HI I have a SCCM 2007 R3 server in Mixed mode. Single primary site with single box having SQL 2008 R2 Back end. currently i'm deploying software updates, software distributions and OSD. we are looking forward to go with Forefront endpoint protection. all the prerequisite are met and i'm ready for install. i want solutions for following concerns 1 Forefront endpoint protection to be High Available. 2 Forefront Endpoint protection Updates deployment should be High available with SCCM. 3 If SCCM SUP goes down can i send forefront updates through WSUS ? (for existing forefront clients) 4 If i used NLB for SCCM, is it gonna effect of Forefront Protection ? Please provide me a urgent solution for this... Thank and regards. Asitha De Silva Asitha

ConfigMgr does not provide any high availabilty features by default. Have you already considered placing ConfigMgr on a clustered Hypervisor so that fault tolerance is done on that level?Torsten Meringer | http://www.mssccmfaq.de

You can place the SUP in a NLB and configure addiontional distribution points. The SQL server is cluster aware.Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund

Hi Torsten Thanks for answering. I cannot virtualize the Current SCCM 2007. I’m considering on placing it on NLB. But I have a real doubt on that. SCCM High availability comes to play when we integrate it with forefront protection. So I need a HA solution to forefront protection. Is it possible to send updates through WSUS for forefront clients ? Asitha

Forefront clients will be protected, you will just lose reporting and updating if SCCM dies. John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

Hi Is there another way to send definition updates to Forefront clients if i loos the SCCM ?Asitha

You can configure multiple places where the clients can look for updates. Take a look here for the different possibilities: http://technet.microsoft.com/en-us/library/gg412502.aspxMy Blog: http://www.petervanderwoude.nl/ Follow me on twitter: pvanderwoude

Hi Asitha, it is possible to use the SUP / WSUS Server directly for Clients to get their definition updates, but they will primarly contact the wsus server which is configured as your sup as this one is set through sccm for clients for the "normal" software update process in sccm. Just create the Automatic Approval Rule as describe on technet to enable that. As second option clients could use Microsoft Update if WSUS and SCCM dies > http://technet.microsoft.com/en-us/library/gg398036.aspx I'm also using the FEP Definition Update Automation Tool to use the SCCM Update Process for FEP Updates > http://technet.microsoft.com/en-us/library/hh297450.aspx On the FEP Blog you'll find also some known issues and workarounds for that > http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx So in terms of HA you should put your SCCM DB on an SQL Cluster, use dedicated Servers for a NLB Cluster for Management Point and Software Update Point, use multiple DP's for the Definition Package and WSUS and Microsoft Update as second sources. You should also spend some time on Backup and Recovery testing, so if your Site Server fails, you should be able to restore in a few hours ... Regards, Stefan

Hi all Ok i'm going with NLB. first i'm gonna deploy forefront, and create secondary policy for WSUS, if my SUP in SCCM failed some how, I can use WSUS GPO for sending forefront updates. next slowly i will deploy NLB for SUP in SCCM. Thanks for everyone..Asitha

hi peter, if my complete site goes down where also my file server placed can i define another DR site fileshare server ?Usama Arif