Forefront Protection for Exchange 2010 (FPE) is unable to get updates from the Cloudmark Antispam Engine

21 Sep

In our Exchange environment we were facing strange issues with Forefront Protection for Exchange (FPE) on the Edge Servers.

Issue Description:

Out of the 7 engines we are unable to get updates on the Cloudmark engine. (See picture)

Two event IDs show up in the Application event log (6019 and 6012):

Log Name:      Application
Source:        GetEngineFiles
Date:          9/9/2011 6:57:20 AM
Event ID:      6019
Task Category: Engine Error
Level:         Error
Keywords:      Classic
Computer:
Description:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
Scan Engine: Cloudmark

Log Name:      Application
Source:        GetEngineFiles
Date:          9/9/2011 6:57:20 AM
Event ID:      6012
Task Category: Engine Error
Level:         Error
Keywords:      Classic
Description:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Cloudmark
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

We have already added the 4 URLs on ports 80 and 443 (cdn-microsupdates.cloudmark, lvc.cloudmark.com, pki.cloudmark.com and tracks.cloudmark.com) to our Cisco firewalls, and the httpsinspection option is disabled on the firewall. One strange thing we are noticing is that the FPE client and the Cloudmark server are resetting the connection, as per the network trace.

Resolution:

When running the two telnet tests, only the one to port 80 is successful. The one to port 443 fails.

telnet cdn-microupdates.cloudmark.com 80
telnet lvc.cloudmark.com 443

The connection errors you are seeing have been seen before and are due to the firewall still having a restriction on the ports. In this case, port 443 is still being blocked, which is preventing the Micro Updates from coming through.

The networking team on our side figured out that the URLs were not getting resolved properly for HTTPS connections, and they decided to add the IP addresses for all the URLs instead of the names, and the problem got fixed.

lvc.cloudmark.com: 208.83.138.34

cdn-microsupdates.cloudmark.com: 93.184.215.73

pki.cloudmark.com: 208.83.136.39

crl.microsoft.com: 207.152.124.49, 205.177.95.229, 198.173.20.88

forefrontdl.microsoft.com: 198.63.194.0/24, 198.173.2.0/24, 207.109.221.0/24, 198.63.196.51, 205.234.218.11, 63.216.54.57, 69.31.106.35, 128.242.191.32, 207.152.124.91, 198.63.203.49, 205.234.225.152, 198.173.20.113, 63.236.252.201, 63.236.252.232, 69.31.102.90, 63.216.54.42, 209.18.42.152, 64.145.91.135, 64.145.91.126, 205.234.218.35
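The two telnet tests above can be run for every Cloudmark host and both ports in one pass, with name resolution and the TCP connect reported separately so it is clear which step fails. This is an added example, not part of the original post; the host names are the ones used in the post, and the function name and the 5-second timeout are assumptions. It uses only .NET classes, so it does not depend on newer PowerShell cmdlets.

```powershell
# Added example: run on the Edge server that hosts FPE.
$updateHosts = 'cdn-microupdates.cloudmark.com', 'lvc.cloudmark.com',
               'pki.cloudmark.com', 'tracks.cloudmark.com'
$ports     = 80, 443
$timeoutMs = 5000   # assumed value, adjust for slow links

function Test-UpdateEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)

    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Address = $null; Status = $null
    }

    # Step 1: name resolution, reported on its own so a DNS problem
    # is not mistaken for a blocked port.
    try { $addrs = [System.Net.Dns]::GetHostAddresses($HostName) }
    catch { $result.Status = 'DNS resolution failed'; return $result }

    $ip = $addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          Select-Object -First 1
    if (-not $ip) { $result.Status = 'No IPv4 address returned'; return $result }
    $result.Address = $ip.IPAddressToString

    # Step 2: TCP connect with a timeout (the equivalent of the telnet test).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Status = 'TCP timeout (dropped or filtered)'
        } else {
            $client.EndConnect($async)   # throws if refused or reset
            $result.Status = 'TCP connect OK'
        }
    } catch {
        $result.Status = 'TCP refused or reset: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

$results = foreach ($name in $updateHosts) {
    foreach ($port in $ports) {
        Test-UpdateEndpoint -HostName $name -Port $port -TimeoutMs $timeoutMs
    }
}
$results | Format-Table Host, Port, Address, Status -AutoSize
```

The Address column shows what the server itself resolves for each name, which is the value to compare against IP-based firewall rules like the ones listed above, since those stop matching if the addresses behind the names change.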

I hope this information will be useful for people troubleshooting FPE issues and will save at least a couple of days' worth of troubleshooting effort.
If you like this post please leave your comments and don’t forget to say thanks.

Best Regards,

Aresh Sarkari

 


One Response to “Forefront Protection for Exchange 2010 (FPE) is unable to get updates from the Cloudmark Antispam Engine”

  1. Hany October 7, 2012 at 5:21 am #

    Very good Aresh, I've exactly the same issue, and I'm letting the servers go through the firewall to any URL or IP address. But I'm still having the same events 6012 and 6019 on any attempt to update Cloudmark. If you have any further help, that would be appreciated.
