About Configuration Manager Site Topologies and FEP 2010

Applies To: Forefront Endpoint Protection

You can deploy Forefront Endpoint Protection (FEP) to a Configuration Manager stand-alone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites is not supported. For more information about Configuration Manager sites, see Understanding Configuration Manager Sites (https://go.microsoft.com/fwlink/?LinkId=196956) in the Configuration Manager 2007 Technical Library.

Single-Site Deployment

In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the Configuration Manager site server. Configuration Manager administrators can perform the following tasks from the Configuration Manager console:

  • Create or modify Forefront Endpoint Protection policies

  • Assign Forefront Endpoint Protection policies to collections

  • Deploy Forefront Endpoint Protection clients to collections

  • Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard

  • Configure Forefront Endpoint Protection alerts

  • Assign the Forefront Endpoint Protection Desired Configuration Management configuration baselines to collections

Hierarchical Deployment

In a hierarchical Configuration Manager deployment, a parent site has one or more attached child sites in the hierarchy. A parent site contains pertinent information about its child sites, and it can control many operations at the child sites. A site that has no parent site is known as a central site. For more information about planning and deploying Configuration Manager, see Planning and Deploying the Server Infrastructure for Configuration Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=196960) in the Configuration Manager 2007 Technical Library.

Depending on the needs and requirements of an organization, you can deploy Forefront Endpoint Protection to achieve the following scenarios:

  • Centralized policy control and centralized FEP administration

  • Centralized policy control and decentralized FEP administration

  • Decentralized policy control and decentralized FEP administration

  • Decentralized policy control and FEP administration with centralized FEP reporting

Note

For the remainder of this topic, installing Forefront Endpoint Protection refers to the installation of the Forefront Endpoint Protection server components. In every scenario, you must also install the Forefront Endpoint Protection console extension on each computer on which the Configuration Manager console is installed and run.

Centralized policy control and centralized FEP administration

In this scenario, administrators at the Configuration Manager parent site control the configuration and administration of Forefront Endpoint Protection. Administrators at the parent site are responsible for policy management and day-to-day monitoring of Forefront Endpoint Protection. Administrators at the child sites can deploy the Forefront Endpoint Protection client software to collections in the child site and assign FEP policies, but have limited ability to monitor the progress of the FEP client software and policy deployments.

To implement this scenario, install Forefront Endpoint Protection only on the primary parent site.

The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed on the parent primary site only.

Task                                                                                    Connected to the parent site  Connected to the child sites
Deploy Forefront Endpoint Protection clients to collections                             Yes                           Yes
Create or modify Forefront Endpoint Protection policies                                 Yes                           No
Assign Forefront Endpoint Protection policies to collections                            Yes                           Yes
Monitor Forefront Endpoint Protection client deployment and policy deployment progress  Yes                           Limited
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard   Yes                           No
Forefront Endpoint Protection reporting                                                 Yes                           No
Configure Forefront Endpoint Protection alerts                                          Yes                           No
Forefront Endpoint Protection Operations                                                Yes                           Limited

Centralized policy control and decentralized FEP administration

In this scenario, FEP policies are managed centrally at the parent site, but the administrators at the child sites are responsible for the deployment and day-to-day management of FEP. Administrators at the child sites can view the Forefront Endpoint Protection policies, but cannot create, modify, or delete a policy.

To implement this scenario, you must install Forefront Endpoint Protection on both the primary parent site and the primary child sites.

The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed on the parent site and child sites.

Task                                                                                    Connected to the parent site  Connected to the child sites
Deploy Forefront Endpoint Protection clients to collections                             Yes                           Yes
Create or modify Forefront Endpoint Protection policies                                 Yes                           No
Assign Forefront Endpoint Protection policies to collections                            Yes                           Yes
Monitor Forefront Endpoint Protection client deployment and policy deployment progress  Yes                           Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard   Yes                           Yes
Forefront Endpoint Protection reporting                                                 Yes                           Yes
Configure Forefront Endpoint Protection alerts                                          Yes                           Yes
Forefront Endpoint Protection Operations                                                Yes                           Yes

Important

  • At a child site, there are two FEP – Deployment packages, one from the parent site and one from the child site. When deploying the Forefront Endpoint Protection client software from the child site, you must deploy by using the software package from the parent site. The first three letters of the software package Package ID indicate from which site the software package originates.

  • When you install Forefront Endpoint Protection on the child site first, and then install Forefront Endpoint Protection on the parent site, the FEP – Policies package on the child site is disabled, and the FEP – Policies package from the parent site is propagated to the child site. Policies created on the child site no longer exist. We recommend that you export the policies from the child site before you install Forefront Endpoint Protection on the parent site. After installing Forefront Endpoint Protection on the parent site, you can import the policies on the parent site. For more information about importing and exporting policies, see Exporting a Policy and Importing a Policy.

  • Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of the child sites. Repair the Forefront Endpoint Protection installation on each child site after Forefront Endpoint Protection is uninstalled from the parent site.

  • FEP clients deployed at the child sites appear only in the following Client Deployment Status categories at the parent site:

    • Deployed

    • Out of date

    The reason for this is that the information for these categories is based on Configuration Manager hardware inventory data that the parent site receives from the child sites.

    The information for the following deployment categories is based on the Configuration Manager advertisements: Removed, Failed, and Pending. Because the parent site cannot see the advertisements created at a child site, deployment information for these categories is not displayed at the parent site. You can view the full deployment status for deployed FEP client software at the child site.

  • Policy distribution status for FEP policies assigned to collections at a child site can take up to 24 hours to display at the parent site.
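The first note above says that a child site holds two FEP – Deployment packages and that the first three letters of the Package ID identify the originating site. The following Windows PowerShell script is an added example, not part of the original topic or of the FEP product, that a child-site administrator can run to tell the two packages apart before creating an advertisement. It reads the SMS Provider WMI classes of Configuration Manager 2007 (SMS_ProviderLocation in root\SMS, SMS_Package in root\SMS\site_<code>); the parent site code CEN and the use of the local computer as the SMS Provider are assumptions that you should replace with your own values.

```powershell
# Added example: identify which "FEP - Deployment" package at a child site
# originated at the parent site, by the three-letter site code that prefixes
# every Configuration Manager 2007 Package ID.
# Assumed values (change for your hierarchy): parent site code "CEN",
# SMS Provider running on the computer where the script is executed.
param(
    [string]$ParentSiteCode = 'CEN',
    [string]$ProviderServer = $env:COMPUTERNAME
)

# Discover the local (child) site code from the SMS Provider location.
$provider = Get-WmiObject -ComputerName $ProviderServer -Namespace 'root\SMS' `
    -Class SMS_ProviderLocation | Where-Object { $_.ProviderForLocalSite }
if (-not $provider) { throw "No SMS Provider for a local site found on $ProviderServer" }
$childSiteCode = $provider.SiteCode
$siteNamespace = "root\SMS\site_$childSiteCode"

# Both packages are named "FEP - Deployment" (the dash may be an en dash in the
# console), so match loosely on the name and let the Package ID decide.
$packages = Get-WmiObject -ComputerName $ProviderServer -Namespace $siteNamespace `
    -Class SMS_Package | Where-Object { $_.Name -like 'FEP*Deployment*' }

foreach ($pkg in $packages) {
    $origin = $pkg.PackageID.Substring(0, 3)
    $role = if ($origin -eq $ParentSiteCode) { 'from PARENT site: use for deployment' }
            elseif ($origin -eq $childSiteCode) { 'from this child site: do not use' }
            else { 'from another site' }
    # SourceSite is the same information as stored by Configuration Manager;
    # it is printed as a cross-check of the Package ID prefix.
    '{0}  {1,-20}  SourceSite={2}  {3}' -f $pkg.PackageID, $pkg.Name, $pkg.SourceSite, $role
}

# The Package ID to reference when you create the advertisement at the child site.
$parentPkg = $packages | Where-Object { $_.PackageID.StartsWith($ParentSiteCode) }
if (-not $parentPkg) {
    Write-Warning ("No FEP - Deployment package from site {0} exists at site {1}. " +
        "Verify that the parent-site package has replicated before deploying clients.") `
        -f $ParentSiteCode, $childSiteCode
} else {
    "Deploy the FEP client at site $childSiteCode using Package ID $($parentPkg.PackageID)"
}
```

Run the script on the child primary site server (or any computer with remote WMI access to its SMS Provider) with an account that has read permission on the site's SMS Provider namespace. If the parent-site package is missing, the child-site package must not be used in its place; wait for package replication from the parent site and run the check again.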

Decentralized policy control and decentralized FEP administration

In this scenario, the FEP policies are managed independently at each of the child sites, and the child site administrators are responsible for the deployment and day-to-day management of Forefront Endpoint Protection. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another. For more information about exporting and importing Forefront Endpoint Protection policies, see Exporting a Policy and Importing a Policy.

To implement this scenario, install Forefront Endpoint Protection on primary child sites only.

Warning

Do not install Forefront Endpoint Protection on the parent site. Doing so disables the existing policies on the child sites and converts the hierarchy to the Centralized policy control and decentralized FEP administration scenario described earlier in this topic.

The following table lists the tasks that you can accomplish when Forefront Endpoint Protection is installed at the child sites only.

Task                                                                                    Connected to the parent site  Connected to the child sites
Deploy Forefront Endpoint Protection clients to collections                             No                            Yes
Create or modify Forefront Endpoint Protection policies                                 No                            Yes
Assign Forefront Endpoint Protection policies to collections                            No                            Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard   No                            Yes
Forefront Endpoint Protection reporting                                                 No                            Yes
Configure Forefront Endpoint Protection alerts                                          No                            Yes
Forefront Endpoint Protection Operations                                                No                            Yes

Note

Tasks performed on a child site only affect the devices of that child site.

Decentralized policy control and FEP administration with centralized FEP reporting

This scenario is very similar to the Decentralized policy control and decentralized FEP administration scenario, and in addition provides centralized, organization-wide reporting.

In this scenario, FEP policies are managed independently at each of the child sites, and the child site administrators are responsible for the deployment and day-to-day management of FEP. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another. For more information about exporting and importing Forefront Endpoint Protection policies, see Exporting a Policy and Importing a Policy.

To implement this scenario, install Forefront Endpoint Protection on primary child sites and install only FEP reporting on the primary parent site.

Warning

Do not install the full Forefront Endpoint Protection server components on the parent site; install only FEP reporting there. Installing the full server components on the parent site disables the existing policies on the child sites and converts the hierarchy to the Centralized policy control and decentralized FEP administration scenario described earlier in this topic.

The following table lists the Forefront Endpoint Protection tasks that you can accomplish when Forefront Endpoint Protection is installed at the child sites and only FEP reporting is installed on the parent site.

Task                                                                                    Connected to the parent site  Connected to the child sites
Deploy Forefront Endpoint Protection clients to collections                             No                            Yes
Create or modify Forefront Endpoint Protection policies                                 No                            Yes
Assign Forefront Endpoint Protection policies to collections                            No                            Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard   No                            Yes
Forefront Endpoint Protection reporting                                                 Yes                           Yes
Configure Forefront Endpoint Protection alerts                                          Yes                           Yes
Forefront Endpoint Protection Operations                                                No                            Yes

Note

Tasks performed on a child site only affect the devices of that child site.