Review of System Center and Forefront products, news.
Operations Manager, Virtual Machine Manager, Service Manager, Essentials,
Forefront Endpoint Protection, Management in the Cloud with Windows Intune. Suite Licensing
TechNet Live track 2 session 4 - sc-forefront
1. Nicolai Henriksen
Chief Infrastructure Architect
WELCOME TO TECHNET LIVE
SYSTEM CENTER AND FOREFRONT
Nicolai.Henriksen@ErgoGroup.no
STRATEGIC
2. IT – More important than ever
Secure the infrastructure
Manage systems
Reduce costs
Offer new applications
Compatibility
Employee productivity
80% Maintenance
20% Innovation
3. Core Infrastructure Optimization (Core IO):
http://www.microsoft.com/norge/infrastruktur/default.mspx
Maturity levels: Basic, Standardized, Rationalized, Dynamic
Capability areas: Identity and access management; Client, device and server management; Security and networking; Data protection and recovery
Basic: uncoordinated, manual processes and minimal infrastructure management
Standardized: partly centralized IT management with limited automation
Rationalized: managed and consolidated IT infrastructure with centralized control and maximal automation
Dynamic: fully automated management, dynamic resource usage (Dynamic IT)
Business view per level: Cost centre, Efficient cost centre, Business value, Strategic tool
6. Why Forefront Endpoint Protection?
• Save money on licences
• Manage antivirus from the SCCM console
• Scores highly on protecting against malware.
• More efficient delegation and control of roles.
• Centralized reporting
• New technology in the Network Inspection System (NIS), which will block attacks on each client based on advanced malware detection.
• Uses the cloud to deliver real-time signature updates to the client if something suspicious is detected.
• Easy to roll out.
• Replaces and removes McAfee, Trend, Symantec..
• FEP solutions are dimensioned for 100,000+ clients.
• Small, 11 MB on disk, uses few resources.
8. Secure Endpoint Solution
Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere
PROTECT everywhere, ACCESS anywhere
• Enables multi-layered anti-malware protection
• Protects critical data wherever it resides
• Provides more secure always-on access
INTEGRATE and EXTEND security
• Uses existing System Center Configuration Manager infrastructure
• Builds on and extends Windows security
SIMPLIFY security, MANAGE compliance
• Provides unified administration for desktop management and protection
• Increases visibility of potentially vulnerable desktops
9. Management Scenarios
Keep Protected: "I need to centrally monitor deployment, push missing updates and fix configuration issues"
Report Compliance: "Show me last month's trend of protection compliance"
Alert on Outbreak: "Alert me on emerging threats before they affect productivity"
FEP Management
• Converged System Management
• Simple Centralized Policy
• Critical Level Alerting
• Security admin-oriented Reporting
• Desired Configuration Manager (DCM)-based Vulnerability Assessments
13. Dynamic Signature Service
• Low-Fidelity Signatures
– New class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation
• Reputation
– Queries reputation service about "interesting" files
• If the file is known bad, a new signature is delivered in real-time to the client requesting it
• Balances signature distribution time/cost with need for real-time updates
• Admins must choose to opt-in to use this feature
(Diagram: Client sends Properties / Behavior, Sample Request and Sample Submit to SpyNet / MRS; Behavior Classifiers and Researchers feed Real-Time Signature Delivery; a Real-time Signature is returned to the Client)
14. (Diagram: Microsoft Update delivers DEFINITIONS; Configuration Manager (or alternate system) delivers SETTINGS and collects EVENTS; Configuration Manager Reporting and Alerting Server (or alternate system) produces REPORTS; endpoints are Desktops, Laptops and Server Operating Systems Running Microsoft Forefront Endpoint Protection)
15. Check client protection status
• Fix client security problems in Configuration Manager
– Dashboard view of status
– Drill down to see affected computers to remediate within Configuration Manager
• Receive email alerts on outbreaks
17. One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts
21. System Center Operations Manager 2007
An end-to-end service management solution that helps the business monitor and control its IT services and IT environment more easily
End-to-end service monitoring
• Proactive management of IT services
• Integrated monitoring
Increased efficiency and control
• Improved "time to value"
• Reduced IT management complexity
"Best of Breed" for Windows
• Reduced troubleshooting time
• Reduced TCO for the Windows environment
• Expertise for more than 50 Microsoft applications, servers and clients
"We have always run cost-conscious IT, so that will not change with Operations Manager. It will just get even better and enable the company to make more money."
- Robert Fort, Chief Information Officer, Virgin Megastores USA
22. Knowledge-driven management
(Diagram: IT policy; developer insight; business requirements; discovery & health models; IT service models)
23. Operations Manager 2007 R2 delivers significant capabilities
• Improved application performance and availability through cross-platform monitoring
• "Best-of-breed" monitoring capability for HP-UX®, Sun Solaris™, Red Hat® Enterprise Linux®, Novell SUSE® Linux Enterprise Server, IBM AIX 5L®, and Windows Server environments.
• Improved performance management of applications in data centres with SLO service level monitoring
• Faster access to monitoring information and functionality with UI improvements and simplified management pack authoring
24. Service Level Tracking
• Today – available as a Solution Accelerator:
– Service Level Dashboard MP V1.1
http://technet.microsoft.com/en-us/opsmgr/cc539535.aspx
– Available through the Management Pack (MP) Catalog
• What is new in R2:
– Authoring of SLOs in the Ops console and offline in MPs
– Define SLOs for health and performance data
– Extended service level reporting capabilities
– SharePoint integration for displaying service level performance
"I need to track the availability of the line-of-business applications against my agreed service level target of 99.99% within normal working hours"
Service level: Measured and reported performance against one or more Service Level Objectives (SLO).
Service Level Objective: A metric used to manage an IT service.
26. System Center monitors heterogeneous platforms
• UNIX & Linux monitoring with SCOM 2007 R2
• Backup for Linux VMs with DPM
• VMware virtual infrastructure management
– SCVMM 2008 R2
– Supports Live Migration
33. System Center Configuration Manager 2007
SW update: Control when and which workloads to update: specific targeting and scheduling for servers, desktops and devices; remote control
Data/SW inventory: Get an overview of the software before rollout or migration; HW/SW inventory list
SW distribution and operations support
DCM – Define configuration standards, maintain control, regulation and policy
Client/server configuration management and design suite
OS deployment: Automatic deployment of the OS and supporting information; define configuration, partition model, OS, drivers and applications
34. Configuration Manager Server Roles
(Diagram: Primary Site and Secondary Site, each with SQL Server; role servers SCCM Primary Site Server, MP, SLP, SHV, RP, DP, FSP, Branch DP, SUP/WSUS, PSP, SMP)
MP - Management Point
SLP - Server Locator Point
RP - Reporting Point
DP - Distribution Point
SMP - State Migration Point*
Branch DP - Branch Office DP*
SUP - Software Update Point*
FSP - Fallback Status Point*
SHV - System Health Validator*
PSP - PXE Service Point*
* Denotes new server role
35. Scalable Support for any Size Organization
Supported Client Numbers (Site Role – Maximum # of Client Systems)
Hierarchy (Central Site Server) – 200,000
Primary Site Server – 100,000
System Health Validator – 200,000
Management Point – 25,000
Distribution Point (Non OSD) – 4,000
Distribution Point (OSD) – Limited by Network & Disk I/O
State Migration Point – Limited by Network & Disk I/O
Software Update Point (WSUS) – 25,000
Fallback Status Point – 100,000
Branch Distribution Point – Limited by OS License, Network & Disk I/O
Optimized for Windows and Beyond | Comprehensive Deployment and Updating | Enhanced Insight and Control | Extensible
36. Platform Support
Features: HW/SW Inventory, Software Distribution, Software Update Mgmt, Desired Config Mgmt, OS Deployment
Platforms: Windows 7, Vista, XP SP2, Windows 2000, Server 2008/2008R2, Server 2003, Server 2000, WFLOP, WePOS, XP Embedded, Windows CE, Windows Mobile*
(Table legend: Not supported / SCCM SP2; the per-platform support marks did not survive extraction)
37. Windows Deployment Automation
Significant improvements to existing scenarios
Increased range of scenario support
New machine: Clean install; No migration considerations; New or repurposed hardware
Wipe-and-load: Target and install new OS to existing H/W; Application reinstall; Securely save/restore user state & settings
Side-by-side migration: Machine to machine; User and app data migration; Application reinstall under new OS; Securely save/restore user state & settings
In-place: Scripted, targeted OS upgrade; Not wipe and load; Sent as software distribution package
Offline with removable media: Install without network; Removable media is source; CD/DVD, USB flash drive; Good for low bandwidth, mobile staff
PXE boot: WDS integration, network boot; Network delivered; PXE style delivery; Lite touch, network connection based
41. Configuration Manager 2007 R3
• What is new in R3?
– Go greeeeen
– Better configuration management
– Faster collection updates
– Faster AD Discovery
– Prestage
– 300,000
42. System Center Power Management
Monitor current power state and consumption
Plan and create a power management policy, check for exceptions
Apply power management policy
Check compliance and remediate non-compliance.
Report savings in power consumption and costs, and environmental impact.
46. Are we doing it right now, or..
• Do you have an efficient deployment solution today? And can you manage all clients?
• Scenario: What if half of your machines were infected and would not boot.
• How to build the image?
– Build the image on a virtual machine: Hyper-V, VMware...
47. • Windows 7 32-bit or 64-bit??
– Many go for 64-bit initially, but usually fall back to 32-bit as the standard because one or two central older applications/drivers do not work. And end up running both versions.
• Recommendation: Go for 64-bit initially if hardware/software allows it. Over time it will go that way anyway.
• Office 2010 32-bit or 64-bit??
– Run 32-bit, because there are too many complications with Office add-ins and integrations that will not work on 64-bit.
– But if you run a completely clean Office, without any third-party products or older versions, then yes! 64-bit.
48. • Do you have the SCCM client on all machines? Do they work as they should?
• Thick or thin..?
– A thick image with all standard applications can make sense in a mass rollout phase, e.g. when moving to a new platform, for the fastest deployment.
– A thin image is the most dynamic: easy to change, add/remove/update applications, but it takes somewhat more time during the deployment itself.
• Recommended in the normal operations phase.
• Driver structure
– Use the hybrid driver model.
• User data?
– Use USMT, integrated in SCCM.
• Profile handling!?
– Roaming or Redirecting
49. • 300,000
• SCCM - slow?
• Spec the server adequately.
• OS: Disk1 min 50GB
• SCCM: Disk2 min 100GB
• Source packages: Disk3 ...GB (can be a network share, NAS, etc..)
• Distribution share: Disk4 ...GB (NB: must be Windows Server, NTFS)
• Memory: min 8GB
• If virtual: reserve CPU and memory.
• Disk I/O is the most critical!
• SQL on the same server as SCCM if it is powerful enough. Or dedicated with enough bandwidth - Gbit, power.
• Security!!!
– Enterprise Admins
– Domain Admins
– But must be admin on the clients.
– Use preferences.
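The sizing points on this slide can be checked before installation. The following PowerShell pre-flight script is an added example, not from the slide deck or from Microsoft; the drive letters for Disk1, Disk2 and Disk4 are assumptions and the virtual-machine detection is a heuristic on the reported model/manufacturer.

```powershell
# Added example: pre-flight check of the site-server sizing guidance on slide 49.
# Drive letters are assumed; pass your own layout as parameters.
function Test-SiteServerPrereqs {
    [CmdletBinding()]
    param(
        [string]$OsDrive        = 'C',   # assumed letter for Disk1 (OS, min 50 GB)
        [string]$SccmDrive      = 'D',   # assumed letter for Disk2 (SCCM, min 100 GB)
        [string]$DistShareDrive = 'F',   # assumed letter for Disk4 (distribution share, NTFS)
        [int]$MinMemoryGB       = 8
    )
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Passed, $Detail)
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }) }

    # Disk sizes from the slide (total volume size, not free space)
    $disks = @(
        @{ Letter = $OsDrive;   Min = 50;  Role = 'OS (Disk1)' },
        @{ Letter = $SccmDrive; Min = 100; Role = 'SCCM (Disk2)' }
    )
    foreach ($d in $disks) {
        $vol = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($d.Letter):'"
        $sizeGB = if ($vol) { [math]::Round($vol.Size / 1GB, 1) } else { 0 }
        & $add "$($d.Role) >= $($d.Min) GB" ($sizeGB -ge $d.Min) "$($d.Letter): is $sizeGB GB"
    }

    # Distribution share volume must be NTFS, hosted on a Windows Server SKU
    $dist = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($DistShareDrive):'"
    & $add 'Distribution share volume is NTFS' ($dist -and $dist.FileSystem -eq 'NTFS') `
        "$($DistShareDrive): is $(if ($dist) { $dist.FileSystem } else { 'missing' })"
    $os = Get-CimInstance Win32_OperatingSystem
    & $add 'Host is a Windows Server SKU' ($os.ProductType -ne 1) $os.Caption   # ProductType 1 = workstation

    # Memory: TotalVisibleMemorySize is reported in KB
    $memGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    & $add "Memory >= $MinMemoryGB GB" ($memGB -ge $MinMemoryGB) "$memGB GB visible to the OS"

    # Virtual guest? The slide asks for CPU/memory reservations on the hypervisor; flag for manual follow-up
    $cs = Get-CimInstance Win32_ComputerSystem
    $isVm = ($cs.Model -match 'Virtual|VMware') -or ($cs.Manufacturer -match 'Microsoft Corporation|VMware|Xen|QEMU')
    $vmDetail = if ($isVm) { "Virtual ($($cs.Model)): confirm CPU/memory reservations" } else { "Physical ($($cs.Model))" }
    & $add 'Hypervisor reservations not required' (-not $isVm) $vmDetail

    return $checks
}

Test-SiteServerPrereqs | Format-Table -AutoSize
```

Disk I/O, which the slide calls the most critical factor, is not covered here; measure it on the candidate volumes with a load-generation tool rather than inferring it from size.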
53. Requirements
• Administrative Console
– A browser that supports Silverlight 3.0
• Managed Machines
– Windows 7 Enterprise, Ultimate and Professional
– Windows Vista Enterprise, Ultimate and Business
– Windows XP Professional, Service Pack SP2 or SP3 (recommended)
54. Service Architecture
(Diagram: Windows Intune Service with Ops and Support; customer tenants Contoso.com and foo.com; client agents: Windows Update Agent, SCOM, Malware Protection (FEP), Lantern (SCCM DCM), EZ Assist; Admin console)
55. Initial Deployment Checklist
• Choose a technique to deploy the enrollment MSIs
– GP-SI, psexec, login script, email, ACLed public share, …
– Enrollment will fail after the seat limit is reached
• Can retire computers or purchase more seats
• Define your initial group structure
– Newly enrolled computers go to "Unassigned Computers"
– Can create additional (nested) groups as needed for reporting/policy boundaries
• Typically by role or region (often nested by one then the other)
• Machines can belong to multiple hierarchies
• Configure policies as needed
– Malware Protection: Conditionally enabled, …
– Windows Update: Daily scheduled install, …
– Firewall: Not configured, …
If using GPOs, filter them to not apply to Windows Intune clients (else GP overrides)
• Add admins, configure alert notifications, deploy security updates
Microsoft Confidential
59. Key Technologies
• A work-flow engine for automating all or portions of IT processes and for integrating System Center solutions
• A common data warehouse and reporting platform for integrating business intelligence information across System Center
• A connector framework to support technology integration across System Center, other Microsoft products, and common industry management tools
• A CMDB to support the management of information about IT service components and how they relate to one another
• A Self-Service Portal to provide end users with access to IT resources, reducing the volume of calls to the help desk
• A knowledge base to capture and share practical knowledge for IT professionals and end users
60. Service Manager : The Power is in the Integration
(Diagram: Self Service Portal; Compliance and Risk Management; IT Business Intelligence; IT Asset Management (Provance); IT Analyst; Incident and Problem; Change; Workflows; Knowledge Base; Authoring; CMDB; Data Warehouse)
61. Empowering the End User
The average cost of a single call is $25 to $30
Self Service Portals reduce calls by 30%
Provision Software
Reset Passwords
Create/view service requests
View announcements
Search/view knowledge base
INTEGRATED | EFFICIENT | BUSINESS ALIGNED
62. Integrated System Center CMDB
System Center common schema
• Common schema across System Center
• IT assets are represented as configuration items (CIs)
• Incidents, change requests, and problems are represented as work items (WIs)
Configuration Management Database (CMDB) features
• Create, update, and view CIs
• Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
• Automatically track CI change history
• Service definition and mapping
INTEGRATED | EFFICIENT | BUSINESS ALIGNED
63. Knowledge Management
Reducing time to resolution
• Knowledge articles:
• Customer, Partner, and Analyst authored content
• Capture existing knowledge published on the Web
• Links to external and local content
• Ratings
• Searchable:
• Full text
• Keywords
• Related incidents, change requests, knowledge articles
64. INTEGRATED | EFFICIENT | BUSINESS ALIGNED
65. Addition Of Opalis To System Center Enables Process Automation
IT Process Automation (ITPA), also known as Run Book Automation (RBA), is the ability to orchestrate and integrate IT management tools through workflow
(Diagram: Data Protection & Recovery; Configuration Management (Physical & Virtual); Server Compliance; End-To-End Monitoring)
66. Automated Processes
VM Provisioning Process, by IT silo:
Event Mgmt: Remove from Ops Manager → Add to Ops Manager
Service Desk: Monitor service request → Create incident → Update request → Update request → Update & close request
Asset/CMDB: Retire CI → Create CI
Configuration: Test VM applications → Deploy application → Verify
Virtual: Stop VM → Clone new VM → Update properties
Security
Storage: Detach storage
Server
Network: Detach network adapter
Integration for Virtual Machine Manager 2008 R2 not yet RTM
67. Opalis And Service Manager Available Through System Center License Suites
SMSE / SMSD *
* Opalis technology granted to SMSE/SMSD customers by Opalis subsidiary
70. (Diagram: Server Management Suite Enterprise (SMSE) licensing: 2 X Kr per host OSE ML covers Server Management Suite + 4 OSE MLs; each additional Server Management Suite instance in the covered OSEs is 0 Kr incremental; total with SMSE: 2 X Kr)
71. Server Management Suite Datacenter licensing saves costs for customers with heavy virtualization
SMSD allows customers to manage and control heavily virtualized workloads with full systems management capability without incremental cost
(Diagram: Server Management Suite Datacenter (SMSD): 2.4 X NOK per 2-proc server, unlimited OSE MLs; each additional SMSD-managed OSE is $0 incremental)
72. Thank you!!
Nicolai.Henriksen@EdbErgoGroup.no