console, and the virus definition date never successfully updates.
Rapid Release uses FTP to transfer the virus definition data. Forefront Threat Management Gateway 2010 automatically blocks active FTP connections by default.
To configure Forefront Threat Managment Gateway 2010 to allow Rapid Release definition download:
- Open the "Forefront TMG" console.
- In the navigation tree on the left side, select System.
- On the right pane, select the Application Filters tab.
- Right click the entry "FTP Access" and select Properties.
- Select the FTP Properties tab.
- Check the box for "Allow active FTP access" click Apply then click Ok.
Forefront Threat Management Gateway 2010 is installed in the network.
The final response from the remote FTP server is "502 Active FTP not allowed"
To determine if this condition is met complete the following steps:
NOTE: The steps below are for using Wireshark (www.wireshark.org), however any network capture and analysis tool may be used.
Perform a network trace on the Exchange server while reproducing the RapidRelease update attempt and failure:
1. Download and install Wireshark to the Exchange server in question.
2. After installation completes, open the Wireshark interface.
3. Open the Symantec Mail Security for Microsoft Exchange interface, and select the Admin -> LiveUpdate/RapidRelease Status page
4. In the Wireshark interface select the external network card listed under the Capture -> Interface list section of the home page. This will start the packet capture.
5. In the Symantec Mail Security for Microsoft Exchange interface, click the Run Rapid Release Definitions (via FTP) button under 'Tasks'.
6. Wait at least 15 seconds after clicking the Rapid Release button, and then stop the network capture in Wireshark by going to Capture -> Stop
7. In the "Filter:" field at the top of the Wireshark window enter the following string (without quotes): 'tcp.port == 21'
8. If you see the string "502 Active FTP Not allowed" in the last few lines of the filtered network trace, this condition is met.
Imported Document Id