Microsoft will abandon Forefront Protection Manager in a move that the software giant says will simplify security...
deployments. The change in strategy could, however, present early challenges for at least one Microsoft beta customer and create issues for midmarket customers without skilled IT staff.
"I've gotten over the shock," said George Podolak, director at the NYC-based architecture firm Pei Cobb Freed & Partners, days after hearing an announcement that Microsoft, in another effort to combine security management and systems/application management functions, would not bring Forefront Protection Manager (FPM) to market.
"We were almost at the Holy Grail: one screenshot for all our assets. … We're sort of back to square one, to be truthful."
Transitioning management platforms complicates matters, Podolak said. Podolak will now need both management consoles, SCCM to view the security status of workstations and SCOM to view the security status of servers.
Microsoft's decision means that Podolak will have to buy SCCM in addition to SCOM. Podolak, however, said he factored SCCM into the budget because he was already looking for a tool to handle software distribution and the upgrade of all of his PCs to Windows 7. Although he considered other tools like Ghost from Symantec Corp. and products from Acronis Inc., he said, SCCM made more sense because it could serve dual purposes.
'SCCCM is a great tool for deploying software," he said, "Now with the Forefront Endpoint Client, it'll be more than just a pure management tool. It's going to be a way of deploying software."
Before Microsoft made its decision, the standalone Forefront Protection Manager would have provided the central management of Forefront Client Security (FCS), Forefront Server Security for Exchange (FSE) and Forefront Server Security for SharePoint (FSSP).
Instead of staying with Forefront Protection Manager, Microsoft said on its Forefront Team Blog that management for Exchange Server (FPE) and Forefront Protection 2010 for SharePoint (FPSP) "will be delivered through a streamlined solution for messaging and collaboration workloads, both on-premises and in the cloud." Further details on the plan will be announced at a later date.
In late 2009, Microsoft announced that Forefront Endpoint Protection 2010 would be built on System Center Configuration Manager, which centralizes configuration, deployment, updating and reporting functions. A beta version of the integrated Forefront Endpoint Protection will be released in the third quarter of this year, according to the blog.
As Podolak heard the rumblings about a possible move from the SCOM console to SCCM, he sensed that there would be dual management platforms that an organization would have its choice of. "It wasn't until a couple of months ago that Microsoft made very clear that there would not be a SCOM platform for clients," added Podolak via email.
Mike Rothman, president and analyst at Securosis, an independent research boutique focused on information security, said the decision to incorporate Forefront Endpoint Protection into SCCM makes sense, given IT professionals' desire for fewer vendors, less management overhead, and a need to uphold the same level of threat protection.
By integrating Forefront, he said, Microsoft "can help organizations manage and protect these endpoints to the greatest degree possible, rather than having a separate product and folding that into existing products that are mostly in use anyways for people who are using the whole Microsoft stack."
Microsoft's more integrated approach -- which combines the functions of availability, configuration management as well as security -- will benefit customers already doing large Microsoft rollouts, as well as those professionals working in smaller, midmarket organizations who may have various other security and networking responsibilities, Rothman said.
That may be true in the long-term, but for security professionals like Podolak, who have become familiar with SCOM, there will likely be pain points. The changeover to a different management console, Podolak said, will be his biggest challenge and will affect midmarket organizations like his own -- ones that may have small IT departments.
"To me, a large firm probably doesn't care [about the switch]. They probably have someone who knows SSCM inside out," he said, emphasizing that his organization had a good feel for the SCOM but now is presented with a whole new learning curve, albeit a manageable one.
Podolak and his staff have been using Microsoft's online video tutorials and hard-cover documentation to get up to speed on the new console.
"In the end, there'll be great benefits," he said about the move, and he'll continue with the Forefront protection suite. That doesn't mean, however, that he doesn't prefer his earlier option. "[Microsoft] took something that I thought was going to be a reasonable decision for a small firm and made it a bit more complex."
To ease the minds of its FPE and FPSP customers, Microsoft said it planned to release a Service Pack that expands support to those Forefront products. In addition, the software giant will offer a Forefront Server Security Script Kit that will allow IT administrators to use Remote PowerShell to configure and report on multiple deployments of FPE and FPSP. Both additions will be released in the second half of 2010 at no additional cost.
Send comments on this technical tip: firstname.lastname@example.org.