Forefront... Defender's Big Daddy!
by, 9th April 2009 at 08:16 PM (3631 Views)
I said in my last blog about us deploying Forefront over Easter, and its all pretty much done... ahead of schedule!
Before I get into it, a bit of blurb about what it is...
Snazzy then!! On into deploying it... and a few gotchas particularly if you plan to use Server 2008 (and why wouldnt you now anyway!!). For the time being, forget x64 until Stirling (aka Forefront v2) - getting all the pre-requisites sorted for this is a real pain and for the time being x86 will do just fine.What is ForeFront Client Security (FCS) then? This is a client/server solution that helps scan and remove malware (virus, spyware, rootkit, Trojan...) in client and server operating systems. This is a new product from Microsoft. It uses WSUS 3.0 for distributing i installation and definitions. All agent policy can be managed remotely using AD Group Policy.
Getting started - but before you even think about installing...
:: Install MS .NET Framework 1.1 with SP1
:: Install MS .NET Framework 3 via Server Manager
:: Install IIS and ASP.NET via Server Manager
[Install the following role services: Static Content, Default Document, HTTP Redirection, Directory Browsing, ASP.NET, ISAPI Extension, ISAPI Filters, Windows Authentication, IIS Metabase, IIS 6 WMI]
:: Install SQL Server 2005 with SP2
[Install the following components: Database Services, Reporting Services, Integration Services, and Workstation components]
:: Verify and record the reporting server URL (you will need that later)
:: Install GPMC with SP1 via Server Manager
:: Install, configure, and synchronize Windows Server Update Services (WSUS) with SP1
[In particular, make sure you have configured the following: Synchronize Product: Forefront Client Security, Synchronize Classification: Definition Updates, Create an auto-approval rule for Definition Updates]
:: Add the Client Security server site to the Local intranet zone
Now you can install...
:: Run the Server Setup wizard for the media
:: Dismiss the Program Compatibility Assistant dialog box
:: On the Component Installation page, select all the check boxes
In the Setup wizard, you will provide server names, SQL Server instances, and service accounts you have already set up. In addition, you must specify the following:
Size of the databases - make sure the size does not exceed the space on your server.
Management group name - use the default value (ForefrontClientSecurity). Record the name that you enter, because you will need to provide it when configuring Client Security group policies...
Options here... use the built in WSUS deployment - YES it pushes the main install too!!
Alternatively, if you really want you can push it via Group Policy software install. You have 4 packages to push though - and you will need to edit the MOMAgent.msi to include details for your setup.
We went with WSUS deployment - which you configure via the FCS Console on the server. Open it up and go to the Policies tab. Either edit the default one, or create a new one. Configure all you settings (fairly self explainatory really), and then done. Select your policy and either deploy to OU (which will create a new GPO to control the OU), or add to an existing OU. We created new one - so I could see what all the settings were.
Simple - takes little or no time. You will have to have set up a GPO to deal with Windows Update already tho to auto install updates.
On MS Schools: around £1 per machine!! Peanuts compared to other products and you have MS support!
Questions, ideas and comments welcome as always...
Total Trackbacks 0