Configuring Client Security on a two-server topology

  • Article

Applies To: Forefront Client Security

To configure Client Security, you must run the Configuration wizard on the Client Security server. The wizard runs automatically when you open the Client Security console for the first time.

To configure Client Security

  1. Using an account that has local administrator privileges, log on to the Client Security server.

  2. Open the Client Security console. (Click Start, point to All Programs, point to Microsoft Forefront, point to Client Security, and then click Microsoft Forefront Client Security Console.)

  3. If the Configuration wizard doesn't start automatically, click Configure on the Action menu.

  4. On the wizard's Before You Begin page, click Next.

  5. On the Collection Server and Database page, do the following:

    1. In the Collection server box, enter the name of the current computer (the default value).

    2. In the Collection database box, enter the name of the current computer (the default value) and the SQL Server instance, if necessary.

    3. In the Management group name box, enter the name of the management group you specified during the Setup wizard.

  6. On the Reporting Database page, do the following:

    1. In the Reporting database box, enter the name of the current computer (the default value) and, if necessary, the SQL Server instance.

    2. In the Reporting account box, enter the user name and password for the reporting account, and then click Next.

  7. On the Reporting Server page, do the following:

    1. In the Reporting server box, enter the name of the current computer (the default value).

    2. In the URL for Report Server and URL for Report Manager boxes, ensure the default values are entered, and then click Next.

  8. On the Verifying Settings and Requirements page, verify your system requirements, and then click Next. If you receive an error, you cannot continue configuring Client Security. If you receive a warning or error, see the following resources for more information:

  9. On the Completing the Configuration Wizard page, verify that you have successfully configured Client Security, and then click Close. If you receive an error, you cannot continue configuring Client Security. If you receive a warning or error, see the following resources for more information:

Grant the correct permissions for the service accounts

Before using Client Security, you must grant additional permissions to the service accounts.

To grant the correct permissions for the service accounts

  1. On the Client Security server, add the action account to the Administrators group.

  2. Grant the reporting account db_owner permissions on the SystemCenterReporting database.

  3. If you used different accounts for the DAS account and the action account, grant the action account db_owner permissions on the OnePoint database.

  4. If you used different accounts for the DAS account and the reporting account, grant the reporting account db_owner permissions on the OnePoint database.

  5. If the collection server is installed on Windows Server 2008, and User Account Control (UAC) is enabled on that server, you must manually add the DAS account to the MOM Administrators local group.

To grant permissions to SQL Server databases

  1. On the server with the appropriate database (OnePoint or SystemCenterReporting), start SQL Server Management Studio.

  2. In the console tree, expand Security.

  3. Right-click Logins, and then click New Login on the shortcut menu.

  4. In the Login dialog box, type the appropriate service account (domain\username) in the Login name box.

  5. Under Select a page, click User Mapping, and then in the Map column, select the check box for the appropriate database.

  6. In the Database role membership box, select the db_owner check box, and then click OK.