Enterprise Manager is a great way for Client Security customers to do centralized management and reporting across two or more down-level deployments. Enterprise Manager is a separate FCS server installation that does not support client connectivity and is used for management of down-level deployments. Typically this is done when the down-level deployments would exceed the 10,000 client supportability limit, but on occasion it is done for network bandwidth or division of responsibility reasons.
Enterprise Manager (EM) has three main features:
The architecture of Enterprise Manager is such that it remotely accesses the down-level deployments to perform this work:
To do reporting, Enterprise Manager calls stored procedures on the down-level Collection and Reporting databases and aggregates the information into the reports. It does not use a store-and-forward approach which would duplicate the entire contents of the down-level databases; this would result in extremely large EM databases, not to mention network congestion. In fact, the EM databases really only store information about those client computers which have experienced an alert that has been forward from a down-level deployment.
FCS reporting is HTTP-based and can be viewed from any system which has connectivity and permission to the reporting server. The down-level reporting servers will continue to be able to generate reports for their clients in an EM environment. The scope of the EM reports will be all down-level deployments; the scope of the down-level reporting servers will be strictly their respective deployment. This enables both a centralized and decentralized reporting.
Alerts are generated on client computers based upon the alert level set in the applicable Client Security policy and events which occur on those computers (e.g. malware successfully cleaned). If an alert is generated, it is first sent to the down-level Collection server to which that client reports. In an Enterprise Manager environment, that alert is then forwarded through the MOM-to-MOM connector to the EM server Collection component. The alert is then sent to the “Client Security Notification Group” on the EM server. The recipients of the alert are centrally managed in the MOM Administrator console by controlling the operators in that notification group.
Client Security policies
Policy deployment with Enterprise Manager works just like it does with down-level deployments: you can deploy to either Active Directory or a file. The exception is that you need to ensure that client computers report to their down-level Collection servers, not directly to the EM server. If your deployment method calls clientsetup.exe directly, this is easy to do with command line parameters. If you are using WSUS client deployment, or another method which does not use command line parameters, an additional policy is necessary to override certain EM registry keys to point new clients to the right down-level Collection server. This "caretaker" policy is described in the EM deployment documentation.
Enterprise-wide antimalware scanning
The Scan Now button in the FCS dashboard will queue both an antimalware and security state assessment scan for client computers. As mentioned above, Enterprise Manager does not store information about every computer in the environment. Therefore, to scan clients it will remotely request each of the down-level deployments to enumerate their clients and initiate the scans.
This is similar to reporting in that the down-level management consoles will continue to be able to generate scans in an EM environment. The scope of the EM scans will be all down-level deployments, the scope of the down-level management consoles will be strictly their respective deployment.
Craig Wiand Microsoft Forefront Escalation Engineer