Planning Forefront Client Security
To deploy Forefront Client Security (FCS) in a managed environment, you need to consider a number of issues. The information below includes a number of links to the Microsoft TechNet site. ITS recommends using the low-bandwidth view for easier navigation.
Considerations for converting from SAV to FCS
Hardware requirements may be different. See Database sizing and server topology (below) for more information.
The level of client management that you have in your environment will affect how you configure FCS.
Minimally managed, using WSUS to deploy software.
Highly managed, using WSUS to deploy software, plus a configuration management, tool, such as SCCM or LanDESK. See information from ITS lab testing of the FCS server integrated with an existing WSUS and SCCM architecture.
Uninstalling Symantec software from managed computers is not easy to do without moving the machines into an unmanaged state. Symantec may have tools that can help. With the expiration of the campus Symantec license, ITS is no longer distributing the Cleanwipe utility.
What is Forefront Client Security?
FCS consists of the client software, which in a managed environment is deployed to the client computers from a central location and provides anti-virus and anti-malware protection; and the management server roles:
Management Server Role provides a dashboard view of all the clients.
Collection Server Role accummulates data on errors and other information reported back from the clients.
Reporting Server Role allows administrators to view reports on clients and events in the managed environment.
Distribution Server Role provides updates for the anti-virus/malware engine as well as anti-virus and anti-malware definitions, via Windows Software Update Service (WSUS). Existing WSUS servers can and will be used in the UT environment.
The Reporting and Collection server roles have SQL Server database components. ITS strongly recommends using SQL Server 2005 Enterprise edition.
In addition to integrating with the WSUS, you can also use SCCM or another configuration management tool, such as LanDESK, to manage FCS clients at a greater level of detail.
Database sizing and server topology
Although you can install each FCS component on a separate server, ITS is recommending a one- or two-server topology for most campus groups. See more about FCS server topology on the Microsoft Technet site.
Database sizing
You will size your databases based on the number of client systems being managed and the amount of data that needs to be retained for auditing purposes. The Minimum Security Standard for Systems requires 14 days of security logs to be retained. You may want to review the entire standard as it pertains to anti-virus requirements and system setup.
Please review the following two articles on database sizing on the Microsoft TechNet site.
Note that SQL Server default location needs 100 gigabytes (GB) of space to accommodate the FCS database installation.
Installing Forefront Client Security
Before you install FCS or deploy it to client computers, be sure to perform the steps outlined in this TechNet article on Preparing to Install Client Security.
Follow these installation steps in the order specified for the following server topologies:
You can also review this blog post about installing a one-server topology.
Deploying Client Security
How to deploy Client Security to your client computers using Automatic Updates and WSUS (your distribution server).
If you are using SCCM for configuration management, you may want to consult the following articles:
Deploying Forefront client agents using System Center Configuration Manager (SCCM)
Deploying Forefront Client Security Using SCCM 2007 - Step-By-Step
Last updated September 14, 2011 @ 11:06 am
