Preparing for FCS 2 server topology - WSUS already in use

  • Question

  • As the title states, I am getting ready to deploy Forefront Client Security.  I have determined that I will need to use a 2 server topology because I am hoping to make use of our existing WSUS server.

    I am checking if there is any reason that I can't use an already configured and functional domain wide windows update server, with a new installation of forefront client security.

    If there is a compatibility issue, would I be safe installing a separate instance of WSUS on the FCS server to do a single server topology deployment, or will the two WSUS servers conflict with each other?

    Any advice will be appreciated!

    Thanks,
    jalgl

    Monday, June 25, 2012 9:11 PM

All replies

  • Hi jalgl,

    Thank you for the post.

    You could use the existing WSUS server for FCS. There is no need to install the distribution server role, and there is no compatibility issue. Here are similar threads about it.
    http://social.technet.microsoft.com/Forums/en-CA/Forefrontclientgeneral/thread/f41ecf11-980b-4388-80bf-b8f70102c0c7
    http://social.technet.microsoft.com/Forums/en-US/Forefrontclientsetup/thread/db4b173d-14f5-417d-a446-2f04a25022b9

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Friday, June 29, 2012 1:34 AM
    Tuesday, June 26, 2012 9:13 AM
  • Thank you for that!  Good information.

    I went to perform the installer and it said that the Configuration Manager was not found, but it didn't give me the chance to tell it where WSUS was installed (it's on a different server).

    Any clue as to why the installer isn't allowing me to configure the location for the distribution point?

    Friday, June 29, 2012 7:44 PM
  • Hi jalgl,

    Oh, WSUS and the Configuration Manager server must be set up on the same server. Check the prerequisites in the article below:
    http://technet.microsoft.com/en-us/library/dd185652.aspx

    Regards


    Rick Tan

    TechNet Community Support

    Monday, July 2, 2012 2:03 AM
  • Alright... I think I am getting closer here:

    I have System Center Configuration Manager 2012 and System Center 2012 Endpoint Protection installed on the same server now.  I did not install a Distribution Point, but I cannot figure out how to utilize my previous WSUS installation on the other server with my new SCCM configuration.  Everything that matters is default (save for SQL instance name and port).  So I should be pretty cookie cutter here.  Anyone have a link to a similar setup?

    Thursday, July 5, 2012 8:20 PM
  • Hi jalgl,

    Let me explain more.

    1. When you want to use SCCM/SUP to push FCS definitions, the WSUS server must be installed on the same SCCM server. Or you install WSUS on the SCCM server to sync with the current WSUS server. In this scenario, there is no need to set up any WSUS GPO, and all operations should be done in the SUP console.
    2. When you want to use only WSUS to push FCS definitions, you just need to configure FCS products/updates and an approval rule in the WSUS console. In this scenario, you need to set up the WSUS GPO.
    3. FCS installation does not need to verify the WSUS settings. You should just ensure your FCS client can update definitions successfully from WSUS or SUP.
    4. As you said, you have installed SCCM 2012 and SCEP 2012. Why not implement SCEP 2012 instead of FCS for your clients?

    http://microsoftguru.com.au/2010/08/14/install-and-configure-forefront-client-security-step-by-step-part-i/

    Regards


    Rick Tan

    TechNet Community Support

    Friday, July 6, 2012 2:10 AM
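
The WSUS-only scenario in point 2 above depends on the WSUS Group Policy actually reaching the client. The following PowerShell is an added example, not part of the original thread, that reads the Windows Update policy values from the client's registry and lists problems; the expected server URL `http://wsus.example.local:8530` is a placeholder assumption.

```powershell
# Added example: report the WSUS settings that policy has written on this client.
# $ExpectedServer is a hypothetical value; replace it with your own WSUS URL.
function Get-WsusClientPolicy {
    param([string]$ExpectedServer = 'http://wsus.example.local:8530')

    # Policy locations used by the Windows Update client.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # Either key may be absent when no WSUS policy applies, so suppress errors.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'No WUServer policy value: the WSUS policy is not applied to this machine.'
    } else {
        if ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'."
        }
        if ($wu.WUServer -notmatch '^https://') {
            $findings += 'WUServer uses plain HTTP; update metadata is fetched without TLS.'
        }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client does not use the configured WUServer.'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Findings       = $findings
    }
}

Get-WsusClientPolicy | Format-List
```

An empty `Findings` list means the client is pointed at the expected WSUS server over HTTPS; run `gpupdate /force` and re-check if the policy was only just linked.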
  • Per your point number 4, I guess that is really what I do want to do, but I thought that SCCM 2012 and SCEP 2012 are what is required on the server to push out FCS to our clients. 
    Friday, July 6, 2012 5:07 PM
  • I have been trying to follow the 64 page PDF found on THIS  web page, and it has been helpful, but I don't see it communicating the WSUS configuration very well.

    Also, during my stumbling around in SCCM I have managed to get my WSUS server (that isn't supposed to be a part of my site as far as I can tell) stuck with one of the required site roles to the point that I cannot remove it now.  I thought it had to be a SUP and so I configured it as such in SCCM, I got a bunch of Access Denied Errors, but I thought everything was supposed to be communicating over WSUS Administrative Console (which works when used standalone).

    I feel like I am missing something simple, as I have an Endpoint Protection Point configured, I have an automatic update policy configured, I have a distribution group set up to test the settings, but on page 24 of the above referenced PDF where it has me go to the client's Control Panel, I don't have System and Security available.

    I must be missing the big picture somewhere.

    Would it be possible for me to configure a standalone SCCM / SCEP server to push out the software to all my client machines without messing around with the previously configured WSUS server?  I can't be the first organization to install SCCM/SCEP along side an existing WSUS deployment, can I?

    Thanks go to anyone able to offer some insight.

    Friday, July 6, 2012 8:29 PM
  • Hi jalgl,

    "but I thought that SCCM 2012 and SCEP 2012 are what is required on the server to push out FCS to our clients."
    SCEP 2012 is the new version of FCS. It means you need not push FCS if you have installed SCEP 2012.

    "I don't have System and Security available. I must be missing the big picture somewhere."
    Please skip/ignore "System and Security", just read "in Control Panel, start Configuration Manager".

    "I can't be the first organization to install SCCM/SCEP along side an existing WSUS deployment, can I?"
    In your scenario, there is no need to install SUP; just configure your WSUS to push SCEP.
    "2. When you want to use only WSUS to push FCS definition. Just need to configure FCS products/updates and approve rule in WSUS console. To this scenario, you need to set up WSUS GPO."

    Regards


    Rick Tan

    TechNet Community Support

    Monday, July 9, 2012 2:41 AM
  • It doesn't look like the Configuration Manager Client is getting pushed out to the clients.  Perhaps it's this that is causing my headache.  When I go to the client control panel the configuration manager isn't an option, even after using the "install client" function in SCCM 2012.
    Monday, July 9, 2012 2:45 PM
  • Okay, looks like I have made progress.
    It appears that my SCCM setup is configured at least functionally.  The issue I was running into was client side firewalls.

    I have them configured now and over the night last night several of my test machines received the System Configuration and Endpoint Protection as expected.

    However, I can't "Force" the programs out or "Install" the client manually from SCCM 2012.  I am wondering where the setting is that I can create a test group and then On Demand send the programs out.  

    Or set the frequency so that I can set it for an hour for testing purposes.



    For others' information:  I DID NOT need to integrate with WSUS or use a SUP.  I have an existing WSUS install that is set to deliver updates for FEP 2010 (which apparently is the SC2012EP updates as well), and then I have a standalone SCCM 2012 server as a Distribution Point to deliver FEP and the required Configuration Manager Client.  Of course the WSUS Admin Console is installed and pointed at my WSUS server per the SCCM prereqs.  But I am not integrating WSUS with SCCM as far as my understanding is concerned with my configuration on SCCM.

    Hope this helps.  And I would appreciate any clarification to this point if anyone has an explanation why we need to integrate SCCM with WSUS at all.

    Thanks!
    • Marked as answer by jalgl Thursday, July 12, 2012 3:14 PM
    Thursday, July 12, 2012 3:14 PM