Installing Forefront Client on Windows Server 2008

Installing Forefront Client Security seems like a daunting task on Windows Server 2008. It can be done, but with a little extra help. If like me, you already have a WSUS server and you have less than 1000 clients, a two server solution is fine. The first thing is to read through the documentation found at:

http://technet.microsoft.com/en-gb/library/bb432630.aspx

However, it does appear that the technical manual department for the Forefront team did not want to spend much time with the documentation. There is a lot of repitition and a few things that are left out or are implied. We will go through and identify these missing instructions...

The first thing to notice is that there are separate instructions for installing on Server 2008. This are specifically for the 32-bit version of Server 2008. As noted in the hardware requirements, Forefront will not work on the 64-bit version of Windows Server 2008. However, these instructions correctly state that you MUST do everything in the order listed. For your own sanity, do so, while added the bits below:

The first missing/implied instruction is to complete the installation of .net 1.1 sp1. To complete the installation of .net 1.1 you have to wait until installing IIS. After installing IIS, you need to complete the .net 1.1 installation or the MOM components (I know, you don't have MOM) will fail and the entire installation will falter.

Step 1: Run the aspnet_regiis.exe /i command from the C:\Windows\Microsoft.NET\Framework\v1.1.4322 directory.

Step 2: Open IIS Manager. Click on the Server name. Under IIS in the main panel, open ISAPI and CGI Restrictions. Change "ASP.NET v1.1.4322" to 'allowed'.

The other is a peculiar problem with Reporting Services. You should check the following URLs to ensure that Reporting Services is installed:

http://reportservername/Reports
http://reportservername/ReportServer

If you get an error message amounting to a lack of permission on the installation account's part, then there is a way round this. This is, in fact, a UAC issue. (Please do not run to switch UAC off...) To get round this, go into the start menu and elevate IE by right clicking the IE link in the programs menu. Then go to the first URL. You now have a "Site Settings" link in the top right hand corner. Click it. Down the bottom of this page you now have a "Configure site-wide security" link. Add the installation account as a System Administrator and System User.

Checking the second URL now results in a blank directory list... Okay? You are now ready to complete the Forefront Client installation. (Remember that the installation will run elevated, so don't worry if you still get the error when running IE when not elevated.)

You may find yourself frustrated trying to run the distribution server installation on your WSUS server. SERVERSETUP.exe just seems to crash everytime. If you have WSUS v3 then you are wasting your time running the installation program. The Forefront Client installation for the Distribution Server is intended to fix WSUS v2 installations so that you can poll for updates every hour. WSUS v3 does this already as installed. Consequently, you do not need to install anything on your WSUS Server. Instead, you need to change the frequency of the synchronization to anything up to each hour of the day, depending how soon you want to recieve antivirus and malware updates.

Oh, and one more thing. The requirements state that a 32-bit installation of Server 2008 is required for the distribution server. Seeing that you do not need to install anything on the WSUS server with v3, you can still have your 64-bit cake there and eat it...

Finally, do not forget that to be truly compatible with Windows Server 2008, you need SP1. This is obtained through Windows Update rather than a seperate download. So get synchronising...

I still have some hair left.