FCS agent on server and clients without FCS management console possible? RRS feed

  • Question

  • I do basic IT support for a small nonprofit organization (1 server, 5 Windows XP clients: 4 PCs and 1 laptop) on a part-time volunteer basis. I recently replaced their dead server (Server 2000 & Exchange 2000) with a new one running SBS 2008. I really liked the trial versions of 1 Care and ForeFront for Exchange Server that was included.; however the trial period expires in about 60 days and I need to replace them.

    I expect that we are going to license Forefront for Exchange Server to handle email, but I need to protect the server and clients against viruses, malware, etc. I thought I would install the new Microsoft Security Essentials on everything, but a reply to my posting in the MSSE forum told me that I can't run MSSE on a server. So I guess my first question is, is that true?

    If it is true, my next question is, can I license/install the FCS agent on the server and clients as stand alone/unmanaged applications to protect them and not buy the management console? As small as the office is, the cost of the management console plus adminstering it, and dealing with SQL server isn't going to happen.

    Thanks in advance for your reply,
    Terry Moore

    Saturday, October 24, 2009 11:30 PM


  • Hi,

    Be aware that from the EULA, MSSE is only licensed to be run at home or a small home office.

    As far as Forefront goes, I'm currently running it standalone.
    If you want to do it as well, just install MP_AMBITS.msi and you are good to go. You can also run ClientSetup.exe /NOMOM. That will install the security assessement as well. But given that you will not have an interface for it, I think it doesn't make sense to have it running on the clients (just my opinion; if you like looking at the event log and XML files please install it as well).
    You can/should use the forefront adm (http://social.technet.microsoft.com/Forums/en/Forefrontclientgeneral/thread/8574ed97-b84d-4b0a-ae9e-d4985ed7217f) to manage the settings with GPO, or you can setup the client in one computer and then copy the registry keys to all the other computers (maybe with a logon script; not sure if you are licensed to use the localpolicy tool).
    If you have WSUS, make sure you subscribe and approve the Forefront definitions.
    By running FCS standalone you will not access to any centralized report. It will work the same way as MSSE.
    If you have System Center Essentials (I guess it is included in SBS2008) you can create a Management Pack that checks Event Logs and triggers alarms (check event 3004 of System/FcsAM) when a virus or security problem is present. You can also check if the daemon is running, and the definitions age and version. That's what I'm currently using as well, and it gives me some insight into my environment security.

    Sunday, October 25, 2009 8:55 PM