- Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration - Wed, Jun 29 2011
- Forefront Endpoint Protection 2012 –Part 1: Installation on Configuration Manager 2012 - Wed, Jun 22 2011
- iPad for business? The consumerisation of enterprise - Fri, Nov 19 2010
With the move away from Forefront Client Security to Forefront Endpoint Protection, Microsoft did away with the MOM backend and instead made use of the infrastructure available to System Center Configuration Manager to install, manage and deploy FEP.
In spite of the similarities of the underlying infrastructure between SCCM 2007 and SCCM 2012, FEP 2010 does not integrate with SCCM 2012 because one of the installation prerequisites is the presence of the SCCM 2007 administrative console. From discussions with product experts within Microsoft, it seems that FEP 2010 will not be updated to install on SCCM 2012, so FEP 2012 (which is in beta at the time of writing) will be the first enterprise AV product from Microsoft which will integrate fully with SCCM 2012.
Installing Forefront Endpoint Protection 2012
Forefront Endpoint Protection 2012 is currently in beta and can be downloaded directly from Microsoft.
To install FEP 2012, you’ll need to have SCCM 2012 installed and configured. In addition, the SQL server which is acting as the SCCM site database server must also have installed/enabled:
- .NET Framework 4.0 on both the SCCM and SQL servers
- Microsoft IIS (default role properties)
- Microsoft SQL Analysis services
- Microsoft SQL Reporting services
- Reporting services point site system role installed on the SQL server via the SCCM 2012 console
Additionally, the IIS server needs an appropriate certificate to run SSL on port 443, so that the reporting services URL and the SQL TCP connection can be secured.
This installation was run in a lab environment running on Hyper-V.
From the SCCM server, run the serversetup.exe from the folder which relates to the appropriate operating system type (ie: 32-bit or 64-bit), then fill in the identification information:
Forefront Endpoint Protection 2012 Installation – Name and Organization
Then, be incredibly conscientious and read the EULA (or not):
Forefront Endpoint Protection 2012 Installation – EULA
Next, choose the installation type. The “Basic topology” option installs everything you’ll need for a full FEP environment, including server and console extensions as well as reporting services and reports. Additionally, this installation makes use of the existing SCCM environment to target the right servers (eg: SQL server). There may be times when you would want to target different SQL servers or perform a fully customised installation, but for our lab purposes the “Basic topology” option is sufficient.
Forefront Endpoint Protection 2012 – Installation Options
Next, make sure that the SQL Reporting Server URL is correct, and select an account with sufficient access to run reports. In the lab environment I used a domain admin account which isn’t recommended in an enterprise environment.
Caption: FEP 2012 Installation – SQL report execution account
It’s worth ensuring that the system is using Windows Update to automatically keep FEP 2012 up-to-date (the FEP 2012 client will also be installed on the system as part of the installation) and joining the Customer Experience Improvement Program (CEIP) is always worth it – Microsoft does actually receive the information and uses the metrics to improve current and future products.
Forefront Endpoint Protection Installation - Updates and Customer Experience Options
For the same reason, it’s worth signing up to Microsoft SpyNet:
Forefront Endpoint Protection Installation - SpyNet Configuration Policy
Before commencing the installation, serversetup.exe will run through all the prerequisites and verify that the environment is correct. If any check fails, the issue as well as the documented fix will be displayed in the console. At this point you can remediate the issue and simply re-run the checker – you don’t need to start the installation process over again.
Forefront Endpoint Protection Installation - Prerequisite Verification
Once all the prerequisites are met, installation starts.
Forefront Endpoint Protection Installation - Installation
Once complete, you’ll now have FEP 2012 functionality integrated into the SCCM 2012 console. In the Monitoring → FEP Status screen you get an overview of the health of your organization, in Reporting there is now a Forefront Endpoint Protection folder with pre-defined reports, and in Software Library the FEP 2012 client is available for deployment.
Forefront Endpoint Protection Installation- Configuration Manager Integration
In Part Two we will look at deploying the FEP client, enforcing compliance in your organization and reporting on the health of your workstations.