Thursday, October 6, 2011

Integrate Forefront Endpoint Protection (FEP) 2010 with ConfigMgr

With System Center Configuration Manager (ConfigMgr) it's possible to install and use Forefront Endpoint Protection (FEP) 2010 also. Both products can be integrated so ConfigMgr will also handle Forefront Antivirus and Definition updates. In this blog I will describe the installation of Forefront and configuring policies.

Before FEP 2010 can be installed some prerequisites are needed on the ConfigMgr server. These are:
When installing choose the following options:
  • Select "FEP 2010 Update Rollup 1"
  • Welcome to FEP 2010 Server Setup Wizard: Fill in name and organization
  • MS Software License Terms: "I accept the software license terms"
Based on type of installation there's the choice between Basic topology (with remote reporting database), Advanced topology & ConfigMgr console extension.

  • Installation Options: Advanced topology (Select All)
  • FEP 2010 Server Database Configuration: FEPDB_<sitecode>
  • Reporting Configuration: MS FEP 2010 Reporting Database settings: FEPDW_<sitecode>
  • Reporting Configuration: SQL Reporting Services execution account (domain user account)
  • Updates and Customer Experience Options (enable/disable)
  • Microsoft SpyNet Policy Configuration (enable/disable)
  • Specifify Installation Location
  • Prerequisites Verification: All verifications passed
  • Setup Summary and Complete
After that an Forefront Endpoint Protection pane is visible in the ConfigMgr console.

The following functionality is added in the ConfigMgr console now: 
  • Collections > FEP Collections
    • Definition Status
    • Deployment Status
    • Operations
    • Policy Distribution Status
    • Protection Status
    • Security Status
  • Software Distribution > Packages
    • FEP – Deployment
    • FEP – Operations
    • FEP – Policies
  • Software Distribution > Advertisements
    • FEP Operations
    • FEP Policies
  • Software Updates > Update Repository
    • Definition Updates > Microsoft > FEP 2010
  • Reporting > Reports/Reporting Services
    • FEP: FEP information for a specific computer
    • FEP – Deployment: Computers with a specific deployment state
    • FEP – Deployment: Deployment for a specific collection
    • FEP – Deployment: Deployment Overview
    • FEP – Policy: Policy Distribution for a specific collection
    • FEP – Policy: Computers with a specific policy distribution state
    • FEP – Policy: Policy Distribution Overview
  • Desired Configuration Management
    • Configuration Baselines
    • Configuration Items
  • Forefront Endpoint Protection node
    • Policies > Default Server Policy
    • Policies > Default Desktop Policy
    • Alerts > Malware Detection Alerts
    • Alerts > Malware Outbreak Alert
    • Alerts > Repeated Malware Detection Alerts
    • Alerts > Multiple Malware Detection Alerts
    • Reports > Antimalware Activity Report
    • Reports > Antimalware Protection Summary Report
    • Reports > Computer List Reports

Microsoft Forefront Endpoint Protection 2010 Update Rollup 1 includes the Definition Update Automation tool. This tool enables you to use System Center Configuration Manager 2007 software update points to distribute FEP definition updates to your client computers.

To configure your environment to use the Definition Update Automation tool, you must first download the tool (fepsuasetup.cab) and copy it to the appropriate location on your Configuration Manager site server. It can be download here: http://technet.microsoft.com/en-us/library/hh297450.aspx

There are also Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools available. These free downloads make it easier for Forefront Endpoint Protection 2010 Update Rollup 1 customers to use Group Policy for centralized management, provide optimized settings for various server roles, and diagnose and troubleshoot support issues. They can be download here: http://www.microsoft.com/download/en/details.aspx?id=26613

As you can see many new functionality comes available in ConfigMgr. Now it's time to configure policies and create update packages. More about that in the next blogpost.

No comments:

Post a Comment