TechNet Live track 2 session 4 - SC-Forefront
DESCRIPTION
Walkthrough of the System Center and Forefront products and what's new: Operations Manager, Virtual Machine Manager, Service Manager, Essentials, Forefront Endpoint Protection, management in the cloud with Windows Intune, and suite licensing.
TRANSCRIPT
WELCOME TO TECHNET LIVE
SYSTEM CENTER AND FOREFRONT
STRATEGIC
Nicolai Henriksen, Chief Infrastructure Architect
IT – More important than ever
• Secure the infrastructure
• Manage systems
• Reduce costs
• Deliver new applications
• Compatibility
Employee productivity (chart): 80% maintenance, 20% innovation
Core infrastructure optimization (Core IO): http://www.microsoft.com/norge/infrastruktur/default.mspx
Maturity levels (chart):
• Basic: uncoordinated manual processes and minimal centralized control (cost center)
• Standardized: partially centralized IT administration with limited automation (efficient cost center)
• Rationalized: managed and consolidated IT infrastructure with maximum automation (business value)
• Dynamic IT: fully automated administration, dynamic resource usage (strategic tool)
Data protection and recovery
Client, device and server management
Security and networking
Identity and access management
[Product roadmap chart, 2009 to 2012: release years and versions per product (2007, 2007 R2, 2007 R3, 2008 R2, 2009/2010/2011 & R2, 2010, 2012, v1, vNext, Acquired)]
Why Forefront Endpoint Protection?
• Save money on licenses
• Manage antivirus in the SCCM console
• Scores highly on protection against malware.
• More efficient delegation and control of roles.
• Centralized reporting
• New technology in the Network Inspection System (NIS), which will block attacks on each client based on advanced malware detection.
• Uses the cloud to deliver real-time signature updates to the client if something suspicious is detected.
• Easy to roll out.
• Replaces and removes McAfee, Trend, Symantec..
• FEP solutions are sized for 100,000+ clients.
• Small, 11 MB on disk, uses few resources.
Secure Desktop
PROTECT everywhere, ACCESS anywhere, SIMPLIFY security, MANAGE compliance, INTEGRATE and EXTEND security
Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere
Secure Endpoint Solution
• Provides unified administration for desktop management and protection
• Increases visibility of potentially vulnerable desktops
• Uses existing System Center Configuration Manager infrastructure
• Builds on and extends Windows security
• Enables multi-layered anti-malware protection
• Protects critical data wherever it resides
• Provides more secure always-on access
Management Scenarios
• Keep Protected: "I need to centrally monitor FEP deployment, push missing updates and fix configuration issues"
• Report Compliance: "Show me last month's trend of protection compliance"
• Alert on Outbreak: "Alert me on emerging threats before they affect productivity"
Management
• Converged System Management
• Simple Centralized Policy
• Critical Level Alerting
• Security admin-oriented Reporting
• Desired Configuration Management (DCM)-based Vulnerability Assessments
Dynamic Signature Service
• Low-Fidelity Signatures
– New class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation
– Queries the reputation service about "interesting" files
• If the file is known bad, a new signature is delivered in real-time to the client requesting it
• Balances signature distribution time/cost with the need for real-time updates
• Admins must opt in to use this feature
[Diagram: the client reports properties/behavior and submits samples (sample request, sample submit) to SpyNet / MRS; researchers and behavior classifiers feed the reputation service, which delivers a real-time signature back to the client]
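As an added illustration of the flow just described (constructed example code, not FEP or SpyNet code; the stand-in generic, the reputation set and the sample file are made up), a Python model where a client consults its local signatures first, only asks the reputation service about flagged files when the admin has opted in, and reuses a delivered signature on the next scan:

```python
"""Toy model of the Dynamic Signature Service flow: local signatures first,
a low-fidelity generic for "interesting" files, and an opt-in real-time
reputation lookup. Constructed illustration only, not FEP or SpyNet code."""
import hashlib

# Constructed marker that the stand-in generic treats as a suspicious characteristic.
SUSPICIOUS_MARKER = b"CONSTRUCTED-SUSPICIOUS-MARKER"


class ReputationService:
    """Stands in for SpyNet / MRS: knows the hashes of files judged bad."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)
        self.queries = 0  # counts real-time lookups, i.e. the distribution cost

    def is_known_bad(self, sha256):
        self.queries += 1
        return sha256 in self.known_bad


class Client:
    """Endpoint with a local signature set; opt_in gates the cloud lookup."""

    def __init__(self, service, opt_in):
        self.service = service
        self.opt_in = opt_in
        self.local_signatures = set()  # hashes delivered as real-time signatures

    @staticmethod
    def low_fidelity_generic(data):
        # Stand-in for the emulation-based generic: it only flags, never convicts.
        return SUSPICIOUS_MARKER in data

    def scan(self, data):
        """Returns 'clean', 'suspicious' (flagged, no verdict) or 'blocked'."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.local_signatures:
            return "blocked"  # signature already on the client, no lookup needed
        if not self.low_fidelity_generic(data):
            return "clean"
        if not self.opt_in or not self.service.is_known_bad(digest):
            return "suspicious"  # no opt-in, or reputation has no verdict yet
        self.local_signatures.add(digest)  # real-time signature delivery
        return "blocked"


def demo():
    """Opted-out client only flags; opted-in client blocks and reuses the signature."""
    sample = b"constructed sample file " + SUSPICIOUS_MARKER
    svc = ReputationService([hashlib.sha256(sample).hexdigest()])
    opted_out = Client(svc, opt_in=False).scan(sample)
    opted_in = Client(svc, opt_in=True)
    first, second = opted_in.scan(sample), opted_in.scan(sample)
    return opted_out, first, second, svc.queries  # -> ('suspicious', 'blocked', 'blocked', 1)
```

The single query counted at the end is the trade-off the slide mentions: one real-time lookup for the first sighting, and a local signature hit for every sighting after that.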
[Architecture diagram: desktops, laptops and server operating systems running Microsoft Forefront Endpoint Protection receive definitions from Microsoft Update; Configuration Manager (or an alternate system) delivers settings and collects events; a Configuration Manager reporting and alerting server (or an alternate system) produces reports]
• Check client protection status
• Fix client security problems in Configuration Manager
– Dashboard view of status
– Drill down to see affected computers to remediate within Configuration Manager
• Receive email alerts on outbreaks
Extending Endpoint Protection to Servers
• One dashboard for visibility into threats and vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and security alerts
Security Summary
System Center Operations Manager 2007
• End-to-end service monitoring
• Proactive management of IT services
• Integrated monitoring
• Increased efficiency and control
• Improved "time to value"
• Reduced IT administration complexity
• "Best of breed" for Windows
• Reduced troubleshooting time
• Reduced TCO for the Windows environment
• Expertise for more than 50 Microsoft applications, servers and clients
"We have always run cost-conscious IT, so that is not going to change with Operations Manager. It will only get even better and enable the company to earn more money."
- Robert Fort, Chief Information Officer, Virgin Megastores USA
An end-to-end service management solution that helps the business more easily monitor and control its IT services and IT environment
System Center Operations Manager 2007
Knowledge-driven management (diagram): discovery & health models, IT policy, business requirements, developer insight, IT service models
Operations Manager 2007 R2 delivers significant capabilities
• Improved application performance and availability through cross-platform monitoring
• "Best-of-breed" monitoring capability for HP-UX®, Sun Solaris™, Red Hat® Enterprise Linux®, Novell SUSE® Linux Enterprise Server, IBM AIX 5L®, and Windows server environments.
• Improved performance management of applications in data centers with SLO service level monitoring
• Faster access to monitoring information and functionality through UI improvements and simplified management pack authoring
Service Level Tracking
• Today – available as a Solution Accelerator:
– Service Level Dashboard MP V1.1 http://technet.microsoft.com/en-us/opsmgr/cc539535.aspx
– Available through the Management Pack (MP) Catalog
• What's new in R2:
– Authoring of SLOs in the Ops console and offline in MPs
– Define SLOs for health and performance data
– Extended service level reporting capabilities
– SharePoint integration for displaying service level performance
"I need to track the availability of the line-of-business applications against my agreed service level target of 99.99% within normal working hours"
Service level: measured and reported performance against one or more Service Level Objectives (SLOs). Service Level Objective: a metric used to manage an IT service.
Performance and resource optimization
• UNIX & Linux monitoring with SCOM 2007 R2
• Backup for Linux VMs with DPM
• VMware virtual infrastructure management
– SCVMM 2008 R2
– Supports live migration
System Center monitors heterogeneous platforms
Service Availability
Deployment - Economics
• Manual rollout: 3000 – 6000 kr per PC
• Light Touch: ~1500 kr per PC
• Zero Touch: less than 600 kr per PC
System Center Configuration Manager 2007
• Automated OS deployment and support information
• DCM – define configuration standards, maintain regulation and policy
• Control when and which workloads to update: specific targeting and scheduling for servers, desktops and devices, remote control
• Define configuration, partition model, OS, drivers and application suite
• Get an overview of the software before rollout or migration
System Center Configuration Manager 2007 (diagram): data/SW overview, HW/SW inventory, SW update, SW distribution, operations support, configuration management and control, OS deployment, client/server design
Configuration Manager Server Roles (diagram): SQL Server; SCCM Primary Site Server with the roles MP, SLP, RP, DP, SMP, PSP, SUP/WSUS, FSP and SHV; Primary Site; Secondary Site; Branch DP
MP - Management Point
SLP - Server Locator Point
RP - Reporting Point
DP - Distribution Point
SMP - State Migration Point*
Branch DP - Branch Office DP*
SUP - Software Update Point*
FSP - Fallback Status Point*
SHV - System Health Validator*
PSP - PXE Service Point*
* Denotes new server role
Supported Client Numbers
Scalable Support for any Size Organization
Site Role                         Maximum # of Client Systems
Hierarchy (Central Site Server)   200,000
Primary Site Server               100,000
System Health Validator           200,000
Management Point                  25,000
Distribution Point (Non OSD)      4,000
Distribution Point (OSD)          Limited by Network & Disk I/O
State Migration Point             Limited by Network & Disk I/O
Software Update Point (WSUS)      25,000
Fallback Status Point             100,000
Branch Distribution Point         Limited by OS License, Network & Disk I/O
Comprehensive Deployment and Updating
Enhanced Insight and Control
Optimized for Windows and Extensible Beyond
Platform Support (table): the features HW/SW Inventory, OS Deployment, Software Distribution, Software Update Mgmt and Desired Config Mgmt across Windows 7, Vista, XP SP2, Windows 2000, Server 2008/2008 R2, Server 2003, Server 2000, WFLOP, WePOS, XP Embedded, Windows CE and Windows Mobile* (SCCM SP2); individual cells mark each combination as supported or not supported
Significant improvements to existing scenarios
Increased range of scenario support
Windows Deployment Automation
New machine
- Clean install
- No migration considerations
- New or repurposed hardware
Wipe-and-load
- Target and install new OS to existing H/W
- Application reinstall under new OS
- Securely save/restore user state & settings
Side-by-side
- Machine to machine
- User and app data migration
- Application reinstall
- Securely save/restore user state & settings
In-place migration
- Scripted, targeted OS upgrade
- Not wipe and load
- Sent as software distribution package
Offline with removable media
- Install without network
- Removable media is source
- CD/DVD, USB flash drive
- Good for low bandwidth, mobile staff
PXE boot
- WDS integration, network boot delivered
- PXE style delivery
- Lite touch, network connection based
Desired configuration
SMS reports with categories from AssetMetrix DB
Configuration Manager 2007 R3
• What's new in R3?
– Go green
– Better configuration management
– Faster collection updates
– Faster AD Discovery
– Prestage
– 300,000
System Center Power Management
• Monitor current power state and consumption
• Plan and create a power management policy, check for exceptions
• Apply the power management policy
• Check compliance and remediate non-compliance.
• Report savings in power consumption, costs and environmental impact.
Machine and User Activity Report
Deployment
Are we doing it right today, or..
• Do you have an effective deployment solution today? And can you handle all clients?
• Scenario: what if half of your machines were infected and would not boot?
• How to build the image?
– Build the image on a virtual machine, Hyper-V, VMware...
• Windows 7 32-bit or 64-bit??
– Many go for 64-bit initially, but usually fall back to 32-bit as the standard because one or two central older applications/drivers do not work. And then they run both versions.
• Recommendation: go for 64-bit from the start if hardware/software allows it. Over time it will go that way anyway.
• Office 2010 32-bit or 64-bit??
– Run 32-bit, because there are too many complications with Office add-ins and integrations that will not work on 64-bit.
– But if you run a completely clean Office, without any third-party products or older versions, then yes! 64-bit.
• Do you have the SCCM client on all machines? Do they work as they should?
• Thick or thin..?
– A thick image with all standard applications can make sense in a mass rollout phase, e.g. when moving to a new platform, for the fastest deployment.
– A thin image is the most dynamic, easy to change, add/remove/update applications, but it takes somewhat more time during the deployment itself.
• Recommended in the normal operations phase.
• Driver structure
– Use the hybrid driver model.
• User data?
– Use USMT, integrated in SCCM.
• Profile handling!?
– Roaming or redirecting
• 300,000
• SCCM - slow?
• Spec the server adequately.
• OS: Disk1 min 50 GB
• SCCM: Disk2 min 100 GB
• Source packages: Disk3 ...GB (can be a network share, NAS, etc..)
• Distribution share: Disk4 ...GB (NB: must be Windows Server, NTFS)
• Memory: min 8 GB
• If virtual: reserve CPU and memory.
• Disk I/O is the most critical!
• SQL on the same server as SCCM if it is powerful enough. Otherwise dedicated, with enough bandwidth - Gbit - and power.
• Security!!!
– Enterprise Admins
– Domain Admins
– But must be admin on the clients.
– Use preferences.
Commercial Cloud Services
BUSINESS APPS COLLABORATION STORAGE PLATFORM MANAGEMENT PRODUCTIVITY COMMUNICATIONS
Help Manage & Secure PCs Anywhere
Requirements
• Administrative Console – a browser that supports Silverlight 3.0
• Managed Machines
– Windows 7 Enterprise, Ultimate and Professional
– Windows Vista Enterprise, Ultimate and Business
– Windows XP Professional, Service Pack SP2 or SP3 (recommended)
Service Architecture (diagram): the Windows Intune Service, with Microsoft Ops and Support behind it, is managed by an admin and serves customer domains (Contoso.com, foo.com); client-side components shown are the Windows Update Agent, SCOM, Malware Protection (FEP), Lantern (SCCM DCM) and EZ Assist
Initial Deployment Checklist
• Choose a technique to deploy the enrollment MSIs
– GP-SI, psexec, login script, email, ACLed public share, …
– Enrollment will fail after the seat limit is reached
• Can retire computers or purchase more seats
• Define your initial group structure
– Newly enrolled computers go to "Unassigned Computers"
– Can create additional (nested) groups as needed for reporting/policy boundaries
• Typically by role or region (often nested by one then the other)
• Machines can belong to multiple hierarchies
• Configure policies as needed
– Malware Protection: Conditionally enabled, …
– Windows Update: Daily scheduled install, …
– Firewall: Not configured, …
• If using GPOs, filter them to not apply to Windows Intune clients (else GP overrides)
• Add admins, configure alert notifications, deploy security updates
Microsoft Confidential
TWO ADDITIONAL SOLUTIONS TO SYSTEM CENTER FAMILY
Key Technologies
• A workflow engine for automating all or portions of IT processes and for integrating System Center solutions
• A common data warehouse and reporting platform for integrating business intelligence information across System Center
• A connector framework to support technology integration across System Center, other Microsoft products, and common industry management tools
• A CMDB to support the management of information about IT service components and how they relate to one another
• A Self-Service Portal to provide end users with access to IT resources, reducing the volume of calls to the help desk
• A knowledge base to capture and share practical knowledge for IT professionals and end users
Service Manager: The Power is in the Integration (diagram): asset management (Provance), self service, IT business intelligence, compliance and risk, IT analyst; incident and problem, change, portal, workflows, knowledge base, data warehouse, CMDB, authoring
Empowering the End User
The average cost of a single call is $25 to $30
Self Service Portals reduce calls by 30%
• Provision software
• Reset passwords
• Create/view service requests
• View announcements
• Search/view knowledge base
INTEGRATED | EFFICIENT | BUSINESS ALIGNED
Integrated System Center CMDB
Common schema across System Center
• IT assets are represented as configuration items (CIs)
• Incidents, change requests, and problems are represented as work items (WIs)
Configuration Management Database (CMDB) features
• Create, update, and view CIs
• Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
• Automatically track CI change history
• Service definition and mapping
INTEGRATED | EFFICIENT | BUSINESS ALIGNED
Knowledge Management
Reducing time to resolution
• Knowledge articles:
– Customer, Partner, and Analyst authored content
– Capture existing knowledge published on the Web
– Links to external and local content
– Ratings
• Searchable:
– Full text
– Keywords
– Related incidents, change requests, knowledge articles
INTEGRATED | EFFICIENT | BUSINESS ALIGNED
Addition Of Opalis To System Center Enables Process Automation
IT Process Automation (ITPA), also known as Run Book Automation (RBA), is the ability to orchestrate and integrate IT management tools through workflow
IT silos (diagram): configuration management (physical & virtual), end-to-end monitoring, server compliance, data protection & recovery, event management, service desk, asset/CMDB, configuration, virtual, security, storage, server, network
Automated processes, VM provisioning process (diagram); the steps shown are: monitor service request, update request, clone new VM, update properties, test VM, deploy applications, verify application, add to Ops Manager, create CI, update & close request, create incident, stop VM, remove from Ops Manager, detach storage, detach network adapter, retire CI
Integration for Virtual Machine Manager 2008 R2 not yet RTM
Opalis And Service Manager Available Through System Center License Suites
SMSE / SMSD
* Opalis technology granted to SMSE/SMSD customers by Opalis subsidiary
LICENSING
• System Center Server Management Suite 2010 – Licensing Update
Server Management Suite Enterprise (SMSE)
• 2 x kr per host OSE ML + 4 OSE MLs
Chart: 2 x kr per host OSE ML + 4 OSE MLs; additional Server Management Suite licenses shown as 0 kr incremental; with SMSE: 2 x kr
Server Management Suite Datacenter (SMSD)
• 2.4 x NOK per 2-proc server, unlimited OSE MLs
SMSD lets customers manage and control heavily virtualized workloads with full systems management capability without incremental costs
Chart: 2.4 x NOK per 2-proc, unlimited OSE MLs; each additional workload under SMSD shown as $0 incremental
Server Management Suite Datacenter licensing saves costs for customers with heavy virtualization
Thank you!!