Chapter 1: Integration Kit Requirements
Published: May 15, 2008
This chapter is designed to help administrators plan to deploy the Microsoft® Forefront™ Integration Kit for Network Access Protection. Requirements for the Integration Kit include Forefront Client Security and a functioning NAP infrastructure, as described in this chapter.

Forefront Client Security
Forefront Client Security is software that unifies the management of malware protection applications that would typically be managed independently. Forefront Client Security includes a malware protection agent and a central management system. The malware protection agent can be deployed to desktop, laptop, and server computers in an organization. The central management system provides IT administrators with a central location to view and manage all the computers that run Forefront Client Security.

Forefront Client Security does not require IT administrators to create separate policies for each different type of malware (for example, viruses, Trojan horses, worms, spyware, and rootkits). Forefront Client Security streamlines the creation and management of anti-malware policy by using a single policy for the various forms of malware. This structure helps IT administrators to create policies for their organizations that they know will be enforced for all defined malware.

The Integration Kit requires Forefront Client Security to be installed on the computers to be managed. In addition, the components in the following subsections are required.

Windows Server Update Services (WSUS)
This component is a distribution server that Forefront Client Security uses to distribute security agent and anti-malware signature definition updates to computers in the organization. The WSUS server is a critical component of the Integration Kit. For guidance about deploying WSUS, see Deploying Microsoft Windows Server Update Services 3.0. For more information about how to use WSUS, see Microsoft Windows Server Update Services.

Planning for WSUS to Distribute Forefront Client Security Updates
WSUS provides organizations with the ability to automatically download Microsoft product updates and distribute them to computers within the organization. WSUS connects to Microsoft Update and synchronizes the available updates to the local server. After you install and configure WSUS, you need to configure your computers to connect to the WSUS server to download updates. For more information about deploying Forefront Client Security to managed computers, see Deploying Client Security.

Note: The recommended method of deploying Forefront Client Security to target managed computers is through Group Policy or an approved deployment solution.

You can use the Microsoft Forefront Client Security Management console to deploy a Forefront Client Security policy. After the target computers receive the Forefront Client Security policy, they will contact the WSUS server and download the Forefront Client Security client components, which the WSUS server will have downloaded from Microsoft Update. This step requires that the managed computers be configured to connect to a WSUS server.

Adding Forefront Client Security to Your WSUS Infrastructure
The installation of the Forefront Client Security distribution component on your WSUS server adds a service called the Forefront Client Security Update Assistant. This service causes WSUS to query Microsoft Update for updates once an hour, which allows WSUS to obtain signature definition updates at more frequent intervals than the default configuration of WSUS. In addition, the installation of the distribution component configures your WSUS server to automatically synchronize the Forefront Client Security definition updates from Microsoft Update.
Definition updates are also added to the Approve for Installation list in the WSUS Automatic Approval Options, which means that any definition updates downloaded by the WSUS server are automatically approved for installation by your managed computers.

To ensure that your WSUS server synchronizes the Forefront Client Security client components and that they can be downloaded and installed by your managed computers after you deploy your Forefront Client Security policy, you must add Updates to the Update classifications list in Synchronization Options in WSUS. For more information, see Approving the client components in WSUS on Microsoft TechNet.

Forefront Client Security Management Server
This component is a Microsoft Operations Manager (MOM) server that provides central alerting, reporting, and administration of the anti-malware security policies that are pushed to the managed computers.

MOM Considerations
The Forefront Client Security SHA can be installed with the /nomom option. However, if this option is used it is very important to disable the monitoring of the MOM component in the SHV’s configuration. It should also be noted that integrating with MOM is the recommended configuration for administration of Forefront Client Security, because it allows administrators to easily manage and update preconfigured or customized malware protection agents in a production environment. If the SHA is installed with the /nomom option there will be no way to obtain reporting or monitoring information.

Client Operating System Requirements
The Forefront Client Security software must be installed. The Forefront Client Security agent provides protection from threats such as spyware, viruses, and rootkits. In addition, the Forefront Client Security system health agent (SHA) provided with this Integration Kit must be installed on all computers that you want to manage using this solution.
The SHA can be installed on 32-bit and 64-bit versions of the Business, Enterprise, and Ultimate editions of Windows Vista®. It can also be installed on the 32-bit and 64-bit versions of the Standard and Enterprise editions of Windows Server® 2008 and on the 32-bit version of Windows® XP Professional Edition with SP3.

Forefront Client Security – More Information
For more information about Forefront Client Security, see the following:

Network Access Protection
Planning a NAP infrastructure requires making decisions about health policy, enforcement, and remediation. For more information about configuring a NAP infrastructure, see the NAP Step-by-Step Guides on the main page of the Network Access Protection site on Microsoft TechNet. To plan for your NAP implementation, you will need to:
Before proceeding, administrators should be familiar with how users and computers are grouped and managed within the network. This knowledge can help define how to control network health evaluation and enforcement. Administrators should also understand the requirements and components of NAP because they will make decisions regarding the SHAs that are installed on the managed computers and SHVs that are installed on the NAP Network Policy Server (NPS). Administrators will have to deploy these NAP components before they can configure and enable a network policy that enforces a Forefront Client Security health policy. Therefore, a good understanding of these concepts is necessary to the planning process.

NAP Enforcement Methods
Four built-in enforcement methods work in conjunction with NAP to enforce health policies. NAP enforcement methods are not mutually exclusive; administrators can choose to implement multiple enforcement methods in varying combinations. For more information about the four enforcement methods, see Network Access Protection on Microsoft TechNet. The available NAP enforcement methods are:

NAP Enforcement Modes
NAP provides a way to enforce security policy and isolate noncompliant computers from your secure network through different enforcement modes. NAP enforcement mode settings allow you to specify what happens when computers do not comply with your organization’s health policy. For more information about the three enforcement modes, see the "NAP enforcement and network restriction" heading in the Network Access Protection article referenced earlier. There are three modes to select from:
You can also specify whether the SHA should perform auto-remediation on the NAP client computers.

Solution Architecture
The Forefront Client Security SHA/SHV solution includes the following components:
· Forefront Client Security SHA. The SHA component is installed on computers to monitor their health, including whether Forefront Client Security is installed, patched, and has all of the latest signature definition files. The SHA sends a statement of health (SoH) to the Forefront Client Security SHV.
· Forefront Client Security SHV. The SHV component is installed on a Windows Server® 2008–based server computer. The SHV provides an interface to configure a health policy on the NPS for Forefront Client Security.

The following figure shows the NAP architecture in this solution.
Figure 1.1. Sample NAP architecture using this Forefront Client Security SHA/SHV solution

This diagram includes the following components:

WSUS Remediation Server Configuration
This Solution Accelerator depends on Windows Server Update Services servers for client remediation. That is, for noncompliant NAP clients to be properly serviced, they must be able to reach a WSUS server even while isolated on a restricted network. The following two procedures provide step-by-step instructions to help you properly configure the WSUS remediation server; proper configuration is essential for the solution to function properly.

To set up a Remediation Server Group in NAP
Enabling the remediation server for noncompliant computers
The preceding two procedures are essential for the solution to function properly.

Network Access Protection – More Information
For more information about NAP, see the following: