Microsoft Forefront Client Security - Topology, Setup, Preinstallation Considerations

This document is intended for the Information Technology professionals who want to evaluate Microsoft Forefront Client Security software on their personal computers. The document is not concerned about the best practices, but rather setting up a working system.

Microsoft provides Live Labs for evaluating the product, but Live Labs can be considerably slow even for users having 1 Mbps connection. Plus, any lab is restricted to 90 minutes of access. To overcome those situations, it can be more effective to evaluate the product using a personal computer. In addition, the default evaluation period for the software provided by Microsoft is 30 days, which result in prolonged usage.

Our virtual system will be on a domain named contoso.com as follows:

click to enlarge

Figure 1: The domain and the topology that will be used to install Microsoft Forefront Client Security.

We will install Microsoft’s Forefront Client Security product on Microsoft Virtual PC 2007. For our installation, the hardware and software setup will be as follows:

• Hardware Setup – Guest System
  • Intel Core i7 720QM Processor (Dual Core Processors will also do fine, but Core 2 Duo is recommended)
  • 4 Gigabytes of RAM
  • 100 GB of free hard disk space
  • Hardware Setup – Host Systems

• SRV2003DC:
  • 1 Gigabyte RAM
  • Minimum 50 Gigabytes of hard disk space
  • 2 Network Adapters
  • Hardware Virtualization and Shared Folders enabled.

• SRV2003FCS-DIST
  • 1 Gigabyte RAM
  • Minimum 40 Gigabytes of hard disk space
  • 1 Network Adapter
  • Hardware Virtualization and Shared Folders enabled.
  • Software Setup
    • Host operating system: Windows 7 Ultimate Edition 64-bit
    • Microsoft Virtual PC 2007
    • Microsoft SQL Server 2005 Enterprise with Service Pack 1
    • Microsoft Server 2003 R2 Enterprise with Service Pack 2
    • Windows Server Update Services
    • Group Policy Management Console
    • .NET Framework 2.0
    • IIS
    • ASP.NET, FrontPage 2002 Server Extensions
    • Windows Update Agent 3.0
    • Forefront Client Security

The evaluation versions of the commercial programs will work with our setup without any problems. You can download the programs told above free from Microsoft’s website.

If you are considering to build the systems on Windows Server 2008, please note that:

• Windows Server 2008 R2, which is currently offered for download is 64-bit only. Virtual PC 2007 does not work with 64-bit guest systems,
• Windows Server 2003 is lighter on resources, which means that a virtual machine with 1 Gigabyte of RAM will work satisfactorily.

Continuing our notation above, we will install the operating systems and roles as follows:

• Both servers
  • Windows Server 2003 R2 with Service Pack 1
  • Group Policy Management Console
  • .NET Framework 2.0
  • IIS
  • ASP.NET
  • FrontPage 2002 Server Extensions
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2005 SP1
  • Windows Update Agent 3.0

The items in italics can be installed using the Control Panel – Add or Remove Programs without too much effort in Windows Server 2003. If you are not familiar with SQL Server installation, you can leave the default values during the installation. However, make sure that you install the Database Services, Integration Services and Workstation Components when you are prompted by the wizard.

• SRV2003DC
  • No additional software installation is required for now.
• SRV2003FCS-DIST
  • Windows Report Builder Redistributable200
  • Windows Server Update Services

At this point, I can advise you a time saver: When you finish installing the programs/applications above, shut down your virtual disk and then Copy » Paste it and rename it. However, you will end up with two computers with the same Security ID (SID). Boot the system that you copied and pasted, download the application called “New Sid” and run it, which will give your virtual server a new SID. You can also change the computer name. Make sure that the virtual machine has not been a member of the domain. If this is the case, remove it from the domain, run New Sid and then rejoin it.

After finishing the installation, we need to configure the IP addresses of the network adapters:

• SRV2003DC: We need two network adapters. One adapter should be facing the external network (the Internet) and the other should be facing the internal network (the connection to the SRV2003FCS-DIST and any other systems that we may deploy). I recommend the external network adapter to work in Bridged mode, saving us from the probable DNS configuration with the NAT (Network Address Translation) settings.
• SRV2003FCS-DIST: One network adapter is enough; the server will connect to the Internet from SRV2003DC. Later on we will need Internet connection on this server to synchronize with Microsoft Update Services. For this reason, you may want to employ a second network adapter to connect SRV2003FCS-DIST to connect to the Internet directly and save your resources from running two virtual machines simultaneously. We will deploy one adapter with internal network setting.

It is time to head for the installation of Forefront Client Security. We will start with SRV2003DC.