Endpoint Protection

I would like to install Endpoint Small Business MR4 trial on SBS 2003 Standard SP1. Since this version of SBS doesn't have ISA firewall, can we install the Network Threat Protection on this server? The Best Practices Analyzer recommends turning off Windows Firewall/ Internet Connection Sharing so I presume we have no firewall at all at the moment.

Thanks for any advice.

Yes, you should be fine.  By default the SEP firewall should allow most traffic with an SBS server, you shouldn't have too many problems with the default ruleset, but you may want to tune it to offer more security.

Failing that, you can start with Network Threat Protection installed, but "withdraw" the firewall policy - that will tell the SEP client to pass all network traffic, but it will still be scanned with the IPS engine, which will considerably increase your network threat protection level without giving you the headache of configuring firewall rules straight away

Do I need the SEPM installed to "withdraw" the firewall policy?

is it possible to add NTP later or will I have to reinstall SEP?

Yes, you will need the client managed by SEPM in order to "withdraw" the policy - otherwise the SEP client comes with a default set of rules (which should allow all traffic anyway), but they are fairly easily removable and replacable with a single rule to allow all.

You certainly can add NTP at a later date, there is no issue with that.  If its unmanaged, then its simply just a case of adding it through Add/Remove programs.  If its managed, you can control the change from SEPM.