Defining and defending private clouds with MS System Center and Forefront

John Joyner explains how to deliver the same managed Windows updates and anti-malware defense to PCs that Intune provides, by setting up Microsoft System Center Configuration Manager and Forefront Endpoint Protection (FEP).

In a previous post, I wrote about Microsoft's Windows Intune, a new public cloud offering for management of Windows client computer updates and anti-malware. An advantage to managing PCs from the cloud is that each computer makes its own direct connection to the cloud management service, regardless of the PC location or security status. The business benefit is that organizational resources stay connected for asset control and updating purposes anywhere they are, as long as they are powered on and have a connection to the Internet.

The Internet-Based Client Management feature of Microsoft System Center Configuration Manager 2007 R3 (SCCM), combined with Microsoft Forefront Endpoint Protection 2010 (FEP) delivers Windows updates and managed anti-malware defense to PCs in almost exactly the same way Intune does. To achieve this, you have to set up SCCM in "native" mode using certificates, add the FEP product, and then you have some recurring administration tasks to package and deploy selected updates to computers. After deploying SCCM and FEP, you will be in complete control of the updating and security status for all computers, from the "high ground" of your private cloud.

This solution should be considered for all medium and larger organizations with a highly distributed topology, where there is a need for a centralized PC updating and security solution, and where Windows Intune is not a good fit for whatever reason. This article will step through and discuss seven high-level tasks that establish the private cloud management infrastructure.

1. Prepare your certificate infrastructure

  1. The solution leverages a Certificate Authority (CA) that establishes the trust federation for your organization. This may include publishing a Certificate Revocation List (CRL) to the Internet.
  2. Computer certificates must be issued for each computer that will be managed. Computers on the network can be issued certificates via group policy automatically.
  3. Create a custom SCCM Site Signing Certificate (Figure A is an example) and issue one to the prospective SCCM site server. This certificate must be pre-installed on the server in order to complete installation of SCCM in native mode. Manually installed SCCM agents include an exported copy of this certificate on the command line.

Figure A

The SCCM Site Signing Certificate has a unique subject name that contains the site code.

2. Plan your SCCM deployment

  1. Determine if SCCM will integrate with an existing Windows Server Updates Service (WSUS) server in your organization, or if you will use a new one with SCCM. If using an existing WSUS server, be aware that moving to SCCM for updates means removing previous WSUS group policies from your AD.
  2. Consider the cost and availability of inbound bandwidth from the Internet to the WSUS server. This channel is used to pull Forefront Endpoint Protection updates by private cloud clients and can be significant for large numbers of Internet-based clients. Make sure there is a WSUS automatic approval rule for FEP client anti-malware updates.
  3. SCCM with FEP requires SQL database server support in the Database Server, Analysis Server, and Reporting Server roles.

3. Prepare your Active Directory (AD) and public DNS
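The WSUS automatic approval rule for FEP anti-malware updates mentioned in step 2 can be created from the WSUS administration API instead of the console. The following PowerShell script is an added example, not code from the article or from Microsoft; it is run on the WSUS server as a WSUS administrator, and the rule name, the product title "Forefront Endpoint Protection 2010" (as it appears in the WSUS product list) and the "All Computers" target group are assumptions to adjust for your site. It reuses a rule of the same name if one exists rather than creating duplicates, and fails early if the FEP product has not yet been selected for synchronization.

```powershell
# Added example (not from the article): create or update a WSUS automatic
# approval rule so FEP definition updates are approved as soon as they sync.
# Rule name, product title and target group below are assumptions.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$ruleName       = "Auto-approve FEP definition updates"   # assumed rule name
$productTitle   = "Forefront Endpoint Protection 2010"    # assumed product title in WSUS
$classification = "Definition Updates"                    # WSUS classification for AV signatures
$targetGroup    = "All Computers"                         # assumed target group

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Product category: only present once the product is selected for sync
$categories = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$wsus.GetUpdateCategories() |
    Where-Object { $_.Title -eq $productTitle } |
    ForEach-Object { [void]$categories.Add($_) }
if ($categories.Count -eq 0) {
    throw "Product '$productTitle' is not selected for synchronization; enable it (from the SCCM Software Update Point once SCCM owns WSUS) and sync first."
}

# Classification: restrict the rule to definition updates only
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq $classification } |
    ForEach-Object { [void]$classes.Add($_) }
if ($classes.Count -eq 0) { throw "Classification '$classification' is not selected for synchronization." }

# Target group the approvals apply to
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $targetGroup } |
    ForEach-Object { [void]$groups.Add($_) }
if ($groups.Count -eq 0) { throw "Computer target group '$targetGroup' does not exist." }

# Reuse an existing rule of the same name instead of creating a duplicate
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$rule.SetCategories($categories)
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Apply immediately so definitions already synchronized are approved too,
# not only those arriving in future synchronizations.
$rule.ApplyRule()
Write-Host "Approval rule '$ruleName' saved and applied."
```

Keeping the rule scoped to the single product and the Definition Updates classification is deliberate: a broader rule would silently auto-approve other update types for every Internet-based client, which is exactly the bandwidth and change-control exposure step 2 warns about.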

  1. Import SCCM group policy templates to a Group Policy Object (GPO) in your domain. Client computers can read their setup information from AD this way.
  2. Optionally update AD Schema with SCCM extensions. While some SCCM features depend on extending the schema, such as Network Access Protection (NAP) and global roaming, there are workarounds for not extending the schema to enable most features. This is a small modification to AD and can be routinely implemented.
  3. The SCCM site server, WSUS server, and some other SCCM roles require inbound Internet connections. Public DNS entries need to exist to allow Internet-based clients to communicate with the CA and SCCM servers.

4. Install the site server and other SCCM roles

  1. Select Configuration Manager Native Mode during installation of the SCCM primary site.
  2. Add the Software Update Point component to your WSUS server. After a little while, your SCCM console will update server options such as the product selections available on the WSUS server. From this point forward, control your WSUS server options, such as synchronization schedule, from the SCCM console.
  3. Add the Reporting Services Point (RSP) component to your SQL Reporting Server. There may be an additional step to configure the RSP and copy SCCM reports to it.

5. Install the FEP 2010 integration

  1. The FEP server setup runs on top of SCCM 2007 R3. A default FEP server installation piggy-backs the FCS roles on the same database and reporting servers that the SCCM primary site uses.
  2. It might be necessary to manually copy the three (3) FEP report folders to the SCCM Reporting Service Point (RSP). Also, consider importing the sixteen (16) FEP Policies from the %Program Files%\Microsoft Forefront\PolicyTemplates folder to the FEP Policies node of the SCCM console.
  3. The FEP anti-malware client will get installed on the SCCM site server as part of a default FEP server installation.

6. Deploy the SCCM agent

  1. For domain-joined computers with LAN or VPN access, install the SCCM client automatically using a variety of methods such as login script, client push from the SCCM console, or group policy.
  2. For untrusted and workgroup computers, or domain computers on the Internet, issue and install a client certificate, then manually install the SCCM client using a command line.
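Steps 1 (computer certificates and an Internet-reachable CRL) and 6.2 (the manual, certificate-based client install) come together on each Internet-based or workgroup computer. The following PowerShell script is an added example, not code from the article or from Microsoft: it first confirms that the machine has a computer certificate with a private key that chains to a trusted CA, passes an online CRL check and is valid for Client Authentication (the same checks the native-mode client will perform), and only then runs ccmsetup.exe with the exported site signing certificate. The site code P01, the management point name sccm-mp.example.com and the local file paths are assumptions; the ccmsetup.exe switches used are the documented ConfigMgr 2007 ones (/native, SMSSITECODE, CCMHOSTNAME, CCMALWAYSINF, CCMFIRSTCERT, SMSSIGNCERT).

```powershell
# Added example (not from the article): validate the client certificate, then
# run the manual native-mode SCCM 2007 client install on an Internet-based or
# workgroup computer. Site code, host names and paths are assumptions.
$siteCode      = "P01"                          # assumed SCCM site code
$internetMp    = "sccm-mp.example.com"          # assumed public FQDN of the Internet-based MP
$signCertPath  = "C:\Temp\SiteSigning.cer"      # exported site signing certificate (public key only)
$ccmSetup      = "C:\Temp\Client\ccmsetup.exe"  # client source copied locally; path has no spaces
$oidClientAuth = "1.3.6.1.5.5.7.3.2"            # Client Authentication EKU

# Returns the certificate the SCCM client would pick: private key present,
# trusted chain with an online CRL check, Client Authentication EKU, longest
# validity first (the same preference CCMFIRSTCERT=1 expresses to the client).
function Get-SccmClientCertificate {
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # ApplicationPolicy makes Build() fail for certificates lacking this EKU
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object Security.Cryptography.Oid $oidClientAuth))

    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending
    foreach ($c in $candidates) {
        # Build() fetches the CRL online, so it only succeeds here if the CRL
        # distribution point is reachable from wherever this machine sits.
        if ($chain.Build($c)) { return $c }
        foreach ($s in $chain.ChainStatus) {
            Write-Verbose ("{0}: {1}" -f $c.Thumbprint, $s.StatusInformation.Trim())
        }
    }
    return $null
}

$cert = Get-SccmClientCertificate
if (-not $cert) {
    throw "No computer certificate with the Client Authentication EKU chains to a trusted CA with a reachable CRL. Issue one (step 1) before installing the client."
}
if (-not (Test-Path $signCertPath)) { throw "Site signing certificate export not found at $signCertPath" }
Write-Host ("Using client certificate {0}, expires {1}" -f $cert.Thumbprint, $cert.NotAfter)

# Manual native-mode install:
#   /native:CRL     client checks the CRL for native-mode (HTTPS) communication
#   CCMHOSTNAME     Internet-based management point the client reports to
#   CCMALWAYSINF=1  client is always on the Internet (omit for roaming domain PCs)
#   CCMFIRSTCERT=1  pick the longest-valid certificate when several qualify
#   SMSSIGNCERT     exported site signing certificate, as step 1.3 describes
$setupArgs = @(
    "/native:CRL",
    "SMSSITECODE=$siteCode",
    "CCMHOSTNAME=$internetMp",
    "CCMALWAYSINF=1",
    "CCMFIRSTCERT=1",
    "SMSSIGNCERT=$signCertPath"
)
$proc = Start-Process -FilePath $ccmSetup -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "ccmsetup.exe exited with code $($proc.ExitCode); review $env:windir\ccmsetup\ccmsetup.log"
}
Write-Host "ccmsetup.exe completed; confirm client registration in $env:windir\ccmsetup\ccmsetup.log"
```

Running the certificate check from a machine outside the corporate network is the quickest way to prove that the CRL publishing from step 1 actually works: if the chain fails with a revocation status error there, Internet-based clients will fail the same way once the agent is installed.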

7. Push the FEP client and assign FEP policies

  1. Create an SCCM advertisement to push the FEP client to computers. Then select and apply appropriate FEP policies for your various server roles. Right-click on the desired policy and choose Assign Policy to assign that policy to an SCCM collection.
  2. FEP Policies can only be applied to SCCM clients that already have the FEP client installed, so target your FEP Policies to members of FEP Collections.
  3. Optionally invoke the Desired Configuration Management (DCM) feature of SCCM; FEP adds configuration baselines to DCM that can help with compliance reporting.

The next big task is to create workflows to package and deploy Windows updates on a recurring basis, such as monthly. Once the basic infrastructure described above is in place, you have effectively carved out a very scalable private management cloud that spans the Internet.

By John Joyner

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...