Microsoft Forefront Aims to Integrate Security

For customers struggling to manage and maintain security wares from multiple vendors, Forefront offers a Microsoft-centric alternative.

Your customers probably buy client security software like anti-virus and anti-spyware from one vendor, server-based security like content-filtering and anti-spam from another, and edge security such as gateways, firewalls and VPNs from yet another. While they may have assembled those pieces to deploy a strong defense-in-depth strategy, they've also ended up with a security arsenal that's hard to manage and maintain.

With so many different security tools from so many different vendors -- each with their own thresholds, alerts, configurations, updates and management consoles -- customers can find it increasingly difficult to wade through the noise to recognize and prevent critical security issues.

Microsoft aims to change that with its suite of Forefront security products. By offering a single family of security wares for each area of the enterprise -- client, server and edge -- Microsoft hopes to bolster enterprise security by reducing the cost and complexity of managing those tools.

Spotlight Highlights: Forefront
Forefront's Key Features
  • Combined offerings tackle client security, server security and network edge security
  • Integrates well with Microsoft operating systems and software
  • Easy to install and maintain
  • One-console management, once "Stirling" debuts in 2009


  • McAfee Inc.
  • Symantec Corp.
  • Cisco Systems Inc.
  • Juniper Networks Inc.


  • Reduces cost and complexity of securing Microsoft-centric enterprise, from the client to the server to the edge
  • Eases security management
  • Reduces TCO

While none of the Forefront tools can secure non-Microsoft environments or be considered "best of breed," they're all contenders. The important thing is that they're all Microsoft, which means they work together, easily integrate with Windows environments, offer similar and easy-to-use management interfaces, and are easy to deploy and maintain.

Right now, the Forefront family of security tools includes five main products: Forefront Client Security (FCS) at the client, Forefront Security for Exchange Server and Forefront Security for SharePoint Server at the server level, and Microsoft Internet Security and Acceleration (ISA) Server and the Intelligent Application Gateway (IAG) 2007 at the network edge.

While those Forefront products cover the security bases for now, Microsoft plans to up the ante considerably when it releases a single management console for the entire suite of Forefront products -- a tool code-named "Stirling" that's set to debut in 2009.

Client-Side Combo
Microsoft FCS is agent software your customers deploy on their PCs, laptops and other client devices. It combines an anti-virus and anti-spyware engine that performs both real-time and scheduled scans for viruses, spyware and other threats. It also scans to assess the security posture of the managed devices and determines whether they need to be patched or are otherwise inappropriately configured.

FCS uses a single management console for generating reports and alerts, as well as for building policies to manage client security according to individual users or groups. For example, users can build a policy that configures the anti-spyware, anti-virus and state assessment for one client or for groups of clients. These settings include alert levels to specify the type and volume of alerts and events generated by different groups of protected machines.

Like the other parts of the suite, FCS plays on its ability to integrate well with the rest of the Microsoft ecosystem. For example, the console integrates with Active Directory, which eases policy deployment. It also works with Windows Server Update Services (WSUS) to facilitate smooth rollouts.

Server Security Salvo
The Forefront family includes two products at the server level, one for Exchange and one for SharePoint. Forefront for Exchange Server -- formerly Antigen for Exchange -- runs on your customers' Exchange server. It's designed to protect those servers from virus, worm and spam attacks. Forefront integrates virus scanners from as many as five different providers, including several non-Microsoft choices. This is worth pointing out to your customers, as it helps you build an easier-to-manage defense-in-depth approach.

Forefront ships with anti-virus engines from AhnLab Inc., Authentium Inc., CA Inc., Kaspersky Lab Ltd., Microsoft, Norman Data Defense Systems, Sophos plc and VirusBuster Ltd. Microsoft provides one-stop, automated updates for all of them. Once any vendor's scanner is updated, Microsoft tests it, confirms it and posts it for automatic download by Forefront.

Your customers can also deploy the various engines in different ways. If a scan fails at the Exchange Edge server, for example, another scanner deployed at the Exchange Hub can catch it. Forefront also integrates with Exchange's inherent anti-spam tools, such as Microsoft IP Reputation Service, Intelligent Message Filtering for content filtering and Exchange's anti-spam signature files. That makes for a compelling sell for your security-conscious customers.

Securing SharePoint
Forefront Security for SharePoint is the other server-based tool. As the name implies, this is designed to help your customers protect their SharePoint 2007 and Windows SharePoint Services (WSS) 3.0 environments from documents containing malicious code, undesirable content or even confidential information disclosure. It comes with the same scanning engines as the Exchange product.

