Install and configure Forefront Client Security Step by Step part I

Forefront Client Security (FCS) is a protection technology for desktops and servers against spyware and viruses. FCS is centrally managed for both servers and clients, delivering automated virus protection for the organisation. FCS has four server roles: management, collection, reporting and distribution. You can combine them on a single server or spread them across multiple servers of your choice. If you already have WSUS in your organisation, you can install the first three roles on one server and use WSUS as the distribution server. The key features and benefits of FCS are:

  • Integrated solution for real-time virus and spyware protection
  • Includes advanced malware protection technologies
  • Backed by global malware research & response organization
  • Define one policy to manage client agent protection settings
  • Deploy security software and signatures effectively
  • Integrate with your existing infrastructure
  • View insightful reports
  • Stay informed with state assessment scans and security alerts
  • Customize alerts based on incidents and assets

The following are the system requirements you have to meet before you deploy FCS. Install and configure the WSUS server beforehand for update services. Follow the step-by-step guide to configure WSUS.

  • SQL Server 2005 with SP1 or later, Enterprise or Standard (including Database Services, Integration Services, Reporting Services, and Workstation components)
  • .NET Framework 2.0
  • GPMC with SP1
  • WSUS 3.0 with SP1 or later
  • IIS 6.0 and ASP.NET
  • MMC 3.0

Client computers are Windows XP, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista and Windows HPC, with the Windows Update service running.

Note: FCS does not support SQL Server 2008 or Windows Server 2008 R2.

Installation of FCS:

Insert the disk into the FCS server, or mount the FCS ISO if you want to virtualize the FCS server.

For the sake of this article, I am showing all the components in the component selection. In practice, however, you have to choose the right server roles to deploy FCS.

WSUS Deployment:  You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update or Microsoft Update.

To Select FCS Client in WSUS:

  1. In the WSUS console, click Options, then click Products and Classifications.
  2. Click the Products tab, scroll down and select Forefront Client Security.
  3. Click Apply.
  4. Click Classifications, then select Critical Updates, Definition Updates, Security Updates and Updates.
  5. Click Apply and then OK.

To configure Automatic Updates

  1. In the Group Policy Object Editor dialog box, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the Setting list, double-click Configure Automatic Updates.
  3. In the Configure Automatic Updates dialog box, click Enabled, and then click OK.
  4. In the Setting list, double-click Specify intranet Microsoft update service location.
  5. In the Specify intranet Microsoft update service location dialog box, click Enabled, then enter the client configuration URL in both the Set the intranet update service box and the Set the intranet statistics server box. For example, type http://servername (or http://servername:8530) in both boxes, and then click OK.
  6. In the Setting list, double-click Allow Automatic Updates immediate installation.
  7. In the Allow Automatic Updates immediate installation Properties dialog box, click Enabled, and then click OK.
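
Once Group Policy has refreshed on a client, the three settings above can be confirmed from the registry. The script below is an added example, not part of the original article: the URL in $ExpectedUrl is a placeholder for your own WSUS address, and the value names are the ones the Windows Update policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example (not from the original article): read-only check, run on a client,
# that the WSUS Group Policy settings configured above have been applied.
$ExpectedUrl = 'http://servername:8530'   # assumption: placeholder, use your WSUS URL

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy did not apply.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Policy setting -> registry value it writes -> value expected after the steps above.
$checks = @(
    @{ Setting = 'Intranet update service';     Path = $wuKey; Name = 'WUServer';                Expected = $ExpectedUrl },
    @{ Setting = 'Intranet statistics server';  Path = $wuKey; Name = 'WUStatusServer';          Expected = $ExpectedUrl },
    @{ Setting = 'Use the intranet server';     Path = $auKey; Name = 'UseWUServer';             Expected = 1 },
    @{ Setting = 'Configure Automatic Updates'; Path = $auKey; Name = 'NoAutoUpdate';            Expected = 0 },
    @{ Setting = 'Immediate installation';      Path = $auKey; Name = 'AutoInstallMinorUpdates'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    # Compare as strings and ignore a trailing slash on the URL values.
    $ok = ($null -ne $actual) -and ("$actual".TrimEnd('/') -eq "$($c.Expected)".TrimEnd('/'))
    New-Object PSObject -Property @{
        Setting = $c.Setting; RegValue = $c.Name; Expected = $c.Expected; Actual = $actual; Ok = $ok
    }
}

# Clients also need the Windows Update (Automatic Updates) service running.
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$results = @($results) + (New-Object PSObject -Property @{
    Setting  = 'Windows Update service'; RegValue = 'wuauserv (service)'; Expected = 'Running'
    Actual   = $(if ($svc) { "$($svc.Status)" } else { 'not found' })
    Ok       = ($svc -and $svc.Status -eq 'Running')
})

$results | Select-Object Setting, RegValue, Expected, Actual, Ok | Format-Table -AutoSize
```

Any row with Ok = False and an empty Actual column means the GPO has not reached that client yet; run gpupdate /force or wait for the next policy refresh and check again.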

To approve the client components in WSUS

  1. In the WSUS console, click Options, and then click Synchronization Options.
  2. On the Synchronization Options page, under Update Classifications, click Change and verify that the following check boxes are selected: Critical Updates, Definition Updates, and Updates. Click OK.
  3. In the console, click the Updates icon.
  4. Select the most recent Client Update for Microsoft Forefront Client Security, and then under Update Tasks, click Approve for installation. In the Approve Updates dialog box, click OK.
  5. In the End User License Agreement dialog box, click I Accept.


FCS Administration:

To create a policy

  1. In the Client Security console, click the Policy Management tab.
  2. On the Policy Management tab, click New.
  3. In the New Policy dialog box, enter the settings you want for this policy.
  4. After you finish creating the policy, click OK.

To deploy a policy

  1. In the Client Security console, click the Policy Management tab, and then click the policy you want to deploy.
  2. Click Deploy.

In the Deploy dialog box, select the targets to which you want to deploy the policy. You can add multiple targets to deploy the policy.

  1. Click Add OU/GPO/Group. The Active Directory dialog box appears and lists the top-level OUs.
  2. Under Select a target, find an OU to which you want to deploy the policy and select it. If you want to deploy a policy to all of the managed computers in a domain, you can select the domain instead of an OU.
  3. Click OK.
  4. Click Deploy. Client Security deploys the policy to the targets you selected.
  5. If you deployed the policy to an OU and you want the policy to take effect immediately, you can run the gpupdate /force command on each client computer in the OU or restart each client computer. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.

To approve clients manually through the MOM server:

  1. On the Client Security management server, click Start, click All Programs, click Microsoft Operations Manager, and then click Administrator Console.
  2. In the MOM 2005 Administrator Console, under Console Root, expand Administration, expand Computers, and then click Pending Action.
  3. In the Pending Action list, right-click the client computer, and then click Approve Manual Agent Installation Now. If you do not see the client in the Pending Action list, wait a few minutes, and then on the Action menu, click Refresh.
  4. In the Microsoft Operations Manager dialog box, click Yes to confirm approval. The client computer will disappear from the Pending Action list.

Note: During the installation of FCS, a basic version of MOM is installed on the FCS management server.

Relevant Articles:

How to install SQL Server 2005 Reporting Services on a Windows Vista-based computer

Install and configure WSUS 3.0 SP2 – Step-By-Step

Forefront Endpoint Protection

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.