fcspolicytool on dmz machines

  • Question

  • On our DMZ, we install Forefront using the /nomom switch. We then install our Forefront policy using the fcspolicytool. Our policy was created by deploying our internal domain policy to a GPO and a reg file. The problem is that the reg file says to use our management server in our internal domain. So when I install the policy on our DMZ machines, Windows Update then decides to reinstall Forefront using the MOM agent (our DMZ servers receive updates from our internal WSUS server). My question: how do I create a policy reg file that will include the same exclusions as our internal policy, and not point at a MOM server? I don't want a MOM agent on our DMZ machines.

    • Moved by Miles Zhang Tuesday, November 2, 2010 1:42 AM (From:Forefront Client Security Setup and Configuration)
    Monday, November 1, 2010 3:51 PM

Answers

  • Hi!

    There are 2 reg values that the FCS setup looks for: MOMGroupName and MOMServerName. If the values are not found, FCS won't install unless you run /nomom.

    You could delete the values before importing the reg file; however, this means that you won't get the updates to the FCS client, since there is no way of supplying the /nomom switch to a WSUS-style setup. Are there many servers? Could you handle the update of the FCS client itself (not defs) manually?

    /Johan


    MCSE, forefront spec | www.msforefront.com
    • Marked as answer by Miles Zhang Monday, November 8, 2010 4:21 AM
    Thursday, November 4, 2010 9:27 PM
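
The edit described in the answer above, deleting the MOMGroupName and MOMServerName values before the policy file is imported, can be scripted so that the exclusions in the export are left untouched. This is an added example, not part of the thread or of Forefront Client Security's own tooling; it assumes a regedit-style text export (UTF-16 with BOM), and the key path and data in SAMPLE are constructed placeholders.

```python
import re

# Value names come from the answer above; registry value names are
# case-insensitive, so matching is too.
MOM_VALUES = ("MOMGroupName", "MOMServerName")
_VALUE_RE = re.compile(r'^\s*"((?:[^"\\]|\\.)*)"\s*=')

# Constructed sample: the key path and all data are placeholders.
SAMPLE = (
    'Windows Registry Editor Version 5.00\r\n\r\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\PlaceholderPolicy]\r\n'
    '"MOMServerName"="mgmt.internal.example"\r\n'
    '"momgroupname"=hex(7):41,00,42,00,\\\r\n'
    '  00,00,00,00\r\n'
    '"ExcludedPath"="C:\\\\Data"\r\n'
)


def strip_values(reg_text, names=MOM_VALUES):
    """Return (filtered_text, removed) for a .reg export given as text."""
    wanted = {n.lower() for n in names}
    kept, removed = [], []
    key = None        # current [key] section, used only for reporting
    dropping = False  # True while inside a multi-line value being removed
    for line in reg_text.splitlines():
        if dropping:
            # hex data continues for as long as a line ends with a backslash
            dropping = line.rstrip().endswith("\\")
            continue
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            key = stripped[1:-1]
        m = _VALUE_RE.match(line)
        if m and m.group(1).lower() in wanted:
            removed.append((key, m.group(1)))
            dropping = line.rstrip().endswith("\\")
            continue
        kept.append(line)
    return "\r\n".join(kept) + "\r\n", removed


def strip_reg_file(src, dst, names=MOM_VALUES):
    """Filter src into dst; assumes a UTF-16 export with BOM."""
    with open(src, encoding="utf-16", newline="") as f:
        text, removed = strip_values(f.read(), names)
    with open(dst, "w", encoding="utf-16", newline="") as f:
        f.write(text)
    return removed  # (key, value name) pairs, for the change record
```

The returned list of removed values gives a record of exactly what was taken out of the DMZ copy of the policy file, so it can be compared against the internal export after each policy change.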

All replies

  • Hi,

    Thanks for the post.

    You can deploy a policy by registry file. This method exports the policy to a .reg file that you can distribute to client computers. Client Security does not distribute the .reg file. You must determine the means for distributing the .reg file. This can be as simple as making the .reg file available in a shared folder.

    To apply the registry file to client computers, you must use fcslocalpolicytool.exe, a tool provided on the Client Security disc. Each client computer with which you use registry file deployment must have access to fcslocalpolicytool.exe.

    For more information, please refer to the Registry file deployment section of the following article:

    http://technet.microsoft.com/en-us/library/bb418857.aspx

    Hope this helps.

    Miles


    Tuesday, November 2, 2010 8:12 AM
  • That automated response does not answer my question.
    Tuesday, November 2, 2010 8:34 PM