Managing Forefront Client Security using MOM Technology Chris Sfanos Program Manager Forefront Client Security Microsoft Session Code: SW17

Post on 21-Dec-2015


Managing Forefront Client Security using MOM Technology
Chris Sfanos
Program Manager
Forefront Client Security
Microsoft

Session Code: SW17

Session Takeaways and Objectives

Objectives for today’s talk:
• Understand how MOM 2005/SP1 integrates into FCS server management
• Understand how to leverage MOM 2005/SP1 for
  • migration to FCS
  • important FCS management tasks

Key Takeaway: MOM is a key infrastructure component for FCS

Agenda
• Introduction to the Forefront Client Security (FCS) architecture
• Key MOM integration points in the FCS system
• Using MOM to assist in migrating your current AV solution to FCS
• Using MOM for essential day to day management tasks in FCS
• Q&A

FCS Architecture

Key Integration Points
Components of FCS

MOM 2005/SP1 and MOM Reporting
• Both ship as part of the FCS v1 package
• FCS “Collection” role: MOM 2005/SP1
• FCS “Reporting” role: MOM Reporting

Architecture
• Event gathering and Alert generation
• MOM 2005 agent on all client machines

Reporting
• MOM 2005 Reporting / SQL Reporting services provide rich, detailed system reports
• SystemCenterReporting is the historical reporting DB for FCS

Key Integration Points
Functionality

• FCS Security Management pack defines which security events to gather
• On-demand scans are implemented as MOM tasks
• Alert management via the MOM Operations console
• MOM scripts to provide:
  • Flood Detection: Is a computer flooding the MOM server with too many events?
  • Auto Approval: Auto approve new machines in Pending Actions
  • Numerous others

Important Points

Existing MOM installations (Server)
• You cannot use an existing OnePoint or SystemCenterReporting database for FCS
• FCS includes a full version of MOM 2005 (licensed only for use with FCS)
• Performance and Scalability drove this requirement in v1

MOM agents
• FCS supports clients that are multi-homed to an existing MOM server and to the FCS Server
• FCS supports MOM 2005 agent with a SCOM 2007 Agent

Migration
Using MOM to migrate to FCS

Goals of the migration
• Client machines are always protected
• Clear insight into the state of the migration
• Leverage the MOM server component of FCS to help manage the transition

Migration
Using MOM to migrate to FCS

Overview of the process
• Step 1: Deploy your FCS Server infrastructure
• Step 2: Deploy the MOM agent to all your managed computers
• Step 3: Determine which version(s) of your current AV software are installed
• Step 4: Group machines by version and begin systematic uninstalls
• Step 5: Deploy the FCS client via a MOM task

Migration
Step 1: Deploy your FCS Servers

• This migration to FCS will use the MOM server infrastructure to help identify the status of your existing clients and bootstrap the deployment of FCS
• For today, we will detail the migration for this new FCS customer:
  • Name: XYZ Enterprises
  • Managed Desktops: 8,000
  • Current AV solution: eTrust version 7.1

Migration
Step 1: Deploy your FCS Servers

Recommended FCS Server topology for XYZ Enterprises
• All FCS roles on separate servers
• SQL DBs are “off-box” on a back-end SQL server
• “5 Server topology”

Migration
Step 2: Deploy the MOM Agent

After successfully deploying the FCS Server infrastructure, we deploy the MOM agent via Group Policy
• An MSI transform is created with the necessary install properties and then deployed to all client machines that you plan to manage with FCS
• Deployment of the MOM agent allows us to gather critical data on the status of our existing AV install and bootstrap the installation of FCS

Migration
Step 2: Deploy the MOM Agent

• Two properties need to be configured
  • Config Group
    • Ex: ForefrontClientSecurity
  • Management Server
    • Ex: FCSCollectionServer

Migration
Step 3: Determine current AV version

Create a Computer Attribute for your existing AV version

Migration
Step 3: Determine current AV version

Create a Computer Group for clients with that attribute

Migration
Step 4: Group machines for uninstall

Identify those machines via the newly created Computer group

Migration
Step 4: Group machines for uninstall

Run a MOM task to uninstall

Migration
Step 5: Deploy FCS via a MOM task

Run a MOM task to install FCS

Migration
Alternate options during the migration

• Using MOM to deploy the agents
• Placing the uninstall script as a logoff script and the FCS install script as a machine startup script
• Using FCS Policy and MU/WSUS to distribute the FCS client
  • FCS will publish the client installer as a package on MU (which can only be downloaded to WSUS)
  • Clients that have an FCS policy deployed will allow the client to be installed automatically from WSUS

FCS System Management
Using MOM for day-to-day tasks

MOM is used for the following tasks:
• Alert Management
• Client Monitoring/Troubleshooting
• Client/Policy Deployment
• Administrator notification

FCS System Management
Alert Management

Recommendation: Create Alert Views for high-priority items

FCS System Management
Alert Management

Recommendation: Create additional Resolution states

FCS System Management
Client Troubleshooting

Recommendation: Create MOM tasks to gather logs and run the FCS log gathering utility

FCS System Management
Client Troubleshooting

Recommendation: Create a MOM task to distribute exported FCS policies

FCS System Management
Client Troubleshooting

Recommendation: Create notification groups for key FCS alerts

Q&A
Didn’t get your question answered today?
Thought of something later?

Send me email!

[email protected]

Please Complete An Evaluation Form
Your input is important!

Two ways to access online evaluation forms
• CommNet and evaluation stations located throughout the San Diego Convention Center
• From any wired or wireless connection to http://mms2007.com

Be eligible to win fun daily prizes – t-shirts, wireless mice, portable hard drives!

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
