Forefront = Not an Enterprise product?

  • Question

  • OK, does anyone else feel that Forefront is not ready to be an enterprise product? The things I see that are problems for it so far....

    • Fine-Grained policy management and settings - The settings for a policy are overly simplistic and lack flexibility. I have been asked by the Microsoft performance team to make certain settings to improve performance in our file servers. Unfortunately the policy lacks that level of control.
    • Overly complex environment - WSUS, SQL, MOM 2005, Forefront. Way too many products that can have a problem just to get virus scanning. A problem with any one of them creates a headache that can require a DBA, MOM Expert etc. At past places I have been, the Helpdesk could manage the Symantec server and it just worked for years without a problem unless you upgraded the software. Forefront requires a DBA to manage the database and a Systems Admin to troubleshoot problems.
    • Lack of documentation - The Forefront portion of TechNet seems to be very weak on actual documentation or guides. Installation and configuration instructions are typically less than a page of info. There is no best-practices info that I have seen to tell you how to configure Forefront for things like SQL servers, Domain Controllers, File Servers, etc. There are also no books published for the product that are any good. I purchased the one book by Syngress that I found and it reads like a sales promo sheet of features. Of course with the lack of configuration options there is not much tweaking you can do.

    I am open to rebuttal if someone can prove me wrong.

    Wednesday, October 15, 2008 2:26 PM

All replies

  • Since no one is disagreeing with me on this I think that kind of answers my question.
    Friday, October 17, 2008 5:17 PM
  • Hi Brian
    Actually I would like to follow up with you on a few of the items you posted:

    1) Can you be more specific about the granular policy settings that you don't see?  Do these settings exist in other competitive products?
    2) Documentation:  Can you point me to a set of content on TechNet that you do like, or that has the type(s) of information you are looking for?

    To your middle point about complexity - yes, FCS v1 does rely on existing/common MSFT technologies which do require some expertise in other areas that seem disconnected from virus scanning.  But at MSFT, if each and every team went ahead and built the entire end to end infrastructure themselves, we'd a) never ship anything and b) we'd have tons of duplicate products that do slightly different things.  For a customer that is already familiar with some/many/all of these technologies, the learning curve for implementation is lower.  And having a single DB platform (SQL) that can host a wide variety of applications across your enterprise does lower your overall cost of ownership.  Many customers use WSUS for distributing updates, so it's a natural fit to add distributing signatures.

    Competitive products obviously elect not to leverage MSFT technologies in many cases, so they are required to build the full end to end solution themselves.  And while that may look OK when it's a single solution, if you (as an enterprise admin) have 5 different solutions, delivered by 5 different vendors where none of the technologies share any of the same platform, your administration effort really rises.

    Hope this helps and look forward to your feedback
    Forefront Client Security PM
    Chris Sfanos / Forefront PM
    Friday, October 17, 2008 5:59 PM
  • 1. I am currently working a performance issue with Microsoft Premier support. They have asked for AV settings like Scan only on write for real time scanning, multiple scanning schedules to allow for quick scans during the week and a full on the weekend, do not scan files larger than a certain size, etc. All of these are options I have had in the past when using Symantec or McAfee products but do not with Forefront.

    2. I will use the MSCOM or MSCCM sections of TechNet as examples. They both have extensive documentation areas that refer directly to their products. Sometimes even a little too much info. Their forums are filled with very detailed info also. I don't know if these teams are that much larger than yours but there seems to be a definite difference. I can find multiple blogs, forums and websites that all have info related to either one. I watched the webcasts for Forefront and they seemed to be more sales pitches of features than actual content. Also the dearth of published books seems like this product is an afterthought for Microsoft.

    As far as leveraging existing technologies I am all for it. As long as it doesn't make the system unwieldy. The use of MOM 2005 seems like complete overkill for just providing notification. Plus it now creates a scenario where I have multiple agents on each computer, a MOM 2005 and MSCOM 2007 in the case of a server, and MOM 2005 and SCCM 2007 in the case of client PCs. I wish Forefront could leverage those technologies if they exist and if not provide its own lightweight agent.

    I will give you credit for the Exchange scanning. It is a good product, of course I expected it to be since it is the old Sybari Antigen which was excellent.
    Friday, October 17, 2008 8:00 PM
  • Just to add a few blog links for you:

    http://blogs.technet.com/clientsecurity/default.aspx  for the FCS Product Team blog

    http://blogs.technet.com/fcsnerds for the CSS Security FCS blog

    http://blogs.microsoft.co.il/blogs/yanivf/ for Yaniv's blog

    http://codeplex.microsoft.com/fcscompete for some various utilities/scripts for FCS

    http://blogs.technet.com/kfalde my attempt at blogging some FCS items

    I would say give us time; this product has only been out a little over a year as opposed to SCCM/SMS which is sitting at 14 years now I believe and MOM which has about 8 years behind it.  There does seem to be a growing momentum of users which will in turn produce more tech content in the forums and on the web.  The growing user base will also help with pressing the need for more defined feature requests to the product group.
    Friday, October 17, 2008 9:40 PM
  • Kurt,

    Thanks for the links.

    Unfortunately you are correct. The product needs time. Of course that doesn't stop Microsoft from pushing the product to managers and CIOs that cannot see where the products are lacking. Microsoft has a history of releasing products that lack features in the first couple of releases and then getting it right in release 3 or 4. With heavy discounts, free consulting hours and other perks Microsoft gets these products in the door. The problem is that those that have to work with them daily get so frustrated that they make sure to never recommend them to anyone else.
    Monday, October 20, 2008 12:14 PM