It automatically scans every document as your customers upload it to or retrieve it from a SharePoint library. Forefront for SharePoint can more readily scan SharePoint's SQL databases and document libraries. It can also protect against inappropriate content by scanning for administrator-defined keywords and phrases within most Microsoft Office documents, including OpenXML documents. It also supports both 32- and 64-bit servers. You can point out these aspects to your customers as part of your presentations.

Living on the Edge
The final piece of the Forefront story is security at the network edge. Here, Microsoft has two products: ISA Server 2006 and IAG 2007. When used together, the two provide enhanced network edge protection from Internet-based threats. The pair also gives your customers application-centric, policy-based access to corporate IT infrastructure. This is especially important for remote users and branch offices.

ISA Server 2006 runs on Windows Server 2003 and provides firewall, VPN and Web caching services. The idea is to let remote and branch office users securely connect to the corporate network.

IAG 2007 is a security appliance Microsoft recently acquired from Whale Communications. It combines SSL VPN, Web application firewall and endpoint security management. It's designed to ensure secure remote communications, so mobile and remote workers can securely access the corporate network from a broad range of devices and locations.

What will perhaps be Forefront's biggest selling factor, Stirling, isn't due until 2009. Stirling will reportedly let enterprise users centrally set policy. They'll also be able to configure, deploy and manage security across all the Forefront product lines -- from client to server to edge. And they can do all this from a single console.

Competitive Landscape
Microsoft is not usually at the top of most companies' lists when it comes to security, so Forefront has some formidable competition. The competition is as broad as its product suite and tends to fall into two camps: Those who focus on client and server security, and those who focus on edge security. Neither camp, however, focuses on all three areas -- client, server and edge -- as does Forefront.

The main competitors in terms of client security suites are Symantec Corp. and McAfee Inc., both of which recently made Stirling-like announcements. Symantec announced that it's combining its endpoint security technologies -- anti-virus, anti-spyware, desktop firewall, intrusion prevention and device control -- into a single agent.

Endpoint Protection 11.0, as the new bundle is called, is slated for availability in September. Symantec says it's also compatible with its Network Access Control (NAC) technologies. It will be integrated into the same endpoint agent and management console, further easing security.

Last year, McAfee announced its Total Protection suite. This combines anti-virus, anti-spyware, firewall and spam protection, as well as host intrusion prevention and NAC for higher-end installations.

McAfee also recently announced that the latest version of its ePolicy Orchestrator unified security console, version 4.0, is currently in beta. The beta has several new features, including improved Web-based controls, configurable reports and other enhancements designed to make it easier for your IT customers to manage multiple security and compliance applications from a single Web-based console.

The key to both competitors is that they include a client firewall. Forefront does not. Both are also noted for their strong anti-virus and anti-spam offerings. Microsoft tends to be an also-ran. Both products, however, tend to stop at the client or the server. They offer little, if anything, at the edge.

At the edge, the main competitors are formidable and include companies like Cisco Systems Inc. and Juniper Networks Inc. These firms are known for their network prowess and enterprise-grade features and functionality, especially in terms of SSL VPNs, Web caches and firewalls. Still, the robust feature sets in those products come with equally robust pricing. They also offer little when it comes to client-side protection. No matter how you slice it, few vendors are offering the one-stop security shop like Forefront.

Marketing and Sales
Microsoft Forefront

Forefront Client Security

  • Released May 2007
  • Estimated pricing starts at $1.06 per user, per device, per month for the agent and $205.66 per server, per month for the management console

Forefront Security for Exchange Server

  • Released December 2006
  • Estimated pricing starts at $1.25 per user, per month

Forefront Security for SharePoint

  • Released December 2006
  • Estimated pricing starts at $0.60 per user, per month

A key point to emphasize in your sales presentations is that market researcher Gartner Inc. has placed Microsoft in the Leaders quadrant for e-mail security, based on Forefront.

Additionally, Microsoft -- as usual -- offers a host of tools and guides to get you out in front. The best place to start is the "Introducing Microsoft Forefront" page on the Microsoft Partner site.

Here, Microsoft gives you an in-depth look at every part of the Forefront suite. It emphasizes which tools are designed to handle securing each portion of the enterprise. It details how Forefront fits into Microsoft's overall product roadmap, provides an interactive Forefront demo, and tells you more about Microsoft's Antigen products (which form the basis for Forefront). There are also several links aimed to help you get up to speed on security and gain your Security Competency.

The Final Word
Microsoft seems to be heading in the right direction with Forefront. It addresses your customers' primary pain point -- getting their various security tools and suites to work together to secure the entire enterprise. Once Stirling comes out, Redmond will have an even stronger proposition. Until then, your customers can safely invest in Forefront. They'll have a roadmap for integration, and easy-to-manage security in the future.