FEP is Microsoft’s offering for antivirus; try to think of it as the corporate version of Security Essentials. Just about everything on the net for managing it seems to be geared to managing it with SCCM. Which is fine if you have SCCM, but what if you don’t? Thankfully you can manage it with group policy, even if information on how to do it is rarer than hen’s teeth!
With a Microsoft CoreCAL you can use the FEP client, so if you already have CoreCALs, then it’s a solution that can save you some cash on your corporate AV strategy.
Solution
Installing Forefront Endpoint Protection
The client software is available in x64 and x86 flavours; it is installed from a single executable (FEPInstall.exe). There is no MSI installer (yeah, thanks Microsoft!), so if you want to roll it out en masse, you need to either install it using a startup script, include the software in your ‘Master/Golden Image’ and re-image your machines, or tear your hair out trying to work out SCCM.
Managing Forefront Endpoint Protection with Group Policy
1. First you need to download the policy definitions, then copy the FEP2010.admx file to %Systemroot%\PolicyDefinitions.
2. Then copy the FEP2010.adml file to %Systemroot%\PolicyDefinitions\EN-US.
Creating a Group Policy Central Store
3. If you have all your ADMX policy definitions in a central location, all your clients can use them. The correct place for them is in the sysvol directory, in a folder called Policies (this is where your clients read their group policies from). To create the directory, issue the following command;
Here you will find the policy settings you require.
7. When you are controlling settings via GPO this is what you will see on the client machines.
Importing and Exporting Forefront Policy Settings
8. From the files you extracted earlier locate and run the FEP2010GPTool.exe. From here you can import and export all the policy settings from a particular group policy. Microsoft have published a set of policy settings which you can download for various server roles.
Note: By default each policy you import will merge with the existing settings in the GPO, unless you tick the “clear the existing Forefront Endpoint Protection settings before import” option.
Updates for Forefront Endpoint Protection
9. Windows uses its existing ‘Windows Update’ path for getting updates. If you have a WSUS server you will need to enable the updates in the ‘Products and Classifications’ section.
10. If you DON’T have WSUS but you are behind a proxy, you can manage FEP proxy settings from the following policy.
Related Articles, References, Credits, or External Links
If you have a proxy server at your corporate/home location, then there are a few methods you can use to ensure that your clients use it. Before you start running through this, remember that if you have a proxy server then it’s common sense that your firewall/router should block web access for your clients, and only allow the proxy server (and any other servers/machines that need direct web access) out. If you are forcing your users out through one machine, for caching, URL filtering, monitoring usage, or just because it’s part of your corporate security strategy, then locking down Internet access around the proxy server should be your first consideration.
Once that’s done you can install your proxy and deploy the settings to the client PCs.
Solution
How you do this depends on your circumstances.
It’s a single stand-alone machine. (Option 1)
To manually configure one machine simply open internet explorer (other browsers are also available) Tools > Internet Options > Connections > Tick Use a proxy server for your LAN > Enter the IP address of the Proxy server > Enter the port number > Tick Bypass proxy server for local addresses (If you have web servers on your local network). > OK >OK > restart Internet Explorer.
It’s a single stand-alone machine. (Option 2)
Optionally you can set the proxy with local policy – this is preferable if lots of people use the same computer and you don’t want to configure each user separately. Click start > In the search/run box type gpedit.msc {enter}
The Group Policy Editor window will open > Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.
Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick Do not use proxy server for local (intranet) addresses, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).
Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.
It’s a single stand-alone machine. (Option 3)
You can also set the proxy options by directly editing the registry (Warning editing the registry can cause earthquakes and lead to teenage pregnancy!). Click start > In the search/run box type regedit {enter}.
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The values that look after your proxy settings are:
ProxyEnable: set 0 for disabled and 1 for enabled.
ProxyOverride: set <local> to bypass the proxy for local addresses (Note: you can also add domains, separated by a semicolon ;, that you don’t want to use the proxy for).
ProxyServer: sets the IP address and port, i.e. 192.168.99.1:808 (Note: this setting WON’T BE THERE if there’s never been a proxy set; you will need to create it as a new string value (REG_SZ)).
Or you can simply run the following .reg file
[box]
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"=""
"ProxyServer"="192.168.99.1:808"
[/box]
It’s On a Network with DHCP
You can lease proxy settings with your DHCP scope; it’s known as DHCP option 252.
To add Option 252 to a Server 2008 DHCP scope, on the server click Start > Administrative Tools > DHCP > Expand your server name > Right click IPv4 > Select Set Predefined Options.
In the Predefined Options and Values dialog box, click Add > In Name, type WPAD > In Code, type 252 > In Data type, select String, and then click OK > In String, type http://192.168.99.1:808/wpad.dat (change as appropriate).
Then you need to add that option to your existing scope > Expand the scope > Right click Server Options > Select Configure Options > Advanced > Scroll down to option 252 and select it > Apply > OK.
Now you need to create a wpad.dat file (simply create it in notepad) and serve it from the URL you entered above.
Sample wpad.dat file (simply change the URLs and port numbers as applicable).
[box]
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.99.1:808";
var proxy_no = "DIRECT";
// Sites that should never go via the proxy
if (shExpMatch(url, "http://www.petenetlive.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.dont_want_to_proxy.com*")) { return proxy_no; }
if (shExpMatch(url, "http://192.168.99.5*")) { return proxy_no; }
if (shExpMatch(url, "https://subdomain.dont_want_to_proxy.com*")) { return proxy_no; }
// Proxy if PC is on local LAN (return the variable, not a quoted string)
if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
return proxy_yes;
else
return proxy_no;
}
[/box]
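To check a PAC file’s logic before you serve it, here is an added offline test harness (my own example, not from the original article or any Microsoft tool) that reimplements the shExpMatch and isInNet helpers browsers provide, runs the wpad.dat rules above against constructed client IPs and URLs, and validates that every return value is a well-formed PAC result (which would have caught a quoted string such as "proxy_yes" being returned). The same harness covers the shorter proxy.pac further down, since it uses the same isInNet check.

```javascript
// Offline PAC test harness (hypothetical example code, not part of the article).
// Reimplements the two PAC helpers the wpad.dat above relies on.

// shExpMatch: shell-style glob (* and ?) match, as browsers implement it.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// isInNet: true when dotted-quad ip lies inside net/mask.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Build FindProxyForURL with an injectable myIpAddress(), so the on-LAN and
// off-LAN branches can both be exercised from one machine.
function makePac(clientIp) {
  const myIpAddress = () => clientIp;
  return function FindProxyForURL(url, host) {
    const proxy_yes = "PROXY 192.168.99.1:808";
    const proxy_no = "DIRECT";
    if (shExpMatch(url, "http://www.petenetlive.com*")) return proxy_no;
    if (shExpMatch(url, "http://192.168.99.5*")) return proxy_no;
    if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0")) return proxy_yes;
    return proxy_no;
  };
}

// A valid PAC result is DIRECT or PROXY/SOCKS host:port entries joined by ';'.
function isValidPacResult(result) {
  const entry = "(DIRECT|(PROXY|SOCKS)\\s+[\\w.\\-]+:\\d+)";
  return new RegExp("^\\s*" + entry + "(\\s*;\\s*" + entry + ")*\\s*$").test(result);
}

// Run each constructed (clientIp, url, host) case and flag malformed results.
function evaluateCases(cases) {
  return cases.map(({ ip, url, host }) => {
    const result = makePac(ip)(url, host);
    return { ip, url, result, valid: isValidPacResult(result) };
  });
}

// Constructed sample cases: bypassed site, on-LAN client, off-LAN (home) client.
const SAMPLE_CASES = [
  { ip: "192.168.99.50", url: "http://www.petenetlive.com/kb", host: "www.petenetlive.com" },
  { ip: "192.168.99.50", url: "http://example.com/", host: "example.com" },
  { ip: "10.0.0.5", url: "http://example.com/", host: "example.com" },
];
```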
Once that’s done you need to allow .dat as a MIME extension on your IIS server > Start > Administrative Tools > Internet Information Services (IIS) Manager > Select the server name > Select MIME Types.
In the right hand column > Click Add > Put in the file extension as .dat and the MIME Type as “application/x-ns-proxy-autoconfig” > OK.
Then either reboot or run “iisreset /restart”.
It’s on a Windows Domain
You can set the proxy settings for your USERS (Note: it’s a user policy so it CAN’T be applied to computers). On your server click Start > Administrative Tools > Group Policy Management > Right click your domain (if you want the policy to apply at domain level) > Select Create a GPO in this domain and link it here > Give it a sensible name > OK.
Right Click your new Policy and select Edit > Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.
Note: In modern domains this policy has been removed, see the following article;
Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick “Do not use proxy server for local (intranet) addresses”, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).
Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.
My Users complain that their Laptops don’t work when they go home since I set the proxy?
Well, that’s to be expected: while at home they can’t see your proxy server. Some companies like this, as it stops their users surfing the internet from their home internet connection. For other people this is a big problem; there are essentially three ways to solve it. 1) Send out your proxy settings via DHCP; then while your users are offsite they won’t get any proxy settings (see above). 2) Feel free to use the script I wrote (below); this can be applied via policy (local or domain), or simply put in the startup folder of your users’ laptops. 3) Use a “Proxy.pac” file to autoconfigure the clients’ proxy settings.
How it works: it pings an IP address on your corporate network (in this case the router) which is always on. If it gets a reply, then the machine must be on the corporate network, so the script enables the proxy server. If it gets no reply, then it must not be connected to the corporate network, and the script turns the proxy server off.
[box]
::-----------------------Begin Script------------------------------------
@ECHO OFF
:: Check LAN connectivity (a reply containing "TTL" means the router answered)
PING 192.168.99.254 | FIND "TTL" > NUL
IF NOT ERRORLEVEL 1 GOTO ON_LAN
GOTO OFF_LAN
:ON_LAN
::**************Proxy ON**************
:: Enable the proxy server (ticks the box "Use a proxy server for your LAN...")
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
:: Set the proxy (fills in the Address and Port values)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "192.168.99.1:808" /f
:: Set the "Bypass proxy server for local addresses" option - <local> ticks the box, each subsequent entry is an additional domain to bypass
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "<local>;*.local;www.dontproxy.com" /f
GOTO END
:OFF_LAN
::**************Proxy OFF**************
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
:END
::-----------------------End Script------------------------------------
[/box]
Or to use a proxy.pac file
1. Create a file on your PC in Notepad and call it proxy.pac, changing the relevant network details, proxy IP address and port number from the example below.
[box]
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
return "PROXY 192.168.99.1:808";
else
return "DIRECT";
}
[/box]
2. Save the file in your C:\windows\system32 directory.
3. On the client open Internet Explorer > Tools > Options > Connections > LAN Settings > Tick “Use an automatic configuration script” and enter the following
file://c:/windows/system32/proxy.pac
Note: this can be done with a registry file; see below.
[box]
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="file://c:/windows/system32/proxy.pac"
[/box]
Note: This can be set in Policy as well, the policy lives in User Configuration > Windows Settings > Internet Explorer Maintenance > Automatic Browser Configuration> Configure as below.
Related Articles, References, Credits, or External Links