FCS Questions RRS feed

  • Question

  • MOM Questions

    1- How to automatic Approve MOM Agent Installation after 5 mins
    2- Why some times i found MOM agent need approval for uninstall at Pending Actions

    FCS Questions

    1- WSUS as distribution Server responsible for installing FCS Package and Virus Definition when applying a deployment GPO to specific OU, how WSUS know that these computers (inside OU) need FCS to be installed, does the GPO have something like internal command to ask WSUS server for the FCS Source, and from where WSUS get the FCS source that need to be installed, does WSUS download it from internet or get it from FCS Server itself.

    2- My GPO deployed to my Domain, but how to know that FCS are deployed to all computers at my Environment or how to can know computer that don't have FCS,  I need to discover unmanaged clients.

    3- If I need to get a report for specific computer, like infected files and viruses on it and so on, how can I do that?
    4- We build our DR site, have any article or recommendation take about how to DR the FCS server, what is the FCS server that should be at DR, reporting Server, collection server, DBs or all or none of them.

    5- I read that port 1720 TCP/UDP should be excluded from firewall, But which firewall?
    Client Firewall   or collection server Firewall.
    I need to know who take first Client push its logs and alert to FCS Server or FCS Server fetch it from clients.

    WSUS Questions

    1- When deploy GPO for install FCS, what the scenario that happen, for example after GPO applied, clients will ask WSUS for FCS update or WSUs will check Client machine if no FCS so push FCS package and virus definition form WSUS server.

    2- so time I notice  at WSUS console, computers that have for example about 1120 update are not applicable for the machine, what that mean ? i need  WSUS compare only Windows XP update catalog of with Client that have XP so that the not applicable at this time will be few and compare Windows 2003 update catalog with all 2003 machines and so on,

    Saturday, January 10, 2009 1:01 PM

All replies

  • Hi AbdallA

    I will try to answer as many questions as possible here.

    MOM Questions

    1.  Why do you want this to happen after 5 minutes?  It happens automatically after an hour or you can do it manually.  I have not looked if you can change this setting.


    FCS Questions

    1.  The WSUS server holds the update in its database just like any other update.  You can approve it to certain groups for install or to everything in WSUS.  But it will not deploy on its own.  When you create a FCS policy from the Forefront console and apply it to your domain/OU's it then gets applied to clients.  Once the client has this FCS policy and it checks WSUS the Forefront client is marked active and is then installed.  So it requires both WSUS to have the Forefront client set to approve for install and it requires a FCS policy on all the machines that you wish to install Forefront client security onto.  The actual update or client installation is downloaded from the internet from the Microsoft update servers.  It does not get the client or the definition updates from the Forefront server.  The forefront server is for managment and monitoring only.

    2.  Is your active directory up to date?  If it is and there are no old machines in your AD, Then export a list from the active directory OU's that have computer objects in it.  Then export a list of all the computers in the MOM administrator console and compare these lists using something like excel.  If machines are not a part of your domain then you wont pick them up unless you use some other 3rd party tool.

    3.  If you need a report for a specific computer you can draw one.  You can either select the malware option from the main forefront console and look for you machine or you can open up the report console on the forefront server and select malware or computer history options.  From there you can enter the name of the pc and enter up to 72 hours ago.

    4.  No Sure about the DR.  I just backup my SQL databases.  I will have to look into this.

    5.  You made a typo maybe.  It is actually port 1270 which is used for the MOM communication.  This would need to be opened on both client workstations firewalls and any other perimeter firewalls and devices that may block it.  The clients push their data to the server.

    WSUS Questions

    1.  First ensure that all your clients/workstations have a correct WSUS policy.  Then ensure that the Forefront client component has been downloaded by WSUS.  Then deploy a FCS policy to the clients.  Ensure that the group policy settings have been refreshed.  either within 90- minutes by default or using a gpupdate /force command.  Then the next time the clients speak to WSUS they will pull down and install Forefront client security as per your group policy settings for WSUS.  Eg if the policy for WSUS is set to download and notify for install with a check in every 22 hours then users will have to initiate the install manually.  If your policy for WSUS is set to download and schedule the install then users wont be responsible for the installation of Forefront or other patches and security updates.  My advice is to ensure in WSUS that definitions are set to automatic approval.  And I also change the frequency that WSUS updates check to every 1 hour.  I also set all workstations but not usually servers to download and schedule the installs.

    2.  For this it could be that you have old updates.  have you run a clean up on your WSUS server recently?

    Wednesday, January 14, 2009 12:12 PM
  •  Hi,

    I have some additional info...

    MOM questions:

    1. This is a script (floodetection script) that is scheduled to run every hour. and amongst other things it will approve any computers under pending actions.  you can reschedule the script to run when ever you want. (MOM admin console)

    2. This is due to a missing computer discovery rule for the computers that are wanting to uninstall the MOM agent.
    Under Discovery rules in MOM admin console. Create discovery rules for the computers that are complaining and the pending uniinstall will go away.

    I'm not 100% sure why this occurs though.

    MCSE, forefront spec | www.msforefront.com
    Wednesday, January 14, 2009 3:31 PM

    first I would like to thank Robert Lourenco, Johan Blom

    second I have two comments

    if MOM clients push the logs and alerts to MOM server, so connection initialized from Client PC, i think that no need to open port 1270 at client Firewall,,
    please correct me if i wrong.

    About FCS at DR
    if i can do Active/passive cluster for SQL Server, active at HQ and passive at DR
    but the question is  if HQ DB are down, how can i tell MOM clients to connect to DR SQL”,
    we may need to deploy new GPO to clients,
    please advice,,

    Wednesday, January 14, 2009 11:33 PM
  • Hi

    For the first question the MOM clients do push the information as far as I understand but I will do some further investigating.  I know with XP machines I have not had a problem so far but on some Vista machines I have had to enable a firewall rule to allow port 1270.

    I will look into the DR option when I get a chance.  As I mentioned previously, I just backup my databases currently so that I can restore the data if I need to reinstall.  If I reinstall the machines will check back into the server as Long as the hostname and forefront managment group names remain the same.


    Kind Regards


    Monday, January 19, 2009 7:45 AM
  • Robert Lourenco said:

     If I reinstall the machines will check back into the server as Long as the hostname and forefront management group names remain the same.

    in this case Can MOM Agent Communicate wih MOM Server "Collection Server", or shall i uninstall/reinstall MOM Agent again!!!

    Monday, March 9, 2009 12:03 AM
  • Hello,

    Where is the flooddetection script which is supposedto approve automatically the client?



    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
    Thursday, June 24, 2010 7:28 PM
  • Hi,

    Felyjobs: You will find the rule (Run Flood Detection) in Management Packs\Rule Groups\Microsoft Forefront Client Security\Server Behaviors\

    Go to Data Provider in Event Rule Properties, there you should be able to specify the time of your choise.


    • Proposed as answer by Felyjos Friday, July 2, 2010 1:34 PM
    Friday, July 2, 2010 12:30 PM