News Stay informed about the latest enterprise technology news and product updates.

MS Forefront Protection Manager cut puts midmarket on new path

Microsoft's recent decision to not release Forefront Protection Manager will likely provide deployment benefits in the long run, but at least one midmarket pro will need to adjust to his new management console.

Microsoft will abandon Forefront Protection Manager in a move that the software giant says will simplify security deployments. The change in strategy could, however, present early challenges for at least one Microsoft beta customer and create issues for midmarket customers without skilled IT staff.

"I've gotten over the shock," said George Podolak, director at the NYC-based architecture firm Pei Cobb Freed & Partners, days after hearing an announcement that Microsoft, in another effort to combine security management and systems/application management functions, would not bring Forefront Protection Manager (FPM) to market.

More on Forefront

Early adopters, like George Podolak, share their thoughts on Microsoft Forefront Security.

lFirst American Title Insurance Company cut identity management user provisioning time from days to seconds with Microsoft Forefront Identity Manager 2010
As part of Microsoft's Technology Adoption Program, Podolak used Forefront Protection Manager beta software, which ran on System Center Operations Manager (SCOM, an interface Podolak and his team came to understand well over a period of two years. Prior to the April announcement of the changeover, the beta software was being used in a production environment, and Podolak was very satisfied with the arrangement. System Center Operations Manager allowed him to monitor and display the Forefront security status of both servers, like Exchange, and workstations on one SCOM console.

"We were almost at the Holy Grail: one screenshot for all our assets. … We're sort of back to square one, to be truthful."

Transitioning management platforms complicates matters, Podolak said. Podolak will now need both management consoles, SCCM to view the security status of workstations and SCOM to view the security status of servers.

Microsoft's decision means that Podolak will have to buy SCCM in addition to SCOM. Podolak, however, said he factored SCCM into the budget because he was already looking for a tool to handle software distribution and the upgrade of all of his PCs to Windows 7. Although he considered other tools like Ghost from Symantec Corp. and products from Acronis Inc., he said, SCCM made more sense because it could serve dual purposes.

'SCCCM is a great tool for deploying software," he said, "Now with the Forefront Endpoint Client, it'll be more than just a pure management tool. It's going to be a way of deploying software."

Before Microsoft made its decision, the standalone Forefront Protection Manager would have provided the central management of Forefront Client Security (FCS), Forefront Server Security for Exchange (FSE) and Forefront Server Security for SharePoint (FSSP).

Instead of staying with Forefront Protection Manager, Microsoft said on its Forefront Team Blog that management for Exchange Server (FPE) and Forefront Protection 2010 for SharePoint (FPSP) "will be delivered through a streamlined solution for messaging and collaboration workloads, both on-premises and in the cloud." Further details on the plan will be announced at a later date.

In late 2009, Microsoft announced that Forefront Endpoint Protection 2010 would be built on System Center Configuration Manager, which centralizes configuration, deployment, updating and reporting functions. A beta version of the integrated Forefront Endpoint Protection will be released in the third quarter of this year, according to the blog.

As Podolak heard the rumblings about a possible move from the SCOM console to SCCM, he sensed that there would be dual management platforms that an organization would have its choice of. "It wasn't until a couple of months ago that Microsoft made very clear that there would not be a SCOM platform for clients," added Podolak via email.

 I've gotten over the shock.
George Podolak,
directorPei Cobb Freed & Partners (a New York city-based architecture firm)
A Microsoft spokesperson said the company sees endpoint protection becoming "operationalized," -- a function that a desktop administrator or server administrator will manage. "It makes sense to build on top of the correct tools that customers already have rather than forcing them to purchase and deploy a separate infrastructure just for endpoint protection management," the spokesperson said.

Mike Rothman, president and analyst at Securosis, an independent research boutique focused on information security, said the decision to incorporate Forefront Endpoint Protection into SCCM makes sense, given IT professionals' desire for fewer vendors, less management overhead, and a need to uphold the same level of threat protection.

By integrating Forefront, he said, Microsoft "can help organizations manage and protect these endpoints to the greatest degree possible, rather than having a separate product and folding that into existing products that are mostly in use anyways for people who are using the whole Microsoft stack."

Microsoft's more integrated approach -- which combines the functions of availability, configuration management as well as security -- will benefit customers already doing large Microsoft rollouts, as well as those professionals working in smaller, midmarket organizations who may have various other security and networking responsibilities, Rothman said.

That may be true in the long-term, but for security professionals like Podolak, who have become familiar with SCOM, there will likely be pain points. The changeover to a different management console, Podolak said, will be his biggest challenge and will affect midmarket organizations like his own -- ones that may have small IT departments.

"To me, a large firm probably doesn't care [about the switch]. They probably have someone who knows SSCM inside out," he said, emphasizing that his organization had a good feel for the SCOM but now is presented with a whole new learning curve, albeit a manageable one.

Podolak and his staff have been using Microsoft's online video tutorials and hard-cover documentation to get up to speed on the new console.

"In the end, there'll be great benefits," he said about the move, and he'll continue with the Forefront protection suite. That doesn't mean, however, that he doesn't prefer his earlier option. "[Microsoft] took something that I thought was going to be a reasonable decision for a small firm and made it a bit more complex."

To ease the minds of its FPE and FPSP customers, Microsoft said it planned to release a Service Pack that expands support to those Forefront products. In addition, the software giant will offer a Forefront Server Security Script Kit that will allow IT administrators to use Remote PowerShell to configure and report on multiple deployments of FPE and FPSP. Both additions will be released in the second half of 2010 at no additional cost.

Send comments on this technical tip:

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

Dig Deeper on Microsoft security integration and centralized management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.