Forefront Client Security (FCS) is the protection technology for desktop and server against spyware and antivirus. FCS is centrally managed for both servers and client delivering automated virus protection for organisation. FCS got four different roles such as management, collection, reporting and distribution server. You can combine in a single server or your choice of multiple server. If you already have WSUS in your organisation you can install first three roles in one server and use WSUS as a distribution server. The key features and benefits of FCS are:
- Integrated solution for real-time virus and spyware protection
- Includes advanced malware protection technologies
- Backed by global malware research & response organization
- Define one policy to manage client agent protection settings
- Deploy security software and signatures effectively
- Integrate with your existing infrastructure
- View insightful reports
- Stay informed with state assessment scans and security alerts
- Customize alerts based on incidents and assets
The following are systems requirement you have to meet before you deploy FCS. Install and configure WSUS server before hand for update services. Follow the step by step guide to configure WSUS.
- SQL Server 2005 with SP1 or later, Enterprise or Standard (including Database Services, Integration Services, Reporting Services, and Workstation components)
- .NET Framework 2.0
- GPMC with SP1
- WSUS 3.0 with SP1 or later
- IIS 6.0 and ASP.NET
- MMC 3.0
Client computers are Windows XP, Windows 7, Windows Server 2003, Windows server 2008, vista and windows HPC with windows update services running.
Note: FCS does not support SQL server 2008 and Windows Server 2008 R2.
Installation of FCS:
Insert disk into FCS server or mount FCS ISO if you want virtualize FCS server.
For the shake this article, I am showing all the component in the component selection. However, in practical you have choose right server roles to deploy FCS.
WSUS Deployment: You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update or Microsoft Update.
To Select FCS Client in WSUS:
- In the WSUS console, click Options, Click on Products and Classification
- Click on products Tab, Scroll down and Click on Forefront Client Security
- Click on Apply
- Click on Classifications, Select Critical Updates, Definition Updates, Security Updates, Updates
- Click Apply and OK.
To configure Automatic Updates
- In the Group Policy Object Editor dialog box, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the Setting list, double-click Configure Automatic Updates.
- In the Configure Automatic Updates dialog box, click Enabled, and then click OK.
- In the Setting list, double-click Specify intranet Microsoft update service location.
- In the Specify intranet Microsoft update service location dialog box, click Enabled, enter the client configuration URL in both the Set the intranet update service box and the Set the intranet statistics server box. For example, type http://servername in both boxes, and then click OK. or http://servername:8530
- In the Setting list, double-click Allow Automatic Updates immediate installation.
- In the Allow Automatic Updates immediate installation Properties dialog box, click Enabled, and then click OK.
To approve the client components in WSUS
- In the WSUS console, click Options, and then click Synchronization Options.
- On the Synchronization Options page, under Update Classifications, click Change and verify that the following check boxes are selected: Critical Updates, Definition Updates, and Updates.Click OK.
- In the console, click the Updates icon.
- Select the most recent Client Update for Microsoft Forefront Client Security, and then under Update Tasks, click Approve for installation. In the Approve Updates dialog box, click OK.
- In the End User License Agreement dialog box, click I Accept.
To create a policy
- In the Client Security console, click the Policy Management tab.
- On the Policy Management tab, click New.
- In the New Policy dialog box, enter the settings you want for this policy.
- After you finish creating the policy, click OK.
To deploy a policy
- In the Client Security console, click the Policy Management tab, and then click the policy you want to deploy.
- Click Deploy.
In the Deploy dialog box, select the targets to which you want to deploy the policy. You can add multiple targets to deploy the policy.
- Click Add OU/GPO/Group. The Active Directory dialog box appears and lists the top-level OUs.
- Under Select a target, find an OU to which you want to deploy the policy and select it. If you want to deploy a policy to all of the managed computers in a domain, you can select the domain instead of an OU.
- Click OK.
- Click Deploy. Client Security deploys the policy to the targets you selected.
If you deployed the policy to an OU and you want the policy to take effect immediately, you can run the gpudate /force command on each client computer in the OU or restart each client computer. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.
To approve clients manually through the MOM server:
- On the Client Security management server, click Start, click All Programs, click Microsoft Operations Manager, and then click Administrator Console.
- In the MOM 2005 Administrator Console, under Console Root, expand Administration, expand Computers, and then click Pending Action.
- In the Pending Action list, right-click the client computer, and then click Approve Manual Agent Installation Now. If you do not see the client in the Pending Action list, wait a few minutes, and then on the Action menu, click Refresh.
- In the Microsoft Operations Manager dialog box, click Yes to confirm approval. The client computer will disappear from the Pending Action list.
Note: During the installation of FCS, a basic version of MOM install in FCS management server.