Running OneCare on a SBS network

Question
Is it possible to install and run OneCare on a machine that is joined to an SBS 2003 network (ISA is being used on the network)?
I recently decided to buy a server for my home based network, and purchased SBS 03 Premium. I have successfully joined my 3 PCs to the domain and now I am trying to install OneCare because I have no anti-virus software. Because I have ISA 04 installed on my Server, I think it is blocking OneCare from doing its thing (it seems to me that OneCare provides a lot of the functionality of ISA server and WSUS).
Any advice? I can open ports on my ISA if I knew which ports OneCare needs, but I cannot find that info anywhere...
Thanks in advance for your help,
-Christopher DeMars
Friday, February 8, 2008 5:33 PM
Answers
I basically have OneCare running on a Vista client that is hooked up to an SBS 03 R2 server with ISA 04.
I did not have to change any config settings on the server OR on the client pc. The only drawback to this approach, besides the entire idea of running OneCare on a SBS network, is that the default client policy for Automatic Updates is set to look to the SBS WSUS. Because of this, OneCare cannot take control of the Auto Updating causing it to flag the PC as "At Risk". However, WSUS continues to work properly and keeps the client PC updated just fine.
So if you can live with the little systray icon for OneCare being Red and indicating (falsely) the computer is at risk, then you can go ahead and install it. Alternatively, for all those people that want to run it without the annoying little red icon saying that you are at risk, you can easily create a client policy on the SBS server that does not point the client Auto Update to WSUS, but instead leaves it at the OS default. Then OneCare can take over the Auto Updates and will not label the computer "at risk".
More important than the info I present here, is the fact that Microsoft made OneCare to run on small home networks, or more accurately, made it to run on computers that are NOT part of a business network/domain. For all of those businesses out there, they provide Microsoft Forefront Client. It does essentially what OneCare does, but it plays nice with Windows Server and other Server programs like WSUS and ISA. Forefront is the way to go if you have a Client/Server environment and need antivirus protection. I also remind you that there are other non-Microsoft antivirus programs out there - but for the Microsoft fans, Forefront is the solution. Besides, Forefront works with Exchange Server/Outlook to keep away those bad little guys - OneCare cannot claim that ability!
I hope this is helpful...
-Christopher
Monday, February 11, 2008 9:27 PM
All replies
There have been other discussions on using OneCare on an SBS network in the past and the two issues mentioned are what you have identified. OneCare needs for the PCs to use Automatic Updates for Windows Update and OneCare needs to be able to update itself, using BITS. I can't tell you what ports or configuration you might need for this environment, but someone else may be able to step in or you can contact support to see if they have any documentation for this.
How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2
-steve
Friday, February 8, 2008 6:37 PM (Moderator)
Thanks, Christopher. This is most helpful.
-steve
Tuesday, February 12, 2008 1:17 AM (Moderator)
Christopher,
You are correct in that OneCare is not meant to be put behind an ISA server. Furthermore it really at present isn't a good fit in any domain due to the fact you can't actively manage the licensing compliance other than saying to the auditor from BSA 'it was green the last time I looked!'.
However aka BUT you can do it. I've been since beta days. The 'how' is the tricky part and this requires an understanding of ISA's default rules, Web Proxy filtering on HTTP/HTTPS traffic, the LOC needed anonymous Web Proxy authentication, and running around the robust security.
For me this is necessary to run my lab. Due to the security reduction I hesitate to promote running this software this way in a business environment.
Also for yourself, if you are a MAPS subscriber you can break out your Forefront Client Security and use it for your AV needs (search my blog for help on doing this without the fuss of the management components).
So ...the short of it is I created a specific rule that only applies to my OneCare PC's (requiring static or reserved IP's). This rule is a copy of the SBS Internet Access Rule and then pasted, modified, and eventually enabled. Below are the modifications:
- Protocols - from All Outbound Traffic - to short list of HTTP & HTTPS
- From/Listener - from All Protected Networks - to a computer object of my single OneCare PC (this meant a constant IP address so static or DHCP reservation is needed)
  - you could instead use a computer set and drop in multiple PCs
  - you could also choose Internal ..etc
- To - I create subnet objects for the following IP addresses: 207.46.235.29/24 & 216.68.54.56/24
  - these were discovered while monitoring ISA's logs as I told LOC to Update
  - these could change over time and I have no way of knowing - so if it goes red go to the monitoring log again
- Condition - from SBS Internet Users - changed to "All Users" (Warning - that alone is a huge security hole - I do this understanding the risks and limit this rule carefully for its TO field)
  - See Dr. Tom Shinder's ISA 2004 book in Chapter 7 pages 588-589 for allowing access to MSN Messenger via Web Proxy - my rule is an imitation of this
  - while you're there read back to pages 573-574
- This new rule is placed right above the SBS Microsoft Update Sites Access Rule
  - it's important that it is the first HTTP/HTTPS access rule that applies to this host machine as it relates to these specific external destinations.
Speaking of "green". I don't reach the same conclusion you do with WSUS. In my experience, although my clients fall under WSUS GPO's, OneCare is fine with having its client be GPO configured as long as it is AU fully automatic (download & install). With that caveat my OneCare PC stays green like Kermit.
Regards,
Dale
DU IT with SBS
Sunday, March 23, 2008 1:46 PM
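Editor's added example (not part of the thread, and not Microsoft's or ISA Server's own code): a small first-match model of access-rule evaluation that reproduces the rule Dale describes above and lets you check his two caveats, that the rule must sit above the authenticated SBS rules, and that a /24 subnet object opens far more than the one address seen in the log. The model assumes that rules are evaluated top to bottom, that the first rule whose protocol, source and destination match decides the request, and that a rule whose user condition is not "All Users" challenges an anonymous client for credentials rather than falling through; schedules, content types, listeners and domain-name-set rules such as the SBS Microsoft Update Sites rule are left out. The subnets and rule names come from the post; the addresses 10.0.0.50 and 10.0.0.51 and the user "alice" are invented.

```python
# Added example: simplified first-match model of ISA 2004 access-rule evaluation.
# Assumptions (not from the thread or ISA documentation): top-to-bottom
# evaluation; first rule matching protocol+source+destination decides; a rule
# with a user set other than "All Users" challenges an anonymous request
# ("auth-required") instead of being skipped. 10.0.0.50, 10.0.0.51 and "alice"
# are invented; the subnets and SBS rule names are those given in the post.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ALL_USERS = "All Users"


@dataclass(frozen=True)
class Request:
    src: str                    # client IP address
    dst: str                    # destination IP address
    protocol: str               # "HTTP", "HTTPS", "FTP", ...
    user: Optional[str] = None  # None = anonymous (no Web Proxy credentials)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    protocols: Optional[frozenset] = None     # None = All Outbound Traffic
    sources: Tuple[str, ...] = ()             # CIDRs; () = All Protected Networks
    destinations: Tuple[str, ...] = ()        # CIDRs; () = anywhere (External)
    users: str = ALL_USERS                    # ALL_USERS or a named user set

    @staticmethod
    def _in_any(nets, addr):
        # strict=False: a host address written with a /24 mask, as in the post,
        # is accepted and silently widened to the whole containing subnet
        return not nets or any(ip_address(addr) in ip_network(n, strict=False) for n in nets)

    def traffic_matches(self, req):
        proto_ok = self.protocols is None or req.protocol in self.protocols
        return (proto_ok and self._in_any(self.sources, req.src)
                and self._in_any(self.destinations, req.dst))


def evaluate(policy, req):
    """Return (rule name, outcome); outcome is 'allow', 'deny' or 'auth-required'."""
    for rule in policy:
        if not rule.traffic_matches(req):
            continue
        if rule.users != ALL_USERS and req.user is None:
            return rule.name, "auth-required"   # anonymous client gets a credentials challenge
        return rule.name, rule.action
    return "Default rule", "deny"               # final catch-all


def exposed_destinations(rule):
    """Number of destination addresses the rule's subnet objects actually cover."""
    return sum(ip_network(n, strict=False).num_addresses for n in rule.destinations)


ONECARE_PC = "10.0.0.50"     # invented: address behind the single-PC computer object
OTHER_PC = "10.0.0.51"       # invented: a domain PC that is not in the rule

# Dale's rule: HTTP/HTTPS only, one source PC, two /24 subnet objects, All Users
ONECARE_RULE = Rule("Allow OneCare (HTTP/HTTPS)", "allow",
                    protocols=frozenset({"HTTP", "HTTPS"}),
                    sources=(ONECARE_PC + "/32",),
                    destinations=("207.46.235.29/24", "216.68.54.56/24"))

# the rule it was copied from: all protocols, all protected networks, authenticated users only
SBS_INTERNET_RULE = Rule("SBS Internet Access Rule", "allow", users="SBS Internet Users")


def policy_rule_first():
    return [ONECARE_RULE, SBS_INTERNET_RULE]


def policy_rule_last():
    return [SBS_INTERNET_RULE, ONECARE_RULE]


if __name__ == "__main__":
    probes = [
        Request(ONECARE_PC, "207.46.235.29", "HTTPS"),        # OneCare updater, anonymous
        Request(ONECARE_PC, "207.46.235.1", "HTTP"),          # same /24, not a OneCare host
        Request(OTHER_PC, "207.46.235.29", "HTTPS"),          # another PC, anonymous
        Request(ONECARE_PC, "8.8.8.8", "HTTPS"),              # OneCare PC, other destination
        Request(OTHER_PC, "8.8.8.8", "HTTP", user="alice"),   # normal authenticated browsing
    ]
    for label, policy in (("rule first", policy_rule_first()), ("rule last", policy_rule_last())):
        for p in probes:
            print(label, p, "->", evaluate(policy, p))
    print("addresses opened by the two /24 objects:", exposed_destinations(ONECARE_RULE))
```

Running it with the rule in both positions shows why Dale insists on placement: with the OneCare rule below the SBS Internet Access Rule, the anonymous update request hits the authenticated rule first and is challenged, which the updater cannot answer. It also shows what offsets the "All Users" hole: any other PC, or the OneCare PC going anywhere else, still lands on the authenticated rule, while the two /24 objects admit 512 addresses rather than the two seen in the log, so re-checking the monitoring log when the icon goes red is also the moment to tighten those objects.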